Socat Changelog

What's new in Socat 1.7.2.4

Dec 8, 2014
  • corrections:
  • LISTEN based addresses applied some address options, e.g. so-keepalive, to the listening file descriptor instead of the connected file descriptor Thanks to Ulises Alonso for reporting this bug
  • make failed after configure with non gcc compiler due to missing include. Thanks to Horacio Mijail for reporting this problem
  • configure checked for --disable-rawsocket but printed --disable-genericsocket in the help text. Thanks to Ben Gardiner for reporting and patching this bug
  • In xioshutdown() a wrong branch was chosen after RECVFROM type addresses. Probably no impact. Thanks to David Binderman for reproting this issue.
  • procan could not cleanly format ulimit values longer than 16 decimal digits. Thanks to Frank Dana for providing a patch that increases field width to 24 digits.
  • OPENSSL-CONNECT with bind option failed on some systems, eg.FreeBSD, with "Invalid argument" Thanks to Emile den Tex for reporting this bug.
  • Changed some variable definitions to make gcc -O2 aliasing checker happy Thanks to Ilya Gordeev for reporting these warnings
  • On big endian platforms with type long >32bit the range option applied a bad base address. Thanks to hejia hejia for reporting and fixing this bug.
  • Red Hat issue 1022070: missing length check in xiolog_ancillary_socket()
  • Red Hat issue 1022063: out-of-range shifts on net mask bits
  • Red Hat issue 1022062: strcpy misuse in xiosetsockaddrenv_ip4()
  • Red Hat issue 1022048: strncpy hardening: corrected suspicious strncpy() uses
  • Red Hat issue 1021958: fixed a bug with faulty buffer/data length calculation in xio-ascii.c:_xiodump()
  • Red Hat issue 1021972: fixed a missing NUL termination in return string of sysutils.c:sockaddr_info() for the AF_UNIX case
  • fixed some typos and minor issues, including: Red Hat issue 1021967: formatting error in manual page
  • UNIX-LISTEN with fork option did not remove the socket file system entry when exiting. Other file system based passive address types had similar issues or failed to apply options umask, user e.a. Thanks to Lorenzo Monti for pointing me to this issue
  • porting:
  • Red Hat issue 1020203: configure checks fail with some compilers. Use case: clang
  • Performed changes for Fedora release 19
  • Adapted, improved test.sh script
  • Red Hat issue 1021429: getgroupent fails with large number of groups; use getgrouplist() when available instead of sequence of calls to getgrent()
  • Red Hat issue 1021948: snprintf API change; Implemented xio_snprintf() function as wrapper that tries to emulate C99 behaviour on old glibc systems, and adapted all affected calls appropriately
  • Mike Frysinger provided a patch that supports long long for time_t, socklen_t and a few other libc types.
  • Artem Mygaiev extended Cedril Priscals Android build script with pty code
  • The check for fips.h required stddef.h Thanks to Matt Hilt for reporting this issue and sending a patch
  • Check for linux/errqueue.h failed on some systems due to lack of linux/types.h inclusion. Thanks to Michael Vastola for sending a patch.
  • autoconf now prefers configure.ac over configure.in Thanks to Michael Vastola for sending a patch.
  • type of struct cmsghdr.cmsg is system dependend, determine it with configure; some more print format corrections
  • docu:
  • libwrap always logs to syslog
  • added actual text version of GPLv2

New in Socat 1.7.2.3 / 2.0.0 Beta 3 (Jan 29, 2014)

  • Security:
  • CVE-2014-0019: socats PROXY-CONNECT address was vulnerable to a buffer overflow with data from command line (see socat-secadv5.txt). Credits to Florian Weimer of the Red Hat Product Security Team

New in Socat 1.7.2.2 (May 27, 2013)

  • after refusing a client connection due to bad source address or source port socat shutdown() the socket but did not close() it, resulting in a file descriptor leak in the listening process, visible with lsof and possibly resulting in EMFILE Too many open files. This issue could be misused for a denial of service attack.

New in Socat 1.7.2.0 (Dec 6, 2011)

