From: Daniel Stenberg
Date: Sun, 19 Oct 2025 10:17:45 +0000 (+0200)
Subject: socks: avoid UAF risk in error path
X-Git-Tag: rc-8_17_0-2~17
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8d302ec93647ec7a57fdf8a6a1d2f7ac2af07fac;p=thirdparty%2Fcurl.git

socks: avoid UAF risk in error path

The code obtained a pointer resp via Curl_bufq_peek(), but called Curl_bufq_skip() before it would access them in the failf() call. The Curl_bufq_skip() call can trigger prune_head which may free or recycle the chunk that resp points into.

Pointed out by ZeroPath

Closes #19139
---
diff --git a/lib/socks.c b/lib/socks.c index 10fca7b44c..d146b12abc 100644 --- a/lib/socks.c +++ b/lib/socks.c @@ -765,13 +765,12 @@ static CURLproxycode socks5_check_auth_resp(struct socks_state *sx, /* ignore the first (VER) byte */ auth_status = resp[1]; - Curl_bufq_skip(&sx->iobuf, 2); - if(auth_status) { failf(data, "User was rejected by the SOCKS5 server (%d %d).", resp[0], resp[1]); return CURLPX_USER_REJECTED; } + Curl_bufq_skip(&sx->iobuf, 2); return CURLPX_OK; }
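Review bot: moving Curl_bufq_skip() below the early return means the rejected path now leaves the two response bytes unconsumed in sx->iobuf; that is presumably fine because returning CURLPX_USER_REJECTED ends the proxy handshake, but the commit message should state that the error path intentionally no longer drains the buffer. If keeping the skip at its original position is preferred, an equivalent fix is to copy the peeked bytes into locals before skipping, e.g. `unsigned char ver = resp[0], status = resp[1];` ahead of `Curl_bufq_skip(&sx->iobuf, 2);`, so that failf() never reads through resp after prune_head may have freed or recycled the chunk.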