[Snort-devel] Memory leak in spo_database.c

roman at ...49... roman at ...49...
Thu Jun 6 07:51:03 EDT 2002


Dirk,

You are quite right.  There are a couple of places related to signature handling that leak
because strings from snort_escape_string() are not free()ed.

A fix has been committed to CVS (SNORT-HEAD).

cheers,
Roman

> Hi all,
> 
> after a long search for the memory leak I found it in
> spo_database.c:
> 
> If a ruleset is used for the first time, the whole rule together
> with all available IDs is logged to the database.
> 
> In creation of the INSERT/SELECT string the function snort_escape_string
> is directly used with snprintf, e.g.:
> 
>                    snprintf(select1, MAX_QUERY_LENGTH, 
>                             "SELECT sig_class_id FROM sig_class WHERE "
>                             " sig_class_name = '%s'", 
>                             snort_escape_string(class_ptr->type, data));
> 
> The function snort_escape_string now allocates new memory
> for the escaped string. With this usage this is never freed.
> 
> The correct use would be something like:
> 
>                    tmp1=snort_escape_string(class_ptr->type, data);
>                    snprintf(select1, MAX_QUERY_LENGTH,
>                             "SELECT sig_class_id FROM sig_class WHERE "
>                             " sig_class_name = '%s'",
>                             tmp1);
>                    free(tmp1);
> 
> This will only result in a slow increase of memory usage
> but on a heavily used snort...
> 
> Best regards
> 
> Dirk
> 
> +------------------------------------------------------------+
> | Dr. Dirk Geschke            | E-mail: geschke at ...802...     |
> | Gesellschaft fuer Netzwerk  | Tel.  : +49-(0)-89-991950-31 |
> | und Unix Administration mbH | Fax   : +49-(0)-89-991950-99 |
> | 85551 Kirchheim / Germany   | Raeter Straße 26             |
> +------------------------------------------------------------+
> 
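
The leak and the fix discussed in this thread, as an added C example that is not part of the original messages or of Snort's code: `escape_string()` is a hypothetical stand-in for `snort_escape_string()`, and `live_allocs`, `QUERY_FMT`, `build_query_leaky`, `build_query_fixed` and `leaked_after` are names assumed for illustration. It counts outstanding allocations so the difference between the two call patterns can be measured.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_QUERY_LENGTH 256
#define QUERY_FMT "SELECT sig_class_id FROM sig_class WHERE " \
                  " sig_class_name = '%s'"
static long live_allocs;  /* escaped strings allocated and not yet freed */

/* Hypothetical stand-in for snort_escape_string(); caller owns the result. */
static char *escape_string(const char *in)
{
    char *out = malloc(2 * strlen(in) + 1), *p = out;  /* worst-case size */
    if (out == NULL)
        return NULL;
    live_allocs++;
    for (; *in; in++) {
        if (*in == '\'' || *in == '\\')
            *p++ = '\\';  /* backslash-escape quotes and backslashes */
        *p++ = *in;
    }
    *p = '\0';
    return out;
}

/* Reported pattern: the pointer is lost once snprintf() returns. */
static int build_query_leaky(char *q, const char *name)
{
    return snprintf(q, MAX_QUERY_LENGTH, QUERY_FMT, escape_string(name));
}

/* Suggested pattern: keep the pointer, format, then free it. */
static int build_query_fixed(char *q, const char *name)
{
    char *tmp1 = escape_string(name);
    int n = tmp1 ? snprintf(q, MAX_QUERY_LENGTH, QUERY_FMT, tmp1) : -1;
    live_allocs -= (tmp1 != NULL);
    free(tmp1);
    return n;
}

/* Calls one builder `rounds` times; returns allocations left outstanding. */
static long leaked_after(int (*build)(char *, const char *), int rounds)
{
    char q[MAX_QUERY_LENGTH];
    long before = live_allocs;
    for (int i = 0; i < rounds; i++)
        build(q, "it's-a-test");  /* constructed sample class name */
    return live_allocs - before;
}
```

Each call through the reported pattern leaves one escaped string outstanding, so the count grows with the number of queries built, while the suggested pattern returns to zero after every call.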


