[Snort-devel] now a crash in spp_tcp_stream3

Bill Gercken bgercken at ...351...
Sat May 12 19:55:29 EDT 2001


I was running the code yesterday and noticed that sptr structure contained
valid data and was not freed before doing the free( sptr ) in
TcpSream3PruneSession().
For example: sptr->s_data and or sptr->c_data contained valid data. I was
under the impression that these pointers would need to be freed before
freeing the parent memory.
Wouldn't this cause a memory leak? Has CVS been updated with your latest
changes? I will pull the code tonight and try running it on our network.

Regards,
-bill


--
William C. Gercken                          Email:
bgercken at ...351...
Provident Analysis Corporation

-----Original Message-----
From: snort-devel-admin at lists.sourceforge.net
[mailto:snort-devel-admin at lists.sourceforge.net]On Behalf Of Martin Roesch
Sent: Saturday, May 12, 2001 6:01 PM
To: Todd Lewis
Cc: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] now a crash in spp_tcp_stream3

I've been playing with it.  AVL nodes are being allocated and popped off
the tree properly, nothing's hanging around.  I've been seeing "snort in
free(): warning: chunk is already free." warning messages in
TcpStream3PruneSession() where it frees the sptr near the bottom of the
function.  I think memory is getting stomped someplace and I can't
figure out where.  I've been seeing occaisional crashes in
TcpStream3FillBuffer() where the sptr is completely hosed (sp and cp set
to 0 or something improbable, c_stream_size at 0 but c_count at 17000+,
etc).

Here's my latest run:
Starting dump at: Sat May 12 17:11:36 2001

==========================================
Session 0, Sat May 12 17:11:24 2001

[s_count: 7  s_size: 79]
[c_count: 5  c_size: 9]
==========================================

Starting dump at: Sat May 12 17:11:52 2001

==========================================
Session 0, Sat May 12 17:11:24 2001

[s_count: 7  s_size: 79]
[c_count: 25  c_size: 40]
==========================================

Starting dump at: Sat May 12 17:13:55 2001

==========================================
==========================================

Starting dump at: Sat May 12 17:15:26 2001

==========================================
Session 4, Sat May 12 17:15:25 2001

[s_count: 0  s_size: 0]
[c_count: 1  c_size: 494]
Session 2, Sat May 12 17:15:25 2001

[s_count: 2  s_size: 0]
[c_count: 0  c_size: 0]
Session 6, Sat May 12 17:15:25 2001

[s_count: 1  s_size: 0]
[c_count: 0  c_size: 0]
==========================================

Starting dump at: Sat May 12 17:17:52 2001

==========================================
Session 4, Sat May 12 17:15:25 2001

[s_count: 0  s_size: 0]
[c_count: 0  c_size: 0]
Session 2, Sat May 12 17:15:25 2001

[s_count: 2  s_size: 0]
[c_count: 0  c_size: 0]
Session 6, Sat May 12 17:15:25 2001

[s_count: 1  s_size: 0]
[c_count: 0  c_size: 0]
==========================================



Todd Lewis wrote:
>
> BTW, if anyone else is not having the problem I reported, then could
> you please apply the patch, run some traffic through snort, send it
> SIGUSR2 every minute or so until the memory leak is good and visible,
> and send me back the resulting file stream3_leak_finder.log?
>
> --
> Todd Lewis
> tlewis at ...255...
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

--
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-devel mailing list
Snort-devel at lists.sourceforge.net
http://lists.sourceforge.net/lists/listinfo/snort-devel





More information about the Snort-devel mailing list