Closed
Hello,
There is a heap overflow in pokeSockAddr that was fixed in release 3.0.0.0 when using Linux abstract Unix sockets. As far as I know it is present in at least all versions from 2.6.3.3 to 2.8.0.0.
The following program reproduces a segfault with ghc 8.6.3 when compiled with the threaded runtime:

```haskell
import Network.Socket
import Control.Monad (forM)

main :: IO ()
main = do
  -- Bind abstract Unix sockets (leading NUL byte) with names of growing length.
  forM [1..100] $ \n -> do
    putStrLn (show n ++ " characters")
    sock <- socket AF_UNIX Stream defaultProtocol
    bind sock (SockAddrUnix ("\0" ++ (replicate n 't')))
    close sock
  return ()
```
with the following output:

```
$ ghc -threaded -dynamic -package network test.hs
$ ./test
...
86 characters
zsh: segmentation fault (core dumped) ./test
```
Since many systems are still using network 2.8.0.0 (like the Stackage distribution) I would like to know whether a 2.8.0.1 version could be released.
The fix would be to have `pokeSockAddr _ sa@(SockAddrUnix _)` always use

```haskell
zeroMemory p $ fromIntegral $ sizeOfSockAddr sa
```

like it does in the 3.x version.
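The proposed fix ties the zeroed region to the computed address size. The same invariant at the C level, against `struct sockaddr_un`, is sketched below as an added example; it is not code from this issue or from the network package, and the helper names `abstract_addr_size` and `fill_abstract_addr` are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

#define SUN_PATH_MAX sizeof(((struct sockaddr_un *)0)->sun_path)

/* Hypothetical helper: bytes occupied by an abstract address whose name
 * (leading NUL included) is name_len bytes long; 0 if it cannot fit. */
static socklen_t abstract_addr_size(size_t name_len)
{
    if (name_len == 0 || name_len > SUN_PATH_MAX)
        return 0;
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + name_len);
}

/* Hypothetical helper: write the address into buf (buf_len bytes available).
 * Zeroes and writes exactly the computed size, never sizeof(struct
 * sockaddr_un), so a buffer allocated for the short form is not overrun.
 * Returns the address length to pass to bind(), or 0 on rejection. */
static socklen_t fill_abstract_addr(void *buf, size_t buf_len,
                                    const char *name, size_t name_len)
{
    socklen_t need = abstract_addr_size(name_len);
    sa_family_t family = AF_UNIX;

    if (need == 0 || need > buf_len || name[0] != '\0')
        return 0;
    memset(buf, 0, need);
    memcpy((char *)buf + offsetof(struct sockaddr_un, sun_family),
           &family, sizeof family);
    memcpy((char *)buf + offsetof(struct sockaddr_un, sun_path),
           name, name_len);
    return need;
}

int main(void)
{
    /* Constructed sample: NUL plus 86 't' bytes, the last length printed
     * in the report's output. */
    char name[87] = {0};
    unsigned char buf[sizeof(struct sockaddr_un)];

    memset(name + 1, 't', 86);
    printf("addrlen = %u\n",
           (unsigned)fill_abstract_addr(buf, sizeof buf, name, sizeof name));
    return 0;
}
```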