| blob | 3b654aaa403e0dc459f29ac1d4dc221f11fa2d4d |
1
2 ####################### V 1.8.0.2:
4 Security:
5 Socat security advisory 9
6 CVE-2024-54661: Arbitrary file overwrite
7 Socat 1.6.0.0 through 1.8.0.1 and version 2 distributions contain a
8 wrapper script "readline.sh" that uses a predictable temporary
9 directory, allowing unprivileged users to overwrite arbitrary files
10 belonging to the scripts caller.
11 This is fixed in Version 1.8.0.2
12 Mitigating factors: readline.sh is usually neither installed in a bin
13 directory nor is it documented. Major Linux distributions install it in
14 examples/ or doc/; however it is invoked by test.sh script.
15 Thanks to Wolfgang Frisch from SuSE for finding and reporting this
16 issue.
17 Test: READLINE_SH_OVERWRITE
19 ####################### V 1.8.0.1:
21 Corrections:
22 When no IP version was preferred by environment, option -4/-6, or
23 address option pf, Socat version 1.8.0.0 address TCP-LISTEN did not
24 accept TCP4 connections under BSD family operating systems, but only
25 TCP6. To regain previous behaviour, preferring IP version 4 is now the
26 default. This also fixes some other issues with bind and range options.
27 Thanks to Mike Andrews for reporting this issue.
28 Tests: LISTEN_4 LISTEN_6 V1800_*_RANGE V1800_*_BIND
30 Added Socat option -0 to allow version 1.8.0.0 behaviour (no preferred
31 IP version).
33 UDP-SENDTO, UDPLITE-SENDTO, and IP-SENDTO addresses now select an IPv4
34 address in case the server name resolves to both IPv4 and IPv6
35 addresses.
36 Tests: V1800_*_SENDTO_RESOLV_6_4
38 Guard applyopts_termios_value() with WITH_TERMIOS.
39 Thanks to Kush Upadhyay from Amazon Bottlerocket team for providing the
40 patch.
42 In some situations xioclose() was called nested what could cause hanging
43 of OpenSSL in pthread_rwlock_wrlock()
45 socat 1.8.0.0 with addresses of type RECVFROM and option fork, where
46 the second address failed to connect/open in the child process, entered
47 a fork loop that was only stopped by FD exhaustion caused by FD leak.
48 Test: RECVFROM_FORK_LOOP
50 socat 1.8.0.0 had an FD leak with addresses of type RECVFROM with fork.
51 Test: RECVFROM_FORK_LEAK
53 With version 1.8.0.0, options ipv6-join-group and ipv6-join-source-group
54 did not work.
55 Thanks to Linus Luessing for reporting this bug.
57 IP-SENDTO and option pf (protocol-family) with protocol name (vs.numeric
58 argument) failed with message:
59 E retropts_int(): trailing garbage in numerical arg of option "protocol-family"
60 Test: IP_SENDTO_PF
62 Fixed a possible buffer overrun with long log lines. In fact it does
63 not write beyond end of buffer but lets pass excessive data to the
64 write() function.
65 Thanks to Heinrich Schuchardt from Canonical for reporting and sending
66 a patch.
68 Reworked domain name resolution, centralized IPv4/IPv6 sorting.
70 Print warning about not checking CRLs in OpenSSL only in the first
71 child process.
73 Features:
74 Total inactivity timeout option -T 0 now means 0.0 seconds; up to
75 version 1.8.0.0 it meant no total inactivity timeout.
77 Changed socat-chain.sh, socat-mux.sh, and socat-broker.sh to work with
78 older Socat versions.
80 socat-mux.sh and socat-broker.sh, when run as root, now internally use
81 low (512..1023) UDP ports to increase security.
83 Added option ai-all (sets AI_ALL flag of getaddrinfo() resolver)
85 Socks5 now also allows syntax without socks port, and supports option
86 socksport.
88 Porting:
89 Changes for building and testing on NetBSD
91 New Linux distributions dislike egrep, fgrep
93 When NETDB_INTERNAL is not available it should be set to -1.
94 Thanks to Baruch Siach for sending a patch.
96 On OpenSolaris/Illumos, isastream() is declared only in stropts.h, not
97 in sys/stropts.h
98 Thanks to Andy Fiddaman for sending a patch.
100 On latest Illumos, compilation failed due to new unexpected SO_PROTOCOL
101 implementation.
102 Thanks to Andy Fiddaman for sending a patch.
104 Building:
105 Makefile.in: procan.o build requires srcdir prefix for explicit source
106 file.
107 Thanks to Hongxu Jia and Andrew Schoolman for providing patches.
109 Makefile.in: the CC define for procan.o build failed when CC had more
110 than one word.
111 Thanks to Hongxu Jia for providing an inital patch.
113 Testing:
114 Added the optional DEVTESTS feature for developer tests with controlled
115 name resolution to both IPv4 and IPV6 addresses: configure Socat with
116 --enable-devtests, this provides internal resolution of domain
117 dest-unreach.net with host names: localhost-4, localhost-6,
118 localhost-4-6, and localhost-6-4
120 test.sh: lots of corrections and improvements
122 test.sh: many hardcoded sleep values were replaced by much shorter
123 values tuned to performance of the platform.
125 test.sh -D for output of platform/system specific defines (variables)
127 test.sh: fixed ss determination; more DEFS
129 Documentation:
130 Fixed a lot of typos.
131 Thanks to Solomon Victorino for sending the patch.
133 ####################### V 1.8.0.0:
135 Security:
136 Socats OpenSSL addresses do not (and never did) check certificate
137 revocation lists (CRLs). Socat now prints a warning about this.
139 Features:
140 Added the --experimental option that enables use of features that might
141 change in the future.
143 Now warning messages are printed by default. If you want to see only
144 errors and fatals as in previous versions, use option -d0;
145 option -d4 is equivalent to -dddd and to -d -d -d -d
146 The number of warnings has been reduced, e.g.removing a non existing
147 file does in most cases no longer log a warning.
149 Added address type internal SOCKETPAIR. This is similar to the unnamed
150 PIPE address (only for internal echoing) but it provides datagram mode
151 (the default) and thus keeps packet boundaries.
152 Tests: SOCKETPAIR_STREAM SOCKETPAIR_DATAGRAM SOCKETPAIR_SEQPACKET
153 SOCKETPAIR_BOUNDARIES
155 New option -S <mask> controls catching and logging of signals that are
156 not internally used by Socat.
157 Tests: SIGTERM_NOLOG SIG31_LOG
159 Added option ipv6-join-source-group.
160 Thanks to Martin Buck and David Schweizer for sending patches.
162 Added option http-version to PROXY-CONNECT address to support servers
163 that are not able to handle HTTP version 1.0
164 Test: PROXY_HTTPVERSION
165 Feature inspired by Robin Palotai.
167 New options openssl-maxfraglen and openssl-maxsendfrag for
168 functions/macros SSL_CTX_set_tlsext_max_fragment_length() and
169 SSL_CTX_set_max_send_fragment().
170 Thanks to James Tavares for his contribution.
172 Added Info log of resulting OpenSSL max fragment length.
174 Implemented options rcvtimeo and sndtimeo, the first of which may be
175 useful to prevent endlessly hanging DTLS connection etablishment.
176 Test: RCVTIMEO_DTLS
177 Feature proposed by Vladimir Nikishkin.
179 The file names with -r and -R now may contain environment variable
180 references.
181 Test: VARS_IN_SNIFFPATH
183 Socat option --statistics logs final byte and packet counter values
184 before exit. Signal USR1 logs actual values.
185 Tests: OPTION_STATISTICS SIGUSR1_STATISTICS
187 Added option sitout-eio to specify a timerange in which EIO on the pty
188 of a sub process is tolerated.
189 Red Hat issue 1853102 related.
190 Thanks to Jonathan Casiot for sending an initial patch.
192 Socat now installs as socat1 and is referenced by symbolic link socat,
193 same with man page (socat1.1 by socat.1)
195 New option children-shutup[=1|2...] decreases severity of log
196 messages in LISTEN and CONNECT type sub processes.
197 Test: CHILDREN_SHUTUP
199 New option retrieve-vlan for supporting VLANs in INTERFACE addresses:
200 Linux normally keeps VLAN tags in outgoing raw packets, but appears to
201 strip them from incoming packets and makes them available in
202 PACKET_AUXDATA ancillary messages only.
203 Up do version 1.7.4.5 Socat did not handle this situation, so the VLAN
204 tags where effectively stripped off incoming packets.
205 With this option Socat restores the VLAN tag.
206 Feature inspired by Zhao Dong.
208 Socket option SO_REUSEADDR is now automatically applied to TCP LISTEN
209 addresses. reuseaddr= restores the old behaviour.
210 Tests: TCP4_REUSEADDR OPENSSL_6_REUSEADDR REUSEADDR_NULL
212 TCP based client addresses now try all results of name resolution until
213 a connection attempt succeeded.
214 Tests: TRY_ADDRS_4 TRY_ADDRS_4_6
215 Feature recommended by Anand Buddhdev.
217 configure option --enable-default-ipv allows to specify at build time if
218 IPv4, IPv6, or none of these is the preferred default; this is related
219 to environment variables SOCAT_PREFERRED_RESOLVE_IP and
220 SOCAT_DEFAULT_LISTEN_IP, and to Socat option -4, -6.
221 Furthermore, mechanism of IPv4 vs.IPv6 selection has been reworked.
222 When no IP version is preferred by these mechanism, passive Socat
223 addresses (LISTEN, RECV, RECVFROM) default to IPv6 because it might
224 support both versions (but checkout option ipv6-v6only).
225 For client addresses, when one of these mechanisms applies and name
226 resolution gives addresses of both IP versions, the addresses of the
227 preferred versions are tried first.
229 New option ai-addrconfig sets or unsets the AI_ADDRCONFIG flag of the
230 resolver to prevent name resolution to address families that are not
231 available in the network configuration. Default value is 1 in case the
232 resolver does not get an address family hint.
234 Flag AI_PASSIVE is now automatically applied for LISTEN, RECV, and
235 RECVFROM type addresses, and with bind option. In addition to its
236 application to the getaddrinfo() function, when this flag is set while
237 no IP version is preferred by build, environment, option, or address
238 type, Socat chooses IPv6 because this might activate both versions (but
239 check option ipv6-v6only).
240 Added option ai-passive to control this flag explicitely.
242 New option ai-v4mapped (v4mapped) sets or unsets the AI_V4MAPPED flag
243 of the resolver. For Socat addresses requiring IPv6 addresses, this
244 resolves IPv4 addresses to the approriate IPv6 address [::ffff:*:*].
246 DNS resolver Options (res-*) are now set for the complete open phase of
247 the address, not per getaddrinfo() invocation.
249 Added the netns option that tries to open an address in the given
250 network namespace.
251 Tests: NETNS NETNS_EXEC
253 New address ACCEPT-FD (ACCEPT) expects a listening file descriptor
254 passed from parent, and accepts one or more connections for data
255 transfer. This can be used with "inetd mode" of systemd.
256 Test: ACCEPT_FD
258 Added experimental socks5 TCP client support (connect,bind); syntax:
259 SOCKS5-CONNECT:<socks-server>:<socks-port>:<target-host>:<target-port>
260 SOCKS5-LISTEN:<socks-server>:<socks-port>:<listen-host>:<listen-port>
261 Thanks to Charlie Svensson and others for contributions.
263 New address types POSIXMQ-RECEIVE, POSIXMQ-READ, POSIXMQ-SEND, and
264 POSIXMQ-BIDIRECTIONAL (Linux only, experimental), and option
265 posixmq-priority
266 Tests: LINUX_POSIXMQ_READ_PRIO LINUX_POSIXMQ_RECV_FORK
267 LINUX_POSIXMQ_RECV_MAXCHILDREN LINUX_POSIXMQ_SEND_MAXCHILDREN
269 New address SHELL invokes a shell but without the overhead of SYSTEM
271 Added options res-retrans and res-retry that make use of undocumented
272 resolver variables to set the retransmission time interval resp.the
273 number of times to retransmit.
274 Disable them and the old res-* opts with: ./configure --disable-resolve
276 Added option res-nsaddr that overrides /etc/resolv.conf nameserver
277 address based on an undocumented resolver feature.
279 New option chdir changes the working directory of the address to the
280 given path, only during the open stage.
281 Tests: CHDIR_ON_CREATE CHDIR_ON_SYSTEM
283 Option umask now applies only during opening of its very address, not
284 for the lifetime of the process; the original umask is restored
285 afterwards.
286 Tests: UMASK_ON_CREATE UMASK_ON_SYSTEM
288 Added option unix-bind-tempname (bind-tempname) to allow UNIX (and
289 ABSTRACT) client addresses to bind to unique addresses even when
290 invoked in forked off sub processes.
291 Tests: UNIX_LISTEN_CONNECT_BIND_TEMPNAME UNIX_LISTEN_CLIENT_BIND_TEMPNAME
292 UNIX_RECVFROM_CLIENT_BIND_TEMPNAME UNIX_RECVFROM_SENDTO_BIND_TEMPNAME
293 ABSTRACT_LISTEN_CONNECT_BIND_TEMPNAME ABSTRACT_LISTEN_CLIENT_BIND_TEMPNAME
294 ABSTRACT_RECVFROM_CLIENT_BIND_TEMPNAME ABSTRACT_RECVFROM_SENDTO_BIND_TEMPNAME
295 Thanks to Kai Lüke for sending an initial patch.
297 New option f-setpipe-sz (pipesz) sets the pipe size on systems that
298 provide ioctl F_SETIPE_SZ.
299 Filan prints the current value.
300 Tests: STDIN_F_SETPIPE_SZ EXEC_F_SETPIPE_SZ
302 Bidirectional PIPE addresses may block on writing a data chunk larger
303 than pipe buffer. Socat now tries to detect if transfer block size is
304 large enough and issues a warning.
