From: Harry Sintonen Date: Thu, 6 Mar 2025 19:42:43 +0000 (+0200) Subject: doh: improve HTTPS RR svcparams parsing X-Git-Tag: curl-8_13_0~234 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f1662ae97b37c509dbd3ad46d2ac7cc64806e250;p=thirdparty%2Fcurl.git doh: improve HTTPS RR svcparams parsing Fixed a heap read overflow when parsing the HTTP RR svcparams. Also the code failed to enforce the requirements of SvcParamKey order specified in section 2.2 of the RFC 9460. Closes #16598
---
diff --git a/lib/doh.c b/lib/doh.c
index 26d34b9ffe..6b37727c38 100644
--- a/lib/doh.c
+++ b/lib/doh.c
@@ -1088,6 +1088,7 @@ static CURLcode doh_resp_decode_httpsrr(struct Curl_easy *data,
 struct Curl_https_rrinfo **hrr)
 {
 uint16_t pcode = 0, plen = 0;
+ uint32_t expected_min_pcode = 0;
 struct Curl_https_rrinfo *lhrr = NULL;
 char *dnsname = NULL;
 CURLcode result = CURLE_OUT_OF_MEMORY;
@@ -1114,13 +1115,16 @@ static CURLcode doh_resp_decode_httpsrr(struct Curl_easy *data,
 plen = doh_get16bit(cp, 2);
 cp += 4;
 len -= 4;
+ if(pcode < expected_min_pcode || plen > len) {
+ result = CURLE_WEIRD_SERVER_REPLY;
+ goto err;
+ }
 result = Curl_httpsrr_set(data, lhrr, pcode, cp, plen);
 if(result)
 goto err;
- if(plen > 0 && plen <= len) {
- cp += plen;
- len -= plen;
- }
+ cp += plen;
+ len -= plen;
+ expected_min_pcode = pcode + 1;
 }
 DEBUGASSERT(!len);
 *hrr = lhrr;
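Review bot: The declaration `uint32_t expected_min_pcode = 0;` is wider than the `uint16_t pcode` it is compared against, and nothing in the code says why. The second hunk stores `pcode + 1` into it, which reaches 65536 for key 65535; a 16-bit variable would wrap to 0 at that point and accept any later key again, so the extra width is what keeps the ordering check sound. I would add a comment on the declaration such as `/* wider than pcode: pcode + 1 must not wrap after key 65535 */` so that nobody narrows the type later. The function body starts before this hunk and continues past it.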
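Review bot: The new `plen > len` test is only as reliable as the value of `len` after `len -= 4`, and no guard for the 4-byte key/length header is visible in this hunk. If `len` is an unsigned size and the loop can be entered with one to three bytes left (the loop condition and the declaration of `len` are outside the hunk, so this is unconfirmed), the `doh_get16bit(cp, 2)` read goes past the record and `len -= 4` wraps to a very large value that lets any `plen` through. Unless the loop condition already guarantees four bytes, add `if(len < 4) { result = CURLE_WEIRD_SERVER_REPLY; goto err; }` ahead of the header reads. A regression test with a truncated svcparams tail would pin this down.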