socat security advisory 8: stack overflow in nestlex()

2025-07-29 21:52:58 +00:00 · 2016-01-26 19:08:18 +01:00 · 2016-01-26 19:08:18 +01:00 · 226c555edb
commit 226c555edb
parent eab3c89f2d
4 changed files with 92 additions and 10 deletions
--- a/test.sh
+++ b/test.sh
@ -10989,6 +10989,42 @@ esac
 PORT=$((PORT+1))
 N=$((N+1))

+# socat up to 1.7.3.0 had a stack overflow vulnerability that occurred when
+# command line arguments (whole addresses, host names, file names) were longer
+# than 512 bytes and specially crafted.
+NAME=NESTEDOVFL
+case "$TESTS" in
+*%$N%*|*%functions%*|*%bugs%*|*%security%*|*%exec%*|*%$NAME%*)
+TEST="$NAME: stack overflow on overly long nested arg"
+# provide a long host name to TCP-CONNECT and check socats exit code
+if ! eval $NUMCOND; then :; else
+tf="$td/test$N.stdout"
+te="$td/test$N.stderr"
+tdiff="$td/test$N.diff"
+da="test$N $(date) $RANDOM"
+# prepare long data - perl might not be installed
+rm -f "$td/test$N.dat"
+i=0; while [ $i -lt 64 ]; do  echo -n "AAAAAAAAAAAAAAAA" >>"$td/test$N.dat"; i=$((i+1)); done
+CMD0="$TRACE $SOCAT $opts EXEC:[$(cat "$td/test$N.dat")] STDIO"
+printf "test $F_n $TEST... " $N
+$CMD0 </dev/null 1>&0 2>"${te}0"
+rc0=$?
+if [ $rc0 -lt 128 ] || [ $rc0 -eq 255 ]; then
+    $PRINTF "$OK\n"
+    numOK=$((numOK+1))
+else
+    $PRINTF "$FAILED\n"
+    echo "$CMD0"
+    cat "${te}0"
+    numFAIL=$((numFAIL+1))
+    listFAIL="$listFAIL $N"
+fi
+fi # NUMCOND
+ ;;
+esac
+PORT=$((PORT+1))
+N=$((N+1))
+

 # test for a bug in gopen that lead to crash or warning when opening a unix
 # domain socket with GOPEN