306 Added direct support of DCCP protocol, new addresses:
307 DCCP-CONNECT (DCCP)
308 DCCP-LISTEN (DCCP-L)
309 DCCP4-CONNECT (DCCP4)
310 DCCP4-LISTEN (DCCP4-L)
311 DCCP6-CONNECT (DCCP6)
312 DCCP6-LISTEN (DCCP6-L)
313 New option: dccp-set-ccid (ccid)
315 Support for UDP-Lite protocol, new addresses:
316 UDPLITE-CONNECT
317 UDPLITE-LISTEN
318 UDPLITE-DATAGRAM
319 UDPLITE-RECV
320 UDPLITE-RECVFROM
321 UDPLITE-SENDTO
322 All these are also available in UDPLITE4-* and UDPLITE6-* form;
323 options udplite-recv-cscov and udplite-send-cscov.
325 Procan now prints info about CC and __STDC_VERSION__, about FD_SETSIZE,
326 value of SO_PROTOCOL/SO_PROTOTYPE and some other defines, definitions
327 of many C types, and the actual umask.
329 Procan tries to find the name of the controlling terminal, on Linux it
330 reads info from /proc/self/stat and searches for a device with matching
331 major and minor numbers.
333 Added socat-chain.sh that makes it possible to stack protocols, e.g. to
334 drive socks through TLS, or to use TLS over a serial line.
335 Tests: SOCAT_CHAIN_SOCKS4 SOCAT_CHAIN_SSL_PTY
337 Added script socat-mux.sh that performs n-to-1 / 1-to-n communications
338 using two Socat instances with multicasting.
339 Tests: SOCAT_MUX
341 Corrections:
342 When a sub process (EXEC, SYSTEM) terminated with exit code other than
343 0, its last sent data might have been lost depending on timing of read/
344 write and SIGCHLD in Socat.
345 Now the SIGCHLD handler does not simply terminate Socat in this case,
346 but remembers the failure and allows further processing.
347 Thanks to Luke Jones for reporting this issue.
349 Now catching the case of empty SNI host to prevent OpenSSL error.
350 This is related to Red Hat issue 2081414.
352 Better formatted help output; address keywords in help output are now
353 printed in uppercase.
355 In previous Socat versions errors EPIPE and ECONNRESET on read() were
356 handled at warning level, thus not automatically leading to termination
357 with exit code 1. Beginning with this release these conditions are
358 handled as errors with termination and exit code 1 to not pretend
359 success on possible data loss.
360 Problem reported by Scott Burkett.
362 In previous Socat versions errors on shutdown() were ignored (info
363 level).
364 Now Socat handles EPIPE and ECONNRESET as errors to indicate possible
365 failure of data transfer.
367 INTERFACE addresses did not accept options of INTERFACE group (for
368 historical reasons they were only available with TUN addresses).
370 Opening addresses did not check if they support all directions expected
371 by Socat. Now an error is printed when, e.g,, a read-only type address
372 is opened for writing.
374 A lot of minor corrections, e.g., catch readline() errors in filan,
375 detect byte order in procan
376 Test: EXEC_SIGINT
378 OpenSSL cipherlist option did not override global openssl.cnf settings.
379 Now SSL_CTX_set_cipher_list() is called before
380 SSL_CTX_use_certificate_chain_file().
381 Thanks to Hiroshi Sakurai for reporting the problem and suggesting this
382 solution.
384 Fixed option sourceport with UDP6-DATAGRAM.
386 Some client addresses (e.g. TCP-CONNECT) take the fork option for
387 automatically spawning new connections, however the max-children option
388 was not applied.
390 Fixed the end-close option, it just did not work.
392 In configure.ac was a direct call to gcc instead of $CC which broke
393 cross compiling.
394 Thanks to Fergus Dall for sending a patch.
396 Coding:
397 Introduced groups_t instead of uint32_t, for more flexibility.
399 Rearranged option group bits to only require 32 bits on older systems.
401 Make gcc happy, replace strncat with "manual" copying
403 On addresses like UDP-RECVFROM with fork option every packet causes a
404 new child process which then reads the packet. The parent process must
405 wait until the packet has been read before checking again. The former
406 synchronization mechanism using SIGUSR1 is now replaced by a
407 socketpair. SIGUSR1 is no longer used for internal synchronization.
408 Tests: UDP4_FORK UDP6_FORK UNIX_FORK
410 Renamed xioopts_t to xioparms_t to avoid confusion with xioopts module.
412 Moved multicast related code from xioopts.c to xio-ip.c and xio-ip6.c
414 Pointers of type struct single are now always called sfd.
416 Porting:
417 Removed Config/ because its contents have not been maintained for many
418 years.
420 Try to not receive outgoing packets on raw (PF_PACKET) sockets - use
421 PACKET_IGNORE_OUTGOING socket options when available.
422 Test: INTERFACE_IGNOREOUTGOING
424 Renewed port to OpenBSD:
425 Guard OPENSSL_INIT_SETTINGS; and minor changes.
427 Thanks to Paul Hunt for sending a fix of the configure
428 --enable-openssl-base processing.
430 Enable direct largefile support on "smaller" systems per
431 _FILE_OFFSET_BITS and _LARGE_FILES.
432 Thanks to Fergus Dall for sending a patch.
434 Some corrections for better 32bit systems support.
436 Testing:
437 Removed obselete parts from test.sh
439 test.sh: Introduced function checkcond
441 Renamed test.sh option -foreign to -internet
443 Documentation:
444 Removed obselete file doc/xio.help
446 Added doc for option ipv6-join-group (ipv6-add-membership)
447 Thanks to Martin Buck for sending the patch.
449 Renamed xiogetpacketsrc() to xiogetancillary()
451 On bad parameter number now print syntax.
453 ####################### V 1.7.4.5 (not released):
455 Corrections:
456 On connect() failure and in some other situations Socat tries to get
457 detailled information about the error with recvmsg(). Error return of
458 this function is now logged as Info instead of Warn.
460 Tests of the correction of the "IP_ADD_SOURCE_MEMBERSHIP but not struct
461 ip_mreq_source" issue left an #undef in xiosysincludes.h that disabled
462 the ip-add-source-membership option.
463 Thanks to Benjamin Poirier for sending a patch.
465 Fixed a bug in dalan module that caused SIGSEGV in, e.g.,
466 SOCKET-LISTEN:1:1:'"/tmp/sock"'
467 Test: DALAN_NO_SIGSEGV
469 The retry option with some address types (TCP) did not close() the
470 sockets after failed attempts, resulting in an FD leak.
472 Filan: Corrected some syntax error messages
474 Filan: Fixed a bug introduced in 1.7.4.4 that broke displaying
475 TCP/UDP on options -s, -S
476 Test: FILAN_SHORT_TCP
478 Filan: If IP protocol type cannot be retrieved, display at least the
479 socket type
481 Filan: Fixed diag_set() call in filan_main.c, bug popped up with C23.
482 Thanks to Cristian Rodríguez from openSUSE for reporting this issue.
484 Querying the vsock Context Identifier (CID) requires an FD from opening
485 /dev/vsock.
486 Thanks to Volker Simonis for sending a patch.
488 Fixed an internal FD leak in the EXEC,SYSTEM addresses.
490 The FDs of the socketpair that queues messages from signal handlers
491 lacked FD_CLOEXEC and thus leaked into EXEC and SYSTEM child processes.
493 Option stderr on addresses EXEC and SYSTEM uses a temporary FD. It
494 lacked the FD_CLOEXEC setting and thus leakt into child processes.
496 Restoring of STDIO tty settings failed on Solaris type operating
497 systems.
498 Thanks to Gordon W.Ross for reporting and fixing this issue.
499 Test: RESTORE_TTY
501 The OpenSSL client SNI parameter, when not explicitely specified, is
502 derived from option commonname or rom target server name. This is not
503 useful with IP addresses, which Socat now checks and avoids.
505 Socat options -L and -W create lock files using mkstemp(), so they had
506 permissions 600. There does not seem to be a good reason for this
507 restrictive mode. Furthermore Silla Rizzoli experienced that Minicom
508 ignores lock files with mode 600, so it is set to 644 now.
510 Procan tries to find out VSOCK CID only when running as root
512 The mechanism for deferring logs from signal handlers had an issue that
513 caused lots of unwanted recvfrom() calls.
515 Do not try to remove abstract UNIX socket entries after use.
517 Features:
518 VSOCK, VSOCK-L support options pf, socktype, prototype (currently
519 useless)
521 Coding:
522 New Environment variable SOCAT_TRANSFER_WAIT that Socat sleep before
523 starting the data transfer loop. Useful, e.g., to accumulate multiple
524 packets in a receiving datagram socket before starting to process them.
526 "//" comments were used for disabling experimental code. These lines
527 have now been removed or disabled in other ways to make Socat compile
528 with C89/C90 standard again.
530 fcntl() trace prints flags now in hexadecimal.
532 Stream dump options -r and -R now open their pathes with CLOEXEC to
533 prevent leaking into sub processes.
534 Test: EXEC_SNIFF
536 Stream dump write now warn on write errors and partial writes (but
537 still do not recover).
539 Removed trailing white space from *.h and *.c files.
541 Porting:
542 Small correction in configure.ac makes Socat C99 able.
543 Thanks to Florian Weimer from Red Hat for providing a patch.
545 Documentation:
546 Syntax and semantics of some options (esp.unlink-close) were not clear.
547 Thanks to Anthony Chavez for reporting this and making suggestions.
549 socat-tun.html described TCP as tunnel medium but this does not keep
550 packet boundaries. Changed to UDP.
552 Added examples for DCCP client and server.
554 Complex Socat examples are now displayed in two or three lines for
555 better overview.
556 dest-unreach.css stylesheet has been improved to support this.
558 Testing:
559 Idea: EXEC,SYSTEM addresses can keep packet boundaries when option
560 socktype=<val-of-SOCK_DGRAM>
561 Tests: EXECSOCKETPAIRPACKETS SYSTEMSOCKETPAIRPACKETS
563 Cosmetic corrections of EXEC,SYSTEM tests.
565 test.sh: Added option --expect-fail to specify comma separated list of
566 test numbers whose failure shall not cause a failure of the whole
567 script.
569 test.sh: Added help text
571 Speeded up wait loops; more addresses in upper case; more tests with
572 command printing ($VERBOSE)
574 test.sh: Check if ports are free before using them for tests
576 Test EXEC_FDS checks with Filan if EXEC address only passes stdio FDs.
578 Improved template; prepared namesFAIL, -d (DEBUG)
580 ####################### V 1.7.4.4:
582 Corrections:
583 In error.c msg2() there was a stack overflow on long messages: The
584 terminating \0 Byte was written behind the last position.
585 Thanks to Martin Liška for sending the address sanitizer report.
587 UDP-RECVFROM with fork sometimes terminated when multiple packets
588 arrived. This issue was introduced with a bug fix in version 1.7.4.0.
589 Reason was not handling EAGAIN on recvmsg().
590 Thanks to Jamie McQuillan for reporting this issue.
592 Address TCP with options connect-timeout and retry terminated
593 immediately when a connection attempt failed on network error or
594 connection refused.
595 Test: TCP_TIMEOUT_RETRY
596 Thanks to Kamil Holubicki for reporting this issue.
598 There were a couple of weaknesses and errors when accessing invalid or
599 incompatible file system entries with UNIX domain, file, and generic
600 addresses.
601 For example, UNIX-CONNECT, when using a non matching socktype, failed
602 with -1 and did not print an error message, instead of printing an
603 error message and exiting with rc=1.
604 Thanks to Paul Wise for reporting and analyzing the case of accessing
605 a left over socket entry with GOPEN.
607 The rawer option failed because it tried to clear CREAD.
608 Test: RAWER
610 UDP-SEND and UPD-SENDTO with option lowport always bound to port 1
611 instead of a free port in range 640..1023
612 Test: UDP_LOWPORT
614 Fixed bad parser error message on "socat /tmp/x\"x/x -"
616 Tightened syntax checks to detect numerical arguments that are missing
617 or have trailing garbage.
618 Test: INTEGER_GARBAGE
620 ctype(3) functions need there arguments to be unsigned char.
621 Thanks to Taylor R Campbell for sending a patch.
623 Filan library uses Socats diag/error message system and therefore had
624 always the signal handler messages socket pair open. This fix avoids
625 this socketpair in standalone Filan.
627 Corrected printf format for type socklen_t in two places.
629 Porting:
630 OpenSSL, at least 1.1 on Ubuntu, crashed with SIGSEGV under certain
631 conditions: client connection to server with certificate with empty
632 subject, and pressing ^C after successful connect.
633 This crash is now prevented by setting OPENSSL_INIT_NO_ATEXIT.
634 Thanks to Martin Dorey for reporting and analyzing this issue, and for
635 providing an environment for reproduction.
637 Socat failed to compile on platforms that have
638 IP_ADD_SOURCE_MEMBERSHIP but not struct ip_mreq_source
639 Thanks to Justin Yackoski for sending a patch.
641 configure.ac's detection of getprotobynumber_r() variant did not
642 recognize if this function does not exist, e.g. on Musl libc.
643 Thanks to Alexander Kanavin and Baruch Siach for sending patches.
645 Corrected message format when no strftime() is available; improved
646 handling of very long host or program names
648 Solaris requires that termios options are always applied to the slave
649 side of PTY.
651 Fixed ancillary messages on Solaris.
653 Filan: Solaris has the open file path infos in /proc/<pid>/path/
654 Thanks to Andy Fiddaman for directing me to the patch.
656 Filan now recognizes and prints Solaris doors and event ports.
658 Solaris derivatives no longer need librt for clock_gettime()
659 Thanks to Andy Fiddaman for directing me to the patch.
661 LibreSSL does not have OPENSSL_INIT_new(). This function is now
662 guarded. Socat might build with LibreSSL.
663 Thanks to Orbea for reporting and helping.
665 Building:
666 Failure during building documentation, e.g. due to missing Yodl
667 packages, now does not let the build process fail.
