Advisories and Support

How to request technical support when you have a problem or found a bug
---

### Commercial edition users

You are entitled to our timely expert professional support. Please [contact us](contact.html) for more details.

### Open source users

Report bugs and submit patches by visiting the SourceForge gSOAP issue tracker. We monitor these trackers and you can receive status updates as the issues are addressed over time.

gSOAP 2.8.23-43 on Windows platforms {#iphr}
---

Upgrade to 2.8.44 or greater. If upgrading is not possible, check gsoap-2.8/gsoap/stdsoap2.h around line 1446 for the two macros `soap_strncpy` and `soap_strncat` that use `strncpy_s` and `strncat_s`. Remove the `#if _MSC_VER >= 1400` branch that defines the `_s`-based macros and keep the macro in the `#else` branch only. This prevents Invalid Parameter Handler Routine invocation. The invocation is **very unlikely to occur**, but in one case there is no absolute guarantee.

gSOAP 2.8.23-34 WCF MessageSecurity example
---

The code in calculator.cpp uses the wrong `token_handler` function parameters. It should be the following for 2.8.34:

    static const void *token_handler(struct soap *soap, int *alg, const char *keyname, const unsigned char *keyid, size_t keyidlen, int *keylen)
    {
      const char *ctxId;
      struct ds__X509IssuerSerialType *issuer;
      switch (*alg)
      {

and for releases prior to 2.8.33:

    static const void *token_handler(struct soap *soap, int *alg, const char *keyname, int *keylen)
    {
      const char *ctxId;
      struct ds__X509IssuerSerialType *issuer;
      switch (*alg)
      {

gSOAP 2.8.23-30 crash in C++ nested dynamic arrays
---

Nested dynamic arrays in classes and structs may cause the deserializer to crash (containers are fine). These nested arrays are classes or structs with a `__ptr` and a `__size` member such that the members also contain arrays.
The patch for stdsoap2.h:3394 in `template<class T> struct soap_block` is:

    static void save(struct soap *soap, struct soap_blist *b, T *p)
    {
      if (!b)
        b = soap->blist;
      for (T *q = (T*)soap_first_block(soap, b); q; q = (T*)soap_next_block(soap, b))
      {
        soap_update_pointers(soap, (const char*)p, (const char*)q, sizeof(T));
        *p++ = *q;
        q->T::~T();
      }
      soap_end_block(soap, b); // ADD THIS LINE
    }

gSOAP 2.8.28 "SNI failed" error with OpenSSL 0.9.8
---

In stdsoap2.c/.cpp:4636 change the second line of:

    #elif (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && defined(SSL_CTRL_SET_TLSEXT_HOSTNAME)
      if (SSL_ctrl(soap->ssl, SSL_CTRL_SET_TLSEXT_HOSTNAME, TLSEXT_NAMETYPE_host_name, (void*)host))

to:

    #elif (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && defined(SSL_CTRL_SET_TLSEXT_HOSTNAME)
      if (!SSL_ctrl(soap->ssl, SSL_CTRL_SET_TLSEXT_HOSTNAME, TLSEXT_NAMETYPE_host_name, (void*)host))

gSOAP 2.8.25-26 WITH_NOIDREF may cause crash
---

In stdsoap2.c/.cpp in `soap_versioning(soap_init)` close to line 2577 remove `#ifndef WITH_NOIDREF` to enable `soap_init_iht`:

    #ifndef WITH_NOIDREF // REMOVE
      soap_init_iht(soap);
    #endif // REMOVE

gSOAP 2.8.1-2.8.28 and OpenSSL updates
---

**Security advisory:** Due to the recent publishing of information regarding a TLS/SSL protocol vulnerability (ISC diary entry), OpenSSL has released a new version, OpenSSL 0.9.8l. Please use the latest OpenSSL release with gSOAP.

**Security advisory:** OpenSSL 1.0.1 users should upgrade to 1.0.1j to work around the SSLv3 POODLE vulnerability (CVE-2014-3566). The gSOAP version releases 2.8.20 and up support only TLS by default, with SSLv3 disabled (can be selectively enabled). For older versions of gSOAP we recommend removing SSLv3 support, thus enabling TLSv1 (TLS 1.0, 1.1, and 1.2) only. This provides a safe workaround for this issue in general (for any OpenSSL version). To do so, on the client side set the SSL context as follows:

    soap_ssl_client_context(soap, SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION | SOAP_TLSv1, ...)
On the server side set the context as follows:

    soap_ssl_server_context(soap, SOAP_TLSv1, ...)

or set the context as follows when the client is required to authenticate:

    soap_ssl_server_context(soap, SOAP_SSL_REQUIRE_CLIENT_AUTHENTICATION | SOAP_TLSv1, ...)

Changes in the OpenSSL API can lead to a client-side crash in the gSOAP engine for all gSOAP versions 2.8.11 and earlier. This is fixed in 2.8.12 and later. The fix is to replace `tcp_connect()` in `stdsoap2.c` and `stdsoap2.cpp` with this new tcp_connect.c code that replaces the host name check code that is no longer supported in newer OpenSSL versions (releases 0.9.8 and up).

Compilation error when compiling threads.c
---

Add the following line to `threads.c`:

    #include "stdsoap2.h"

Patch for 2.8.19 and 2.8.20
---

For versions 2.8.19 and 2.8.20: Visual Studio does not support `%F` and `%T` in `strftime`. In `stdsoap2.c` and `stdsoap2.cpp`, replace all occurrences of `%F` with `%Y-%m-%d` and `%T` with `%H:%M:%S`.

Version 2.8.17r is a revision release of 2.8.17 to include a fix for IO timeout settings.

Patch for 2.8.x HTTP digest plugin module
---

In `gsoap/plugin/md5evp.c` change line 81 from

    EVP_DigestFinal(ctx, (unsigned char*)hash, &size);

to

    EVP_DigestFinal_ex(ctx, (unsigned char*)hash, &size);

to avoid double deallocation issues.

Patch for 2.8.13 to 2.8.15 ISAPI module link errors
---

Changes have to be made to avoid link errors to `soap_init` (which is renamed to `soap_initialize` in `stdsoap2.def` exports) in the patch.
Download 2.8.15 patch.

Patch for 2.8.13 and 2.8.14 DIME/MTOM attachment processing and HTTP Digest authentication
---

Download 2.8.14 patch.

This patch also replaces `mode` with `omode` in these two functions (as shown):

    soap_reference(struct soap *soap, const void *p, int t)
    {
      struct soap_plist *pp;
      if (!p || (!soap->encodingStyle && !(soap->omode & (SOAP_ENC_DIME|SOAP_ENC_MIME|SOAP_ENC_MTOM|SOAP_XML_GRAPH))) || (soap->omode & SOAP_XML_TREE))
        return 1;

and

    soap_array_reference(struct soap *soap, const void *p, const struct soap_array *a, int n, int t)
    {
      struct soap_plist *pp;
      if (!p || !a->__ptr || (!soap->encodingStyle && !(soap->omode & (SOAP_ENC_DIME|SOAP_ENC_MIME|SOAP_ENC_MTOM|SOAP_XML_GRAPH))) || (soap->omode & SOAP_XML_TREE))
        return 1;

Correction for 2.8.9 samples/wcf/WS/DualHttp
---

The Makefile `wsrxClient.cpp` build should reference `wsrm5.h`:

    wsrxClient.cpp wsrxServer.cpp:
            $(GSOAP) $(GSFLAGS) -A -pwsrx ../../../../import/wsrm5.h

Patch for 2.8.2 and 2.8.3
---

To patch a bug in `stdsoap2.c` and `stdsoap2.cpp` function `soap_copy_context()` line 8264 (2.8.3 release), change to:

    soap_set_namespaces(copy, soap->namespaces); // REMOVE local_

Update for the 2.8.3 release
---

Includes an XML-RPC update with JSON support to patch array and struct construction, for all pre-2.8.3 releases. New README instructions included.

Download patch.

Update for 2.8.2 and earlier to improve performance
---

A speed improvement trick for MS Windows applications (implemented in the latest 2.8 releases). In `stdsoap2.c` and `stdsoap2.cpp` functions `soap_accept()`, `soap_bind()`, `tcp_connect()` change the code to set the `len` variable as follows:

    #ifndef WITH_WIN32
      int len = SOAP_BUFLEN;
    #else
      int len = SOAP_BUFLEN + 1; /* speeds up windows xfer */
    #endif

This should speed up transfers of 64KB and up to a fraction of a second.


Patches for 2.7.x
---

A problem with `soapcpp2` option `-b` has been reported, where the deserialized fixed-size array is not populated in the soapcpp2-generated code. Rebuild soapcpp2 with the patch for src/symbol2.c:9890:

    if (is_fixedstring(typ))
    {
      fprintf(fhead,"\nSOAP_FMAC3 char* SOAP_FMAC4 soap_in_%s(struct soap*, const char*, char[], const char*);", c_ident(typ));
      fprintf(fout,"\n\nSOAP_FMAC3 char* SOAP_FMAC4 soap_in_%s(struct soap *soap, const char *tag, char a[], const char *type)\n{\tchar *p;\n\tif (soap_instring(soap, tag, &p, type, %s, 1, 0, %d))\n\t\treturn strcpy(a, p);\n\treturn NULL;\n}", c_ident(typ), soap_type(typ), typ->width / ((Tnode*)typ->ref)->width - 1);
      return;

WSRM plugin leak fix wsrmapi.c:3231, insert two lines:

    for (q = p->list; q; q = r)
    {
      r = q->next;
      if (q->buf)
        free((void*)q->buf);
      free((void*)q);
    }

Problem with `#import "custom/duration.h"` that is using an incorrect file name. Patch by changing `typemap.dat` line 94:

    xsd__duration = #import "custom/duration.h" | xsd__duration

to:

    xsd__duration = #import "custom/duration.h" | xsd__duration

Patch for using QT with gSOAP
---

A problem with floating point data has been reported when using QT with gSOAP:

    QApplication app(argc, argv);

or

    QCoreApplication app(argc, argv);

before the gSOAP call, produced a truncated float that keeps only the integer part. It seems that this could be a locale problem (using decimal `.` versus `,`). For correct locale usage in gSOAP, compile the sources with `-DWITH_C_LOCALE`.

Patch for gSOAP 2.7.14
---

A win32 bug with `select()` was found when send/recv timeouts are used. This may lead to premature connection termination.
Patch in `stdsoap2.c` and `stdsoap2.cpp` line 4349:

    static int tcp_select(struct soap *soap, SOAP_SOCKET s, int flags, int timeout)
    {
      register int r;
      struct timeval tv;
      fd_set fd[3], *rfd, *sfd, *efd;
      soap->errnum = 0;
    #ifndef WIN32 // ADD
      /* if fd max set size exceeded, use poll() when available */
    #if defined(__QNX__) || defined(QNX) /* select() is not MT safe on some QNX */
      if (1)
      ...
    #else
      {
        soap->error = SOAP_FD_EXCEEDED;
        return -1;
      }
    #endif
    #endif // ADD
      rfd = sfd = efd = NULL;

Patch for 2.7.x SSL
---

The following is a fix to improve SSL shutdown speed. Change `stdsoap2.c` and `stdsoap2.cpp` line 4630 by replacing `SOAP_TCP_SELECT_SND` by `SOAP_TCP_SELECT_RCV`:

    {
      /* wait up to 10 seconds for close_notify to be sent by peer (if peer not present, this avoids calling SSL_shutdown() which has a lengthy return timeout) */
      r = tcp_select(soap, soap->socket, SOAP_TCP_SELECT_RCV | SOAP_TCP_SELECT_ERR, 10);

Patch for gSOAP 2.7.12
---

Patch for an `xsd:dateTime` numeric timezone normalization issue when converting a dateTime with numeric timezone `(+hh:mm)` to `time_t` (e.g. `2000-03-04T02:00:00+03:00`). Patch `stdsoap2.c` and `stdsoap2.cpp` line 10886:

    /* put hour and min in range */
    T.tm_hour += T.tm_min / 60;
    T.tm_min %= 60;
    if (T.tm_min < 0)
    {
      T.tm_min += 60;
      T.tm_hour--;
    }
    T.tm_mday += T.tm_hour / 24;
    T.tm_hour %= 24;
    if (T.tm_hour < 0)
    {
      T.tm_hour += 24;
      T.tm_mday--;
    }
    /* note: day of the month may be out of range, timegm() handles it */

Patch for gSOAP 2.7.11
---

In `wsseapi.c` line 2721 initialization of `count = 0` is missing:

    static size_t soap_wsse_verify_nested(struct soap *soap, struct soap_dom_element *dom, const char *URI, const char *tag)
    {
      size_t count = 0;

Patch for issues with strtof
---

Fix for known problems with `strtof()` on some platforms (e.g. SUSE 11).
Replace `stdsoap2.c` and `stdsoap2.cpp` line 9724:

    #if defined(HAVE_STRTOF_L)
      char *r;
      *p = strtof_l((char*)s, &r, soap->c_locale);
      if (*r)
    #elif defined(HAVE_STRTOD_L)
      char *r;
      *p = (float)strtod_l(s, &r, soap->c_locale);
      if (*r)
    #elif defined(HAVE_STRTOF)
      char *r;
      *p = strtof((char*)s, &r);
      if (*r)
    #elif defined(HAVE_STRTOD)
      char *r;
      *p = (float)strtod(s, &r);
      if (*r)
    #endif

with:

    #if defined(HAVE_STRTOD_L)
      char *r;
      *p = (float)strtod_l(s, &r, soap->c_locale);
      if (*r)
    #elif defined(HAVE_STRTOD)
      char *r;
      *p = (float)strtod(s, &r);
      if (*r)
    #endif

Patch for gSOAP 2.7.10
---

Download stdsoap2.h/.c/.cpp to fix a floating point conversion with GLIBC using C locale, fixed `xsd:dateTime` timezone offset handling (+/-HH.MM), and fixed SOAPAction output.

Patch for gSOAP 2.7.9l/k
---

Download dom.h with missing `xsd__anyAttribute` definitions.

Download stdsoap2.h/.c/.cpp with improved HTTP chunking and improved socket timeout support.

Download soapcpp2 sources with fix for option `-i` one-way send/recv operations.

Patch for gSOAP 2.7.9j and earlier
---

Download corrections for wsaapi.c plugin.

Patch for gSOAP 2.7.9h
---

To run the `soapcpp2.exe` and `wsdl2h.exe` binaries, you need to install the DLLs that ship with MS VS 2005 (or install MS VS 2005).

Patch for gSOAP 2.7.9g
---

Minor correction needed for `samples/components/cpp/main.cpp`: rename `calc::Service` to `calc::ServiceService`.

Patch for gSOAP 2.7.9a
---

To prevent HTTP chunked transfer responses from the server from showing `202 ACCEPTED`, change `stdsoap2.c` and `stdsoap2.cpp` line 13381 into (`mode` should be `omode`):

    if (count || ((soap->omode & SOAP_IO) == SOAP_IO_CHUNK))

Patch for gSOAP 2.7.9
---

Issue with an `elementFormDefault="unqualified"` bug for C++ class members that represent complexTypes.
The `wsdl2h` translator may ignore option `-o`. Download gSOAP 2.7.9a with a fix.

Updated gSOAP 2.7.8c OpenSSL extension support
---

Download stdsoap2.h 2.7.8c updated source code

Download stdsoap2.c 2.7.8c updated source code

Download stdsoap2.cpp 2.7.8c updated source code

Fix for wsse plugin API HMAC SHA1 signature verification:

Download wsseapi.h plugin

Download wsseapi.c plugin

Patch for gSOAP 2.7.x OpenSSL portability
---

In `stdsoap2.c` and `stdsoap2.cpp` OpenSSL code `meth->d2i()` produces an error on certain platforms. Suggested fix for GCC 4.x and MSVC:

    3758c3758
    < val = meth->i2v(meth, meth->d2i(NULL, &ext->value->data, ext->value->length), NULL);
    ---
    > val = meth->i2v(meth, meth->d2i(NULL, (unsigned const char**)&ext->value->data, ext->value->length), NULL);

Patch for gSOAP 2.7.8b and earlier
---

Fix for HTTPS proxy CONNECT. The `stdsoap2.c` and `stdsoap2.cpp` function `tcp_connect()` contains the following code:

    #ifdef WITH_OPENSSL
      ...
      userid = soap->userid; /* preserve */
      passwd = soap->passwd; /* preserve */
      if (soap_begin_recv(soap))
      {
        soap->fclosesocket(soap, (SOAP_SOCKET)fd);
        return SOAP_INVALID_SOCKET;
      }
      soap->userid = userid; /* restore */
      soap->passwd = passwd; /* restore */
      ...
To resolve the problem, change this into:

      userid = soap->userid; /* preserve */
      passwd = soap->passwd; /* preserve */
      if ((soap->error = soap->fparse(soap)))
      {
        soap->fclosesocket(soap, (SOAP_SOCKET)fd);
        return SOAP_INVALID_SOCKET;
      }
      soap->userid = userid; /* restore */
      soap->passwd = passwd; /* restore */

Patch for gSOAP 2.7.8(a/b) GCC 4.1 with OpenSSL
---

In `stdsoap2.c` and `stdsoap2.cpp` line 3737:

      const char *ext_str = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
      if (!strcmp(ext_str, "subjectAltName"))
      {
        int j;
    -   unsigned char *data;
    +   unsigned const char *data;
        STACK_OF(CONF_VALUE) *val;

Patch for gSOAP 2.7.8a
---

On some systems the use of `soap_isnan()` may fail with a FP exception. The culprit is in `stdsoap2.h` line 847:

    #define soap_isnan(n) ((double)(n) == DBL_NAN)

Either enable isnan checking with `-DHAVE_ISNAN` or change `stdsoap2.h` line 847 to:

    #define soap_isnan(n) (0)

Patch for XML-RPC array handling in gSOAP 2.7.6c and earlier
---

Download and install in samples directory to replace xml-rpc.

Known issue with gSOAP 2.7.4/.5
---

The `soapcpp2` WSDL output may include additional `</message>` tags that must be removed. For some RPC encoded Response messages in the WSDL the name attribute is missing in the `<message>` element.

Patches for gSOAP 2.7.3
---

Fix for hexBinary- and base64Binary-typed XML attribute parsing:

Download stdsoap2.c.

Download stdsoap2.cpp.

Patches for gSOAP 2.7.0f
---

Server-side fix for transmitting fault message responses to clients, which might get lost over a socket that is still open but has an error state:

Download stdsoap2-2.7.0f.c.

Download stdsoap2-2.7.0f.cpp.

Patches for gSOAP 2.7.0d
---

The gSOAP 2.7 releases provide explicit support for schema `elementFormDefault` and `attributeFormDefault`.
This enables the mixing of schemas with default qualified element/attribute tags together with schemas with unqualified element/attribute tags in the same WSDL document. As a result of these changes, when you define a document/literal service, you should add the following directive to your header file to set the element and attribute form defaults to `"qualified"`:

    //gsoap ns schema form: qualified

or:

    //gsoap ns schema elementForm: qualified
    //gsoap ns schema attributeForm: unqualified

to declare form defaults for elements and attributes (i.e. schema `elementFormDefault="qualified"` and `attributeFormDefault="unqualified"`). Repeat this for all your schemas, e.g. ns1, ns2, and so on.

The difference is profound. Validating parsers require full element/attribute qualification when the schema form default is "qualified". With the directives above, the gSOAP messages conform to this requirement by producing qualified elements and attributes. The directive is automatically generated by the wsdl2h importer, so you don't need to do this again by hand. However, if you are using an older version of the wsdl2h importer (prior to 1.1.4) you should either try the new importer OR add these directives to the .h file by hand.

Known issues with gSOAP 2.6.x and earlier
---

The gSOAP version releases 2.6.x and earlier are no longer officially supported by Genivia. The issues listed below are for archival purposes only.

### gSOAP 2.6.2

A bug in `stdsoap2.c` and `stdsoap2.cpp` prevents the deserialization of `xsd:short`:

    soap_s2short(struct soap *soap, const char *s, short *p)
    {
      if (s)
      {
        long n;
        char *r;
        n = soap_strtol(s, &r, 10);
        if (*r || n < -32768 || n > 32767)
          return soap->error = SOAP_TYPE;
        *p = (char)n;
        ^^^^^^^^^^^ Should be *p = (short)n

The gSOAP 2.6 releases have known problems with dropped STL vector elements under multi-ref (id-ref) encoding, which can occur under certain circumstances with pointer-based STL vector items.
A robust id-ref resolution algorithm for STL container elements was added. In addition, an improvement was made to the WSDL output for document/literal services.

### gSOAP 2.4.1

In `stdsoap2.c` and `stdsoap2.cpp` change line 5230 to fix exception when `tag == NULL`:

    SOAP_FMAC1 int SOAP_FMAC2 soap_element_begin_in(struct soap *soap, const char *tag)
    {
      if (tag && *tag == '-')
        return SOAP_OK;
      if (!soap_peek_element(soap))
      {
        if (soap->other)
          return soap->error = SOAP_TAG_MISMATCH;
        if (!(soap->error = soap_match_tag(soap, soap->tag, tag)))
        {
          if (tag && !soap->encodingStyle) /* ADDED check tag!=NULL */
          {
            const char *s = strchr(tag, ':');
            if (s)
              soap_push_default_namespace(soap, tag, s - tag);
          }

### gSOAP 2.3.8

Fix for a memory leak with gSOAP 2.3.8 for the combination of Zlib compression with the httpget plugin (the fix is to remove all `soap_begin_send` calls before the `soap_response` calls).

Improved client-side thread support for OpenSSL: use the new `soap_ssl_server_context()` and `soap_ssl_client_context()` functions (see updated online documentation).

In `stdsoap2.c` and `stdsoap2.cpp` line 8704, patch for base64 and HTTP authentication:

      t[0] = '\0'; /* INSERTED */
      if (n > 0)
      {
        m = 0;
        for (i = 0; i < n; i++)
          m = (m << 8) | *s++;
        for (; i < 3; i++)
          m <<= 8;
        for (i++; i > 0; m >>= 6)
          t[--i] = soap_base64o[m & 0x3F];
        for (i = 3; i > n; i--)
          t[i] = '=';
        t[4] = '\0'; /* MOVED UP */
      }
      return SOAP_OK;
    }

Change both lines 1155 and 8699 as follows:

    { m = ((unsigned long)((unsigned char*)s)[0] << 16) | ((unsigned long)((unsigned char*)s)[1] << 8) | (unsigned long)((unsigned char*)s)[2];

Change line 9130 for short recv/send timeout settings with HTTP keep-alive enabled:

    if ((status != SOAP_EOF || (!soap->recv_timeout && !soap->send_timeout)) && soap_poll(soap) == SOAP_OK) /* REPLACED */

Change line 3905 for server-side `SOAP_IO_STORE` setting (affects httpget plugin):

    else if (soap->status != SOAP_STOP) /* REPLACED */

Change line 4490 for correct `SOAP-ENC:position[]` placement:

      soap->null = 0;
      soap->position = 0; /* INSERTED */
      return SOAP_OK;
    } /* END OF soap_element() */

Change lines 5107 and 5116 for rejecting invalid SOAP XML attribute content:

    if (t && tp->value) /* ADDED tp->value check */
    {
      if (soap_push_namespace(soap, t, tp->value))

and:

    for (tp = soap->attributes; tp; tp = tp->next)
    {
      if (tp->visible && tp->value) /* ADDED tp->value check */

### gSOAP 2.3.7 and earlier

The following issues are known to occur. These early gSOAP releases are not recommended and are no longer supported.

- Client-side SSL + HTTP keep-alive problem.
- DOM parser with gSOAP deserializers problem with `SOAP_XML_GRAPH` set to deserialize data.
- Streaming DIME with `fdimereadclose` callback.
- Client-side SSL memory leak.
- A gSOAP client application may experience problems receiving subsequent messages from a server _after_ a SOAP Fault occurred with the server.
- Double floating point numbers may be truncated.
- DIME transfers may fail with .NET when the following HTTP header is used:

      Content-Type: application/dime; charset=us-ascii
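
The `xsd:short` defect listed under gSOAP 2.6.2 above, reproduced as an added stand-alone example (not gSOAP source code): it shows that a value such as 300 passes the 16-bit range check and is then silently stored as 44 by the `(char)` cast. `strtol()` stands in for `soap_strtol()`, and `parse_short_range`, `s2short_buggy`, `s2short_fixed` and the `CONV_*` codes are hypothetical names.

```c
/* Added illustration, not gSOAP source. strtol() stands in for soap_strtol(),
   and CONV_OK / CONV_TYPE_ERROR are local stand-ins for SOAP_OK / SOAP_TYPE. */
#include <stdio.h>
#include <stdlib.h>

enum { CONV_OK = 0, CONV_TYPE_ERROR = 1 };

/* Shared parse and range check, as in the excerpt: the whole string must be a
   base-10 integer inside the xsd:short value space. Treating NULL as an error
   is an assumption; the excerpt does not show that branch. */
static int parse_short_range(const char *s, long *n)
{
  char *r;
  if (!s)
    return CONV_TYPE_ERROR;
  *n = strtol(s, &r, 10);
  if (*r || *n < -32768 || *n > 32767)
    return CONV_TYPE_ERROR;
  return CONV_OK;
}

/* 2.6.2 behaviour: the value passes the 16-bit range check, then the store
   narrows it through char, so only the low 8 bits survive. */
int s2short_buggy(const char *s, short *p)
{
  long n;
  if (parse_short_range(s, &n))
    return CONV_TYPE_ERROR;
  *p = (char)n;
  return CONV_OK;
}

/* Corrected store: the cast matches the range that was validated. */
int s2short_fixed(const char *s, short *p)
{
  long n;
  if (parse_short_range(s, &n))
    return CONV_TYPE_ERROR;
  *p = (short)n;
  return CONV_OK;
}

int main(void)
{
  /* constructed sample lexical values */
  const char *samples[] = { "100", "300", "-200", "40000", "12x" };
  size_t i;
  for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
  {
    short a = 0, b = 0;
    int ea = s2short_buggy(samples[i], &a);
    int eb = s2short_fixed(samples[i], &b);
    printf("%-6s buggy: err=%d value=%d   fixed: err=%d value=%d\n",
           samples[i], ea, a, eb, b);
  }
  return 0;
}
```

The buggy variant reports success for every in-range input, so the corruption is invisible to the caller unless the stored value is compared against the wire value.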