mirror of
https://github.com/moparisthebest/socat
synced 2024-11-14 21:15:01 -05:00
1262 lines
40 KiB
Plaintext
1262 lines
40 KiB
Plaintext
|
||
corrections:
|
||
LISTEN based addresses applied some address options, e.g. so-keepalive,
|
||
to the listening file descriptor instead of the connected file
|
||
descriptor
|
||
Thanks to Ulises Alonso for reporting this bug
|
||
|
||
make failed after configure with non gcc compiler due to missing
|
||
include. Thanks to Horacio Mijail for reporting this problem
|
||
|
||
configure checked for --disable-rawsocket but printed
|
||
--disable-genericsocket in the help text. Thanks to Ben Gardiner for
|
||
reporting and patching this bug
|
||
|
||
In xioshutdown() a wrong branch was chosen after RECVFROM type addresses.
|
||
Probably no impact.
|
||
Thanks to David Binderman for reproting this issue.
|
||
|
||
procan could not cleanly format ulimit values longer than 16 decimal
|
||
digits. Thanks to Frank Dana for providing a patch that increases field
|
||
width to 24 digits.
|
||
|
||
OPENSSL-CONNECT with bind option failed on some systems, eg.FreeBSD, with
|
||
"Invalid argument"
|
||
Thanks to Emile den Tex for reporting this bug.
|
||
|
||
Changed some variable definitions to make gcc -O2 aliasing checker happy
|
||
Thanks to Ilya Gordeev for reporting these warnings
|
||
|
||
On big endian platforms with type long >32bit the range option applied a
|
||
bad base address. Thanks to hejia hejia for reporting and fixing this bug.
|
||
|
||
Red Hat issue 1022063: out-of-range shifts on net mask bits
|
||
|
||
Red Hat issue 1022062: strcpy misuse in xiosetsockaddrenv_ip4()
|
||
|
||
Red Hat issue 1022048: strncpy hardening: corrected suspicious strncpy()
|
||
uses
|
||
|
||
Red Hat issue 1021958: fixed a bug with faulty buffer/data length
|
||
calculation in xio-ascii.c:_xiodump()
|
||
|
||
Red Hat issue 1021972: fixed a missing NUL termination in return string
|
||
of sysutils.c:sockaddr_info() for the AF_UNIX case
|
||
|
||
porting:
|
||
Performed changes for Fedora release 19
|
||
|
||
Adapted, improved test.sh script
|
||
|
||
docu:
|
||
libwrap always logs to syslog
|
||
|
||
added actual text version of GPLv2
|
||
|
||
####################### V 1.7.2.3:
|
||
|
||
security:
|
||
CVE-2014-0019: socats PROXY-CONNECT address was vulnerable to a buffer
|
||
overflow with data from command line (see socat-secadv5.txt)
|
||
Credits to Florian Weimer of the Red Hat Product Security Team
|
||
|
||
####################### V 1.7.2.2:
|
||
|
||
security:
|
||
after refusing a client connection due to bad source address or source
|
||
port socat shutdown() the socket but did not close() it, resulting in
|
||
a file descriptor leak in the listening process, visible with lsof and
|
||
possibly resulting in EMFILE Too many open files. This issue could be
|
||
misused for a denial of service attack.
|
||
Full credits to Catalin Mitrofan for finding and reporting this issue.
|
||
|
||
####################### V 1.7.2.1:
|
||
|
||
security:
|
||
fixed a possible heap buffer overflow in the readline address. This bug
|
||
could be exploited when all of the following conditions were met:
|
||
1) one of the addresses is READLINE without the noprompt and without the
|
||
prompt options.
|
||
2) the other (almost arbitrary address) reads malicious data (which is
|
||
then transferred by socat to READLINE).
|
||
Workaround: when using the READLINE address apply option prompt or
|
||
noprompt.
|
||
Full credits to Johan Thillemann for finding and reporting this issue.
|
||
|
||
####################### V 1.7.2.0:
|
||
|
||
corrections:
|
||
when UNIX-LISTEN was applied to an existing file it failed as expected
|
||
but removed the file. Thanks to Bjoern Bosselmann for reporting this
|
||
problem
|
||
|
||
fixed a bug where socat might crash when connecting to a unix domain
|
||
socket using address GOPEN. Thanks to Martin Forssen for bug report and
|
||
patch.
|
||
|
||
UDP-LISTEN would alway set SO_REUSEADDR even without fork option and
|
||
when user set it to 0. Thanks to Michal Svoboda for reporting this bug.
|
||
|
||
UNIX-CONNECT did not support half-close. Thanks to Greg Hughes who
|
||
pointed me to that bug
|
||
|
||
TCP-CONNECT with option nonblock reported successful connect even when
|
||
it was still pending
|
||
|
||
address option ioctl-intp failed with "unimplemented type 26". Thanks
|
||
to Jeremy W. Sherman for reporting and fixing that bug
|
||
|
||
socat option -x did not print packet direction, timestamp etc; thanks
|
||
to Anthony Sharobaiko for sending a patch
|
||
|
||
address PTY does not take any parameters but did not report an error
|
||
when some were given
|
||
|
||
Marcus Meissner provided a patch that fixes invalid output and possible
|
||
process crash when socat prints info about an unnamed unix domain
|
||
socket
|
||
|
||
Michal Soltys reported the following problem and provided an initial
|
||
patch: when socat was interrupted, e.g. by SIGSTOP, and resumed during
|
||
data transfer only parts of the data might have been written.
|
||
|
||
Option o-nonblock in combination with large transfer block sizes
|
||
may result in partial writes and/or EAGAIN errors that were not handled
|
||
properly but resulted in data loss or process termination.
|
||
|
||
Fixed a bug that could freeze socat when during assembly of a log
|
||
message a signal was handled that also printed a log message. socat
|
||
development had been aware that localtime() is not thread safe but had
|
||
only expected broken messages, not corrupted stack (glibc 2.11.1,
|
||
Ubuntu 10.4)
|
||
|
||
an internal store for child pids was susceptible to pid reuse which
|
||
could lead to sporadic data loss when both fork option and exec address
|
||
were used. Thanks to Tetsuya Sodo for reporting this problem and
|
||
sending a patch
|
||
|
||
OpenSSL server failed with "no shared cipher" when using cipher aNULL.
|
||
Fixed by providing temporary DH parameters. Thanks to Philip Rowlands
|
||
for drawing my attention to this issue.
