[Oisf-devel] LuaJIT running out of memory causing Suricata crashes?

Kyle Creyts kyle.creyts at gmail.com
Wed Dec 4 15:50:28 UTC 2013


Thanks, Victor!


On Wed, Dec 4, 2013 at 6:39 AM, Victor Julien <victor at inliniac.net> wrote:

> On 12/04/2013 01:17 PM, Chris Wakelin wrote:
> > On 04/12/13 12:16, Victor Julien wrote:
> >> On 12/04/2013 01:13 PM, Victor Julien wrote:
> >>> On 12/04/2013 12:56 PM, Victor Julien wrote:
> >>>> On 12/04/2013 12:37 PM, Chris Wakelin wrote:
> >>>>>> [32578] 4/12/2013 -- 11:18:50 - (detect-luajit.c:281) <Info> (DetectLuajitMatchBuffer) -- failed to run script: not enough memory
> >>>>> I guess we could add more checks to the Lua scripts to avoid the
> >>>>> zlib/xor errors, which occur all the time, but I think they're probably
> >>>>> not significant. Is there a way we could prevent or at least debug the
> >>>>> "not enough memory" errors which are presumably what causes Suricata to
> >>>>> crash?
> >>>>
> >>>> Maybe you can try inserting a "return 0" on line 282, so:
> >>>>
> >>>>     int retval = lua_pcall(tluajit->luastate, 1, 1, 0);
> >>>>     if (retval != 0) {
> >>>>         SCLogInfo("failed to run script: %s",
> >>>>                 lua_tostring(tluajit->luastate, -1));
> >>>>         return 0;
> >>>>     }
> >>>>
> >>>
> >>> Actually, please ignore this. I found that the lua state isn't cleared
> >>> properly, will send a test patch in a few minutes.
> >>>
> >>
> >> Can you try the attached patch?
>
> I have pushed a Lua update to the master. It should fix the issue some
> people were seeing "(DetectLuajitMatch) -- failed to run script: stack
> overflow". Hopefully it also addresses Chris' issue.
>
> Other than that, there was a fix to how flowvars were retrieved. In
> short, if the stored value was not a multiple of 4, the length was wrong.
>
> Finally, you can now get the gid, sid and rev from the rule calling the
> script:
>
> function match(args)
>     a = SCRuleSid
>     b = SCRuleRev
>     c = SCRuleGid
>     print (a .. " " .. b .. " " .. c)
> end
>
> Please test :)
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------



-- 
Kyle Creyts

Information Assurance Professional
Founder BSidesDetroit