668 Feature requested by Seyhun.
670 Features:
671 Filan prints target of symlink when appropriate
672 Test: FILANSYMLINK
674 VSOCK-LISTEN now generates environment variables SOCAT_PEERADDR,
675 SOCAT_PEERPORT, SOCAT_SOCKADDR, SOCAT_SOCKPORT
676 New address aliases VSOCK, VSOCK-L
678 Documentation:
679 Fixed typo in doc/socat-tun.html and link in README.
680 Thanks to William Suthers for reporting.
682 Fixed hard coded path in docu examples.
683 Thanks to Jakub Wilk for sending a patch.
685 Updated doc/socat-openssltunnel.html: 2048 bits, commonname
687 Testing:
688 Unset SOCAT_MAIN_WAIT on informational Socat calls
690 SOCAT=socat used ./socat instead of the version derived by $PATH
692 Do not try VSOCK_ECHO test when feature is not compiled in.
694 Fixed logging of test 220 TUNINTERFACE
696 Musl libc refuses to execve() shell scripts, 2 tests needed to be
697 adapted.
699 Musl libc has FOPEN_MAX=1000 which made bash dumping core on test
700 EXCEED_FOPEN_MAX.
702 Added tests for failures of UNIX socket and GOPEN accesses to non
703 matching file system entries.
704 Tests:
705 CONNECT_TO_MISSING CONNECT_TO_DENIED CONNECT_TO_DIRECTORY
706 CONNECT_TO_ORPHANED CONNECT_TO_FILE CONNECT_TO_DGRAM
707 CONNECT_TO_SEQPACKET SEND_TO_MISSING SEND_TO_DENIED SEND_TO_DIRECTORY
708 SEND_TO_ORPHANED SEND_TO_FILE SEND_TO_STREAM SEND_TO_SEQPACKET
709 SENDTO_TO_MISSING SENDTO_TO_DENIED SENDTO_TO_DIRECTORY
710 SENDTO_TO_ORPHANED SENDTO_TO_FILE SENDTO_TO_STREAM SENDTO_TO_SEQPACKET
711 SEQPACKET_TO_MISSING SEQPACKET_TO_DENIED SEQPACKET_TO_DIRECTORY
712 SEQPACKET_TO_ORPHANED SEQPACKET_TO_FILE SEQPACKET_TO_STREAM
713 SEQPACKET_TO_DGRAM UNIX_TO_MISSING UNIX_TO_DENIED UNIX_TO_DIRECTORY
714 UNIX_TO_FILE UNIX_TO_ORPHANED GOPEN_TO_DENIED GOPEN_TO_DIRECTORY
715 GOPEN_TO_ORPHANED
717 On RHEL-9 SCTP support requires installation of package
718 kernel-modules-extra. test.sh now detects when SCTP is missing in
719 kernel and reacts with warnings instead of errors.
721 VSOCK loopback still does not seem to work even in kernel 5.13, so just
722 issue warning on "No such device".
724 ####################### V 1.7.4.3:
726 Corrections:
727 Socat crashed with SIGSEGV when peer presented a certificate without
728 (or empty?) subject.
729 Thanks to Martin Dorey for reporting this issue and sending a patch.
731 Socat 1.7.4.2 did not compile on OmniOS (and probably other OpenSolaris
732 distributions)
733 Thanks to Andy Fiddaman for sending a patch.
735 Socat since 1.7.4.0 did not compile on Solaris and its derivatives
736 because the getprotobynumber_r() function prototype differ from the
737 Linux version.
738 configure now checks for the variant.
739 Thanks to Robert Zybeck for reporting this issue.
741 The variable for the no-sni option was not initialized and could thus
742 break OpenSSL certificate verification. E.g., test OPENSSL_SNI on some
743 platform succeeded with -g but failed with -O compiler option.
744 Thanks to valgrind for quickly finding the cause.
746 Porting:
747 Again porting Socat to AIX (7.1) - Fixed configure and compile issues:
748 Adapted include requirements for IPv6
749 Guarded MSG_DONTWAIT
751 Continued porting Socat to AIX-7.1 - Fixed some runtime errors:
752 UNIX domain sockets of type SEQPACKET are not available.
753 Connecting to UNIX datagram socket fails with EPROTONOSUPPORT (vs.
754 EPROTOTYPE on most other OSes).
755 Streams: Must not push ldterm when it is already active (hangs).
757 Building:
758 Socats build date and time may now be set externally with environment
759 variable SOURCE_DATE_EPOCH.
760 Thanks to Viktor Kleinik for sending a patch.
762 Building Socat in a sub directory failed.
763 Now the following works even for the docu parts:
764 mkdir -p myos; cd myos; ../configure && make; cd ..
765 Thanks to Jon Ringle for sending a patch.
767 Testing:
768 test.sh: many corrections for AIX's older shell utilities, e.g.sleep(1)
769 does not allow fractions of seconds, grep does not understand '\<';
770 OpenIndiana/SunOS netstat format;
771 many more functional and cosmetic code corrections.
773 Documentation:
774 The socktype option was documented unspecifically as type option.
775 Thanks to Jonas Metzger for the hint.
777 ####################### V 1.7.4.2:
779 Corrections:
780 The per address parameters for OpenSSL overlapped in memory with socket
781 parameters. Magically this did not seem to cause problems except on
782 MacOS Catalina that reported errors like:
783 socat[3458] E Select(7, &0x80, NULL, NULL, {140392884396544.000000}):
784 Invalid argument
785 Test: OPENSSL_PARA_OVERLAP
786 Thanks to Ryo Ota for reporting this bug.
788 Fixed a few minor coding issues
790 A VSOCK warning message was generated with all listening addresses
791 instead of only with VSOCK-LISTEN
793 When an OPENSSL-CONNECT client presented a certificate with IPv6
794 subject alternate name and the OPENSSL-LISTEN server had no commonname
795 option, the server crashed with SIGSEGV in xioip6_pton().
796 Test: OPENSSL_CLIENT_IP6_CN
797 Red Hat bug 1981308
798 Thanks to Vlad Slepukhin for reporting this issue and providing a patch
800 Corrected a typo in configure.ac that broke option --enable-openssl-base
801 Thanks to john1doe for reporting this issue.
803 Socat looped endlessly, not responding to SIGTERM, when a service name
804 (for port) could not be resolved.
805 Test: BAD_SERVICE
807 Using options of NAMED group, e.g.chown, with abstract UNIX domain
808 sockets, produced errors because the function was applied with a normal
809 file system related call, e.g.chown(), using file "" (empty name). Instead of
810 chown(), Socat now uses fchown() on the file descriptor. However, such
811 a call usually has no real effect.
812 Test: ABSTRACT_USER
813 Thanks to Andreas Fink for reporting this issue.
815 Option -R did not only dump ("sniff") right-to-left, but also
816 left-to-right traffic to the given file.
817 Test: SNIFF_RIGHT_TO_LEFT
818 Thanks to 1314 gsf for reporting this bug and sending a patch.
820 Options -r and -R, when opening a named pipe that has no actual reader,
821 failed with "No such device or address". To solve this problem, Socat
822 now opens the pipe in rw-Mode.
823 Thanks to Cody J.Soultz for sending a patch.
825 The call "socat -r - PIPE" traced to file ./- instead of issuing a
826 syntax error.
828 Print a message when readbytes option causes EOF
830 The ip-recverr option had no effect. Corrected and improved its
831 handling of ancilliary messages, so it is able to analyze ICMP error
832 packets (Linux only?)
834 Setgui(), Setuid() calls in xio-progcall.c were useless.
836 Testing:
837 Prevent the TIMESTAMP tests from sporadically failing due do seconds
838 overflow
840 Fixed in test.sh a few issues reported by shellcheck
842 Documentation:
843 Added missing docu of OpenSSL options min-proto-version,
844 max-proto-version.
846 Added missing closing parenthesis in socat.yo.
847 Thanks to Emanuele Torre for reporting this issue.
849 Corrected more typos and added missing bug info to CHANGES, performed
850 some non functional corrections.
852 Porting:
853 Corrected building when clock_gettime() not available, with or without
854 gettimeofday().
856 ####################### V 1.7.4.1:
858 Corrections:
859 Socat 1.7.4.0 failed to compile especially on 32 bit systems.
860 Thanks to Wang Mingyu and others for sending a patch or reporting this
861 issue.
863 Under certain conditions OpenSSL stream connections, in particular bulk
864 data transfer in unidirectional mode, failed during transfer or near
865 its with Connection reset by peer on receiver side.
866 This happened with Socat versions 1.7.3.3 to 1.7.4.0. Reasons were
867 lazy SSL shutdown handling on the sender side in combination with
868 SSL_MODE_AUTO_RETRY turned off.
869 Fix: After SSH_shutdown but before socket shutdown call SSL_read()
870 Test: OPENSSL_STREAM_TO_SERVER
871 Fixes Red Hat issue 1870279.
873 ####################### V 1.7.4.0:
875 Security:
876 Buffer size option (-b) is internally doubled for CR-CRLF conversion,
877 but not checked for integer overflow. This could lead to heap based
878 buffer overflow, assuming the attacker could provide this parameter.
879 Test: BLKSIZE_INT_OVERFL
880 Thanks to Lê Hiếu Bùi for reporting this issue and sending an
881 example exploit.
883 Corrections:
884 Socats address parser read over end of string when there were unbalanced
885 quotes
886 Test: UNBALANCED_QUOTE
888 Removed unused usleep() call from sycls.c
890 Unsetenv() was conditional in sysutils.c but not in xio-openssl.c thus
891 building failed on Solaris 9.
892 Thanks to Greg Earle for reporting this issue and providing a patch.
894 Mitigated race condition of quickly terminating SYSTEM or EXEC child
895 processes.
897 Option o-direct might require alignment of read/write buffer to, e.g.,
898 512 bytes, Socat now takes care of this when allocating the buffer.
899 With this fix read() succeeds, however, write() still might fail when
900 not writing complete pages.
901 Test: O_DIRECT
903 There was a race condition in the way Socat UDP-RECVFROM and similar
904 addresses with option fork prevents one packet from triggering
905 multiple processes. The symptom was that Socat master process seemed to
906 hang and did not process further packets. The fix makes use of
907 pselect() system call.
908 Thanks to Fulvio Scapin for reporting this issue.
910 UNIX domain client addresses applied file system entry options (group
911 NAMED) to the server socket instead of the client (bind) socket entry.
912 Tests: UNIX_SENDTO_UNLINK UNIX_CONNECT_UNLINK
913 Thanks to Nico Williams for reporting this major issue.
915 Length of single address options was limited to 511 bytes. This value
916 is now increased to 2047 bytes.
917 Change suggested by Mario Camou.
919 Addresses of type RECVFROM with option fork looped with an error
920 message in case that the second address failed before consuming the
921 packet. The fix makes RECVFROM drop the packet when the second address
922 failed before reading it. Use retry or forever option with the second
923 address if you want to avoid data loss.
924 Fixes Red Hat bug 1907718
925 Thanks to Chunmei Xu for reporting this issue and proving the patch.
927 Socats DTLS implementation has been reworked and appears to work now
928 reasonably over UDP.
929 New addresses: OPENSSL-DTLS-SERVER (DTLS-L),
930 OPENSSL-DTLS-CLIENT (DTLS)
931 Tests: OPENSSL_DTLS_CLIENT OPENSSL_DTLS_SERVER
932 OPENSSL_METHOD_DTLS1 OPENSSL_METHOD_DTLS1.2
933 Thanks to Brandon Carpenter, Qing Wan, and Pavel Nakonechnyi for
934 sending patches.
936 filan did not output the socket protocol.
937 filan -s assumed each stream socket to be TCP and each datagram socket
938 to be UDP. Now it uses SO_PROTOCOL and getprotoent() for correct output.
940 Help text showed two parameters for UDP4-RECVFROM address, but only
941 <port> is allowed.
942 Thanks to John the Scott for reporting this issue.
944 Error messages from SSL_read() and SSL_write() sometimes stated
945 SSL_connect instead of originating function name.
947 Fixed some more non functional minor issues.
949 Porting:
950 In gcc version 10 the default changed from -fcommon to -fno-common.
951 Consequently, linking filan and procan failed with error
952 "multiple definition of `deny_severity'" and `allow_severity'
953 Fixed by removing definitions in filan.c and procan.c
954 Debian issue 957823
955 Thanks to László Böszörményi and others for reporting this issue.
957 Solaris 9 does not provide strndup(); added substitute code.
958 Thanks to Greg Earle for providing a patch.
960 Added configure option --enable-openssl-base to specify the location of
961 a non-OS OpenSSL installation
963 There are systems whose kernel understands SCTP but getaddrinfo does
964 not. As workaround after EIA_SOCKTYPE on name and service resolution
965 fall back to ai_socktype=0; if it fails with EAI_SERVICE, set
966 ai_protocol=0 and try again
967 Test: SCTP_SERVICENAME
969 Per file filesystem options were still named ext2-* and depended on
970 <linux/ext2_fs.h>. Now they are called fs-* and depend on <linux/fs.h>.
971 These fs-* options are also available on old systems with ext2_fs.h
973 New options openssl-min-proto-version (min-version) and
974 openssl-max-proto-version (max-version) give access to the related
975 OpenSSL set-macros and substitute deprecated version-specific methods.
976 Test: OPENSSL_MIN_VERSION
978 With OpenSSL use OPENSSL_init_SSL when available, instead of deprecated
979 SSL_library_init.
981 With OPENSSL_API_COMPAT=0x10000000L the files openssl/dh.h, openssl/bn.h
982 must explicitely be included.
983 Thanks to Rosen Penev for reporting and sending a patch.
985 Testing:
986 test.sh now produces a list of tests that could not be performed for
987 any reason. This helps to analyse these cases.
989 OpenSSL s_server appearently started to neglect TCPs half close feature.
990 Test OPENSSL_TCP4 has been changed to tolerate this.
992 OpenSSL changed its behaviour when connection is rejected. Tests
993 OPENSSLCERTSERVER, OPENSSL_CN_CLIENT_SECURITY, and
994 OPENSSL_CN_SERVER_SECURITY now tolerate this.
996 OpenSSL no longer allows explicit renegotiation with TLSv1.3, thus the
997 appropriate tests failed.
