Cap SFTP packet size sent

Resolves: RHEL-14697

0035-curl-7.76.1-64K-sftp.patch

@@ -0,0 +1,31 @@
+From 35eb2614d86316ba9f5a6806ce64f56680fa1e97 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 5 Sep 2023 17:33:41 +0200
+Subject: [PATCH] libssh: cap SFTP packet size sent
+
+Due to libssh limitations
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+
+Closes #11804
+---
+ lib/vssh/libssh.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
+index dea0084575859b..7c6a2e53f338fa 100644
+--- a/lib/vssh/libssh.c
++++ b/lib/vssh/libssh.c
+@@ -2567,6 +2567,12 @@ static ssize_t sftp_send(struct Curl_easy *data, int sockindex,
+   struct connectdata *conn = data->conn;
+   (void)sockindex;
+ 
++  /* limit the writes to the maximum specified in Section 3 of
++   * https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-02
++   */
++  if(len > 32768)
++    len = 32768;
++
+   nwrite = sftp_write(conn->proto.sshc.sftp_file, mem, len);
+ 
+   myssh_block2waitfor(conn, FALSE);

curl.spec

@@ -104,6 +104,9 @@ Patch33:  0033-curl-7.76.1-CVE-2023-38545.patch
 # fix cookie injection with none file (CVE-2023-38546)
 Patch34:  0034-curl-7.76.1-CVE-2023-38546.patch
 
+# cap SFTP packet size sent (RHEL-14697)
+Patch35:  0035-curl-7.76.1-64K-sftp.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -312,6 +315,7 @@ be installed.
 %patch32 -p1
 %patch33 -p1
 %patch34 -p1
+%patch35 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -540,6 +544,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 * Tue Oct 10 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-28
 - return error if hostname too long for remote resolve (CVE-2023-38545)
 - fix cookie injection with none file (CVE-2023-38546)
+- cap SFTP packet size sent (RHEL-14697)
 
 * Tue Sep 12 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-27
 - when keyboard-interactive auth fails, try password (#2229800)