From 4d97fe547322c4ad0868e2282476b1a7d2027f86 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Mon, 15 Nov 2021 16:51:32 +0100
Subject: [PATCH 1/1] tftp: mark protocol as not possible to do over CONNECT

... and make connect_init() refusing trying to tunnel protocols marked as not working. Avoids a double-free.
Reported-by: Even Rouault
Fixes #8018
Closes #8020
Conflict:remove a chunk because the change exists
Reference:https://github.com/curl/curl/commit/4d97fe547322c4ad0868e2282476b1a7d2027f86
---
 lib/http_proxy.c | 4 ++++
 lib/tftp.c | 2 +-
 lib/urldata.h | 1 +
 3 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/lib/http_proxy.c b/lib/http_proxy.c
index 2555b401a..e788babed 100644
--- a/lib/http_proxy.c
+++ b/lib/http_proxy.c
@@ -158,6 +158,10 @@ static CURLcode connect_init(struct Curl_easy *data, bool reinit)
 {
 struct http_connect_state *s;
 struct connectdata *conn = data->conn;
+ if(conn->handler->flags & PROTOPT_NOTCPPROXY) {
+ failf(data, "%s cannot be done over CONNECT", conn->handler->scheme);
+ return CURLE_UNSUPPORTED_PROTOCOL;
+ }
 if(!reinit) {
 CURLcode result;
 DEBUGASSERT(!conn->connect_state);
diff --git a/lib/tftp.c b/lib/tftp.c
index 7e5246f01..f8c68441c 100644
--- a/lib/tftp.c
+++ b/lib/tftp.c
@@ -186,7 +186,7 @@ const struct Curl_handler Curl_handler_tftp = {
 PORT_TFTP, /* defport */
 CURLPROTO_TFTP, /* protocol */
 CURLPROTO_TFTP, /* family */
- PROTOPT_NONE | PROTOPT_NOURLQUERY /* flags */
+ PROTOPT_NOTCPPROXY | PROTOPT_NOURLQUERY /* flags */
 };
 
 /**********************************************************
diff --git a/lib/urldata.h b/lib/urldata.h
index f12e99b8d..22c66cd44 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
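Review bot: The new guard at the top of connect_init() in lib/http_proxy.c only rejects handlers that opt in with PROTOPT_NOTCPPROXY, and in this patch only Curl_handler_tftp sets that flag, so any other handler that cannot be tunneled would still reach the CONNECT setup; whether such handlers exist is not visible here and is worth auditing. The guard also has no comment tying it to the double-free named in the commit message; I would add `/* this handler cannot be tunneled over CONNECT; refuse before any tunnel state is set up (#8018) */` above the `if`. The `Conflict:` line says a chunk of the upstream commit was dropped as already present, which should be confirmed against the tree, since a missing piece would leave the fix partial. connect_init() continues past the end of the hunk.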
@@ -835,6 +835,7 @@ struct Curl_handler { #define PROTOPT_WILDCARD (1<<12) /* protocol supports wildcard matching */ #define PROTOPT_USERPWDCTRL (1<<13) /* Allow "control bytes" (< 32 ascii) in user name and password */ +#define PROTOPT_NOTCPPROXY (1<<14) /* this protocol can't proxy over TCP */ #define CONNCHECK_NONE 0 /* No checks */ #define CONNCHECK_ISDEAD (1<<0) /* Check if the connection is dead. */ -- 2.33.0
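Review bot: The comment on the new PROTOPT_NOTCPPROXY define, "this protocol can't proxy over TCP", is broader than what the patch enforces, because the only check shown is the one in connect_init(), which refuses HTTP CONNECT tunneling. If the flag is not consulted anywhere else (not visible in this patch), I would word it as `/* this protocol cannot be tunneled through a proxy with CONNECT */` so that nobody assumes other proxy paths are covered by it.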