998 Fix: use TLSv1.2 for renegotiation tests
999 Tests: OPENSSLRENEG1 OPENSSLRENEG2
1001 Ubuntu 20.04 requires 2048 bit certificates with OpenSSL
1003 Archlinux 2020 has not which command; its ip,ss commands have modified
1004 version strings
1006 More testing issues solved:
1007 * ss to pipe might omit column separator
1008 * UDP6MULTICAST_UNIDIR fails on newer Linux kernels
1009 * do not use sort -V
1010 * renamed testaddrs() to testfeats(), and introduced new testaddrs()
1012 New features:
1013 GOPEN and UNIX-CLIENT addresses now support sockets of type SEQPACKET.
1014 Test: GOPENUNIXSEQPACKET
1015 Feature suggested by vi0oss.
1017 The generic setsockopt-int and related options are, in case of
1018 listening/accepting addresses, applied to the connected socket(s). To enable
1019 setting options on the listening socket, a new option setsockopt-listen
1020 has been implemented. See the documentation for info on data types.
1021 Tests: SETSOCKOPT SETSOCKOPT_LISTEN
1022 Thanks to Steven Danna and Korian Edeline for reporting this issue.
1024 Filan option -S gives short description like -s but with improved
1025 format
1027 Socat OpenSSL client, when server was specified using IP address, did
1028 not verify connection on certificates SubjectAltName IP entries.
1029 Tests: OPENSSL_SERVERALTAUTH OPENSSL_SERVERALTIP4AUTH OPENSSL_SERVERALTIP6AUTH
1030 Fixes Red Hat bug 1805132
1032 Added options -r and -R for raw dump of transferred data to files.
1033 Test: OPTION_RAW_DUMP
1035 Added option ip-transparent (socket option IP_TRANSPARENT)
1036 Thanks to Wang Shanker for sending a patch.
1038 OPENSSL-CONNECT now automatically uses the SNI feature, option
1039 openssl-no-sni turns it off. Option openssl-snihost overrides the value
1040 of option openssl-commonname or the server name.
1041 Tests: OPENSSL_SNI OPENSSL_NO_SNI
1042 Thanks to Travis Burtrum for providing the initial patch
1044 New option accept-timeout (listen-timeout)
1045 Test: ACCEPTTIMEOUT
1046 Proposed by Roland
1048 New option ip-add-source-membership
1049 Feature inspired by Brian (b f31415)
1051 INCOMPATIBLE CHANGE: Address UDP-DATAGRAM now does not check peerport
1052 of replies, as it did up to version 1.7.3.4. Use option sourceport when
1053 you need the old behaviour.
1054 Test: UDP_DATAGRAM_SOURCEPORT
1055 Feature inspired by Hans Bueckler for SSDP inquiry (for UPnP)
1057 New option proxy-authorization-file reads PROXY-CONNECT credentials
1058 from file and makes it possible to hide this data from the process
1059 table.
1060 Test: PROXYAUTHFILE
1061 Thanks to Charles Stephens for sending an initial patch.
1063 Added AF_VSOCK support with VSOCK-CONNECT and VSOCK-LISTEN addresses.
1064 Developed by Stefano Garzarella.
1066 Coding:
1067 Added printf formats for uint16_t etc.
1069 Documentation:
1070 Address UDP-RECV does not support option fork.
1071 Thanks to Fulvio Scapin for reporting that mistake in docu.
1073 TUN address documentation showed TCP for backend which may merge
1074 consecutive packets which causes data loss.
1075 Thanks to Tomasz Lakota for reporting this issue.
1077 ####################### V 1.7.3.4:
1079 Corrections:
1080 Header of xiotermios_speed() declared parameter unsigned int instead of
1081 speed_t, thus compiling failed on MacOS
1082 Thanks to Joe Strout and others for reporting this bug.
1083 Thanks to Andrew Childs and others for sending a patch.
1085 Under certain circumstances, termios options of the first address were
1086 applied to the second address, resulting in error
1087 "Inappropriate ioctl for device"
1088 This affected version 1.7.3.3 only.
1089 Test: TERMIOS_PH_ALL
1090 Thanks to Ivan J. for reporting this issue.
1092 Socat failed to compile when no poll() system call was found by
1093 configure.
1094 Thanks to Jason White for sending a patch.
1096 Due to use of SSL_CTX_clear_mode() Socat failed to compile on old
1097 systems with, e.g., OpenSSL-0.9.8. Thanks to Simon Matter and Moritz B.
1098 for reporting this problem and sending initial patches.
1100 getaddrinfo() in IP4-SENDTO and IP6-SENDTO addresses failed with
1101 "ai_socktype not supported" when protocol 6 was addressed.
1102 The fix removes the possibility to use service names with SCTP.
1103 Test: IP_SENDTO_6
1104 Thanks to Sören for sending an initial patch.
1106 Under certain circumstances, Socat printed the "socket ... is at EOF"
1107 multiple times.
1108 Test: MULTIPLE_EOF
1110 Newer parts of test.sh used substitutions ${x,,*} or ${x^^*} that are
1111 not implemented in older bash versions.
1113 ####################### V 1.7.3.3:
1115 Corrections:
1116 Makefile.in did not specify dependencies of filan on vsnprintf_r.o
1117 and snprinterr.o
1118 Added definition of FILAN_OBJS
1119 Thanks to Craig Leres, Clayton Shotwell, and Chris Packham for
1120 providing patches.
1122 configure option --enable-msglevel did not work with numbers
1124 The autoconf mechanism for determining SHIFT_OFFSET did not work when
1125 cross compiling.
1126 Thanks to Max Freisinger from Gentoo for sending a patch.
1128 Socat still depended on obsolete gethostbyname() function, thus
1129 compiling with MUSL libc failed.
1130 Problem reported by Kennedy33.
1132 The async signal safe diagnostic system used FDs 3 and 4 internally, so
1133 use of appropriate fdin or fdout led to failures.
1134 Test: DIAG_FDIN
1135 Problem reported by Onur Sentürk.
1137 The socket based mechanism for passing messages and signal information
1138 from signal handler to process could reach and kill the wrong process.
1139 Introduces functions diag_sock_pair(), diag_fork()
1140 Thanks to Darren Zhao for analysing and reporting this problem.
1142 Option ipv6-join-group did not work because it was applied in the wrong
1143 phase
1144 Test: UDP6MULTICAST_UNIDIR
1145 Thanks to Angus Gratton for sending a patch.
1147 Setting ispeed and ospeed failed for some serial devices because the
1148 two settings were applied with two different get/set cycles, Thanks to
1149 Alexandre Fenyo for providing an initial patch.
1150 However, the actual fix is part of a conceptual change of the termios
1151 module that aims for applying all changes in a single tcsetattr call.
1152 Fixes FreeBSD Bug 198441
1154 Termios options TAB0,TAB1,TAB2,TAB3, and XTABS did not have an effect.
1155 Thanks to Alan Walters for reporting this bug.
1157 Substituted cumbersom ISPEED_OFFSET mechanism for cfsetispeed() calls
1159 With TCP6-LISTEN and the other passive IPv6 addresses the range option
1160 just failed: due to a bug in the syntax parser and two more bugs in
1161 the xiocheckrange_ip6() function.
1162 The syntax has now been changed from "[::1/128]" to "[::1]/128"!
1163 Thanks Leah Neukirchen for sending an initial fix.
1165 For name resolution Socat only checked the first character of the host
1166 name to decide if it is an IPv4 address. This was not RFC conform. This
1167 fix removes the possibility for use of IPv4 addresses with IPv6, e.g.
1168 TCP6:127.0.0.1:80
1169 Debian issue 695885
1170 Thanks to Nicolas Fournil for reporting this issue.
1172 Print a useful error message when single character options appear to be
1173 merged in Socat invocation
1174 Test: SOCAT_OPT_HINT
1176 Fixed some docu typos.
1177 Thanks to Travis Wellman, Thomas <tjps636>, Dan Kenigsberg,
1178 Julian Zinn, and Simon Matter
1180 Porting:
1181 OpenSSL functions TLS1_client_method() and similar are
1182 deprecated. Socat now uses recommended TLS_client_method(). The old
1183 functions and dependend option openssl-method can still be
1184 used when configuring socat with --enable-openssl-method
1186 Shell scripts in socat distribution are now headed with:
1187 #! /usr/bin/env bash
1188 to make them better portable to systems without /bin/bash
1189 Thanks to Maya Rashish for sending a patch
1191 RES_AAONLY, RES_PRIMARY are deprecated. You can still enable them with
1192 configure option --enable-res-deprecated.
1194 New versions of OpenSSL preset SSL_MODE_AUTO_RETRY which may hang socat.
1195 Solution: clear SSL_MODE_AUTO_RETRY when it is set.
1197 Renamed configure.in to configure.ac and set an appropriate symlink for
1198 older environments.
1199 Related Gentoo bug 426262: Warning on configure.in
1200 Thanks to Francesco Turco for reporting that warning.
1202 Fixed new IPv6 range code for platforms without s6_addr32 component.
1204 Testing:
1205 test.sh: Show a warning when phase-1 (insecure phase) of a security
1206 test fails
1208 OpenSSL tests failed on actual Linux distributions. Measures:
1209 Increased key lengths from 768 to 1024 bits
1210 Added test.sh option -C to delete temp certs from prevsious runs
1211 Provide DH-parameter in certificate in PEM
1212 OpenSSL s_server option -verify 0 must be omitted
1213 OpenSSL authentication method aNULL no longer works
1214 Failure of cipher aNULL is not a failure
1215 Failure of methods SSL3 and SSL23 is desired
1217 test.sh depended on ifconfig and netstat utilities which are no longer
1218 availabie in some distributions. test.sh now checks for and prefers
1219 ip and ss.
1220 Thanks to Ruediger Meier for reporting this problem.
1222 More corrections to test.sh:
1223 Language settings could still influence test results
1224 netstat was still required
1225 Suppress usleep deprecated messag
1226 Force use of IPv4 with some certificates
1227 Set timeout for UDPxMAXCHILDREN tests
1229 Git:
1230 Added missing Config/Makefile.DragonFly-2-8-2,
1231 Config/config.DragonFly-2-8-2.h
1232 Removed testcert.conf (to be generated by test.sh)
1234 Cosmetics:
1235 Simplified handling of missing termios defines.
1237 New features:
1238 Permit combined -d options as -dd etc.
1240 porting:
1241 ext2 options are now fs options.
1243 ####################### V 1.7.3.2:
1245 corrections:
1246 SIGSEGV and other signals could lead to a 100% CPU loop
1248 Failing name resolution could lead to SIGSEGV
1249 Thanks to Max for reporting this issue.
1251 Include <stddef.h> for ptrdiff_t
1252 Thanks to Jeroen Roovers for reporting this issue.
1254 Building with --disable-sycls failed due to missing sslcls.h defines
1256 Socat hung when configured with --disable-sycls.
1258 Some minor corrections with includes etc.
1260 Option so-reuseport did not work. Thanks to Some Raghavendra Prabhu
1261 for sending a patch.
1263 Programs invoked with EXEC, nofork, and -u or -U had stdin and stdout
1264 incorrectly assigned
1265 Test: EXEC_NOFORK_UNIDIR
1266 Thanks to David Reiss for reporting this problem.
1268 Socat exited with status 0 even when a program invoked with SYSTEM or
1269 EXEC failed.
1270 Tests: SYSTEM_RC EXEC_RC
1271 Issue reported by Felix Winkelmann.
1273 AddressSanitizer reported a few buffer overflows (false positives).
1274 Nevertheless fixed Socat source.
1275 Issue reported by Hanno Böck.
1277 Socat did not use option ipv6-join-group.
1278 Test: USE_IPV6_JOIN_GROUP
1279 Thanks to Linus Lüssing for sending a patch.
1281 UDP-LISTEN did not honor the max-children option.
1282 Test: UDP4MAXCHILDREN UDP6MAXCHILDREN
1283 Thanks to Leander Berwers for reporting this issue.
1285 Options so-rcvtimeo and so-sndtimeo do not work with poll()/select()
1286 and therefore were useless.
1287 Thanks to Steve Borenstein for reporting this issue.
1289 Option dhparam was documented as dhparams. Added the alias name
1290 dhparams to fix this.
1291 Thanks to Alexander Neumann for sending a patch.
1293 Options shut-down and shut-close did not work.
1294 Thanks to Stefan Schimanski for providing a patch.
1296 There was a bug in printing readline log message caused by a misleading
1297 indentation.
1298 Thanks to Paul Wouters for reporting.
1300 The internal vsnprintf_r function looped or crashed on size parameter
1301 with hexadecimal output.
1303 Ignore exit code of child process when it was killed by master due to
1304 EOF
1306 Corrected byte order on read of IPV6_TCLASS value from ancillary
1307 message
1309 Fixed type of the bool element in options. This had bug caused failures
1310 e.g. of ignoreeof on big-endian systems when bool was not based on int.
1312 On systems with predefined bool type whose size differs from int some
1313 IPv6 and TCP options (per setsockopt()) failed.
1315 Length of integral data in ancillary messages varies (TOS: 1 byte,
1316 TTL: 4 bytes), the old implementation failed for TTL on big-endian
1317 hosts.
1319 Fixed an issue in options processing: TUN and DNS flags had failed on
1320 big-endian systems and the NO- forms had probable never worked.
1322 porting:
1323 Type conflict between int and sig_atomic_t between declaration and
1324 definition of diag_immediate_type and diag_immediate_exit broke
1325 compilation on FreeBSD 10.1 with clang. Thanks to Emanuel Haupt for
1326 reporting this bug.
