Bug #2515: memleak: when using smb rules without rust - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #2515

closed

memleak: when using smb rules without rust

Added by Peter Manev almost 6 years ago. Updated almost 6 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Victor Julien

Target version:

4.1rc1

Affected Versions:

Effort:

Difficulty:

Label:

Description

Jason Ish and Giuseppe Longo - thanks for the help in investigating this.

Using latest git at the time of this report - 325f336f637f8a3f4f2fb00c6cd6d0f04d5ca62f
It seems there is a memleak only visible when using the smb rules and when surictaa is compiled without rust

Steps to reproduce (you can skip the docker steps of course if you have clang 6) -


docker pull pevma/sqard:debian-testing && docker run --cap-add=SYS_PTRACE   --name sqard-debian-testing-01 -d -ti pevma/sqard:debian-testing   /bin/bash && docker attach $(docker ps -a |grep sqard-debian-testing-01 | awk '{print $1}')

git clone  https://github.com/OISF/suricata.git && cd suricata && git clone https://github.com/OISF/libhtp.git -b 0.5.x &&  ./autogen.sh && ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-hiredis --enable-unittests CC=clang-6.0 CFLAGS="-ggdb3 -Werror -Wchar-subscripts -fno-strict-aliasing -fstack-protector-all -fsanitize=address -fno-omit-frame-pointer -Wno-unused-parameter -Wno-unused-function" ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes && make clean && make -j4 && make install-full && ldconfig 

git clone https://github.com/pevma/mrp.git

LSAN_OPTIONS=suppressions=qa/lsan.suppress ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-6.0/bin/llvm-symbolizer /usr/bin/suricata -S rules/smb-events.rules -r mrp/dns.pcap 

Direct leak of 192 byte(s) in 6 object(s) allocated from:
    #0 0x4e3610 in __interceptor_malloc (/usr/bin/suricata+0x4e3610)
    #1 0x12712bc in SigMatchAlloc /suricata/src/detect-parse.c:227:20
    #2 0xa3a190 in DetectAppLayerEventSetupP1 /suricata/src/detect-app-layer-event.c:307:10
    #3 0x127a36e in SigParseOptions /suricata/src/detect-parse.c:723:13
    #4 0x1276426 in SigParse /suricata/src/detect-parse.c:1154:19
    #5 0x1280113 in SigInitHelper /suricata/src/detect-parse.c:1798:9
    #6 0x127fa85 in SigInit /suricata/src/detect-parse.c:1931:16
    #7 0x1281b34 in DetectEngineAppendSig /suricata/src/detect-parse.c:2205:22
    #8 0xedd309 in DetectLoadSigFile /suricata/src/detect-engine-loader.c:169:15
    #9 0xed8520 in ProcessSigFiles /suricata/src/detect-engine-loader.c:248:13
    #10 0xed648d in SigLoadSignatures /suricata/src/detect-engine-loader.c:327:15
    #11 0x17ad336 in LoadSignatures /suricata/src/suricata.c:2380:9
    #12 0x17a2da1 in PostConfLoadedDetectSetup /suricata/src/suricata.c:2513:17
    #13 0x178eb61 in main /suricata/src/suricata.c:2876:5
    #14 0x7ff33cf4ba86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)

Indirect leak of 144 byte(s) in 6 object(s) allocated from:
    #0 0x4e3610 in __interceptor_malloc (/usr/bin/suricata+0x4e3610)
    #1 0xa3ce3a in DetectAppLayerEventParseAppP1 /suricata/src/detect-app-layer-event.c:244:12
    #2 0xa3b6d1 in DetectAppLayerEventParse /suricata/src/detect-app-layer-event.c:276:16
    #3 0xa3a171 in DetectAppLayerEventSetupP1 /suricata/src/detect-app-layer-event.c:303:12
    #4 0x127a36e in SigParseOptions /suricata/src/detect-parse.c:723:13
    #5 0x1276426 in SigParse /suricata/src/detect-parse.c:1154:19
    #6 0x1280113 in SigInitHelper /suricata/src/detect-parse.c:1798:9
    #7 0x127fa85 in SigInit /suricata/src/detect-parse.c:1931:16
    #8 0x1281b34 in DetectEngineAppendSig /suricata/src/detect-parse.c:2205:22
    #9 0xedd309 in DetectLoadSigFile /suricata/src/detect-engine-loader.c:169:15
    #10 0xed8520 in ProcessSigFiles /suricata/src/detect-engine-loader.c:248:13
    #11 0xed648d in SigLoadSignatures /suricata/src/detect-engine-loader.c:327:15
    #12 0x17ad336 in LoadSignatures /suricata/src/suricata.c:2380:9
    #13 0x17a2da1 in PostConfLoadedDetectSetup /suricata/src/suricata.c:2513:17
    #14 0x178eb61 in main /suricata/src/suricata.c:2876:5
    #15 0x7ff33cf4ba86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)

