Report allocated port in tcpip-forward success reply

Author: yosuke-wolfssl

examples/echoserver/echoserver.c

@@ -501,15 +501,15 @@ static WS_SOCKET_T connect_addr(const char* name, word16 port)
 
 
 static int wolfSSH_FwdDefaultActions(WS_FwdCbAction action, void* vCtx,
-        const char* name, word32 port)
+        const char* name, word32* port)
 {
     WS_AppCtx *appCtx = (WS_AppCtx *)vCtx;
     WS_FwdCbActionCtx* fwdCbCtx = (WS_FwdCbActionCtx *)appCtx->privateData;
     int ret = 0;
 
     if (action == WOLFSSH_FWD_LOCAL_SETUP) {
         fwdCbCtx->hostName = WSTRDUP(name, NULL, 0);
-        fwdCbCtx->hostPort = port;
+        fwdCbCtx->hostPort = *port;
         fwdCbCtx->isDirect = 1;
         appCtx->state = APP_STATE_CONNECT;
     }
@@ -529,9 +529,10 @@ static int wolfSSH_FwdDefaultActions(WS_FwdCbAction action, void* vCtx,
     else if (action == WOLFSSH_FWD_REMOTE_SETUP) {
         struct sockaddr_in addr;
         socklen_t addrSz = 0;
+        socklen_t boundSz = sizeof(addr);
 
         fwdCbCtx->hostName = WSTRDUP(name, NULL, 0);
-        fwdCbCtx->hostPort = port;
+        fwdCbCtx->hostPort = *port;
 
         appCtx->listenFd = socket(AF_INET, SOCK_STREAM, 0);
         if (appCtx->listenFd == -1) {
@@ -548,7 +549,7 @@ static int wolfSSH_FwdDefaultActions(WS_FwdCbAction action, void* vCtx,
 
                 addr.sin_addr.s_addr = INADDR_ANY;
                 addr.sin_family = AF_INET;
-                addr.sin_port = htons((word16)port);
+                addr.sin_port = htons((word16)*port);
                 addrSz = sizeof addr;
             }
             else {
@@ -566,6 +567,21 @@ static int wolfSSH_FwdDefaultActions(WS_FwdCbAction action, void* vCtx,
             ret = listen(appCtx->listenFd, 5);
         }
 
+        if (ret == 0 && *port == 0) {
+            /* The peer requested port 0, so the OS picked the port during
+             * bind(). Report the actual port back to the caller. */
+            WMEMSET(&addr, 0, sizeof addr);
+            if (getsockname(appCtx->listenFd,
+                    (struct sockaddr*)&addr, &boundSz) == 0) {
+                *port = (word32)ntohs(addr.sin_port);
+                fwdCbCtx->hostPort = *port;
+            }
+            else {
+                printf("getsockname failed for forwarded port.\n");
+                ret = -1;
+            }
+        }
+
         if (ret == 0) {
             appCtx->state = APP_STATE_LISTEN;
         }
@@ -597,7 +613,7 @@ static int wolfSSH_FwdDefaultActions(WS_FwdCbAction action, void* vCtx,
         appCtx->state = APP_STATE_INIT;
     }
     else if (action == WOLFSSH_FWD_CHANNEL_ID) {
-        appCtx->channelId = port;
+        appCtx->channelId = *port;
     }
     else
         ret = WS_FWD_INVALID_ACTION;

ide/Espressif/ESP-IDF/examples/wolfssh_echoserver/main/echoserver.c

@@ -495,14 +495,14 @@ static WS_SOCKET_T connect_addr(const char* name, word16 port)
 
 
 static int wolfSSH_FwdDefaultActions(WS_FwdCbAction action, void* vCtx,
-        const char* name, word32 port)
+        const char* name, word32* port)
 {
     WS_FwdCbActionCtx* ctx = (WS_FwdCbActionCtx*)vCtx;
     int ret = 0;
 
