VYPR
← All advisories
Unrated severityNVD Advisory· Published Sep 14, 2010· Updated Apr 29, 2026

CVE-2010-2799

CVE-2010-2799

Description

Stack-based buffer overflow in the nestlex function in nestlex.c in Socat 1.5.0.0 through 1.7.1.2 and 2.0.0-b1 through 2.0.0-b3, when bidirectional data relay is enabled, allows context-dependent attackers to execute arbitrary code via long command-line arguments.

Affected products

10
  • Dest Unreach/Socat10 versions
    cpe:2.3:a:dest-unreach:socat:1.5.0.0:*:*:*:*:*:*:*+ 9 more
    • cpe:2.3:a:dest-unreach:socat:1.5.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:dest-unreach:socat:1.6.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:dest-unreach:socat:1.6.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:dest-unreach:socat:1.7.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:dest-unreach:socat:1.7.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:dest-unreach:socat:1.7.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:dest-unreach:socat:1.7.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:dest-unreach:socat:2.0.0:b1:*:*:*:*:*:*
    • cpe:2.3:a:dest-unreach:socat:2.0.0:b2:*:*:*:*:*:*
    • cpe:2.3:a:dest-unreach:socat:2.0.0:b3:*:*:*:*:*:*

Patches

1
6340d5d2c81e

fixed a stack overflow vulnerability with long command line args

https://github.com/msmania/poodimGerhard RiegerOct 3, 2010via osv
commit
3 files changed · +85 4
  • CHANGES+9 0 modified
    @@ -1,4 +1,13 @@
 
+security:
+	fixed a stack overflow vulnerability that occurred when command
+	line arguments (whole addresses, host names, file names) were longer
+	than 512 bytes.
+	Note that this could only be exploited when an attacker was able to
+	inject data into socat's command line.
+	Full credits to Felix Gröbert, Google Security Team, for finding and
+	reporting this issue
+
 ####################### V 1.7.1.2:
 
 corrections:
  • nestlex.c+3 3 modified
    @@ -1,5 +1,5 @@
 /* source: nestlex.c */
-/* Copyright Gerhard Rieger 2006 */
+/* Copyright Gerhard Rieger 2006-2010 */
 /* Published under the GNU General Public License V.2, see file COPYING */
 
 /* a function for lexical scanning of nested character patterns */
@@ -211,7 +211,7 @@ int nestlex(const char **addr,	/* input string; aft points to end token */
 	 }
 	 *out++ = c;
 	 --*len;
-	 if (len == 0) {
+	 if (*len == 0) {
 	    *addr = in;
 	    *token = out;
 	    return -1;	/* output overflow */
@@ -222,7 +222,7 @@ int nestlex(const char **addr,	/* input string; aft points to end token */
       /* just a simple char */
       *out++ = c;
       --*len;
-      if (len == 0) {
+      if (*len == 0) {
 	 *addr = in;
 	 *token = out;
 	 return -1;	/* output overflow */
  • test.sh+73 1 modified
    @@ -10115,6 +10115,7 @@ fi
 fi # NUMCOND
  ;;
 esac
+PORT=$((PORT+1))
 N=$((N+1))
 
