diff --git a/CHANGES b/CHANGES index 3330212..f1583cf 100644 --- a/CHANGES +++ b/CHANGES @@ -30,6 +30,10 @@ corrections: endian systems due to wrong byte order (thanks to Peter M. Galbavy for bug report and patch) + fixed a bug where socat might crash when connecting to a unix domain + socket using address GOPEN. Thanks to Martin Forssen for bug report and + patch. + docu mentions option so-bindtodev but correct name is so-bindtodevice. Thanks to Jim Zimmerman for reporting. diff --git a/test.sh b/test.sh index 8ffca4f..12f0f1c 100755 --- a/test.sh +++ b/test.sh @@ -10697,6 +10697,64 @@ PORT=$((PORT+1)) N=$((N+1)) +# test for a bug in gopen that lead to crash or warning when opening a unix +# domain socket with GOPEN +NAME=GOPEN_UNIX_CRASH +case "$TESTS" in +*%functions%*|*%bugs%*|*%gopen%*|*%unix%*|*%socket%*|*%$NAME%*) +TEST="$NAME: check crash when connecting to a unix domain socket using address GOPEN" +# a unix domain server is started in background. the check process connects to +# its socket. when this process crashes or issues a warning the bug is present. +# please note that a clean behaviour does not proof anything; behaviour of bug +# depends on the value of an uninitialized var +#set -vx +if ! eval $NUMCOND; then :; else +tf="$td/test$N.stdout" +te="$td/test$N.stderr" +ts="$td/test$N.sock" +tdiff="$td/test$N.diff" +da="test$N $(date) $RANDOM" +CMD0="$SOCAT $opts UNIX-LISTEN:$ts PIPE" +CMD1="$SOCAT $opts -d - GOPEN:$ts" +printf "test $F_n $TEST... " $N +$CMD0 >/dev/null 2>"${te}0" "${tf}1" 2>"${te}1" +rc1=$? +kill $pid0 2>/dev/null; wait +if [ $rc1 -ne 0 ]; then + $PRINTF "$FAILED\n" + echo "$CMD0 &" + echo "$CMD1" + cat "${te}0" + cat "${te}1" + numFAIL=$((numFAIL+1)) +elif grep -q ' W ' "${te}1"; then + $PRINTF "$FAILED\n" + echo "$CMD0 &" + echo "$CMD1" + cat "${te}0" + cat "${te}1" + numFAIL=$((numFAIL+1)) +elif ! echo "$da" |diff - ${tf}1 >"$tdiff"; then + $PRINTF "$FAILED\n" + echo "$CMD0 &" + echo "$CMD1" + cat "${te}0" + cat "${te}1" + cat "$tdiff" + numFAIL=$((numFAIL+1)) +else + $PRINTF "$OK\n" + numOK=$((numOK+1)) +fi +fi # NUMCOND + ;; +esac +N=$((N+1)) + + # socat up to 1.7.2.0 and 2.0.0-b4 had a bug in xioscan_readline() that could # be exploited # to overflow a heap based buffer (socat security advisory 3) diff --git a/xio-gopen.c b/xio-gopen.c index 62f049b..f44acdc 100644 --- a/xio-gopen.c +++ b/xio-gopen.c @@ -1,5 +1,5 @@ /* source: xio-gopen.c */ -/* Copyright Gerhard Rieger 2001-2008 */ +/* Copyright Gerhard Rieger 2001-2012 */ /* Published under the GNU General Public License V.2, see file COPYING */ /* this file contains the source for opening addresses of generic open type */ @@ -53,7 +53,7 @@ static int xioopen_gopen1(int argc, const char *argv[], struct opt *opts, int xi if (exists && S_ISSOCK(st_mode)) { #if WITH_UNIX union sockaddr_union us; - socklen_t uslen; + socklen_t uslen = sizeof(us); char infobuff[256]; Info1("\"%s\" is a socket, connecting to it", filename);