From 4d7ae19e9cd8c407012b40f3f2eaf480bfb1da7d Mon Sep 17 00:00:00 2001
From: Norbert Pocs
Date: Tue, 10 Oct 2023 18:33:56 +0200
Subject: [PATCH 5/9] CVE-2023-6004: config_parser: Check for valid syntax of a hostname if it is a domain name
This prevents code injection. The domain name syntax checker is based on RFC1035.
Signed-off-by: Norbert Pocs
Reviewed-by: Andreas Schneider
Conflict: NA
Reference:https://git.libssh.org/projects/libssh.git/patch/?id=4d7ae19e9cd8c407012b40f3f2eaf480bfb1da7d
---
 src/config_parser.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/config_parser.c b/src/config_parser.c
index 76cca224..87bac5d4 100644
--- a/src/config_parser.c
+++ b/src/config_parser.c
@@ -30,6 +30,7 @@
 #include "libssh/config_parser.h"
 #include "libssh/priv.h"
+#include "libssh/misc.h"
 char *ssh_config_get_cmd(char **str)
 {
@@ -139,6 +140,7 @@ int ssh_config_parse_uri(const char *tok,
 {
 char *endp = NULL;
 long port_n;
+ int rc;
 /* Sanitize inputs */
 if (username != NULL) {
@@ -196,6 +198,14 @@ int ssh_config_parse_uri(const char *tok,
 if (*hostname == NULL) {
 goto error;
 }
+ /* if not an ip, check syntax */
+ rc = ssh_is_ipaddr(*hostname);
+ if (rc == 0) {
+ rc = ssh_check_hostname_syntax(*hostname);
+ if (rc != SSH_OK) {
+ goto error;
+ }
+ }
 }
 /* Skip also the closing bracket */
 if (*endp == ']') {
--
2.33.0
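Review bot: The added check in ssh_config_parse_uri() runs the syntax test only when `ssh_is_ipaddr()` returns exactly 0, so a negative error return from that helper (its definition is not part of this patch, so this is an assumption to confirm) would skip `ssh_check_hostname_syntax()` and the hostname would be accepted unchecked. Since this is the guard against injection through the host part, it should fail closed: add `if (rc < 0) { goto error; }` before the `rc == 0` test, or add a comment stating that `ssh_is_ipaddr()` returns only 0 or 1. The check also sits inside a block that opens outside the hunk (apparently the one that fills `*hostname`), so a caller that passes no hostname output pointer may get a success return for a token whose host part was never validated; it is worth confirming that this is intended.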