fixed a bug where socat might crash when connecting to a unix domain socket using address GOPEN

Gerhard Rieger 2012-07-22 15:00:56 +02:00
parent 364edd63df
commit 51d9b5d76a
3 changed files with 64 additions and 2 deletions


@ -30,6 +30,10 @@ corrections:
endian systems due to wrong byte order (thanks to Peter M. Galbavy for endian systems due to wrong byte order (thanks to Peter M. Galbavy for
bug report and patch) bug report and patch)
fixed a bug where socat might crash when connecting to a unix domain
socket using address GOPEN. Thanks to Martin Forssen for bug report and
patch.
docu mentions option so-bindtodev but correct name is so-bindtodevice. docu mentions option so-bindtodev but correct name is so-bindtodevice.
Thanks to Jim Zimmerman for reporting. Thanks to Jim Zimmerman for reporting.
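Review bot: the new CHANGES entry ("fixed a bug where socat might crash when connecting to a unix domain socket using address GOPEN") names the symptom but not the cause. The test added in this same commit states that the behaviour depends on the value of an uninitialized variable and that the bug can also show up as a warning; a few words to that effect here would tell users who saw a warning rather than a crash that this entry covers their case too.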

test.sh

@ -10697,6 +10697,64 @@ PORT=$((PORT+1))
N=$((N+1)) N=$((N+1))
# test for a bug in gopen that lead to crash or warning when opening a unix
# domain socket with GOPEN
NAME=GOPEN_UNIX_CRASH
case "$TESTS" in
*%functions%*|*%bugs%*|*%gopen%*|*%unix%*|*%socket%*|*%$NAME%*)
TEST="$NAME: check crash when connecting to a unix domain socket using address GOPEN"
# a unix domain server is started in background. the check process connects to
# its socket. when this process crashes or issues a warning the bug is present.
# please note that a clean behaviour does not proof anything; behaviour of bug
# depends on the value of an uninitialized var
#set -vx
if ! eval $NUMCOND; then :; else
tf="$td/test$N.stdout"
te="$td/test$N.stderr"
ts="$td/test$N.sock"
tdiff="$td/test$N.diff"
da="test$N $(date) $RANDOM"
CMD0="$SOCAT $opts UNIX-LISTEN:$ts PIPE"
CMD1="$SOCAT $opts -d - GOPEN:$ts"
printf "test $F_n $TEST... " $N
$CMD0 >/dev/null 2>"${te}0" </dev/null &
pid0=$!
waitunixport "$ts" 1
echo "$da" |$CMD1 >"${tf}1" 2>"${te}1"
rc1=$?
kill $pid0 2>/dev/null; wait
if [ $rc1 -ne 0 ]; then
$PRINTF "$FAILED\n"
echo "$CMD0 &"
echo "$CMD1"
cat "${te}0"
cat "${te}1"
numFAIL=$((numFAIL+1))
elif grep -q ' W ' "${te}1"; then
$PRINTF "$FAILED\n"
echo "$CMD0 &"
echo "$CMD1"
cat "${te}0"
cat "${te}1"
numFAIL=$((numFAIL+1))
elif ! echo "$da" |diff - ${tf}1 >"$tdiff"; then
$PRINTF "$FAILED\n"
echo "$CMD0 &"
echo "$CMD1"
cat "${te}0"
cat "${te}1"
cat "$tdiff"
numFAIL=$((numFAIL+1))
else
$PRINTF "$OK\n"
numOK=$((numOK+1))
fi
fi # NUMCOND
;;
esac
N=$((N+1))
# socat up to 1.7.2.0 and 2.0.0-b4 had a bug in xioscan_readline() that could # socat up to 1.7.2.0 and 2.0.0-b4 had a bug in xioscan_readline() that could
# be exploited # be exploited
# to overflow a heap based buffer (socat security advisory 3) # to overflow a heap based buffer (socat security advisory 3)
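Review bot: the GOPEN_UNIX_CRASH case can pass against an unfixed binary, as its own comment admits ("a clean behaviour does not proof anything; behaviour of bug depends on the value of an uninitialized var"), so a green result here should not be read as confirmation of the fix; it would help to say that in the TEST description or next to the `$OK` branch. Smaller points in the same case: `${tf}1` is unquoted in `diff - ${tf}1` while every other use of it is quoted, the three failure branches repeat the same echo/cat lines and could share one block, and the comments should read "led to" and "does not prove".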


@ -1,5 +1,5 @@
/* source: xio-gopen.c */ /* source: xio-gopen.c */
/* Copyright Gerhard Rieger 2001-2008 */ /* Copyright Gerhard Rieger 2001-2012 */
/* Published under the GNU General Public License V.2, see file COPYING */ /* Published under the GNU General Public License V.2, see file COPYING */
/* this file contains the source for opening addresses of generic open type */ /* this file contains the source for opening addresses of generic open type */
@ -53,7 +53,7 @@ static int xioopen_gopen1(int argc, const char *argv[], struct opt *opts, int xi
if (exists && S_ISSOCK(st_mode)) { if (exists && S_ISSOCK(st_mode)) {
#if WITH_UNIX #if WITH_UNIX
union sockaddr_union us; union sockaddr_union us;
socklen_t uslen; socklen_t uslen = sizeof(us);
char infobuff[256]; char infobuff[256];
Info1("\"%s\" is a socket, connecting to it", filename); Info1("\"%s\" is a socket, connecting to it", filename);
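Review bot: the initializer added at `socklen_t uslen = sizeof(us);` carries no comment, and the lines visible in this hunk do not show which later call reads `uslen`. Since the new test in test.sh attributes the crash to an uninitialized variable, a one-line comment on this declaration saying that the length must be valid before it is first used would keep the initializer from being dropped again in a later cleanup. It is also worth confirming that `sizeof(us)`, the size of the whole `union sockaddr_union`, is the length the consuming call expects rather than the size of the unix member alone.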