|
||
|
||
UDP-LISTEN slept 1s after accepting a connection. This is not required.
|
||
Thanks to Peter Valdemar Morch for reporting this issue
|
||
|
||
fixed a bug that could lead to error or socat crash after a client
|
||
connection with option retry had been established
|
||
|
||
fixed configure.in bug on net/if.h check that caused IF_NAMESIZE to be
|
||
undefined
|
||
|
||
improved dev_t print format definition
|
||
|
||
porting:
|
||
Cedril Priscal ported socat to Android (using Googles cross compiler).
|
||
The port includes the socat_buildscript_for_android.sh script
|
||
|
||
added check for component ipi_spec_dst in struct in_pktinfo so
|
||
compilation does not fail on Cygwin (thanks to Peter Wagemans for
|
||
reporting this problem)
|
||
|
||
build failed on RHEL6 due to presence of fips.h; configure now checks
|
||
for fipsld too. Thanks to Andreas Gruenbacher for reporting this
|
||
problem
|
||
|
||
check for netinet6/in6.h only when IPv6 is available and enabled
|
||
|
||
don't fail to compile when the following defines are missing:
|
||
IPV6_PKTINFO IPV6_RTHDR IPV6_DSTOPTS IPV6_HOPOPTS IPV6_HOPLIMIT
|
||
Thanks to Jerry Jacobs for reporting this problem (Mac OS X Lion 10.7)
|
||
|
||
check if define __APPLE_USE_RFC_2292 helps to enable IPV6_* (MacOSX
|
||
Lion 7.1); thanks to Jerry Jacobs to reporting this problem and
|
||
proposing a solution
|
||
|
||
fixed compiler warnings on Mac OS X 64bit. Thanks to Guy Harris for
|
||
providing the patch.
|
||
|
||
corrections for OpenEmbedded, especially termios SHIFT values and
|
||
ISPEED/OSPEED. Thanks to John Faith for providing the patch
|
||
|
||
minor corrections to docu and test.sh resulting from local compilation
|
||
on Openmoko SHR
|
||
|
||
fixed sa_family_t compile error on DragonFly. Thanks to Tony Young for
|
||
reporting this issue and sending a patch.
|
||
|
||
Ubuntu Oneiric: OpenSSL no longer provides SSLv2 functions; libutil.sh
|
||
is now bsd/libutil.h; compiler warns on vars that is only written to
|
||
|
||
new features:
|
||
added option max-children that limits the number of concurrent child
|
||
processes. Thanks to Sam Liddicott for providing the patch.
|
||
|
||
Till Maas added support for tun/tap addresses without IP address
|
||
|
||
added an option openssl-compress that allows to disable the compression
|
||
feature of newer OpenSSL versions. Thanks to Michael Hanselmann for
|
||
providing this contribution (sponsored by Google Inc.)
|
||
|
||
docu:
|
||
minor corrections in docu (thanks to Paggas)
|
||
|
||
client process -> child process
|
||
|
||
####################### V 1.7.1.3:
|
||
|
||
security:
|
||
fixed a stack overflow vulnerability that occurred when command
|
||
line arguments (whole addresses, host names, file names) were longer
|
||
than 512 bytes.
|
||
Note that this could only be exploited when an attacker was able to
|
||
inject data into socat's command line.
|
||
Full credits to Felix Gröbert, Google Security Team, for finding and
|
||
reporting this issue
|
||
|
||
####################### V 1.7.1.2:
|
||
|
||
corrections:
|
||
user-late and group-late, when applied to a pty, affected the system
|
||
device /dev/ptmx instead of the pty (thanks to Matthew Cloke for
|
||
pointing me to this bug)
|
||
|
||
socats openssl addresses failed with "nonblocking operation did not
|
||
complete" when the peer performed a renegotiation. Thanks to Benjamin
|
||
Delpy for reporting this bug.
|
||
|
||
info message during socks connect showed bad port number on little
|
||
endian systems due to wrong byte order (thanks to Peter M. Galbavy for
|
||
bug report and patch)
|
||
|
||
Debian bug 531078: socat execs children with SIGCHLD ignored; corrected
|
||
to default. Thanks to Martin Dorey for reporting this bug.
|
||
|
||
porting:
|
||
building socat on systems that predefined the CFLAGS environment to
|
||
contain -Wall failed (esp.RedHat). Thanks to Paul Wouters for reporting
|
||
this problem and to Simon Matter for providing the patch
|
||
|
||
support for Solaris 8 and Sun Studio support (thanks to Sebastian
|
||
Kayser for providing the patches)
|
||
|
||
on some 64bit systems a compiler warning "cast from pointer to integer
|
||
of different size" was issued on some option definitions
|
||
|
||
added struct sockaddr_ll to union sockaddr_union to avoid "strict
|
||
aliasing" warnings (problem reported by Paul Wouters)
|
||
|
||
docu:
|
||
minor corrections in docu
|
||
|
||
####################### V 1.7.1.1:
|
||
|
||
corrections:
|
||
corrected the "fixed possible SIGSEGV" fix because SIGSEGV still might
|
||
occur under those conditions. Thanks to Toni Mattila for first
|
||
reporting this problem.
|
||
|
||
ftruncate64 cut its argument to 32 bits on systems with 32 bit long type
|
||
|
||
socat crashed on systems without setenv() (esp. SunOS up to Solaris 9);
|
||
thanks to Todd Stansell for reporting this bug
|
||
|
||
with unidirectional EXEC and SYSTEM a close() operation was performed
|
||
on a random number which could result in hanging e.a.
|
||
|
||
fixed a compile problem caused by size_t/socklen_t mismatch on 64bit
|
||
systems
|
||
|
||
docu mentioned option so-bindtodev but correct name is so-bindtodevice.
|
||
Thanks to Jim Zimmerman for reporting.
|
||
|
||
docu changes:
|
||
added environment variables example to doc/socat-multicast.html
|
||
|
||
####################### V 1.7.1.0:
|
||
|
||
new features:
|
||
address options shut-none, shut-down, and shut-close allow to control
|
||
socat's half close behaviour
|
||
|
||
with address option shut-null socat sends an empty packet to the peer
|
||
to indicate EOF
|
||
|
||
option null-eof changes the behaviour of sockets that receive an empty
|
||
packet to see EOF instead of ignoring it
|
||
|
||
introduced option names substuser-early and su-e, currently equivalent
|
||
to option substuser (thanks to Mike Perry for providing the patch)
|
||
|
||
corrections:
|
||
fixed some typos and improved some comments
|
||
|
||
####################### V 1.7.0.1:
|
||
|
||
corrections:
|
||
fixed possible SIGSEGV in listening addresses when a new connection was
|
||
reset by peer before the socket addresses could be retrieved. Thanks to
|
||
Mike Perry for sending a patch.
