119 lines
3.5 KiB
Diff
119 lines
3.5 KiB
Diff
From c6180409677c765e6b9ae2b18a3a7a9671ac1dbe Mon Sep 17 00:00:00 2001
|
|
From: Norbert Pocs <norbertpocs0@gmail.com>
|
|
Date: Tue, 10 Oct 2023 12:44:16 +0200
|
|
Subject: [PATCH 04/20] CVE-2023-6004: misc: Add function to check allowed
|
|
characters of a hostname
|
|
|
|
The hostname can be a domain name or an ip address. The colon has to be
|
|
allowed because of IPv6 even it is prohibited in domain names.
|
|
|
|
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
|
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
|
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
|
---
|
|
include/libssh/misc.h | 3 ++
|
|
src/misc.c | 68 +++++++++++++++++++++++++++++++++++++++++++
|
|
2 files changed, 71 insertions(+)
|
|
|
|
diff --git a/include/libssh/misc.h b/include/libssh/misc.h
|
|
index 924da533..0924ba7f 100644
|
|
--- a/include/libssh/misc.h
|
|
+++ b/include/libssh/misc.h
|
|
@@ -103,6 +103,9 @@ int ssh_newline_vis(const char *string, char *buf, size_t buf_len);
|
|
int ssh_tmpname(char *name);
|
|
|
|
char *ssh_strreplace(const char *src, const char *pattern, const char *repl);
|
|
+
|
|
+int ssh_check_hostname_syntax(const char *hostname);
|
|
+
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif
|
|
diff --git a/src/misc.c b/src/misc.c
|
|
index 7c478a77..be6ee836 100644
|
|
--- a/src/misc.c
|
|
+++ b/src/misc.c
|
|
@@ -94,6 +94,8 @@
|
|
#define ZLIB_STRING ""
|
|
#endif
|
|
|
|
+#define ARPA_DOMAIN_MAX_LEN 63
|
|
+
|
|
/**
|
|
* @defgroup libssh_misc The SSH helper functions
|
|
* @ingroup libssh
|
|
@@ -1974,4 +1976,70 @@ char *ssh_strerror(int err_num, char *buf, size_t buflen)
|
|
#endif /* defined(__linux__) && defined(__GLIBC__) && defined(_GNU_SOURCE) */
|
|
}
|
|
|
|
+/**
|
|
+ * @brief Checks syntax of a domain name
|
|
+ *
|
|
+ * The check is made based on the RFC1035 section 2.3.1
|
|
+ * Allowed characters are: hyphen, period, digits (0-9) and letters (a-zA-Z)
|
|
+ *
|
|
+ * The label should be no longer than 63 characters
|
|
+ * The label should start with a letter and end with a letter or number
|
|
+ * The label in this implementation can start with a number to allow virtual
|
|
+ * URLs to pass. Note that this will make IPv4 addresses to pass
|
|
+ * this check too.
|
|
+ *
|
|
+ * @param hostname The domain name to be checked, has to be null terminated
|
|
+ *
|
|
+ * @return SSH_OK if the hostname passes syntax check
|
|
+ * SSH_ERROR otherwise or if hostname is NULL or empty string
|
|
+ */
|
|
+int ssh_check_hostname_syntax(const char *hostname)
|
|
+{
|
|
+ char *it = NULL, *s = NULL, *buf = NULL;
|
|
+ size_t it_len;
|
|
+ char c;
|
|
+
|
|
+ if (hostname == NULL || strlen(hostname) == 0) {
|
|
+ return SSH_ERROR;
|
|
+ }
|
|
+
|
|
+ /* strtok_r writes into the string, keep the input clean */
|
|
+ s = strdup(hostname);
|
|
+ if (s == NULL) {
|
|
+ return SSH_ERROR;
|
|
+ }
|
|
+
|
|
+ it = strtok_r(s, ".", &buf);
|
|
+ /* if the token has 0 length */
|
|
+ if (it == NULL) {
|
|
+ free(s);
|
|
+ return SSH_ERROR;
|
|
+ }
|
|
+ do {
|
|
+ it_len = strlen(it);
|
|
+ if (it_len > ARPA_DOMAIN_MAX_LEN ||
|
|
+ /* the first char must be a letter, but some virtual urls start
|
|
+ * with a number */
|
|
+ isalnum(it[0]) == 0 ||
|
|
+ isalnum(it[it_len - 1]) == 0) {
|
|
+ free(s);
|
|
+ return SSH_ERROR;
|
|
+ }
|
|
+ while (*it != '\0') {
|
|
+ c = *it;
|
|
+ /* the "." is allowed too, but tokenization removes it from the
|
|
+ * string */
|
|
+ if (isalnum(c) == 0 && c != '-') {
|
|
+ free(s);
|
|
+ return SSH_ERROR;
|
|
+ }
|
|
+ it++;
|
|
+ }
|
|
+ } while ((it = strtok_r(NULL, ".", &buf)) != NULL);
|
|
+
|
|
+ free(s);
|
|
+
|
|
+ return SSH_OK;
|
|
+}
|
|
+
|
|
/** @} */
|
|
--
|
|
2.33.0
|
|
|