From 8d302ec93647ec7a57fdf8a6a1d2f7ac2af07fac Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Sun, 19 Oct 2025 12:17:45 +0200
Subject: [PATCH] socks: avoid UAF risk in error path

The code obtained a pointer resp via Curl_bufq_peek(), but called Curl_bufq_skip() before it would access them in the failf() call.

The Curl_bufq_skip() call can trigger prune_head which may free or recycle the chunk that resp points into.

Pointed out by ZeroPath

Closes #19139
---
 lib/socks.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/socks.c b/lib/socks.c
index 10fca7b44c..d146b12abc 100644
--- a/lib/socks.c
+++ b/lib/socks.c
@@ -765,13 +765,12 @@ static CURLproxycode socks5_check_auth_resp(struct socks_state *sx,
 /* ignore the first (VER) byte */
 auth_status = resp[1];
- Curl_bufq_skip(&sx->iobuf, 2);
-
 if(auth_status) {
 failf(data, "User was rejected by the SOCKS5 server (%d %d).", resp[0], resp[1]);
 return CURLPX_USER_REJECTED;
 }
+ Curl_bufq_skip(&sx->iobuf, 2);
 return CURLPX_OK;
 }
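Review bot: The moved `Curl_bufq_skip(&sx->iobuf, 2);` now sits after the last use of `resp`, but nothing at that line records that the ordering is a lifetime constraint rather than a cosmetic choice, so a later refactor that hoists the skip back up to "consume the bytes first" would silently reintroduce the use-after-free this commit fixes. A one-line comment above the skip would pin it: `/* must stay after the last use of resp: Curl_bufq_skip() can prune and free the chunk resp points into */`. A side effect of the new ordering is that on the CURLPX_USER_REJECTED path the two response bytes remain unconsumed in sx->iobuf; that looks harmless if the proxy handshake is abandoned there, but it is worth confirming nothing re-reads the buffer after the rejection. The start of socks5_check_auth_resp, including the Curl_bufq_peek() call and its length check, is outside this hunk.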