fix double-free when using https with tunneling proxy

(cherry picked from commit 1c3bb7fcab1c32af49a31d1bba5dfd417a7208d3)

backport-0002-CVE-2023-23916.patch

@@ -64,7 +64,7 @@ index 879d846..660ee28 100644
  test409 test410 \
 -\
 +test418 \
- test430 test431 test432 test433 test434 test435 test445 test446\
+ test430 test431 test432 test433 test434 test435 test446\
  \
  test490 test491 test492 test493 test494 \
 diff --git a/tests/data/test418 b/tests/data/test418

backport-0004-CVE-2023-23914-CVE-2023-23915.patch

@@ -19,8 +19,8 @@ index f79b63e..879d846 100644
  test400 test401 test402 test403 test404 test405 test406 test407 test408 \
  test409 test410 \
  \
--test430 test431 test432 test433 test434 test435 test445\
+-test430 test431 test432 test433 test434 test435 \
-+test430 test431 test432 test433 test434 test435 test445 test446\
++test430 test431 test432 test433 test434 test435 test446\
  \
  test490 test491 test492 test493 test494 \
  \

backport-CVE-2022-42915.patch

@@ -10,25 +10,27 @@ Closes #9790
 Upstream-commit: 55e1875729f9d9fc7315cec611bffbd2c817ad89
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 
-Conflict: NA
+Conflict: context adapt
 Reference:https://src.fedoraproject.org/rpms/curl/blob/f35/f/0017-curl-7.82.0-CVE-2022-42915.patch
 ---
- lib/http_proxy.c | 3 +--
+ lib/http_proxy.c | 6 ++----
  lib/url.c        | 9 ---------
- 2 files changed, 1 insertion(+), 11 deletions(-)
+ 2 files changed, 2 insertion(+), 13 deletions(-)
  
 diff --git a/lib/http_proxy.c b/lib/http_proxy.c
 index 1f87f6c..cc20b3a 100644
 --- a/lib/http_proxy.c
 +++ b/lib/http_proxy.c
-@@ -207,9 +207,8 @@ static void connect_done(struct Curl_easy *data)
+@@ -207,10 +207,8 @@ static void connect_done(struct Curl_easy *data)
      Curl_dyn_free(&s->rcvbuf);
      Curl_dyn_free(&s->req);
  
--    /* retore the protocol pointer */
+-    /* restore the protocol pointer, if not already done */
-+    /* restore the protocol pointer */
+-    if(s->prot_save)
-     data->req.p.http = s->prot_save;
+-      data->req.p.http = s->prot_save;
 -    s->prot_save = NULL;
++    /* restore the protocol pointer */
++    data->req.p.http = s->prot_save;
      infof(data, "CONNECT phase completed!");
    }
  }
@@ -77,9 +79,9 @@ index 1f774ce..f79b63e 100644
 @@ -67,7 +67,7 @@ test392 test393 test394 test395 test396 test397 \
  test400 test401 test402 test403 test404 test405 test406 test407 test408 \
  test409 test410 \
- \
+ test418 \
--test430 test431 test432 test433 test434 test435 \
+-test430 test431 test432 test433 test434 test435 test446\
-+test430 test431 test432 test433 test434 test435 test445\
++test430 test431 test432 test433 test434 test435 test445 test446\
  \
  test490 test491 test492 test493 test494 \
  \

backport-Curl_connect_done-handle-being-called-twice.patch

@@ -0,0 +1,38 @@
+From b89a4b5191e8471acca14d7de904213b0aa20125 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 12 Nov 2021 13:34:49 +0100
+Subject: [PATCH 1/1] Curl_connect_done: handle being called twice
+
+Follow-up to f0b7099a10d1a7c
+
+When torture testing 1021, it turns out the Curl_connect_done function
+might be called twice and that previously then wrongly cleared the HTTP
+pointer in the second invoke.
+
+Closes #7999
+
+Conflict:context adapt
+Reference:https://github.com/curl/curl/commit/b89a4b5191e8471acca14d7de904213b0aa20125
+---
+ lib/http_proxy.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/http_proxy.c b/lib/http_proxy.c
+index cfe616fa6..2555b401a 100644
+--- a/lib/http_proxy.c
++++ b/lib/http_proxy.c
+@@ -207,8 +207,9 @@ void Curl_connect_done(struct Curl_easy *data)
+     Curl_dyn_free(&s->rcvbuf);
+     Curl_dyn_free(&s->req);
+ 
+-    /* retore the protocol pointer */
+-    data->req.p.http = s->prot_save;
++    /* restore the protocol pointer, if not already done */
++    if(s->prot_save)
++      data->req.p.http = s->prot_save;
+     s->prot_save = NULL;
+     infof(data, "CONNECT phase completed!");
+   }
+-- 
+2.33.0
+

