[syslog-ng]Syslog-NG 1.6.6 memory leak when sending UDP logs
syslog-ng@lists.balabit.hu
syslog-ng@lists.balabit.hu
Wed, 2 Mar 2005 12:07:33 -0500
This is a multipart message in MIME format.
--=_alternative 005E2EEC85256FB8_=
Content-Type: text/plain; charset="US-ASCII"
Ok, so Valgrind came up with something(thanks for the suggestion Robert):
With UDP Spoof Turned on:
==27361== Memcheck, a memory error detector for x86-linux.
==27361== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward et al.
==27361== Using valgrind-2.2.0, a program supervision framework for
x86-linux.
==27361== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward et al.
==27361== For more details, rerun with: -v
==27361==
io.c: Preparing fd 3 for reading
io.c: Preparing fd 4 for reading
io.c: listening on fd 5
io.c: connecting using fd 6
io.c: connecting using fd 8
io.c: connecting using fd 8
syslog-ng version 1.6.6 starting
io.c: Preparing fd 6 for writing
==27361== Invalid read of size 2
==27361== at 0x805A987: libnet_in_cksum (in /usr/local/sbin/syslog-ng)
==27361== Address 0x1BA764E2 is 178 bytes inside a block of size 179
alloc'd
==27361== at 0x1B902E28: malloc (vg_replace_malloc.c:131)
==27361== by 0x805912D: libnet_pblock_coalesce (in
/usr/local/sbin/syslog-ng)
==27361== by 0x804C063: do_handle_log (destinations.c:103)
==27361== by 0x804B5EC: do_distribute_log (center.c:149)
==27361== by 0x804B02A: do_add_source_name (sources.c:289)
==27361== by 0x804AA8C: do_handle_line (sources.c:75)
==27361== by 0x804ADA5: do_read_line (sources.c:134)
==27361== by 0x8054AF8: read_callback (in /usr/local/sbin/syslog-ng)
==27361== by 0x804A079: main_loop (main.c:253)
==27361== by 0x804A75C: main (main.c:549)
io.c: Preparing fd 8 for writing
io.c: connecting using fd 11
io.c: connecting using fd 11
With UDP spoof turned off:
==27373== Memcheck, a memory error detector for x86-linux.
==27373== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward et al.
==27373== Using valgrind-2.2.0, a program supervision framework for
x86-linux.
==27373== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward et al.
==27373== For more details, rerun with: -v
==27373==
io.c: Preparing fd 3 for reading
io.c: Preparing fd 4 for reading
io.c: listening on fd 5
io.c: connecting using fd 6
io.c: connecting using fd 7
io.c: connecting using fd 7
syslog-ng version 1.6.6 starting
io.c: Preparing fd 6 for writing
io.c: Preparing fd 7 for writing
Which doesent say too much. I'm using libnet 1.1.2.1. The valgrind
message only appears once - and does not appear as the memory leak
contiues.
I'm no valgrind expert, but I'm guessing it leaks one byte for each UDP
packet sent. Not sure why spoofing would cause this inside libnet.
Roberto Nibali <ratz@tac.ch>
Sent by: syslog-ng-admin@lists.balabit.hu
03/02/2005 10:13 AM
Please respond to
syslog-ng@lists.balabit.hu
To
syslog-ng@lists.balabit.hu
cc
Subject
Re: [syslog-ng]Syslog-NG 1.6.6 memory leak when sending UDP logs
henry@shoelacecity.com wrote:
>
> Let me understand this, you were seeing a leak when using a PERL script
> to send UDP packets using
> Net::RawIP _to_ syslong_ng.
Exact, the perl-related process was leaking, no syslog involved. We had to
hand-craft the UDP packets since the spoofing only works partially from
our POV.
> I am still experiencing clear leak behavior when using syslog-ng to send
> spoffed UDP packets to other syslog-ng's.
> The syslog-ng sender is leaking, the receiver is exhibitning normal
> behavior.
