Bug #2433
closed
memleak with suppression rules defined in threshold.conf
Description
If there is a suppression for a rule in the threshold.conf - for example -
suppress gen_id 1, sig_id 2011813, track by_src, ip 10.0.0.0/16
valgrind reports memleak -
[1810] 4/2/2018 -- 15:04:37 - (detect-engine-build.c:1704) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... complete
==1810==
==1810== HEAP SUMMARY:
==1810==     in use at exit: 19,935 bytes in 386 blocks
==1810==   total heap usage: 665,243 allocs, 664,857 frees, 105,359,022 bytes allocated
==1810==
==1810== 7 bytes in 1 blocks are definitely lost in loss record 26 of 381
==1810==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==1810==    by 0x6AFEA69: pcre_get_substring (pcre_get.c:569)
==1810==    by 0x3C649B: ParseThresholdRule (util-threshold-config.c:819)
==1810==    by 0x3C79D2: SCThresholdConfAddThresholdtype (util-threshold-config.c:1015)
==1810==    by 0x3C7C5E: SCThresholdConfParseFile (util-threshold-config.c:1126)
==1810==    by 0x3C1774: SCThresholdConfInitContext (util-threshold-config.c:219)
==1810==    by 0x1FE964: SigLoadSignatures (detect-engine-loader.c:363)
==1810==    by 0x32A976: LoadSignatures (suricata.c:2373)
==1810==    by 0x32B307: PostConfLoadedDetectSetup (suricata.c:2504)
==1810==    by 0x32C79D: main (suricata.c:2851)
==1810==
{
   <insert_a_suppression_name_here>
   Memcheck:Leak
   match-leak-kinds: definite
   fun:malloc
   fun:pcre_get_substring
   fun:ParseThresholdRule
   fun:SCThresholdConfAddThresholdtype
   fun:SCThresholdConfParseFile
   fun:SCThresholdConfInitContext
   fun:SigLoadSignatures
   fun:LoadSignatures
   fun:PostConfLoadedDetectSetup
   fun:main
}
==1810== 12 bytes in 1 blocks are definitely lost in loss record 35 of 381
==1810==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==1810==    by 0x6AFEA69: pcre_get_substring (pcre_get.c:569)
==1810==    by 0x3C65C7: ParseThresholdRule (util-threshold-config.c:825)
==1810==    by 0x3C79D2: SCThresholdConfAddThresholdtype (util-threshold-config.c:1015)
==1810==    by 0x3C7C5E: SCThresholdConfParseFile (util-threshold-config.c:1126)
==1810==    by 0x3C1774: SCThresholdConfInitContext (util-threshold-config.c:219)
==1810==    by 0x1FE964: SigLoadSignatures (detect-engine-loader.c:363)
==1810==    by 0x32A976: LoadSignatures (suricata.c:2373)
==1810==    by 0x32B307: PostConfLoadedDetectSetup (suricata.c:2504)
==1810==    by 0x32C79D: main (suricata.c:2851)
==1810==
{
   <insert_a_suppression_name_here>
   Memcheck:Leak
   match-leak-kinds: definite
   fun:malloc
   fun:pcre_get_substring
   fun:ParseThresholdRule
   fun:SCThresholdConfAddThresholdtype
   fun:SCThresholdConfParseFile
   fun:SCThresholdConfInitContext
   fun:SigLoadSignatures
   fun:LoadSignatures
   fun:PostConfLoadedDetectSetup
   fun:main
}
==1810== LEAK SUMMARY:
==1810==    definitely lost: 19 bytes in 2 blocks
==1810==    indirectly lost: 0 bytes in 0 blocks
==1810==      possibly lost: 0 bytes in 0 blocks
==1810==    still reachable: 19,916 bytes in 384 blocks
==1810==         suppressed: 0 bytes in 0 blocks
==1810== Reachable blocks (those to which a pointer was found) are not shown.
==1810== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==1810==
==1810== For counts of detected and suppressed errors, rerun with: -v
==1810== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Using -
sudo valgrind --gen-suppressions=all --leak-check=full --suppressions=qa/valgrind.suppress suricata -k none -r ../../tests/JA3/pcaps/ -S ../../tests/JA3/test.rules -vvv -l log/
pevma@DONPEDRO:~/Work/Suricata/suricomp/tests$ suricata --build-info
This is Suricata version 4.1.0-dev (rev d2121945)
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS MAGIC
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 6.3.0 20170516, C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.25, linked against LibHTP v0.5.25

Suricata Configuration:
  AF_PACKET support: yes
  PF_RING support: no
  NFQueue support: no
  NFLOG support: no
  IPFW support: no
  Netmap support: no
  DAG enabled: no
  Napatech enabled: no

  Unix socket enabled: yes
  Detection enabled: yes

  Libmagic support: yes
  libnss support: yes
  libnspr support: yes
  libjansson support: yes
  liblzma support: no
  hiredis support: no
  hiredis async with libevent: no
  Prelude support: no
  PCRE jit: yes
  LUA support: yes, through luajit
  libluajit: yes
  libgeoip: yes
  Non-bundled htp: no
  Old barnyard2 support: no
  Hyperscan support: no
  Libnet support: yes

  Rust support (experimental): no
  Experimental Rust parsers: no
  Rust strict mode: no
  Rust debug mode: no

  Suricatasc install: yes

  Profiling enabled: no
  Profiling locks enabled: no

Development settings:
  Coccinelle / spatch: yes
  Unit tests enabled: no
  Debug output enabled: no
  Debug validation enabled: no

Generic build parameters:
  Installation prefix: /usr
  Configuration directory: /etc/suricata/
  Log directory: /var/log/suricata/

  --prefix /usr
  --sysconfdir /etc
  --localstatedir /var

  Host: x86_64-pc-linux-gnu
  Compiler: gcc (exec name) / gcc (real)
  GCC Protect enabled: no
  GCC march native enabled: yes
  GCC Profile enabled: no
  Position Independent Executable enabled: no
  CFLAGS -ggdb -O0 -march=native
  PCAP_CFLAGS -I/usr/include
  SECCFLAGS
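A triage helper for the valgrind output in this report, as an added example that is not part of the original report or of Suricata's code: it attributes each "definitely lost" record to the first stack frame outside the allocator and PCRE. The sample log is constructed by abbreviating the two loss records above, and the `LIBRARY_FILES` prefixes are an assumption of this example.

```python
import re
from collections import defaultdict
# Constructed sample: the two loss records from the report, stacks abbreviated.
SAMPLE = """\
==1810== 7 bytes in 1 blocks are definitely lost in loss record 26 of 381
==1810==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==1810==    by 0x6AFEA69: pcre_get_substring (pcre_get.c:569)
==1810==    by 0x3C649B: ParseThresholdRule (util-threshold-config.c:819)
==1810==
==1810== 12 bytes in 1 blocks are definitely lost in loss record 35 of 381
==1810==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==1810==    by 0x6AFEA69: pcre_get_substring (pcre_get.c:569)
==1810==    by 0x3C65C7: ParseThresholdRule (util-threshold-config.c:825)
==1810== LEAK SUMMARY:
==1810==    definitely lost: 19 bytes in 2 blocks
"""
RECORD = re.compile(
    r"^==\d+==\s+([\d,]+) bytes in [\d,]+ blocks are (definitely|indirectly|possibly) lost")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)")
# Assumption: source files with these prefixes are allocator or library code.
LIBRARY_FILES = ("vg_replace_malloc.c", "pcre_")

def parse_leaks(text):
    """Return one dict per loss record: byte count, leak kind, call stack."""
    records, current = [], None
    for line in text.splitlines():
        m, f = RECORD.match(line), FRAME.match(line)
        if m:
            current = {"bytes": int(m.group(1).replace(",", "")),
                       "kind": m.group(2), "stack": []}
            records.append(current)
        elif f and current is not None:
            current["stack"].append(f.groups())  # (function, file:line)
        else:
            current = None  # bare ==pid== line or summary text ends the record
    return records

def blame(record):
    """First frame whose source file is not allocator or library code."""
    for func, loc in record["stack"]:
        if not loc.startswith(LIBRARY_FILES):
            return func, loc
    return ("?", "?")

def definite_leaks_by_function(text):
    """Sum 'definitely lost' bytes per blamed function."""
    totals = defaultdict(int)
    for rec in parse_leaks(text):
        if rec["kind"] == "definitely":
            totals[blame(rec)[0]] += rec["bytes"]
    return dict(totals)
```

A CI job can fail the build when `definite_leaks_by_function` returns a non-empty result for a run that loads a threshold.conf with suppress rules.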