64 lines
1.7 KiB
Diff
64 lines
1.7 KiB
Diff
From 22492b69bba22b102342afc574800d354a08e405 Mon Sep 17 00:00:00 2001
|
|
From: Norbert Pocs <norbertpocs0@gmail.com>
|
|
Date: Tue, 10 Oct 2023 18:33:56 +0200
|
|
Subject: [PATCH 06/20] CVE-2023-6004: config_parser: Check for valid syntax of
|
|
a hostname if it is a domain name
|
|
|
|
This prevents code injection.
|
|
The domain name syntax checker is based on RFC1035.
|
|
|
|
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
|
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
|
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
|
---
|
|
src/config_parser.c | 12 +++++++++++-
|
|
1 file changed, 11 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/config_parser.c b/src/config_parser.c
|
|
index cf83e2c5..b8b94611 100644
|
|
--- a/src/config_parser.c
|
|
+++ b/src/config_parser.c
|
|
@@ -30,6 +30,7 @@
|
|
|
|
#include "libssh/config_parser.h"
|
|
#include "libssh/priv.h"
|
|
+#include "libssh/misc.h"
|
|
|
|
/* Returns the original string after skipping the leading whitespace
|
|
* until finding LF.
|
|
@@ -47,7 +48,7 @@ char *ssh_config_get_cmd(char **str)
|
|
break;
|
|
}
|
|
}
|
|
-
|
|
+
|
|
for (r = c; *c; c++) {
|
|
if (*c == '\n') {
|
|
*c = '\0';
|
|
@@ -167,6 +168,7 @@ int ssh_config_parse_uri(const char *tok,
|
|
{
|
|
char *endp = NULL;
|
|
long port_n;
|
|
+ int rc;
|
|
|
|
/* Sanitize inputs */
|
|
if (username != NULL) {
|
|
@@ -224,6 +226,14 @@ int ssh_config_parse_uri(const char *tok,
|
|
if (*hostname == NULL) {
|
|
goto error;
|
|
}
|
|
+ /* if not an ip, check syntax */
|
|
+ rc = ssh_is_ipaddr(*hostname);
|
|
+ if (rc == 0) {
|
|
+ rc = ssh_check_hostname_syntax(*hostname);
|
|
+ if (rc != SSH_OK) {
|
|
+ goto error;
|
|
+ }
|
|
+ }
|
|
}
|
|
/* Skip also the closing bracket */
|
|
if (*endp == ']') {
|
|
--
|
|
2.33.0
|
|
|