1328 Socat failed to compile on platforms with OpenSSL without
1329 DTLSv1_client_method or DTLSv1_server_method.
1330 Thanks to Simon Matter for sending a patch.
1332 NuttX OS headers do not provide struct ip, thus socat did not compile.
1333 Made struct ip subject to configure.
1334 Thanks to SP for reporting this issue.
1336 Socat failed to compile with OpenSSL version 1.0.2d where
1337 SSLv3_server_method and SSLv3_client_method are no longer defined.
1338 Thanks to Mischa ter Smitten for reporting this issue and providing
1339 a patch.
1341 configure checked for OpenSSL EC_KEY assuming it is a define but it
1342 is a type, thus OpenSSL ECDHE ciphers failed even on Linux.
1343 Thanks to Andrey Arapov for reporting this bug.
1345 Changes to make socat compile with OpenSSL 1.1.
1346 Thanks to Sebastian Andrzej Siewior e.a. from the Debian team for
1347 providing the base patch.
1348 Debian Bug#828550
1350 Make Socat compatible with BoringSSL.
1351 Thanks to Matt Braithwaite for providing a patch.
1353 OpenSSL: Use RAND_status to determine PRNG state
1354 Thanks to Adam Langley for providing a patch
1356 AIX-7 uses an extended O_ACCMODE that does not fit socat's internal
1357 requirements. Thanks to Garrick Trowsdale for providing a patch
1359 LibreSSL support: check for OPENSSL_NO_COMP
1360 Thanks to Bernard Spil for providing a patch
1362 testing:
1363 socks4echo.sh and socks4a-echo.sh hung with new bash with read -n
1365 test.sh: stderr; option -v (verbose); FDOUT_ERROR description
1367 improved proxy.sh - it now also takes hostnames
1369 A few corrections in test.sh
1371 DTLS1 test hangs on some distributions. Test is now only performed
1372 with OpenSSL 1.0.2 or higher.
1374 More corrections to test.sh that reveal a mistake with IPV6_TCLASS
1376 docu:
1377 Corrected source of socat man page to correctly show man references
1378 like socket(2); removed obseolete entries from See Also
1380 Docu and some comments mentioned addresses SSL-LISTEN and SSL-CONNECT
1381 that do not exist (OPENSSL-LISTEN, SSL-L; and OPENNSSL-CONNECT, SSL
1382 are correct).
1383 Thanks to Zhigang Wang for reporting this issue.
1385 Fixed a couple of English spelling and grammar mistakes.
1386 Thanks to Jakub Wild for sending the patches.
1388 NOEXPAND() was not resolved 2 times.
1390 More minor docu corrections
1392 legal:
1393 Added contributors to copyright notices. Suggested by Matt Braithwaite.
1395 ####################### V 1.7.3.1:
1397 security:
1398 Socat security advisory 8
1399 A stack overflow in vulnerability was found that can be triggered when
1400 command line arguments (complete address specifications, host names,
1401 file names) are longer than 512 bytes.
1402 Successful exploitation might allow an attacker to execute arbitrary
1403 code with the privileges of the socat process.
1404 This vulnerability can only be exploited when an attacker is able to
1405 inject data into socat's command line.
1406 A vulnerable scenario would be a CGI script that reads data from clients
1407 and uses (parts of) this data as hostname for a Socat invocation.
1408 Test: NESTEDOVFL
1409 Credits to Takumi Akiyama for finding and reporting this issue.
1411 Socat security advisory 7
1412 MSVR-1499
1413 In the OpenSSL address implementation the hard coded 1024 bit DH p
1414 parameter was not prime. The effective cryptographic strength of a key
1415 exchange using these parameters was weaker than the one one could get by
1416 using a prime p. Moreover, since there is no indication of how these
1417 parameters were chosen, the existence of a trapdoor that makes possible
1418 for an eavesdropper to recover the shared secret from a key exchange
1419 that uses them cannot be ruled out.
1420 Futhermore, 1024bit is not considered sufficiently secure.
1421 Fix: generated a new 2048bit prime.
1422 Thanks to Santiago Zanella-Beguelin and Microsoft Vulnerability
1423 Research (MSVR) for finding and reporting this issue.
1425 ####################### V 1.7.3.0:
1427 security:
1428 Socat security advisory 6
1429 CVE-2015-1379: Possible DoS with fork
1430 Fixed problems with signal handling caused by use of not async signal
1431 safe functions in signal handlers that could freeze socat, allowing
1432 denial of service attacks.
1433 Many changes in signal handling and the diagnostic messages system were
1434 applied to make the code async signal safe but still provide detailled
1435 logging from signal handlers:
1436 Coded function vsnprintf_r() as async signal safe incomplete substitute
1437 of libc vsnprintf()
1438 Coded function snprinterr() to replace %m in strings with a system error
1439 message
1440 Instead of gettimeofday() use clock_gettime() when available
1441 Pass Diagnostic messages from signal handler per unix socket to the main
1442 program flow
1443 Use sigaction() instead of signal() for better control
1444 Turn off nested signal handler invocations
1445 Thanks to Peter Lobsinger for reporting and explaining this issue.
1447 Red Hat issue 1019975: add TLS host name checks
1448 OpenSSL client checks if the server certificates names in
1449 extensions/subjectAltName/DNS or in subject/commonName match the name
1450 used to connect or the value of the openssl-commonname option.
1451 Test: OPENSSL_CN_CLIENT_SECURITY
1453 OpenSSL server checks if the client certificates names in
1454 extensions/subjectAltNames/DNS or subject/commonName match the value of
1455 the openssl-commonname option when it is used.
1456 Test: OPENSSL_CN_SERVER_SECURITY
1458 Red Hat issue 1019964: socat now uses the system certificate store with
1459 OPENSSL when neither options cafile nor capath are used
1461 Red Hat issue 1019972: needs to specify OpenSSL cipher suites
1462 Default cipherlist is now "HIGH:-NULL:-PSK:-aNULL" instead of empty to
1463 prevent downgrade attacks
1465 new features:
1466 OpenSSL addresses set couple of environment variables from values in
1467 peer certificate, e.g.:
1468 SOCAT_OPENSSL_X509_SUBJECT, SOCAT_OPENSSL_X509_ISSUER,
1469 SOCAT_OPENSSL_X509_COMMONNAME,
1470 SOCAT_OPENSSL_X509V3_SUBJECTALTNAME_DNS
1471 Tests: ENV_OPENSSL_{CLIENT,SERVER}_X509_*
1473 Added support for methods TLSv1, TLSv1.1, TLSv1.2, and DTLS1
1474 Tests: OPENSSL_METHOD_*
1476 Enabled OpenSSL server side use of ECDHE ciphers. Feature suggested
1477 by Andrey Arapov.
1479 Added a new option termios-rawer for ptys.
1480 Thanks to Christian Vogelgsang for pointing me to this requirement
1482 corrections:
1483 Bind with ABSTRACT commands used non-abstract namespace (Linux).
1484 Test: ABSTRACT_BIND
1485 Thanks to Denis Shatov for reporting this bug.
1487 Fixed return value of nestlex()
1489 Option ignoreeof on the right address hung.
1490 Test: IGNOREEOF_REV
1491 Thanks to Franz Fasching for reporting this bug.
1493 Address SYSTEM, when terminating, shut down its parent addresses,
1494 e.g. an SSL connection which the parent assumed to still be active.
1495 Test: SYSTEM_SHUTDOWN
1497 Passive (listening or receiving) addresses with empty port field bound
1498 to a random port instead of terminating with error.
1499 Test: TCP4_NOPORT
1501 configure with some combination of disable options produced config
1502 files that failed to compile due to missing IPPROTO_TCP.
1503 Thanks to Thierry Fournier for report and patch.
1505 fixed a few minor bugs with OpenSSL in configure and with messages
1507 Socat did not work in FIPS mode because 1024 instead of 512 bit DH prime
1508 is required. Thanks to Zhigang Wang for reporting and sending a patch.
1510 Christophe Leroy provided a patch that fixes memory leaks reported by
1511 valgrind
1513 Help for filan -L was bad, is now corrected to:
1514 "follow symbolic links instead of showing their properties"
1516 Address options fdin and fdout were silently ignored when not applicable
1517 due to -u or -U option. Now these combinations are caught as errors.
1518 Test: FDOUT_ERROR
1519 Issue reported by Hendrik.
1521 Added option termios-cfmakeraw that calls cfmakeraw() and is preferred
1522 over option raw which is now obsolote. On SysV systems this call is
1523 simulated by appropriate setting.
1524 Thanks to Youfu Zhang for reporting issue with option raw.
1526 porting:
1527 Socat included <sys/poll.h> instead of POSIX <poll.h>
1528 Thanks to John Spencer for reporting this issue.
1530 Version 1.7.2.4 changed the check for gcc in configure.ac; this
1531 broke cross compiling. The particular check gets reverted.
1532 Thanks to Ross Burton and Danomi Manchego for reporting this issue.
1534 Debian Bug#764251: Set the build timestamp to a deterministic time:
1535 support external BUILD_DATE env var to allow to build reproducable
1536 binaries
1538 Joachim Fenkes provided an new adapted spec file.
1540 Type bool and macros Min and Max are defined by socat which led to
1541 compile errors when they were already provided by build framework.
1542 Thanks to Liyu Liu for providing a patch.
1544 David Arnstein contributed a patch for NetBSD 5.1 including stdbool.h
1545 support and appropriate files in Config/
1547 Lauri Tirkkonen contributed a patch regarding netinet/if_ether.h
1548 on Illumos
1550 Changes for Openindiana: define _XPG4_2, __EXTENSIONS__,
1551 _POSIX_PTHREAD_SEMANTICS; and minor changes
1553 Red Hat issue 1182005: socat 1.7.2.4 build failure missing
1554 linux/errqueue.h
1555 Socat failed to compile on on PPC due to new requirements for
1556 including <linux/errqueue.h> and a weakness in the conditional code.
1557 Thanks to Michel Normand for reporting this issue.
1559 doc:
1560 In the man page the PTY example was badly formatted. Thanks to
1561 J.F.Sebastian for sending a patch.
1563 Added missing CVE ids to security issues in CHANGES
1565 testing:
1566 Do not distribute testcert.conf with socat source but generate it
1567 (and new testcert6.conf) during test.sh run.
1569 ####################### V 1.7.2.4:
1571 corrections:
1572 LISTEN based addresses applied some address options, e.g. so-keepalive,
1573 to the listening file descriptor instead of the connected file
1574 descriptor
1575 Thanks to Ulises Alonso for reporting this bug
1577 make failed after configure with non gcc compiler due to missing
1578 include. Thanks to Horacio Mijail for reporting this problem
1580 configure checked for --disable-rawsocket but printed
1581 --disable-genericsocket in the help text. Thanks to Ben Gardiner for
1582 reporting and patching this bug
1584 In xioshutdown() a wrong branch was chosen after RECVFROM type addresses.
1585 Probably no impact.
1586 Thanks to David Binderman for reporting this issue.
1588 procan could not cleanly format ulimit values longer than 16 decimal
1589 digits. Thanks to Frank Dana for providing a patch that increases field
1590 width to 24 digits.
1592 OPENSSL-CONNECT with bind option failed on some systems, eg.FreeBSD, with
1593 "Invalid argument"
1594 Thanks to Emile den Tex for reporting this bug.
1596 Changed some variable definitions to make gcc -O2 aliasing checker happy
1597 Thanks to Ilya Gordeev for reporting these warnings
1599 On big endian platforms with type long >32bit the range option applied a
1600 bad base address. Thanks to hejia hejia for reporting and fixing this bug.
1602 Red Hat issue 1022070: missing length check in xiolog_ancillary_socket()
1604 Red Hat issue 1022063: out-of-range shifts on net mask bits
1606 Red Hat issue 1022062: strcpy misuse in xiosetsockaddrenv_ip4()
1608 Red Hat issue 1022048: strncpy hardening: corrected suspicious strncpy()
1609 uses
1611 Red Hat issue 1021958: fixed a bug with faulty buffer/data length
1612 calculation in xio-ascii.c:_xiodump()
1614 Red Hat issue 1021972: fixed a missing NUL termination in return string
1615 of sysutils.c:sockaddr_info() for the AF_UNIX case
1617 fixed some typos and minor issues, including:
1618 Red Hat issue 1021967: formatting error in manual page
1620 UNIX-LISTEN with fork option did not remove the socket file system entry
1621 when exiting. Other file system based passive address types had similar
1622 issues or failed to apply options umask, user e.a.
1623 Thanks to Lorenzo Monti for pointing me to this issue
1625 porting:
1626 Red Hat issue 1020203: configure checks fail with some compilers.
1627 Use case: clang
1629 Performed changes for Fedora release 19
1631 Adapted, improved test.sh script
1633 Red Hat issue 1021429: getgroupent fails with large number of groups;
1634 use getgrouplist() when available instead of sequence of calls to
1635 getgrent()
1637 Red Hat issue 1021948: snprintf API change;
1638 Implemented xio_snprintf() function as wrapper that tries to emulate C99
1639 behaviour on old glibc systems, and adapted all affected calls
1640 appropriately
1642 Mike Frysinger provided a patch that supports long long for time_t,
1643 socklen_t and a few other libc types.
1645 Artem Mygaiev extended Cedril Priscals Android build script with pty code
1647 The check for fips.h required stddef.h
1648 Thanks to Matt Hilt for reporting this issue and sending a patch
1650 Check for linux/errqueue.h failed on some systems due to lack of
1651 linux/types.h inclusion. Thanks to Michael Vastola for sending a patch.
1653 autoconf now prefers configure.ac over configure.in
1654 Thanks to Michael Vastola for sending a patch.
1656 type of struct cmsghdr.cmsg is system dependend, determine it with
1657 configure; some more print format corrections
1659 docu:
1660 libwrap always logs to syslog
1662 added actual text version of GPLv2
1664 ####################### V 1.7.2.3:
1666 security:
1667 Socat security advisory 5
1668 CVE-2014-0019: socats PROXY-CONNECT address was vulnerable to a buffer
1669 overflow with data from command line (see socat-secadv5.txt)
1670 Credits to Florian Weimer of the Red Hat Product Security Team
1672 ####################### V 1.7.2.2:
1674 security:
1675 Socat security advisory 4
1676 CVE-2013-3571:
1677 after refusing a client connection due to bad source address or source
1678 port socat shutdown() the socket but did not close() it, resulting in
1679 a file descriptor leak in the listening process, visible with lsof and
1680 possibly resulting in EMFILE Too many open files. This issue could be
1681 misused for a denial of service attack.
