Report allocated port in tcpip-forward success reply

[yosuke-wolfssl]

Description

When an SSH client sends a tcpip-forward global request with bind port 0, RFC 4254 §7.1 requires the server to allocate an unprivileged port and return the actual port in the SSH_MSG_REQUEST_SUCCESS reply. wolfSSH passed the port to the forwarding callback by value, so the remote-setup handler had no way to communicate the chosen port back. SendGlobalRequestFwdSuccess() then echoed the requested 0, which is invalid per spec.

Addressed by f_5573.

Changes

• wolfssh/ssh.h — WS_CallbackFwd port arg → word32*, with an in/out doc comment.
• src/internal.c — DoGlobalRequestFwd() passes &bindPort so the callback's write-back reaches the reply; updated the two other call sites (LOCAL_SETUP, CHANNEL_ID).
• src/ssh.c — updated the CHANNEL_ID call site.
• examples/echoserver/echoserver.c and ide/Espressif/.../wolfssh_echoserver/main/echoserver.c — dereference the port pointer; after bind() call getsockname() to discover the OS-assigned port for port-0 requests. getsockname() failure now logs and fails the setup (WS_FWD_SETUP_E) instead of silently reporting port 0.
• tests/regress.c — new TestGlobalRequestFwdPort0ReturnsAllocatedPort() plus a ParseGlobalRequestSuccessPort() helper and an AllocatePortFwdCb; verifies a port-0 request's success reply carries the allocated port. Existing fwd callbacks updated to the new signature.

API impact (breaking)

This changes the public WS_CallbackFwd typedef in wolfssh/ssh.h:

/* before */ typedef int (*WS_CallbackFwd)(WS_FwdCbAction, void*, const char*, word32);
/* after  */ typedef int (*WS_CallbackFwd)(WS_FwdCbAction, void*, const char*, word32*);

Any external application implementing a forwarding callback must update its 4th parameter to word32* (and dereference it). This was a deliberate choice to make RFC-compliant behavior the default rather than adding a separate _ex variant.

[Copilot]

Pull request overview

Updates wolfSSH’s TCP port forwarding (RFC 4254 §7.1) handling so that when a client requests tcpip-forward with bind port 0, the server can return the actually allocated port in SSH_MSG_REQUEST_SUCCESS.

Changes:

• Change WS_CallbackFwd port parameter to word32* (in/out) so callbacks can write back an allocated port.
• Plumb the port pointer through global-request forwarding and channel-open forwarding call sites.
• Update example forwarding callbacks to discover OS-assigned ports via getsockname(), and add a regression test ensuring the success reply carries the allocated port.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
wolfssh/ssh.h	Changes forwarding callback typedef to accept an in/out port pointer and documents the port-0 behavior.
src/internal.c	Passes port by pointer into forwarding callback so the selected port can be echoed in request-success.
src/ssh.c	Updates forwarding-related callback invocation to pass a port pointer.
examples/echoserver/echoserver.c	Updates example forwarding callback to dereference port pointer and use getsockname() for port-0 binds.
ide/Espressif/ESP-IDF/examples/wolfssh_echoserver/main/echoserver.c	Same forwarding callback updates for the ESP-IDF example.
tests/regress.c	Adds a regression test validating that port-0 requests return an allocated port in the success reply.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #1009

Scan targets checked: none
Failed targets: wolfssh-bugs, wolfssh-src

⚠️ Review incomplete — one or more scan targets failed before findings could be produced. See the Fenrir PR review detail page for logs.

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #1009

Scan targets checked: wolfssh-bugs, wolfssh-src

Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.