|
||
|
||
fixed a bug, introduced with version 1.7.0.0, that let client
|
||
connections with option connect-timeout fail when the connections
|
||
succeeded. Thanks to Bruno De Fraine for reporting this bug.
|
||
|
||
option end-close "did not apply" to addresses PTY, SOCKET-CONNECT,
|
||
and most UNIX-* and ABSTRACT-*
|
||
|
||
half close of EXEC and SYSTEM addresses did not work for pipes and
|
||
sometimes socketpair
|
||
|
||
help displayed for some option a wrong type
|
||
|
||
under some circumstances shutdown was called multiple times for the
|
||
same fd
|
||
|
||
####################### V 1.7.0.0:
|
||
|
||
new features:
|
||
new address types SCTP-CONNECT and SCTP-LISTEN implement SCTP stream
|
||
mode for IPv4 and IPv6; new address options sctp-maxseg and
|
||
sctp-nodelay (suggested by David A. Madore; thanks to Jonathan Brannan
|
||
for providing an initial patch)
|
||
|
||
new address "INTERFACE" for transparent network interface handling
|
||
(suggested by Stuart Nicholson)
|
||
|
||
added generic socket addresses: SOCKET-CONNECT, SOCKET-LISTEN,
|
||
SOCKET-SENDTO, SOCKET-RECVFROM, SOCKET-RECV, SOCKET-DATAGRAM allow
|
||
protocol independent socket handling; all parameters are explicitely
|
||
specified as numbers or hex data
|
||
|
||
added address options ioctl-void, ioctl-int, ioctl-intp, ioctl-string,
|
||
ioctl-bin for generic ioctl() calls.
|
||
|
||
added address options setsockopt-int, setsockopt-bin, and
|
||
setsockopt-string for generic setsockopt() calls
|
||
|
||
option so-type now only affects the socket() and socketpair() calls,
|
||
not the name resolution. so-type and so-prototype can now be applied to
|
||
all socket based addresses.
|
||
|
||
new address option "escape" allows to break a socat instance even when
|
||
raw terminal mode prevents ^C etc. (feature suggested by Guido Trotter)
|
||
|
||
socat sets environment variables SOCAT_VERSION, SOCAT_PID, SOCAT_PPID
|
||
for use in executed scripts
|
||
|
||
socat sets environment variables SOCAT_SOCKADDR, SOCAT_SOCKPORT,
|
||
SOCAT_PEERADDR, SOCAT_PEERPORT in LISTEN type addresses (feature
|
||
suggested by Ed Sawicki)
|
||
|
||
socat receives all ancillary messages with each received packet on
|
||
datagram related addresses. The messages are logged in raw form with
|
||
debug level, and broken down with info level. note: each type of
|
||
ancillary message must be enabled by appropriate address options.
|
||
|
||
socat provides the contents of ancillary messages received on RECVFROM
|
||
addresses in appropriate environment variables:
|
||
SOCAT_TIMESTAMP, SOCAT_IP_DSTADDR, SOCAT_IP_IF, SOCAT_IP_LOCADDR,
|
||
SOCAT_IP_OPTIONS, SOCAT_IP_TOS, SOCAT_IP_TTL, SOCAT_IPV6_DSTADDR,
|
||
SOCAT_IPV6_HOPLIMIT, SOCAT_IPV6_TCLASS
|
||
|
||
the following address options were added to enable ancillary messages:
|
||
so-timestamp, ip-pktinfo (not BSD), ip-recvdstaddr (BSD), ip-recverr,
|
||
ip-recvif (BSD), ip-recvopts, ip-recvtos, ip-recvttl, ipv6-recvdstopts,
|
||
ipv6-recverr, ipv6-recvhoplimit, ipv6-recvhopopts, ipv6-recvpathmtu,
|
||
ipv6-recvpktinfo, ipv6-recvrthdr, ipv6-recvtclass
|
||
|
||
new address options ipv6-tclass and ipv6-unicast-hops set the related
|
||
socket options.
|
||
|
||
STREAMS (UNIX System V STREAMS) can be configured with the new address
|
||
options i-pop-all and i-push (thanks to Michal Rysavy for providing a
|
||
patch)
|
||
|
||
corrections:
|
||
some raw IP and UNIX datagram modes failed on BSD systems
|
||
|
||
when UDP-LISTEN continued to listen after packet dropped by, e.g.,
|
||
range option, the old listen socket would not be closed but a new one
|
||
created. open sockets could accumulate.
|
||
|
||
there was a bug in ip*-recv with bind option: it did not bind, and
|
||
with the first received packet an error occurred:
|
||
socket_init(): unknown address family 0
|
||
test: RAWIP4RECVBIND
|
||
|
||
RECVFROM addresses with FORK option hung after processing the first
|
||
packet. test: UDP4RECVFROM_FORK
|
||
|
||
corrected a few mistakes that caused compiler warnings on 64bit hosts
|
||
(thanks to Jonathan Brannan e.a. for providing a patch)
|
||
|
||
EXEC and SYSTEM with stderr injected socat messages into the data
|
||
stream. test: EXECSTDERRLOG
|
||
|
||
when the EXEC address got a string with consecutive spaces it created
|
||
additional empty arguments (thanks to Olivier Hervieu for reporting
|
||
this bug). test: EXECSPACES
|
||
|
||
in ignoreeof polling mode socat also blocked data transfer in the other
|
||
direction during the 1s wait intervalls (thanks to Jorgen Cederlof for
|
||
reporting this bug)
|
||
|
||
corrected alphabetical order of options (proxy-auth)
|
||
|
||
some minor corrections
|
||
|
||
improved test.sh script: more stable timing, corrections for BSD
|
||
|
||
replaced the select() calls by poll() to cleanly fix the problems with
|
||
many file descriptors already open
|
||
|
||
socat option -lf did not log to file but to stderr
|
||
|
||
socat did not compile on Solaris when configured without termios
|
||
feature (thanks to Pavan Gadi for reporting this bug)
|
||
|
||
porting:
|
||
socat compiles and runs on AIX with gcc (thanks to Andi Mather for his
|
||
help)
|
||
|
||
socat compiles and runs on Cygwin (thanks to Jan Just Keijser for his
|
||
help)
|
||
|
||
socat compiles and runs on HP-UX with gcc (thanks to Michal Rysavy for
|
||
his help)
|
||
|
||
socat compiles and runs on MacOS X (thanks to Camillo Lugaresi for his
|
||
help)
|
||
|
||
further changes:
|
||
filan -s prefixes output with FD number if more than one FD
|
||
|
||
Makefile now supports datarootdir (thanks to Camillo Lugaresi for
|
||
providing the patch)
|
||
|
||
cleanup in xio-unix.c
|
||
|
||
####################### V 1.6.0.1:
|
||
|
||
new features:
|
||
new make target "gitclean"
|
||
|
||
docu source doc/socat.yo released
|
||
|
||
corrections:
|
||
exec:...,pty did not kill child process under some circumstances; fixed
|
||
by correcting typo in xio-progcall.c (thanks to Ralph Forsythe for
|
||
reporting this problem)
|
||
|
||
service name resolution failed due to byte order mistake
|
||
(thanks to James Sainsbury for reporting this problem)
|
||
|
||
socat would hang when invoked with many file descriptors already opened
|
||
fix: replaced FOPEN_MAX with FD_SETSIZE
|
||
thanks to Daniel Lucq for reporting this problem.
