ssh: Be more paranoid with host/domain names coming from the

never write a name with bad characters to a known_hosts file.

replace recently-added valid_domain() check for hostnames going to
known_hosts with a more relaxed check for bad characters.

Obtained from:	OpenSSH-portable commit 445363433ba2
Obtained from:	OpenSSH-portable commit 3cae9f92a318
Sponsored by:	The FreeBSD Foundation

(cherry picked from commit 2e828220579e3ada74ed0613871ec6ec61d669ba)

1 files changed, 13 insertions, 2 deletions

diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c
index eb5353e2d408..b44518d7acc7 100644
--- a/crypto/openssh/sshconnect.c
+++ b/crypto/openssh/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.358 2022/08/26 08:16:27 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.360 2022/11/03 21:59:20 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -935,7 +935,7 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
 	char *ip = NULL, *host = NULL;
 	char hostline[1000], *hostp, *fp, *ra;
 	char msg[1024];
-	const char *type, *fail_reason;
+	const char *type, *fail_reason = NULL;
 	const struct hostkey_entry *host_found = NULL, *ip_found = NULL;
 	int len, cancelled_forwarding = 0, confirmed;
 	int local = sockaddr_is_local(hostaddr);
@@ -961,6 +961,17 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
 	}
 
 	/*
+	 * Don't ever try to write an invalid name to a known hosts file.
+	 * Note: do this before get_hostfile_hostname_ipaddr() to catch
+	 * '[' or ']' in the name before they are added.
+	 */
+	if (strcspn(hostname, "@?*#[]|'\'\"\\") != strlen(hostname)) {
+		debug_f("invalid hostname \"%s\"; will not record: %s",
+		    hostname, fail_reason);
+		readonly = RDONLY;
+	}
+
+	/*
 	 * Prepare the hostname and address strings used for hostkey lookup.
 	 * In some cases, these will have a port number appended.
 	 */