Prevent forwarded tcpip requests hanging indefinitely (#50209) (#50240)

The SSH channel was only being closed in the happy path once proxying of data completed. This resulted in any connections being made, and failing for any reason prior to that hanging until the user terminated the request. The behavior from the regular.Server was copied to the forward.Server to ensure that the channel is always closed when handleDirectTCPIPRequest terminates.
gravitational · Dec 13, 2024 · ee69d99 · ee69d99
1 parent c2117d9
commit ee69d99
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/lib/srv/forward/sshserver.go b/lib/srv/forward/sshserver.go
@@ -21,9 +21,11 @@ package forward
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net"
+	"os"
 	"strings"
 	"time"
 
@@ -1062,8 +1064,12 @@ func (s *Server) handleDirectTCPIPRequest(ctx context.Context, ch ssh.Channel, r
 	if err != nil {
 		s.log.Errorf("Unable to create connection context: %v.", err)
 		s.stderrWrite(ch, "Unable to create connection context.")
+		if err := ch.Close(); err != nil {
+			s.log.Warnf("Failed to close channel: %v", err)
+		}
 		return
 	}
+	scx.AddCloser(ch)
 	scx.RemoteClient = s.remoteClient
 	scx.ExecType = teleport.ChanDirectTCPIP
 	scx.SrcAddr = sshutils.JoinHostPort(req.Orig, req.OrigPort)
@@ -1095,8 +1101,8 @@ func (s *Server) handleDirectTCPIPRequest(ctx context.Context, ch ssh.Channel, r
 		scx.WithError(err).Warn("Failed to emit port forward event.")
 	}
 
-	if err := utils.ProxyConn(ctx, ch, conn); err != nil {
-		s.log.WithError(err).Warn("Pailed proxying data for port forwarding connection.")
+	if err := utils.ProxyConn(ctx, ch, conn); err != nil && !errors.Is(err, io.EOF) && !errors.Is(err, os.ErrClosed) {
+		s.log.WithError(err).Warn("Failed proxying data for port forwarding connection.")
 	}
 }