Check any input username for validity

Check possible inputs of username for malicious code.

Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>

src/config_parser.c

@@ -194,6 +194,10 @@ int ssh_config_parse_uri(const char *tok,
             if (*username == NULL) {
                 goto error;
             }
+            rc = ssh_check_username_syntax(*username);
+            if (rc != SSH_OK) {
+                goto error;
+            }
         }
         tok = endp + 1;
         /* If there is second @ character, this does not look like our URI */

src/misc.c

@@ -182,6 +182,7 @@ char *ssh_get_local_username(void)
 {
     DWORD size = 0;
     char *user;
+    int rc;
 
     /* get the size */
     GetUserName(NULL, &size);
@@ -192,7 +193,10 @@ char *ssh_get_local_username(void)
     }
 
     if (GetUserName(user, &size)) {
-        return user;
+        rc = ssh_check_username_syntax(user);
+        if (rc == SSH_OK) {
+            return user;
+        }
     }
 
     return NULL;
@@ -336,8 +340,10 @@ char *ssh_get_local_username(void)
     }
 
     name = strdup(pwd.pw_name);
+    rc = ssh_check_username_syntax(name);
 
-    if (name == NULL) {
+    if (rc != SSH_OK) {
+        free(name);
         return NULL;
     }
 

src/options.c

@@ -738,6 +738,11 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
                     ssh_set_error_oom(session);
                     return -1;
                 }
+                rc = ssh_check_username_syntax(session->opts.username);
+                if (rc != SSH_OK) {
+                    ssh_set_error_invalid(session);
+                    return -1;
+                }
             }
             break;
         case SSH_OPTIONS_SSH_DIR: