Allow client to use port 0 when requesting reverse port forwarding

Bind the port to forward before calling the ReversePortForwardingCallback callback, with the actual bound port instead of 0.
gliderlabs · Dec 13, 2024 · dd810c5 · dd810c5
1 parent d137aad
commit dd810c5
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/tcpip.go b/tcpip.go
@@ -108,9 +108,6 @@ func (h *ForwardedTCPHandler) HandleSSHRequest(ctx Context, srv *Server, req *go
 			// TODO: log parse failure
 			return false, []byte{}
 		}
-		if srv.ReversePortForwardingCallback == nil || !srv.ReversePortForwardingCallback(ctx, reqPayload.BindAddr, reqPayload.BindPort) {
-			return false, []byte("port forwarding is disabled")
-		}
 		addr := net.JoinHostPort(reqPayload.BindAddr, strconv.Itoa(int(reqPayload.BindPort)))
 		ln, err := net.Listen("tcp", addr)
 		if err != nil {
@@ -119,6 +116,10 @@ func (h *ForwardedTCPHandler) HandleSSHRequest(ctx Context, srv *Server, req *go
 		}
 		_, destPortStr, _ := net.SplitHostPort(ln.Addr().String())
 		destPort, _ := strconv.Atoi(destPortStr)
+		if srv.ReversePortForwardingCallback == nil || !srv.ReversePortForwardingCallback(ctx, reqPayload.BindAddr, uint32(destPort)) {
+			ln.Close()
+			return false, []byte("port forwarding is disabled")
+		}
 		h.Lock()
 		h.forwards[addr] = ln
 		h.Unlock()