===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshconnect.c,v
retrieving revision 1.359
retrieving revision 1.360
diff -u -r1.359 -r1.360
--- src/usr.bin/ssh/sshconnect.c 2022/10/24 22:43:36 1.359
+++ src/usr.bin/ssh/sshconnect.c 2022/11/03 21:59:20 1.360
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.359 2022/10/24 22:43:36 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.360 2022/11/03 21:59:20 djm Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -923,6 +923,17 @@
 }

 /*
+ * Don't ever try to write an invalid name to a known hosts file.
+ * Note: do this before get_hostfile_hostname_ipaddr() to catch
+ * '[' or ']' in the name before they are added.
+ */
+ if (strcspn(hostname, "@?*#[]|'\'\"\\") != strlen(hostname)) {
+ debug_f("invalid hostname \"%s\"; will not record: %s",
+ hostname, fail_reason);
+ readonly = RDONLY;
+ }
+
+ /*
 * Prepare the hostname and address strings used for hostkey lookup.
 * In some cases, these will have a port number appended.
 */
@@ -979,13 +990,6 @@
 if (!readonly && (num_user_hostfiles == 0 ||
 (host_found != NULL && host_found->note != 0)))
 readonly = RDONLY;
-
- /* Don't ever try to write an invalid name to a known hosts file */
- if (!valid_domain(hostname, 0, &fail_reason)) {
- debug_f("invalid hostname \"%s\"; will not record: %s",
- hostname, fail_reason);
- readonly = RDONLY;
- }

 /*
 * Also perform check for the ip address, skip the check if we are
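Review bot: `fail_reason` is still passed to the trailing `%s` of the new `debug_f()` call in the `@@ -923,6 +923,17 @@` hunk, but nothing in that hunk assigns it, and the commit removes the `valid_domain(hostname, 0, &fail_reason)` call that used to fill it in, so the message ends with an unset or NULL reason (the declaration is outside the hunk, so its initial value is not visible here). Dropping the argument avoids that: `debug_f("invalid hostname \"%s\"; will not record", hostname);`. Separately, the reject set given to `strcspn()` is a denylist that lists `'` twice and, as far as this hunk shows, leaves out whitespace, `,` and control bytes, which also carry meaning in a known_hosts line. Adding them to the set, or a short comment naming where they are filtered, would make the guarantee stated in the new comment checkable. The enclosing function starts and ends outside the hunk.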