1682 Full credits to Catalin Mitrofan for finding and reporting this issue.
1684 ####################### V 1.7.2.1:
1686 security:
1687 Socat security advisory 3
1688 CVE-2012-0219:
1689 fixed a possible heap buffer overflow in the readline address. This bug
1690 could be exploited when all of the following conditions were met:
1691 1) one of the addresses is READLINE without the noprompt and without the
1692 prompt options.
1693 2) the other (almost arbitrary address) reads malicious data (which is
1694 then transferred by socat to READLINE).
1695 Workaround: when using the READLINE address apply option prompt or
1696 noprompt.
1697 Full credits to Johan Thillemann for finding and reporting this issue.
1699 ####################### V 1.7.2.0:
1701 corrections:
1702 when UNIX-LISTEN was applied to an existing file it failed as expected
1703 but removed the file. Thanks to Bjoern Bosselmann for reporting this
1704 problem
1706 fixed a bug where socat might crash when connecting to a unix domain
1707 socket using address GOPEN. Thanks to Martin Forssen for bug report and
1708 patch.
1710 UDP-LISTEN would alway set SO_REUSEADDR even without fork option and
1711 when user set it to 0. Thanks to Michal Svoboda for reporting this bug.
1713 UNIX-CONNECT did not support half-close. Thanks to Greg Hughes who
1714 pointed me to that bug
1716 TCP-CONNECT with option nonblock reported successful connect even when
1717 it was still pending
1719 address option ioctl-intp failed with "unimplemented type 26". Thanks
1720 to Jeremy W. Sherman for reporting and fixing that bug
1722 socat option -x did not print packet direction, timestamp etc; thanks
1723 to Anthony Sharobaiko for sending a patch
1725 address PTY does not take any parameters but did not report an error
1726 when some were given
1728 Marcus Meissner provided a patch that fixes invalid output and possible
1729 process crash when socat prints info about an unnamed unix domain
1730 socket
1732 Michal Soltys reported the following problem and provided an initial
1733 patch: when socat was interrupted, e.g. by SIGSTOP, and resumed during
1734 data transfer only parts of the data might have been written.
1736 Option o-nonblock in combination with large transfer block sizes
1737 may result in partial writes and/or EAGAIN errors that were not handled
1738 properly but resulted in data loss or process termination.
1740 Fixed a bug that could freeze socat when during assembly of a log
1741 message a signal was handled that also printed a log message. socat
1742 development had been aware that localtime() is not thread safe but had
1743 only expected broken messages, not corrupted stack (glibc 2.11.1,
1744 Ubuntu 10.4)
1746 an internal store for child pids was susceptible to pid reuse which
1747 could lead to sporadic data loss when both fork option and exec address
1748 were used. Thanks to Tetsuya Sodo for reporting this problem and
1749 sending a patch
1751 OpenSSL server failed with "no shared cipher" when using cipher aNULL.
1752 Fixed by providing temporary DH parameters. Thanks to Philip Rowlands
1753 for drawing my attention to this issue.
1755 UDP-LISTEN slept 1s after accepting a connection. This is not required.
1756 Thanks to Peter Valdemar Morch for reporting this issue
1758 fixed a bug that could lead to error or socat crash after a client
1759 connection with option retry had been established
1761 fixed configure.in bug on net/if.h check that caused IF_NAMESIZE to be
1762 undefined
1764 improved dev_t print format definition
1766 porting:
1767 Cedril Priscal ported socat to Android (using Googles cross compiler).
1768 The port includes the socat_buildscript_for_android.sh script
1770 added check for component ipi_spec_dst in struct in_pktinfo so
1771 compilation does not fail on Cygwin (thanks to Peter Wagemans for
1772 reporting this problem)
1774 build failed on RHEL6 due to presence of fips.h; configure now checks
1775 for fipsld too. Thanks to Andreas Gruenbacher for reporting this
1776 problem
1778 check for netinet6/in6.h only when IPv6 is available and enabled
1780 don't fail to compile when the following defines are missing:
1781 IPV6_PKTINFO IPV6_RTHDR IPV6_DSTOPTS IPV6_HOPOPTS IPV6_HOPLIMIT
1782 Thanks to Jerry Jacobs for reporting this problem (Mac OS X Lion 10.7)
1784 check if define __APPLE_USE_RFC_2292 helps to enable IPV6_* (MacOSX
1785 Lion 7.1); thanks to Jerry Jacobs to reporting this problem and
1786 proposing a solution
1788 fixed compiler warnings on Mac OS X 64bit. Thanks to Guy Harris for
1789 providing the patch.
1791 corrections for OpenEmbedded, especially termios SHIFT values and
1792 ISPEED/OSPEED. Thanks to John Faith for providing the patch
1794 minor corrections to docu and test.sh resulting from local compilation
1795 on Openmoko SHR
1797 fixed sa_family_t compile error on DragonFly. Thanks to Tony Young for
1798 reporting this issue and sending a patch.
1800 Ubuntu Oneiric: OpenSSL no longer provides SSLv2 functions; libutil.sh
1801 is now bsd/libutil.h; compiler warns on vars that is only written to
1803 new features:
1804 added option max-children that limits the number of concurrent child
1805 processes. Thanks to Sam Liddicott for providing the patch.
1807 Till Maas added support for tun/tap addresses without IP address
1809 added an option openssl-compress that allows to disable the compression
1810 feature of newer OpenSSL versions. Thanks to Michael Hanselmann for
1811 providing this contribution (sponsored by Google Inc.)
1813 docu:
1814 minor corrections in docu (thanks to Paggas)
1816 client process -> child process
1818 ####################### V 1.7.1.3:
1820 security:
1821 Socat security advisory 2
1822 CVE-2010-2799:
1823 fixed a stack overflow vulnerability that occurred when command
1824 line arguments (whole addresses, host names, file names) were longer
1825 than 512 bytes.
1826 Note that this could only be exploited when an attacker was able to
1827 inject data into socat's command line.
1828 Full credits to Felix Gröbert, Google Security Team, for finding and
1829 reporting this issue
1831 ####################### V 1.7.1.2:
1833 corrections:
1834 user-late and group-late, when applied to a pty, affected the system
1835 device /dev/ptmx instead of the pty (thanks to Matthew Cloke for
1836 pointing me to this bug)
1838 socats openssl addresses failed with "nonblocking operation did not
1839 complete" when the peer performed a renegotiation. Thanks to Benjamin
1840 Delpy for reporting this bug.
1842 info message during socks connect showed bad port number on little
1843 endian systems due to wrong byte order (thanks to Peter M. Galbavy for
1844 bug report and patch)
1846 Debian bug 531078: socat execs children with SIGCHLD ignored; corrected
1847 to default. Thanks to Martin Dorey for reporting this bug.
1849 porting:
1850 building socat on systems that predefined the CFLAGS environment to
1851 contain -Wall failed (esp.RedHat). Thanks to Paul Wouters for reporting
1852 this problem and to Simon Matter for providing the patch
1854 support for Solaris 8 and Sun Studio support (thanks to Sebastian
1855 Kayser for providing the patches)
1857 on some 64bit systems a compiler warning "cast from pointer to integer
1858 of different size" was issued on some option definitions
1860 added struct sockaddr_ll to union sockaddr_union to avoid "strict
1861 aliasing" warnings (problem reported by Paul Wouters)
1863 docu:
1864 minor corrections in docu
1866 ####################### V 1.7.1.1:
1868 corrections:
1869 corrected the "fixed possible SIGSEGV" fix because SIGSEGV still might
1870 occur under those conditions. Thanks to Toni Mattila for first
1871 reporting this problem.
1873 ftruncate64 cut its argument to 32 bits on systems with 32 bit long type
1875 socat crashed on systems without setenv() (esp. SunOS up to Solaris 9);
1876 thanks to Todd Stansell for reporting this bug
1878 with unidirectional EXEC and SYSTEM a close() operation was performed
1879 on a random number which could result in hanging e.a.
1881 fixed a compile problem caused by size_t/socklen_t mismatch on 64bit
1882 systems
1884 docu mentioned option so-bindtodev but correct name is so-bindtodevice.
1885 Thanks to Jim Zimmerman for reporting.
1887 docu changes:
1888 added environment variables example to doc/socat-multicast.html
1890 ####################### V 1.7.1.0:
1892 new features:
1893 address options shut-none, shut-down, and shut-close allow to control
1894 socat's half close behaviour
1896 with address option shut-null socat sends an empty packet to the peer
1897 to indicate EOF
1899 option null-eof changes the behaviour of sockets that receive an empty
1900 packet to see EOF instead of ignoring it
1902 introduced option names substuser-early and su-e, currently equivalent
1903 to option substuser (thanks to Mike Perry for providing the patch)
1905 corrections:
1906 fixed some typos and improved some comments
1908 ####################### V 1.7.0.1:
1910 corrections:
1911 fixed possible SIGSEGV in listening addresses when a new connection was
1912 reset by peer before the socket addresses could be retrieved. Thanks to
1913 Mike Perry for sending a patch.
1915 fixed a bug, introduced with version 1.7.0.0, that let client
1916 connections with option connect-timeout fail when the connections
1917 succeeded. Thanks to Bruno De Fraine for reporting this bug.
1919 option end-close "did not apply" to addresses PTY, SOCKET-CONNECT,
1920 and most UNIX-* and ABSTRACT-*
1922 half close of EXEC and SYSTEM addresses did not work for pipes and
1923 sometimes socketpair
1925 help displayed for some option a wrong type
1927 under some circumstances shutdown was called multiple times for the
1928 same fd
1930 ####################### V 1.7.0.0:
1932 new features:
1933 new address types SCTP-CONNECT and SCTP-LISTEN implement SCTP stream
1934 mode for IPv4 and IPv6; new address options sctp-maxseg and
1935 sctp-nodelay (suggested by David A. Madore; thanks to Jonathan Brannan
1936 for providing an initial patch)
1938 new address "INTERFACE" for transparent network interface handling
1939 (suggested by Stuart Nicholson)
1941 added generic socket addresses: SOCKET-CONNECT, SOCKET-LISTEN,
1942 SOCKET-SENDTO, SOCKET-RECVFROM, SOCKET-RECV, SOCKET-DATAGRAM allow
1943 protocol independent socket handling; all parameters are explicitely
1944 specified as numbers or hex data
1946 added address options ioctl-void, ioctl-int, ioctl-intp, ioctl-string,
1947 ioctl-bin for generic ioctl() calls.
1949 added address options setsockopt-int, setsockopt-bin, and
1950 setsockopt-string for generic setsockopt() calls
1952 option so-type now only affects the socket() and socketpair() calls,
1953 not the name resolution. so-type and so-prototype can now be applied to
1954 all socket based addresses.
1956 new address option "escape" allows to break a socat instance even when
1957 raw terminal mode prevents ^C etc. (feature suggested by Guido Trotter)
1959 socat sets environment variables SOCAT_VERSION, SOCAT_PID, SOCAT_PPID
1960 for use in executed scripts
1962 socat sets environment variables SOCAT_SOCKADDR, SOCAT_SOCKPORT,
1963 SOCAT_PEERADDR, SOCAT_PEERPORT in LISTEN type addresses (feature
1964 suggested by Ed Sawicki)
1966 socat receives all ancillary messages with each received packet on
1967 datagram related addresses. The messages are logged in raw form with
1968 debug level, and broken down with info level. note: each type of
1969 ancillary message must be enabled by appropriate address options.
1971 socat provides the contents of ancillary messages received on RECVFROM
1972 addresses in appropriate environment variables:
1973 SOCAT_TIMESTAMP, SOCAT_IP_DSTADDR, SOCAT_IP_IF, SOCAT_IP_LOCADDR,
1974 SOCAT_IP_OPTIONS, SOCAT_IP_TOS, SOCAT_IP_TTL, SOCAT_IPV6_DSTADDR,
1975 SOCAT_IPV6_HOPLIMIT, SOCAT_IPV6_TCLASS
1977 the following address options were added to enable ancillary messages:
1978 so-timestamp, ip-pktinfo (not BSD), ip-recvdstaddr (BSD), ip-recverr,
1979 ip-recvif (BSD), ip-recvopts, ip-recvtos, ip-recvttl, ipv6-recvdstopts,
1980 ipv6-recverr, ipv6-recvhoplimit, ipv6-recvhopopts, ipv6-recvpathmtu,
1981 ipv6-recvpktinfo, ipv6-recvrthdr, ipv6-recvtclass
1983 new address options ipv6-tclass and ipv6-unicast-hops set the related
1984 socket options.
1986 STREAMS (UNIX System V STREAMS) can be configured with the new address
1987 options i-pop-all and i-push (thanks to Michal Rysavy for providing a
1988 patch)
1990 corrections:
1991 some raw IP and UNIX datagram modes failed on BSD systems
1993 when UDP-LISTEN continued to listen after packet dropped by, e.g.,
1994 range option, the old listen socket would not be closed but a new one
1995 created. open sockets could accumulate.
