3 Buffer size option (-b) is internally doubled for CR-CRLF conversion,
4 but not checked for integer overflow. This could lead to heap based
5 buffer overflow, assuming the attacker could provide this parameter.
6 Test: BLKSIZE_INT_OVERFL
7 Thanks to Lê Hiếu Bùi for reporting this issue and sending an
11 Socats address parser read over end of string when there were unbalanced
13 Test: UNBALANCED_QUOTE
15 Removed unused usleep() call from sycls.c
17 Unsetenv() was conditional in sysutils.c but not in xio-openssl.c thus
18 building failed on Solaris 9.
19 Thanks to Greg Earle for reporting this issue and providing a patch.
21 Mitigated race condition of quickly terminating SYSTEM or EXEC child
24 Option o-direct might require alignment of read/write buffer to, e.g.,
25 512 bytes, Socat now takes care of this when allocating the buffer.
26 With this fix read() succeeds, however, write() still might fail when
27 not writing complete pages.
30 There was a race condition in the way Socat UDP-RECVFROM and similar
31 addresses with option fork prevents one packet from triggering
32 multiple processes. The symptom was that Socat master process seemed to
33 hang and did not process further packets. The fix makes use of
34 pselect() system call.
35 Thanks to Fulvio Scapin for reporting this issue.
37 UNIX domain client addresses applied file system entry options (group
38 NAMED) to the server socket instead of the client (bind) socket entry.
39 Tests: UNIX_SENDTO_UNLINK UNIX_CONNECT_UNLINK
40 Thanks to Nico Williams for reporting this major issue.
42 Length of single address options was limited to 511 bytes. This value
43 is now increased to 2047 bytes.
44 Change suggested by Mario Camou.
46 Addresses of type RECVFROM with option fork looped with an error
47 message in case that the second address failed before consuming the
48 packet. The fix makes RECVFROM drop the packet when the second address
49 failed before reading it. Use retry or forever option with the second
50 address if you want to avoid data loss.
51 Thanks to Chunmei Xu for reporting this issue and proving the patch.
53 Socats DTLS implementation has been reworked and appears to work now
55 New addresses: OPENSSL-DTLS-SERVER (DTLS-L),
56 OPENSSL-DTLS-CLIENT (DTLS)
57 Tests: OPENSSL_DTLS_CLIENT OPENSSL_DTLS_SERVER
58 OPENSSL_METHOD_DTLS1 OPENSSL_METHOD_DTLS1.2
59 Thanks to Brandon Carpenter, Qing Wan, and Pavel Nakonechnyi for
62 filan did not output the socket protocol.
63 filan -s assumed each stream socket to be TCP and each datagram socket
64 to be UDP. Now it uses SO_PROTOCOL and getprotoent() for correct output.
67 In gcc version 10 the default changed from -fcommon to -fno-common.
68 Consequently, linking filan and procan failed with error
69 "multiple definition of `deny_severity'" and `allow_severity'
70 Fixed by removing definitions in filan.c and procan.c
72 Thanks to László Böszörményi and others for reporting this issue.
74 Solaris 9 does not provide strndup(); added substitute code.
75 Thanks to Greg Earle for providing a patch.
77 Added configure option --enable-openssl-base to specify the location of
78 a non-OS OpenSSL installation
80 There are systems whose kernel understands SCTP but getaddrinfo does
81 not. As workaround after EIA_SOCKTYPE on name and service resolution
82 fall back to ai_socktype=0; if it fails with EAI_SERVICE, set
83 ai_protocol=0 and try again
84 Test: SCTP_SERVICENAME
86 Per file filesystem options were still name ext2-* and depended on
87 <linux/ext2_fs.h>. Now they are called fs-* and depend on <linux/fs.h>.
88 These fs-* options are also available on old systems with ext2_fs.h
90 New options openssl-min-proto-version (min-version) and
91 openssl-max-proto-version (max-version) give access to the related
92 OpenSSL set-macros and substitute deprecated version-specific methods.
93 Test: OPENSSL_MIN_VERSION
96 test.sh now produces a list of tests that could not be performed for
97 any reason. This helps to analyse these cases.
99 OpenSSL s_server appearently started to neglect TCPs half close feature.
100 Test OPENSSL_TCP4 has been changed to tolerate this.
102 OpenSSL changed its behaviour when connection is rejected. Tests
103 OPENSSLCERTSERVER, OPENSSL_CN_CLIENT_SECURITY, and
104 OPENSSL_CN_SERVER_SECURITY now tolerate this.
106 OpenSSL no longer allows explicit renegotiation with TLSv1.3, thus the
107 appropriate tests failed.
108 Fix: use TLSv1.2 for renegotiation tests
109 Tests: OPENSSLRENEG1 OPENSSLRENEG2
111 Ubuntu 20.04 requires 2048 bit certificates with OpenSSL
113 Archlinux 2020 has not which command; its ip,ss commands have modified
116 More testing issues solved:
117 * ss to pipe might omit column separator
118 * UDP6MULTICAST_UNIDIR fails on newer Linux kernels
120 * renamed testaddrs() to testfeats(), and introduced new testaddrs()
123 GOPEN and UNIX-CLIENT addresses now support sockets of type SEQPACKET.
124 Test: GOPENUNIXSEQPACKET
125 Feature suggested by vi0oss.
127 The generic setsockopt-int and related options are, in case of
128 listening/accepting addresses, applied to the connected socket(s). To enable
129 setting options on the listening socket, a new option setsockopt-listen
130 has been implemented. See the documentation for info on data types.
131 Tests: SETSOCKOPT SETSOCKOPT_LISTEN
132 Thanks to Steven Danna and Korian Edeline for reporting this issue.
134 Filan option -S gives short description like -s but with improved
137 Socat OpenSSL client, when server was specified using IP address, did
138 not verify connection on certificates SubjectAltName IP entries.
139 Tests: OPENSSL_SERVERALTAUTH OPENSSL_SERVERALTIP4AUTH OPENSSL_SERVERALTIP6AUTH
140 Fixes Red Hat bug 1805132
142 Added options -r and -R for raw dump of transferred data to files.
143 Test: OPTION_RAW_DUMP
145 Added option ip-transparent (socket option IP_TRANSPARENT)
146 Thanks to Wang Shanker for sending a patch.
148 ####################### V 1.7.3.4:
151 Header of xiotermios_speed() declared parameter unsigned int instead of
152 speed_t, thus compiling failed on MacOS
153 Thanks to Joe Strout and others for reporting this bug.
154 Thanks to Andrew Childs and others for sending a patch.
156 Under certain circumstances, termios options of the first address were
157 applied to the second address, resulting in error
158 "Inappropriate ioctl for device"
159 This affected version 1.7.3.3 only.
161 Thanks to Ivan J. for reporting this issue.
163 Socat failed to compile when no poll() system call was found by
165 Thanks to Jason White for sending a patch.
167 Due to use of SSL_CTX_clear_mode() Socat failed to compile on old
168 systems with, e.g., OpenSSL-0.9.8. Thanks to Simon Matter and Moritz B.
169 for reporting this problem and sending initial patches.
171 getaddrinfo() in IP4-SENDTO and IP6-SENDTO addresses failed with
172 "ai_socktype not supported" when protocol 6 was addressed.
173 The fix removes the possibility to use service names with SCTP.
175 Thanks to Sören for sending an initial patch.
177 Under certain circumstances, Socat printed the "socket ... is at EOF"
181 Newer parts of test.sh used substitutions ${x,,*} or ${x^^*} that are
182 not implemented in older bash versions.
184 ####################### V 1.7.3.3:
187 Makefile.in did not specify dependencies of filan on vsnprintf_r.o
189 Added definition of FILAN_OBJS
190 Thanks to Craig Leres, Clayton Shotwell, and Chris Packham for
193 configure option --enable-msglevel did not work with numbers
195 The autoconf mechanism for determining SHIFT_OFFSET did not work when
197 Thanks to Max Freisinger from Gentoo for sending a patch.
199 Socat still depended on obsolete gethostbyname() function, thus
200 compiling with MUSL libc failed.
201 Problem reported by Kennedy33.
203 The async signal safe diagnostic system used FDs 3 and 4 internally, so
204 use of appropriate fdin or fdout led to failures.
206 Problem reported by Onur Sentürk.
208 The socket based mechanism for passing messages and signal information
209 from signal handler to process could reach and kill the wrong process.