Indirect leak of 139 byte(s) in 6 object(s) allocated from:
    #0 0x43fe30 in strdup (/usr/bin/suricata+0x43fe30)
    #1 0xa3d56f in DetectAppLayerEventParseAppP1 /suricata/src/detect-app-layer-event.c:249:17
    #2 0xa3a190 in DetectAppLayerEventSetupP1 /suricata/src/detect-app-layer-event.c:307:10
    #3 0x127a36e in SigParseOptions /suricata/src/detect-parse.c:723:13
    #4 0x1276426 in SigParse /suricata/src/detect-parse.c:1154:19
    #5 0x1280113 in SigInitHelper /suricata/src/detect-parse.c:1798:9
    #6 0x127fa85 in SigInit /suricata/src/detect-parse.c:1931:16
    #7 0x1281b34 in DetectEngineAppendSig /suricata/src/detect-parse.c:2205:22
    #8 0xedd309 in DetectLoadSigFile /suricata/src/detect-engine-loader.c:169:15
    #9 0xed8520 in ProcessSigFiles /suricata/src/detect-engine-loader.c:248:13
    #10 0xed648d in SigLoadSignatures /suricata/src/detect-engine-loader.c:327:15
    #11 0x17ad336 in LoadSignatures /suricata/src/suricata.c:2380:9
    #12 0x17a2da1 in PostConfLoadedDetectSetup /suricata/src/suricata.c:2513:17
    #13 0x178eb61 in main /suricata/src/suricata.c:2876:5
    #14 0x7ff33cf4ba86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)

Indirect leak of 144 byte(s) in 6 object(s) allocated from:
    #0 0x4e3610 in __interceptor_malloc (/usr/bin/suricata+0x4e3610)
    #1 0xa3ce3a in DetectAppLayerEventParseAppP1 /suricata/src/detect-app-layer-event.c:244:12
    #2 0xa3b6d1 in DetectAppLayerEventParse /suricata/src/detect-app-layer-event.c:276:16
    #3 0xa3a171 in DetectAppLayerEventSetupP1 /suricata/src/detect-app-layer-event.c:303:12
    #4 0x127a36e in SigParseOptions /suricata/src/detect-parse.c:723:13
    #5 0x1276426 in SigParse /suricata/src/detect-parse.c:1154:19
    #6 0x1280113 in SigInitHelper /suricata/src/detect-parse.c:1798:9
    #7 0x127fa85 in SigInit /suricata/src/detect-parse.c:1931:16
    #8 0x1281b34 in DetectEngineAppendSig /suricata/src/detect-parse.c:2205:22
    #9 0xedd309 in DetectLoadSigFile /suricata/src/detect-engine-loader.c:169:15
    #10 0xed8520 in ProcessSigFiles /suricata/src/detect-engine-loader.c:248:13
    #11 0xed648d in SigLoadSignatures /suricata/src/detect-engine-loader.c:327:15
    #12 0x17ad336 in LoadSignatures /suricata/src/suricata.c:2380:9
    #13 0x17a2da1 in PostConfLoadedDetectSetup /suricata/src/suricata.c:2513:17
    #14 0x178eb61 in main /suricata/src/suricata.c:2876:5
    #15 0x7ff33cf4ba86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)

Indirect leak of 139 byte(s) in 6 object(s) allocated from:
    #0 0x43fe30 in strdup (/usr/bin/suricata+0x43fe30)
    #1 0xa3d56f in DetectAppLayerEventParseAppP1 /suricata/src/detect-app-layer-event.c:249:17
    #2 0xa3b6d1 in DetectAppLayerEventParse /suricata/src/detect-app-layer-event.c:276:16
    #3 0xa3a171 in DetectAppLayerEventSetupP1 /suricata/src/detect-app-layer-event.c:303:12
    #4 0x127a36e in SigParseOptions /suricata/src/detect-parse.c:723:13
    #5 0x1276426 in SigParse /suricata/src/detect-parse.c:1154:19
    #6 0x1280113 in SigInitHelper /suricata/src/detect-parse.c:1798:9
    #7 0x127fa85 in SigInit /suricata/src/detect-parse.c:1931:16
    #8 0x1281b34 in DetectEngineAppendSig /suricata/src/detect-parse.c:2205:22
    #9 0xedd309 in DetectLoadSigFile /suricata/src/detect-engine-loader.c:169:15
    #10 0xed8520 in ProcessSigFiles /suricata/src/detect-engine-loader.c:248:13
    #11 0xed648d in SigLoadSignatures /suricata/src/detect-engine-loader.c:327:15
    #12 0x17ad336 in LoadSignatures /suricata/src/suricata.c:2380:9
    #13 0x17a2da1 in PostConfLoadedDetectSetup /suricata/src/suricata.c:2513:17
    #14 0x178eb61 in main /suricata/src/suricata.c:2876:5
    #15 0x7ff33cf4ba86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)

SUMMARY: AddressSanitizer: 475 byte(s) leaked in 18 allocation(s).