Project

General

Profile

Actions

Bug #2201

closed

af_packet: suricata leaks memory with use-mmap enabled and incorrect BPF filter

Added by Alexander Gozman over 6 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

It appears that suricata leaks memory in af_packet mode when 'use-mmap' option is enabled and incorrect BPF filter is specified (e.g., 1.1.1.1/24 with non-network bits set). The reason is that suricata doesn't treat erroneous BPF filter as a fatal error and tries to reopen a capture interface. However, munmap() is not called in this case and suricata calls mmap() again and again, causing a memory leak (and it's not detected by valgrind). As a result, this behavior can lead to a system crash.

There're two possible options:
1) return AFP_FATAL_ERROR if AFPSetBPFFilter() fails;
2) add new function that does munmap().

Actually, I don't think that option 2 is correct because there's no reason for setting erroneous BPF filter again and again. IMHO, this should be treated as something like socket error.

Actions

Also available in: Atom PDF