|
||
|
||
fixed bugs where sub processes would become zombies because the master
|
||
process did not catch SIGCHLD. this affected addresses UDP-LISTEN,
|
||
UDP-CONNECT, TCP-CONNECT, OPENSSL, PROXY, UNIX-CONNECT, UNIX-CLIENT,
|
||
ABSTRACT-CONNECT, ABSTRACT-CLIENT, SOCKSA, SOCKS4A
|
||
(thanks to Fernanda G Weiden for reporting this problem)
|
||
|
||
fixed a bug where sub processes would become zombies because the master
|
||
process caught SIGCHLD but did not wait(). this affected addresses
|
||
UDP-RECVFROM, IP-RECVFROM, UNIX-RECVFROM, ABSTRACT-RECVFROM
|
||
(thanks to Evan Borgstrom for reporting this problem)
|
||
|
||
corrected option handling with STDIO; usecase: cool-write
|
||
|
||
configure --disable-pty also disabled option waitlock
|
||
|
||
fixed small bugs on systems with struct ip_mreq without struct ip_mreqn
|
||
(thanks to Roland Illig for sending a patch)
|
||
|
||
corrected name of option intervall to interval (old form still valid
|
||
for us German speaking guys)
|
||
|
||
corrected some print statements and variable names
|
||
|
||
make uninstall did not uninstall procan
|
||
|
||
fixed lots of weaknesses in test.sh
|
||
|
||
corrected some bugs and typos in doc/socat.yo, EXAMPLES, C comments
|
||
|
||
further changes:
|
||
procan -c prints C defines important for socat
|
||
|
||
added test OPENSSLEOF for OpenSSL half close
|
||
|
||
####################### V 1.6.0.0:
|
||
|
||
new features:
|
||
new addresses IP-DATAGRAM and UDP-DATAGRAM allow versatile broadcast
|
||
and multicast modes
|
||
|
||
new option ip-add-membership for control of multicast group membership
|
||
|
||
new address TUN for generation of Linux TUN/TAP pseudo network
|
||
interfaces (suggested by Mat Caughron); associated options tun-device,
|
||
tun-name, tun-type; iff-up, iff-promisc, iff-noarp, iff-no-pi etc.
|
||
|
||
new addresses ABSTRACT-CONNECT, ABSTRACT-LISTEN, ABSTRACT-SENDTO,
|
||
ABSTRACT-RECV, and ABSTRACT-RECVFROM for abstract UNIX domain addresses
|
||
on Linux (requested by Zeeshan Ali); option unix-tightsocklen controls
|
||
socklen parameter on system calls.
|
||
|
||
option end-close for control of connection closing allows FD sharing
|
||
by sub processes
|
||
|
||
range option supports form address:mask with IPv4
|
||
|
||
changed behaviour of SSL-LISTEN to require and verify client
|
||
certificate per default
|
||
|
||
options f-setlkw-rd, f-setlkw-wr, f-setlk-rd, f-setlk-wr allow finer
|
||
grained locking on regular files
|
||
|
||
uninstall target in Makefile (lack reported by Zeeshan Ali)
|
||
|
||
corrections:
|
||
fixed bug where only first tcpwrap option was applied; fixed bug where
|
||
tcpwrap IPv6 check always failed (thanks to Rudolf Cejka for reporting
|
||
and fixing this bug)
|
||
|
||
filan (and socat -D) could hang when a socket was involved
|
||
|
||
corrected PTYs on HP-UX (and maybe others) using STREAMS (inspired by
|
||
Roberto Mackun)
|
||
|
||
correct bind with udp6-listen (thanks to Jan Horak for reporting this
|
||
bug)
|
||
|
||
corrected filan.c peekbuff[0] which did not compile with Sun Studio Pro
|
||
(thanks to Leo Zhadanovsky for reporting this problem)
|
||
|
||
corrected problem with read data buffered in OpenSSL layer (thanks to
|
||
Jon Nelson for reporting this bug)
|
||
|
||
corrected problem with option readbytes when input stream stayed idle
|
||
after so many bytes
|
||
|
||
fixed a bug where a datagram receiver with option fork could fork two
|
||
sub processes per packet
|
||
|
||
further changes:
|
||
moved documentation to new doc/ subdir
|
||
|
||
new documents (kind of mini tutorials) are provided in doc/
|
||
|
||
####################### V 1.5.0.0:
|
||
|
||
new features:
|
||
new datagram modes for udp, rawip, unix domain sockets
|
||
|
||
socat option -T specifies inactivity timeout
|
||
|
||
rewrote lexical analysis to allow nested socat calls
|
||
|
||
addresses tcp, udp, tcp-l, udp-l, and rawip now support IPv4 and IPv6
|
||
|
||
socat options -4, -6 and environment variables SOCAT_DEFAULT_LISTEN_IP,
|
||
SOCAT_PREFERRED_RESOLVE_IP for control of protocol selection
|
||
|
||
addresses ssl, ssl-l, socks, proxy now support IPv4 and IPv6
|
||
|
||
option protocol-family (pf), esp. for openssl-listen
|
||
|
||
range option supports IPv6 - syntax: range=[::1/128]
|
||
|
||
option ipv6-v6only (ipv6only)
|
||
|
||
new tcp-wrappers options allow-table, deny-table, tcpwrap-etc
|
||
|
||
FIPS version of OpenSSL can be integrated - initial patch provided by
|
||
David Acker. See README.FIPS
|
||
|
||
support for resolver options res-debug, aaonly, usevc, primary, igntc,
|
||
recurse, defnames, stayopen, dnsrch
|
||
|
||
options for file attributes on advanced filesystems (ext2, ext3,
|
||
reiser): secrm, unrm, compr, ext2-sync, immutable, ext2-append, nodump,
|
||
ext2-noatime, journal-data etc.