210 Introduces functions diag_sock_pair(), diag_fork()
211 Thanks to Darren Zhao for analysing and reporting this problem.
213 Option ipv6-join-group did not work because it was applied in the wrong
215 Test: UDP6MULTICAST_UNIDIR
216 Thanks to Angus Gratton for sending a patch.
218 Setting ispeed and ospeed failed for some serial devices because the
219 two settings were applied with two different get/set cycles, Thanks to
220 Alexandre Fenyo for providing an initial patch.
221 However, the actual fix is part of a conceptual change of the termios
222 module that aims for applying all changes in a single tcsetaddr call.
223 Fixes FreeBSD Bug 198441
225 Termios options TAB0,TAB1,TAB2,TAB3, and XTABS did not have an effect.
226 Thanks to Alan Walters for reporting this bug.
228 Substituted cumbersom ISPEED_OFFSET mechanism for cfsetispeed() calls
230 With TCP6-LISTEN and the other passive IPv6 addresses the range option
231 just failed: due to a bug in the syntax parser and two more bugs in
232 the xiocheckrange_ip6() function.
233 The syntax has now been changed from "[::1/128]" to "[::1]/128"!
234 Thanks Leah Neukirchen for sending an initial fix.
236 For name resolution Socat only checked the first character of the host
237 name to decide if it is an IPv4 address. This was not RFC conform. This
238 fix removes the possibility for use of IPv4 addresses with IPv6, e.g.
241 Thanks to Nicolas Fournil for reporting this issue.
243 Print a useful error message when single character options appear to be
244 merged in Socat invocation
245 Test: SOCCAT_OPT_HINT
247 Fixed some docu typos.
248 Thanks to Travis Wellman, Thomas <tjps636>, Dan Kenigsberg,
249 Julian Zinn, and Simon Matter
252 OpenSSL functions TLS1_client_method() and similar are
253 deprecated. Socat now uses recommended TLS_client_method(). The old
254 functions and dependend option openssl-method can still be
255 used when configuring socat with --enable-openssl-method
257 Shell scripts in socat distribution are now headed with:
259 to make them better portable to systems without /bin/bash
260 Thanks to Maya Rashish for sending a patch
262 RES_AAONLY, RES_PRIMARY are deprecated. You can still enable them with
263 configure option --enable-res-deprecated.
265 New versions of OpenSSL preset SSL_MODE_AUTO_RETRY which may hang socat.
266 Solution: clear SSL_MODE_AUTO_RETRY when it is set.
268 Renamed configure.in to configure.ac and set an appropriate symlink for
270 Related Gentoo bug 426262: Warning on configure.in
271 Thanks to Francesco Turco for reporting that warning.
273 Fixed new IPv6 range code for platforms without s6_addr32 component.
276 test.sh: Show a warning when phase-1 (insecure phase) of a security
279 OpenSSL tests failed on actual Linux distributions. Measures:
280 Increased key lengths from 768 to 1024 bits
281 Added test.sh option -C to delete temp certs from prevsious runs
282 Provide DH-parameter in certificate in PEM
283 OpenSSL s_server option -verify 0 must be omitted
284 OpenSSL authentication method aNULL no longer works
285 Failure of cipher aNULL is not a failure
286 Failure of methods SSL3 and SSL23 is desired
288 test.sh depended on ifconfig and netstat utilities which are no longer
289 availabie in some distributions. test.sh now checks for and prefers
291 Thanks to Ruediger Meier for reporting this problem.
293 More corrections to test.sh:
294 Language settings could still influence test results
295 netstat was still required
296 Suppress usleep deprecated messag
297 Force use of IPv4 with some certificates
298 Set timeout for UDPxMAXCHILDREN tests
301 Added missing Config/Makefile.DragonFly-2-8-2,
302 Config/config.DragonFly-2-8-2.h
303 Removed testcert.conf (to be generated by test.sh)
306 Simplified handling of missing termios defines.
309 Permit combined -d options as -dd etc.
312 ext2 options are now fs options.
314 ####################### V 1.7.3.2:
317 SIGSEGV and other signals could lead to a 100% CPU loop
319 Failing name resolution could lead to SIGSEGV
320 Thanks to Max for reporting this issue.
322 Include <stddef.h> for ptrdiff_t
323 Thanks to Jeroen Roovers for reporting this issue.
325 Building with --disable-sycls failed due to missing sslcls.h defines
327 Socat hung when configured with --disable-sycls.
329 Some minor corrections with includes etc.
331 Option so-reuseport did not work. Thanks to Some Raghavendra Prabhu
334 Programs invoked with EXEC, nofork, and -u or -U had stdin and stdout
336 Test: EXEC_NOFORK_UNIDIR
337 Thanks to David Reiss for reporting this problem.
339 Socat exited with status 0 even when a program invoked with SYSTEM or
341 Tests: SYSTEM_RC EXEC_RC
342 Issue reported by Felix Winkelmann.
344 AddressSanitizer reported a few buffer overflows (false positives).
345 Nevertheless fixed Socat source.
346 Issue reported by Hanno Böck.
348 Socat did not use option ipv6-join-group.
349 Test: USE_IPV6_JOIN_GROUP
350 Thanks to Linus Lüssing for sending a patch.
352 UDP-LISTEN did not honor the max-children option.
353 Test: UDP4MAXCHILDREN UDP6MAXCHILDREN
354 Thanks to Leander Berwers for reporting this issue.
356 Options so-rcvtimeo and so-sndtimeo do not work with poll()/select()
357 and therefore were useless.
358 Thanks to Steve Borenstein for reporting this issue.
360 Option dhparam was documented as dhparams. Added the alias name
361 dhparams to fix this.
362 Thanks to Alexander Neumann for sending a patch.
364 Options shut-down and shut-close did not work.
365 Thanks to Stefan Schimanski for providing a patch.
367 There was a bug in printing readline log message caused by a misleading
369 Thanks to Paul Wouters for reporting.
371 The internal vsnprintf_r function looped or crashed on size parameter
372 with hexadecimal output.
374 Ignore exit code of child process when it was killed by master due to
377 Corrected byte order on read of IPV6_TCLASS value from ancillary
380 Fixed type of the bool element in options. This had bug caused failures
381 e.g. of ignoreeof on big-endian systems when bool was not based on int.
383 On systems with predefined bool type whose size differs from int some
384 IPv6 and TCP options (per setsockopt()) failed.
386 Length of integral data in ancillary messages varies (TOS: 1 byte,
387 TTL: 4 bytes), the old implementation failed for TTL on big-endian
390 Fixed an issue in options processing: TUN and DNS flags had failed on
391 big-endian systems and the NO- forms had probable never worked.
394 Type conflict between int and sig_atomic_t between declaration and
395 definition of diag_immediate_type and diag_immediate_exit broke
396 compilation on FreeBSD 10.1 with clang. Thanks to Emanuel Haupt for
399 Socat failed to compile on platforms with OpenSSL without
400 DTLSv1_client_method or DTLSv1_server_method.
401 Thanks to Simon Matter for sending a patch.
403 NuttX OS headers do not provide struct ip, thus socat did not compile.
404 Made struct ip subject to configure.
405 Thanks to SP for reporting this issue.
407 Socat failed to compile with OpenSSL version 1.0.2d where
408 SSLv3_server_method and SSLv3_client_method are no longer defined.
409 Thanks to Mischa ter Smitten for reporting this issue and providing
412 configure checked for OpenSSL EC_KEY assuming it is a define but it
413 is a type, thus OpenSSL ECDHE ciphers failed even on Linux.
414 Thanks to Andrey Arapov for reporting this bug.
416 Changes to make socat compile with OpenSSL 1.1.
417 Thanks to Sebastian Andrzej Siewior e.a. from the Debian team for
418 providing the base patch.
421 Make Socat compatible with BoringSSL.
422 Thanks to Matt Braithwaite for providing a patch.
424 OpenSSL: Use RAND_status to determine PRNG state
425 Thanks to Adam Langley for providing a patch
427 AIX-7 uses an extended O_ACCMODE that does not fit socat's internal
428 requirements. Thanks to Garrick Trowsdale for providing a patch
430 LibreSSL support: check for OPENSSL_NO_COMP
431 Thanks to Bernard Spil for providing a patch
434 socks4echo.sh and socks4a-echo.sh hung with new bash with read -n
436 test.sh: stderr; option -v (verbose); FDOUT_ERROR description
438 improved proxy.sh - it now also takes hostnames
440 A few corrections in test.sh
442 DTLS1 test hangs on some distributions. Test is now only performed
443 with OpenSSL 1.0.2 or higher.
