From 22492b69bba22b102342afc574800d354a08e405 Mon Sep 17 00:00:00 2001
From: Norbert Pocs
Date: Tue, 10 Oct 2023 18:33:56 +0200
Subject: [PATCH] CVE-2023-6004: config_parser: Check for valid syntax of a hostname if it is a domain name
This prevents code injection. The domain name syntax checker is based on RFC1035.
Signed-off-by: Norbert Pocs
Reviewed-by: Andreas Schneider
Reviewed-by: Jakub Jelen
CVE: CVE-2023-6004
Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/22492b69bba22b102342afc574800d354a08e405]
Signed-off-by: nikhil r
Comment: Refreshed hunk 2 and 3 from config_parser.c
---
 src/config_parser.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/config_parser.c b/src/config_parser.c
index cf83e2c5e..b8b94611a 100644
--- a/src/config_parser.c
+++ b/src/config_parser.c
@@ -30,6 +30,7 @@
 #include "libssh/config_parser.h"
 #include "libssh/priv.h"
+#include "libssh/misc.h"
 char *ssh_config_get_cmd(char **str)
 {
@@ -139,6 +140,7 @@ int ssh_config_parse_uri(const char *tok,
 {
 char *endp = NULL;
 long port_n;
+ int rc;
 /* Sanitize inputs */
 if (username != NULL) {
@@ -196,6 +198,14 @@ int ssh_config_parse_uri(const char *tok,
 if (*hostname == NULL) {
 goto error;
 }
+ /* if not an ip, check syntax */
+ rc = ssh_is_ipaddr(*hostname);
+ if (rc == 0) {
+ rc = ssh_check_hostname_syntax(*hostname);
+ if (rc != SSH_OK) {
+ goto error;
+ }
+ }
 }
 /* Skip also the closing bracket */
 if (*endp == ']') {
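Review bot: In the third hunk, `if (rc == 0)` runs ssh_check_hostname_syntax only when ssh_is_ipaddr returns exactly 0, so a negative (error) return would skip the new validation and accept the hostname unchecked. ssh_is_ipaddr is defined outside this patch, so whether it can return a negative value needs confirming against `libssh/misc.h` and its implementation; if it can, the check added for CVE-2023-6004 fails open on that path. Writing the guard as `if (rc <= 0) {` sends every result that is not a confirmed IP address through the syntax check. The comment could also record the reason, for example `/* not an IP literal: require RFC1035 domain-name syntax to prevent code injection */`. The body of ssh_config_parse_uri and the `error` label lie outside the hunk.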