Issue #1288: Work around older OpenSSH clients which do support and u…

…se the `limits@openssh.com` extension, yet cannot properly handle the longer mod_sftp lengths.
proftpd · Apr 25, 2024 · 96e1424 · 96e1424
1 parent 65e0ddc
commit 96e1424
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 3 deletions.
diff --git a/contrib/mod_sftp/fxp.c b/contrib/mod_sftp/fxp.c
@@ -28,6 +28,7 @@
 #include "crypto.h"
 #include "packet.h"
 #include "disconnect.h"
+#include "interop.h"
 #include "channel.h"
 #include "auth.h"
 #include "display.h"
@@ -5253,6 +5254,26 @@ static int fxp_handle_ext_limits(struct fxp_packet *fxp) {
     }
   }
 
+  /* Older versions of OpenSSH just accepted our (larger) limits as-is,
+   * but then ran into client-side policies which forbade the use of such
+   * larger SFTP requests; it was a bug that was fixed in OpenSSH 9.2p1 and
+   * later.
+   *
+   * Unfortunately, this means that we need to be sensitive to those older
+   * OpenSSH versions, and to send shorter lengths to them.  Otherwise, users
+   * with older OpenSSH packages will be unfairly punished when their clients
+   * use this extension, then inexplicably fail with
+   * "Outbound message too long" errors"; see Issue #1288.
+   */
+
+  if (sftp_interop_supports_feature(SFTP_SSH2_FEAT_USE_FULL_FXP_LIMITS) == FALSE) {
+    /* In these older OpenSSH versions, their max packet is 256K. */
+    pr_trace_msg(trace_channel, 8,
+      "using shorter lengths for older OpenSSH client");
+    max_packet_len = (256 * 1024);
+    max_read_len = max_write_len = max_packet_len - 1024;
+  }
+
   pr_trace_msg(trace_channel, 8,
     "sending response: EXTENDED_REPLY limits@openssh.com: "
     "max-packet-len = %lu, max-read-len = %lu, max-write-len = %lu, "

diff --git a/contrib/mod_sftp/interop.c b/contrib/mod_sftp/interop.c
@@ -1,6 +1,6 @@
 /*
  * ProFTPD - mod_sftp interoperability
- * Copyright (c) 2008-2022 TJ Saunders
+ * Copyright (c) 2008-2024 TJ Saunders
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -45,7 +45,8 @@ static unsigned int default_flags =
   SFTP_SSH2_FEAT_SERVICE_IN_PUBKEY_SIG |
   SFTP_SSH2_FEAT_HAVE_PUBKEY_ALGO_IN_DSA_SIG |
   SFTP_SSH2_FEAT_NO_DATA_WHILE_REKEYING |
-  SFTP_SSH2_FEAT_HOSTKEYS;
+  SFTP_SSH2_FEAT_HOSTKEYS |
+  SFTP_SSH2_FEAT_USE_FULL_FXP_LIMITS;
 
 struct sftp_version_pattern {
   const char *pattern;
@@ -71,6 +72,10 @@ static struct sftp_version_pattern known_versions[] = {
     "^OpenSSH_2\\.5\\.2.*|"
     "^OpenSSH_2\\.5\\.3.*",	SFTP_SSH2_FEAT_REKEYING,		NULL },
 
+  { "^OpenSSH_8.*|"
+    "^OpenSSH_9\\.0.*|"
+    "^OpenSSH_9\\.1.*",		SFTP_SSH2_FEAT_USE_FULL_FXP_LIMITS,	NULL },
+
   { "^OpenSSH.*",		0,					NULL },
 
   { ".*J2SSH_Maverick.*",	SFTP_SSH2_FEAT_REKEYING,		NULL },

diff --git a/contrib/mod_sftp/interop.h b/contrib/mod_sftp/interop.h
@@ -1,6 +1,6 @@
 /*
  * ProFTPD - mod_sftp interoperability
- * Copyright (c) 2008-2021 TJ Saunders
+ * Copyright (c) 2008-2024 TJ Saunders
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -83,6 +83,11 @@
  */
 #define SFTP_SSH2_FEAT_HOSTKEYS				0x0800
 
+/* For clients that support the OpenSSH "limits@openssh.com" extension yet
+ * cannot handle the full mod_sftp lengths.
+ */
+#define SFTP_SSH2_FEAT_USE_FULL_FXP_LIMITS		0x1000
+
 /* For scanners. */
 #define SFTP_SSH2_FEAT_SCANNER				0xfffe