445 More corrections to test.sh that reveal a mistake with IPV6_TCLASS
448 Corrected source of socat man page to correctly show man references
449 like socket(2); removed obseolete entries from See Also
451 Docu and some comments mentioned addresses SSL-LISTEN and SSL-CONNECT
452 that do not exist (OPENSSL-LISTEN, SSL-L; and OPENNSSL-CONNECT, SSL
454 Thanks to Zhigang Wang for reporting this issue.
456 Fixed a couple of English spelling and grammar mistakes.
457 Thanks to Jakub Wild for sending the patches.
459 NOEXPAND() was not resolved 2 times.
461 More minor docu corrections
464 Added contributors to copyright notices. Suggested by Matt Braithwaite.
466 ####################### V 1.7.3.1:
469 Socat security advisory 8
470 A stack overflow in vulnerability was found that can be triggered when
471 command line arguments (complete address specifications, host names,
472 file names) are longer than 512 bytes.
473 Successful exploitation might allow an attacker to execute arbitrary
474 code with the privileges of the socat process.
475 This vulnerability can only be exploited when an attacker is able to
476 inject data into socat's command line.
477 A vulnerable scenario would be a CGI script that reads data from clients
478 and uses (parts of) this data as hostname for a Socat invocation.
480 Credits to Takumi Akiyama for finding and reporting this issue.
482 Socat security advisory 7
484 In the OpenSSL address implementation the hard coded 1024 bit DH p
485 parameter was not prime. The effective cryptographic strength of a key
486 exchange using these parameters was weaker than the one one could get by
487 using a prime p. Moreover, since there is no indication of how these
488 parameters were chosen, the existence of a trapdoor that makes possible
489 for an eavesdropper to recover the shared secret from a key exchange
490 that uses them cannot be ruled out.
491 Futhermore, 1024bit is not considered sufficiently secure.
492 Fix: generated a new 2048bit prime.
493 Thanks to Santiago Zanella-Beguelin and Microsoft Vulnerability
494 Research (MSVR) for finding and reporting this issue.
496 ####################### V 1.7.3.0:
499 Socat security advisory 6
500 CVE-2015-1379: Possible DoS with fork
501 Fixed problems with signal handling caused by use of not async signal
502 safe functions in signal handlers that could freeze socat, allowing
503 denial of service attacks.
504 Many changes in signal handling and the diagnostic messages system were
505 applied to make the code async signal safe but still provide detailled
506 logging from signal handlers:
507 Coded function vsnprintf_r() as async signal safe incomplete substitute
509 Coded function snprinterr() to replace %m in strings with a system error
511 Instead of gettimeofday() use clock_gettime() when available
512 Pass Diagnostic messages from signal handler per unix socket to the main
514 Use sigaction() instead of signal() for better control
515 Turn off nested signal handler invocations
516 Thanks to Peter Lobsinger for reporting and explaining this issue.
518 Red Hat issue 1019975: add TLS host name checks
519 OpenSSL client checks if the server certificates names in
520 extensions/subjectAltName/DNS or in subject/commonName match the name
521 used to connect or the value of the openssl-commonname option.
522 Test: OPENSSL_CN_CLIENT_SECURITY
524 OpenSSL server checks if the client certificates names in
525 extensions/subjectAltNames/DNS or subject/commonName match the value of
526 the openssl-commonname option when it is used.
527 Test: OPENSSL_CN_SERVER_SECURITY
529 Red Hat issue 1019964: socat now uses the system certificate store with
530 OPENSSL when neither options cafile nor capath are used
532 Red Hat issue 1019972: needs to specify OpenSSL cipher suites
533 Default cipherlist is now "HIGH:-NULL:-PSK:-aNULL" instead of empty to
534 prevent downgrade attacks
537 OpenSSL addresses set couple of environment variables from values in
538 peer certificate, e.g.:
539 SOCAT_OPENSSL_X509_SUBJECT, SOCAT_OPENSSL_X509_ISSUER,
540 SOCAT_OPENSSL_X509_COMMONNAME,
541 SOCAT_OPENSSL_X509V3_SUBJECTALTNAME_DNS
542 Tests: ENV_OPENSSL_{CLIENT,SERVER}_X509_*
544 Added support for methods TLSv1, TLSv1.1, TLSv1.2, and DTLS1
545 Tests: OPENSSL_METHOD_*
547 Enabled OpenSSL server side use of ECDHE ciphers. Feature suggested
550 Added a new option termios-rawer for ptys.
551 Thanks to Christian Vogelgsang for pointing me to this requirement
554 Bind with ABSTRACT commands used non-abstract namespace (Linux).
556 Thanks to Denis Shatov for reporting this bug.
558 Fixed return value of nestlex()
560 Option ignoreeof on the right address hung.
562 Thanks to Franz Fasching for reporting this bug.
564 Address SYSTEM, when terminating, shut down its parent addresses,
565 e.g. an SSL connection which the parent assumed to still be active.
566 Test: SYSTEM_SHUTDOWN
568 Passive (listening or receiving) addresses with empty port field bound
569 to a random port instead of terminating with error.
572 configure with some combination of disable options produced config
573 files that failed to compile due to missing IPPROTO_TCP.
574 Thanks to Thierry Fournier for report and patch.
576 fixed a few minor bugs with OpenSSL in configure and with messages
578 Socat did not work in FIPS mode because 1024 instead of 512 bit DH prime
579 is required. Thanks to Zhigang Wang for reporting and sending a patch.
581 Christophe Leroy provided a patch that fixes memory leaks reported by
584 Help for filan -L was bad, is now corrected to:
585 "follow symbolic links instead of showing their properties"
587 Address options fdin and fdout were silently ignored when not applicable
588 due to -u or -U option. Now these combinations are caught as errors.
590 Issue reported by Hendrik.
592 Added option termios-cfmakeraw that calls cfmakeraw() and is preferred
593 over option raw which is now obsolote. On SysV systems this call is
594 simulated by appropriate setting.
595 Thanks to Youfu Zhang for reporting issue with option raw.
598 Socat included <sys/poll.h> instead of POSIX <poll.h>
599 Thanks to John Spencer for reporting this issue.
601 Version 1.7.2.4 changed the check for gcc in configure.ac; this
602 broke cross compiling. The particular check gets reverted.
603 Thanks to Ross Burton and Danomi Manchego for reporting this issue.
605 Debian Bug#764251: Set the build timestamp to a deterministic time:
606 support external BUILD_DATE env var to allow to build reproducable
609 Joachim Fenkes provided an new adapted spec file.
611 Type bool and macros Min and Max are defined by socat which led to
612 compile errors when they were already provided by build framework.
613 Thanks to Liyu Liu for providing a patch.
615 David Arnstein contributed a patch for NetBSD 5.1 including stdbool.h
616 support and appropriate files in Config/
618 Lauri Tirkkonen contributed a patch regarding netinet/if_ether.h
621 Changes for Openindiana: define _XPG4_2, __EXTENSIONS__,
622 _POSIX_PTHREAD_SEMANTICS; and minor changes
624 Red Hat issue 1182005: socat 1.7.2.4 build failure missing
626 Socat failed to compile on on PPC due to new requirements for
627 including <linux/errqueue.h> and a weakness in the conditional code.
628 Thanks to Michel Normand for reporting this issue.
631 In the man page the PTY example was badly formatted. Thanks to
632 J.F.Sebastian for sending a patch.
634 Added missing CVE ids to security issues in CHANGES
637 Do not distribute testcert.conf with socat source but generate it
638 (and new testcert6.conf) during test.sh run.
640 ####################### V 1.7.2.4:
643 LISTEN based addresses applied some address options, e.g. so-keepalive,
644 to the listening file descriptor instead of the connected file
646 Thanks to Ulises Alonso for reporting this bug
648 make failed after configure with non gcc compiler due to missing
649 include. Thanks to Horacio Mijail for reporting this problem
651 configure checked for --disable-rawsocket but printed
652 --disable-genericsocket in the help text. Thanks to Ben Gardiner for
653 reporting and patching this bug
655 In xioshutdown() a wrong branch was chosen after RECVFROM type addresses.
657 Thanks to David Binderman for reporting this issue.
659 procan could not cleanly format ulimit values longer than 16 decimal
660 digits. Thanks to Frank Dana for providing a patch that increases field
663 OPENSSL-CONNECT with bind option failed on some systems, eg.FreeBSD, with
665 Thanks to Emile den Tex for reporting this bug.
667 Changed some variable definitions to make gcc -O2 aliasing checker happy
668 Thanks to Ilya Gordeev for reporting these warnings
670 On big endian platforms with type long >32bit the range option applied a
671 bad base address. Thanks to hejia hejia for reporting and fixing this bug.