  • when UNIX-LISTEN was applied to an existing file it failed as expected but removed the file. Thanks to Bjoern Bosselmann for reporting this problem
  • fixed a bug where socat might crash when connecting to a unix domain socket using address GOPEN. Thanks to Martin Forssen for bug report and patch.
  • UDP-LISTEN would alway set SO_REUSEADDR even without fork option and when user set it to 0. Thanks to Michal Svoboda for reporting this bug.
  • UNIX-CONNECT did not support half-close. Thanks to Greg Hughes who pointed me to that bug
  • TCP-CONNECT with option nonblock reported successful connect even when it was still pending
  • address option ioctl-intp failed with "unimplemented type 26". Thanks to Jeremy W. Sherman for reporting and fixing that bug
  • socat option -x did not print packet direction, timestamp etc; thanks to Anthony Sharobaiko for sending a patch
  • address PTY does not take any parameters but did not report an error when some were given
  • Marcus Meissner provided a patch that fixes invalid output and possible process crash when socat prints info about an unnamed unix domain socket
  • Michal Soltys reported the following problem and provided an initial patch: when socat was interrupted, e.g. by SIGSTOP, and resumed during data transfer only parts of the data might have been written.
  • Option o-nonblock in combination with large transfer block sizes may result in partial writes and/or EAGAIN errors that were not handled properly but resulted in data loss or process termination.
  • Fixed a bug that could freeze socat when during assembly of a log message a signal was handled that also printed a log message. socat development had been aware that localtime() is not thread safe but had only expected broken messages, not corrupted stack (glibc 2.11.1, Ubuntu 10.4)
  • an internal store for child pids was susceptible to pid reuse which could lead to sporadic data loss when both fork option and exec address were used. Thanks to Tetsuya Sodo for reporting this problem and sending a patch
  • OpenSSL server failed with "no shared cipher" when using cipher aNULL. Fixed by providing temporary DH parameters. Thanks to Philip Rowlands for drawing my attention to this issue.
  • UDP-LISTEN slept 1s after accepting a connection. This is not required. Thanks to Peter Valdemar Morch for reporting this issue
  • fixed a bug that could lead to error or socat crash after a client connection with option retry had been established
  • fixed configure.in bug on net/if.h check that caused IF_NAMESIZE to be undefined
  • improved dev_t print format definition
  • porting: Cedril Priscal ported socat to Android (using Googles cross compiler). The port includes the socat_buildscript_for_android.sh script
  • added check for component ipi_spec_dst in struct in_pktinfo so compilation does not fail on Cygwin (thanks to Peter Wagemans for reporting this problem)
  • build failed on RHEL6 due to presence of fips.h; configure now checks for fipsld too. Thanks to Andreas Gruenbacher for reporting this problem
  • check for netinet6/in6.h only when IPv6 is available and enabled
  • don't fail to compile when the following defines are missing: IPV6_PKTINFO IPV6_RTHDR IPV6_DSTOPTS IPV6_HOPOPTS IPV6_HOPLIMIT Thanks to Jerry Jacobs for reporting this problem (Mac OS X Lion 10.7)
  • check if define __APPLE_USE_RFC_2292 helps to enable IPV6_* (MacOSX Lion 7.1); thanks to Jerry Jacobs to reporting this problem and proposing a solution
  • fixed compiler warnings on Mac OS X 64bit. Thanks to Guy Harris for providing the patch.
  • corrections for OpenEmbedded, especially termios SHIFT values and ISPEED/OSPEED. Thanks to John Faith for providing the patch
  • minor corrections to docu and test.sh resulting from local compilation on Openmoko SHR
  • fixed sa_family_t compile error on DragonFly. Thanks to Tony Young for reporting this issue and sending a patch.
  • Ubuntu Oneiric: OpenSSL no longer provides SSLv2 functions; libutil.sh is now bsd/libutil.h; compiler warns on vars that is only written to
  • new features: added option max-children that limits the number of concurrent child processes. Thanks to Sam Liddicott for providing the patch.
  • Till Maas added support for tun/tap addresses without IP address
  • added an option openssl-compress that allows to disable the compression feature of newer OpenSSL versions. Thanks to Michael Hanselmann for providing this contribution (sponsored by Google Inc.)
  • docu: minor corrections in docu (thanks to Paggas)
  • client process -> child process

New in Socat 1.7.1.3 (Aug 2, 2010)

  • fixed a stack overflow vulnerability that occurred when command line arguments (whole addresses, host names, file names) were longer than 512 bytes. Note that this could only be exploited when an attacker was able to inject data into socat's command line. Full credits to Felix Gröbert, Google Security Team, for finding and reporting this issue

New in Socat 1.7.1.1 (May 8, 2009)

  • corrected the "fixed possible SIGSEGV" fix because SIGSEGV still might occur under those conditions. Thanks to Toni Mattila for first reporting this problem.
  • ftruncate64 cut its argument to 32 bits on systems with 32 bit long type
  • socat crashed on systems without setenv() (esp. SunOS up to Solaris 9); thanks to Todd Stansell for reporting this bug
  • with unidirectional EXEC and SYSTEM a close() operation was performed on a random number which could result in hanging e.a.
  • fixed a compile problem caused by size_t/socklen_t mismatch on 64bit systems
  • docu mentioned option so-bindtodev but correct name is so-bindtodevice. Thanks to Jim Zimmerman for reporting.

New in Socat 2.0.0 Beta 3 (Apr 4, 2009)

  • This version contains all new bug fixes and features of 1.7.1.0 and introduces the possibility to integrate external programs in address chains (see doc/socat-addresschain.html and doc/socat-exec.html).

New in Socat 1.7.1.0 (Apr 3, 2009)

  • new features:
  • address options shut-none, shut-down, and shut-close allow to control socat's half close behaviour
  • with address option shut-null socat sends an empty packet to the peer to indicate EOF
  • option null-eof changes the behaviour of sockets that receive an empty packet to see EOF instead of ignoring it
  • introduced option names substuser-early and su-e, currently equivalent to option substuser (thanks to Mike Perry for providing the patch)
  • corrections:
  • fixed some typos and improved some comments

New in Socat 2.0.0 Beta 2 (Nov 2, 2008)

  • The main enhancements are so-called address chains that concatenate simple addresses.
  • Address chains are similar to command shell pipes, but work bidirectionally.

New in Socat 1.7.0.0 (Oct 16, 2008)

  • This release brings support for SCTP stream sockets, raw interface, and generic sockets.
  • A new option escape allows it to interrupt raw terminal connections.
  • Listening and receiving sockets can set a couple of environment variables.
  • Base control of System V STREAMS has been added.
  • Many corrections were performed.
  • socat compiles on Mac OS X again.