git.ipfire.org Git - thirdparty/curl.git/commit

]> git.ipfire.org Git - thirdparty/curl.git/commit

projects / thirdparty / curl.git / commit

author	Daniel Stenberg <daniel@haxx.se>
	Sun, 19 Oct 2025 10:17:45 +0000 (12:17 +0200)
committer	Daniel Stenberg <daniel@haxx.se>
	Sun, 19 Oct 2025 11:13:15 +0000 (13:13 +0200)
commit	8d302ec93647ec7a57fdf8a6a1d2f7ac2af07fac
tree	c377ee613d0d5f084a95c7bc8b226fb152856288	tree \| snapshot
parent	f03e7c1d645823db285e483ba2e3dde633d38dde	commit \| diff

socks: avoid UAF risk in error path

The code obtained a pointer resp via Curl_bufq_peek(), but called
Curl_bufq_skip() before it would access them in the failf() call.

The Curl_bufq_skip() call can trigger prune_head which may free or
recycle the chunk that resp points into.

Pointed out by ZeroPath
Closes #19139

lib/socks.c

diff | blob | blame | history

Mirror of https://github.com/curl/curl.git

RSS Atom