     if (action == WOLFSSH_FWD_LOCAL_SETUP) {
         ctx->hostName = WSTRDUP(name, NULL, 0);
-        ctx->hostPort = port;
+        ctx->hostPort = *port;
         ctx->isDirect = 1;
         ctx->state = FWD_STATE_DIRECT;
     }
@@ -521,9 +521,10 @@ static int wolfSSH_FwdDefaultActions(WS_FwdCbAction action, void* vCtx,
     else if (action == WOLFSSH_FWD_REMOTE_SETUP) {
         struct sockaddr_in addr;
         socklen_t addrSz = 0;
+        socklen_t boundSz = sizeof(addr);
 
         ctx->hostName = WSTRDUP(name, NULL, 0);
-        ctx->hostPort = port;
+        ctx->hostPort = *port;
 
         ctx->listenFd = socket(AF_INET, SOCK_STREAM, 0);
         if (ctx->listenFd == -1) {
@@ -540,7 +541,7 @@ static int wolfSSH_FwdDefaultActions(WS_FwdCbAction action, void* vCtx,
 
                 addr.sin_addr.s_addr = INADDR_ANY;
                 addr.sin_family = AF_INET;
-                addr.sin_port = htons((word16)port);
+                addr.sin_port = htons((word16)*port);
                 addrSz = sizeof addr;
             }
             else {
@@ -558,6 +559,21 @@ static int wolfSSH_FwdDefaultActions(WS_FwdCbAction action, void* vCtx,
             ret = listen(ctx->listenFd, 5);
         }
 
+        if (ret == 0 && *port == 0) {
+            /* The peer requested port 0, so the OS picked the port during
+             * bind(). Report the actual port back to the caller. */
+            WMEMSET(&addr, 0, sizeof addr);
+            if (getsockname(ctx->listenFd,
+                    (struct sockaddr*)&addr, &boundSz) == 0) {
+                *port = (word32)ntohs(addr.sin_port);
+                ctx->hostPort = *port;
+            }
+            else {
+                printf("getsockname failed for forwarded port.\n");
+                ret = -1;
+            }
+        }
+
         if (ret == 0) {
             ctx->state = FWD_STATE_LISTEN;
         }
@@ -589,7 +605,7 @@ static int wolfSSH_FwdDefaultActions(WS_FwdCbAction action, void* vCtx,
         ctx->state = FWD_STATE_INIT;
     }
     else if (action == WOLFSSH_FWD_CHANNEL_ID) {
-        ctx->channelId = port;
+        ctx->channelId = *port;
     }
     else
         ret = WS_FWD_INVALID_ACTION;

src/internal.c

@@ -8917,6 +8917,7 @@ static int DoGlobalRequestFwd(WOLFSSH* ssh,
     int ret = WS_SUCCESS;
     char* bindAddr = NULL;
     word32 bindPort;
+    word32 requestedPort = 0;
 
     WLOG(WS_LOG_DEBUG, "Entering DoGlobalRequestFwd()");
 
@@ -8935,6 +8936,7 @@ static int DoGlobalRequestFwd(WOLFSSH* ssh,
     }
 
     if (ret == WS_SUCCESS) {
+        requestedPort = bindPort;
         WLOG(WS_LOG_INFO, "Requesting forwarding%s for address %s on port %u.",
                 isCancel ? " cancel" : "", bindAddr, bindPort);
     }
@@ -8943,7 +8945,7 @@ static int DoGlobalRequestFwd(WOLFSSH* ssh,
         if (ssh->ctx->fwdCb) {
             ret = ssh->ctx->fwdCb(isCancel ? WOLFSSH_FWD_REMOTE_CLEANUP :
                         WOLFSSH_FWD_REMOTE_SETUP,
-                    ssh->fwdCbCtx, bindAddr, bindPort);
+                    ssh->fwdCbCtx, bindAddr, &bindPort);
         }
         else {
             WLOG(WS_LOG_WARN, "No forwarding callback set, rejecting request. "
@@ -8952,6 +8954,27 @@ static int DoGlobalRequestFwd(WOLFSSH* ssh,
         }
     }
 