673 Red Hat issue 1022070: missing length check in xiolog_ancillary_socket()
675 Red Hat issue 1022063: out-of-range shifts on net mask bits
677 Red Hat issue 1022062: strcpy misuse in xiosetsockaddrenv_ip4()
679 Red Hat issue 1022048: strncpy hardening: corrected suspicious strncpy()
682 Red Hat issue 1021958: fixed a bug with faulty buffer/data length
683 calculation in xio-ascii.c:_xiodump()
685 Red Hat issue 1021972: fixed a missing NUL termination in return string
686 of sysutils.c:sockaddr_info() for the AF_UNIX case
688 fixed some typos and minor issues, including:
689 Red Hat issue 1021967: formatting error in manual page
691 UNIX-LISTEN with fork option did not remove the socket file system entry
692 when exiting. Other file system based passive address types had similar
693 issues or failed to apply options umask, user e.a.
694 Thanks to Lorenzo Monti for pointing me to this issue
697 Red Hat issue 1020203: configure checks fail with some compilers.
700 Performed changes for Fedora release 19
702 Adapted, improved test.sh script
704 Red Hat issue 1021429: getgroupent fails with large number of groups;
705 use getgrouplist() when available instead of sequence of calls to
708 Red Hat issue 1021948: snprintf API change;
709 Implemented xio_snprintf() function as wrapper that tries to emulate C99
710 behaviour on old glibc systems, and adapted all affected calls
713 Mike Frysinger provided a patch that supports long long for time_t,
714 socklen_t and a few other libc types.
716 Artem Mygaiev extended Cedril Priscals Android build script with pty code
718 The check for fips.h required stddef.h
719 Thanks to Matt Hilt for reporting this issue and sending a patch
721 Check for linux/errqueue.h failed on some systems due to lack of
722 linux/types.h inclusion. Thanks to Michael Vastola for sending a patch.
724 autoconf now prefers configure.ac over configure.in
725 Thanks to Michael Vastola for sending a patch.
727 type of struct cmsghdr.cmsg is system dependend, determine it with
728 configure; some more print format corrections
731 libwrap always logs to syslog
733 added actual text version of GPLv2
735 ####################### V 1.7.2.3:
738 Socat security advisory 5
739 CVE-2014-0019: socats PROXY-CONNECT address was vulnerable to a buffer
740 overflow with data from command line (see socat-secadv5.txt)
741 Credits to Florian Weimer of the Red Hat Product Security Team
743 ####################### V 1.7.2.2:
746 Socat security advisory 4
748 after refusing a client connection due to bad source address or source
749 port socat shutdown() the socket but did not close() it, resulting in
750 a file descriptor leak in the listening process, visible with lsof and
751 possibly resulting in EMFILE Too many open files. This issue could be
752 misused for a denial of service attack.
753 Full credits to Catalin Mitrofan for finding and reporting this issue.
755 ####################### V 1.7.2.1:
758 Socat security advisory 3
760 fixed a possible heap buffer overflow in the readline address. This bug
761 could be exploited when all of the following conditions were met:
762 1) one of the addresses is READLINE without the noprompt and without the
764 2) the other (almost arbitrary address) reads malicious data (which is
765 then transferred by socat to READLINE).
766 Workaround: when using the READLINE address apply option prompt or
768 Full credits to Johan Thillemann for finding and reporting this issue.
770 ####################### V 1.7.2.0:
773 when UNIX-LISTEN was applied to an existing file it failed as expected
774 but removed the file. Thanks to Bjoern Bosselmann for reporting this
777 fixed a bug where socat might crash when connecting to a unix domain
778 socket using address GOPEN. Thanks to Martin Forssen for bug report and
781 UDP-LISTEN would alway set SO_REUSEADDR even without fork option and
782 when user set it to 0. Thanks to Michal Svoboda for reporting this bug.
784 UNIX-CONNECT did not support half-close. Thanks to Greg Hughes who
785 pointed me to that bug
787 TCP-CONNECT with option nonblock reported successful connect even when
790 address option ioctl-intp failed with "unimplemented type 26". Thanks
791 to Jeremy W. Sherman for reporting and fixing that bug
793 socat option -x did not print packet direction, timestamp etc; thanks
794 to Anthony Sharobaiko for sending a patch
796 address PTY does not take any parameters but did not report an error
799 Marcus Meissner provided a patch that fixes invalid output and possible
800 process crash when socat prints info about an unnamed unix domain
803 Michal Soltys reported the following problem and provided an initial
804 patch: when socat was interrupted, e.g. by SIGSTOP, and resumed during
805 data transfer only parts of the data might have been written.
807 Option o-nonblock in combination with large transfer block sizes
808 may result in partial writes and/or EAGAIN errors that were not handled
809 properly but resulted in data loss or process termination.
811 Fixed a bug that could freeze socat when during assembly of a log
812 message a signal was handled that also printed a log message. socat
813 development had been aware that localtime() is not thread safe but had
814 only expected broken messages, not corrupted stack (glibc 2.11.1,
817 an internal store for child pids was susceptible to pid reuse which
818 could lead to sporadic data loss when both fork option and exec address
819 were used. Thanks to Tetsuya Sodo for reporting this problem and
822 OpenSSL server failed with "no shared cipher" when using cipher aNULL.
823 Fixed by providing temporary DH parameters. Thanks to Philip Rowlands
824 for drawing my attention to this issue.
826 UDP-LISTEN slept 1s after accepting a connection. This is not required.
827 Thanks to Peter Valdemar Morch for reporting this issue
829 fixed a bug that could lead to error or socat crash after a client
830 connection with option retry had been established
832 fixed configure.in bug on net/if.h check that caused IF_NAMESIZE to be
835 improved dev_t print format definition
838 Cedril Priscal ported socat to Android (using Googles cross compiler).
839 The port includes the socat_buildscript_for_android.sh script
841 added check for component ipi_spec_dst in struct in_pktinfo so
842 compilation does not fail on Cygwin (thanks to Peter Wagemans for
843 reporting this problem)
845 build failed on RHEL6 due to presence of fips.h; configure now checks
846 for fipsld too. Thanks to Andreas Gruenbacher for reporting this
849 check for netinet6/in6.h only when IPv6 is available and enabled
851 don't fail to compile when the following defines are missing:
852 IPV6_PKTINFO IPV6_RTHDR IPV6_DSTOPTS IPV6_HOPOPTS IPV6_HOPLIMIT
853 Thanks to Jerry Jacobs for reporting this problem (Mac OS X Lion 10.7)
855 check if define __APPLE_USE_RFC_2292 helps to enable IPV6_* (MacOSX
856 Lion 7.1); thanks to Jerry Jacobs to reporting this problem and
859 fixed compiler warnings on Mac OS X 64bit. Thanks to Guy Harris for
862 corrections for OpenEmbedded, especially termios SHIFT values and
863 ISPEED/OSPEED. Thanks to John Faith for providing the patch
865 minor corrections to docu and test.sh resulting from local compilation
868 fixed sa_family_t compile error on DragonFly. Thanks to Tony Young for
869 reporting this issue and sending a patch.
871 Ubuntu Oneiric: OpenSSL no longer provides SSLv2 functions; libutil.sh
872 is now bsd/libutil.h; compiler warns on vars that is only written to
875 added option max-children that limits the number of concurrent child
876 processes. Thanks to Sam Liddicott for providing the patch.
878 Till Maas added support for tun/tap addresses without IP address
880 added an option openssl-compress that allows to disable the compression
881 feature of newer OpenSSL versions. Thanks to Michael Hanselmann for
882 providing this contribution (sponsored by Google Inc.)
885 minor corrections in docu (thanks to Paggas)
887 client process -> child process
889 ####################### V 1.7.1.3:
892 Socat security advisory 2
894 fixed a stack overflow vulnerability that occurred when command
895 line arguments (whole addresses, host names, file names) were longer
897 Note that this could only be exploited when an attacker was able to
898 inject data into socat's command line.