1997 there was a bug in ip*-recv with bind option: it did not bind, and
1998 with the first received packet an error occurred:
1999 socket_init(): unknown address family 0
2000 test: RAWIP4RECVBIND
2002 RECVFROM addresses with FORK option hung after processing the first
2003 packet. test: UDP4RECVFROM_FORK
2005 corrected a few mistakes that caused compiler warnings on 64bit hosts
2006 (thanks to Jonathan Brannan e.a. for providing a patch)
2008 EXEC and SYSTEM with stderr injected socat messages into the data
2009 stream. test: EXECSTDERRLOG
2011 when the EXEC address got a string with consecutive spaces it created
2012 additional empty arguments (thanks to Olivier Hervieu for reporting
2013 this bug). test: EXECSPACES
2015 in ignoreeof polling mode socat also blocked data transfer in the other
2016 direction during the 1s wait intervalls (thanks to Jorgen Cederlof for
2017 reporting this bug)
2019 corrected alphabetical order of options (proxy-auth)
2021 some minor corrections
2023 improved test.sh script: more stable timing, corrections for BSD
2025 replaced the select() calls by poll() to cleanly fix the problems with
2026 many file descriptors already open
2028 socat option -lf did not log to file but to stderr
2030 socat did not compile on Solaris when configured without termios
2031 feature (thanks to Pavan Gadi for reporting this bug)
2033 porting:
2034 socat compiles and runs on AIX with gcc (thanks to Andi Mather for his
2035 help)
2037 socat compiles and runs on Cygwin (thanks to Jan Just Keijser for his
2038 help)
2040 socat compiles and runs on HP-UX with gcc (thanks to Michal Rysavy for
2041 his help)
2043 socat compiles and runs on MacOS X (thanks to Camillo Lugaresi for his
2044 help)
2046 further changes:
2047 filan -s prefixes output with FD number if more than one FD
2049 Makefile now supports datarootdir (thanks to Camillo Lugaresi for
2050 providing the patch)
2052 cleanup in xio-unix.c
2054 ####################### V 1.6.0.1:
2056 new features:
2057 new make target "gitclean"
2059 docu source doc/socat.yo released
2061 corrections:
2062 exec:...,pty did not kill child process under some circumstances; fixed
2063 by correcting typo in xio-progcall.c (thanks to Ralph Forsythe for
2064 reporting this problem)
2066 service name resolution failed due to byte order mistake
2067 (thanks to James Sainsbury for reporting this problem)
2069 socat would hang when invoked with many file descriptors already opened
2070 fix: replaced FOPEN_MAX with FD_SETSIZE
2071 thanks to Daniel Lucq for reporting this problem.
2073 fixed bugs where sub processes would become zombies because the master
2074 process did not catch SIGCHLD. this affected addresses UDP-LISTEN,
2075 UDP-CONNECT, TCP-CONNECT, OPENSSL, PROXY, UNIX-CONNECT, UNIX-CLIENT,
2076 ABSTRACT-CONNECT, ABSTRACT-CLIENT, SOCKSA, SOCKS4A
2077 (thanks to Fernanda G Weiden for reporting this problem)
2079 fixed a bug where sub processes would become zombies because the master
2080 process caught SIGCHLD but did not wait(). this affected addresses
2081 UDP-RECVFROM, IP-RECVFROM, UNIX-RECVFROM, ABSTRACT-RECVFROM
2082 (thanks to Evan Borgstrom for reporting this problem)
2084 corrected option handling with STDIO; usecase: cool-write
2086 configure --disable-pty also disabled option waitlock
2088 fixed small bugs on systems with struct ip_mreq without struct ip_mreqn
2089 (thanks to Roland Illig for sending a patch)
2091 corrected name of option intervall to interval (old form still valid
2092 for us German speaking guys)
2094 corrected some print statements and variable names
2096 make uninstall did not uninstall procan
2098 fixed lots of weaknesses in test.sh
2100 corrected some bugs and typos in doc/socat.yo, EXAMPLES, C comments
2102 further changes:
2103 procan -c prints C defines important for socat
2105 added test OPENSSLEOF for OpenSSL half close
2107 ####################### V 1.6.0.0:
2109 new features:
2110 new addresses IP-DATAGRAM and UDP-DATAGRAM allow versatile broadcast
2111 and multicast modes
2113 new option ip-add-membership for control of multicast group membership
2115 new address TUN for generation of Linux TUN/TAP pseudo network
2116 interfaces (suggested by Mat Caughron); associated options tun-device,
2117 tun-name, tun-type; iff-up, iff-promisc, iff-noarp, iff-no-pi etc.
2119 new addresses ABSTRACT-CONNECT, ABSTRACT-LISTEN, ABSTRACT-SENDTO,
2120 ABSTRACT-RECV, and ABSTRACT-RECVFROM for abstract UNIX domain addresses
2121 on Linux (requested by Zeeshan Ali); option unix-tightsocklen controls
2122 socklen parameter on system calls.
2124 option end-close for control of connection closing allows FD sharing
2125 by sub processes
2127 range option supports form address:mask with IPv4
2129 changed behaviour of OPENSSL-LISTEN to require and verify client
2130 certificate per default
2132 options f-setlkw-rd, f-setlkw-wr, f-setlk-rd, f-setlk-wr allow finer
2133 grained locking on regular files
2135 uninstall target in Makefile (lack reported by Zeeshan Ali)
2137 corrections:
2138 fixed bug where only first tcpwrap option was applied; fixed bug where
2139 tcpwrap IPv6 check always failed (thanks to Rudolf Cejka for reporting
2140 and fixing this bug)
2142 filan (and socat -D) could hang when a socket was involved
2144 corrected PTYs on HP-UX (and maybe others) using STREAMS (inspired by
2145 Roberto Mackun)
2147 correct bind with udp6-listen (thanks to Jan Horak for reporting this
2148 bug)
2150 corrected filan.c peekbuff[0] which did not compile with Sun Studio Pro
2151 (thanks to Leo Zhadanovsky for reporting this problem)
2153 corrected problem with read data buffered in OpenSSL layer (thanks to
2154 Jon Nelson for reporting this bug)
2156 corrected problem with option readbytes when input stream stayed idle
2157 after so many bytes
2159 fixed a bug where a datagram receiver with option fork could fork two
2160 sub processes per packet
2162 further changes:
2163 moved documentation to new doc/ subdir
2165 new documents (kind of mini tutorials) are provided in doc/
2167 ####################### V 1.5.0.0:
2169 new features:
2170 new datagram modes for udp, rawip, unix domain sockets
2172 socat option -T specifies inactivity timeout
2174 rewrote lexical analysis to allow nested socat calls
2176 addresses tcp, udp, tcp-l, udp-l, and rawip now support IPv4 and IPv6
2178 socat options -4, -6 and environment variables SOCAT_DEFAULT_LISTEN_IP,
2179 SOCAT_PREFERRED_RESOLVE_IP for control of protocol selection
2181 addresses ssl, ssl-l, socks, proxy now support IPv4 and IPv6
2183 option protocol-family (pf), esp. for openssl-listen
2185 range option supports IPv6 - syntax: range=[::1/128]
2187 option ipv6-v6only (ipv6only)
2189 new tcp-wrappers options allow-table, deny-table, tcpwrap-etc
2191 FIPS version of OpenSSL can be integrated - initial patch provided by
2192 David Acker. See README.FIPS
2194 support for resolver options res-debug, aaonly, usevc, primary, igntc,
2195 recurse, defnames, stayopen, dnsrch
2197 options for file attributes on advanced filesystems (ext2, ext3,
2198 reiser): secrm, unrm, compr, ext2-sync, immutable, ext2-append, nodump,
2199 ext2-noatime, journal-data etc.
2201 option cool-write controls severeness of write failure (EPIPE,
2202 ECONNRESET)
2204 option o-noatime
2206 socat option -lh for hostname in log output
2208 traffic dumping provides packet headers
2210 configure.in became part of distribution
2212 socats unpack directory now has full version, e.g. socat-1.5.0.0/
2214 corrected docu of option verify
2216 corrections:
2217 fixed tcpwrappers integration - initial fix provided by Rudolf Cejka
2219 exec with pipes,stderr produced error
2221 setuid-early was ignored with many address types
2223 some minor corrections
2225 ####################### V 1.4.3.1:
2227 corrections:
2228 PROBLEM: UNIX socket listen accepted only one (or a few) connections.
2229 FIX: do not remove listening UNIX socket in child process
2231 PROBLEM: SIGSEGV when TCP part of SSL connect failed
2232 FIX: check ssl pointer before calling SSL_shutdown
2234 In debug mode, show connect client port even when connect fails
2236 ####################### V 1.4.3.0:
2238 new features:
2239 socat options -L, -W for application level locking
2241 options "lockfile", "waitlock" for address level locking
2242 (Stefan Luethje)
2244 option "readbytes" limits read length (Adam Osuchowski)
2246 option "retry" for unix-connect, unix-listen, tcp6-listen (Dale Dude)
2248 pty symlink, unix listen socket, and named pipe are per default removed
2249 after use; option unlink-close overrides this new behaviour and also
2250 controls removal of other socat generated files (Stefan Luethje)
2252 corrections:
2253 option "retry" did not work with tcp-listen
2255 EPIPE condition could result in a 100% CPU loop
2257 further changes:
2258 support systems without SHUT_RD etc.
2259 handle more size_t types
2260 try to find makedepend options with gcc 3 (richard/OpenMacNews)
2262 ####################### V 1.4.2.0:
2264 new features:
2265 option "connect-timeout" limits wait time for connect operations
2266 (requested by Giulio Orsero)
2268 option "dhparam" for explicit Diffie-Hellman parameter file
2270 corrections:
2271 support for OpenSSL DSA certificates (Miika Komu)
2273 create install directories before copying files (Miika Komu)
2275 when exiting on signal, return status 128+signum instead of 1
2277 on EPIPE and ECONNRESET, only issue a warning (Santiago Garcia
2278 Mantinan)
2280 -lu could cause a core dump on long messages
2282 further changes:
2283 modifications to simplify using socats features in applications
2285 ####################### V 1.4.1.0:
2287 new features:
2288 option "wait-slave" blocks open of pty master side until a client
2289 connects, "pty-intervall" controls polling
2291 option -h as synonym to -? for help (contributed by Christian
2292 Lademann)
2294 filan prints formatted time stamps and rdev (disable with -r)
2296 redirect filan's output, so stdout is not affected (contributed by
2297 Luigi Iotti)
2299 filan option -L to follow symbolic links
2301 filan shows termios control characters
2303 corrections:
2304 proxy address no longer performs unsolicited retries
2306 filan -f no longer needs read permission to analyze a file (but still
2307 needs access permission to directory, of course)
2309 porting:
2310 Option dsusp
2311 FreeBSD options noopt, nopush, md5sig
2312 OpenBSD options sack-disable, signature-enable
2313 HP-UX, Solaris options abort-threshold, conn-abort-threshold
2314 HP-UX options b900, b3600, b7200
2315 Tru64/OSF1 options keepinit, paws, sackena, tsoptena
2317 further corrections:
2318 address pty now uses ptmx as default if openpty is also available
2320 ####################### V 1.4.0.3:
2322 security:
2323 Socat security advisory 1
2324 CVE-2004-1484:
2325 fix to a syslog() based format string vulnerability that can lead to
2326 remote code execution. See advisory socat-adv-1.txt
2328 ####################### V 1.4.0.2:
2330 corrections:
2331 exec'd write-only addresses get a chance to flush before being killed
2333 error handler: print notice on error-exit
2335 filan printed wrong file type information
2337 ####################### V 1.4.0.1:
2339 corrections:
2340 socks4a constructed invalid header. Problem found, reported, and fixed
2341 by Thomas Themel, by Peter Palfrader, and by rik
2343 with nofork, don't forget to apply some process related options
2344 (chroot, setsid, setpgid, ...)
2346 ####################### V 1.4.0.0:
2348 new features:
2349 simple openssl server (ssl-l), experimental openssl trust
2351 new options "cafile", "capath", "key", "cert", "egd", and "pseudo" for
2352 openssl
2354 new options "retry", "forever", and "intervall"
2356 option "fork" for address TCP improves `gender changer´
2358 options "sigint", "sigquit", and "sighup" control passing of signals to
2359 sub process (thanks to David Shea who contributed to this issue)
2361 readline takes respect to the prompt issued by the peer address
2363 options "prompt" and "noprompt" allow to override readline's new
2364 default behaviour
2366 readline supports invisible password with option "noecho"
2368 socat option -lp allows to set hostname in log output
2370 socat option -lu turns on microsecond resolution in log output
2373 corrections:
2374 before reading available data, check if writing on other channel is
2375 possible
2377 tcp6, udp6: support hostname specification (not only IP address), and
2378 map IP4 names to IP6 addresses
2380 openssl client checks server certificate per default
2382 support unidirectional communication with exec/system subprocess
2384 try to restore original terminal settings when terminating
2386 test.sh uses tmp dir /tmp/$USER/$$ instead of /tmp/$$
2388 socks4 failed on platforms where long does not have 32 bits
2389 (thanks to Peter Palfrader and Thomas Seyrat)
2391 hstrerror substitute wrote wrong messages (HP-UX, Solaris)
2393 proxy error message was truncated when answer contained multiple spaces
2396 porting:
2397 compiles with AIX xlc, HP-UX cc, Tru64 cc (but might not link)
2399 ####################### V 1.3.2.2:
2401 corrections:
2402 PROXY CONNECT failed when the status reply from the proxy server
2403 contained more than one consecutive spaces. Problem reported by
2404 Alexandre Bezroutchko
2406 do not SIGSEGV when proxy address fails to resolve server name
2408 udp-listen failed on systems where AF_INET != SOCK_DGRAM (e.g. SunOS).
