[Lognorm] Memory Leak in liblognorm?
Champ Clark III
cclark at quadrantsec.com
Mon Jul 15 22:19:30 CEST 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
It's at:
https://github.com/beave/sagan/blob/master/src/sagan-liblognorm.c
See the function "sagan_normalize_liblognorm" (line 93).
There's not a lot to it (right now). When my blacklist function calls
this as it is now, the memory grows and grows.
If I disable the call to liblognorm, it stays consistent.
On 07/15/2013 04:06 PM, Rainer Gerhards wrote:
>
> I forgot: is your test code available online?
>
> Sent from phone, thus brief.
>
> Am 15.07.2013 22:02 schrieb "Champ Clark III" <cclark at quadrantsec.com
<mailto:cclark at quadrantsec.com>>:
>
>
> Sorry, but same results :( I'm using the same test code below but
with es_emptyStr(str) replaced with es_deleteStr(str)
>
>
>
> On 07/15/2013 03:46 PM, Rainer Gerhards wrote:
>
> > Use es_deleteStr instead of es_emptyStr. The latter just resets it
but does not free. More explanations follow tomorrow. Please report back.
>
> > Sent from phone, thus brief.
>
> > Am 15.07.2013 21:06 schrieb "Champ Clark III"
<cclark at quadrantsec.com <mailto:cclark at quadrantsec.com>
<mailto:cclark at quadrantsec.com> <mailto:cclark at quadrantsec.com>>:
>
>
>
> > Hello,
>
> > So - I've stripped down the code a good bit to see if I can't isolate
> > where I'm going wrong. Below is what I got:
>
> > --<snip>--
> > str = es_newStrFromCStr(syslog_msg, strlen(syslog_msg));
> > ln_normalize(ctx, str, &lnevent);
>
> > if(lnevent != NULL) {
> > es_emptyStr(str);
> > ee_fmtEventToRFC5424(lnevent, &str);
> > }
>
> > free(cstr);
> > es_deleteStr(str);
> > ee_deleteEvent(lnevent);
> > }
> > --<snip>--
>
> > It appears as soon as I add the "ee_fmtEventToRFC5424", valgrind starts
> > to report the following:
>
> > ==21979== 69,872 bytes in 614 blocks are definitely lost in loss record
> > 52 of 54
> > ==21979== at 0x4C2B6CD: malloc (in
> > /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> > ==21979== by 0x5457CD9: es_newStr (string.c:105)
> > ==21979== by 0x5457D0E: es_newStrFromCStr (string.c:125)
> > ==21979== by 0x40C167: sagan_normalize_liblognorm
> > (sagan-liblognorm.c:103)
> > ==21979== by 0x41427F: Sagan_Blacklist (sagan-blacklist.c:167)
> > ==21979== by 0x40BC07: Sagan_Processor (sagan-processor.c:123)
> > ==21979== by 0x595EE99: start_thread (pthread_create.c:308)
>
> > If I remove the line, that goes away. Any thoughts?
>
> > Thanks for your time.
>
>
> > _______________________________________________
> > Lognorm mailing list
> > Lognorm at lists.adiscon.com <mailto:Lognorm at lists.adiscon.com>
<mailto:Lognorm at lists.adiscon.com> <mailto:Lognorm at lists.adiscon.com>
> > http://lists.adiscon.net/mailman/listinfo/lognorm
>
>
>
> > _______________________________________________
> > Lognorm mailing list
> > Lognorm at lists.adiscon.com <mailto:Lognorm at lists.adiscon.com>
> > http://lists.adiscon.net/mailman/listinfo/lognorm
>
>
>
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com <mailto:Lognorm at lists.adiscon.com>
> http://lists.adiscon.net/mailman/listinfo/lognorm
>
>
>
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm
- --
- - Quadrant Information Security
Champ Clark III
o: 800.538.9357 x 101
c: 850.443.2440
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJR5FlSAAoJENnmXt7Lmc3K/KkIAINRfPifLOsXVvdf8puDMMjH
MIls2b8T6R73IUmtZA7+1yO3BtRQKAx50/yBofvXX3uc6v3TskzezjKDIkdCuQJv
JieWERxsU7FcxoSfRPQT6QBEA6BGjKubwTPn7wwVBIhw5FfGkqMYTFfhcWoUovh5
SnO5dzRcLQ1w2RpiajFFBFRfkPEwjpPgVut0LZLTMMBx+v1mHZTFROnA9o/b43Jb
JSIjJRR6jPZYktGBhJZzvxfFB5FC9EX8n/gekhTBowC6nvJjVw1cg5CWyfzyIJ05
ml7gsSizU7sAvBp14ByTuSHvcbgkuGmRr7923pdFGR0z9xbk11P7Hm/9i/LjHHg=
=lZ/j
-----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.adiscon.net/pipermail/lognorm/attachments/20130715/948018cd/attachment.htm>
More information about the Lognorm
mailing list