[Snort-devel] Re: Frag memory leak data

Dragos Ruiu dr at ...40...
Wed Nov 8 21:34:00 EST 2000

On Wed, 08 Nov 2000, Christopher Cramer wrote:
> I may be missing something, but I don't see a place in spp_defrag.c where
> you walk the tree clearing up old frag packets that have expired.  You do
> seem to find all frags that are reassembled into ip packets, but what
> about frags never reassembled?  There seems to be an attempt at this by
> finding the frag w/ rank 1 and killing it if old, but this only happens
> when we receive a new frag (probably not a problem) and it doesn't seem to
> be a loop to check frag w/ rank 1 until something doesn't expire.
> My apologies if I am missing something obvious here.

No worries...
Correctly reassembled packets should get deallocated upon reassembly.

Garbage packets are supposed to hang around unitl the timeout.
I think the RFC says that you are supposed to tolerate up to 4 seconds
between fragments (I have go back and reread to verify) so I
approximated this with a  10 second maximum life for fragments
for all fragments rather than having do do the other more intensive check

The garbage sweeper below is supposed (!) to expire old fragments
It walks the tree and checks one fragment for every received fragment
and is supposed to check two fragments in case oif high memory utilization.
Note that during my testing apparently this condition is not triggered
but yet the core size still keeps increasing.  I'm running mroe tests now...

--dr .

               /* now check if we have to reassemble anything... */
                        froot = ReassembleIP(froot);

                /* OK now check for a fragment timeout - sweeping the clutter away :-) */
                        if(++fragsweep > node_size(froot)+1)
                                fragsweep = 1;
                        found = fragfind_rank(fragsweep,froot);
                                froot = fragsplay(found->key, froot);
                                addtime((time_struct *)&(froot->key->pkth->ts), &fragtimeout, &timecheck);
                                if(TIME_LT(timecheck. , p->pkth->ts.))
                                        fragmemuse -= froot->key->pkth->caplen + sizeof(Packet);
                                        freetemp = froot->key;
                                        froot = fragdelete(froot->key, froot);
                                        free(freetemp->pkth);  /* free packet copy */

                        /* and now do the whole thing again if we are being a memory hog */
                        if(froot && fragmemuse > FASTSWEEPLIM)

Dragos Ruiu <dr at ...9...>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net

More information about the Snort-devel mailing list