Re: bash sockets: printf \x0a does TCP fragmentation

[Bob Proulx]

dirk+b...@testssl.sh wrote:
> we discovered a strange phenomenon in the project testssl.sh:

You are doing something that is quite unusual.  You are using a shell
script direction on a TCP socket.  That isn't very common.  More
typically one would use a C program instead.  So it isn't surprising
that you are finding interactions that are not well known.

> printf -- "$data" >&5 2>/dev/null

Why is stderr discarded?  That is almost always bad because it
discards any errors that might occur.  You probably shouldn't do this.

What happens if $data contains % format strings?  What happens if the
format contains a sequence such as \c?  This looks problematic.  This
is not a safe programming proctice.

> does not do what it is intended.

"Intent" is in the eye of the beholder.

> "$data" is  a ClientHello like
> 
> '\x16\x03\x01\x2\x00\x01\x00\x1\xfc\x03\x03\x54\x51\x1e\x7a\xde\xad\xbe\xef\x31\x33\x07\x00\x00\x00\x00\x00\xcf\xbd\x39\x04\xcc\x16\x0a\...'
> 
> Each \x0a like the last one causes a new TCP fragment to begin which can be 
> easily
> spotted when using wireshark while running e.g.

As Chet said the libc stdio library is probably doing line oriented
buffering.  The newline is causing a flush at that time.

> One would assume that a bash socket connection cannot influence the TCP
> fragmentation but obviously it does.

One would be in error to assume this.

> If there's a workaround, please let me know. (tried to add "%b" with no
> effect). Otherwise I believe it's a bug.

You can re-block the output stream using other tools such as 'cat' or
'dd'.  Since you are concerned about block size then perhaps dd is the
better of the two.

  | cat

Or probably better:

  | dd status=none bs=1M

Or use whatever block size you wish.  The 'dd' program will read the
input into its buffer and then output that block of data all in one
write(2).  That seems to be what you are wanting.

Good luck! :-)

Bob

P.S. You can possibly use the 'stdbuf' command to control the output
buffering depending upon the program.

  info stdbuf

Re: bash sockets: printf \x0a does TCP fragmentation

[Chet Ramey]

On 9/21/18 4:13 PM, dirk+b...@testssl.sh wrote:
> 
> Hello there,
> 
> we discovered a strange phenomenon in the project testssl.sh:
> 
> After opening a TCP socket with a fd (here: 5), when writing to it,
> it seems that
> 
> printf -- "$data" >&5 2>/dev/null
> 
> does not do what it is intended. "$data" is  a ClientHello like
> 
> '\x16\x03\x01\x2\x00\x01\x00\x1\xfc\x03\x03\x54\x51\x1e\x7a\xde\xad\xbe\xef\x31\x33\x07\x00\x00\x00\x00\x00\xcf\xbd\x39\x04\xcc\x16\x0a\...'
> 
> Each \x0a like the last one causes a new TCP fragment to begin which can be 
> easily
> spotted when using wireshark while running e.g.

Newline? It's probably that stdout is line-buffered and the newline causes
a flush, which results in a write(2).

> If there's a workaround, please let me know. (tried to add "%b" with no
> effect). Otherwise I believe it's a bug.

How? Does the emitted output not correspond to what's passed to printf
in some way?

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRUc...@case.eduhttp://tiswww.cwru.edu/~chet/

bash sockets: printf \x0a does TCP fragmentation

[dirk+bash]

Hello there,

we discovered a strange phenomenon in the project testssl.sh:

After opening a TCP socket with a fd (here: 5), when writing to it,
it seems that

printf -- "$data" >&5 2>/dev/null

does not do what it is intended. "$data" is  a ClientHello like

'\x16\x03\x01\x2\x00\x01\x00\x1\xfc\x03\x03\x54\x51\x1e\x7a\xde\xad\xbe\xef\x31\x33\x07\x00\x00\x00\x00\x00\xcf\xbd\x39\x04\xcc\x16\x0a\...'

Each \x0a like the last one causes a new TCP fragment to begin which can be 
easily
spotted when using wireshark while running e.g.

testssl.sh --assume-http -p testssl.sh

Starting from the SSLv3 ClientHello the first reassembled packet
ends with 0a.

See also discussion @ https://github.com/drwetter/testssl.sh/pull/1113.

