[syslog-ng] Syslog-NG 1.6.6 memory leak when sending UDP logs

Balazs Scheidler syslog-ng@lists.balabit.hu
Thu, 03 Mar 2005 13:27:34 +0100


On Wed, 2005-03-02 at 22:19 +0100, Roberto Nibali wrote:

> > io.c: Preparing fd 6 for writing
> > ==27361== Invalid read of size 2
> 
> There seems to be an off-by-one error in a string. This is the result if 
> you do something like the following:

This message is not triggered for me, but I'm going to try to use your
exact configuration as well.

> > ==27361==    at 0x805A987: libnet_in_cksum (in /usr/local/sbin/syslog-ng)
> > ==27361==  Address 0x1BA764E2 is 178 bytes inside a block of size 179 
> > alloc'd
> 
> There seems to be a wrong free, not really a missing one.
> 
> > ==27361==    at 0x1B902E28: malloc (vg_replace_malloc.c:131)
> > ==27361==    by 0x805912D: libnet_pblock_coalesce (in 
> > /usr/local/sbin/syslog-ng)
> > ==27361==    by 0x804C063: do_handle_log (destinations.c:103)
> > ==27361==    by 0x804B5EC: do_distribute_log (center.c:149)
> > ==27361==    by 0x804B02A: do_add_source_name (sources.c:289)
> > ==27361==    by 0x804AA8C: do_handle_line (sources.c:75)
> > ==27361==    by 0x804ADA5: do_read_line (sources.c:134)
> > ==27361==    by 0x8054AF8: read_callback (in /usr/local/sbin/syslog-ng)
> > ==27361==    by 0x804A079: main_loop (main.c:253)
> > ==27361==    by 0x804A75C: main (main.c:549)
> > io.c: Preparing fd 8 for writing
> > io.c: connecting using fd 11
> > io.c: connecting using fd 11


Again, this one does not show up in my valgrind output. In fact it
reports that no blocks are leaked.

I'm using 1.1.2.1-2 Debian package. The libnet changelog shows some
fixed leaks before 1.1.1, but as I see you also have a newer version.

Isn't it possible that you linked syslog-ng to an older libnet
statically and then upgraded your libnet package?

The funny part is that this version of libnet seems to expect port
numbers in host byte order whereas I pass them to libnet in network byte
order. I'm almost confident that this used to work when I originally did
the libnet support; judging by the libnet changelog again, this was a
change between 1.0 <-> 1.1.

Is your syslog-ng sending messages to the correct port? Can you check
that with tcpdump for example? Or maybe you are using a big-endian
machine?

This patch fixes the byte order issue, and I'm still hunting the memory
leak with your configuration:

diff -u -r1.25.4.6 afinet.c
--- afinet.c    5 Aug 2004 11:35:12 -0000       1.25.4.6
+++ afinet.c    3 Mar 2005 12:26:47 -0000
@@ -617,11 +617,10 @@
                        ADDRESS2SOCKADDR(msg->saddr, sizeof(src_addr), (struct sockaddr *) &src_addr);
                        ADDRESS2SOCKADDR(self->super.dest_addr, sizeof(dst_addr), (struct sockaddr *) &dst_addr);

-
                        libnet_clear_packet(self->lnet_ctx);

-                       udp = libnet_build_udp(src_addr.sin_port,
-                                              dst_addr.sin_port,
+                       udp = libnet_build_udp(ntohs(src_addr.sin_port),
+                                              ntohs(dst_addr.sin_port),
                                               LIBNET_UDP_H + msg_line->length,
                                               0,
                                               msg_line->data,
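
Review bot: the ntohs() conversions on the two port arguments to libnet_build_udp() are only correct for a libnet that takes ports in host byte order, which the message says changed between 1.0 and 1.1, and nothing in the hunk records that dependency. Suggest a short comment above the call stating that sin_port is in network order while libnet 1.1 expects host order, plus a build-time check on the libnet version if 1.0 is still a supported build target. The blank line dropped before libnet_clear_packet() is an unrelated whitespace change and could be left out of the fix.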


> 
> > Which doesn't say too much.  I'm using libnet 1.1.2.1. The valgrind 
> > message only appears once - and does not appear as the memory leak 
> > continues.
> 
> Was libnet linked statically against syslog-ng?

Yes, libnet is linked in statically by default.

> 
> > I'm no valgrind expert, but I'm guessing it leaks one byte for each UDP 
> > packet sent. Not sure why spoofing would cause this inside libnet.  
> 
> If you need to create a packet, you'd want to use libnet, unless you've 
> got enough spare time to code. Otherwise I don't see why libnet could be 
> used within syslog-ng.

syslog-ng uses libnet for creating UDP packets sent via a raw socket.

-- 
Bazsi
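
Added example, not part of the original message and not syslog-ng or libnet code: a small C program showing which destination port ends up on the wire when sin_port is handed unconverted to a builder that expects host byte order, compared with the ntohs() form used in the patch. build_udp_hdr() is a hypothetical stand-in for such a builder and the ports are constructed samples.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a builder that takes ports in host byte order
 * and serialises them big-endian into the 8-byte UDP header. */
static void build_udp_hdr(uint16_t sp, uint16_t dp, uint16_t len, uint8_t out[8])
{
    uint16_t f[4] = { htons(sp), htons(dp), htons(len), 0 };
    memcpy(out, f, 8);
}

/* Destination port as a receiver decodes it from the wire (bytes 2..3). */
static uint16_t wire_dport(const uint8_t hdr[8])
{
    return (uint16_t)((hdr[2] << 8) | hdr[3]);
}

/* Port seen on the wire when sin_port is passed unconverted (convert == 0)
 * or wrapped in ntohs() as in the patch (convert == 1). */
uint16_t sent_dport(uint16_t port, int convert)
{
    struct sockaddr_in dst;
    uint8_t hdr[8];
    memset(&dst, 0, sizeof(dst));
    dst.sin_port = htons(port);   /* sockaddr_in always holds network order */
    build_udp_hdr(0, convert ? ntohs(dst.sin_port) : dst.sin_port, 8, hdr);
    return wire_dport(hdr);
}

/* Result of the double conversion on a little-endian host, computed portably. */
uint16_t swapped(uint16_t port) { return (uint16_t)((port << 8) | (port >> 8)); }

int is_little_endian(void) { return htons(1) != 1; }

int main(void)
{
    uint16_t ports[] = { 514, 1514, 10514 };   /* constructed sample ports */
    for (size_t i = 0; i < sizeof(ports) / sizeof(ports[0]); i++)
        printf("port %5u: unconverted -> %5u, with ntohs -> %5u\n",
               (unsigned)ports[i], (unsigned)sent_dport(ports[i], 0),
               (unsigned)sent_dport(ports[i], 1));
    return 0;
}
```

Port 514 is 0x0202, so its two bytes are identical and the unconverted call still reaches the right port on a little-endian host; a tcpdump check only reveals the byte-order mistake with a destination port whose bytes differ, such as 1514.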