+    if (ret == WS_SUCCESS && !isCancel) {
+        /* A remote forward was set up successfully. RFC 4254 7.1 requires a
+         * port-0 (dynamic) request to be answered with the allocated port; if
+         * the callback reported none we cannot comply, so undo the setup and
+         * reject instead of sending a success carrying port 0. */
+        if (requestedPort == 0 && bindPort == 0) {
+            int cleanupRet;
+            word32 cleanupPort = bindPort;
+
+            WLOG(WS_LOG_WARN, "Forward callback reported no allocated port "
+                    "for a port-0 request; rejecting.");
+            cleanupRet = ssh->ctx->fwdCb(WOLFSSH_FWD_REMOTE_CLEANUP,
+                    ssh->fwdCbCtx, bindAddr, &cleanupPort);
+            if (cleanupRet != WS_SUCCESS) {
+                WLOG(WS_LOG_WARN, "Forward cleanup after rejection failed, "
+                        "ret = %d", cleanupRet);
+            }
+            ret = WS_RESOURCE_E;
+        }
+    }
+
     if (wantReply) {
         if (ret == WS_SUCCESS) {
             if (isCancel) {
@@ -8965,7 +8988,7 @@ static int DoGlobalRequestFwd(WOLFSSH* ssh,
             ret = SendRequestSuccess(ssh, 0);
         }
     }
-    else if (ret == WS_UNIMPLEMENTED_E) {
+    else if (ret == WS_UNIMPLEMENTED_E || ret == WS_RESOURCE_E) {
         /* No reply expected; silently reject without terminating connection. */
         ret = WS_SUCCESS;
     }
@@ -9105,6 +9128,7 @@ static int DoChannelOpen(WOLFSSH* ssh,
     char* host = NULL;
     char* origin = NULL;
     word32 hostPort = 0, originPort = 0;
+    word32 channelId = 0;
     int isDirect = 0;
 #endif /* WOLFSSH_FWD */
     WOLFSSH_CHANNEL* newChannel = NULL;
@@ -9201,10 +9225,13 @@ static int DoChannelOpen(WOLFSSH* ssh,
 
                 if (ssh->ctx->fwdCb) {
                     ret = ssh->ctx->fwdCb(WOLFSSH_FWD_LOCAL_SETUP,
-                            ssh->fwdCbCtx, host, hostPort);
+                            ssh->fwdCbCtx, host, &hostPort);
                     if (ret == WS_SUCCESS) {
+                        /* Pass a copy so the callback cannot mutate the
+                         * channel id and corrupt channel bookkeeping. */
+                        channelId = newChannel->channel;
                         ret = ssh->ctx->fwdCb(WOLFSSH_FWD_CHANNEL_ID,
-                                ssh->fwdCbCtx, NULL, newChannel->channel);
+                                ssh->fwdCbCtx, NULL, &channelId);
                     }
                 }
                 else {

src/ssh.c

@@ -2828,6 +2828,7 @@ WOLFSSH_CHANNEL* wolfSSH_ChannelFwdNewRemote(WOLFSSH* ssh,
         const char* origin, word32 originPort)
 {
     WOLFSSH_CHANNEL* newChannel = NULL;
+    word32 channelId = 0;
     int ret = WS_SUCCESS;
 
     WLOG(WS_LOG_DEBUG, "Entering wolfSSH_ChannelFwdNewRemote()");
@@ -2848,8 +2849,11 @@ WOLFSSH_CHANNEL* wolfSSH_ChannelFwdNewRemote(WOLFSSH* ssh,
         ret = SendChannelOpenForward(ssh, newChannel);
     if (ret == WS_SUCCESS) {
         if (ssh->ctx->fwdCb) {
+            /* Pass a copy so the callback cannot mutate the channel id and
+             * corrupt channel bookkeeping. */
+            channelId = newChannel->channel;
             ret = ssh->ctx->fwdCb(WOLFSSH_FWD_CHANNEL_ID, ssh->fwdCbCtx,
-                    NULL, newChannel->channel);
+                    NULL, &channelId);
         }
     }