[Snort-devel] Re: bug/memory leak in rules.c

Jonathan rakocy at ...1503...
Wed Aug 7 08:23:01 EDT 2002

Hi,  I wrote about two weeks ago complaining about a bug.  Snort would
die approximately every day and a half.  I was able to look at
the core with gdb and found a segmentation fault.   

After looking into it further, we found that snort (the computer) was
running out of memory.  After more hours of frustration, we compiled snort on
Solaris and took advantage of some school software, Purify, which found a
memory leak in rules.c.  The biggest problems were found in the
function ParseRuleOptions, where toks and opts would only be partially
freed or not freed at all.  We fixed as much as we could in rules.c.  

This is from an ~1.5M tcpdump file. 

old: Memory leaked: 554613 bytes (14.6%); potentially leaked: 1098 bytes (0.0289%)
new: Memory leaked: 24673 bytes (0.762%); potentially leaked: 160 bytes

There are still a few small problems (AllocAddrNode [rules.c:2275] and 
uninitialized memory reads) but as you can see there is a big difference.  
Snort has been running solidly since I recompiled.

Where can I send a diff file, code and anything else to?


~Jonathan Rakocy & David Parter (dparter at ...1503...)

Computer Systems Lab
Computer Science Dept.
University of Wisconsin Madison
