Bug #2201
closedaf_packet: suricata leaks memory with use-mmap enabled and incorrect BPF filter
Description
It appears that suricata leaks memory in af_packet mode when 'use-mmap' option is enabled and incorrect BPF filter is specified (e.g., 1.1.1.1/24 with non-network bits set). The reason is that suricata doesn't treat erroneous BPF filter as a fatal error and tries to reopen a capture interface. However, munmap() is not called in this case and suricata calls mmap() again and again, causing a memory leak (and it's not detected by valgrind). As a result, this behavior can lead to a system crash.
There're two possible options:
1) return AFP_FATAL_ERROR if AFPSetBPFFilter() fails;
2) add new function that does munmap().
Actually, I don't think that option 2 is correct because there's no reason for setting erroneous BPF filter again and again. IMHO, this should be treated as something like socket error.
Updated by Alexander Gozman about 7 years ago
- Status changed from New to Resolved
- Assignee set to Alexander Gozman
- % Done changed from 0 to 100
Updated by Victor Julien about 7 years ago
- Status changed from Resolved to Closed
- Target version set to 4.0.1