You could valgrind the process ... http://valgrind.kde.org/
Sorry for not being more helpful to you in this matter,
Roberto Nibali, ratz
--
-------------------------------------------------------------
addr://Rathausgasse 31, CH-5001 Aarau tel://++41 62 823 9355
http://www.terreactive.com fax://++41 62 823 9356
-------------------------------------------------------------
terreActive AG Wir sichern Ihren Erfolg
-------------------------------------------------------------
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
--=_alternative 005E2EEC85256FB8_=
Content-Type: text/html; charset="US-ASCII"
<br><font size=2 face="sans-serif">Ok, so Valgrind came up with something(thanks
for the suggestion Robert):</font><font size=3> <br>
</font><font size=2 face="sans-serif"><br>
With UDP Spoof Turned on:</font><font size=3> <br>
<br>
</font><font size=2 face="sans-serif"><br>
==27361== Memcheck, a memory error detector for x86-linux.</font><font size=3>
</font><font size=2 face="sans-serif"><br>
==27361== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward et al.</font><font size=3>
</font><font size=2 face="sans-serif"><br>
==27361== Using valgrind-2.2.0, a program supervision framework for x86-linux.</font><font size=3>
</font><font size=2 face="sans-serif"><br>
==27361== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward et al.</font><font size=3>
</font><font size=2 face="sans-serif"><br>
==27361== For more details, rerun with: -v</font><font size=3> </font><font size=2 face="sans-serif"><br>
==27361==</font><font size=3> </font><font size=2 face="sans-serif"><br>
io.c: Preparing fd 3 for reading</font><font size=3> </font><font size=2 face="sans-serif"><br>
io.c: Preparing fd 4 for reading</font><font size=3> </font><font size=2 face="sans-serif"><br>
io.c: listening on fd 5</font><font size=3> </font><font size=2 face="sans-serif"><br>
io.c: connecting using fd 6</font><font size=3> </font><font size=2 face="sans-serif"><br>
io.c: connecting using fd 8</font><font size=3> </font><font size=2 face="sans-serif"><br>
io.c: connecting using fd 8</font><font size=3> </font><font size=2 face="sans-serif"><br>
syslog-ng version 1.6.6 starting</font><font size=3> </font><font size=2 face="sans-serif"><br>
io.c: Preparing fd 6 for writing</font><font size=3> </font><font size=2 face="sans-serif"><br>
==27361== Invalid read of size 2</font><font size=3> </font><font size=2 face="sans-serif"><br>
==27361== at 0x805A987: libnet_in_cksum (in /usr/local/sbin/syslog-ng)</font><font size=3>
</font><font size=2 face="sans-serif"><br>
==27361== Address 0x1BA764E2 is 178 bytes inside a block of size
179 alloc'd</font><font size=3> </font><font size=2 face="sans-serif"><br>
==27361== at 0x1B902E28: malloc (vg_replace_malloc.c:131)</font><font size=3>
</font><font size=2 face="sans-serif"><br>
==27361== by 0x805912D: libnet_pblock_coalesce (in /usr/local/sbin/syslog-ng)</font><font size=3>
</font><font size=2 face="sans-serif"><br>
==27361== by 0x804C063: do_handle_log (destinations.c:103)</font><font size=3>
</font><font size=2 face="sans-serif"><br>
==27361== by 0x804B5EC: do_distribute_log (center.c:149)</font><font size=3>
</font><font size=2 face="sans-serif"><br>
==27361== by 0x804B02A: do_add_source_name (sources.c:289)</font><font size=3>
</font><font size=2 face="sans-serif"><br>
==27361== by 0x804AA8C: do_handle_line (sources.c:75)</font><font size=3>
</font><font size=2 face="sans-serif"><br>
==27361== by 0x804ADA5: do_read_line (sources.c:134)</font><font size=3>
</font><font size=2 face="sans-serif"><br>
==27361== by 0x8054AF8: read_callback (in /usr/local/sbin/syslog-ng)</font><font size=3>
</font><font size=2 face="sans-serif"><br>
==27361== by 0x804A079: main_loop (main.c:253)</font><font size=3>
</font><font size=2 face="sans-serif"><br>
==27361== by 0x804A75C: main (main.c:549)</font><font size=3>
</font><font size=2 face="sans-serif"><br>
io.c: Preparing fd 8 for writing</font><font size=3> </font><font size=2 face="sans-serif"><br>
io.c: connecting using fd 11</font><font size=3> </font><font size=2 face="sans-serif"><br>
io.c: connecting using fd 11</font><font size=3> <br>
<br>
<br>
<br>
<br>
</font><font size=2 face="sans-serif"><br>
With UDP spoof turned off:</font><font size=3> <br>
<br>
<br>
</font><font size=2 face="sans-serif"><br>
