From 2e828220579e3ada74ed0613871ec6ec61d669ba Mon Sep 17 00:00:00 2001 From: Ed Maste Date: Mon, 6 Feb 2023 11:45:52 -0500 Subject: [PATCH] ssh: Be more paranoid with host/domain names coming from the never write a name with bad characters to a known_hosts file. replace recently-added valid_domain() check for hostnames going to known_hosts with a more relaxed check for bad characters. Obtained from: OpenSSH-portable commit 445363433ba2 Obtained from: OpenSSH-portable commit 3cae9f92a318 Sponsored by: The FreeBSD Foundation --- crypto/openssh/ssh.c | 8 ++++++-- crypto/openssh/sshconnect.c | 15 +++++++++++++-- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/crypto/openssh/ssh.c b/crypto/openssh/ssh.c index 9b5ec2dfd14b..b7dd6ca8bff4 100644 --- a/crypto/openssh/ssh.c +++ b/crypto/openssh/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.576 2022/09/17 10:33:18 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.579 2022/10/24 22:43:36 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -251,6 +251,7 @@ static struct addrinfo * resolve_host(const char *name, int port, int logerr, char *cname, size_t clen) { char strport[NI_MAXSERV]; + const char *errstr = NULL; struct addrinfo hints, *res; int gaierr; LogLevel loglevel = SYSLOG_LEVEL_DEBUG1; @@ -276,7 +277,10 @@ resolve_host(const char *name, int port, int logerr, char *cname, size_t clen) return NULL; } if (cname != NULL && res->ai_canonname != NULL) { - if (strlcpy(cname, res->ai_canonname, clen) >= clen) { + if (!valid_domain(res->ai_canonname, 0, &errstr)) { + error("ignoring bad CNAME \"%s\" for host \"%s\": %s", + res->ai_canonname, name, errstr); + } else if (strlcpy(cname, res->ai_canonname, clen) >= clen) { error_f("host \"%s\" cname \"%s\" too long (max %lu)", name, res->ai_canonname, (u_long)clen); if (clen > 0) diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c index 7b3f260ee788..0fca52b220ff 100644 --- a/crypto/openssh/sshconnect.c +++ b/crypto/openssh/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.358 2022/08/26 08:16:27 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.360 2022/11/03 21:59:20 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -935,7 +935,7 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo, char *ip = NULL, *host = NULL; char hostline[1000], *hostp, *fp, *ra; char msg[1024]; - const char *type, *fail_reason; + const char *type, *fail_reason = NULL; const struct hostkey_entry *host_found = NULL, *ip_found = NULL; int len, cancelled_forwarding = 0, confirmed; int local = sockaddr_is_local(hostaddr); @@ -960,6 +960,17 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo, return 0; } + /* + * Don't ever try to write an invalid name to a known hosts file. + * Note: do this before get_hostfile_hostname_ipaddr() to catch + * '[' or ']' in the name before they are added. + */ + if (strcspn(hostname, "@?*#[]|'\'\"\\") != strlen(hostname)) { + debug_f("invalid hostname \"%s\"; will not record: %s", + hostname, fail_reason); + readonly = RDONLY; + } + /* * Prepare the hostname and address strings used for hostkey lookup. * In some cases, these will have a port number appended.