899 Full credits to Felix Gröbert, Google Security Team, for finding and
902 ####################### V 1.7.1.2:
905 user-late and group-late, when applied to a pty, affected the system
906 device /dev/ptmx instead of the pty (thanks to Matthew Cloke for
907 pointing me to this bug)
909 socats openssl addresses failed with "nonblocking operation did not
910 complete" when the peer performed a renegotiation. Thanks to Benjamin
911 Delpy for reporting this bug.
913 info message during socks connect showed bad port number on little
914 endian systems due to wrong byte order (thanks to Peter M. Galbavy for
915 bug report and patch)
917 Debian bug 531078: socat execs children with SIGCHLD ignored; corrected
918 to default. Thanks to Martin Dorey for reporting this bug.
921 building socat on systems that predefined the CFLAGS environment to
922 contain -Wall failed (esp.RedHat). Thanks to Paul Wouters for reporting
923 this problem and to Simon Matter for providing the patch
925 support for Solaris 8 and Sun Studio support (thanks to Sebastian
926 Kayser for providing the patches)
928 on some 64bit systems a compiler warning "cast from pointer to integer
929 of different size" was issued on some option definitions
931 added struct sockaddr_ll to union sockaddr_union to avoid "strict
932 aliasing" warnings (problem reported by Paul Wouters)
935 minor corrections in docu
937 ####################### V 1.7.1.1:
940 corrected the "fixed possible SIGSEGV" fix because SIGSEGV still might
941 occur under those conditions. Thanks to Toni Mattila for first
942 reporting this problem.
944 ftruncate64 cut its argument to 32 bits on systems with 32 bit long type
946 socat crashed on systems without setenv() (esp. SunOS up to Solaris 9);
947 thanks to Todd Stansell for reporting this bug
949 with unidirectional EXEC and SYSTEM a close() operation was performed
950 on a random number which could result in hanging e.a.
952 fixed a compile problem caused by size_t/socklen_t mismatch on 64bit
955 docu mentioned option so-bindtodev but correct name is so-bindtodevice.
956 Thanks to Jim Zimmerman for reporting.
959 added environment variables example to doc/socat-multicast.html
961 ####################### V 1.7.1.0:
964 address options shut-none, shut-down, and shut-close allow to control
965 socat's half close behaviour
967 with address option shut-null socat sends an empty packet to the peer
970 option null-eof changes the behaviour of sockets that receive an empty
971 packet to see EOF instead of ignoring it
973 introduced option names substuser-early and su-e, currently equivalent
974 to option substuser (thanks to Mike Perry for providing the patch)
977 fixed some typos and improved some comments
979 ####################### V 1.7.0.1:
982 fixed possible SIGSEGV in listening addresses when a new connection was
983 reset by peer before the socket addresses could be retrieved. Thanks to
984 Mike Perry for sending a patch.
986 fixed a bug, introduced with version 1.7.0.0, that let client
987 connections with option connect-timeout fail when the connections
988 succeeded. Thanks to Bruno De Fraine for reporting this bug.
990 option end-close "did not apply" to addresses PTY, SOCKET-CONNECT,
991 and most UNIX-* and ABSTRACT-*
993 half close of EXEC and SYSTEM addresses did not work for pipes and
996 help displayed for some option a wrong type
998 under some circumstances shutdown was called multiple times for the
1001 ####################### V 1.7.0.0:
1004 new address types SCTP-CONNECT and SCTP-LISTEN implement SCTP stream
1005 mode for IPv4 and IPv6; new address options sctp-maxseg and
1006 sctp-nodelay (suggested by David A. Madore; thanks to Jonathan Brannan
1007 for providing an initial patch)
1009 new address "INTERFACE" for transparent network interface handling
1010 (suggested by Stuart Nicholson)
1012 added generic socket addresses: SOCKET-CONNECT, SOCKET-LISTEN,
1013 SOCKET-SENDTO, SOCKET-RECVFROM, SOCKET-RECV, SOCKET-DATAGRAM allow
1014 protocol independent socket handling; all parameters are explicitely
1015 specified as numbers or hex data
1017 added address options ioctl-void, ioctl-int, ioctl-intp, ioctl-string,
1018 ioctl-bin for generic ioctl() calls.
1020 added address options setsockopt-int, setsockopt-bin, and
1021 setsockopt-string for generic setsockopt() calls
1023 option so-type now only affects the socket() and socketpair() calls,
1024 not the name resolution. so-type and so-prototype can now be applied to
1025 all socket based addresses.
1027 new address option "escape" allows to break a socat instance even when
1028 raw terminal mode prevents ^C etc. (feature suggested by Guido Trotter)
1030 socat sets environment variables SOCAT_VERSION, SOCAT_PID, SOCAT_PPID
1031 for use in executed scripts
1033 socat sets environment variables SOCAT_SOCKADDR, SOCAT_SOCKPORT,
1034 SOCAT_PEERADDR, SOCAT_PEERPORT in LISTEN type addresses (feature
1035 suggested by Ed Sawicki)
1037 socat receives all ancillary messages with each received packet on
1038 datagram related addresses. The messages are logged in raw form with
1039 debug level, and broken down with info level. note: each type of
1040 ancillary message must be enabled by appropriate address options.
1042 socat provides the contents of ancillary messages received on RECVFROM
1043 addresses in appropriate environment variables:
1044 SOCAT_TIMESTAMP, SOCAT_IP_DSTADDR, SOCAT_IP_IF, SOCAT_IP_LOCADDR,
1045 SOCAT_IP_OPTIONS, SOCAT_IP_TOS, SOCAT_IP_TTL, SOCAT_IPV6_DSTADDR,
1046 SOCAT_IPV6_HOPLIMIT, SOCAT_IPV6_TCLASS
1048 the following address options were added to enable ancillary messages:
1049 so-timestamp, ip-pktinfo (not BSD), ip-recvdstaddr (BSD), ip-recverr,
1050 ip-recvif (BSD), ip-recvopts, ip-recvtos, ip-recvttl, ipv6-recvdstopts,
1051 ipv6-recverr, ipv6-recvhoplimit, ipv6-recvhopopts, ipv6-recvpathmtu,
1052 ipv6-recvpktinfo, ipv6-recvrthdr, ipv6-recvtclass
1054 new address options ipv6-tclass and ipv6-unicast-hops set the related
1057 STREAMS (UNIX System V STREAMS) can be configured with the new address
1058 options i-pop-all and i-push (thanks to Michal Rysavy for providing a
1062 some raw IP and UNIX datagram modes failed on BSD systems
1064 when UDP-LISTEN continued to listen after packet dropped by, e.g.,
1065 range option, the old listen socket would not be closed but a new one
1066 created. open sockets could accumulate.
1068 there was a bug in ip*-recv with bind option: it did not bind, and
1069 with the first received packet an error occurred:
1070 socket_init(): unknown address family 0
1071 test: RAWIP4RECVBIND
1073 RECVFROM addresses with FORK option hung after processing the first
1074 packet. test: UDP4RECVFROM_FORK
1076 corrected a few mistakes that caused compiler warnings on 64bit hosts
1077 (thanks to Jonathan Brannan e.a. for providing a patch)
1079 EXEC and SYSTEM with stderr injected socat messages into the data
1080 stream. test: EXECSTDERRLOG
1082 when the EXEC address got a string with consecutive spaces it created
1083 additional empty arguments (thanks to Olivier Hervieu for reporting
1084 this bug). test: EXECSPACES
1086 in ignoreeof polling mode socat also blocked data transfer in the other
1087 direction during the 1s wait intervalls (thanks to Jorgen Cederlof for
1090 corrected alphabetical order of options (proxy-auth)
1092 some minor corrections
1094 improved test.sh script: more stable timing, corrections for BSD
1096 replaced the select() calls by poll() to cleanly fix the problems with
1097 many file descriptors already open
1099 socat option -lf did not log to file but to stderr
1101 socat did not compile on Solaris when configured without termios
1102 feature (thanks to Pavan Gadi for reporting this bug)
1105 socat compiles and runs on AIX with gcc (thanks to Andi Mather for his
1108 socat compiles and runs on Cygwin (thanks to Jan Just Keijser for his
1111 socat compiles and runs on HP-UX with gcc (thanks to Michal Rysavy for
1114 socat compiles and runs on MacOS X (thanks to Camillo Lugaresi for his
1118 filan -s prefixes output with FD number if more than one FD
1120 Makefile now supports datarootdir (thanks to Camillo Lugaresi for
1121 providing the patch)
1123 cleanup in xio-unix.c
1125 ####################### V 1.6.0.1:
1128 new make target "gitclean"
1130 docu source doc/socat.yo released
1133 exec:...,pty did not kill child process under some circumstances; fixed
1134 by correcting typo in xio-progcall.c (thanks to Ralph Forsythe for
1135 reporting this problem)
1137 service name resolution failed due to byte order mistake
1138 (thanks to James Sainsbury for reporting this problem)
1140 socat would hang when invoked with many file descriptors already opened
1141 fix: replaced FOPEN_MAX with FD_SETSIZE
1142 thanks to Daniel Lucq for reporting this problem.