backport-curl_easy_cleanup.3-remove-from-multi-handle-first.patch

@@ -0,0 +1,36 @@
+From 11a46d6d66c32e4be7015aca92008d979f8b90a2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 10 Nov 2021 08:41:51 +0100
+Subject: [PATCH] curl_easy_cleanup.3: remove from multi handle first
+
+Easy handles that are used by the multi interface should be removed from
+the multi handle before they are cleaned up.
+
+Reported-by: Stephen M. Coakley
+Ref: #7982
+Closes #7983
+
+Conflict:context adapt
+Reference:https://github.com/curl/curl/commit/f0b7099a10d1a7cfbbe8f67b0ecdff5846f9805b
+---
+ docs/libcurl/curl_easy_cleanup.3 | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/docs/libcurl/curl_easy_cleanup.3 b/docs/libcurl/curl_easy_cleanup.3
+index 3c3425624..c62f4e073 100644
+--- a/docs/libcurl/curl_easy_cleanup.3
++++ b/docs/libcurl/curl_easy_cleanup.3
+@@ -47,6 +47,10 @@ Any use of the \fBhandle\fP after this function has been called and have
+ returned, is illegal. \fIcurl_easy_cleanup(3)\fP kills the handle and all
+ memory associated with it!
+ 
++To close an easy handle that has been used with the multi interface, make sure
++to call \fIcurl_multi_remove_handle(3)\fP first to remove it from the multi
++handle before it is closed.
++
+ Passing in a NULL pointer in \fIhandle\fP will make this function return
+ immediately with no action.
+ .SH "OLD TIMES"
+-- 
+2.33.0
+

backport-http_proxy-make-Curl_connect_done-work-for-proxy-dis.patch

@@ -0,0 +1,46 @@
+From 2989b11377c215884ae5a50c07607f75a31dc2ff Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 12 Nov 2021 08:08:34 +0100
+Subject: [PATCH] http_proxy: make Curl_connect_done() work for proxy disabled
+ builds
+
+... by making it an empty macro then.
+
+Follow-up to f0b7099a10d1a
+Reported-by: Vincent Grande
+Fixes #7995
+Closes #7996
+
+Conflict:NA
+Reference:https://github.com/curl/curl/commit/2989b11377c215884ae5a50c07607f75a31dc2ff
+---
+ lib/http_proxy.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/http_proxy.h b/lib/http_proxy.h
+index cdf8de4fb..2820e1184 100644
+--- a/lib/http_proxy.h
++++ b/lib/http_proxy.h
+@@ -39,6 +39,7 @@ CURLcode Curl_proxy_connect(struct Curl_easy *data, int sockindex);
+ bool Curl_connect_complete(struct connectdata *conn);
+ bool Curl_connect_ongoing(struct connectdata *conn);
+ int Curl_connect_getsock(struct connectdata *conn);
++void Curl_connect_done(struct Curl_easy *data);
+ 
+ #else
+ #define Curl_proxyCONNECT(x,y,z,w) CURLE_NOT_BUILT_IN
+@@ -46,10 +47,10 @@ int Curl_connect_getsock(struct connectdata *conn);
+ #define Curl_connect_complete(x) CURLE_OK
+ #define Curl_connect_ongoing(x) FALSE
+ #define Curl_connect_getsock(x) 0
++#define Curl_connect_done(x)
+ #endif
+ 
+ void Curl_connect_free(struct Curl_easy *data);
+-void Curl_connect_done(struct Curl_easy *data);
+ 
+ /* struct for HTTP CONNECT state data */
+ struct http_connect_state {
+-- 
+2.33.0
+