2409 Problem reported by Christoph Schittel
2411 test.sh only tests available features
2413 added missing IP and TCP options in filan analyzer
2415 do not apply stdio address options to both directions when in
2416 unidirectional mode
2418 on systems lacking /dev/*random and egd, provide (weak) entropy from
2419 libc random()
2422 porting:
2423 changes for HP-UX (VREPRINT, h_NETDB_INTERNAL)
2425 compiles on True64, FreeBSD (again), NetBSD, OpenBSD
2427 support for long long as st_ino type (Cygwin 1.5)
2429 compile on systems where pty can not be featured
2431 ####################### V 1.3.2.1:
2433 corrections:
2434 "final" solution for the ENOCHLD problem
2436 corrected "make strip"
2438 default gcc debug/opt is "-O" again
2440 check for /proc at runtime, even if configure found it
2442 src.rpm accidently supported SuSE instead of RedHat
2444 ####################### V 1.3.2.0:
2446 new features:
2447 option "nofork" connects an exec'd script or program directly
2448 to the file descriptors of the other address, circumventing the socat
2449 transfer engine
2451 support for files >2GB, using ftruncate64(), lseek64(), stat64()
2453 filan has new "simple" output style (filan -s)
2456 porting:
2457 options "binary" and "text" for controlling line termination on Cygwin
2458 file system access (hint from Yang Wu-Zhou)
2460 fix by Yang Wu-Zhou for the Cygwin "No Children" problem
2462 improved support for OSR: _SVID3; no IS_SOCK, no F_GETOWN (thanks to
2463 John DuBois)
2465 minor corrections to avoid warnings with gcc 3
2468 further corrections and minor improvements:
2469 configure script is generated with autoconf 2.57 (no longer 2.52)
2471 configure passes CFLAGS to Makefile
2473 option -??? for complete list of address options and their short forms
2475 program name in syslog messages is derived from argv[0]
2477 SIGHUP now prints notice instead of error
2479 EIO during read of pty now gives Notice instead of Error, and
2480 triggers EOF
2482 use of hstrerror() for printing resolver error messages
2484 setgrent() got required endgrent()
2486 ####################### V 1.3.1.0:
2488 new features:
2489 integration of Wietse Venema's tcpwrapper library (libwrap)
2491 with "proxy" address, option "resolve" controls if hostname or IP
2492 address is sent in request
2494 option "lowport" establishes limited authorization for TCP and UDP
2495 connections
2497 improvement of .spec file for RPM creation (thanks to Gerd v. Egidy)
2498 An accompanying change in the numbering scheme results in an
2499 incompatibility with earlier socat RPMs!
2502 solved problems and bugs:
2503 PROBLEM: socat daemon terminated when the address of a connecting
2504 client did not match range option value instead of continue listening
2505 SOLVED: in this case, print warning instead of error to keep daemon
2506 active
2508 PROBLEM: tcp-listen with fork sometimes left excessive number of zombie
2509 processes
2510 SOLVED: dont assume that each exiting child process generates SIGCHLD
2512 when converting CRNL to CR, socat converted to NL
2515 further corrections:
2516 configure script now disables features that depend on missing files
2517 making it more robust in "unsupported" environments
2519 server.pem permissions corrected to 600
2521 "make install" now does not strip; use "make strip; make install"
2522 if you like strip (suggested by Peter Bray)
2524 ####################### V 1.3.0.1:
2526 solved problems and bugs:
2527 PROBLEM: OPENSSL did not apply tcp, ip, and socket options
2528 SOLVED: OPENSSL now correctly handles the options list
2530 PROBLEM: CRNL to NL and CRNL to CR conversions failed when CRNL crossed
2531 block boundary
2532 SOLVED: these conversions now simply strip all CR's or NL's from input
2533 stream
2536 porting:
2537 SunOS ptys now work on x86, too (thanks to Peter Bray)
2539 configure looks for freeware libs in /pkgs/lib/ (thanks to Peter Bray)
2542 further corrections:
2543 added WITH_PROXY value to -V output
2545 added compile dependencies of WITH_PTY and WITH_PROXY
2547 -?? did not print option group of proxy options
2549 corrected syntax for bind option in docu
2551 corrected an issue with stdio in unidirectional mode
2553 options socksport and proxyport support service names
2555 ftp.sh script supports proxy address
2557 man page no longer installed with execute permissions (thanks to Peter
2558 Bray)
2560 fixed a malloc call bug that could cause SIGSEGV or false "out of
2561 memory" errors on EXEC and SYSTEM, depending on program name length and
2562 libc.
2564 ####################### V 1.3.0.0:
2566 new features:
2567 proxy connect with optional proxy authentication
2569 combined hex and text dump mode, credits to Gregory Margo
2571 address pty applies options user, group, and perm to device
2574 solved problems and bugs:
2575 PROBLEM: option reuseport was not applied (BSD, AIX)
2576 SOLVED: option reuseport now in phase PASTSOCKET instead of PREBIND,
2577 credits to Jean-Baptiste Marchand
2579 PROBLEM: ignoreeof with stdio was ignored
2580 SOLVED: ignoreeof now works correctly with address stdio
2582 PROBLEM: ftp.sh did not use user supplied password
2583 SOLVED: ftp.sh now correctly passes password from command line
2585 PROBLEM: server.pem had expired
2586 SOLVED: new server.pem valid for ten years
2588 PROBLEM: socks notice printed wrong port on some platforms
2589 SOLVED: socks now uses correct byte-order for port number in notice
2592 further corrections:
2593 option name o_trunc corrected to o-trunc
2595 combined use of -u and -U is now detected and prevented
2597 made message system a little more robust against format string attacks
2600 ####################### V 1.2.0.0:
2602 new features:
2603 address pty for putting socat behind a new pseudo terminal that may
2604 fake a serial line, modem etc.
2606 experimental openssl integration
2607 (it does not provide any trust between the peers because is does not
2608 check certificates!)
2610 options flock-ex, flock-ex-nb, flock-sh, flock-sh-nb to control all
2611 locking mechanism provided by flock()
2613 options setsid and setpgid now available with all address types
2615 option ctty (controlling terminal) now available for all TERMIOS
2616 addresses
2618 option truncate (a hybrid of open(.., O_TRUNC) and ftruncate()) is
2619 replaced by options o-trunc and ftruncate=offset
2621 option sourceport now available with TCP and UDP listen addresses to
2622 restrict incoming client connections
2624 unidirectional mode right-to-left (-U)
2627 solved problems and bugs:
2628 PROBLEM: addresses without required parameters but an option containing
2629 a '/' were incorrectly interpreted as implicit GOPEN address
2630 SOLVED: if an address does not have ':' separator but contains '/',
2631 check if the slash is before the first ',' before assuming
2632 implicit GOPEN.
2635 porting:
2636 ptys under SunOS work now due to use of stream options
2639 further corrections:
2640 with -d -d -d -d -D, don't print debug info during file analysis
2643 ####################### V 1.1.0.1:
2645 new features:
2646 .spec file for RPM generation
2649 solved problems and bugs:
2650 PROBLEM: GOPEN on socket did not apply option unlink-late
2651 SOLUTION: GOPEN for socket now applies group NAMED, phase PASTOPEN
2652 options
2654 PROBLEM: with unidirectional mode, an unnecessary close timeout was
2655 applied
2656 SOLUTION: in unidirectional mode, terminate without wait time
2658 PROBLEM: using GOPEN on a unix domain socket failed for datagram
2659 sockets
2660 SOLUTION: when connect() fails with EPROTOTYPE, use a datagram socket
2663 further corrections:
2665 open() flag options had names starting with "o_", now corrected to "o-"
2667 in docu, *-listen addresses were called *_listen
2669 address unix now called unix-connect because it does not handle unix
2670 datagram sockets
2672 in test.sh, apply global command line options with all tests
2675 ####################### V 1.1.0.0:
2677 new features:
2678 regular man page and html doc - thanks to kromJx for prototype
2680 new address type "readline", utilizing GNU readline and history libs
2682 address option "history-file" for readline
2684 new option "dash" to "exec" address that allows to start login shells
2686 syslog facility can be set per command line option
2688 new address option "tcp-quickack", found in Linux 2.4
2690 option -g prevents option group checking
2692 filan and procan can print usage
2694 procan prints rlimit infos
2697 solved problems and bugs:
2698 PROBLEM: raw IP socket SIGSEGV'ed when it had been shut down.
2699 SOLVED: set eof flag of channel on shutdown.
2701 PROBLEM: if channel 2 uses a single non-socket FD in bidirectional mode
2702 and has data available while channel 1 reaches EOF, the data is
2703 lost.
2704 SOLVED: during one loop run, first handle all data transfers and
2705 _afterwards_ handle EOF.
2707 PROBLEM: despite to option NONBLOCK, the connect() call blocked
2708 SOLVED: option NONBLOCK is now applied in phase FD instead of LATE
2710 PROBLEM: UNLINK options issued error when file did not exist,
2711 terminating socat
2712 SOLVED: failure of unlink() is only warning if errno==ENOENT
2714 PROBLEM: TCP6-LISTEN required numeric port specification
2715 SOLVED: now uses common TCP service resolver
2717 PROBLEM: with PIPE, wrong FDs were shown for data transfer loop
2718 SOLVED: retrieval of FDs now pays respect to PIPE pecularities
2720 PROBLEM: using address EXEC against an address with IGNOREEOF, socat
2721 never terminated
2722 SOLVED: corrected EOF handling of sigchld
2725 porting:
2726 MacOS and old AIX versions now have pty
2728 flock() now available on Linux (configure check was wrong)
2730 named pipe were generated using mknod(), which requires root under BSD
2731 now they are generated using mkfifo
2734 further corrections:
2735 lots of address options that were "forgotten" at runtime are now
2736 available
2738 option BINDTODEVICE now also called SO-BINDTODEVICE, IF
2740 "make install" now installs binaries with ownership 0:0
2743 ####################### V 1.0.4.2:
2745 solved problems and bugs:
2746 PROBLEM: EOF of one stream caused close of other stream, giving it no
2747 chance to go down regularly
2748 SOLVED: EOF of one stream now causes shutdown of write part of other
2749 stream
2751 PROBLEM: sending mail via socks address to qmail showed that crlf
2752 option does not work
2753 SOLVED: socks address applies PH_LATE options
2755 PROBLEM: in debug mode, no info about socat and platform was issued
2756 SOLVED: print socat version and uname output in debug mode
2758 PROBLEM: invoking socat with -t and no following parameters caused
2759 SIGSEGV
2760 SOLVED: -t and -b now check next argv entry
2762 PROBLEM: when opening of logfile (-lf) failed, no error was reported
2763 and no further messages were printed
2764 SOLVED: check result of fopen and print error message if it failed
2766 new features:
2767 address type UDP-LISTEN now supports option fork: it internally applies
2768 socket option SO_REUSEADDR so a new UDP socket can bind to port after
2769 `accepting´ a connection (child processes might live forever though)
2770 (suggestion from Damjan Lango)
2773 ####################### V 1.0.4.1:
2775 solved problems and bugs:
2776 PROB: assert in libc caused an endless recursion
2777 SOLVED: no longer catch SIGABRT
2779 PROB: socat printed wrong verbose prefix for "right to left" packets
2780 SOLVED: new parameter for xiotransfer() passes correct prefix
2782 new features:
2783 in debug mode, socat prints its command line arguments
2784 in verbose mode, escape special characters and replace unprintables
2785 with '.'. Patch from Adrian Thurston.
2788 ####################### V 1.0.4.0:
2790 solved problems and bugs:
2791 Debug output for lstat and fstat said "stat"
2793 further corrections:
2794 FreeBSD now includes libutil.h
2796 new features:
2797 option setsid with exec/pty
2798 option setpgid with exec/pty
2799 option ctty with exec/pty
2800 TCP V6 connect test
2801 gettimeofday in sycls.c (no use yet)
2803 porting:
2804 before Gethostbyname, invoke inet_aton for MacOSX
2807 ####################### V 1.0.3.0:
2809 solved problems and bugs:
2811 PROB: test 9 of test.sh (echo via file) failed on some platforms,
2812 socat exited without error message
2813 SOLVED: _xioopen_named_early(): preset statbuf.st_mode with 0
2815 PROB: test 17 hung forever
2816 REASON: child death before select loop did not result in EOF
2817 SOLVED: check of existence of children before starting select loop
2819 PROB: test 17 failed
2820 REASON: child dead triggered EOF before last data was read
2821 SOLVED: after child death, read last data before setting EOF
2823 PROB: filan showed that exec processes incorrectly had fd3 open
2824 REASON: inherited open fd3 from main process
2825 SOLVED: set CLOEXEC flag on pty fd in main process
2827 PROB: help printed "undef" instead of group "FORK"
2828 SOLVED: added "FORK" to group name array
2830 PROB: fatal messages did not include severity classifier
2831 SOLVED: added "F" to severity classifier array
2833 PROB: IP6 addresses where printed incorrectly
2834 SOLVED: removed type casts to unsigned short *
2836 further corrections:
2837 socat catches illegal -l modes
2838 corrected error message on setsockopt(linger)
2839 option tabdly is of type uint
2840 correction for UDP over IP6
2841 more cpp conditionals, esp. for IP6 situations
2842 better handling of group NAMED options with listening UNIX sockets
2843 applyopts2 now includes last given phase
2844 corrected option group handling for most address types
2845 introduce dropping of unappliable options (dropopts, dropopts2)
2846 gopen now accepts socket and unix-socket options
2847 exec and system now accept all socket and termios options
2848 child process for exec and system addresses with option pty
2849 improved descriptions and options for EXAMPLES
2850 printf format for file mode changed to "0%03o" with length spec.
2851 added va_end() in branch of msg()
2852 changed phase of lock options from PASTOPEN to FD
2853 support up to four early dying processes
2855 structural changes:
2856 xiosysincludes now includes sysincludes.h for non xio files
2858 new features:
2859 option umask
2860 CHANGES file
2861 TYPE_DOUBLE, u_double
2862 OFUNC_OFFSET
2863 added getsid(), setsid(), send() to sycls
2864 procan prints sid (session id)
2865 mail.sh gets -f (from) option
2866 new EXAMPLEs for file creation
2867 gatherinfo.sh now tells about failures
2868 test.sh can check for much more address/option combinations
2870 porting:
2871 ispeed, ospeed for termios on FreeBSD
2872 getpgid() conditional for MacOS 10
2873 added ranlib in Makefile.in for MacOS 10
2874 disable pty option if no pty mechanism is available (MacOS 10)
2875 now compiles and runs on MacOS 10 (still some tests fail)
2876 setgroups() conditional for cygwin
2877 sighandler_t defined conditionally
2878 use gcc option -D_GNU_SOURCE