[Snort-devel] Re: bug/memory leak in rules.c

Chris Green cmg at ...402...
Wed Aug 7 09:11:06 EDT 2002

Jonathan <rakocy at ...1503...> writes:

> Hi,  I wrote about two weeks about complaining about a bug.  Snort would
> die approximately every day and a half.  I was able to look at
> the core with gdb and found a segmentation fault.

Do you have backtraces?  I may have missed it.  I apologize.  I could
use about 5 more eye balls and arms :) 

> After looking into it further, we found that snort (the computer) was
> running out of memory.  After more hours of frustration, we compiled snort on
> solaris and took advantage of some school software, purify, which found a
> memory leak in rules.c.  The biggest problems were found in the
> function ParseRuleOptions were toks and opts would only be partially
> freed or not freed at all.  We fixed as much as we could in rules.c.

Yes, this is ugly and its being redone for 1.9. That's all static data

> This is from an ~1.5M tcpdump file. 
> old: Memory leaked: 554613 bytes (14.6%); potentially leaked: 1098
> bytes (0.0289%)
> new: Memory leaked: 24673 bytes (0.762%); potentially leaked: 160 bytes
> (0.00494%)
> There is still a few small problems (AllocAddrNode [rules.c:2275] and 
> uninitialized memory reads) but as you can see there is a big difference.  
> Snort has been running solidly since I recompiled.
> Where can I send a diff file, code and anything else to?

Me.  Use diff -Nur snort-1.9.orig snort-1.9-patched .  Is the patch
against current CVS?
Chris Green <cmg at ...402...>
"Yeah, but you're taking the universe out of context."

More information about the Snort-devel mailing list