backport-lib1939-make-it-endure-torture-tests.patch

@@ -0,0 +1,90 @@
+From 26247a0d7e24c06d5b250f044a951441674a4484 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 13 Nov 2021 14:13:20 +0100
+Subject: [PATCH 1/1] lib1939: make it endure torture tests
+
+Follow-up to f0b7099a10d1a
+
+Closes #8007
+
+Conflict:NA
+Reference:https://github.com/curl/curl/commit/26247a0d7e24c06d5b250f044a951441674a4484
+---
+ tests/libtest/lib1939.c | 55 +++++++++++++++++++----------------------
+ 1 file changed, 26 insertions(+), 29 deletions(-)
+
+diff --git a/tests/libtest/lib1939.c b/tests/libtest/lib1939.c
+index 644617712..510215dbd 100644
+--- a/tests/libtest/lib1939.c
++++ b/tests/libtest/lib1939.c
+@@ -33,41 +33,38 @@ int test(char *URL)
+   curl_global_init(CURL_GLOBAL_DEFAULT);
+ 
+   multi = curl_multi_init();
+-  if(!multi)
+-    return 1;
++  if(multi) {
++    easy = curl_easy_init();
++    if(easy) {
++      CURLcode c;
++      CURLMcode m;
+ 
+-  easy = curl_easy_init();
+-  if(easy) {
+-    CURLcode c;
+-    CURLMcode m;
++      /* Crash only happens when using HTTPS */
++      c = curl_easy_setopt(easy, CURLOPT_URL, URL);
++      if(!c)
++        /* Any old HTTP tunneling proxy will do here */
++        c = curl_easy_setopt(easy, CURLOPT_PROXY, libtest_arg2);
+ 
+-    /* Crash only happens when using HTTPS */
+-    c = curl_easy_setopt(easy, CURLOPT_URL, URL);
+-    if(!c)
+-      /* Any old HTTP tunneling proxy will do here */
+-      c = curl_easy_setopt(easy, CURLOPT_PROXY, libtest_arg2);
++      if(!c) {
+ 
+-    if(c)
+-      return 2;
++        /* We're going to drive the transfer using multi interface here,
++           because we want to stop during the middle. */
++        m = curl_multi_add_handle(multi, easy);
+ 
+-    /* We're going to drive the transfer using multi interface here, because we
+-       want to stop during the middle. */
+-    m = curl_multi_add_handle(multi, easy);
++        if(!m)
++          /* Run the multi handle once, just enough to start establishing an
++             HTTPS connection. */
++          m = curl_multi_perform(multi, &running_handles);
+ 
+-    if(!m)
+-      /* Run the multi handle once, just enough to start establishing an HTTPS
+-         connection. */
+-      m = curl_multi_perform(multi, &running_handles);
+-
+-    if(m)
+-      return 3;
+-
+-    /* Close the easy handle *before* the multi handle. Doing it the other way
+-       around avoids the issue. */
+-    curl_easy_cleanup(easy);
++        if(m)
++          fprintf(stderr, "curl_multi_perform failed\n");
++      }
++      /* Close the easy handle *before* the multi handle. Doing it the other
++         way around avoids the issue. */
++      curl_easy_cleanup(easy);
++    }
++    curl_multi_cleanup(multi); /* double-free happens here */
+   }
+-  curl_multi_cleanup(multi); /* double-free happens here */
+-
+   curl_global_cleanup();
+   return CURLE_OK;
+ }
+-- 
+2.33.0
+

