CVE-2023-6004: config_parser: Check for valid syntax of a hostname if it is a domain name

This prevents code injection.
The domain name syntax checker is based on RFC1035.

Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>

src/config_parser.c

@@ -30,6 +30,7 @@
 
 #include "libssh/config_parser.h"
 #include "libssh/priv.h"
+#include "libssh/misc.h"
 
 char *ssh_config_get_cmd(char **str)
 {
@@ -139,6 +140,7 @@ int ssh_config_parse_uri(const char *tok,
 {
     char *endp = NULL;
     long port_n;
+    int rc;
 
     /* Sanitize inputs */
     if (username != NULL) {
@@ -196,6 +198,14 @@ int ssh_config_parse_uri(const char *tok,
         if (*hostname == NULL) {
             goto error;
         }
+        /* if not an ip, check syntax */
+        rc = ssh_is_ipaddr(*hostname);
+        if (rc == 0) {
+            rc = ssh_check_hostname_syntax(*hostname);
+            if (rc != SSH_OK) {
+                goto error;
+            }
+        }
     }
     /* Skip also the closing bracket */
     if (*endp == ']') {