CVE-2023-38545: heap buffer overflow in curl SOCKS5 proxy via async state machine socks5_resolve_local bypass
In curl 8.3.0 (lib/socks.c), the do_SOCKS5 function implements the SOCKS5 handshake as a state machine that is called repeatedly in non-blocking (async) mode. On every invocation it computes socks5_resolve_local as a LOCAL boolean (lines 573-574). A safety guard at lines 589-592 forces this flag to TRUE for hostnames longer than 255 bytes, but the guard sits INSIDE the case CONNECT_SOCKS_INIT: block of the switch statement. When the state machine resumes from a later state (e.g. CONNECT_SOCKS_READ on a subsequent async call), the switch jumps past CONNECT_SOCKS_INIT entirely and the guard never runs. For the SOCKS5_HOSTNAME proxy type, socks5_resolve_local therefore remains FALSE, so the CONNECT_RESOLVE_REMOTE code path copies a hostname longer than 255 bytes into the heap-allocated data->state.buffer without a bounds check, producing a heap overflow whenever hostname_len > (buffer_size - 7).
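The guard-bypass pattern described above, modelled as an added example in C (hypothetical code, not curl's lib/socks.c): the vulnerable variant recomputes resolve_local as a local on every call, so the decision made in SOCKS_INIT for a hostname over 255 bytes is lost when the machine re-enters at SOCKS_RESOLVE_REMOTE, while the hardened variant stores that decision in the connection state (one possible fix, not a claim about curl's actual patch). The 300-byte buffer, the 512-byte host limit and the memcpy stand-in are constructed; the bounds check that returns OUT_WOULD_OVERFLOW marks the point where the real code wrote past the heap buffer.

```c
#include <stdbool.h>
#include <string.h>
/* Hypothetical model of the do_SOCKS5 state machine; not curl's own code. */
enum socks_state { SOCKS_INIT, SOCKS_RESOLVE_REMOTE };
enum outcome { OUT_AGAIN, OUT_RESOLVED_LOCALLY, OUT_SENT_REMOTE, OUT_WOULD_OVERFLOW };
struct conn {
    enum socks_state state;   /* persists across calls, like the real state */
    bool resolve_local_saved; /* hardened variant stores the decision here */
    char buffer[300];         /* constructed stand-in for data->state.buffer */
};

/* One re-entrant step; 'hardened' keeps the >255 decision in the conn, not in a per-call local. */
static enum outcome socks5_step(struct conn *c, const char *host, bool hardened)
{
    size_t hostlen = strlen(host);
    /* Vulnerable pattern: a LOCAL derived from the proxy type on every call; for a
     * "proxy resolves the name" type (SOCKS5_HOSTNAME) it starts out FALSE each time. */
    bool resolve_local = hardened ? c->resolve_local_saved : false;
    switch (c->state) {
    case SOCKS_INIT:
        if (hostlen > 255) {                   /* guard lives only in INIT */
            resolve_local = true;
            if (hardened) c->resolve_local_saved = true;
        }
        c->state = SOCKS_RESOLVE_REMOTE;
        return OUT_AGAIN;                      /* simulated EAGAIN: caller re-enters */
    case SOCKS_RESOLVE_REMOTE:
        if (resolve_local)
            return OUT_RESOLVED_LOCALLY;       /* hostname is never copied */
        /* 4 header bytes + 1 length byte + host + 2 port bytes must fit */
        if (hostlen + 7 > sizeof c->buffer)
            return OUT_WOULD_OVERFLOW;         /* curl 8.3.0 had no check here */
        memcpy(c->buffer + 5, host, hostlen);
        return OUT_SENT_REMOTE;
    default: return OUT_AGAIN;
    }
}

/* Drive a handshake for a constructed hostname of n 'a' characters, re-entering until done. */
enum outcome run_with_len(size_t n, bool hardened)
{
    struct conn c = { SOCKS_INIT, false, {0} };
    char host[512];
    enum outcome o;
    if (n >= sizeof host) n = sizeof host - 1;
    memset(host, 'a', n);
    host[n] = '\0';
    do o = socks5_step(&c, host, hardened); while (o == OUT_AGAIN);
    return o;
}
```

With the constructed 300-byte buffer, a 280-byte hostname slips past the bypassed guard but still fits, whereas a 400-byte hostname exceeds buffer_size - 7 and trips the overflow check; the hardened variant resolves locally in both cases.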