[syslog-ng]Syslog-NG 1.6.6 memory leak when sending UDP logs

syslog-ng@lists.balabit.hu syslog-ng@lists.balabit.hu
Wed, 2 Mar 2005 12:07:33 -0500



Ok, so Valgrind came up with something (thanks for the suggestion Robert):

With UDP Spoof Turned on: 


==27361== Memcheck, a memory error detector for x86-linux. 
==27361== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward et al. 
==27361== Using valgrind-2.2.0, a program supervision framework for x86-linux.
==27361== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward et al. 
==27361== For more details, rerun with: -v 
==27361== 
io.c: Preparing fd 3 for reading 
io.c: Preparing fd 4 for reading 
io.c: listening on fd 5 
io.c: connecting using fd 6 
io.c: connecting using fd 8 
io.c: connecting using fd 8 
syslog-ng version 1.6.6 starting 
io.c: Preparing fd 6 for writing 
==27361== Invalid read of size 2 
==27361==    at 0x805A987: libnet_in_cksum (in /usr/local/sbin/syslog-ng) 
==27361==  Address 0x1BA764E2 is 178 bytes inside a block of size 179 alloc'd
==27361==    at 0x1B902E28: malloc (vg_replace_malloc.c:131)
==27361==    by 0x805912D: libnet_pblock_coalesce (in /usr/local/sbin/syslog-ng)
==27361==    by 0x804C063: do_handle_log (destinations.c:103) 
==27361==    by 0x804B5EC: do_distribute_log (center.c:149) 
==27361==    by 0x804B02A: do_add_source_name (sources.c:289) 
==27361==    by 0x804AA8C: do_handle_line (sources.c:75) 
==27361==    by 0x804ADA5: do_read_line (sources.c:134) 
==27361==    by 0x8054AF8: read_callback (in /usr/local/sbin/syslog-ng) 
==27361==    by 0x804A079: main_loop (main.c:253) 
==27361==    by 0x804A75C: main (main.c:549) 
io.c: Preparing fd 8 for writing 
io.c: connecting using fd 11 
io.c: connecting using fd 11 

With UDP spoof turned off:

==27373== Memcheck, a memory error detector for x86-linux. 
==27373== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward et al. 
==27373== Using valgrind-2.2.0, a program supervision framework for x86-linux.
==27373== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward et al. 
==27373== For more details, rerun with: -v 
==27373== 
io.c: Preparing fd 3 for reading 
io.c: Preparing fd 4 for reading 
io.c: listening on fd 5 
io.c: connecting using fd 6 
io.c: connecting using fd 7 
io.c: connecting using fd 7 
syslog-ng version 1.6.6 starting 
io.c: Preparing fd 6 for writing 
io.c: Preparing fd 7 for writing 

Which doesn't say too much.  I'm using libnet 1.1.2.1. The valgrind
message only appears once - and does not appear as the memory leak
continues.
I'm no valgrind expert, but I'm guessing it leaks one byte for each UDP
packet sent. Not sure why spoofing would cause this inside libnet.

Roberto Nibali <ratz@tac.ch>
Sent by: syslog-ng-admin@lists.balabit.hu
03/02/2005 10:13 AM
Please respond to: syslog-ng@lists.balabit.hu
To: syslog-ng@lists.balabit.hu
cc:
Subject: Re: [syslog-ng]Syslog-NG 1.6.6 memory leak when sending UDP logs

henry@shoelacecity.com wrote:
> 
> Let me understand this, you were seeing a leak when using a PERL script
> to send UDP packets using
> Net::RawIP _to_ syslog-ng.

Exact, the perl-related process was leaking, no syslog involved. We had to
hand-craft the UDP packets since the spoofing only works partially from 
our POV.

> I am still experiencing clear leak behavior when using syslog-ng to send
> spoofed UDP packets to other syslog-ng's.
> The syslog-ng sender is leaking, the receiver is exhibiting normal
> behavior.

You could valgrind the process ... http://valgrind.kde.org/

Sorry for not being more helpful to you in this matter,
Roberto Nibali, ratz
-- 
-------------------------------------------------------------
addr://Rathausgasse 31, CH-5001 Aarau  tel://++41 62 823 9355
http://www.terreactive.com             fax://++41 62 823 9356
-------------------------------------------------------------
terreActive AG                       Wir sichern Ihren Erfolg
-------------------------------------------------------------
_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
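
Added example, not part of the original message and not libnet's or syslog-ng's source: the Memcheck report above (a 2-byte read at offset 178 of a 179-byte block, inside a checksum routine) is what a checksum loop that always loads whole 16-bit words produces on an odd-length buffer. The function names and the sample packet are constructed for illustration; the word-wise pattern is an assumption, and its overrun is computed arithmetically rather than performed, next to a bounded RFC 1071 checksum.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offset of the last 16-bit load issued by a loop that always reads whole
 * words, including for an odd trailing byte. Computed, never executed. */
static size_t last_word_read_offset(size_t len)
{
    return len == 0 ? 0 : (len - 1) & ~(size_t)1;
}

/* Bytes beyond the buffer that the final whole-word load would touch. */
static size_t wordwise_overrun(size_t len)
{
    return len == 0 ? 0 : last_word_read_offset(len) + 2 - len;
}

/* RFC 1071 Internet checksum that stays inside buf[0..len). */
static uint16_t inet_cksum(const uint8_t *buf, size_t len)
{
    uint64_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2) {
        uint16_t w;
        memcpy(&w, buf + i, sizeof w);  /* alignment-safe 2-byte load */
        sum += w;
    }
    if (i < len) {                      /* odd tail: copy one byte, pad with 0 */
        uint16_t w = 0;
        memcpy(&w, buf + i, 1);
        sum += w;
    }
    while (sum >> 16)                   /* fold carries back into 16 bits */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

int main(void)
{
    uint8_t pkt[180] = {0};             /* constructed sample, not real traffic */
    for (size_t i = 0; i < 179; i++) pkt[i] = (uint8_t)(i * 7 + 1);
    printf("word-wise loop on 179 bytes: last read at offset %zu, overrun %zu\n",
           last_word_read_offset(179), wordwise_overrun(179));
    printf("bounded checksum: 0x%04x (179 bytes) vs 0x%04x (zero-padded to 180)\n",
           (unsigned)inet_cksum(pkt, 179), (unsigned)inet_cksum(pkt, 180));
    return 0;
}
```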