backport-multi-shut-down-CONNECT-in-Curl_detach_connnection.patch

@@ -0,0 +1,259 @@
+From f0b7099a10d1a7cfbbe8f67b0ecdff5846f9805b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 10 Nov 2021 14:42:04 +0100
+Subject: [PATCH 1/1] multi: shut down CONNECT in Curl_detach_connnection
+
+... to prevent a lingering pointer that would lead to a double-free.
+
+Added test 1939 to verify.
+
+Reported-by: Stephen M. Coakley
+Fixes #7982
+Closes #7986
+
+Conflict:context adapt of test makefile
+Reference:https://github.com/curl/curl/commit/f0b7099a10d1a7cfbbe8f67b0ecdff5846f9805b
+---
+ lib/http_proxy.c           | 10 +++---
+ lib/multi.c                |  1 +
+ tests/data/Makefile.inc    |  2 +-
+ tests/data/test1939        | 52 +++++++++++++++++++++++++++
+ tests/libtest/Makefile.inc |  5 +++-
+ tests/libtest/lib1939.c    | 73 ++++++++++++++++++++++++++++++++++++++
+ 6 files changed, 137 insertions(+), 6 deletions(-)
+ create mode 100644 tests/data/test1939
+ create mode 100644 tests/libtest/lib1939.c
+
+diff --git a/lib/http_proxy.c b/lib/http_proxy.c
+index fc050a07d..cfe616fa6 100644
+--- a/lib/http_proxy.c
++++ b/lib/http_proxy.c
+@@ -198,11 +198,11 @@ static CURLcode connect_init(struct Curl_easy *data, bool reinit)
+   return CURLE_OK;
+ }
+ 
+-static void connect_done(struct Curl_easy *data)
++void Curl_connect_done(struct Curl_easy *data)
+ {
+   struct connectdata *conn = data->conn;
+   struct http_connect_state *s = conn->connect_state;
+-  if(s->tunnel_state != TUNNEL_EXIT) {
++  if(s && (s->tunnel_state != TUNNEL_EXIT)) {
+     s->tunnel_state = TUNNEL_EXIT;
+     Curl_dyn_free(&s->rcvbuf);
+     Curl_dyn_free(&s->req);
+@@ -662,7 +662,7 @@ static CURLcode CONNECT(struct Curl_easy *data,
+     if(s->close_connection && data->req.newurl) {
+       conn->bits.proxy_connect_closed = TRUE;
+       infof(data, "Connect me again please");
+-      connect_done(data);
++      Curl_connect_done(data);
+     }
+     else {
+       free(data->req.newurl);
+@@ -974,7 +974,7 @@ static CURLcode CONNECT(struct Curl_easy *data,
+       if(conn->bits.close && data->req.newurl) {
+         conn->bits.proxy_connect_closed = TRUE;
+         infof(data, "Connect me again please");
+-        connect_done(data);
++        Curl_connect_done(data);
+       }
+       else {
+         free(data->req.newurl);
+@@ -1048,7 +1048,7 @@ CURLcode Curl_proxyCONNECT(struct Curl_easy *data,
+   result = CONNECT(data, sockindex, hostname, remote_port);
+ 
+   if(result || Curl_connect_complete(conn))
+-    connect_done(data);
++    Curl_connect_done(data);
+ 
+   return result;
+ }
+diff --git a/lib/multi.c b/lib/multi.c
+index f307d63b9..ce634fcac 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -878,6 +878,7 @@ void Curl_detach_connnection(struct Curl_easy *data)
+ {
+   struct connectdata *conn = data->conn;
+   if(conn) {
++    Curl_connect_done(data); /* if mid-CONNECT, shut it down */
+     Curl_llist_remove(&conn->easyq, &data->conn_queue, NULL);
+     Curl_ssl_detach_conn(data, conn);
+   }
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 9a8b64bed..b6a503e72 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -216,7 +216,7 @@ test1800 test1801 \
+ test1908 test1909 test1910 test1911 test1912 test1913 test1914 test1915 \
+ test1916 test1917 test1918 \
+ \
+-test1933 test1934 test1935 test1936 \
++test1933 test1934 test1935 test1936 test1939 \
+ \
+ test2000 test2001 test2002 test2003 test2004 \
+ \
+diff --git a/tests/data/test1939 b/tests/data/test1939
+new file mode 100644
+index 000000000..0b9987b5b
+--- /dev/null
++++ b/tests/data/test1939
+@@ -0,0 +1,52 @@
++<testcase>
++<info>
++<keywords>
++CONNECT
++curl_easy_cleanup