One would assume that a bash socket connection cannot influence the TCP
fragmentation but obviously it does.

This behavior has a performance penalty and other strange effects, e.g.
if the first segment is really small, some devices reject the ClientHello.


If there's a workaround, please let me know. (tried to add "%b" with no
effect). Otherwise I believe it's a bug.

Cheers, Dirk


PS: Would ulimit -b  help?

Re: Which commit for a bug in 4.3.48 which is fixed in 4.4.23

[Eduardo A . Bustamante López]

On Fri, Sep 21, 2018 at 01:11:38PM +0200, Dr. Werner Fink wrote:
> Hi,
> 
> with 4.3.48 the line
> 
>   T="";echo ">${T//*/ }<"
> 
> leads to
> 
>   ><
> 
> but with 4.4.23 the correct result is given back
> 
>   > <
> 
> in the git repro I do not find any useful login entry for this

Check commit 34ec1876071b76d3654a418682e3f34ca9a72f1a:

+lib/glob/gmisc.c
+   - match_pattern_char, match_pattern_wchar: if passed an empty string,
+ return a match if the first character of the pattern is `*'
+
+subst.c
+   - pat_subst: change to allow empty strings to be replaced as long as
+ pattern matches empty string.  Report and fix from isabella parakiss
+ 

In particular, this change to match_pattern:

@@ -4435,7 +4437,7 @@ match_pattern (string, pat, mtype, sp, ep)
   size_t slen, plen, mslen, mplen;
 #endif

-  if (string == 0 || *string == 0 || pat == 0 || *pat == 0)
+  if (string == 0 || pat == 0 || *pat == 0)
 return (0);

Re: Special parameter ?

[Enrique Soriano]

> The thing that creates the background job IS a foreground pipeline. It's a 
> foreground pipeline that creates a background
> job, if that makes sense.

Sure. That's the mechanism to implement the background job.

The problem is that the user that reads the manual is dealing with the
"background" and "foreground" abstractions; for him, the most recently
foreground command in my example is false.

> I recommend to store the value of $? in a variable if you plan on using it 
> afterwards, since it's extremely easy to end
> up overriding its value.

Thanks, but I am not trying to implement anything. I am trying to fix
the man page  :)

> You're right, but it might be less confusing if I removed the "foreground"
> from the description.

This could help.


-- 
Enrique Soriano
Escuela Superior de Ingeniería de Telecomunicación,
Universidad Rey Juan Carlos.
Tel: 914888762
http://gsyc.urjc.es/~esoriano

Re: suspend and ||

[Chet Ramey]

On 9/21/18 7:49 AM, esori...@gsyc.urjc.es wrote:
> According to the manual:
> 
> (I)  Typing the suspend character (typically ^Z, Control-Z) 
>  while a process is running causes that process to be
>  stopped and returns control to bash.
> 
> (II) An OR list has the form
> 
>   command1 || command2
> 
>  command2  is executed if and only if command1
>  returns a non-zero exit status.  The return status of
>  AND and OR lists is the exit status of the last 
>  command executed in the list.
> 
> In the following example:
> 
> esoriano@omac:~$ sleep 10 || echo hey
> ^Z
> [5]+  Stopped sleep 10
> hey
> esoriano@omac:~$ 
> 
> there are two different issues:
> 
> (I) echo is executed when sleep is suspended, i.e., command2 is 
>executed before command1 exits.

This is true, and it's the difference between a process, which is the
object you suspend, and a shell command. When you suspend the sleep,
it returns a status: 128+SIGTSTP. Since this is non-zero, the second
part of the AND-OR list gets executed.

The idiomatic way to do what you want is to get the command you want
to run as a unit into a construct like (...) -- if you want to run it
in the foreground -- so you have a single process that you can suspend.

This has come up many times, in the context of compound commands like
loops and command sequences.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRUc...@case.eduhttp://tiswww.cwru.edu/~chet/

Re: Special parameter ?

