doh: improve HTTPS RR svcparams parsing

Fixed a heap read overflow when parsing the HTTP RR svcparams. Also the
code failed to enforce the requirements of SvcParamKey order specified
in section 2.2 of the RFC 9460.

Closes #16598

diff --git a/lib/doh.c b/lib/doh.c
index 26d34b9ffea34b4fc49b9b195a72fc4df711535e..6b37727c38ab6f266eb653a98786034648856843 100644 (file)
--- a/lib/doh.c
+++ b/lib/doh.c
@@ -1088,6 +1088,7 @@ static CURLcode doh_resp_decode_httpsrr(struct Curl_easy *data,
                                         struct Curl_https_rrinfo **hrr)
 {
   uint16_t pcode = 0, plen = 0;
+  uint32_t expected_min_pcode = 0;
   struct Curl_https_rrinfo *lhrr = NULL;
   char *dnsname = NULL;
   CURLcode result = CURLE_OUT_OF_MEMORY;
@@ -1114,13 +1115,16 @@ static CURLcode doh_resp_decode_httpsrr(struct Curl_easy *data,
     plen = doh_get16bit(cp, 2);
     cp += 4;
     len -= 4;
+    if(pcode < expected_min_pcode || plen > len) {
+      result = CURLE_WEIRD_SERVER_REPLY;
+      goto err;
+    }
     result = Curl_httpsrr_set(data, lhrr, pcode, cp, plen);
     if(result)
       goto err;
-    if(plen > 0 && plen <= len) {
-      cp += plen;
-      len -= plen;
-    }
+    cp += plen;
+    len -= plen;
+    expected_min_pcode = pcode + 1;
   }
   DEBUGASSERT(!len);
   *hrr = lhrr;