1144 fixed bugs where sub processes would become zombies because the master
1145 process did not catch SIGCHLD. this affected addresses UDP-LISTEN,
1146 UDP-CONNECT, TCP-CONNECT, OPENSSL, PROXY, UNIX-CONNECT, UNIX-CLIENT,
1147 ABSTRACT-CONNECT, ABSTRACT-CLIENT, SOCKSA, SOCKS4A
1148 (thanks to Fernanda G Weiden for reporting this problem)
1150 fixed a bug where sub processes would become zombies because the master
1151 process caught SIGCHLD but did not wait(). this affected addresses
1152 UDP-RECVFROM, IP-RECVFROM, UNIX-RECVFROM, ABSTRACT-RECVFROM
1153 (thanks to Evan Borgstrom for reporting this problem)
1155 corrected option handling with STDIO; usecase: cool-write
1157 configure --disable-pty also disabled option waitlock
1159 fixed small bugs on systems with struct ip_mreq without struct ip_mreqn
1160 (thanks to Roland Illig for sending a patch)
1162 corrected name of option intervall to interval (old form still valid
1163 for us German speaking guys)
1165 corrected some print statements and variable names
1167 make uninstall did not uninstall procan
1169 fixed lots of weaknesses in test.sh
1171 corrected some bugs and typos in doc/socat.yo, EXAMPLES, C comments
1174 procan -c prints C defines important for socat
1176 added test OPENSSLEOF for OpenSSL half close
1178 ####################### V 1.6.0.0:
1181 new addresses IP-DATAGRAM and UDP-DATAGRAM allow versatile broadcast
1184 new option ip-add-membership for control of multicast group membership
1186 new address TUN for generation of Linux TUN/TAP pseudo network
1187 interfaces (suggested by Mat Caughron); associated options tun-device,
1188 tun-name, tun-type; iff-up, iff-promisc, iff-noarp, iff-no-pi etc.
1190 new addresses ABSTRACT-CONNECT, ABSTRACT-LISTEN, ABSTRACT-SENDTO,
1191 ABSTRACT-RECV, and ABSTRACT-RECVFROM for abstract UNIX domain addresses
1192 on Linux (requested by Zeeshan Ali); option unix-tightsocklen controls
1193 socklen parameter on system calls.
1195 option end-close for control of connection closing allows FD sharing
1198 range option supports form address:mask with IPv4
1200 changed behaviour of OPENSSL-LISTEN to require and verify client
1201 certificate per default
1203 options f-setlkw-rd, f-setlkw-wr, f-setlk-rd, f-setlk-wr allow finer
1204 grained locking on regular files
1206 uninstall target in Makefile (lack reported by Zeeshan Ali)
1209 fixed bug where only first tcpwrap option was applied; fixed bug where
1210 tcpwrap IPv6 check always failed (thanks to Rudolf Cejka for reporting
1211 and fixing this bug)
1213 filan (and socat -D) could hang when a socket was involved
1215 corrected PTYs on HP-UX (and maybe others) using STREAMS (inspired by
1218 correct bind with udp6-listen (thanks to Jan Horak for reporting this
1221 corrected filan.c peekbuff[0] which did not compile with Sun Studio Pro
1222 (thanks to Leo Zhadanovsky for reporting this problem)
1224 corrected problem with read data buffered in OpenSSL layer (thanks to
1225 Jon Nelson for reporting this bug)
1227 corrected problem with option readbytes when input stream stayed idle
1230 fixed a bug where a datagram receiver with option fork could fork two
1231 sub processes per packet
1234 moved documentation to new doc/ subdir
1236 new documents (kind of mini tutorials) are provided in doc/
1238 ####################### V 1.5.0.0:
1241 new datagram modes for udp, rawip, unix domain sockets
1243 socat option -T specifies inactivity timeout
1245 rewrote lexical analysis to allow nested socat calls
1247 addresses tcp, udp, tcp-l, udp-l, and rawip now support IPv4 and IPv6
1249 socat options -4, -6 and environment variables SOCAT_DEFAULT_LISTEN_IP,
1250 SOCAT_PREFERRED_RESOLVE_IP for control of protocol selection
1252 addresses ssl, ssl-l, socks, proxy now support IPv4 and IPv6
1254 option protocol-family (pf), esp. for openssl-listen
1256 range option supports IPv6 - syntax: range=[::1/128]
1258 option ipv6-v6only (ipv6only)
1260 new tcp-wrappers options allow-table, deny-table, tcpwrap-etc
1262 FIPS version of OpenSSL can be integrated - initial patch provided by
1263 David Acker. See README.FIPS
1265 support for resolver options res-debug, aaonly, usevc, primary, igntc,
1266 recurse, defnames, stayopen, dnsrch
1268 options for file attributes on advanced filesystems (ext2, ext3,
1269 reiser): secrm, unrm, compr, ext2-sync, immutable, ext2-append, nodump,
1270 ext2-noatime, journal-data etc.
1272 option cool-write controls severeness of write failure (EPIPE,
1277 socat option -lh for hostname in log output
1279 traffic dumping provides packet headers
1281 configure.in became part of distribution
1283 socats unpack directory now has full version, e.g. socat-1.5.0.0/
1285 corrected docu of option verify
1288 fixed tcpwrappers integration - initial fix provided by Rudolf Cejka
1290 exec with pipes,stderr produced error
1292 setuid-early was ignored with many address types
1294 some minor corrections
1296 ####################### V 1.4.3.1:
1299 PROBLEM: UNIX socket listen accepted only one (or a few) connections.
1300 FIX: do not remove listening UNIX socket in child process
1302 PROBLEM: SIGSEGV when TCP part of SSL connect failed
1303 FIX: check ssl pointer before calling SSL_shutdown
1305 In debug mode, show connect client port even when connect fails
1307 ####################### V 1.4.3.0:
1310 socat options -L, -W for application level locking
1312 options "lockfile", "waitlock" for address level locking
1315 option "readbytes" limits read length (Adam Osuchowski)
1317 option "retry" for unix-connect, unix-listen, tcp6-listen (Dale Dude)
1319 pty symlink, unix listen socket, and named pipe are per default removed
1320 after use; option unlink-close overrides this new behaviour and also
1321 controls removal of other socat generated files (Stefan Luethje)
1324 option "retry" did not work with tcp-listen
1326 EPIPE condition could result in a 100% CPU loop
1329 support systems without SHUT_RD etc.
1330 handle more size_t types
1331 try to find makedepend options with gcc 3 (richard/OpenMacNews)
1333 ####################### V 1.4.2.0:
1336 option "connect-timeout" limits wait time for connect operations
1337 (requested by Giulio Orsero)
1339 option "dhparam" for explicit Diffie-Hellman parameter file
1342 support for OpenSSL DSA certificates (Miika Komu)
1344 create install directories before copying files (Miika Komu)
1346 when exiting on signal, return status 128+signum instead of 1
1348 on EPIPE and ECONNRESET, only issue a warning (Santiago Garcia
1351 -lu could cause a core dump on long messages
1354 modifications to simplify using socats features in applications
1356 ####################### V 1.4.1.0:
1359 option "wait-slave" blocks open of pty master side until a client
1360 connects, "pty-intervall" controls polling
1362 option -h as synonym to -? for help (contributed by Christian
1365 filan prints formatted time stamps and rdev (disable with -r)
1367 redirect filan's output, so stdout is not affected (contributed by
1370 filan option -L to follow symbolic links
1372 filan shows termios control characters
1375 proxy address no longer performs unsolicited retries
1377 filan -f no longer needs read permission to analyze a file (but still
1378 needs access permission to directory, of course)
1382 FreeBSD options noopt, nopush, md5sig
1383 OpenBSD options sack-disable, signature-enable
1384 HP-UX, Solaris options abort-threshold, conn-abort-threshold
1385 HP-UX options b900, b3600, b7200
1386 Tru64/OSF1 options keepinit, paws, sackena, tsoptena
1388 further corrections:
1389 address pty now uses ptmx as default if openpty is also available
1391 ####################### V 1.4.0.3:
1394 Socat security advisory 1
1396 fix to a syslog() based format string vulnerability that can lead to
1397 remote code execution. See advisory socat-adv-1.txt
1399 ####################### V 1.4.0.2:
1402 exec'd write-only addresses get a chance to flush before being killed
1404 error handler: print notice on error-exit
1406 filan printed wrong file type information
1408 ####################### V 1.4.0.1:
1411 socks4a constructed invalid header. Problem found, reported, and fixed
1412 by Thomas Themel, by Peter Palfrader, and by rik
1414 with nofork, don't forget to apply some process related options
1415 (chroot, setsid, setpgid, ...)