 
@@ -10167,6 +10168,76 @@ fi
 fi # NUMCOND
  ;;
 esac
+PORT=$((PORT+1))
+N=$((N+1))
+
+
+# socat up to 1.7.1.2 had a stack overflow vulnerability that occurred when
+# command line arguments (whole addresses, host names, file names) were longer
+# than 512 bytes.
+NAME=HOSTNAMEOVFL
+case "$TESTS" in
+*%functions%*|*%bugs%*|*%security%*|*%socket%*|*%$NAME%*)
+TEST="$NAME: stack overflow on overly long host name"
+# provide a long host name to TCP-CONNECT and check socats exit code
+if ! eval $NUMCOND; then :; else
+tf="$td/test$N.stdout"
+te="$td/test$N.stderr"
+tdiff="$td/test$N.diff"
+da="test$N $(date) $RANDOM"
+# prepare long data - perl might not be installed
+rm -f "$td/terst$N.dat"
+i=0; while [ $i -lt 64 ]; do  echo -n "AAAAAAAAAAAAAAAA" >>"$td/test$N.dat"; i=$((i+1)); done
+CMD0="$SOCAT $opts TCP-CONNECT:$(cat "$td/test$N.dat"):$PORT STDIO"
+printf "test $F_n $TEST... " $N
+$CMD0 </dev/null 1>&0 2>"${te}0"
+rc0=$?
+if [ $rc0 -lt 128 ] || [ $rc0 -eq 255 ]; then
+    $PRINTF "$OK\n"
+    numOK=$((numOK+1))
+else
+    $PRINTF "$FAILED\n"
+    echo "$CMD0"
+    cat "${te}0"
+    numFAIL=$((numFAIL+1))
+fi
+fi # NUMCOND
+ ;;
+esac
+PORT=$((PORT+1))
+N=$((N+1))
+
+# socat up to 1.7.1.2 had a stack overflow vulnerability that occurred when
+# command line arguments (whole addresses, host names, file names) were longer
+# than 512 bytes.
+NAME=FILENAMEOVFL
+case "$TESTS" in
+*%functions%*|*%bugs%*|*%security%*|*%openssl%*|*%$NAME%*)
+TEST="$NAME: stack overflow on overly long file name"
+# provide a 600 bytes long key file option to SSL-CONNECT and check socats exit code
+if ! eval $NUMCOND; then :; else
+tf="$td/test$N.stdout"
+te="$td/test$N.stderr"
+tdiff="$td/test$N.diff"
+da="test$N $(date) $RANDOM"
+i=0; while [ $i -lt 64 ]; do  echo -n "AAAAAAAAAAAAAAAA" >>"$td/test$N.dat"; i=$((i+1)); done
+CMD0="$SOCAT $opts OPENSSL:localhost:$PORT,key=$(cat "$td/test$N.dat") STDIO"
+printf "test $F_n $TEST... " $N
+$CMD0 </dev/null 1>&0 2>"${te}0"
+rc0=$?
+if [ $rc0 -lt 128 ] || [ $rc0 -eq 255 ]; then
+    $PRINTF "$OK\n"
+    numOK=$((numOK+1))
+else
+    $PRINTF "$FAILED\n"
+    echo "$CMD0"
+    cat "${te}0"
+    numFAIL=$((numFAIL+1))
+fi
+fi # NUMCOND
+ ;;
+esac
+PORT=$((PORT+1))
 N=$((N+1))
 
 
@@ -10276,7 +10347,7 @@ CMD1="$SOCAT $opts - client-address"
 printf "test $F_n $TEST... " $N
 $CMD0 >/dev/null 2>"${te}0" &
 pid0=$!
-wait<something>port $xy 1
+wait<something>port $PORT 1
 echo "$da" |$CMD1 >"${tf}1" 2>"${te}1"
 rc1=$?
 kill $pid0 2>/dev/null; wait
@@ -10294,4 +10365,5 @@ fi
 fi # NUMCOND
  ;;
 esac
+PORT=$((PORT+1))
 N=$((N+1))

Vulnerability mechanics

Root cause

"Missing pointer dereference in buffer-length checks within the nestlex function allows stack-based buffer overflow when command-line arguments exceed 512 bytes."

Attack vector

An attacker who can inject data into socat's command line (e.g., via a controlled host name, file name, or address argument) can trigger the vulnerability. When bidirectional data relay is enabled, the nestlex function copies the long argument into a fixed-size stack buffer without properly checking the remaining space. The bug is that the code compares the pointer `len` against zero instead of dereferencing it (`*len`), so the length check never fires and the copy continues past the buffer boundary [CWE-119].

Affected code

The vulnerability resides in the `nestlex` function in `nestlex.c`. Two buffer-length checks at lines 214 and 223 compare the pointer `len` to zero instead of dereferencing it as `*len`, causing the overflow guard to never activate. The patch also updates the copyright year and adds test cases in `test.sh` for long host names and file names.

What the fix does

The patch changes two `if (len == 0)` checks to `if (*len == 0)` in nestlex.c [patch_id=39]. The original code compared the pointer value itself to zero rather than the integer it points to, meaning the buffer-overflow guard was never triggered. By dereferencing the pointer, the function now correctly checks whether the remaining output buffer space has been exhausted and returns -1 before writing past the end of the stack buffer.

Preconditions

  • inputAttacker must be able to supply a command-line argument (host name, file name, or address) longer than 512 bytes
  • configBidirectional data relay must be enabled
  • authNo authentication required; the attacker only needs the ability to influence socat's command-line invocation

Generated by deepseek/deepseek-v4-flash-20260423 on May 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.