curl/curl
1
1
Fork 0
mirror of https://github.com/curl/curl.git synced 2025-09-10 14:12:41 +03:00
Code Issues Packages Projects Releases Wiki Activity

doh: improve HTTPS RR svcparams parsing

Browse Source 
Fixed a heap read overflow when parsing the HTTP RR svcparams. Also the
code failed to enforce the requirements of SvcParamKey order specified
in section 2.2 of the RFC 9460.

Closes #16598
This commit is contained in:
Harry Sintonen 2025-03-06 21:42:43 +02:00 committed by Daniel Stenberg
parent 3a8920e5ed
commit f1662ae97b
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
lib/doh.c
View File

@ -1088,6 +1088,7 @@ static CURLcode doh_resp_decode_httpsrr(struct Curl_easy *data,
struct Curl_https_rrinfo **hrr) struct Curl_https_rrinfo **hrr)
{ {
uint16_t pcode = 0, plen = 0; uint16_t pcode = 0, plen = 0;
uint32_t expected_min_pcode = 0;
struct Curl_https_rrinfo *lhrr = NULL; struct Curl_https_rrinfo *lhrr = NULL;
char *dnsname = NULL; char *dnsname = NULL;
CURLcode result = CURLE_OUT_OF_MEMORY; CURLcode result = CURLE_OUT_OF_MEMORY;
@ -1114,13 +1115,16 @@ static CURLcode doh_resp_decode_httpsrr(struct Curl_easy *data,
plen = doh_get16bit(cp, 2); plen = doh_get16bit(cp, 2);
cp += 4; cp += 4;
len -= 4; len -= 4;
if(pcode < expected_min_pcode || plen > len) {
result = CURLE_WEIRD_SERVER_REPLY;
goto err;
}
result = Curl_httpsrr_set(data, lhrr, pcode, cp, plen); result = Curl_httpsrr_set(data, lhrr, pcode, cp, plen);
if(result) if(result)
goto err; goto err;
if(plen > 0 && plen <= len) {
cp += plen; cp += plen;
len -= plen; len -= plen;
} expected_min_pcode = pcode + 1;
} }
DEBUGASSERT(!len); DEBUGASSERT(!len);
*hrr = lhrr; *hrr = lhrr;