CVE-2024-2004:
When a protocol selection parameter option disables all protocols without adding any then the...
3.5
Root Cause Analysis
The vulnerability (CVE-2024-2004) occurs when a protocol selection option (like curl --proto -all,-http) effectively disables all protocols. Due to a logic error, the default set of protocols would remain enabled instead of no protocols being allowed.
The analysis of the fixing commit 17d302e56221f5040092db77d4f85086e8a20e0e reveals that the core of the vulnerability lies in the protocol2num function in lib/setopt.c. This function is responsible for parsing the protocol string and setting the curl_prot_t bitmask. The fix involved moving the initialization *val = 0; (where val is the pointer to the protocol bitmask) to the very beginning of this function. This ensures that the protocol set is always cleared before attempting to parse and add allowed protocols from the input string. If the string results in no protocols being explicitly allowed, the set correctly remains empty.
The Curl_vsetopt function is the caller of protocol2num for the CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR options. It passes the user-provided string and the address of the protocol set (e.g., data->set.allowed_protocols) to protocol2num. The patch also modified Curl_vsetopt to pass the pointer to data->set.allowed_protocols directly, rather than using an intermediate variable, ensuring the fix in protocol2num has the intended effect. Therefore, protocol2num contains the direct faulty logic, and Curl_vsetopt is the immediate function that processes the user input leading to the vulnerable code path.
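The following C program is an added example written for this page; it is not curl's code and does not reproduce lib/setopt.c. It models the two orderings the root cause analysis describes for both the parser and its setopt-style caller: a pre-fix parser that only zeroes the caller's bitmask once it starts adding schemes, and the fixed parser that zeroes *val before doing anything else. Everything in it is constructed for the demonstration: the prot_t type, the PROTO_* bits, the DEFAULT_PROTOCOLS value standing in for the handle's default set, and the assumption that a selection such as -all,-http reaches the parser as a list with no scheme names left (modelled as the empty string). The point to take away is that the caller's pre-existing default survives in the pre-fix ordering, so a deployment that believes it disabled every protocol has in fact disabled none.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

typedef uint32_t prot_t;             /* constructed stand-in for curl_prot_t */

#define PROTO_HTTP  (1u << 0)        /* constructed protocol bits */
#define PROTO_HTTPS (1u << 1)
#define PROTO_FTP   (1u << 2)
#define PROTO_SFTP  (1u << 3)
/* constructed default set a handle starts with before any setopt call */
#define DEFAULT_PROTOCOLS (PROTO_HTTP | PROTO_HTTPS | PROTO_FTP | PROTO_SFTP)

enum { OK = 0, ERR_BAD_ARG = 1, ERR_UNSUPPORTED = 2 };

static const struct { const char *name; prot_t bit; } schemes[] = {
  { "http", PROTO_HTTP }, { "https", PROTO_HTTPS },
  { "ftp",  PROTO_FTP  }, { "sftp",  PROTO_SFTP  },
};

/* Look up one comma-delimited token of length tlen; 0 means unknown. */
static prot_t lookup(const char *token, size_t tlen)
{
  size_t i;
  for(i = 0; i < sizeof(schemes) / sizeof(schemes[0]); i++)
    if(strlen(schemes[i].name) == tlen && !strncmp(schemes[i].name, token, tlen))
      return schemes[i].bit;
  return 0;
}

/* Parse "http,https,..." into *val. "all" selects every protocol.
 * clear_first == 0 models the pre-fix ordering: *val is only cleared once a
 * non-empty list is about to be parsed, so an empty list returns early and
 * leaves whatever the caller had in *val.
 * clear_first == 1 models the fix: *val is zeroed at the very beginning. */
static int parse_protocols(const char *str, prot_t *val, int clear_first)
{
  if(!str)
    return ERR_BAD_ARG;
  if(clear_first)
    *val = 0;                        /* fixed ordering: always start empty */
  if(!strcmp(str, "all")) {
    *val = ~(prot_t)0;
    return OK;
  }
  if(!*str)
    return OK;                       /* pre-fix: returns before clearing */
  if(!clear_first)
    *val = 0;                        /* pre-fix: cleared too late */
  do {
    const char *token = str;
    size_t tlen;
    prot_t bit;
    str = strchr(str, ',');
    if(str) { tlen = (size_t)(str - token); str++; }
    else tlen = strlen(token);
    if(!tlen) continue;              /* tolerate "a,,b" style empty tokens */
    bit = lookup(token, tlen);
    if(!bit) return ERR_UNSUPPORTED;
    *val |= bit;
  } while(str);
  return OK;
}

/* Model of the setopt caller: the handle starts with the default set and the
 * parser writes straight into it. On a parse error the previous value is kept,
 * which is all this demonstration needs to show. */
static prot_t apply_setopt(const char *str, int clear_first)
{
  prot_t allowed = DEFAULT_PROTOCOLS;
  (void)parse_protocols(str, &allowed, clear_first);
  return allowed;
}

/* The check a transfer would make before using a scheme. */
static int is_allowed(prot_t allowed, prot_t bit)
{
  return (allowed & bit) != 0;
}

int main(void)
{
  /* "" models a selection that removed every scheme, e.g. -all,-http */
  prot_t pre_fix = apply_setopt("", 0);
  prot_t fixed = apply_setopt("", 1);
  printf("pre-fix: http allowed after disabling everything = %d\n",
         is_allowed(pre_fix, PROTO_HTTP));
  printf("fixed  : http allowed after disabling everything = %d\n",
         is_allowed(fixed, PROTO_HTTP));
  printf("fixed  : \"https\" -> http=%d https=%d\n",
         is_allowed(apply_setopt("https", 1), PROTO_HTTP),
         is_allowed(apply_setopt("https", 1), PROTO_HTTPS));
  return 0;
}
```

The explicit-selection cases ("https", "http,sftp", "all") behave identically under both orderings, which is why the defect was easy to miss: only the input that yields an empty set exposes it, and the difference is only visible from the caller's side, where the stale default set is what later gets checked.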