Bug #2433

closed

memleak with suppression rules defined in threshold.conf

Added by Peter Manev about 6 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal

Description

If there is a suppression for a rule in the threshold.conf - for example -

suppress gen_id 1, sig_id 2011813, track by_src, ip 10.0.0.0/16

valgrind reports memleak -


[1810] 4/2/2018 -- 15:04:37 - (detect-engine-build.c:1704) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... complete
==1810== 
==1810== HEAP SUMMARY:
==1810==     in use at exit: 19,935 bytes in 386 blocks
==1810==   total heap usage: 665,243 allocs, 664,857 frees, 105,359,022 bytes allocated
==1810== 
==1810== 7 bytes in 1 blocks are definitely lost in loss record 26 of 381
==1810==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==1810==    by 0x6AFEA69: pcre_get_substring (pcre_get.c:569)
==1810==    by 0x3C649B: ParseThresholdRule (util-threshold-config.c:819)
==1810==    by 0x3C79D2: SCThresholdConfAddThresholdtype (util-threshold-config.c:1015)
==1810==    by 0x3C7C5E: SCThresholdConfParseFile (util-threshold-config.c:1126)
==1810==    by 0x3C1774: SCThresholdConfInitContext (util-threshold-config.c:219)
==1810==    by 0x1FE964: SigLoadSignatures (detect-engine-loader.c:363)
==1810==    by 0x32A976: LoadSignatures (suricata.c:2373)
==1810==    by 0x32B307: PostConfLoadedDetectSetup (suricata.c:2504)
==1810==    by 0x32C79D: main (suricata.c:2851)
==1810== 
{
   <insert_a_suppression_name_here>
   Memcheck:Leak
   match-leak-kinds: definite
   fun:malloc
   fun:pcre_get_substring
   fun:ParseThresholdRule
   fun:SCThresholdConfAddThresholdtype
   fun:SCThresholdConfParseFile
   fun:SCThresholdConfInitContext
   fun:SigLoadSignatures
   fun:LoadSignatures
   fun:PostConfLoadedDetectSetup
   fun:main
}
==1810== 12 bytes in 1 blocks are definitely lost in loss record 35 of 381
==1810==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==1810==    by 0x6AFEA69: pcre_get_substring (pcre_get.c:569)
==1810==    by 0x3C65C7: ParseThresholdRule (util-threshold-config.c:825)
==1810==    by 0x3C79D2: SCThresholdConfAddThresholdtype (util-threshold-config.c:1015)
==1810==    by 0x3C7C5E: SCThresholdConfParseFile (util-threshold-config.c:1126)
==1810==    by 0x3C1774: SCThresholdConfInitContext (util-threshold-config.c:219)
==1810==    by 0x1FE964: SigLoadSignatures (detect-engine-loader.c:363)
==1810==    by 0x32A976: LoadSignatures (suricata.c:2373)
==1810==    by 0x32B307: PostConfLoadedDetectSetup (suricata.c:2504)
==1810==    by 0x32C79D: main (suricata.c:2851)
==1810== 
{
   <insert_a_suppression_name_here>
   Memcheck:Leak
   match-leak-kinds: definite
   fun:malloc
   fun:pcre_get_substring
   fun:ParseThresholdRule
   fun:SCThresholdConfAddThresholdtype
   fun:SCThresholdConfParseFile
   fun:SCThresholdConfInitContext
   fun:SigLoadSignatures
   fun:LoadSignatures
   fun:PostConfLoadedDetectSetup
   fun:main
}
==1810== LEAK SUMMARY:
==1810==    definitely lost: 19 bytes in 2 blocks
==1810==    indirectly lost: 0 bytes in 0 blocks
==1810==      possibly lost: 0 bytes in 0 blocks
==1810==    still reachable: 19,916 bytes in 384 blocks
==1810==         suppressed: 0 bytes in 0 blocks
==1810== Reachable blocks (those to which a pointer was found) are not shown.
==1810== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==1810== 
==1810== For counts of detected and suppressed errors, rerun with: -v
==1810== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)

Using -


sudo valgrind --gen-suppressions=all --leak-check=full  --suppressions=qa/valgrind.suppress suricata  -k none -r ../../tests/JA3/pcaps/ -S ../../tests/JA3/test.rules -vvv -l log/

pevma@DONPEDRO:~/Work/Suricata/suricomp/tests$ suricata --build-info
This is Suricata version 4.1.0-dev (rev d2121945)
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS MAGIC 
SIMD support: SSE_4_2 SSE_4_1 SSE_3 
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 6.3.0 20170516, C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.25, linked against LibHTP v0.5.25

Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  liblzma support:                         no
  hiredis support:                         no
  hiredis async with libevent:             no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes, through luajit
  libluajit:                               yes
  libgeoip:                                yes
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  Hyperscan support:                       no
  Libnet support:                          yes

  Rust support (experimental):             no
  Experimental Rust parsers:               no
  Rust strict mode:                        no
  Rust debug mode:                         no

  Suricatasc install:                      yes

  Profiling enabled:                       no
  Profiling locks enabled:                 no

Development settings:
  Coccinelle / spatch:                     yes
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /usr
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr
  --sysconfdir                             /etc
  --localstatedir                          /var

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc (exec name) / gcc (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -ggdb -O0 -march=native
  PCAP_CFLAGS                               -I/usr/include
  SECCFLAGS                               
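
The ownership rule behind the trace above, as an added example that is not part of the original report and not Suricata's code: `pcre_get_substring` returns a heap copy that the caller must release with `pcre_free_substring`, and the 7- and 12-byte lost blocks match the sizes of `by_src` and `10.0.0.0/16` plus a terminating NUL. POSIX `regex.h` stands in for libpcre here, and `get_substring`, `free_substring`, `parse_suppress`, `struct suppress_rule` and `live_substrings` are hypothetical names; the parser releases every copy through one exit label, including on the error path.

```c
/* Added example, not Suricata code: POSIX regex stands in for libpcre; names are hypothetical. */
#include <regex.h>
#include <stdlib.h>
#include <string.h>

struct suppress_rule { unsigned long gid, sid; int by_src; char ip[64]; };
static int live_substrings; /* heap copies handed out and not yet released */
/* Heap copy of capture group i; as with pcre_get_substring(), the caller owns it. */
static char *get_substring(const char *s, const regmatch_t *m, int i)
{
    size_t len = (size_t)(m[i].rm_eo - m[i].rm_so);
    char *out = malloc(len + 1);
    if (out == NULL) return NULL;
    memcpy(out, s + m[i].rm_so, len);
    out[len] = '\0';
    live_substrings++;
    return out;
}
static void free_substring(char *p)
{
    if (p != NULL) { free(p); live_substrings--; }
}

/* Returns 0 on success, -1 on error; every exit after regcomp() goes through "end". */
static int parse_suppress(const char *line, struct suppress_rule *r)
{
    regex_t rx;
    regmatch_t m[5];
    char *v[5] = { NULL };
    int ret = -1;
    if (regcomp(&rx, "^suppress gen_id ([0-9]+), sig_id ([0-9]+), "
                     "track (by_src|by_dst), ip ([^ ]+)$", REG_EXTENDED) != 0)
        return -1;
    if (regexec(&rx, line, 5, m, 0) != 0) goto end;
    for (int i = 1; i < 5; i++)
        if ((v[i] = get_substring(line, m, i)) == NULL)
            goto end;
    if (strlen(v[4]) >= sizeof(r->ip)) goto end; /* error path with copies live */
    r->gid = strtoul(v[1], NULL, 10);
    r->sid = strtoul(v[2], NULL, 10);
    r->by_src = (strcmp(v[3], "by_src") == 0);
    strcpy(r->ip, v[4]);
    ret = 0;
end:
    for (int i = 1; i < 5; i++)
        free_substring(v[i]);
    regfree(&rx);
    return ret;
}
```

Running a build of this under `valgrind --leak-check=full` with the `free_substring` loop removed produces "definitely lost" records of the same shape as the two in the report.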