Change #246106
| Category | None |
| Changed by | Daniel Stenberg <daniel@haxx.se> |
| Changed at | Sun 19 Oct 2025 12:17:45 |
| Repository | https://api.github.com/repos/curl/curl |
| Project | curl/curl |
| Branch | bagder/socks-failf |
| Revision | 02ea5e55d507b920dea90a22b16a1f4bf6ff3b2f |
Comments
socks: avoid UAF risk in error path The code obtained a pointer resp via Curl_bufq_peek(), but called Curl_bufq_skip() before it would access them in the failf() call. The Curl_bufq_skip() call can trigger prune_head which may free or recycle the chunk that resp points into. Pointed out by ZeroPath
Changed files
- lib/socks.c