[Oisf-devel] Crashing

Chris Wakelin c.d.wakelin at reading.ac.uk
Thu Feb 10 18:53:40 UTC 2011

On 10/02/11 00:02, Victor Julien wrote:
> On 02/08/2011 01:13 PM, Chris Wakelin wrote:
>> I wonder whether:
>>> commit a8417377e700ed69c719d2c1c31acdac656bfa4f
>>> Author: Eric Leblond <eric at regit.org>
>>> Date:   Wed Feb 2 22:50:53 2011 +0100
>>>     Don't use direct pkt access
>>>     pkt field in Packet needs to be accessed via macro. This
>>>     patch supress some direct access.
>> (or later ones) fixed the UDP issue
> That would have been an unintentional side effect then.

Not seen any more misses, but it was only a wild guess about this patch.

>>> commit addab7b5ee62f555e8743031ca8bb4178f893638
>>> Author: Victor Julien <victor at inliniac.net>
>>> Date:   Thu Feb 3 15:22:40 2011 +0100
>>>     Don't test the several packet detection checks against pseudo packets as the matches would not be meaningful anyway. Prevents a segv in the csum detection.
>> fixed the segfault.
> This could be possible. I never saw it outside of the checksum keywords
> though, they are not used by any ET/VRT rule by default.

Similarly a wild guess. However I've had more crashes since, so I guess
it's not fixed. I'm not getting any core dumps though, despite having
"ulimit -c unlimited" and for good measure starting Suricata with a CWD
of /var/log/suricata (i.e. which it can write to). Where is it likely to
leave them?

I'm also using the tcmalloc trick in
- will that make a difference do you think?

I didn't get crashes until a week or so ago, so I think my GIT version
as of 6th January is probably OK, except for the UDP port mismatches.

Today I've got a new Suricata instance on the other half of our network,
used by our student residences, which will be interesting :)

Best Wishes,

Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094

More information about the Oisf-devel mailing list