####################### V 1.7.3.4:

Header of xiotermios_speed() declared parameter unsigned int instead of
speed_t, thus compiling failed on MacOS
Thanks to Joe Strout and others for reporting this bug.
Thanks to Andrew Childs and others for sending a patch.

Under certain circumstances, termios options of the first address were
applied to the second address, resulting in error
"Inappropriate ioctl for device"
This affected version 1.7.3.3 only.
Thanks to Ivan J. for reporting this issue.

Socat failed to compile when no poll() system call was found by
Thanks to Jason White for sending a patch.

Due to use of SSL_CTX_clear_mode() Socat failed to compile on old
systems with, e.g., OpenSSL-0.9.8. Thanks to Simon Matter and Moritz B.
for reporting this problem and sending initial patches.

getaddrinfo() in IP4-SENDTO and IP6-SENDTO addresses failed with
"ai_socktype not supported" when protocol 6 was addressed.
The fix removes the possibility to use service names with SCTP.
Thanks to Sören for sending an initial patch.

Under certain circumstances, Socat printed the "socket ... is at EOF"

Newer parts of test.sh used substitutions ${x,,*} or ${x^^*} that are
not implemented in older bash versions.

####################### V 1.7.3.3:

Makefile.in did not specify dependencies of filan on vsnprintf_r.o
Added definition of FILAN_OBJS
Thanks to Craig Leres, Clayton Shotwell, and Chris Packham for

configure option --enable-msglevel did not work with numbers

The autoconf mechanism for determining SHIFT_OFFSET did not work when
Thanks to Max Freisinger from Gentoo for sending a patch.

Socat still depended on obsolete gethostbyname() function, thus
compiling with MUSL libc failed.
Problem reported by Kennedy33.

The async signal safe diagnostic system used FDs 3 and 4 internally, so
use of appropriate fdin or fdout led to failures.
Problem reported by Onur Sentürk.

The socket based mechanism for passing messages and signal information
from signal handler to process could reach and kill the wrong process.
Introduces functions diag_sock_pair(), diag_fork()
Thanks to Darren Zhao for analysing and reporting this problem.

Option ipv6-join-group did not work because it was applied in the wrong
Test: UDP6MULTICAST_UNIDIR
Thanks to Angus Gratton for sending a patch.

Setting ispeed and ospeed failed for some serial devices because the
two settings were applied with two different get/set cycles. Thanks to
Alexandre Fenyo for providing an initial patch.
However, the actual fix is part of a conceptual change of the termios
module that aims for applying all changes in a single tcsetattr call.
Fixes FreeBSD Bug 198441

Termios options TAB0,TAB1,TAB2,TAB3, and XTABS did not have an effect.
Thanks to Alan Walters for reporting this bug.

Substituted cumbersome ISPEED_OFFSET mechanism for cfsetispeed() calls

With TCP6-LISTEN and the other passive IPv6 addresses the range option
just failed: due to a bug in the syntax parser and two more bugs in
the xiocheckrange_ip6() function.
The syntax has now been changed from "[::1/128]" to "[::1]/128"!
Thanks to Leah Neukirchen for sending an initial fix.

For name resolution Socat only checked the first character of the host
name to decide if it is an IPv4 address. This was not RFC conformant. This
fix removes the possibility for use of IPv4 addresses with IPv6, e.g.
Thanks to Nicolas Fournil for reporting this issue.

Print a useful error message when single character options appear to be
merged in Socat invocation

Fixed some docu typos.
Thanks to Travis Wellman, Thomas <tjps636>, Dan Kenigsberg,
Julian Zinn, and Simon Matter

OpenSSL functions TLS1_client_method() and similar are
deprecated. Socat now uses recommended TLS_client_method(). The old
functions and dependent option openssl-method can still be
used when configuring socat with --enable-openssl-method

Shell scripts in socat distribution are now headed with:
to make them more portable to systems without /bin/bash
Thanks to Maya Rashish for sending a patch

RES_AAONLY, RES_PRIMARY are deprecated. You can still enable them with
configure option --enable-res-deprecated.

New versions of OpenSSL preset SSL_MODE_AUTO_RETRY which may hang socat.
Solution: clear SSL_MODE_AUTO_RETRY when it is set.

Renamed configure.in to configure.ac and set an appropriate symlink for
Related Gentoo bug 426262: Warning on configure.in
Thanks to Francesco Turco for reporting that warning.

Fixed new IPv6 range code for platforms without s6_addr32 component.

test.sh: Show a warning when phase-1 (insecure phase) of a security

OpenSSL tests failed on actual Linux distributions. Measures:
Increased key lengths from 768 to 1024 bits
Added test.sh option -C to delete temp certs from previous runs
Provide DH-parameter in certificate in PEM
OpenSSL s_server option -verify 0 must be omitted
OpenSSL authentication method aNULL no longer works
Failure of cipher aNULL is not a failure
Failure of methods SSL3 and SSL23 is desired

test.sh depended on ifconfig and netstat utilities which are no longer
available in some distributions. test.sh now checks for and prefers
Thanks to Ruediger Meier for reporting this problem.

More corrections to test.sh:
Language settings could still influence test results
netstat was still required
Suppress usleep deprecated message
Force use of IPv4 with some certificates
Set timeout for UDPxMAXCHILDREN tests

Added missing Config/Makefile.DragonFly-2-8-2,
Config/config.DragonFly-2-8-2.h
Removed testcert.conf (to be generated by test.sh)

Simplified handling of missing termios defines.

Permit combined -d options as -dd etc.

####################### V 1.7.3.2:

SIGSEGV and other signals could lead to a 100% CPU loop

Failing name resolution could lead to SIGSEGV
Thanks to Max for reporting this issue.

Include <stddef.h> for ptrdiff_t
Thanks to Jeroen Roovers for reporting this issue.

Building with --disable-sycls failed due to missing sslcls.h defines

Socat hung when configured with --disable-sycls.

Some minor corrections with includes etc.

Option so-reuseport did not work. Thanks to Some Raghavendra Prabhu

Programs invoked with EXEC, nofork, and -u or -U had stdin and stdout
Test: EXEC_NOFORK_UNIDIR
Thanks to David Reiss for reporting this problem.

Socat exited with status 0 even when a program invoked with SYSTEM or
Tests: SYSTEM_RC EXEC_RC
Issue reported by Felix Winkelmann.

AddressSanitizer reported a few buffer overflows (false positives).
Nevertheless fixed Socat source.
Issue reported by Hanno Böck.

Socat did not use option ipv6-join-group.
Test: USE_IPV6_JOIN_GROUP
Thanks to Linus Lüssing for sending a patch.

UDP-LISTEN did not honor the max-children option.
Test: UDP4MAXCHILDREN UDP6MAXCHILDREN
Thanks to Leander Berwers for reporting this issue.

Options so-rcvtimeo and so-sndtimeo do not work with poll()/select()
and therefore were useless.
Thanks to Steve Borenstein for reporting this issue.

Option dhparam was documented as dhparams. Added the alias name
dhparams to fix this.
Thanks to Alexander Neumann for sending a patch.

Options shut-down and shut-close did not work.
Thanks to Stefan Schimanski for providing a patch.

There was a bug in printing readline log message caused by a misleading
Thanks to Paul Wouters for reporting.

The internal vsnprintf_r function looped or crashed on size parameter
with hexadecimal output.

Ignore exit code of child process when it was killed by master due to

Corrected byte order on read of IPV6_TCLASS value from ancillary

Fixed type of the bool element in options. This bug had caused failures
e.g. of ignoreeof on big-endian systems when bool was not based on int.

On systems with predefined bool type whose size differs from int some
IPv6 and TCP options (per setsockopt()) failed.

Length of integral data in ancillary messages varies (TOS: 1 byte,
TTL: 4 bytes), the old implementation failed for TTL on big-endian

Fixed an issue in options processing: TUN and DNS flags had failed on
big-endian systems and the NO- forms had probably never worked.

Type conflict between int and sig_atomic_t between declaration and
definition of diag_immediate_type and diag_immediate_exit broke
compilation on FreeBSD 10.1 with clang. Thanks to Emanuel Haupt for

Socat failed to compile on platforms with OpenSSL without
DTLSv1_client_method or DTLSv1_server_method.
Thanks to Simon Matter for sending a patch.

NuttX OS headers do not provide struct ip, thus socat did not compile.
Made struct ip subject to configure.
Thanks to SP for reporting this issue.

Socat failed to compile with OpenSSL version 1.0.2d where
SSLv3_server_method and SSLv3_client_method are no longer defined.
Thanks to Mischa ter Smitten for reporting this issue and providing

configure checked for OpenSSL EC_KEY assuming it is a define but it
is a type, thus OpenSSL ECDHE ciphers failed even on Linux.
Thanks to Andrey Arapov for reporting this bug.

Changes to make socat compile with OpenSSL 1.1.
Thanks to Sebastian Andrzej Siewior e.a. from the Debian team for
providing the base patch.

Make Socat compatible with BoringSSL.
Thanks to Matt Braithwaite for providing a patch.

OpenSSL: Use RAND_status to determine PRNG state
Thanks to Adam Langley for providing a patch

AIX-7 uses an extended O_ACCMODE that does not fit socat's internal
requirements. Thanks to Garrick Trowsdale for providing a patch

LibreSSL support: check for OPENSSL_NO_COMP
Thanks to Bernard Spil for providing a patch

socks4echo.sh and socks4a-echo.sh hung with new bash with read -n

test.sh: stderr; option -v (verbose); FDOUT_ERROR description

improved proxy.sh - it now also takes hostnames

A few corrections in test.sh

DTLS1 test hangs on some distributions. Test is now only performed
with OpenSSL 1.0.2 or higher.

More corrections to test.sh that reveal a mistake with IPV6_TCLASS

Corrected source of socat man page to correctly show man references
like socket(2); removed obsolete entries from See Also

Docu and some comments mentioned addresses SSL-LISTEN and SSL-CONNECT
that do not exist (OPENSSL-LISTEN, SSL-L; and OPENSSL-CONNECT, SSL
Thanks to Zhigang Wang for reporting this issue.

Fixed a couple of English spelling and grammar mistakes.
Thanks to Jakub Wild for sending the patches.

NOEXPAND() was not resolved 2 times.

More minor docu corrections

Added contributors to copyright notices. Suggested by Matt Braithwaite.

####################### V 1.7.3.1:

Socat security advisory 8
A stack overflow vulnerability was found that can be triggered when
command line arguments (complete address specifications, host names,
file names) are longer than 512 bytes.
Successful exploitation might allow an attacker to execute arbitrary
code with the privileges of the socat process.
This vulnerability can only be exploited when an attacker is able to
inject data into socat's command line.
A vulnerable scenario would be a CGI script that reads data from clients
and uses (parts of) this data as hostname for a Socat invocation.
Credits to Takumi Akiyama for finding and reporting this issue.

Socat security advisory 7
In the OpenSSL address implementation the hard coded 1024 bit DH p
parameter was not prime. The effective cryptographic strength of a key
exchange using these parameters was weaker than the one one could get by
using a prime p. Moreover, since there is no indication of how these
parameters were chosen, the existence of a trapdoor that makes it possible
for an eavesdropper to recover the shared secret from a key exchange
that uses them cannot be ruled out.
Furthermore, 1024bit is not considered sufficiently secure.
Fix: generated a new 2048bit prime.
Thanks to Santiago Zanella-Beguelin and Microsoft Vulnerability
Research (MSVR) for finding and reporting this issue.

####################### V 1.7.3.0:

Socat security advisory 6
CVE-2015-1379: Possible DoS with fork
Fixed problems with signal handling caused by use of non async signal
safe functions in signal handlers that could freeze socat, allowing
denial of service attacks.
Many changes in signal handling and the diagnostic messages system were
applied to make the code async signal safe but still provide detailed
logging from signal handlers:
Coded function vsnprintf_r() as async signal safe incomplete substitute
Coded function snprinterr() to replace %m in strings with a system error
Instead of gettimeofday() use clock_gettime() when available
Pass Diagnostic messages from signal handler per unix socket to the main
Use sigaction() instead of signal() for better control
Turn off nested signal handler invocations
Thanks to Peter Lobsinger for reporting and explaining this issue.

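The pattern listed in this advisory (handler restricted to async signal safe calls, message passed over a unix socket, sigaction() with nesting turned off), as an added example that is not socat source code. All names (diag_msg, diag_fd, on_signal, install_handler, diag_demo) are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Fixed-size record handed from the signal handler to normal program flow. */
struct diag_msg {
    int signum;
    int saved_errno;
};

/* [0] is read in normal flow, [1] is written from the handler. */
static int diag_fd[2] = { -1, -1 };

/* The handler only uses async signal safe operations: plain stores and
 * write(). No printf(), no localtime(), no malloc(). */
static void on_signal(int signum) {
    int e = errno;              /* keep errno of the interrupted code intact */
    struct diag_msg m;
    ssize_t r;

    m.signum = signum;
    m.saved_errno = e;
    r = write(diag_fd[1], &m, sizeof m);
    (void)r;                    /* nothing safe to do here if the write fails */
    errno = e;
}

/* sigaction() instead of signal(): the full mask blocks every other signal
 * while the handler runs, so handlers cannot nest. */
int install_handler(int signum) {
    struct sigaction sa;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sigfillset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(signum, &sa, NULL);
}

/* Raise SIGUSR1, then format the log line in normal flow where the
 * non-reentrant stdio functions are allowed. Returns the signal number
 * received through the socket, or -1 on error. */
int diag_demo(char *out, size_t outlen) {
    struct diag_msg m;

    /* SOCK_DGRAM keeps record boundaries, one message per signal. */
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, diag_fd) == -1)
        return -1;
    if (install_handler(SIGUSR1) == -1)
        return -1;

    raise(SIGUSR1);             /* handler has run when raise() returns */

    if (read(diag_fd[0], &m, sizeof m) != (ssize_t)sizeof m)
        return -1;
    snprintf(out, outlen, "caught signal %d (errno was %d)",
             m.signum, m.saved_errno);
    close(diag_fd[0]);
    close(diag_fd[1]);
    return m.signum;
}

int main(void) {
    char line[64];

    if (diag_demo(line, sizeof line) == -1)
        return 1;
    puts(line);
    return 0;
}
```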
Red Hat issue 1019975: add TLS host name checks
OpenSSL client checks if the server certificate's names in
extensions/subjectAltName/DNS or in subject/commonName match the name
used to connect or the value of the openssl-commonname option.
Test: OPENSSL_CN_CLIENT_SECURITY

OpenSSL server checks if the client certificate's names in
extensions/subjectAltNames/DNS or subject/commonName match the value of
the openssl-commonname option when it is used.
Test: OPENSSL_CN_SERVER_SECURITY

Red Hat issue 1019964: socat now uses the system certificate store with
OPENSSL when neither options cafile nor capath are used

Red Hat issue 1019972: needs to specify OpenSSL cipher suites
Default cipherlist is now "HIGH:-NULL:-PSK:-aNULL" instead of empty to
prevent downgrade attacks

OpenSSL addresses set a couple of environment variables from values in
peer certificate, e.g.:
SOCAT_OPENSSL_X509_SUBJECT, SOCAT_OPENSSL_X509_ISSUER,
SOCAT_OPENSSL_X509_COMMONNAME,
SOCAT_OPENSSL_X509V3_SUBJECTALTNAME_DNS
Tests: ENV_OPENSSL_{CLIENT,SERVER}_X509_*

Added support for methods TLSv1, TLSv1.1, TLSv1.2, and DTLS1
Tests: OPENSSL_METHOD_*

Enabled OpenSSL server side use of ECDHE ciphers. Feature suggested

Added a new option termios-rawer for ptys.
Thanks to Christian Vogelgsang for pointing me to this requirement

Bind with ABSTRACT commands used non-abstract namespace (Linux).
Thanks to Denis Shatov for reporting this bug.

Fixed return value of nestlex()

Option ignoreeof on the right address hung.
Thanks to Franz Fasching for reporting this bug.

Address SYSTEM, when terminating, shut down its parent addresses,
e.g. an SSL connection which the parent assumed to still be active.
Test: SYSTEM_SHUTDOWN

Passive (listening or receiving) addresses with empty port field bound
to a random port instead of terminating with error.

configure with some combination of disable options produced config
files that failed to compile due to missing IPPROTO_TCP.
Thanks to Thierry Fournier for report and patch.

fixed a few minor bugs with OpenSSL in configure and with messages

Socat did not work in FIPS mode because 1024 instead of 512 bit DH prime
is required. Thanks to Zhigang Wang for reporting and sending a patch.

Christophe Leroy provided a patch that fixes memory leaks reported by

Help for filan -L was bad, is now corrected to:
"follow symbolic links instead of showing their properties"

Address options fdin and fdout were silently ignored when not applicable
due to -u or -U option. Now these combinations are caught as errors.
Issue reported by Hendrik.

Added option termios-cfmakeraw that calls cfmakeraw() and is preferred
over option raw which is now obsolete. On SysV systems this call is
simulated by appropriate setting.
Thanks to Youfu Zhang for reporting issue with option raw.

Socat included <sys/poll.h> instead of POSIX <poll.h>
Thanks to John Spencer for reporting this issue.

Version 1.7.2.4 changed the check for gcc in configure.ac; this
broke cross compiling. The particular check gets reverted.
Thanks to Ross Burton and Danomi Manchego for reporting this issue.

Debian Bug#764251: Set the build timestamp to a deterministic time:
support external BUILD_DATE env var to allow to build reproducible

Joachim Fenkes provided a new adapted spec file.

Type bool and macros Min and Max are defined by socat which led to
compile errors when they were already provided by build framework.
Thanks to Liyu Liu for providing a patch.

David Arnstein contributed a patch for NetBSD 5.1 including stdbool.h
support and appropriate files in Config/

Lauri Tirkkonen contributed a patch regarding netinet/if_ether.h

Changes for Openindiana: define _XPG4_2, __EXTENSIONS__,
_POSIX_PTHREAD_SEMANTICS; and minor changes

Red Hat issue 1182005: socat 1.7.2.4 build failure missing

Socat failed to compile on PPC due to new requirements for
including <linux/errqueue.h> and a weakness in the conditional code.
Thanks to Michel Normand for reporting this issue.

In the man page the PTY example was badly formatted. Thanks to
J.F.Sebastian for sending a patch.

Added missing CVE ids to security issues in CHANGES

Do not distribute testcert.conf with socat source but generate it
(and new testcert6.conf) during test.sh run.

####################### V 1.7.2.4:

LISTEN based addresses applied some address options, e.g. so-keepalive,
to the listening file descriptor instead of the connected file
Thanks to Ulises Alonso for reporting this bug

make failed after configure with non gcc compiler due to missing
include. Thanks to Horacio Mijail for reporting this problem

configure checked for --disable-rawsocket but printed
--disable-genericsocket in the help text. Thanks to Ben Gardiner for
reporting and patching this bug

In xioshutdown() a wrong branch was chosen after RECVFROM type addresses.
Thanks to David Binderman for reporting this issue.

procan could not cleanly format ulimit values longer than 16 decimal
digits. Thanks to Frank Dana for providing a patch that increases field

OPENSSL-CONNECT with bind option failed on some systems, e.g. FreeBSD, with
Thanks to Emile den Tex for reporting this bug.

Changed some variable definitions to make gcc -O2 aliasing checker happy
Thanks to Ilya Gordeev for reporting these warnings

On big endian platforms with type long >32bit the range option applied a
bad base address. Thanks to hejia hejia for reporting and fixing this bug.

Red Hat issue 1022070: missing length check in xiolog_ancillary_socket()

Red Hat issue 1022063: out-of-range shifts on net mask bits

Red Hat issue 1022062: strcpy misuse in xiosetsockaddrenv_ip4()

Red Hat issue 1022048: strncpy hardening: corrected suspicious strncpy()

Red Hat issue 1021958: fixed a bug with faulty buffer/data length
calculation in xio-ascii.c:_xiodump()

Red Hat issue 1021972: fixed a missing NUL termination in return string
of sysutils.c:sockaddr_info() for the AF_UNIX case

fixed some typos and minor issues, including:
Red Hat issue 1021967: formatting error in manual page

UNIX-LISTEN with fork option did not remove the socket file system entry
when exiting. Other file system based passive address types had similar
issues or failed to apply options umask, user e.a.
Thanks to Lorenzo Monti for pointing me to this issue

Red Hat issue 1020203: configure checks fail with some compilers.

Performed changes for Fedora release 19

Adapted, improved test.sh script

Red Hat issue 1021429: getgroupent fails with large number of groups;
use getgrouplist() when available instead of sequence of calls to

Red Hat issue 1021948: snprintf API change;
Implemented xio_snprintf() function as wrapper that tries to emulate C99
behaviour on old glibc systems, and adapted all affected calls

Mike Frysinger provided a patch that supports long long for time_t,
socklen_t and a few other libc types.

Artem Mygaiev extended Cedril Priscal's Android build script with pty code

The check for fips.h required stddef.h
Thanks to Matt Hilt for reporting this issue and sending a patch

Check for linux/errqueue.h failed on some systems due to lack of
linux/types.h inclusion. Thanks to Michael Vastola for sending a patch.

autoconf now prefers configure.ac over configure.in
Thanks to Michael Vastola for sending a patch.

type of struct cmsghdr.cmsg is system dependent, determine it with
configure; some more print format corrections

libwrap always logs to syslog

added actual text version of GPLv2

####################### V 1.7.2.3:

Socat security advisory 5
CVE-2014-0019: socat's PROXY-CONNECT address was vulnerable to a buffer
overflow with data from command line (see socat-secadv5.txt)
Credits to Florian Weimer of the Red Hat Product Security Team

####################### V 1.7.2.2:

Socat security advisory 4
after refusing a client connection due to bad source address or source
port socat shutdown() the socket but did not close() it, resulting in
a file descriptor leak in the listening process, visible with lsof and
possibly resulting in EMFILE Too many open files. This issue could be
misused for a denial of service attack.
Full credits to Catalin Mitrofan for finding and reporting this issue.

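The leak described in this advisory, reproduced in miniature as an added example (not socat source code): socketpair() stands in for accept() so no network is needed, and all function names are hypothetical. It counts the descriptors left behind when a refused connection is only shut down versus shut down and closed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Count open descriptors of this process by probing the low fd range. */
static int count_open_fds(void) {
    int n = 0;
    int fd;

    for (fd = 0; fd < 1024; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Behaviour described in the advisory: the refused socket is shut down,
 * but its descriptor stays allocated in the listening process. */
static void refuse_leaky(int fd) {
    shutdown(fd, SHUT_RDWR);
}

/* Corrected behaviour: shut down, then release the descriptor. */
static void refuse_fixed(int fd) {
    shutdown(fd, SHUT_RDWR);
    close(fd);
}

/* Simulate n refused clients. sv[0] plays the socket returned by accept(),
 * sv[1] the remote peer. Returns how many descriptors the "listener"
 * leaked, or -1 if no more sockets could be created. */
int simulate_refusals(int n, int fixed) {
    int before = count_open_fds();
    int i;

    for (i = 0; i < n; i++) {
        int sv[2];

        if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
            return -1;      /* e.g. EMFILE once the descriptor table is full */
        close(sv[1]);       /* the peer end is not part of the listener state */
        if (fixed)
            refuse_fixed(sv[0]);
        else
            refuse_leaky(sv[0]);
    }
    return count_open_fds() - before;
}

int main(void) {
    printf("leaked with shutdown() only:    %d\n", simulate_refusals(8, 0));
    printf("leaked with shutdown()+close(): %d\n", simulate_refusals(8, 1));
    return 0;
}
```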
####################### V 1.7.2.1:

Socat security advisory 3
fixed a possible heap buffer overflow in the readline address. This bug
could be exploited when all of the following conditions were met:
1) one of the addresses is READLINE without the noprompt and without the
2) the other (almost arbitrary address) reads malicious data (which is
then transferred by socat to READLINE).
Workaround: when using the READLINE address apply option prompt or
Full credits to Johan Thillemann for finding and reporting this issue.

####################### V 1.7.2.0:

when UNIX-LISTEN was applied to an existing file it failed as expected
but removed the file. Thanks to Bjoern Bosselmann for reporting this

fixed a bug where socat might crash when connecting to a unix domain
socket using address GOPEN. Thanks to Martin Forssen for bug report and

UDP-LISTEN would always set SO_REUSEADDR even without fork option and
when user set it to 0. Thanks to Michal Svoboda for reporting this bug.

UNIX-CONNECT did not support half-close. Thanks to Greg Hughes who
pointed me to that bug

TCP-CONNECT with option nonblock reported successful connect even when

address option ioctl-intp failed with "unimplemented type 26". Thanks
to Jeremy W. Sherman for reporting and fixing that bug

socat option -x did not print packet direction, timestamp etc; thanks
to Anthony Sharobaiko for sending a patch

address PTY does not take any parameters but did not report an error

Marcus Meissner provided a patch that fixes invalid output and possible
process crash when socat prints info about an unnamed unix domain

Michal Soltys reported the following problem and provided an initial
patch: when socat was interrupted, e.g. by SIGSTOP, and resumed during
data transfer only parts of the data might have been written.

Option o-nonblock in combination with large transfer block sizes
may result in partial writes and/or EAGAIN errors that were not handled
properly but resulted in data loss or process termination.

Fixed a bug that could freeze socat when during assembly of a log
message a signal was handled that also printed a log message. socat
development had been aware that localtime() is not thread safe but had
only expected broken messages, not corrupted stack (glibc 2.11.1,

an internal store for child pids was susceptible to pid reuse which
could lead to sporadic data loss when both fork option and exec address
were used. Thanks to Tetsuya Sodo for reporting this problem and

OpenSSL server failed with "no shared cipher" when using cipher aNULL.
Fixed by providing temporary DH parameters. Thanks to Philip Rowlands
for drawing my attention to this issue.

UDP-LISTEN slept 1s after accepting a connection. This is not required.
Thanks to Peter Valdemar Morch for reporting this issue

fixed a bug that could lead to error or socat crash after a client
connection with option retry had been established

fixed configure.in bug on net/if.h check that caused IF_NAMESIZE to be

improved dev_t print format definition

Cedril Priscal ported socat to Android (using Google's cross compiler).
The port includes the socat_buildscript_for_android.sh script

added check for component ipi_spec_dst in struct in_pktinfo so
compilation does not fail on Cygwin (thanks to Peter Wagemans for
reporting this problem)

build failed on RHEL6 due to presence of fips.h; configure now checks
for fipsld too. Thanks to Andreas Gruenbacher for reporting this

check for netinet6/in6.h only when IPv6 is available and enabled

don't fail to compile when the following defines are missing:
IPV6_PKTINFO IPV6_RTHDR IPV6_DSTOPTS IPV6_HOPOPTS IPV6_HOPLIMIT
Thanks to Jerry Jacobs for reporting this problem (Mac OS X Lion 10.7)

check if define __APPLE_USE_RFC_2292 helps to enable IPV6_* (MacOSX
Lion 7.1); thanks to Jerry Jacobs for reporting this problem and

fixed compiler warnings on Mac OS X 64bit. Thanks to Guy Harris for

corrections for OpenEmbedded, especially termios SHIFT values and
ISPEED/OSPEED. Thanks to John Faith for providing the patch

minor corrections to docu and test.sh resulting from local compilation

fixed sa_family_t compile error on DragonFly. Thanks to Tony Young for
reporting this issue and sending a patch.

Ubuntu Oneiric: OpenSSL no longer provides SSLv2 functions; libutil.sh
is now bsd/libutil.h; compiler warns on vars that are only written to

added option max-children that limits the number of concurrent child
processes. Thanks to Sam Liddicott for providing the patch.

Till Maas added support for tun/tap addresses without IP address

added an option openssl-compress that allows to disable the compression
feature of newer OpenSSL versions. Thanks to Michael Hanselmann for
providing this contribution (sponsored by Google Inc.)

minor corrections in docu (thanks to Paggas)

client process -> child process

####################### V 1.7.1.3:

Socat security advisory 2
fixed a stack overflow vulnerability that occurred when command
line arguments (whole addresses, host names, file names) were longer
Note that this could only be exploited when an attacker was able to
inject data into socat's command line.
Full credits to Felix Gröbert, Google Security Team, for finding and

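Both this advisory and security advisory 8 (V 1.7.3.1) require attacker-influenced data on socat's command line, such as the CGI script that passes a client-supplied host name. The following added example (not part of socat; helper names are hypothetical) shows how a calling program can validate such a host name before building the address argument. The 253-character limit and the TCP4:<host>:<port> address form are choices made for this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <string.h>

/* Maximum length of a DNS name; well below the 512 bytes named in
 * security advisory 8. */
#define MAX_HOSTNAME 253

/* Accept only plain DNS names or IPv4 literals: ASCII letters, digits,
 * '.' and '-'. Everything else is rejected, including ',' and ':' which
 * separate options and parameters inside a socat address. */
int hostname_is_safe(const char *host) {
    size_t len, i;

    if (host == NULL)
        return 0;
    len = strnlen(host, MAX_HOSTNAME + 1);
    if (len == 0 || len > MAX_HOSTNAME)
        return 0;
    if (host[0] == '-' || host[0] == '.')
        return 0;               /* must not look like a command line option */
    for (i = 0; i < len; i++) {
        char c = host[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Build the address argument into dst. Returns 0 on success, -1 when the
 * host name is rejected, the port is out of range, or dst is too small. */
int build_tcp_address(char *dst, size_t dstlen, const char *host,
                      unsigned port) {
    int n;

    if (!hostname_is_safe(host) || port == 0 || port > 65535)
        return -1;
    n = snprintf(dst, dstlen, "TCP4:%s:%u", host, port);
    if (n < 0 || (size_t)n >= dstlen)
        return -1;              /* would have been truncated */
    return 0;
}

int main(void) {
    char addr[300];
    char oversized[601];        /* constructed input: 600 bytes of 'a' */

    memset(oversized, 'a', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    if (build_tcp_address(addr, sizeof addr, "example.org", 80) == 0)
        printf("accepted: %s\n", addr);
    if (build_tcp_address(addr, sizeof addr, oversized, 80) == -1)
        printf("rejected: host name of %zu bytes\n", strlen(oversized));
    return 0;
}
```

The resulting string should be passed to socat as a single argv element with execv() or similar, not through a shell.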
####################### V 1.7.1.2:

user-late and group-late, when applied to a pty, affected the system
device /dev/ptmx instead of the pty (thanks to Matthew Cloke for
pointing me to this bug)

socat's openssl addresses failed with "nonblocking operation did not
complete" when the peer performed a renegotiation. Thanks to Benjamin
Delpy for reporting this bug.

info message during socks connect showed bad port number on little
endian systems due to wrong byte order (thanks to Peter M. Galbavy for
bug report and patch)

Debian bug 531078: socat execs children with SIGCHLD ignored; corrected
to default. Thanks to Martin Dorey for reporting this bug.

building socat on systems that predefined the CFLAGS environment to
contain -Wall failed (esp. RedHat). Thanks to Paul Wouters for reporting
this problem and to Simon Matter for providing the patch

support for Solaris 8 and Sun Studio support (thanks to Sebastian
Kayser for providing the patches)

on some 64bit systems a compiler warning "cast from pointer to integer
of different size" was issued on some option definitions

added struct sockaddr_ll to union sockaddr_union to avoid "strict
aliasing" warnings (problem reported by Paul Wouters)

minor corrections in docu

####################### V 1.7.1.1:

corrected the "fixed possible SIGSEGV" fix because SIGSEGV still might
occur under those conditions. Thanks to Toni Mattila for first
reporting this problem.

ftruncate64 cut its argument to 32 bits on systems with 32 bit long type

socat crashed on systems without setenv() (esp. SunOS up to Solaris 9);
thanks to Todd Stansell for reporting this bug

with unidirectional EXEC and SYSTEM a close() operation was performed
on a random number which could result in hanging e.a.

fixed a compile problem caused by size_t/socklen_t mismatch on 64bit

docu mentioned option so-bindtodev but correct name is so-bindtodevice.
Thanks to Jim Zimmerman for reporting.

added environment variables example to doc/socat-multicast.html

####################### V 1.7.1.0:

address options shut-none, shut-down, and shut-close allow to control
socat's half close behaviour

with address option shut-null socat sends an empty packet to the peer

option null-eof changes the behaviour of sockets that receive an empty
packet to see EOF instead of ignoring it

introduced option names substuser-early and su-e, currently equivalent
to option substuser (thanks to Mike Perry for providing the patch)

fixed some typos and improved some comments

####################### V 1.7.0.1:

fixed possible SIGSEGV in listening addresses when a new connection was
reset by peer before the socket addresses could be retrieved. Thanks to
Mike Perry for sending a patch.

fixed a bug, introduced with version 1.7.0.0, that let client
connections with option connect-timeout fail when the connections
succeeded. Thanks to Bruno De Fraine for reporting this bug.

option end-close "did not apply" to addresses PTY, SOCKET-CONNECT,
and most UNIX-* and ABSTRACT-*

half close of EXEC and SYSTEM addresses did not work for pipes and

help displayed for some option a wrong type

under some circumstances shutdown was called multiple times for the

####################### V 1.7.0.0:

new address types SCTP-CONNECT and SCTP-LISTEN implement SCTP stream
mode for IPv4 and IPv6; new address options sctp-maxseg and
sctp-nodelay (suggested by David A. Madore; thanks to Jonathan Brannan
for providing an initial patch)

new address "INTERFACE" for transparent network interface handling
(suggested by Stuart Nicholson)

added generic socket addresses: SOCKET-CONNECT, SOCKET-LISTEN,
SOCKET-SENDTO, SOCKET-RECVFROM, SOCKET-RECV, SOCKET-DATAGRAM allow
protocol independent socket handling; all parameters are explicitly
specified as numbers or hex data

added address options ioctl-void, ioctl-int, ioctl-intp, ioctl-string,
ioctl-bin for generic ioctl() calls.

added address options setsockopt-int, setsockopt-bin, and
setsockopt-string for generic setsockopt() calls

option so-type now only affects the socket() and socketpair() calls,
not the name resolution. so-type and so-prototype can now be applied to
all socket based addresses.

new address option "escape" allows to break a socat instance even when
raw terminal mode prevents ^C etc. (feature suggested by Guido Trotter)

socat sets environment variables SOCAT_VERSION, SOCAT_PID, SOCAT_PPID
for use in executed scripts

socat sets environment variables SOCAT_SOCKADDR, SOCAT_SOCKPORT,
SOCAT_PEERADDR, SOCAT_PEERPORT in LISTEN type addresses (feature
suggested by Ed Sawicki)

socat receives all ancillary messages with each received packet on
datagram related addresses. The messages are logged in raw form with
debug level, and broken down with info level. note: each type of
ancillary message must be enabled by appropriate address options.

socat provides the contents of ancillary messages received on RECVFROM
addresses in appropriate environment variables:
SOCAT_TIMESTAMP, SOCAT_IP_DSTADDR, SOCAT_IP_IF, SOCAT_IP_LOCADDR,
SOCAT_IP_OPTIONS, SOCAT_IP_TOS, SOCAT_IP_TTL, SOCAT_IPV6_DSTADDR,
SOCAT_IPV6_HOPLIMIT, SOCAT_IPV6_TCLASS

the following address options were added to enable ancillary messages:
so-timestamp, ip-pktinfo (not BSD), ip-recvdstaddr (BSD), ip-recverr,
ip-recvif (BSD), ip-recvopts, ip-recvtos, ip-recvttl, ipv6-recvdstopts,
ipv6-recverr, ipv6-recvhoplimit, ipv6-recvhopopts, ipv6-recvpathmtu,
ipv6-recvpktinfo, ipv6-recvrthdr, ipv6-recvtclass

new address options ipv6-tclass and ipv6-unicast-hops set the related

STREAMS (UNIX System V STREAMS) can be configured with the new address
options i-pop-all and i-push (thanks to Michal Rysavy for providing a

some raw IP and UNIX datagram modes failed on BSD systems

when UDP-LISTEN continued to listen after packet dropped by, e.g.,
range option, the old listen socket would not be closed but a new one
created. open sockets could accumulate.

there was a bug in ip*-recv with bind option: it did not bind, and
with the first received packet an error occurred:
socket_init(): unknown address family 0

RECVFROM addresses with FORK option hung after processing the first
925 packet. test: UDP4RECVFROM_FORK
927 corrected a few mistakes that caused compiler warnings on 64bit hosts
928 (thanks to Jonathan Brannan e.a. for providing a patch)
930 EXEC and SYSTEM with stderr injected socat messages into the data
931 stream. test: EXECSTDERRLOG
933 when the EXEC address got a string with consecutive spaces it created
934 additional empty arguments (thanks to Olivier Hervieu for reporting
935 this bug). test: EXECSPACES
937 in ignoreeof polling mode socat also blocked data transfer in the other
938 direction during the 1s wait intervals (thanks to Jorgen Cederlof for
941 corrected alphabetical order of options (proxy-auth)
943 some minor corrections
945 improved test.sh script: more stable timing, corrections for BSD
947 replaced the select() calls by poll() to cleanly fix the problems with
948 many file descriptors already open
950 socat option -lf did not log to file but to stderr
952 socat did not compile on Solaris when configured without termios
953 feature (thanks to Pavan Gadi for reporting this bug)
956 socat compiles and runs on AIX with gcc (thanks to Andi Mather for his
959 socat compiles and runs on Cygwin (thanks to Jan Just Keijser for his
962 socat compiles and runs on HP-UX with gcc (thanks to Michal Rysavy for
965 socat compiles and runs on MacOS X (thanks to Camillo Lugaresi for his
969 filan -s prefixes output with FD number if more than one FD
971 Makefile now supports datarootdir (thanks to Camillo Lugaresi for
974 cleanup in xio-unix.c
976 ####################### V 1.6.0.1:
979 new make target "gitclean"
981 docu source doc/socat.yo released
984 exec:...,pty did not kill child process under some circumstances; fixed
985 by correcting typo in xio-progcall.c (thanks to Ralph Forsythe for
986 reporting this problem)
988 service name resolution failed due to byte order mistake
989 (thanks to James Sainsbury for reporting this problem)
991 socat would hang when invoked with many file descriptors already opened
992 fix: replaced FOPEN_MAX with FD_SETSIZE
993 thanks to Daniel Lucq for reporting this problem.
995 fixed bugs where sub processes would become zombies because the master
996 process did not catch SIGCHLD. this affected addresses UDP-LISTEN,
997 UDP-CONNECT, TCP-CONNECT, OPENSSL, PROXY, UNIX-CONNECT, UNIX-CLIENT,
998 ABSTRACT-CONNECT, ABSTRACT-CLIENT, SOCKSA, SOCKS4A
999 (thanks to Fernanda G Weiden for reporting this problem)
1001 fixed a bug where sub processes would become zombies because the master
1002 process caught SIGCHLD but did not wait(). this affected addresses
1003 UDP-RECVFROM, IP-RECVFROM, UNIX-RECVFROM, ABSTRACT-RECVFROM
1004 (thanks to Evan Borgstrom for reporting this problem)
1006 corrected option handling with STDIO; usecase: cool-write
1008 configure --disable-pty also disabled option waitlock
1010 fixed small bugs on systems with struct ip_mreq without struct ip_mreqn
1011 (thanks to Roland Illig for sending a patch)
1013 corrected name of option intervall to interval (old form still valid
1014 for us German speaking guys)
1016 corrected some print statements and variable names
1018 make uninstall did not uninstall procan
1020 fixed lots of weaknesses in test.sh
1022 corrected some bugs and typos in doc/socat.yo, EXAMPLES, C comments
1025 procan -c prints C defines important for socat
1027 added test OPENSSLEOF for OpenSSL half close
1029 ####################### V 1.6.0.0:
1032 new addresses IP-DATAGRAM and UDP-DATAGRAM allow versatile broadcast
1035 new option ip-add-membership for control of multicast group membership
1037 new address TUN for generation of Linux TUN/TAP pseudo network
1038 interfaces (suggested by Mat Caughron); associated options tun-device,
1039 tun-name, tun-type; iff-up, iff-promisc, iff-noarp, iff-no-pi etc.
1041 new addresses ABSTRACT-CONNECT, ABSTRACT-LISTEN, ABSTRACT-SENDTO,
1042 ABSTRACT-RECV, and ABSTRACT-RECVFROM for abstract UNIX domain addresses
1043 on Linux (requested by Zeeshan Ali); option unix-tightsocklen controls
1044 socklen parameter on system calls.
1046 option end-close for control of connection closing allows FD sharing
1049 range option supports form address:mask with IPv4
1051 changed behaviour of OPENSSL-LISTEN to require and verify client
1052 certificate per default
1054 options f-setlkw-rd, f-setlkw-wr, f-setlk-rd, f-setlk-wr allow finer
1055 grained locking on regular files
1057 uninstall target in Makefile (lack reported by Zeeshan Ali)
1060 fixed bug where only first tcpwrap option was applied; fixed bug where
1061 tcpwrap IPv6 check always failed (thanks to Rudolf Cejka for reporting
1062 and fixing this bug)
1064 filan (and socat -D) could hang when a socket was involved
1066 corrected PTYs on HP-UX (and maybe others) using STREAMS (inspired by
1069 correct bind with udp6-listen (thanks to Jan Horak for reporting this
1072 corrected filan.c peekbuff[0] which did not compile with Sun Studio Pro
1073 (thanks to Leo Zhadanovsky for reporting this problem)
1075 corrected problem with read data buffered in OpenSSL layer (thanks to
1076 Jon Nelson for reporting this bug)
1078 corrected problem with option readbytes when input stream stayed idle
1081 fixed a bug where a datagram receiver with option fork could fork two
1082 sub processes per packet
1085 moved documentation to new doc/ subdir
1087 new documents (kind of mini tutorials) are provided in doc/
1089 ####################### V 1.5.0.0:
1092 new datagram modes for udp, rawip, unix domain sockets
1094 socat option -T specifies inactivity timeout
1096 rewrote lexical analysis to allow nested socat calls
1098 addresses tcp, udp, tcp-l, udp-l, and rawip now support IPv4 and IPv6
1100 socat options -4, -6 and environment variables SOCAT_DEFAULT_LISTEN_IP,
1101 SOCAT_PREFERRED_RESOLVE_IP for control of protocol selection
1103 addresses ssl, ssl-l, socks, proxy now support IPv4 and IPv6
1105 option protocol-family (pf), esp. for openssl-listen
1107 range option supports IPv6 - syntax: range=[::1/128]
1109 option ipv6-v6only (ipv6only)
1111 new tcp-wrappers options allow-table, deny-table, tcpwrap-etc
1113 FIPS version of OpenSSL can be integrated - initial patch provided by
1114 David Acker. See README.FIPS
1116 support for resolver options res-debug, aaonly, usevc, primary, igntc,
1117 recurse, defnames, stayopen, dnsrch
1119 options for file attributes on advanced filesystems (ext2, ext3,
1120 reiser): secrm, unrm, compr, ext2-sync, immutable, ext2-append, nodump,
1121 ext2-noatime, journal-data etc.
1123 option cool-write controls severity of write failure (EPIPE,
1128 socat option -lh for hostname in log output
1130 traffic dumping provides packet headers
1132 configure.in became part of distribution
1134 socat's unpack directory now has full version, e.g. socat-1.5.0.0/
1136 corrected docu of option verify
1139 fixed tcpwrappers integration - initial fix provided by Rudolf Cejka
1141 exec with pipes,stderr produced error
1143 setuid-early was ignored with many address types
1145 some minor corrections
1147 ####################### V 1.4.3.1:
1150 PROBLEM: UNIX socket listen accepted only one (or a few) connections.
1151 FIX: do not remove listening UNIX socket in child process
1153 PROBLEM: SIGSEGV when TCP part of SSL connect failed
1154 FIX: check ssl pointer before calling SSL_shutdown
1156 In debug mode, show connect client port even when connect fails
1158 ####################### V 1.4.3.0:
1161 socat options -L, -W for application level locking
1163 options "lockfile", "waitlock" for address level locking
1166 option "readbytes" limits read length (Adam Osuchowski)
1168 option "retry" for unix-connect, unix-listen, tcp6-listen (Dale Dude)
1170 pty symlink, unix listen socket, and named pipe are per default removed
1171 after use; option unlink-close overrides this new behaviour and also
1172 controls removal of other socat generated files (Stefan Luethje)
1175 option "retry" did not work with tcp-listen
1177 EPIPE condition could result in a 100% CPU loop
1180 support systems without SHUT_RD etc.
1181 handle more size_t types
1182 try to find makedepend options with gcc 3 (richard/OpenMacNews)
1184 ####################### V 1.4.2.0:
1187 option "connect-timeout" limits wait time for connect operations
1188 (requested by Giulio Orsero)
1190 option "dhparam" for explicit Diffie-Hellman parameter file
1193 support for OpenSSL DSA certificates (Miika Komu)
1195 create install directories before copying files (Miika Komu)
1197 when exiting on signal, return status 128+signum instead of 1
1199 on EPIPE and ECONNRESET, only issue a warning (Santiago Garcia
1202 -lu could cause a core dump on long messages
1205 modifications to simplify using socat's features in applications
1207 ####################### V 1.4.1.0:
1210 option "wait-slave" blocks open of pty master side until a client
1211 connects, "pty-intervall" controls polling
1213 option -h as synonym to -? for help (contributed by Christian
1216 filan prints formatted time stamps and rdev (disable with -r)
1218 redirect filan's output, so stdout is not affected (contributed by
1221 filan option -L to follow symbolic links
1223 filan shows termios control characters
1226 proxy address no longer performs unsolicited retries
1228 filan -f no longer needs read permission to analyze a file (but still
1229 needs access permission to directory, of course)
1233 FreeBSD options noopt, nopush, md5sig
1234 OpenBSD options sack-disable, signature-enable
1235 HP-UX, Solaris options abort-threshold, conn-abort-threshold
1236 HP-UX options b900, b3600, b7200
1237 Tru64/OSF1 options keepinit, paws, sackena, tsoptena
1239 further corrections:
1240 address pty now uses ptmx as default if openpty is also available
1242 ####################### V 1.4.0.3:
1245 Socat security advisory 1
1247 fix to a syslog() based format string vulnerability that can lead to
1248 remote code execution. See advisory socat-adv-1.txt
1250 ####################### V 1.4.0.2:
1253 exec'd write-only addresses get a chance to flush before being killed
1255 error handler: print notice on error-exit
1257 filan printed wrong file type information
1259 ####################### V 1.4.0.1:
1262 socks4a constructed invalid header. Problem found, reported, and fixed
1263 by Thomas Themel, by Peter Palfrader, and by rik
1265 with nofork, don't forget to apply some process related options
1266 (chroot, setsid, setpgid, ...)
1268 ####################### V 1.4.0.0:
1271 simple openssl server (ssl-l), experimental openssl trust
1273 new options "cafile", "capath", "key", "cert", "egd", and "pseudo" for
1276 new options "retry", "forever", and "intervall"
1278 option "fork" for address TCP improves `gender changer´
1280 options "sigint", "sigquit", and "sighup" control passing of signals to
1281 sub process (thanks to David Shea who contributed to this issue)
1283 readline respects the prompt issued by the peer address
1285 options "prompt" and "noprompt" allow overriding readline's new
1288 readline supports invisible password with option "noecho"
1290 socat option -lp allows setting hostname in log output
1292 socat option -lu turns on microsecond resolution in log output
1296 before reading available data, check if writing on other channel is
1299 tcp6, udp6: support hostname specification (not only IP address), and
1300 map IP4 names to IP6 addresses
1302 openssl client checks server certificate per default
1304 support unidirectional communication with exec/system subprocess
1306 try to restore original terminal settings when terminating
1308 test.sh uses tmp dir /tmp/$USER/$$ instead of /tmp/$$
1310 socks4 failed on platforms where long does not have 32 bits
1311 (thanks to Peter Palfrader and Thomas Seyrat)
1313 hstrerror substitute wrote wrong messages (HP-UX, Solaris)
1315 proxy error message was truncated when answer contained multiple spaces
1319 compiles with AIX xlc, HP-UX cc, Tru64 cc (but might not link)
1321 ####################### V 1.3.2.2:
1324 PROXY CONNECT failed when the status reply from the proxy server
1325 contained more than one consecutive space. Problem reported by
1326 Alexandre Bezroutchko
1328 do not SIGSEGV when proxy address fails to resolve server name
1330 udp-listen failed on systems where AF_INET != SOCK_DGRAM (e.g. SunOS).
1331 Problem reported by Christoph Schittel
1333 test.sh only tests available features
1335 added missing IP and TCP options in filan analyzer
1337 do not apply stdio address options to both directions when in
1340 on systems lacking /dev/*random and egd, provide (weak) entropy from
1345 changes for HP-UX (VREPRINT, h_NETDB_INTERNAL)
1347 compiles on Tru64, FreeBSD (again), NetBSD, OpenBSD
1349 support for long long as st_ino type (Cygwin 1.5)
1351 compile on systems where pty can not be featured
1353 ####################### V 1.3.2.1:
1356 "final" solution for the ENOCHLD problem
1358 corrected "make strip"
1360 default gcc debug/opt is "-O" again
1362 check for /proc at runtime, even if configure found it
1364 src.rpm accidentally supported SuSE instead of RedHat
1366 ####################### V 1.3.2.0:
1369 option "nofork" connects an exec'd script or program directly
1370 to the file descriptors of the other address, circumventing the socat
1373 support for files >2GB, using ftruncate64(), lseek64(), stat64()
1375 filan has new "simple" output style (filan -s)
1379 options "binary" and "text" for controlling line termination on Cygwin
1380 file system access (hint from Yang Wu-Zhou)
1382 fix by Yang Wu-Zhou for the Cygwin "No Children" problem
1384 improved support for OSR: _SVID3; no IS_SOCK, no F_GETOWN (thanks to
1387 minor corrections to avoid warnings with gcc 3
1390 further corrections and minor improvements:
1391 configure script is generated with autoconf 2.57 (no longer 2.52)
1393 configure passes CFLAGS to Makefile
1395 option -??? for complete list of address options and their short forms
1397 program name in syslog messages is derived from argv[0]
1399 SIGHUP now prints notice instead of error
1401 EIO during read of pty now gives Notice instead of Error, and
1404 use of hstrerror() for printing resolver error messages
1406 setgrent() got required endgrent()
1408 ####################### V 1.3.1.0:
1411 integration of Wietse Venema's tcpwrapper library (libwrap)
1413 with "proxy" address, option "resolve" controls if hostname or IP
1414 address is sent in request
1416 option "lowport" establishes limited authorization for TCP and UDP
1419 improvement of .spec file for RPM creation (thanks to Gerd v. Egidy)
1420 An accompanying change in the numbering scheme results in an
1421 incompatibility with earlier socat RPMs!
1424 solved problems and bugs:
1425 PROBLEM: socat daemon terminated when the address of a connecting
1426 client did not match range option value instead of continuing to listen
1427 SOLVED: in this case, print warning instead of error to keep daemon
1430 PROBLEM: tcp-listen with fork sometimes left excessive number of zombie
1432 SOLVED: don't assume that each exiting child process generates SIGCHLD
1434 when converting CRNL to CR, socat converted to NL
1437 further corrections:
1438 configure script now disables features that depend on missing files
1439 making it more robust in "unsupported" environments
1441 server.pem permissions corrected to 600
1443 "make install" now does not strip; use "make strip; make install"
1444 if you like strip (suggested by Peter Bray)
1446 ####################### V 1.3.0.1:
1448 solved problems and bugs:
1449 PROBLEM: OPENSSL did not apply tcp, ip, and socket options
1450 SOLVED: OPENSSL now correctly handles the options list
1452 PROBLEM: CRNL to NL and CRNL to CR conversions failed when CRNL crossed
1454 SOLVED: these conversions now simply strip all CR's or NL's from input
1459 SunOS ptys now work on x86, too (thanks to Peter Bray)
1461 configure looks for freeware libs in /pkgs/lib/ (thanks to Peter Bray)
1464 further corrections:
1465 added WITH_PROXY value to -V output
1467 added compile dependencies of WITH_PTY and WITH_PROXY
1469 -?? did not print option group of proxy options
1471 corrected syntax for bind option in docu
1473 corrected an issue with stdio in unidirectional mode
1475 options socksport and proxyport support service names
1477 ftp.sh script supports proxy address
1479 man page no longer installed with execute permissions (thanks to Peter
1482 fixed a malloc call bug that could cause SIGSEGV or false "out of
1483 memory" errors on EXEC and SYSTEM, depending on program name length and
1486 ####################### V 1.3.0.0:
1489 proxy connect with optional proxy authentication
1491 combined hex and text dump mode, credits to Gregory Margo
1493 address pty applies options user, group, and perm to device
1496 solved problems and bugs:
1497 PROBLEM: option reuseport was not applied (BSD, AIX)
1498 SOLVED: option reuseport now in phase PASTSOCKET instead of PREBIND,
1499 credits to Jean-Baptiste Marchand
1501 PROBLEM: ignoreeof with stdio was ignored
1502 SOLVED: ignoreeof now works correctly with address stdio
1504 PROBLEM: ftp.sh did not use user supplied password
1505 SOLVED: ftp.sh now correctly passes password from command line
1507 PROBLEM: server.pem had expired
1508 SOLVED: new server.pem valid for ten years
1510 PROBLEM: socks notice printed wrong port on some platforms
1511 SOLVED: socks now uses correct byte-order for port number in notice
1514 further corrections:
1515 option name o_trunc corrected to o-trunc
1517 combined use of -u and -U is now detected and prevented
1519 made message system a little more robust against format string attacks
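Added illustration, not socat's code and not taken from the advisory: the 1.4.0.3 entry (syslog() based format string vulnerability) and the 1.3.0.0 hardening note concern one bug class, sketched here as the two-step pattern that avoids it. It assumes the usual form of the bug, a finished message passed as syslog()'s format argument; the page does not show the affected code, and log_format(), log_emit(), build_notice() and count_directives() are hypothetical names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#if defined(__GNUC__)
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* Audit helper: how many conversion directives would a printf-family
 * function act on if s were used as a format string ("%%" is literal). */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;                /* escaped percent sign, skip both */
        else
            n++;
    }
    return n;
}

/* Step 1: expand the program's own constant format exactly once.
 * Returns the number of characters stored, or -1 on error. */
int log_format(char *out, size_t outlen, const char *fmt, ...) PRINTF_LIKE(3, 4);
int log_format(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (outlen == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    return (size_t)n >= outlen ? (int)(outlen - 1) : n;
}

/* Step 2: hand the finished text to syslog() as DATA.
 * The vulnerable form would be syslog(priority, msg): any '%' that the
 * peer managed to place in msg is then interpreted a second time. */
void log_emit(int priority, const char *msg)
{
    syslog(priority, "%s", msg);
}

/* Constructed caller: a notice that embeds text received from a peer. */
int build_notice(char *out, size_t outlen, const char *peer_text)
{
    return log_format(out, outlen, "proxy answered: %s", peer_text);
}

int main(void)
{
    char msg[128];
    build_notice(msg, sizeof msg, "200 %x%x%n OK");   /* constructed input */
    printf("%d live directives if misused as a format: %s\n",
           count_directives(msg), msg);
    log_emit(LOG_NOTICE, msg);
    return 0;
}
```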
1522 ####################### V 1.2.0.0:
1525 address pty for putting socat behind a new pseudo terminal that may
1526 fake a serial line, modem etc.
1528 experimental openssl integration
1529 (it does not provide any trust between the peers because it does not
1530 check certificates!)
1532 options flock-ex, flock-ex-nb, flock-sh, flock-sh-nb to control all
1533 locking mechanism provided by flock()
1535 options setsid and setpgid now available with all address types
1537 option ctty (controlling terminal) now available for all TERMIOS
1540 option truncate (a hybrid of open(.., O_TRUNC) and ftruncate()) is
1541 replaced by options o-trunc and ftruncate=offset
1543 option sourceport now available with TCP and UDP listen addresses to
1544 restrict incoming client connections
1546 unidirectional mode right-to-left (-U)
1549 solved problems and bugs:
1550 PROBLEM: addresses without required parameters but an option containing
1551 a '/' were incorrectly interpreted as implicit GOPEN address
1552 SOLVED: if an address does not have ':' separator but contains '/',
1553 check if the slash is before the first ',' before assuming
1558 ptys under SunOS work now due to use of stream options
1561 further corrections:
1562 with -d -d -d -d -D, don't print debug info during file analysis
1565 ####################### V 1.1.0.1:
1568 .spec file for RPM generation
1571 solved problems and bugs:
1572 PROBLEM: GOPEN on socket did not apply option unlink-late
1573 SOLUTION: GOPEN for socket now applies group NAMED, phase PASTOPEN
1576 PROBLEM: with unidirectional mode, an unnecessary close timeout was
1578 SOLUTION: in unidirectional mode, terminate without wait time
1580 PROBLEM: using GOPEN on a unix domain socket failed for datagram
1582 SOLUTION: when connect() fails with EPROTOTYPE, use a datagram socket
1585 further corrections:
1587 open() flag options had names starting with "o_", now corrected to "o-"
1589 in docu, *-listen addresses were called *_listen
1591 address unix now called unix-connect because it does not handle unix
1594 in test.sh, apply global command line options with all tests
1597 ####################### V 1.1.0.0:
1600 regular man page and html doc - thanks to kromJx for prototype
1602 new address type "readline", utilizing GNU readline and history libs
1604 address option "history-file" for readline
1606 new option "dash" to "exec" address that allows starting login shells
1608 syslog facility can be set per command line option
1610 new address option "tcp-quickack", found in Linux 2.4
1612 option -g prevents option group checking
1614 filan and procan can print usage
1616 procan prints rlimit infos
1619 solved problems and bugs:
1620 PROBLEM: raw IP socket SIGSEGV'ed when it had been shut down.
1621 SOLVED: set eof flag of channel on shutdown.
1623 PROBLEM: if channel 2 uses a single non-socket FD in bidirectional mode
1624 and has data available while channel 1 reaches EOF, the data is
1626 SOLVED: during one loop run, first handle all data transfers and
1627 _afterwards_ handle EOF.
1629 PROBLEM: despite option NONBLOCK, the connect() call blocked
1630 SOLVED: option NONBLOCK is now applied in phase FD instead of LATE
1632 PROBLEM: UNLINK options issued error when file did not exist,
1634 SOLVED: failure of unlink() is only warning if errno==ENOENT
1636 PROBLEM: TCP6-LISTEN required numeric port specification
1637 SOLVED: now uses common TCP service resolver
1639 PROBLEM: with PIPE, wrong FDs were shown for data transfer loop
1640 SOLVED: retrieval of FDs now pays respect to PIPE peculiarities
1642 PROBLEM: using address EXEC against an address with IGNOREEOF, socat
1644 SOLVED: corrected EOF handling of sigchld
1648 MacOS and old AIX versions now have pty
1650 flock() now available on Linux (configure check was wrong)
1652 named pipes were generated using mknod(), which requires root under BSD
1653 now they are generated using mkfifo
1656 further corrections:
1657 lots of address options that were "forgotten" at runtime are now
1660 option BINDTODEVICE now also called SO-BINDTODEVICE, IF
1662 "make install" now installs binaries with ownership 0:0
1665 ####################### V 1.0.4.2:
1667 solved problems and bugs:
1668 PROBLEM: EOF of one stream caused close of other stream, giving it no
1669 chance to go down regularly
1670 SOLVED: EOF of one stream now causes shutdown of write part of other
1673 PROBLEM: sending mail via socks address to qmail showed that crlf
1674 option does not work
1675 SOLVED: socks address applies PH_LATE options
1677 PROBLEM: in debug mode, no info about socat and platform was issued
1678 SOLVED: print socat version and uname output in debug mode
1680 PROBLEM: invoking socat with -t and no following parameters caused
1682 SOLVED: -t and -b now check next argv entry
1684 PROBLEM: when opening of logfile (-lf) failed, no error was reported
1685 and no further messages were printed
1686 SOLVED: check result of fopen and print error message if it failed
1689 address type UDP-LISTEN now supports option fork: it internally applies
1690 socket option SO_REUSEADDR so a new UDP socket can bind to port after
1691 `accepting´ a connection (child processes might live forever though)
1692 (suggestion from Damjan Lango)
1695 ####################### V 1.0.4.1:
1697 solved problems and bugs:
1698 PROB: assert in libc caused an endless recursion
1699 SOLVED: no longer catch SIGABRT
1701 PROB: socat printed wrong verbose prefix for "right to left" packets
1702 SOLVED: new parameter for xiotransfer() passes correct prefix
1705 in debug mode, socat prints its command line arguments
1706 in verbose mode, escape special characters and replace unprintables
1707 with '.'. Patch from Adrian Thurston.
1710 ####################### V 1.0.4.0:
1712 solved problems and bugs:
1713 Debug output for lstat and fstat said "stat"
1715 further corrections:
1716 FreeBSD now includes libutil.h
1719 option setsid with exec/pty
1720 option setpgid with exec/pty
1721 option ctty with exec/pty
1723 gettimeofday in sycls.c (no use yet)
1726 before Gethostbyname, invoke inet_aton for MacOSX
1729 ####################### V 1.0.3.0:
1731 solved problems and bugs:
1733 PROB: test 9 of test.sh (echo via file) failed on some platforms,
1734 socat exited without error message
1735 SOLVED: _xioopen_named_early(): preset statbuf.st_mode with 0
1737 PROB: test 17 hung forever
1738 REASON: child death before select loop did not result in EOF
1739 SOLVED: check of existence of children before starting select loop
1741 PROB: test 17 failed
1742 REASON: child dead triggered EOF before last data was read
1743 SOLVED: after child death, read last data before setting EOF
1745 PROB: filan showed that exec processes incorrectly had fd3 open
1746 REASON: inherited open fd3 from main process
1747 SOLVED: set CLOEXEC flag on pty fd in main process
1749 PROB: help printed "undef" instead of group "FORK"
1750 SOLVED: added "FORK" to group name array
1752 PROB: fatal messages did not include severity classifier
1753 SOLVED: added "F" to severity classifier array
1755 PROB: IP6 addresses were printed incorrectly
1756 SOLVED: removed type casts to unsigned short *
1758 further corrections:
1759 socat catches illegal -l modes
1760 corrected error message on setsockopt(linger)
1761 option tabdly is of type uint
1762 correction for UDP over IP6
1763 more cpp conditionals, esp. for IP6 situations
1764 better handling of group NAMED options with listening UNIX sockets
1765 applyopts2 now includes last given phase
1766 corrected option group handling for most address types
1767 introduce dropping of unappliable options (dropopts, dropopts2)
1768 gopen now accepts socket and unix-socket options
1769 exec and system now accept all socket and termios options
1770 child process for exec and system addresses with option pty
1771 improved descriptions and options for EXAMPLES
1772 printf format for file mode changed to "0%03o" with length spec.
1773 added va_end() in branch of msg()
1774 changed phase of lock options from PASTOPEN to FD
1775 support up to four early dying processes
1778 xiosysincludes now includes sysincludes.h for non xio files
1783 TYPE_DOUBLE, u_double
1785 added getsid(), setsid(), send() to sycls
1786 procan prints sid (session id)
1787 mail.sh gets -f (from) option
1788 new EXAMPLEs for file creation
1789 gatherinfo.sh now tells about failures
1790 test.sh can check for much more address/option combinations
1793 ispeed, ospeed for termios on FreeBSD
1794 getpgid() conditional for MacOS 10
1795 added ranlib in Makefile.in for MacOS 10
1796 disable pty option if no pty mechanism is available (MacOS 10)
1797 now compiles and runs on MacOS 10 (still some tests fail)
1798 setgroups() conditional for cygwin
1799 sighandler_t defined conditionally
1800 use gcc option -D_GNU_SOURCE