From 5cefe93eb644f757c5a685263a42961048b7d586 Mon Sep 17 00:00:00 2001
From: Ammar Faizi
Date: Wed, 16 Jul 2025 20:22:43 +0700
Subject: [PATCH] socks: do_SOCKS5: Fix invalid buffer content on short send Ahmad Gani intercepts the sendto syscall to simulate short send, but curl incorrectly handles it. It keeps resending the version: sendto(4, "\x05", 1, MSG_NOSIGNAL, NULL, 0) = 1 sendto(4, "\x05", 1, MSG_NOSIGNAL, NULL, 0) = 1 Don't restart the buffer in the `CONNECT_SOCKS_INIT` case if `sx->outstanding` is not zero. It should continue sending the advanced buffer. Fixes #17942 Reported-by: Ahmad Gani Signed-off-by: Ammar Faizi Closes #17943
---
 lib/socks.c | 29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)
diff --git a/lib/socks.c b/lib/socks.c
index 7d25ef5208..023696c461 100644
--- a/lib/socks.c
+++ b/lib/socks.c
@@ -591,20 +591,23 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
 allow_gssapi = TRUE;
 #endif
- idx = 0;
- socksreq[idx++] = 5; /* version */
- idx++; /* number of authentication methods */
- socksreq[idx++] = 0; /* no authentication */
- if(allow_gssapi)
- socksreq[idx++] = 1; /* GSS-API */
- if(sx->proxy_user)
- socksreq[idx++] = 2; /* username/password */
- /* write the number of authentication methods */
- socksreq[1] = (unsigned char) (idx - 2);
+ if(!sx->outstanding) {
+ idx = 0;
+ socksreq[idx++] = 5; /* version */
+ idx++; /* number of authentication methods */
+ socksreq[idx++] = 0; /* no authentication */
+ if(allow_gssapi)
+ socksreq[idx++] = 1; /* GSS-API */
+ if(sx->proxy_user)
+ socksreq[idx++] = 2; /* username/password */
+ /* write the number of authentication methods */
+ socksreq[1] = (unsigned char) (idx - 2);
+
+ sx->outp = socksreq;
+ DEBUGASSERT(idx <= sizeof(sx->buffer));
+ sx->outstanding = idx;
+ }
- sx->outp = socksreq;
- DEBUGASSERT(idx <= sizeof(sx->buffer));
- sx->outstanding = idx;
 presult = socks_state_send(cf, sx, data, CURLPX_SEND_CONNECT, "initial SOCKS5 request");
 if(CURLPX_OK != presult)
-- 
2.47.2
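Review bot: The new `if(!sx->outstanding)` guard makes `sx->outstanding` double as the "greeting already built" flag, but nothing in the hunk shows that it is zero the first time `CONNECT_SOCKS_INIT` runs; if it were ever non-zero on entry, the method-selection bytes would not be written and `socks_state_send()` would send from wherever `sx->outp` already points. A comment above the guard would make the invariant explicit, for example `/* non-zero outstanding: an earlier call sent only part of this request, resume from sx->outp */`, and a `DEBUGASSERT` in the skipped path that `sx->outp` still lies inside the request buffer would catch a stale value in debug builds. `idx` is also left unassigned when the branch is skipped, so any later read of it in this function before reassignment should be checked. The body of `do_SOCKS5` starts and ends outside the hunk, so where `sx->outstanding` is initialised and how `idx` is used afterwards are not visible here.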