|
||
|
||
option cool-write controls severeness of write failure (EPIPE,
|
||
ECONNRESET)
|
||
|
||
option o-noatime
|
||
|
||
socat option -lh for hostname in log output
|
||
|
||
traffic dumping provides packet headers
|
||
|
||
configure.in became part of distribution
|
||
|
||
socats unpack directory now has full version, e.g. socat-1.5.0.0/
|
||
|
||
corrected docu of option verify
|
||
|
||
corrections:
|
||
fixed tcpwrappers integration - initial fix provided by Rudolf Cejka
|
||
|
||
exec with pipes,stderr produced error
|
||
|
||
setuid-early was ignored with many address types
|
||
|
||
some minor corrections
|
||
|
||
####################### V 1.4.3.1:
|
||
|
||
corrections:
|
||
PROBLEM: UNIX socket listen accepted only one (or a few) connections.
|
||
FIX: do not remove listening UNIX socket in child process
|
||
|
||
PROBLEM: SIGSEGV when TCP part of SSL connect failed
|
||
FIX: check ssl pointer before calling SSL_shutdown
|
||
|
||
In debug mode, show connect client port even when connect fails
|
||
|
||
####################### V 1.4.3.0:
|
||
|
||
new features:
|
||
socat options -L, -W for application level locking
|
||
|
||
options "lockfile", "waitlock" for address level locking
|
||
(Stefan Luethje)
|
||
|
||
option "readbytes" limits read length (Adam Osuchowski)
|
||
|
||
option "retry" for unix-connect, unix-listen, tcp6-listen (Dale Dude)
|
||
|
||
pty symlink, unix listen socket, and named pipe are per default removed
|
||
after use; option unlink-close overrides this new behaviour and also
|
||
controls removal of other socat generated files (Stefan Luethje)
|
||
|
||
corrections:
|
||
option "retry" did not work with tcp-listen
|
||
|
||
EPIPE condition could result in a 100% CPU loop
|
||
|
||
further changes:
|
||
support systems without SHUT_RD etc.
|
||
handle more size_t types
|
||
try to find makedepend options with gcc 3 (richard/OpenMacNews)
|
||
|
||
####################### V 1.4.2.0:
|
||
|
||
new features:
|
||
option "connect-timeout" limits wait time for connect operations
|
||
(requested by Giulio Orsero)
|
||
|
||
option "dhparam" for explicit Diffie-Hellman parameter file
|
||
|
||
corrections:
|
||
support for OpenSSL DSA certificates (Miika Komu)
|
||
|
||
create install directories before copying files (Miika Komu)
|
||
|
||
when exiting on signal, return status 128+signum instead of 1
|
||
|
||
on EPIPE and ECONNRESET, only issue a warning (Santiago Garcia
|
||
Mantinan)
|
||
|
||
-lu could cause a core dump on long messages
|
||
|
||
further changes:
|
||
modifications to simplify using socats features in applications
|
||
|
||
####################### V 1.4.1.0:
|
||
|
||
new features:
|
||
option "wait-slave" blocks open of pty master side until a client
|
||
connects, "pty-intervall" controls polling
|
||
|
||
option -h as synonym to -? for help (contributed by Christian
|
||
Lademann)
|
||
|
||
filan prints formatted time stamps and rdev (disable with -r)
|
||
|
||
redirect filan's output, so stdout is not affected (contributed by
|
||
Luigi Iotti)
|
||
|
||
filan option -L to follow symbolic links
|
||
|
||
filan shows termios control characters
|
||
|
||
corrections:
|
||
proxy address no longer performs unsolicited retries
|
||
|
||
filan -f no longer needs read permission to analyze a file (but still
|
||
needs access permission to directory, of course)
|
||
|
||
porting:
|
||
Option dsusp
|
||
FreeBSD options noopt, nopush, md5sig
|
||
OpenBSD options sack-disable, signature-enable
|
||
HP-UX, Solaris options abort-threshold, conn-abort-threshold
|
||
HP-UX options b900, b3600, b7200
|
||
Tru64/OSF1 options keepinit, paws, sackena, tsoptena
|
||
|
||
further corrections:
|
||
address pty now uses ptmx as default if openpty is also available
|
||
|
||
####################### V 1.4.0.3:
|
||
|
||
corrections:
|
||
fix to a syslog() based format string vulnerability that can lead to
|
||
remote code execution. See advisory socat-adv-1.txt
|
||
|
||
####################### V 1.4.0.2:
|
||
|
||
corrections:
|
||
exec'd write-only addresses get a chance to flush before being killed
|
||
|
||
error handler: print notice on error-exit
|
||
|
||
filan printed wrong file type information
|
||
|
||
####################### V 1.4.0.1:
|
||
|
||
corrections:
|
||
socks4a constructed invalid header. Problem found, reported, and fixed
|
||
by Thomas Themel, by Peter Palfrader, and by rik
|
||
|
||
with nofork, don't forget to apply some process related options
|
||
(chroot, setsid, setpgid, ...)