[Chet Ramey]

On 9/21/18 11:17 AM, Eduardo A. Bustamante López wrote:
> On Fri, Sep 21, 2018 at 04:17:11PM +0200, Enrique Soriano wrote:
>>> You're seeing the status from the creation of the background job (which is
>>> always 0), not from its completion.
>>
>> Ah, I see.
>>
>> Anyway, the behavior is not coherent with the manual page: in this
>> case, $? has the status from the creation of the background job,
>> that's not "the status of the most recently executed foreground
>> pipeline".
> 
> The thing that creates the background job IS a foreground pipeline. It's a 
> foreground pipeline that creates a background
> job, if that makes sense.

You're right, but it might be less confusing if I removed the "foreground"
from the description.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRUc...@case.eduhttp://tiswww.cwru.edu/~chet/

Re: Special parameter ?

[Eduardo A . Bustamante López]

On Fri, Sep 21, 2018 at 04:17:11PM +0200, Enrique Soriano wrote:
> > You're seeing the status from the creation of the background job (which is
> > always 0), not from its completion.
> 
> Ah, I see.
> 
> Anyway, the behavior is not coherent with the manual page: in this
> case, $? has the status from the creation of the background job,
> that's not "the status of the most recently executed foreground
> pipeline".

The thing that creates the background job IS a foreground pipeline. It's a 
foreground pipeline that creates a background
job, if that makes sense.

dualbus@ubuntu:~$ cat t.sh
(exit 2)
(exit 3) & pid=$!
echo $?
wait "$pid"
echo $?

dualbus@ubuntu:~$ bash t.sh
0
3

I recommend to store the value of $? in a variable if you plan on using it 
afterwards, since it's extremely easy to end
up overriding its value.

Re: Special parameter ?

[Enrique Soriano]

> You're seeing the status from the creation of the background job (which is
> always 0), not from its completion.

Ah, I see.

Anyway, the behavior is not coherent with the manual page: in this
case, $? has the status from the creation of the background job,
that's not "the status of the most recently executed foreground
pipeline".

Regards

Re: Special parameter ?

[Greg Wooledge]

On Fri, Sep 21, 2018 at 01:23:57PM +0200, esori...@gsyc.urjc.es wrote:
> The man page of bash (Special Parameters section) says:
> 
>? expands to the exit status of the most 
>recently executed foreground pipeline.
> 
> Nevertheless, background commands also modify the
> value of this variable. 

This is incorrect.  The exit status of a background command can only
be retrieved by calling "wait" (or if the background command itself
chooses to write the forthcoming exit status to stdout, or to a file,
etc.).

> Example:
> 
> esoriano@omac:~$ false
> esoriano@omac:~$ sleep 2 &
>(wait 3 seconds)
> esoriano@omac:~$ echo $?
> 0
> esoriano@omac:~$  
> 
> In this example, the most recently executed foreground 
> command is false, so the value of $? should be 1.

Under "Lists":

   If a command is terminated by the control operator &,  the  shell  exe‐
   cutes  the command in the background in a subshell.  The shell does not
   wait for the command to finish, and the return status is  0.

You're seeing the status from the creation of the background job (which is
always 0), not from its completion.

Compare:

wooledg:~$ (sleep 3; exit 47) & pid=$!
[1] 19112
wooledg:~$ echo $?
0
wooledg:~$ 
[1]+  Exit 47 ( sleep 3; exit 47 )
wooledg:~$ echo $?
0
wooledg:~$ wait $pid; echo $?
47

Even after the background job completes, its exit status is never
propagated into the foreground shell's $? parameter.  The only way
to retrieve the status is with a wait command which is given a PID or
a job specifier.

suspend and ||

[esoriano]

According to the manual:

(I)  Typing the suspend character (typically ^Z, Control-Z) 
 while a process is running causes that process to be
 stopped and returns control to bash.

(II) An OR list has the form

  command1 || command2

 command2  is executed if and only if command1
 returns a non-zero exit status.  The return status of
 AND and OR lists is the exit status of the last 
 command executed in the list.

In the following example:

esoriano@omac:~$ sleep 10 || echo hey
^Z
[5]+  Stopped sleep 10
hey
esoriano@omac:~$ 

there are two different issues:

(I) echo is executed when sleep is suspended, i.e., command2 is 
   executed before command1 exits.

(II) the exit status of command1 (when the job is resumed) will
   be 0 and command2 is (was) executed.

Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64' 
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-pc-linux-gnu' 
-DCONF_VENDOR='pc' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL 
-DHAVE_CONFIG_H   -I.  -I../. -I.././include -I.././lib  -Wdate-time 
-D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/build/bash-vEMnMR/bash-4.4.18=. 
-fstack-protector-strong -Wformat -Werror=format-security -Wall 
-Wno-parentheses -Wno-format-security
uname output: Linux omac 4.15.0-34-generic #37-Ubuntu SMP Mon Aug 27 15:21:48 
UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu

Bash Version: 4.4
Patch Level: 19
Release Status: release

Description:
[Detailed description of the problem, suggestion, or complaint.]

Repeat-By:
[Describe the sequence of events that causes the problem
to occur.]

Fix:
[Description of how to fix the problem.  If you don't know a
fix for the problem, don't include this section.]

Special parameter ?

[esoriano]

The man page of bash (Special Parameters section) says:

   ? expands to the exit status of the most 
   recently executed foreground pipeline.

Nevertheless, background commands also modify the
value of this variable. 

Example:

esoriano@omac:~$ false
esoriano@omac:~$ sleep 2 &
   (wait 3 seconds)
esoriano@omac:~$ echo $?
0
esoriano@omac:~$  

In this example, the most recently executed foreground 
command is false, so the value of $? should be 1.

Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64' 
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-pc-linux-gnu' 
-DCONF_VENDOR='pc' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL 
-DHAVE_CONFIG_H   -I.  -I../. -I.././include -I.././lib  -Wdate-time 
-D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/build/bash-vEMnMR/bash-4.4.18=. 
-fstack-protector-strong -Wformat -Werror=format-security -Wall 
-Wno-parentheses -Wno-format-security
uname output: Linux omac 4.15.0-34-generic #37-Ubuntu SMP Mon Aug 27 15:21:48 
UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu

Bash Version: 4.4
Patch Level: 19
Release Status: release

Description:
[Detailed description of the problem, suggestion, or complaint.]

Repeat-By:
[Describe the sequence of events that causes the problem
to occur.]

Fix:
[Description of how to fix the problem.  If you don't know a
fix for the problem, don't include this section.]

Re: trap - inconsistent behaviour

[Chet Ramey]

On 9/20/18 7:39 PM, Jeremy Townshend wrote:

> Bash Version: 4.4
> Patch Level: 19
> Release Status: release
> 
> Description:
>   The behaviour of the "trap" builtin command changes merely by printing 
> the
>   list of commands associated with each signal (trap command issued 
> without
>   arguments).
> 
> Repeat-By:
>   Case 1: In a fresh terminal emulator issue the following:
> 
>   ( trap 'echo trapped >&2' HUP; { sleep 10 & sleepPID=$!; wait 
> $sleepPID; } > >( sleep 1; kill -HUP $BASHPID; cat ) )
> 
>   Case 2: Then in a fresh terminal emulator issue the following:
> 
>   ( trap 'echo trapped >&2' HUP; { sleep 10 & sleepPID=$!; wait 
> $sleepPID; } > >( trap; sleep 1; kill -HUP $BASHPID; cat ) )
> 
>   Expected outcome: either the trap is triggered in both cases or in 
> neither
>   since the only difference is the additional trap command with no 
> arguments
>   (for printing the list of commands associated with each signal).  That 
> is, in
>   this case, "trapped" is expected to be printed in both cases or in 
> neither
>   case.

The trap command shouldn't be executed in either case. The process
substitution is executed in a subshell environment, which doesn't inherit
traps from its parent (though it inherits the trap strings; see
http://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_28).

The process substitution sends the SIGHUP to itself ($BASHPID), which
should cause it to terminate but not result in a signal being sent to its
parent. However, the parent is getting a SIGHUP from somewhere.

It seems like this behavior is the result of the shell being interactive.
I'll take a look.

Chet

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRUc...@case.eduhttp://tiswww.cwru.edu/~chet/

Which commit for a bug in 4.3.48 which is fixed in 4.4.23

[Dr. Werner Fink]

Hi,

with 4.3.48 the line

  T="";echo ">${T//*/ }<"

leads to

  ><

but with 4.4.23 the correct result is given back

  > <

in the git repro I do not find any useful login entry for this

Werner

-- 
  "Having a smoking section in a restaurant is like having
  a peeing section in a swimming pool." -- Edward Burr


signature.asc
Description: PGP signature