[Oisf-devel] Segfault in 1.0.5

Joel Ebrahimi jebrahimi at bivio.net
Tue Aug 30 22:20:42 UTC 2011


Hi All,

 

I have been having problems with segfaulting since using the 1.0.2
branch but I have not had time to find out if it was Bivio related or
something in Suricata until now. I have identified the problem, though
I'm not sure why no one using pcap to grab packets has reported this
before. Here is a breakdown of the problem:

When the pcap_dispatch function is called, the cnt field is evaluated by
the conditional operator "(pcap_max_read_packets < packet_q_len) ?
pcap_max_read_packets : packet_q_len". In my case this results in 0,
which when passed into pcap_dispatch means to grab all the packets in
the queue or until an error occurs. When I start Suricata and run
traffic at high speeds, there are generally around 20,000 packets already
in the queue.

The pcap handler function PcapCallback is called; it processes all those
20,000 packets and stores them in the PcapThreadVars ptv->array. The
problem is that the array is allocated with the defined variable
PCAP_FILE_MAX_PKTS which has a value of 256. So ultimately I segfault
when accessing ptv->array when the index is greater than 256.

The solution would be either to restrict cnt in pcap_dispatch to 256 or
change PCAP_FILE_MAX_PKTS. I found it easier for me to just change
PCAP_FILE_MAX_PKTS to 65536. When changed I do not experience any more
segfaulting.

 

Cheers,

// Joel

Joel Ebrahimi

Senior Solutions Architect

Bivio Networks Inc.

http://www.bivio.net
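
The fix discussed in the message above, as an added example that is not part of the original post and is not Suricata's code: the count is restricted before dispatch, and the callback checks the index before every store. All names (`ThreadVars`, `bounded_cnt`, `store_packet`, `mock_dispatch`) are hypothetical, `MAX_PKTS` stands in for PCAP_FILE_MAX_PKTS, and `mock_dispatch` is a constructed stand-in for pcap_dispatch so the block runs without libpcap.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_PKTS 256   /* stands in for PCAP_FILE_MAX_PKTS from the post */

typedef struct {
    const unsigned char *array[MAX_PKTS]; /* fixed batch, like ptv->array */
    size_t array_idx;                     /* next free slot */
    size_t dropped;                       /* packets refused: batch full */
} ThreadVars;

/* Restrict cnt to [1, MAX_PKTS] so 0 ("take everything") is never passed on. */
int bounded_cnt(int max_read, int q_len)
{
    int cnt = (max_read < q_len) ? max_read : q_len;
    if (cnt < 1) cnt = 1;
    if (cnt > MAX_PKTS) cnt = MAX_PKTS;
    return cnt;
}

/* Callback body: check the index before every store, whatever cnt was. */
int store_packet(ThreadVars *tv, const unsigned char *pkt)
{
    if (tv->array_idx >= MAX_PKTS) {
        tv->dropped++;
        return -1;
    }
    tv->array[tv->array_idx++] = pkt;
    return 0;
}

/* Constructed stand-in for pcap_dispatch: cnt <= 0 delivers the whole queue. */
size_t mock_dispatch(ThreadVars *tv, int cnt, size_t queued)
{
    static const unsigned char pkt[1] = {0};
    size_t n = (cnt <= 0 || (size_t)cnt > queued) ? queued : (size_t)cnt;
    for (size_t i = 0; i < n; i++)
        store_packet(tv, pkt);
    return n;
}

int main(void)
{
    ThreadVars tv;
    tv.array_idx = 0;
    tv.dropped = 0;
    mock_dispatch(&tv, 0, 20000);  /* the failing case: cnt of 0, 20,000 queued */
    printf("stored=%zu dropped=%zu bounded=%d\n",
           tv.array_idx, tv.dropped, bounded_cnt(0, 20000));
    return 0;
}
```

Raising the array size alone only moves the limit; the index check in the callback holds for any queue depth.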

 