==27373== Memcheck, a memory error detector for x86-linux.</font><font size=3>
</font><font size=2 face="sans-serif"><br>
==27373== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward et al.</font><font size=3>
</font><font size=2 face="sans-serif"><br>
==27373== Using valgrind-2.2.0, a program supervision framework for x86-linux.</font><font size=3>
</font><font size=2 face="sans-serif"><br>
==27373== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward et al.</font><font size=3>
</font><font size=2 face="sans-serif"><br>
==27373== For more details, rerun with: -v</font><font size=3> </font><font size=2 face="sans-serif"><br>
==27373==</font><font size=3> </font><font size=2 face="sans-serif"><br>
io.c: Preparing fd 3 for reading</font><font size=3> </font><font size=2 face="sans-serif"><br>
io.c: Preparing fd 4 for reading</font><font size=3> </font><font size=2 face="sans-serif"><br>
io.c: listening on fd 5</font><font size=3> </font><font size=2 face="sans-serif"><br>
io.c: connecting using fd 6</font><font size=3> </font><font size=2 face="sans-serif"><br>
io.c: connecting using fd 7</font><font size=3> </font><font size=2 face="sans-serif"><br>
io.c: connecting using fd 7</font><font size=3> </font><font size=2 face="sans-serif"><br>
syslog-ng version 1.6.6 starting</font><font size=3> </font><font size=2 face="sans-serif"><br>
io.c: Preparing fd 6 for writing</font><font size=3> </font><font size=2 face="sans-serif"><br>
io.c: Preparing fd 7 for writing</font><font size=3> <br>
<br>
<br>
<br>
</font><font size=2 face="sans-serif"><br>
Which doesent say too much. I'm using libnet 1.1.2.1. The valgrind
message only appears once - and does not appear as the memory leak contiues.</font><font size=3>
</font><font size=2 face="sans-serif"><br>
I'm no valgrind expert, but I'm guessing it leaks one byte for each UDP
packet sent. Not sure why spoofing would cause this inside libnet.
</font><font size=3><br>
<br>
<br>
<br>
</font>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td width=40%><font size=1 face="sans-serif"><b>Roberto Nibali <ratz@tac.ch></b>
</font>
<br><font size=1 face="sans-serif">Sent by: syslog-ng-admin@lists.balabit.hu</font>
<p><font size=1 face="sans-serif">03/02/2005 10:13 AM</font>
<table border>
<tr valign=top>
<td bgcolor=white>
<div align=center><font size=1 face="sans-serif">Please respond to<br>
syslog-ng@lists.balabit.hu</font></div></table>
<br>
<td width=59%>
<table width=100%>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">To</font></div>
<td valign=top><font size=1 face="sans-serif">syslog-ng@lists.balabit.hu</font>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td valign=top>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">Subject</font></div>
<td valign=top><font size=1 face="sans-serif">Re: [syslog-ng]Syslog-NG
1.6.6 memory leak when sending UDP logs</font></table>
<br>
<table>
<tr valign=top>
<td>
<td></table>
<br></table>
<br>
<br>
<br><font size=2><tt>henry@shoelacecity.com wrote:<br>
> <br>
> Let me understand this, you were seeing a leak when using a PERL script<br>
> to send UDP packets using<br>
> Net::RawIP _to_ syslong_ng.<br>
<br>
Exact, the perl-related process was leaking, no syslog involved. We had
to<br>
hand-craft the UDP packets since the spoofing only works partially from
our POV.<br>
<br>
> I am still experiencing clear leak behavior when using syslog-ng to
send<br>
> spoffed UDP packets to other syslog-ng's.<br>
> The syslog-ng sender is leaking, the receiver is exhibitning normal<br>
> behavior.<br>
<br>
You could valgrind the process ... http://valgrind.kde.org/<br>
<br>
Sorry for not being more helpful to you in this matter,<br>
Roberto Nibali, ratz<br>
-- <br>
-------------------------------------------------------------<br>
addr://Rathausgasse 31, CH-5001 Aarau tel://++41 62 823 9355<br>
http://www.terreactive.com fax://++41
62 823 9356<br>
-------------------------------------------------------------<br>
terreActive AG
Wir sichern Ihren Erfolg<br>
-------------------------------------------------------------<br>
_______________________________________________<br>
syslog-ng maillist - syslog-ng@lists.balabit.hu<br>
https://lists.balabit.hu/mailman/listinfo/syslog-ng<br>
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html<br>
<br>
</tt></font>
<br>
--=_alternative 005E2EEC85256FB8_=--