From f1662ae97b37c509dbd3ad46d2ac7cc64806e250 Mon Sep 17 00:00:00 2001
From: Harry Sintonen <sintonen@iki.fi>
Date: Thu, 6 Mar 2025 21:42:43 +0200
Subject: [PATCH] doh: improve HTTPS RR svcparams parsing

Fixed a heap read overflow when parsing the HTTP RR svcparams. Also the
code failed to enforce the requirements of SvcParamKey order specified
in section 2.2 of the RFC 9460.

Closes #16598
---
 lib/doh.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/lib/doh.c b/lib/doh.c
index 26d34b9ffe..6b37727c38 100644
--- a/lib/doh.c
+++ b/lib/doh.c
@@ -1088,6 +1088,7 @@ static CURLcode doh_resp_decode_httpsrr(struct Curl_easy *data,
                                         struct Curl_https_rrinfo **hrr)
 {
   uint16_t pcode = 0, plen = 0;
+  uint32_t expected_min_pcode = 0;
   struct Curl_https_rrinfo *lhrr = NULL;
   char *dnsname = NULL;
   CURLcode result = CURLE_OUT_OF_MEMORY;
@@ -1114,13 +1115,16 @@ static CURLcode doh_resp_decode_httpsrr(struct Curl_easy *data,
     plen = doh_get16bit(cp, 2);
     cp += 4;
     len -= 4;
+    if(pcode < expected_min_pcode || plen > len) {
+      result = CURLE_WEIRD_SERVER_REPLY;
+      goto err;
+    }
     result = Curl_httpsrr_set(data, lhrr, pcode, cp, plen);
     if(result)
       goto err;
-    if(plen > 0 && plen <= len) {
-      cp += plen;
-      len -= plen;
-    }
+    cp += plen;
+    len -= plen;
+    expected_min_pcode = pcode + 1;
   }
   DEBUGASSERT(!len);
   *hrr = lhrr;
-- 
2.47.3