57 lines
1.5 KiB
Diff
57 lines
1.5 KiB
Diff
From 4d7ae19e9cd8c407012b40f3f2eaf480bfb1da7d Mon Sep 17 00:00:00 2001
|
|
From: Norbert Pocs <norbertpocs0@gmail.com>
|
|
Date: Tue, 10 Oct 2023 18:33:56 +0200
|
|
Subject: [PATCH 5/9] CVE-2023-6004: config_parser: Check for valid syntax of a
|
|
hostname if it is a domain name
|
|
|
|
This prevents code injection.
|
|
The domain name syntax checker is based on RFC1035.
|
|
|
|
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
|
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
|
|
|
Conflict: NA
|
|
Reference:https://git.libssh.org/projects/libssh.git/patch/?id=4d7ae19e9cd8c407012b40f3f2eaf480bfb1da7d
|
|
---
|
|
src/config_parser.c | 10 ++++++++++
|
|
1 file changed, 10 insertions(+)
|
|
|
|
diff --git a/src/config_parser.c b/src/config_parser.c
|
|
index 76cca224..87bac5d4 100644
|
|
--- a/src/config_parser.c
|
|
+++ b/src/config_parser.c
|
|
@@ -30,6 +30,7 @@
|
|
|
|
#include "libssh/config_parser.h"
|
|
#include "libssh/priv.h"
|
|
+#include "libssh/misc.h"
|
|
|
|
char *ssh_config_get_cmd(char **str)
|
|
{
|
|
@@ -139,6 +140,7 @@ int ssh_config_parse_uri(const char *tok,
|
|
{
|
|
char *endp = NULL;
|
|
long port_n;
|
|
+ int rc;
|
|
|
|
/* Sanitize inputs */
|
|
if (username != NULL) {
|
|
@@ -196,6 +198,14 @@ int ssh_config_parse_uri(const char *tok,
|
|
if (*hostname == NULL) {
|
|
goto error;
|
|
}
|
|
+ /* if not an ip, check syntax */
|
|
+ rc = ssh_is_ipaddr(*hostname);
|
|
+ if (rc == 0) {
|
|
+ rc = ssh_check_hostname_syntax(*hostname);
|
|
+ if (rc != SSH_OK) {
|
|
+ goto error;
|
|
+ }
|
|
+ }
|
|
}
|
|
/* Skip also the closing bracket */
|
|
if (*endp == ']') {
|
|
--
|
|
2.33.0
|
|
|