Project

General

Profile

Actions

Bug #1731

closed

detect-tls memory leak

Added by Andreas Herz over 8 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

We found some memory leaks within detect-tls.c (details on dev ml) which are also related to #1046 and could also lead to the increase memory consumption on reloads.
Code needs some improvement in any case.

Actions #1

Updated by Andreas Herz over 8 years ago

Output from valgrind:

==3607== 60 bytes in 60 blocks are definitely lost in loss record 171 of 415
==3607==    at 0x4C28C10: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3607==    by 0x61630FA: pcre_get_substring (in /usr/lib/libpcre.so.1.2.6)
==3607==    by 0x4C5751: DetectTlsFingerprintParse (detect-tls.c:623)
==3607==    by 0x4C60FC: DetectTlsFingerprintSetup (detect-tls.c:741)
==3607==    by 0x4B40D6: SigParseOptions (detect-parse.c:540)
==3607==    by 0x4B40D6: SigParse (detect-parse.c:858)
==3607==    by 0x4B531C: SigInitHelper (detect-parse.c:1370)
==3607==    by 0x4B5778: SigInit (detect-parse.c:1565)
==3607==    by 0x4B5879: DetectEngineAppendSig (detect-parse.c:1830)
==3607==    by 0x45A5EF: DetectLoadSigFile (detect.c:355)
==3607==    by 0x45A5EF: ProcessSigFiles (detect.c:417)
==3607==    by 0x462238: SigLoadSignatures (detect.c:482)
==3607==    by 0x40E9C1: LoadSignatures (suricata.c:1976)
==3607==    by 0x40E9C1: main (suricata.c:2342)
==3607== 
==3607== 60 bytes in 60 blocks are definitely lost in loss record 172 of 415
==3607==    at 0x4C28C10: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3607==    by 0x61630FA: pcre_get_substring (in /usr/lib/libpcre.so.1.2.6)
==3607==    by 0x4C5751: DetectTlsFingerprintParse (detect-tls.c:623)
==3607==    by 0x4C60FC: DetectTlsFingerprintSetup (detect-tls.c:741)
==3607==    by 0x4B40D6: SigParseOptions (detect-parse.c:540)
==3607==    by 0x4B40D6: SigParse (detect-parse.c:858)
==3607==    by 0x4B531C: SigInitHelper (detect-parse.c:1370)
==3607==    by 0x4B5778: SigInit (detect-parse.c:1565)
==3607==    by 0x4B5879: DetectEngineAppendSig (detect-parse.c:1830)
==3607==    by 0x45A5EF: DetectLoadSigFile (detect.c:355)
==3607==    by 0x45A5EF: ProcessSigFiles (detect.c:417)
==3607==    by 0x462238: SigLoadSignatures (detect.c:482)
==3607==    by 0x47D362: DetectEngineReload (detect-engine.c:2548)
==3607==    by 0x40F9D2: main (suricata.c:2457)

Occurs several times as well as this

==3607== 3,720 bytes in 60 blocks are definitely lost in loss record 402 of 415
==3607==    at 0x4C28C10: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3607==    by 0x61630FA: pcre_get_substring (in /usr/lib/libpcre.so.1.2.6)
==3607==    by 0x4C578A: DetectTlsFingerprintParse (detect-tls.c:631)
==3607==    by 0x4C60FC: DetectTlsFingerprintSetup (detect-tls.c:741)
==3607==    by 0x4B40D6: SigParseOptions (detect-parse.c:540)
==3607==    by 0x4B40D6: SigParse (detect-parse.c:858)
==3607==    by 0x4B531C: SigInitHelper (detect-parse.c:1370)
==3607==    by 0x4B5778: SigInit (detect-parse.c:1565)
==3607==    by 0x4B5879: DetectEngineAppendSig (detect-parse.c:1830)
==3607==    by 0x45A5EF: DetectLoadSigFile (detect.c:355)
==3607==    by 0x45A5EF: ProcessSigFiles (detect.c:417)
==3607==    by 0x462238: SigLoadSignatures (detect.c:482)
==3607==    by 0x40E9C1: LoadSignatures (suricata.c:1976)
==3607==    by 0x40E9C1: main (suricata.c:2342)
==3607== 
==3607== 3,720 bytes in 60 blocks are definitely lost in loss record 403 of 415
==3607==    at 0x4C28C10: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3607==    by 0x61630FA: pcre_get_substring (in /usr/lib/libpcre.so.1.2.6)
==3607==    by 0x4C578A: DetectTlsFingerprintParse (detect-tls.c:631)
==3607==    by 0x4C60FC: DetectTlsFingerprintSetup (detect-tls.c:741)
==3607==    by 0x4B40D6: SigParseOptions (detect-parse.c:540)
==3607==    by 0x4B40D6: SigParse (detect-parse.c:858)
==3607==    by 0x4B531C: SigInitHelper (detect-parse.c:1370)
==3607==    by 0x4B5778: SigInit (detect-parse.c:1565)
==3607==    by 0x4B5879: DetectEngineAppendSig (detect-parse.c:1830)
==3607==    by 0x45A5EF: DetectLoadSigFile (detect.c:355)
==3607==    by 0x45A5EF: ProcessSigFiles (detect.c:417)
==3607==    by 0x462238: SigLoadSignatures (detect.c:482)
==3607==    by 0x47D362: DetectEngineReload (detect-engine.c:2548)
==3607==    by 0x40F9D2: main (suricata.c:2457)

But are all nearly the same issue. 3 allocations (get_substring, two SCStrdups) where 1 would be enough.

Actions #2

Updated by Victor Julien over 8 years ago

  • Status changed from New to Assigned
  • Assignee changed from Andreas Herz to Mats Klepsland

Can you take this one Mats? :)

Actions #3

Updated by Mats Klepsland over 8 years ago

Sure, Victor :)

Actions #4

Updated by Mats Klepsland over 8 years ago

This bug was fixed by Eric Leblond in commit 50ea76a [1].

[1] - https://github.com/inliniac/suricata/commit/50ea76a88b2ebcdcfeb6aa5a2a37975a99140fbd

Actions #5

Updated by Victor Julien over 8 years ago

  • Status changed from Assigned to Closed
  • Assignee changed from Mats Klepsland to Eric Leblond
  • Target version changed from 70 to 3.0.1RC1
Actions

Also available in: Atom PDF