Project

General

Profile

Actions
Copy link

Bug #8619

open
SD PA

App-layer transaction cleanup indefinitely delayed with `pass` rules on UDP flows and causes unbounded memory growth

Bug #8619: App-layer transaction cleanup indefinitely delayed with `pass` rules on UDP flows and causes unbounded memory growth

Added by Shane Dugan 4 days ago. Updated about 13 hours ago.

Status:
In Review
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
9.0.0-beta1
Affected Versions:
8.0.3
Effort:
Difficulty:
Label:

Description

Commit d8ddef4c (https://github.com/OISF/suricata/commit/d8ddef4c) ("detect: delay tx cleanup in some edge case") added a condition in AppLayerParserTransactionsCleanup that delays transaction cleanup until FLOW_SGH_TOCLIENT is set. However, when a pass rule matches on a UDP flow, FLOW_ACTION_PASS causes DetectFlow() to skip all subsequent packets in both directions, so FLOW_SGH_TOCLIENT is never set and APP_LAYER_TX_INSPECTED_TC is never marked. This means transactions are never freed for the lifetime of the flow. On long-lived UDP flows (e.g. continuous SNMP polling), this results in unbounded memory growth as app-layer transactions accumulate indefinitely. The memory is eventually freed when the flow times out, but for continuously active flows that never happens. A minimal repro is attached: a single pass udp 10.0.0.0/8 any -> any any rule with looped SNMP traffic on one flow demonstrates linear heap growth via the SNMP add_pdu_info OID vectors in massif. Additionally, this likely happens with other UDP-based App Layer protocols (although I have not tested myself).

The repro was done using the af-packet runmode. I have included a pcap (replayed with tcpreplay), as well as all relevant config files for reproing this issue, along with a massif report that was generated while running valgrind on the Suricata binary (both the report file and the output from ms_print.

Files

Download all files
gen_plain_snmp_pcap.py (8.79 KB) gen_plain_snmp_pcap.py scapy script to gen the pcap Shane Dugan, 05/29/2026 08:01 PM
classification.config (116 Bytes) classification.config Shane Dugan, 05/29/2026 08:01 PM
massif.out.28951 (133 KB) massif.out.28951 massif out file Shane Dugan, 05/29/2026 08:01 PM
massif-output-msprint.txt (168 KB) massif-output-msprint.txt ms_print output of massif out file Shane Dugan, 05/29/2026 08:01 PM
reference.config (25 Bytes) reference.config Shane Dugan, 05/29/2026 08:01 PM
suricata.rules (352 Bytes) suricata.rules Shane Dugan, 05/29/2026 08:01 PM
suricata.yaml (1.87 KB) suricata.yaml Shane Dugan, 05/29/2026 08:01 PM
threshold.config (25 Bytes) threshold.config Shane Dugan, 05/29/2026 08:01 PM
snmp_leak_repro.pcap (5.17 MB) snmp_leak_repro.pcap Shane Dugan, 05/29/2026 08:01 PM

Subtasks 1 (1 open0 closed)

Bug #8620: App-layer transaction cleanup indefinitely delayed with `pass` rules on UDP flows and causes unbounded memory growth (8.0.x backport)AssignedOISF DevActions

VJ Updated by Victor Julien 4 days ago Actions
Copy link
 #1

  • Status changed from New to Triaged
  • Assignee set to OISF Dev
  • Target version changed from TBD to 9.0.0-beta1
  • Label Needs backport to 8.0 added

OT Updated by OISF Ticketbot 4 days ago Actions
Copy link
 #2

  • Subtask #8620 added

OT Updated by OISF Ticketbot 4 days ago Actions
Copy link
 #3

  • Label deleted (Needs backport to 8.0)

VJ Updated by Victor Julien 4 days ago Actions
Copy link
 #4

Thanks @shanedug for the detailed report. We'll have a look.

JF Updated by Juliana Fajardini Reichow 1 day ago Actions
Copy link
 #6

  • Description updated (diff)

VJ Updated by Victor Julien 1 day ago Actions
Copy link
 #7

  • Status changed from Triaged to Assigned
  • Assignee changed from OISF Dev to Philippe Antoine

PA Updated by Philippe Antoine about 13 hours ago Actions
Copy link
 #8

  • Status changed from Assigned to In Review
Actions
Copy link

Also available in: PDF Atom