|
||
|
||
####################### V 1.4.0.0:
|
||
|
||
new features:
|
||
simple openssl server (ssl-l), experimental openssl trust
|
||
|
||
new options "cafile", "capath", "key", "cert", "egd", and "pseudo" for
|
||
openssl
|
||
|
||
new options "retry", "forever", and "intervall"
|
||
|
||
option "fork" for address TCP improves `gender changer<65>
|
||
|
||
options "sigint", "sigquit", and "sighup" control passing of signals to
|
||
sub process (thanks to David Shea who contributed to this issue)
|
||
|
||
readline takes respect to the prompt issued by the peer address
|
||
|
||
options "prompt" and "noprompt" allow to override readline's new
|
||
default behaviour
|
||
|
||
readline supports invisible password with option "noecho"
|
||
|
||
socat option -lp allows to set hostname in log output
|
||
|
||
socat option -lu turns on microsecond resolution in log output
|
||
|
||
|
||
corrections:
|
||
before reading available data, check if writing on other channel is
|
||
possible
|
||
|
||
tcp6, udp6: support hostname specification (not only IP address), and
|
||
map IP4 names to IP6 addresses
|
||
|
||
openssl client checks server certificate per default
|
||
|
||
support unidirectional communication with exec/system subprocess
|
||
|
||
try to restore original terminal settings when terminating
|
||
|
||
test.sh uses tmp dir /tmp/$USER/$$ instead of /tmp/$$
|
||
|
||
socks4 failed on platforms where long does not have 32 bits
|
||
(thanks to Peter Palfrader and Thomas Seyrat)
|
||
|
||
hstrerror substitute wrote wrong messages (HP-UX, Solaris)
|
||
|
||
proxy error message was truncated when answer contained multiple spaces
|
||
|
||
|
||
porting:
|
||
compiles with AIX xlc, HP-UX cc, Tru64 cc (but might not link)
|
||
|
||
####################### V 1.3.2.2:
|
||
|
||
corrections:
|
||
PROXY CONNECT failed when the status reply from the proxy server
|
||
contained more than one consecutive spaces. Problem reported by
|
||
Alexandre Bezroutchko
|
||
|
||
do not SIGSEGV when proxy address fails to resolve server name
|
||
|
||
udp-listen failed on systems where AF_INET != SOCK_DGRAM (e.g. SunOS).
|
||
Problem reported by Christoph Schittel
|
||
|
||
test.sh only tests available features
|
||
|
||
added missing IP and TCP options in filan analyzer
|
||
|
||
do not apply stdio address options to both directions when in
|
||
unidirectional mode
|
||
|
||
on systems lacking /dev/*random and egd, provide (weak) entropy from
|
||
libc random()
|
||
|
||
|
||
porting:
|
||
changes for HP-UX (VREPRINT, h_NETDB_INTERNAL)
|
||
|
||
compiles on True64, FreeBSD (again), NetBSD, OpenBSD
|
||
|
||
support for long long as st_ino type (Cygwin 1.5)
|
||
|
||
compile on systems where pty can not be featured
|
||
|
||
####################### V 1.3.2.1:
|
||
|
||
corrections:
|
||
"final" solution for the ENOCHLD problem
|
||
|
||
corrected "make strip"
|
||
|
||
default gcc debug/opt is "-O" again
|
||
|
||
check for /proc at runtime, even if configure found it
|
||
|
||
src.rpm accidently supported SuSE instead of RedHat
|
||
|
||
####################### V 1.3.2.0:
|
||
|
||
new features:
|
||
option "nofork" connects an exec'd script or program directly
|
||
to the file descriptors of the other address, circumventing the socat
|
||
transfer engine
|
||
|
||
support for files >2GB, using ftruncate64(), lseek64(), stat64()
|
||
|
||
filan has new "simple" output style (filan -s)
|
||
|
||
|
||
porting:
|
||
options "binary" and "text" for controlling line termination on Cygwin
|
||
file system access (hint from Yang Wu-Zhou)
|
||
|
||
fix by Yang Wu-Zhou for the Cygwin "No Children" problem
|
||
|
||
improved support for OSR: _SVID3; no IS_SOCK, no F_GETOWN (thanks to
|
||
John DuBois)
|
||
|
||
minor corrections to avoid warnings with gcc 3
|
||
|
||
|
||
further corrections and minor improvements:
|
||
configure script is generated with autoconf 2.57 (no longer 2.52)
|
||
|
||
configure passes CFLAGS to Makefile
|
||
|
||
option -??? for complete list of address options and their short forms
|
||
|
||
program name in syslog messages is derived from argv[0]
|
||
|
||
SIGHUP now prints notice instead of error
|
||
|
||
EIO during read of pty now gives Notice instead of Error, and
|
||
triggers EOF
|
||
|
||
use of hstrerror() for printing resolver error messages
|
||
|
||
setgrent() got required endgrent()
|
||
|
||
####################### V 1.3.1.0:
|
||
|
||
new features:
|
||
integration of Wietse Venema's tcpwrapper library (libwrap)
|
||
|
||
with "proxy" address, option "resolve" controls if hostname or IP
|
||
address is sent in request
|
||
|
||
option "lowport" establishes limited authorization for TCP and UDP
|
||
connections
|
||
|
||
improvement of .spec file for RPM creation (thanks to Gerd v. Egidy)
|
||
An accompanying change in the numbering scheme results in an
|
||
incompatibility with earlier socat RPMs!
|
||
|
||
|
||
solved problems and bugs:
|
||
PROBLEM: socat daemon terminated when the address of a connecting
|
||
client did not match range option value instead of continue listening
|
||
SOLVED: in this case, print warning instead of error to keep daemon
|
||
active
|
||
|
||
PROBLEM: tcp-listen with fork sometimes left excessive number of zombie
|
||
processes
|
||
SOLVED: dont assume that each exiting child process generates SIGCHLD
|
||
|
||
when converting CRNL to CR, socat converted to NL
|
||
|
||
|
||
further corrections:
|
||
configure script now disables features that depend on missing files
|
||
making it more robust in "unsupported" environments
|
||
|
||
server.pem permissions corrected to 600
|
||
|
||
"make install" now does not strip; use "make strip; make install"
|
||
if you like strip (suggested by Peter Bray)
|
||
|
||
####################### V 1.3.0.1:
|
||
|
||
solved problems and bugs:
|
||
PROBLEM: OPENSSL did not apply tcp, ip, and socket options
|
||
SOLVED: OPENSSL now correctly handles the options list
|
||
|
||
PROBLEM: CRNL to NL and CRNL to CR conversions failed when CRNL crossed
|
||
block boundary
|
||
SOLVED: these conversions now simply strip all CR's or NL's from input
|
||
stream
|
||
|
||
|
||
porting:
|
||
SunOS ptys now work on x86, too (thanks to Peter Bray)
|
||
|
||
configure looks for freeware libs in /pkgs/lib/ (thanks to Peter Bray)
|
||
|
||
|
||
further corrections:
|
||
added WITH_PROXY value to -V output
|
||
|
||
added compile dependencies of WITH_PTY and WITH_PROXY
|
||
|
||
-?? did not print option group of proxy options
|
||
|
||
corrected syntax for bind option in docu
|
||
|
||
corrected an issue with stdio in unidirectional mode
|
||
|
||
options socksport and proxyport support service names
|
||
|
||
ftp.sh script supports proxy address
|
||
|
||
man page no longer installed with execute permissions (thanks to Peter
|
||
Bray)
|
||
|
||
fixed a malloc call bug that could cause SIGSEGV or false "out of
|
||
memory" errors on EXEC and SYSTEM, depending on program name length and
|
||
libc.
