[Snort-devel] Memory leaks

Douglas Drinka drinka at ...498...
Mon Jul 2 17:57:29 EDT 2001


Running Snort through Rational Purify for Solaris produced some useful
information on a couple of memory management problems in Snort.  Using all
available alerts from snort.org, 509706 bytes were not freed once the
alert configuration file processing was complete.

There were also some array boundary problems that aren't likely to affect
anyone, but are still not correct.  I made a diff of my fixes, which
reduce the leaked memory down to 25737 bytes.  I don't know enough about
the internals of Snort to free up the rest.  These fixes also reduce the
number of errors (array over-boundary reads and writes) from 4785 to 1469.

If these diffs would work better in a different form (context?) let me
know.



Huge memory leak: num_toks was being used to free allocated memory, but was always 0, as it was used as a counter above.  Also, the double pointer was never freed, only its pointed-to pointers.

Index: rules.c
===================================================================
RCS file: /cvsroot/snort/snort/rules.c,v
retrieving revision 1.71
diff -r1.71 rules.c
743a744
> 	free(toks);
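Review bot: free(toks) at line 744 releases only the outer array, and with no context lines shown it is not clear that each toks[i] string has already been freed at this site; if the element loop here has the same num_toks problem as the one at line 1881, this free hides the outer leak while the strings still leak. Also, the added line is indented with a tab while the surrounding code (see `int i;` at 1581) uses spaces; match the file's indentation.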
1581c1582,1584
<     int i;
---
> 	int orig_num_toks;
> 	char *orig_opts;
>     int i,j;
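Review bot: orig_opts and orig_num_toks at lines 1582-1583 are declared without initializers, yet orig_opts is passed to free() at line 1789; if the assignment at line 1704 sits on a conditional path, that free sees an indeterminate pointer. Initialize both (`char *orig_opts = NULL;` and `int orig_num_toks = 0;`) so cleanup is safe on every path, and use spaces rather than tabs to match the adjacent `int i,j;`.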
1674a1678,1679
> 		orig_num_toks=num_toks;
> 
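Review bot: the copy `orig_num_toks=num_toks;` at line 1678 must execute right after the tokenizer sets num_toks and before any path decrements it; since no context is shown, confirm that no early `continue` or `goto` between the tokenizer call and this line can skip the copy. Renaming the countdown counter instead of shadowing num_toks would remove the need for the copy altogether, and the added trailing blank line at 1679 can be dropped.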
1697a1703,1704
> 			//Save the original location of opts[0] so we can free it
> 			orig_opts=opts[0];
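Review bot: saving opts[0] into orig_opts at line 1704 only pairs correctly with free(orig_opts) at line 1789 if opts[0] still holds the pointer originally returned by the allocator at that moment; check that no earlier write or increment of opts[0] in this loop precedes the save. If the rest of rules.c is C89, the `//` comment at 1703 should be `/* */`.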
1782c1789,1791
< 
---
> 			free(orig_opts);
> 			for(j=1;j<num_opts;j++)
> 				free(opts[j]);
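Review bot: the loop at lines 1790-1791 frees opts[1..num_opts-1] and free(orig_opts) covers opts[0], but the opts array itself is not freed here, unlike toks at lines 744 and 1893; if opts comes from the same tokenizer, add `free(opts);` after the loop, and set the freed entries to NULL if opts is referenced again later in the function.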
1881c1890,1891
<         for(i=0;i<num_toks;i++)
---
> 	{
>         for(i=0;i<orig_num_toks;i++)
1882a1893,1894
> 		free(toks);
> 	}
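Review bot: the braces added at lines 1890 and 1894 assume the original for loop at 1881 had a single-statement body (the free of toks[i] on the following line); if the body was already braced, this creates a nested block with mismatched indentation, so include the context lines to make the intent visible. The bound change to orig_num_toks is the actual leak fix, since num_toks has been counted down to 0 by this point.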
2455a2468
> 	free(toks);
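Review bot: same question as at line 744: free(toks) at 2468 should follow a loop that frees each toks[i], and without context it is not clear one exists; if it does not, the strings still leak. The leading tab again differs from the spaces used elsewhere in this file.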



Not enough space was being allocated.  Need another character to avoid an array-bounds write.

Index: sp_reference.c
===================================================================
RCS file: /cvsroot/snort/snort/sp_reference.c,v
retrieving revision 1.5
diff -r1.5 sp_reference.c
168c168
<        url = calloc(strlen(BUGTRAQ_URL_HEAD) + strlen(id) + 1, sizeof(char));
---
>        url = calloc(strlen(BUGTRAQ_URL_HEAD) + strlen(id) + 2, sizeof(char));
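Review bot: changing +1 to +2 at line 168 removes the overflow but leaves the reason implicit; `strlen(BUGTRAQ_URL_HEAD) + strlen(id) + 1` is exactly enough for head, id and the NUL, so the extra byte must cover a separator or trailing character written between or after them that is not shown here. Make the accounting explicit (for example `+ 1 /* separator */ + 1 /* NUL */`) or build the string with snprintf into the computed size, so a later change to the format does not silently reintroduce the off-by-one.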
175c175
<        url = calloc(strlen(CVE_URL_HEAD) + strlen(id) + 1, sizeof(char));
---
>        url = calloc(strlen(CVE_URL_HEAD) + strlen(id) + 2, sizeof(char));
182c182
<        url = calloc(strlen(ARACHNIDS_URL_HEAD) + strlen(id) + 1, sizeof(char));
---
>        url = calloc(strlen(ARACHNIDS_URL_HEAD) + strlen(id) + 2, sizeof(char));
189c189
<        url = calloc(strlen(MCAFEE_URL_HEAD) + strlen(id) + 1, sizeof(char));
---
>        url = calloc(strlen(MCAFEE_URL_HEAD) + strlen(id) + 2, sizeof(char));
196c196
<        url = calloc(strlen(URL_HEAD) + strlen(id) + 1, sizeof(char));
---
>        url = calloc(strlen(URL_HEAD) + strlen(id) + 2, sizeof(char));
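Review bot: the same +1 to +2 fix is repeated at lines 168, 175, 182, 189 and 196 with only the head constant differing; five copies of the same size arithmetic are what let the off-by-one creep in, so consider a single helper that takes the head string and id, allocates and formats the URL, leaving one place to get the length right.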



strtol is expecting one more character to be available.  Need to grow the array to avoid an array-bounds read.

Index: sp_pattern_match.c
===================================================================
RCS file: /cvsroot/snort/snort/sp_pattern_match.c,v
retrieving revision 1.18
diff -r1.18 sp_pattern_match.c
325c325
<     char hex_buf[9];
---
>     char hex_buf[10];
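Review bot: growing hex_buf from 9 to 10 bytes at line 325 makes room for a terminator, but the buffer is still uninitialized at declaration; `char hex_buf[10] = {0};` would guarantee a NUL terminator on every path, not only the one touched at line 477.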
476a477
>                                 hex_buf[9]='\0';
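Review bot: `hex_buf[9]='\0';` at line 477 assumes exactly nine characters have been copied before strtol runs; if the copy can stop earlier, the bytes between the last written character and index 9 are whatever was in the buffer and strtol will parse them. Terminate at the index just past the last character actually written rather than at a fixed position, and check strtol's end pointer to detect trailing junk.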

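The num_toks bug described in the rules.c note above, as an added C example that is not Snort's code: split_tokens and blocks_released are hypothetical stand-ins for Snort's tokenizer and cleanup, and the counting-down parse step is simplified.

```c
/* Added example (not Snort code): the rules.c leak pattern described in the
 * post. A tokenizer returns an array of heap strings plus a count; the parser
 * reuses the count as a countdown, so a cleanup loop bounded by that same
 * variable frees nothing. Names are hypothetical; no allocation checks. */
#include <stdlib.h>
#include <string.h>

static char **split_tokens(const char *s, char sep, int *num_toks)
{
    int n = 1, i = 0;
    for (const char *p = s; *p; p++)
        if (*p == sep) n++;
    char **toks = calloc((size_t)n, sizeof *toks);
    for (const char *start = s, *p = s; ; p++) {
        if (*p != sep && *p != '\0') continue;
        size_t len = (size_t)(p - start);
        toks[i] = malloc(len + 1);
        memcpy(toks[i], start, len);
        toks[i++][len] = '\0';
        if (*p == '\0') break;
        start = p + 1;
    }
    *num_toks = n;
    return toks;
}

/* Returns how many heap blocks the cleanup releases: 0 with the bug,
 * token count + 1 (the array itself) with the fix. */
static int blocks_released(const char *line, int save_length)
{
    int num_toks, released = 0;
    char **toks = split_tokens(line, ' ', &num_toks);
    int orig_num_toks = num_toks;     /* the fix: copy before reuse */
    /* Parse step: the old code counted num_toks down while consuming. */
    while (num_toks > 0)
        num_toks--;
    /* Cleanup: the old code bounded this loop by num_toks, now 0. */
    int limit = save_length ? orig_num_toks : num_toks;
    for (int i = 0; i < limit; i++) {
        free(toks[i]);
        released++;
    }
    if (save_length) { free(toks); toks = NULL; released++; } /* outer array */
    /* Release what the buggy path leaked so this demo itself stays clean. */
    if (toks) {
        for (int i = 0; i < orig_num_toks; i++) free(toks[i]);
        free(toks);
    }
    return released;
}
```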