From: Stefan Eissing <stefan@eissing.org>
Date: Wed, 8 Oct 2025 12:29:54 +0000 (+0200)
Subject: socks: advance iobuf instead of reset
X-Git-Tag: rc-8_17_0-1~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7fecc009eacf2bd4815b4dd7b9ec082bca7a1bcc;p=thirdparty%2Fcurl.git

socks: advance iobuf instead of reset

During the SOCKS connect phase, the `iobuf` is used to receive repsonses
from the server. If the server sends more bytes than expected, the code
discarded them silently.

Fix this by advancing the iobuf only with the length consumed.

Reported-by: Joshua Rogers

Closes #18938
---

diff --git a/lib/socks.c b/lib/socks.c
index a0e1e6c042..10fca7b44c 100644
--- a/lib/socks.c
+++ b/lib/socks.c
@@ -432,7 +432,7 @@ static CURLproxycode socks4_check_resp(struct socks_state *sx,
   switch(resp[1]) {
   case 90:
     CURL_TRC_CF(data, cf, "SOCKS4%s request granted.", sx->socks4a ? "a" : "");
-    Curl_bufq_reset(&sx->iobuf);
+    Curl_bufq_skip(&sx->iobuf, 8);
     return CURLPX_OK;
   case 91:
     failf(data,
@@ -664,7 +664,7 @@ static CURLproxycode socks5_check_resp0(struct socks_state *sx,
   }
 
   auth_mode = resp[1];
-  Curl_bufq_reset(&sx->iobuf);
+  Curl_bufq_skip(&sx->iobuf, 2);
 
   switch(auth_mode) {
   case 0:
@@ -765,7 +765,7 @@ static CURLproxycode socks5_check_auth_resp(struct socks_state *sx,
 
   /* ignore the first (VER) byte */
   auth_status = resp[1];
-  Curl_bufq_reset(&sx->iobuf);
+  Curl_bufq_skip(&sx->iobuf, 2);
 
   if(auth_status) {
     failf(data, "User was rejected by the SOCKS5 server (%d %d).",