From a5b8bd0d8841296cf71d927824d60f576581243f Mon Sep 17 00:00:00 2001 From: Norbert Pocs Date: Tue, 31 Oct 2023 09:48:52 +0100 Subject: [PATCH 2/9] CVE-2023-6004: options: Simplify the hostname parsing in ssh_options_set Using ssh_config_parse_uri can simplify the parsing of the host parsing inside the function of ssh_options_set Signed-off-by: Norbert Pocs Reviewed-by: Andreas Schneider Conflict: NA Reference:https://git.libssh.org/projects/libssh.git/patch/?id=a5b8bd0d8841296cf71d927824d60f576581243f --- src/options.c | 40 ++++++++++++++++------------------------ 1 file changed, 16 insertions(+), 24 deletions(-) diff --git a/src/options.c b/src/options.c index b5f951ac..7c03e7ab 100644 --- a/src/options.c +++ b/src/options.c @@ -36,6 +36,7 @@ #include "libssh/session.h" #include "libssh/misc.h" #include "libssh/options.h" +#include "libssh/config_parser.h" #ifdef WITH_SERVER #include "libssh/server.h" #include "libssh/bind.h" @@ -490,33 +491,24 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type, ssh_set_error_invalid(session); return -1; } else { - q = strdup(value); - if (q == NULL) { - ssh_set_error_oom(session); + char *username = NULL, *hostname = NULL, *port = NULL; + rc = ssh_config_parse_uri(value, &username, &hostname, &port); + if (rc != SSH_OK) { return -1; } - p = strrchr(q, '@'); - - SAFE_FREE(session->opts.host); - - if (p) { - *p = '\0'; - session->opts.host = strdup(p + 1); - if (session->opts.host == NULL) { - SAFE_FREE(q); - ssh_set_error_oom(session); - return -1; - } - + if (port != NULL) { + SAFE_FREE(username); + SAFE_FREE(hostname); + SAFE_FREE(port); + return -1; + } + if (username != NULL) { SAFE_FREE(session->opts.username); - session->opts.username = strdup(q); - SAFE_FREE(q); - if (session->opts.username == NULL) { - ssh_set_error_oom(session); - return -1; - } - } else { - session->opts.host = q; + session->opts.username = username; + } + if (hostname != NULL) { + SAFE_FREE(session->opts.host); + session->opts.host = hostname; } } break; -- 2.33.0