socks: avoid UAF risk in error path

The code obtained a pointer resp via Curl_bufq_peek(), but called
Curl_bufq_skip() before it would access them in the failf() call.

The Curl_bufq_skip() call can trigger prune_head which may free or
recycle the chunk that resp points into.

Pointed out by ZeroPath
Closes #19139
Daniel Stenberg 2025-10-19 12:17:45 +02:00
parent f03e7c1d64
commit 8d302ec936
GPG Key ID: 5CC908FDB71E12C2

@ -765,13 +765,12 @@ static CURLproxycode socks5_check_auth_resp(struct socks_state *sx,
/* ignore the first (VER) byte */
auth_status = resp[1];
Curl_bufq_skip(&sx->iobuf, 2);
if(auth_status) {
failf(data, "User was rejected by the SOCKS5 server (%d %d).",
resp[0], resp[1]);
return CURLPX_USER_REJECTED;
}
Curl_bufq_skip(&sx->iobuf, 2);
return CURLPX_OK;
}
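Review bot: the reordering is correct, but the lifetime rule it relies on is not stated in the code: resp comes from Curl_bufq_peek() and is only valid until the next Curl_bufq_skip() on the same bufq, since skipping can prune the chunk it points into. A one-line comment above the skip (e.g. "/* resp is a peek into iobuf; do not skip before its last use */") would keep a future edit from reintroducing the same use-after-free by "tidying" the skip back up next to the read of resp[1]. Also worth noting in that comment that on the CURLPX_USER_REJECTED path the two response bytes are intentionally left unconsumed, so nobody later adds a skip there "for consistency" without considering the resp lifetime.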