httpsrr: free old pointers when storing new

In case we get "funny" input and the same field is provided several
times, free the old pointer before stored a new memdup.

Reported in Joshua's sarif data

Closes #18631

diff --git a/lib/httpsrr.c b/lib/httpsrr.c
index 26b8522cc964d0904f360e8fea13387637312c55..8aa7f3b26e47ef046201df1b94eec91e9654d900 100644 (file)
--- a/lib/httpsrr.c
+++ b/lib/httpsrr.c
@@ -98,6 +98,7 @@ CURLcode Curl_httpsrr_set(struct Curl_easy *data,
   case HTTPS_RR_CODE_IPV4: /* addr4 list */
     if(!vlen || (vlen & 3)) /* the size must be 4-byte aligned */
       return CURLE_BAD_FUNCTION_ARGUMENT;
+    free(hi->ipv4hints);
     hi->ipv4hints = Curl_memdup(val, vlen);
     if(!hi->ipv4hints)
       return CURLE_OUT_OF_MEMORY;
@@ -107,6 +108,7 @@ CURLcode Curl_httpsrr_set(struct Curl_easy *data,
   case HTTPS_RR_CODE_ECH:
     if(!vlen)
       return CURLE_BAD_FUNCTION_ARGUMENT;
+    free(hi->echconfiglist);
     hi->echconfiglist = Curl_memdup(val, vlen);
     if(!hi->echconfiglist)
       return CURLE_OUT_OF_MEMORY;
@@ -116,6 +118,7 @@ CURLcode Curl_httpsrr_set(struct Curl_easy *data,
   case HTTPS_RR_CODE_IPV6: /* addr6 list */
     if(!vlen || (vlen & 15)) /* the size must be 16-byte aligned */
       return CURLE_BAD_FUNCTION_ARGUMENT;
+    free(hi->ipv6hints);
     hi->ipv6hints = Curl_memdup(val, vlen);
     if(!hi->ipv6hints)
       return CURLE_OUT_OF_MEMORY;
@@ -186,6 +189,7 @@ CURLcode Curl_httpsrr_from_ares(struct Curl_easy *data,
        is in ServiceMode */
     target = ares_dns_rr_get_str(rr, ARES_RR_HTTPS_TARGET);
     if(target && target[0]) {
+      free(hinfo->target);
       hinfo->target = strdup(target);
       if(!hinfo->target) {
         result = CURLE_OUT_OF_MEMORY;