118 lines
3.5 KiB
Diff
118 lines
3.5 KiB
Diff
From efb24b6472e8b87c5832c0590f14e99e82fcdeeb Mon Sep 17 00:00:00 2001
|
|
From: Norbert Pocs <norbertpocs0@gmail.com>
|
|
Date: Tue, 10 Oct 2023 12:44:16 +0200
|
|
Subject: [PATCH 3/9] CVE-2023-6004: misc: Add function to check allowed
|
|
characters of a hostname
|
|
|
|
The hostname can be a domain name or an ip address. The colon has to be
|
|
allowed because of IPv6 even it is prohibited in domain names.
|
|
|
|
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
|
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
|
|
|
Conflict: NA
|
|
Reference:https://git.libssh.org/projects/libssh.git/patch/?id=efb24b6472e8b87c5832c0590f14e99e82fcdeeb
|
|
---
|
|
include/libssh/misc.h | 2 ++
|
|
src/misc.c | 68 +++++++++++++++++++++++++++++++++++++++++++
|
|
2 files changed, 70 insertions(+)
|
|
|
|
diff --git a/include/libssh/misc.h b/include/libssh/misc.h
|
|
index 3cc3b113..a5bee930 100644
|
|
--- a/include/libssh/misc.h
|
|
+++ b/include/libssh/misc.h
|
|
@@ -97,4 +97,6 @@ int ssh_mkdirs(const char *pathname, mode_t mode);
|
|
int ssh_quote_file_name(const char *file_name, char *buf, size_t buf_len);
|
|
int ssh_newline_vis(const char *string, char *buf, size_t buf_len);
|
|
|
|
+int ssh_check_hostname_syntax(const char *hostname);
|
|
+
|
|
#endif /* MISC_H_ */
|
|
diff --git a/src/misc.c b/src/misc.c
|
|
index 149eb85e..e4239e81 100644
|
|
--- a/src/misc.c
|
|
+++ b/src/misc.c
|
|
@@ -94,6 +94,8 @@
|
|
#define ZLIB_STRING ""
|
|
#endif
|
|
|
|
+#define ARPA_DOMAIN_MAX_LEN 63
|
|
+
|
|
/**
|
|
* @defgroup libssh_misc The SSH helper functions.
|
|
* @ingroup libssh
|
|
@@ -1734,4 +1736,70 @@ int ssh_newline_vis(const char *string, char *buf, size_t buf_len)
|
|
return out - buf;
|
|
}
|
|
|
|
+/**
|
|
+ * @brief Checks syntax of a domain name
|
|
+ *
|
|
+ * The check is made based on the RFC1035 section 2.3.1
|
|
+ * Allowed characters are: hyphen, period, digits (0-9) and letters (a-zA-Z)
|
|
+ *
|
|
+ * The label should be no longer than 63 characters
|
|
+ * The label should start with a letter and end with a letter or number
|
|
+ * The label in this implementation can start with a number to allow virtual
|
|
+ * URLs to pass. Note that this will make IPv4 addresses to pass
|
|
+ * this check too.
|
|
+ *
|
|
+ * @param hostname The domain name to be checked, has to be null terminated
|
|
+ *
|
|
+ * @return SSH_OK if the hostname passes syntax check
|
|
+ * SSH_ERROR otherwise or if hostname is NULL or empty string
|
|
+ */
|
|
+int ssh_check_hostname_syntax(const char *hostname)
|
|
+{
|
|
+ char *it = NULL, *s = NULL, *buf = NULL;
|
|
+ size_t it_len;
|
|
+ char c;
|
|
+
|
|
+ if (hostname == NULL || strlen(hostname) == 0) {
|
|
+ return SSH_ERROR;
|
|
+ }
|
|
+
|
|
+ /* strtok_r writes into the string, keep the input clean */
|
|
+ s = strdup(hostname);
|
|
+ if (s == NULL) {
|
|
+ return SSH_ERROR;
|
|
+ }
|
|
+
|
|
+ it = strtok_r(s, ".", &buf);
|
|
+ /* if the token has 0 length */
|
|
+ if (it == NULL) {
|
|
+ free(s);
|
|
+ return SSH_ERROR;
|
|
+ }
|
|
+ do {
|
|
+ it_len = strlen(it);
|
|
+ if (it_len > ARPA_DOMAIN_MAX_LEN ||
|
|
+ /* the first char must be a letter, but some virtual urls start
|
|
+ * with a number */
|
|
+ isalnum(it[0]) == 0 ||
|
|
+ isalnum(it[it_len - 1]) == 0) {
|
|
+ free(s);
|
|
+ return SSH_ERROR;
|
|
+ }
|
|
+ while (*it != '\0') {
|
|
+ c = *it;
|
|
+ /* the "." is allowed too, but tokenization removes it from the
|
|
+ * string */
|
|
+ if (isalnum(c) == 0 && c != '-') {
|
|
+ free(s);
|
|
+ return SSH_ERROR;
|
|
+ }
|
|
+ it++;
|
|
+ }
|
|
+ } while ((it = strtok_r(NULL, ".", &buf)) != NULL);
|
|
+
|
|
+ free(s);
|
|
+
|
|
+ return SSH_OK;
|
|
+}
|
|
+
|
|
/** @} */
|
|
--
|
|
2.33.0
|
|
|