1417 ####################### V 1.4.0.0:
1420 simple openssl server (ssl-l), experimental openssl trust
1422 new options "cafile", "capath", "key", "cert", "egd", and "pseudo" for
1425 new options "retry", "forever", and "intervall"
1427 option "fork" for address TCP improves `gender changer´
1429 options "sigint", "sigquit", and "sighup" control passing of signals to
1430 sub process (thanks to David Shea who contributed to this issue)
1432 readline takes respect to the prompt issued by the peer address
1434 options "prompt" and "noprompt" allow to override readline's new
1437 readline supports invisible password with option "noecho"
1439 socat option -lp allows to set hostname in log output
1441 socat option -lu turns on microsecond resolution in log output
1445 before reading available data, check if writing on other channel is
1448 tcp6, udp6: support hostname specification (not only IP address), and
1449 map IP4 names to IP6 addresses
1451 openssl client checks server certificate per default
1453 support unidirectional communication with exec/system subprocess
1455 try to restore original terminal settings when terminating
1457 test.sh uses tmp dir /tmp/$USER/$$ instead of /tmp/$$
1459 socks4 failed on platforms where long does not have 32 bits
1460 (thanks to Peter Palfrader and Thomas Seyrat)
1462 hstrerror substitute wrote wrong messages (HP-UX, Solaris)
1464 proxy error message was truncated when answer contained multiple spaces
1468 compiles with AIX xlc, HP-UX cc, Tru64 cc (but might not link)
1470 ####################### V 1.3.2.2:
1473 PROXY CONNECT failed when the status reply from the proxy server
1474 contained more than one consecutive spaces. Problem reported by
1475 Alexandre Bezroutchko
1477 do not SIGSEGV when proxy address fails to resolve server name
1479 udp-listen failed on systems where AF_INET != SOCK_DGRAM (e.g. SunOS).
1480 Problem reported by Christoph Schittel
1482 test.sh only tests available features
1484 added missing IP and TCP options in filan analyzer
1486 do not apply stdio address options to both directions when in
1489 on systems lacking /dev/*random and egd, provide (weak) entropy from
1494 changes for HP-UX (VREPRINT, h_NETDB_INTERNAL)
1496 compiles on True64, FreeBSD (again), NetBSD, OpenBSD
1498 support for long long as st_ino type (Cygwin 1.5)
1500 compile on systems where pty can not be featured
1502 ####################### V 1.3.2.1:
1505 "final" solution for the ENOCHLD problem
1507 corrected "make strip"
1509 default gcc debug/opt is "-O" again
1511 check for /proc at runtime, even if configure found it
1513 src.rpm accidently supported SuSE instead of RedHat
1515 ####################### V 1.3.2.0:
1518 option "nofork" connects an exec'd script or program directly
1519 to the file descriptors of the other address, circumventing the socat
1522 support for files >2GB, using ftruncate64(), lseek64(), stat64()
1524 filan has new "simple" output style (filan -s)
1528 options "binary" and "text" for controlling line termination on Cygwin
1529 file system access (hint from Yang Wu-Zhou)
1531 fix by Yang Wu-Zhou for the Cygwin "No Children" problem
1533 improved support for OSR: _SVID3; no IS_SOCK, no F_GETOWN (thanks to
1536 minor corrections to avoid warnings with gcc 3
1539 further corrections and minor improvements:
1540 configure script is generated with autoconf 2.57 (no longer 2.52)
1542 configure passes CFLAGS to Makefile
1544 option -??? for complete list of address options and their short forms
1546 program name in syslog messages is derived from argv[0]
1548 SIGHUP now prints notice instead of error
1550 EIO during read of pty now gives Notice instead of Error, and
1553 use of hstrerror() for printing resolver error messages
1555 setgrent() got required endgrent()
1557 ####################### V 1.3.1.0:
1560 integration of Wietse Venema's tcpwrapper library (libwrap)
1562 with "proxy" address, option "resolve" controls if hostname or IP
1563 address is sent in request
1565 option "lowport" establishes limited authorization for TCP and UDP
1568 improvement of .spec file for RPM creation (thanks to Gerd v. Egidy)
1569 An accompanying change in the numbering scheme results in an
1570 incompatibility with earlier socat RPMs!
1573 solved problems and bugs:
1574 PROBLEM: socat daemon terminated when the address of a connecting
1575 client did not match range option value instead of continue listening
1576 SOLVED: in this case, print warning instead of error to keep daemon
1579 PROBLEM: tcp-listen with fork sometimes left excessive number of zombie
1581 SOLVED: dont assume that each exiting child process generates SIGCHLD
1583 when converting CRNL to CR, socat converted to NL
1586 further corrections:
1587 configure script now disables features that depend on missing files
1588 making it more robust in "unsupported" environments
1590 server.pem permissions corrected to 600
1592 "make install" now does not strip; use "make strip; make install"
1593 if you like strip (suggested by Peter Bray)
1595 ####################### V 1.3.0.1:
1597 solved problems and bugs:
1598 PROBLEM: OPENSSL did not apply tcp, ip, and socket options
1599 SOLVED: OPENSSL now correctly handles the options list
1601 PROBLEM: CRNL to NL and CRNL to CR conversions failed when CRNL crossed
1603 SOLVED: these conversions now simply strip all CR's or NL's from input
1608 SunOS ptys now work on x86, too (thanks to Peter Bray)
1610 configure looks for freeware libs in /pkgs/lib/ (thanks to Peter Bray)
1613 further corrections:
1614 added WITH_PROXY value to -V output
1616 added compile dependencies of WITH_PTY and WITH_PROXY
1618 -?? did not print option group of proxy options
1620 corrected syntax for bind option in docu
1622 corrected an issue with stdio in unidirectional mode
1624 options socksport and proxyport support service names
1626 ftp.sh script supports proxy address
1628 man page no longer installed with execute permissions (thanks to Peter
1631 fixed a malloc call bug that could cause SIGSEGV or false "out of
1632 memory" errors on EXEC and SYSTEM, depending on program name length and
1635 ####################### V 1.3.0.0:
1638 proxy connect with optional proxy authentication
1640 combined hex and text dump mode, credits to Gregory Margo
1642 address pty applies options user, group, and perm to device
1645 solved problems and bugs:
1646 PROBLEM: option reuseport was not applied (BSD, AIX)
1647 SOLVED: option reuseport now in phase PASTSOCKET instead of PREBIND,
1648 credits to Jean-Baptiste Marchand
1650 PROBLEM: ignoreeof with stdio was ignored
1651 SOLVED: ignoreeof now works correctly with address stdio
1653 PROBLEM: ftp.sh did not use user supplied password
1654 SOLVED: ftp.sh now correctly passes password from command line
1656 PROBLEM: server.pem had expired
1657 SOLVED: new server.pem valid for ten years
1659 PROBLEM: socks notice printed wrong port on some platforms
1660 SOLVED: socks now uses correct byte-order for port number in notice
1663 further corrections:
1664 option name o_trunc corrected to o-trunc
1666 combined use of -u and -U is now detected and prevented
1668 made message system a little more robust against format string attacks
1671 ####################### V 1.2.0.0:
1674 address pty for putting socat behind a new pseudo terminal that may
1675 fake a serial line, modem etc.
1677 experimental openssl integration
1678 (it does not provide any trust between the peers because is does not
1679 check certificates!)