|
||
|
||
####################### V 1.3.0.0:
|
||
|
||
new features:
|
||
proxy connect with optional proxy authentication
|
||
|
||
combined hex and text dump mode, credits to Gregory Margo
|
||
|
||
address pty applies options user, group, and perm to device
|
||
|
||
|
||
solved problems and bugs:
|
||
PROBLEM: option reuseport was not applied (BSD, AIX)
|
||
SOLVED: option reuseport now in phase PASTSOCKET instead of PREBIND,
|
||
credits to Jean-Baptiste Marchand
|
||
|
||
PROBLEM: ignoreeof with stdio was ignored
|
||
SOLVED: ignoreeof now works correctly with address stdio
|
||
|
||
PROBLEM: ftp.sh did not use user supplied password
|
||
SOLVED: ftp.sh now correctly passes password from command line
|
||
|
||
PROBLEM: server.pem had expired
|
||
SOLVED: new server.pem valid for ten years
|
||
|
||
PROBLEM: socks notice printed wrong port on some platforms
|
||
SOLVED: socks now uses correct byte-order for port number in notice
|
||
|
||
|
||
further corrections:
|
||
option name o_trunc corrected to o-trunc
|
||
|
||
combined use of -u and -U is now detected and prevented
|
||
|
||
made message system a little more robust against format string attacks
|
||
|
||
|
||
####################### V 1.2.0.0:
|
||
|
||
new features:
|
||
address pty for putting socat behind a new pseudo terminal that may
|
||
fake a serial line, modem etc.
|
||
|
||
experimental openssl integration
|
||
(it does not provide any trust between the peers because is does not
|
||
check certificates!)
|
||
|
||
options flock-ex, flock-ex-nb, flock-sh, flock-sh-nb to control all
|
||
locking mechanism provided by flock()
|
||
|
||
options setsid and setpgid now available with all address types
|
||
|
||
option ctty (controlling terminal) now available for all TERMIOS
|
||
addresses
|
||
|
||
option truncate (a hybrid of open(.., O_TRUNC) and ftruncate()) is
|
||
replaced by options o-trunc and ftruncate=offset
|
||
|
||
option sourceport now available with TCP and UDP listen addresses to
|
||
restrict incoming client connections
|
||
|
||
unidirectional mode right-to-left (-U)
|
||
|
||
|
||
solved problems and bugs:
|
||
PROBLEM: addresses without required parameters but an option containing
|
||
a '/' were incorrectly interpreted as implicit GOPEN address
|
||
SOLVED: if an address does not have ':' separator but contains '/',
|
||
check if the slash is before the first ',' before assuming
|
||
implicit GOPEN.
|
||
|
||
|
||
porting:
|
||
ptys under SunOS work now due to use of stream options
|
||
|
||
|
||
further corrections:
|
||
with -d -d -d -d -D, don't print debug info during file analysis
|
||
|
||
|
||
####################### V 1.1.0.1:
|
||
|
||
new features:
|
||
.spec file for RPM generation
|
||
|
||
|
||
solved problems and bugs:
|
||
PROBLEM: GOPEN on socket did not apply option unlink-late
|
||
SOLUTION: GOPEN for socket now applies group NAMED, phase PASTOPEN
|
||
options
|
||
|
||
PROBLEM: with unidirectional mode, an unnecessary close timeout was
|
||
applied
|
||
SOLUTION: in unidirectional mode, terminate without wait time
|
||
|
||
PROBLEM: using GOPEN on a unix domain socket failed for datagram
|
||
sockets
|
||
SOLUTION: when connect() fails with EPROTOTYPE, use a datagram socket
|
||
|
||
|
||
further corrections:
|
||
|
||
open() flag options had names starting with "o_", now corrected to "o-"
|
||
|
||
in docu, *-listen addresses were called *_listen
|
||
|
||
address unix now called unix-connect because it does not handle unix
|
||
datagram sockets
|
||
|
||
in test.sh, apply global command line options with all tests
|
||
|
||
|
||
####################### V 1.1.0.0:
|
||
|
||
new features:
|
||
regular man page and html doc - thanks to kromJx for prototype
|
||
|
||
new address type "readline", utilizing GNU readline and history libs
|
||
|
||
address option "history-file" for readline
|
||
|
||
new option "dash" to "exec" address that allows to start login shells
|
||
|
||
syslog facility can be set per command line option
|
||
|
||
new address option "tcp-quickack", found in Linux 2.4
|
||
|
||
option -g prevents option group checking
|
||
|
||
filan and procan can print usage
|
||
|
||
procan prints rlimit infos
|
||
|
||
|
||
solved problems and bugs:
|
||
PROBLEM: raw IP socket SIGSEGV'ed when it had been shut down.
|
||
SOLVED: set eof flag of channel on shutdown.
|
||
|
||
PROBLEM: if channel 2 uses a single non-socket FD in bidirectional mode
|
||
and has data available while channel 1 reaches EOF, the data is
|
||
lost.
|
||
SOLVED: during one loop run, first handle all data transfers and
|
||
_afterwards_ handle EOF.
