Heap buffer overflow vulnerability in conncache.c: incorrect use of pointer arrays resulting in out-of-bounds memory writes.
Medium
C
curl
Reported by
freak_coding
Vulnerability Details
Technical details and impact analysis
In the conncache.c file, the cpool_bundle structure incorrectly uses a pointer array (char *dest[1]) instead of a flexible array (char dest[]) to store string data, leading to a heap buffer overflow when calling memcpy in the cpool_bundle_create function.
## Impact
## Summary
The vulnerability is a heap buffer overflow caused by the cpool_bundle struct in the conncache.c file, which incorrectly uses the pointer array char *dest[1] instead of the flexible array char dest[]. In the cpool_bundle_create function, when calling memcpy(bundle->dest, dest, bundle->dest_len), if the target string length exceeds the pointer size (8 bytes on a 64-bit system), the write goes out of bounds and corrupts heap memory.
An attacker can trigger this vulnerability by providing a hostname/destination address of a specific length, resulting in memory corruption, which could trigger a program crash or remote code execution. This vulnerability affects all curl applications that use the connection caching feature, especially when dealing with long hostnames.
The fix should change the struct definition to use the correct flexible array: char dest[] or char dest[1], and ensure that memory allocation correctly takes string length into account.
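The report quotes the struct and the memcpy but not the allocation in cpool_bundle_create, and the allocation is what decides the question. Declaring the last member as a one-element array (char *dest[1] or char dest[1]) is the classic pre-C99 "struct hack": the member marks where a trailing, variably sized region begins, and the object is allocated as sizeof(struct) plus the string length, so the memcpy stays inside the allocation. A heap overflow of the kind described only arises if the allocation is sizeof(struct) alone, in which case the slack after the header is exactly one pointer, which is where the report's "8 bytes" figure comes from. The page records that the report was closed as Not-Applicable. The following added C example is editorial illustration, not curl's code and not the reporter's: the struct is a simplified stand-in (the first member is a placeholder, not curl's Curl_llist), and bundle_alloc_size, write_fits, slack_without_overalloc, bundle_create and bundle_dest are hypothetical names. write_fits is the check a triager would apply to the real allocation line.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for the struct quoted in the report. This is NOT
 * curl's definition: the first member is a placeholder for the connection
 * list header. dest is the one-element pointer array the report objects to;
 * memcpy targets the bytes that begin at dest, so whether the copy fits is
 * decided by the allocation size, not by the declared element type. */
struct bundle {
  void *conns_placeholder; /* stands in for the connection list header */
  size_t dest_len;         /* bytes of destination string, including NUL */
  char *dest[1];           /* start of the trailing region holding the string */
};

/* Allocation size the struct-hack pattern requires: header plus the string.
 * (The declared dest[1] adds one pointer of unused slack on top.) */
size_t bundle_alloc_size(size_t dest_len)
{
  return sizeof(struct bundle) + dest_len;
}

/* Triage check: does a memcpy of dest_len bytes starting at bundle->dest
 * stay inside an allocation of alloc_size bytes? */
int write_fits(size_t alloc_size, size_t dest_len)
{
  return offsetof(struct bundle, dest) + dest_len <= alloc_size;
}

/* How many string bytes fit if the object were allocated as sizeof(struct)
 * alone, i.e. the buggy variant the report assumes. On a 64-bit target this
 * is 8, the pointer size cited in the report. */
size_t slack_without_overalloc(void)
{
  return sizeof(struct bundle) - offsetof(struct bundle, dest);
}

/* Hypothetical constructor following the struct-hack pattern correctly:
 * allocate header + string, then copy. */
struct bundle *bundle_create(const char *dest)
{
  size_t dest_len = strlen(dest) + 1; /* include the terminating NUL */
  struct bundle *b = calloc(1, bundle_alloc_size(dest_len));
  if(!b)
    return NULL;
  b->dest_len = dest_len;
  /* In bounds: write_fits(bundle_alloc_size(dest_len), dest_len) holds. */
  memcpy(b->dest, dest, dest_len);
  return b;
}

/* Read the stored destination back as a C string. */
const char *bundle_dest(const struct bundle *b)
{
  return (const char *)b->dest;
}
```

Run write_fits against the real allocation line before filing this class of report: if the size passed to malloc/calloc is sizeof(struct) + dest_len, the one-element array is a style choice (a C99 flexible array member, char dest[], would express the same layout with less slack), not a memory-safety bug.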
Report Details
Additional information and metadata
State
Closed
Substate
Not-Applicable
Weakness
Heap Overflow