1681 options flock-ex, flock-ex-nb, flock-sh, flock-sh-nb to control all
1682 locking mechanism provided by flock()
1684 options setsid and setpgid now available with all address types
1686 option ctty (controlling terminal) now available for all TERMIOS
1689 option truncate (a hybrid of open(.., O_TRUNC) and ftruncate()) is
1690 replaced by options o-trunc and ftruncate=offset
1692 option sourceport now available with TCP and UDP listen addresses to
1693 restrict incoming client connections
1695 unidirectional mode right-to-left (-U)
1698 solved problems and bugs:
1699 PROBLEM: addresses without required parameters but an option containing
1700 a '/' were incorrectly interpreted as implicit GOPEN address
1701 SOLVED: if an address does not have ':' separator but contains '/',
1702 check if the slash is before the first ',' before assuming
1707 ptys under SunOS work now due to use of stream options
1710 further corrections:
1711 with -d -d -d -d -D, don't print debug info during file analysis
1714 ####################### V 1.1.0.1:
1717 .spec file for RPM generation
1720 solved problems and bugs:
1721 PROBLEM: GOPEN on socket did not apply option unlink-late
1722 SOLUTION: GOPEN for socket now applies group NAMED, phase PASTOPEN
1725 PROBLEM: with unidirectional mode, an unnecessary close timeout was
1727 SOLUTION: in unidirectional mode, terminate without wait time
1729 PROBLEM: using GOPEN on a unix domain socket failed for datagram
1731 SOLUTION: when connect() fails with EPROTOTYPE, use a datagram socket
1734 further corrections:
1736 open() flag options had names starting with "o_", now corrected to "o-"
1738 in docu, *-listen addresses were called *_listen
1740 address unix now called unix-connect because it does not handle unix
1743 in test.sh, apply global command line options with all tests
1746 ####################### V 1.1.0.0:
1749 regular man page and html doc - thanks to kromJx for prototype
1751 new address type "readline", utilizing GNU readline and history libs
1753 address option "history-file" for readline
1755 new option "dash" to "exec" address that allows to start login shells
1757 syslog facility can be set per command line option
1759 new address option "tcp-quickack", found in Linux 2.4
1761 option -g prevents option group checking
1763 filan and procan can print usage
1765 procan prints rlimit infos
1768 solved problems and bugs:
1769 PROBLEM: raw IP socket SIGSEGV'ed when it had been shut down.
1770 SOLVED: set eof flag of channel on shutdown.
1772 PROBLEM: if channel 2 uses a single non-socket FD in bidirectional mode
1773 and has data available while channel 1 reaches EOF, the data is
1775 SOLVED: during one loop run, first handle all data transfers and
1776 _afterwards_ handle EOF.
1778 PROBLEM: despite to option NONBLOCK, the connect() call blocked
1779 SOLVED: option NONBLOCK is now applied in phase FD instead of LATE
1781 PROBLEM: UNLINK options issued error when file did not exist,
1783 SOLVED: failure of unlink() is only warning if errno==ENOENT
1785 PROBLEM: TCP6-LISTEN required numeric port specification
1786 SOLVED: now uses common TCP service resolver
1788 PROBLEM: with PIPE, wrong FDs were shown for data transfer loop
1789 SOLVED: retrieval of FDs now pays respect to PIPE pecularities
1791 PROBLEM: using address EXEC against an address with IGNOREEOF, socat
1793 SOLVED: corrected EOF handling of sigchld
1797 MacOS and old AIX versions now have pty
1799 flock() now available on Linux (configure check was wrong)
1801 named pipe were generated using mknod(), which requires root under BSD
1802 now they are generated using mkfifo
1805 further corrections:
1806 lots of address options that were "forgotten" at runtime are now
1809 option BINDTODEVICE now also called SO-BINDTODEVICE, IF
1811 "make install" now installs binaries with ownership 0:0
1814 ####################### V 1.0.4.2:
1816 solved problems and bugs:
1817 PROBLEM: EOF of one stream caused close of other stream, giving it no
1818 chance to go down regularly
1819 SOLVED: EOF of one stream now causes shutdown of write part of other
1822 PROBLEM: sending mail via socks address to qmail showed that crlf
1823 option does not work
1824 SOLVED: socks address applies PH_LATE options
1826 PROBLEM: in debug mode, no info about socat and platform was issued
1827 SOLVED: print socat version and uname output in debug mode
1829 PROBLEM: invoking socat with -t and no following parameters caused
1831 SOLVED: -t and -b now check next argv entry
1833 PROBLEM: when opening of logfile (-lf) failed, no error was reported
1834 and no further messages were printed
1835 SOLVED: check result of fopen and print error message if it failed
1838 address type UDP-LISTEN now supports option fork: it internally applies
1839 socket option SO_REUSEADDR so a new UDP socket can bind to port after
1840 `accepting´ a connection (child processes might live forever though)
1841 (suggestion from Damjan Lango)
1844 ####################### V 1.0.4.1:
1846 solved problems and bugs:
1847 PROB: assert in libc caused an endless recursion
1848 SOLVED: no longer catch SIGABRT
1850 PROB: socat printed wrong verbose prefix for "right to left" packets
1851 SOLVED: new parameter for xiotransfer() passes correct prefix
1854 in debug mode, socat prints its command line arguments
1855 in verbose mode, escape special characters and replace unprintables
1856 with '.'. Patch from Adrian Thurston.
1859 ####################### V 1.0.4.0:
1861 solved problems and bugs:
1862 Debug output for lstat and fstat said "stat"
1864 further corrections:
1865 FreeBSD now includes libutil.h
1868 option setsid with exec/pty
1869 option setpgid with exec/pty
1870 option ctty with exec/pty
1872 gettimeofday in sycls.c (no use yet)
1875 before Gethostbyname, invoke inet_aton for MacOSX
1878 ####################### V 1.0.3.0:
1880 solved problems and bugs:
1882 PROB: test 9 of test.sh (echo via file) failed on some platforms,
1883 socat exited without error message
1884 SOLVED: _xioopen_named_early(): preset statbuf.st_mode with 0
1886 PROB: test 17 hung forever
1887 REASON: child death before select loop did not result in EOF
1888 SOLVED: check of existence of children before starting select loop
1890 PROB: test 17 failed
1891 REASON: child dead triggered EOF before last data was read
1892 SOLVED: after child death, read last data before setting EOF
1894 PROB: filan showed that exec processes incorrectly had fd3 open
1895 REASON: inherited open fd3 from main process
1896 SOLVED: set CLOEXEC flag on pty fd in main process
1898 PROB: help printed "undef" instead of group "FORK"
1899 SOLVED: added "FORK" to group name array
1901 PROB: fatal messages did not include severity classifier
1902 SOLVED: added "F" to severity classifier array
1904 PROB: IP6 addresses where printed incorrectly
1905 SOLVED: removed type casts to unsigned short *
1907 further corrections:
1908 socat catches illegal -l modes
1909 corrected error message on setsockopt(linger)
1910 option tabdly is of type uint
1911 correction for UDP over IP6
1912 more cpp conditionals, esp. for IP6 situations
1913 better handling of group NAMED options with listening UNIX sockets
1914 applyopts2 now includes last given phase
1915 corrected option group handling for most address types
1916 introduce dropping of unappliable options (dropopts, dropopts2)
1917 gopen now accepts socket and unix-socket options
1918 exec and system now accept all socket and termios options
1919 child process for exec and system addresses with option pty
1920 improved descriptions and options for EXAMPLES
1921 printf format for file mode changed to "0%03o" with length spec.
1922 added va_end() in branch of msg()
1923 changed phase of lock options from PASTOPEN to FD
1924 support up to four early dying processes
1927 xiosysincludes now includes sysincludes.h for non xio files
1932 TYPE_DOUBLE, u_double
1934 added getsid(), setsid(), send() to sycls
1935 procan prints sid (session id)
1936 mail.sh gets -f (from) option
1937 new EXAMPLEs for file creation
1938 gatherinfo.sh now tells about failures
1939 test.sh can check for much more address/option combinations
1942 ispeed, ospeed for termios on FreeBSD
1943 getpgid() conditional for MacOS 10
1944 added ranlib in Makefile.in for MacOS 10
1945 disable pty option if no pty mechanism is available (MacOS 10)
1946 now compiles and runs on MacOS 10 (still some tests fail)
1947 setgroups() conditional for cygwin
1948 sighandler_t defined conditionally
1949 use gcc option -D_GNU_SOURCE