[Lognorm] Memory Leak in liblognorm?

Rainer Gerhards rgerhards at hq.adiscon.com
Mon Jul 15 22:17:08 CEST 2013 

The fmt function creates a new string:
http://git.adiscon.com/?p=libee.git;a=blob;f=src/syslog_enc.c;h=d559521581242ec73a5687aae1de83ba4f2fbbe3;hb=HEAD#l150

So i think i need to see the full test code.

Sent from phone, thus brief.
Am 15.07.2013 22:10 schrieb "Champ Clark III" <cclark at quadrantsec.com>:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Not yet,  but that can be arranged :)
>
> I literally just commented out all the 80% of it.   I'll throw it up and
> let you know.
>
>
> On 07/15/2013 04:06 PM, Rainer Gerhards wrote:
> >
> > I forgot: is your test code available online?
> >
> > Sent from phone, thus brief.
> >
> > Am 15.07.2013 22:02 schrieb "Champ Clark III" <cclark at quadrantsec.com
> <mailto:cclark at quadrantsec.com> <cclark at quadrantsec.com>>:
> >
> >
> > Sorry,  but same results :(   I'm using the same test code below but
> with es_emptyStr(str) replaced with es_deleteStr(str)
> >
> >
> >
> > On 07/15/2013 03:46 PM, Rainer Gerhards wrote:
> >
> > > Use es_deleteStr instead of es_emptyStr. The latter just resets it but
> does not free.  More explanations follow tomorrow.  Please report back.
> >
> > > Sent from phone, thus brief.
> >
> > > Am 15.07.2013 21:06 schrieb "Champ Clark III" <cclark at quadrantsec.com
> <mailto:cclark at quadrantsec.com> <cclark at quadrantsec.com>
> <mailto:cclark at quadrantsec.com> <cclark at quadrantsec.com>
> <mailto:cclark at quadrantsec.com> <cclark at quadrantsec.com>>:
> >
> >
> >
> > > Hello,
> >
> > > So - I've stripped down the code a good bit to see if I can't isolate
> > > where I'm going wrong.  Below is what I got:
> >
> > > --<snip>--
> > > str = es_newStrFromCStr(syslog_msg, strlen(syslog_msg));
> > > ln_normalize(ctx, str, &lnevent);
> >
> > >        if(lnevent != NULL) {
> > >                 es_emptyStr(str);
> > >                 ee_fmtEventToRFC5424(lnevent, &str);
> > >                 }
> >
> > > free(cstr);
> > > es_deleteStr(str);
> > > ee_deleteEvent(lnevent);
> > > }
> > > --<snip>--
> >
> > > It appears as soon as I add the "ee_fmtEventToRFC5424",  valgrind
> starts
> > > to report the following:
> >
> > > ==21979== 69,872 bytes in 614 blocks are definitely lost in loss record
> > > 52 of 54
> > > ==21979==    at 0x4C2B6CD: malloc (in
> > > /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> > > ==21979==    by 0x5457CD9: es_newStr (string.c:105)
> > > ==21979==    by 0x5457D0E: es_newStrFromCStr (string.c:125)
> > > ==21979==    by 0x40C167: sagan_normalize_liblognorm
> > > (sagan-liblognorm.c:103)
> > > ==21979==    by 0x41427F: Sagan_Blacklist (sagan-blacklist.c:167)
> > > ==21979==    by 0x40BC07: Sagan_Processor (sagan-processor.c:123)
> > > ==21979==    by 0x595EE99: start_thread (pthread_create.c:308)
> >
> > > If I remove the line,  that goes away.    Any thoughts?
> >
> > > Thanks for your time.
> >
> >
> > >     _______________________________________________
> > >     Lognorm mailing list
> > >     Lognorm at lists.adiscon.com <mailto:Lognorm at lists.adiscon.com><Lognorm at lists.adiscon.com>
> <mailto:Lognorm at lists.adiscon.com> <Lognorm at lists.adiscon.com>
> <mailto:Lognorm at lists.adiscon.com> <Lognorm at lists.adiscon.com>
> > >     http://lists.adiscon.net/mailman/listinfo/lognorm
> >
> >
> >
> > > _______________________________________________
> > > Lognorm mailing list
> > > Lognorm at lists.adiscon.com <mailto:Lognorm at lists.adiscon.com><Lognorm at lists.adiscon.com>
> > > http://lists.adiscon.net/mailman/listinfo/lognorm
> >
> >
> >
> >     _______________________________________________
> >     Lognorm mailing list
> >     Lognorm at lists.adiscon.com <mailto:Lognorm at lists.adiscon.com><Lognorm at lists.adiscon.com>
> >     http://lists.adiscon.net/mailman/listinfo/lognorm
> >
> >
> >
> > _______________________________________________
> > Lognorm mailing list
> > Lognorm at lists.adiscon.com
> > http://lists.adiscon.net/mailman/listinfo/lognorm
>
> - --
> - - Quadrant Information Security
>   Champ Clark III
>   o: 800.538.9357 x 101
>   c: 850.443.2440
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQEcBAEBAgAGBQJR5FciAAoJENnmXt7Lmc3KVHAH/3+MA7bDO/ejGiOU/2WX24fl
> 3IXnZh/hmBFknXsiXQwWVy4X1Un/tQUJqYHtQ/TE+r3A7pp16WmJRhz0CzW9ySME
> oJof02TXJZgiweFTOg3+JdK5JwWBdU7iPXzvCOB/IKbtsEladMcYCxYkPlaYWNA1
> iQ37ZcHaUBej1FvW+qkCl0EMtcUdfolhcK2+NJMtPBxrxwfRDRcBRXDXuz2SzizE
> EvJ1pMelkRRLhi5UIGONYQkFMF8FBGxb8tBp4iCLSRAzQHuoSuhpUHOhT6NzaVIg
> GtQFscsYBHFDhl52E6Y3Rdv6/FZ2/C0yjrlHbGWACJPtvWLk47jsDiQxNQHodIw=
> =+1FU
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.adiscon.net/pipermail/lognorm/attachments/20130715/e45653ee/attachment-0001.htm>

More information about the Lognorm mailing list