++</keywords>
++</info>
++
++# Server-side
++<reply>
++<data nocheck="yes">
++HTTP/1.1 302 OK
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Type: text/html
++Content-Length: 0
++Location: /%TESTNUMBER0002
++
++</data>
++<data2>
++HTTP/1.1 200 OK
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Type: text/html
++Content-Length: 0
++
++</data2>
++</reply>
++
++# Client-side
++<client>
++<server>
++https
++http-proxy
++</server>
++
++<name>
++curl_easy_cleanup without curl_multi_remove_handle - in CONNECT
++</name>
++<tool>
++lib%TESTNUMBER
++</tool>
++
++<command>
++https://%HOSTIP:%HTTPPORT/%TESTNUMBER http://%HOSTIP:%PROXYPORT
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++</verify>
++</testcase>
+diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
+index 8cea7c014..62a7675b1 100644
+--- a/tests/libtest/Makefile.inc
++++ b/tests/libtest/Makefile.inc
+@@ -61,6 +61,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect                \
+  lib1591 lib1592 lib1593 lib1594 lib1596 \
+          lib1905 lib1906 lib1907 lib1908 lib1910 lib1911 lib1912 lib1913 \
+          lib1915 lib1916 lib1917 lib1918 lib1933 lib1934 lib1935 lib1936 \
++         lib1939 \
+          lib3010
+ 
+ chkdecimalpoint_SOURCES = chkdecimalpoint.c ../../lib/mprintf.c \
+@@ -715,6 +716,10 @@ lib1938_SOURCES = lib1938.c $(SUPPORTFILES)
+ lib1936_LDADD = $(TESTUTIL_LIBS)
+ lib1936_CPPFLAGS = $(AM_CPPFLAGS)
+ 
++lib1939_SOURCES = lib1939.c $(SUPPORTFILES)
++lib1939_LDADD = $(TESTUTIL_LIBS)
++lib1939_CPPFLAGS = $(AM_CPPFLAGS)
++
+ lib3010_SOURCES = lib3010.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+ lib3010_LDADD = $(TESTUTIL_LIBS)
+ lib3010_CPPFLAGS = $(AM_CPPFLAGS)
+diff --git a/tests/libtest/lib1939.c b/tests/libtest/lib1939.c
+new file mode 100644
+index 000000000..644617712
+--- /dev/null
++++ b/tests/libtest/lib1939.c
+@@ -0,0 +1,73 @@
++/***************************************************************************
++ *                                  _   _ ____  _
++ *  Project                     ___| | | |  _ \| |
++ *                             / __| | | | |_) | |
++ *                            | (__| |_| |  _ <| |___
++ *                             \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.haxx.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ ***************************************************************************/
++
++#include "test.h"
++
++#include "memdebug.h"
++
++int test(char *URL)
++{
++  CURLM *multi;
++  CURL *easy;
++  int running_handles;
++
++  curl_global_init(CURL_GLOBAL_DEFAULT);
++
++  multi = curl_multi_init();
++  if(!multi)
++    return 1;
++
++  easy = curl_easy_init();
++  if(easy) {
++    CURLcode c;
++    CURLMcode m;
++
++    /* Crash only happens when using HTTPS */
++    c = curl_easy_setopt(easy, CURLOPT_URL, URL);
++    if(!c)
++      /* Any old HTTP tunneling proxy will do here */
++      c = curl_easy_setopt(easy, CURLOPT_PROXY, libtest_arg2);
++
++    if(c)
++      return 2;
++
++    /* We're going to drive the transfer using multi interface here, because we
++       want to stop during the middle. */
++    m = curl_multi_add_handle(multi, easy);
++
++    if(!m)
++      /* Run the multi handle once, just enough to start establishing an HTTPS
++         connection. */
++      m = curl_multi_perform(multi, &running_handles);
++
++    if(m)
++      return 3;
++
++    /* Close the easy handle *before* the multi handle. Doing it the other way
++       around avoids the issue. */
++    curl_easy_cleanup(easy);
++  }
++  curl_multi_cleanup(multi); /* double-free happens here */
++
++  curl_global_cleanup();
++  return CURLE_OK;
++}
+-- 
+2.33.0
+

