[Lognorm] Memory Leak in liblognorm?

Champ Clark III cclark at quadrantsec.com
Mon Jul 15 22:41:27 CEST 2013



Ok.. Tried that earlier, but let me make sure.  Will let you know the results ASAP.


On 07/15/2013 04:23 PM, Rainer Gerhards wrote:
>
> Ln 109 add es_deleteStr
>
> Sent from phone, thus brief.
>
> On 15.07.2013 22:19, "Champ Clark III" <cclark at quadrantsec.com> wrote:
>
>
> It's at:
>
> https://github.com/beave/sagan/blob/master/src/sagan-liblognorm.c
>
> See the function "sagan_normalize_liblognorm" (line 93).
>
> There's not a lot to it (right now). When my blacklist function calls this as it is now, the memory grows and grows.
> If I disable the call to liblognorm, it stays consistent.
>
>
>
> On 07/15/2013 04:06 PM, Rainer Gerhards wrote:
>
> > I forgot: is your test code available online?
>
> > Sent from phone, thus brief.
>
> > On 15.07.2013 22:02, "Champ Clark III" <cclark at quadrantsec.com> wrote:
>
>
> > Sorry, but same results :(   I'm using the same test code below but with es_emptyStr(str) replaced with es_deleteStr(str)
>
>
>
> > On 07/15/2013 03:46 PM, Rainer Gerhards wrote:
>
> > > Use es_deleteStr instead of es_emptyStr. The latter just resets it but does not free.  More explanations follow tomorrow.  Please report back.
>
> > > Sent from phone, thus brief.
>
> > > On 15.07.2013 21:06, "Champ Clark III" <cclark at quadrantsec.com> wrote:
>
>
>
> > > Hello,
>
> > > So - I've stripped down the code a good bit to see if I can't isolate
> > > where I'm going wrong.  Below is what I got:
>
> > > --<snip>--
> > > str = es_newStrFromCStr(syslog_msg, strlen(syslog_msg));
> > > ln_normalize(ctx, str, &lnevent);
>
> > >        if(lnevent != NULL) {
> > >                 es_emptyStr(str);
> > >                 ee_fmtEventToRFC5424(lnevent, &str);
> > >                 }
>
> > > free(cstr);
> > > es_deleteStr(str);
> > > ee_deleteEvent(lnevent);
> > > }
> > > --<snip>--
>
> > > It appears as soon as I add the "ee_fmtEventToRFC5424", valgrind starts
> > > to report the following:
>
> > > ==21979== 69,872 bytes in 614 blocks are definitely lost in loss record 52 of 54
> > > ==21979==    at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> > > ==21979==    by 0x5457CD9: es_newStr (string.c:105)
> > > ==21979==    by 0x5457D0E: es_newStrFromCStr (string.c:125)
> > > ==21979==    by 0x40C167: sagan_normalize_liblognorm (sagan-liblognorm.c:103)
> > > ==21979==    by 0x41427F: Sagan_Blacklist (sagan-blacklist.c:167)
> > > ==21979==    by 0x40BC07: Sagan_Processor (sagan-processor.c:123)
> > > ==21979==    by 0x595EE99: start_thread (pthread_create.c:308)
>
> > > If I remove the line,  that goes away.    Any thoughts?
>
> > > Thanks for your time.
>
>
> > >     _______________________________________________
> > >     Lognorm mailing list
> > >     Lognorm at lists.adiscon.com
> > >     http://lists.adiscon.net/mailman/listinfo/lognorm

-- 
- Quadrant Information Security
  Champ Clark III
  o: 800.538.9357 x 101
  c: 850.443.2440
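
An added illustration, not part of the original thread or of the Sagan or liblognorm sources: a self-contained C model of the leak pattern discussed above. `str_t`, `str_new`, `str_empty`, `str_delete` and `fmt_event` are hypothetical stand-ins for the libestr/libee calls, and the model assumes the formatter allocates a new string and overwrites the caller's pointer, which would match the valgrind trace blaming `es_newStrFromCStr`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for libestr's es_str_t; NOT the real library type. */
typedef struct { size_t len; char *buf; } str_t;

static int live_strings = 0;            /* strings allocated and not yet freed */

static str_t *str_new(const char *s) {  /* models es_newStrFromCStr */
    str_t *p = malloc(sizeof *p);
    if (p == NULL) return NULL;
    p->len = strlen(s);
    p->buf = malloc(p->len + 1);
    if (p->buf == NULL) { free(p); return NULL; }
    memcpy(p->buf, s, p->len + 1);
    live_strings++;
    return p;
}
/* Models es_emptyStr as described in the thread: resets, frees nothing. */
static void str_empty(str_t *p) { p->len = 0; }
static void str_delete(str_t *p) {      /* models es_deleteStr */
    if (p == NULL) return;
    free(p->buf); free(p); live_strings--;
}
/* ASSUMPTION: the formatter allocates a fresh string and overwrites *out. */
static void fmt_event(str_t **out) { *out = str_new("[constructed event]"); }

/* One normalization pass; returns how many strings the caller lost track of. */
int normalize_once(int free_before_format) {
    str_t *in = str_new("constructed syslog message");
    str_t *str = in;                    /* the only pointer the caller keeps */
    if (in == NULL) return -1;
    if (free_before_format) { str_delete(str); str = NULL; }
    else str_empty(str);                /* input buffer is still allocated */
    fmt_event(&str);                    /* old value of str is overwritten */
    str_delete(str);                    /* frees only the formatter's string */
    int lost = live_strings;
    if (lost > 0) str_delete(in);       /* demo-only cleanup of the orphan */
    return lost;
}

int main(void) {
    printf("reset then format:  %d string(s) lost\n", normalize_once(0));
    printf("delete then format: %d string(s) lost\n", normalize_once(1));
    return 0;
}
```
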