|
||
|
||
PROBLEM: despite to option NONBLOCK, the connect() call blocked
|
||
SOLVED: option NONBLOCK is now applied in phase FD instead of LATE
|
||
|
||
PROBLEM: UNLINK options issued error when file did not exist,
|
||
terminating socat
|
||
SOLVED: failure of unlink() is only warning if errno==ENOENT
|
||
|
||
PROBLEM: TCP6-LISTEN required numeric port specification
|
||
SOLVED: now uses common TCP service resolver
|
||
|
||
PROBLEM: with PIPE, wrong FDs were shown for data transfer loop
|
||
SOLVED: retrieval of FDs now pays respect to PIPE pecularities
|
||
|
||
PROBLEM: using address EXEC against an address with IGNOREEOF, socat
|
||
never terminated
|
||
SOLVED: corrected EOF handling of sigchld
|
||
|
||
|
||
porting:
|
||
MacOS and old AIX versions now have pty
|
||
|
||
flock() now available on Linux (configure check was wrong)
|
||
|
||
named pipe were generated using mknod(), which requires root under BSD
|
||
now they are generated using mkfifo
|
||
|
||
|
||
further corrections:
|
||
lots of address options that were "forgotten" at runtime are now
|
||
available
|
||
|
||
option BINDTODEVICE now also called SO-BINDTODEVICE, IF
|
||
|
||
"make install" now installs binaries with ownership 0:0
|
||
|
||
|
||
####################### V 1.0.4.2:
|
||
|
||
solved problems and bugs:
|
||
PROBLEM: EOF of one stream caused close of other stream, giving it no
|
||
chance to go down regularly
|
||
SOLVED: EOF of one stream now causes shutdown of write part of other
|
||
stream
|
||
|
||
PROBLEM: sending mail via socks address to qmail showed that crlf
|
||
option does not work
|
||
SOLVED: socks address applies PH_LATE options
|
||
|
||
PROBLEM: in debug mode, no info about socat and platform was issued
|
||
SOLVED: print socat version and uname output in debug mode
|
||
|
||
PROBLEM: invoking socat with -t and no following parameters caused
|
||
SIGSEGV
|
||
SOLVED: -t and -b now check next argv entry
|
||
|
||
PROBLEM: when opening of logfile (-lf) failed, no error was reported
|
||
and no further messages were printed
|
||
SOLVED: check result of fopen and print error message if it failed
|
||
|
||
new features:
|
||
address type UDP-LISTEN now supports option fork: it internally applies
|
||
socket option SO_REUSEADDR so a new UDP socket can bind to port after
|
||
`accepting<6E> a connection (child processes might live forever though)
|
||
(suggestion from Damjan Lango)
|
||
|
||
|
||
####################### V 1.0.4.1:
|
||
|
||
solved problems and bugs:
|
||
PROB: assert in libc caused an endless recursion
|
||
SOLVED: no longer catch SIGABRT
|
||
|
||
PROB: socat printed wrong verbose prefix for "right to left" packets
|
||
SOLVED: new parameter for xiotransfer() passes correct prefix
|
||
|
||
new features:
|
||
in debug mode, socat prints its command line arguments
|
||
in verbose mode, escape special characters and replace unprintables
|
||
with '.'. Patch from Adrian Thurston.
|
||
|
||
|
||
####################### V 1.0.4.0:
|
||
|
||
solved problems and bugs:
|
||
Debug output for lstat and fstat said "stat"
|
||
|
||
further corrections:
|
||
FreeBSD now includes libutil.h
|
||
|
||
new features:
|
||
option setsid with exec/pty
|
||
option setpgid with exec/pty
|
||
option ctty with exec/pty
|
||
TCP V6 connect test
|
||
gettimeofday in sycls.c (no use yet)
|
||
|
||
porting:
|
||
before Gethostbyname, invoke inet_aton for MacOSX
|
||
|
||
|
||
####################### V 1.0.3.0:
|
||
|
||
solved problems and bugs:
|
||
|
||
PROB: test 9 of test.sh (echo via file) failed on some platforms,
|
||
socat exited without error message
|
||
SOLVED: _xioopen_named_early(): preset statbuf.st_mode with 0
|
||
|
||
PROB: test 17 hung forever
|
||
REASON: child death before select loop did not result in EOF
|
||
SOLVED: check of existence of children before starting select loop
|
||
|
||
PROB: test 17 failed
|
||
REASON: child dead triggered EOF before last data was read
|
||
SOLVED: after child death, read last data before setting EOF
|
||
|
||
PROB: filan showed that exec processes incorrectly had fd3 open
|
||
REASON: inherited open fd3 from main process
|
||
SOLVED: set CLOEXEC flag on pty fd in main process
|
||
|
||
PROB: help printed "undef" instead of group "FORK"
|
||
SOLVED: added "FORK" to group name array
|
||
|
||
PROB: fatal messages did not include severity classifier
|
||
SOLVED: added "F" to severity classifier array
|
||
|
||
PROB: IP6 addresses where printed incorrectly
|
||
SOLVED: removed type casts to unsigned short *
|
||
|
||
further corrections:
|
||
socat catches illegal -l modes
|
||
corrected error message on setsockopt(linger)
|
||
option tabdly is of type uint
|
||
correction for UDP over IP6
|
||
more cpp conditionals, esp. for IP6 situations
|
||
better handling of group NAMED options with listening UNIX sockets
|
||
applyopts2 now includes last given phase
|
||
corrected option group handling for most address types
|
||
introduce dropping of unappliable options (dropopts, dropopts2)
|
||
gopen now accepts socket and unix-socket options
|
||
exec and system now accept all socket and termios options
|
||
child process for exec and system addresses with option pty
|
||
improved descriptions and options for EXAMPLES
|
||
printf format for file mode changed to "0%03o" with length spec.
|
||
added va_end() in branch of msg()
|
||
changed phase of lock options from PASTOPEN to FD
|
||
support up to four early dying processes
|
||
|
||
structural changes:
|
||
xiosysincludes now includes sysincludes.h for non xio files
|
||
|
||
new features:
|
||
option umask
|
||
CHANGES file
|
||
TYPE_DOUBLE, u_double
|
||
OFUNC_OFFSET
|
||
added getsid(), setsid(), send() to sycls
|
||
procan prints sid (session id)
|
||
mail.sh gets -f (from) option
|
||
new EXAMPLEs for file creation
|
||
gatherinfo.sh now tells about failures
|
||
test.sh can check for much more address/option combinations
|
||
|
||
porting:
|
||
ispeed, ospeed for termios on FreeBSD
|
||
getpgid() conditional for MacOS 10
|
||
added ranlib in Makefile.in for MacOS 10
|
||
disable pty option if no pty mechanism is available (MacOS 10)
|
||
now compiles and runs on MacOS 10 (still some tests fail)
|
||
setgroups() conditional for cygwin
|
||
sighandler_t defined conditionally
|
||
use gcc option -D_GNU_SOURCE
|