[Lognorm] Memory Leak in liblognorm?

Rainer Gerhards rgerhards at hq.adiscon.com
Mon Jul 15 22:23:16 CEST 2013 

Ln 109 add es_deleteStr

Sent from phone, thus brief.
Am 15.07.2013 22:19 schrieb "Champ Clark III" <cclark at quadrantsec.com>:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> It's at:
>
> https://github.com/beave/sagan/blob/master/src/sagan-liblognorm.c
>
> See the function "sagan_normalize_liblognorm" (line 93).
>
> There's not a lot to it (right now).    When my blacklist function calls
> this as it is now,  the memory grows and grows.
> If I disable the call to liblognorm,  it stays consistent.
>
>
>
> On 07/15/2013 04:06 PM, Rainer Gerhards wrote:
> >
> > I forgot: is your test code available online?
> >
> > Sent from phone, thus brief.
> >
> > Am 15.07.2013 22:02 schrieb "Champ Clark III" <cclark at quadrantsec.com
> <mailto:cclark at quadrantsec.com> <cclark at quadrantsec.com>>:
> >
> >
> > Sorry,  but same results :(   I'm using the same test code below but
> with es_emptyStr(str) replaced with es_deleteStr(str)
> >
> >
> >
> > On 07/15/2013 03:46 PM, Rainer Gerhards wrote:
> >
> > > Use es_deleteStr instead of es_emptyStr. The latter just resets it but
> does not free.  More explanations follow tomorrow.  Please report back.
> >
> > > Sent from phone, thus brief.
> >
> > > Am 15.07.2013 21:06 schrieb "Champ Clark III" <cclark at quadrantsec.com
> <mailto:cclark at quadrantsec.com> <cclark at quadrantsec.com>
> <mailto:cclark at quadrantsec.com> <cclark at quadrantsec.com>
> <mailto:cclark at quadrantsec.com> <cclark at quadrantsec.com>>:
> >
> >
> >
> > > Hello,
> >
> > > So - I've stripped down the code a good bit to see if I can't isolate
> > > where I'm going wrong.  Below is what I got:
> >
> > > --<snip>--
> > > str = es_newStrFromCStr(syslog_msg, strlen(syslog_msg));
> > > ln_normalize(ctx, str, &lnevent);
> >
> > >        if(lnevent != NULL) {
> > >                 es_emptyStr(str);
> > >                 ee_fmtEventToRFC5424(lnevent, &str);
> > >                 }
> >
> > > free(cstr);
> > > es_deleteStr(str);
> > > ee_deleteEvent(lnevent);
> > > }
> > > --<snip>--
> >
> > > It appears as soon as I add the "ee_fmtEventToRFC5424",  valgrind
> starts
> > > to report the following:
> >
> > > ==21979== 69,872 bytes in 614 blocks are definitely lost in loss record
> > > 52 of 54
> > > ==21979==    at 0x4C2B6CD: malloc (in
> > > /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> > > ==21979==    by 0x5457CD9: es_newStr (string.c:105)
> > > ==21979==    by 0x5457D0E: es_newStrFromCStr (string.c:125)
> > > ==21979==    by 0x40C167: sagan_normalize_liblognorm
> > > (sagan-liblognorm.c:103)
> > > ==21979==    by 0x41427F: Sagan_Blacklist (sagan-blacklist.c:167)
> > > ==21979==    by 0x40BC07: Sagan_Processor (sagan-processor.c:123)
> > > ==21979==    by 0x595EE99: start_thread (pthread_create.c:308)
> >
> > > If I remove the line,  that goes away.    Any thoughts?
> >
> > > Thanks for your time.
> >
> >
> > >     _______________________________________________
> > >     Lognorm mailing list
> > >     Lognorm at lists.adiscon.com <mailto:Lognorm at lists.adiscon.com><Lognorm at lists.adiscon.com>
> <mailto:Lognorm at lists.adiscon.com> <Lognorm at lists.adiscon.com>
> <mailto:Lognorm at lists.adiscon.com> <Lognorm at lists.adiscon.com>
> > >     http://lists.adiscon.net/mailman/listinfo/lognorm
> >
> >
> >
> > > _______________________________________________
> > > Lognorm mailing list
> > > Lognorm at lists.adiscon.com <mailto:Lognorm at lists.adiscon.com><Lognorm at lists.adiscon.com>
> > > http://lists.adiscon.net/mailman/listinfo/lognorm
> >
> >
> >
> >     _______________________________________________
> >     Lognorm mailing list
> >     Lognorm at lists.adiscon.com <mailto:Lognorm at lists.adiscon.com><Lognorm at lists.adiscon.com>
> >     http://lists.adiscon.net/mailman/listinfo/lognorm
> >
> >
> >
> > _______________________________________________
> > Lognorm mailing list
> > Lognorm at lists.adiscon.com
> > http://lists.adiscon.net/mailman/listinfo/lognorm
>
> - --
> - - Quadrant Information Security
>   Champ Clark III
>   o: 800.538.9357 x 101
>   c: 850.443.2440
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQEcBAEBAgAGBQJR5FlSAAoJENnmXt7Lmc3K/KkIAINRfPifLOsXVvdf8puDMMjH
> MIls2b8T6R73IUmtZA7+1yO3BtRQKAx50/yBofvXX3uc6v3TskzezjKDIkdCuQJv
> JieWERxsU7FcxoSfRPQT6QBEA6BGjKubwTPn7wwVBIhw5FfGkqMYTFfhcWoUovh5
> SnO5dzRcLQ1w2RpiajFFBFRfkPEwjpPgVut0LZLTMMBx+v1mHZTFROnA9o/b43Jb
> JSIjJRR6jPZYktGBhJZzvxfFB5FC9EX8n/gekhTBowC6nvJjVw1cg5CWyfzyIJ05
> ml7gsSizU7sAvBp14ByTuSHvcbgkuGmRr7923pdFGR0z9xbk11P7Hm/9i/LjHHg=
> =lZ/j
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.adiscon.net/pipermail/lognorm/attachments/20130715/dadbd555/attachment-0001.htm>

More information about the Lognorm mailing list