backport-test1939-require-proxy-support-to-run.patch

@@ -0,0 +1,32 @@
+From b7e1443a1d59feea9fc63e5b78276153ac635438 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 13 Nov 2021 23:43:24 +0100
+Subject: [PATCH 1/1] test1939: require proxy support to run
+
+Follow-up to f0b7099a10d1a
+
+Closes #8011
+
+Conflict:NA
+Reference:https://github.com/curl/curl/commit/b7e1443a1d59feea9fc63e5b78276153ac635438
+---
+ tests/data/test1939 | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tests/data/test1939 b/tests/data/test1939
+index 0b9987b5b..19dc74d2b 100644
+--- a/tests/data/test1939
++++ b/tests/data/test1939
+@@ -29,6 +29,9 @@ Content-Length: 0
+ 
+ # Client-side
+ <client>
++<features>
++proxy
++</features>
+ <server>
+ https
+ http-proxy
+-- 
+2.33.0
+

backport-tftp-mark-protocol-as-not-possible-to-do-over-CONNEC.patch

@@ -0,0 +1,63 @@
+From 4d97fe547322c4ad0868e2282476b1a7d2027f86 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 15 Nov 2021 16:51:32 +0100
+Subject: [PATCH 1/1] tftp: mark protocol as not possible to do over CONNECT
+
+... and make connect_init() refusing trying to tunnel protocols marked
+as not working. Avoids a double-free.
+
+Reported-by: Even Rouault
+Fixes #8018
+Closes #8020
+
+Conflict:remove a chunk because the change exists
+Reference:https://github.com/curl/curl/commit/4d97fe547322c4ad0868e2282476b1a7d2027f86
+---
+ lib/http_proxy.c |  4 ++++
+ lib/tftp.c       |  2 +-
+ lib/urldata.h    |  1 +
+ 3 files changed, 6 insertions(+), 1 deletions(-)
+
+diff --git a/lib/http_proxy.c b/lib/http_proxy.c
+index 2555b401a..e788babed 100644
+--- a/lib/http_proxy.c
++++ b/lib/http_proxy.c
+@@ -158,6 +158,10 @@ static CURLcode connect_init(struct Curl_easy *data, bool reinit)
+ {
+   struct http_connect_state *s;
+   struct connectdata *conn = data->conn;
++  if(conn->handler->flags & PROTOPT_NOTCPPROXY) {
++    failf(data, "%s cannot be done over CONNECT", conn->handler->scheme);
++    return CURLE_UNSUPPORTED_PROTOCOL;
++  }
+   if(!reinit) {
+     CURLcode result;
+     DEBUGASSERT(!conn->connect_state);
+diff --git a/lib/tftp.c b/lib/tftp.c
+index 7e5246f01..f8c68441c 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -186,7 +186,7 @@ const struct Curl_handler Curl_handler_tftp = {
+   PORT_TFTP,                            /* defport */
+   CURLPROTO_TFTP,                       /* protocol */
+   CURLPROTO_TFTP,                       /* family */
+-  PROTOPT_NONE | PROTOPT_NOURLQUERY     /* flags */
++  PROTOPT_NOTCPPROXY | PROTOPT_NOURLQUERY /* flags */
+ };
+ 
+ /**********************************************************
+diff --git a/lib/urldata.h b/lib/urldata.h
+index f12e99b8d..22c66cd44 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -835,6 +835,7 @@ struct Curl_handler {
+ #define PROTOPT_WILDCARD (1<<12) /* protocol supports wildcard matching */
+ #define PROTOPT_USERPWDCTRL (1<<13) /* Allow "control bytes" (< 32 ascii) in
+                                        user name and password */
++#define PROTOPT_NOTCPPROXY (1<<14) /* this protocol can't proxy over TCP */
+ 
+ #define CONNCHECK_NONE 0                 /* No checks */
+ #define CONNCHECK_ISDEAD (1<<0)          /* Check if the connection is dead. */
+-- 
+2.33.0
+

curl.spec

@@ -6,7 +6,7 @@
 
 Name:           curl
 Version:        7.79.1
-Release:        20
+Release:        21
 Summary:        Curl is used in command lines or scripts to transfer data
 License:        MIT
 URL:            https://curl.haxx.se/
@@ -30,7 +30,6 @@ Patch15:        backport-fix-configure-disable-http-auth-build-error.patch
 Patch16:        backport-CVE-2022-35252-cookie-reject-cookies-with-control-bytes.patch
 Patch17:        backport-CVE-2022-32221.patch
 Patch18:        backport-CVE-2022-42916.patch
-Patch19:        backport-CVE-2022-42915.patch
 Patch20:        backport-CVE-2022-43551-http-use-the-IDN-decoded-name-in-HSTS-checks.patch
 Patch21:        backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch
 Patch22:        backport-0001-CVE-2023-23914-CVE-2023-23915.patch
@@ -58,6 +57,14 @@ Patch43:        backport-tool_getparam-repair-cleanarg.patch
 Patch44:        backport-tool_getparam-fix-cleanarg-for-unicode-builds.patch
 Patch45:        backport-getparam-correctly-clean-args.patch
 Patch46:        backport-tool_getparam-fix-hiding-of-command-line-secrets.patch
+Patch47:        backport-multi-shut-down-CONNECT-in-Curl_detach_connnection.patch
+Patch48:        backport-curl_easy_cleanup.3-remove-from-multi-handle-first.patch
+Patch49:        backport-http_proxy-make-Curl_connect_done-work-for-proxy-dis.patch
+Patch50:        backport-Curl_connect_done-handle-being-called-twice.patch
+Patch51:        backport-tftp-mark-protocol-as-not-possible-to-do-over-CONNEC.patch
+Patch52:        backport-test1939-require-proxy-support-to-run.patch
+Patch53:        backport-lib1939-make-it-endure-torture-tests.patch
+Patch54:        backport-CVE-2022-42915.patch
 
 BuildRequires:  automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires:  libidn2-devel libnghttp2-devel libpsl-devel
@@ -226,6 +233,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*
 
 %changelog
+* Mon Jul 03 2023 zhouyihang <zhouyihang3@h-partners.com> - 7.79.1-21
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix double-free when using https with tunneling proxy
+
 * Mon Jun 19 2023 zhouyihang <zhouyihang3@h-partners.com> - 7.79.1-20
 - Type:bugfix
 - CVE:NA