Double free in suricata-5.0.3
We have implemented fiberblaze interface to read packets in suricata
Read loop looks like
//Read packet from fiberblaze
There is nothing under thread deinit.
We are seeing double free being reported in logs when suricata is stopped.
Jul 23 09:38:37
u4 suricata: 23/7/2021 - 09:38:37 - <Notice> - Signal Received. Stopping engine.
Jul 23 09:38:38 -u4 suricata: * Error in `/opt/suricata/bin/suricata': double free or corruption (out): 0x00007fc48535ff10 *
Jul 23 09:38:38 -u4 suricata: ======= Backtrace: =========
Jul 23 09:38:38 -u4 suricata: /lib64/libc.so.6(+0x7c619)[0x7fc49ba57619]
Jul 23 09:38:38 -u4 suricata: /opt/suricata/bin/suricata(+0x26bef0)[0x558f858abef0]
Jul 23 09:38:38 -u4 suricata: /opt/suricata/bin/suricata(+0x271aa9)[0x558f858b1aa9]
Jul 23 09:38:38 -u4 suricata: /lib64/libpthread.so.0(+0x7e25)[0x7fc49d162e25]
Jul 23 09:38:38 -u4 suricata: /lib64/libc.so.6(clone+0x6d)[0x7fc49bad334d]
By attaching to gdb, Looks like flow manager cleanup and PacketPoolDestroy are both freeing same pointer. But am not sure.
Can you let me know if there is some issue in the way we pass packets to suricata or if there is any known issue related to this.
Updated by sreenivasa penupolu about 2 months ago
Victor Julien wrote in #note-1:
Are you able to do a build with address sanitizer enabled? It may provide a more useful trace.
I get the following trace when I start suricata. So, as it doesnt start am not able to try stopping and seeing if double free happens.
Jul 29 07:08:50 unit-9 suricata: Out of memory. Dying.
Jul 29 07:08:50 unit-9 suricata: The process has exhausted 8192MB for size class 2816.
Attaching yaml file being used.
Updated by sreenivasa penupolu about 1 month ago
The issue was because of not setting ReleasePacket while passing the packet pointer.
Default ReleasePacket was releasing directly without removing from pool.
PacketPoolDestroy was doing second free and causing crash.
Please go ahead and close this bug.