[Bro-Dev] #400: file descriptor leak in bro remote serializer

Bro Tracker bro at tracker.icir.org
Fri Feb 18 21:04:25 PST 2011


#400: file descriptor leak in bro remote serializer
-----------------------+---------------------
 Reporter:  scampbell  |       Type:  Problem
   Status:  new        |   Priority:  High
Milestone:             |  Component:  Bro
  Version:  1.5.2      |   Keywords:
-----------------------+---------------------
 In the child proxy process there seems to be a file descriptor leak -
 noticed we were getting a kern.maxfiles exceeded error.  Looking at lsof
 output identified the leaking process and truss shows:


 {{{
 socket(PF_INET,SOCK_STREAM,0)                    = 69 (0x45)
 setsockopt(0x45,0xffff,0x4,0xbfbfe5a8,0x4,0x0)   = 0 (0x0)
 bind(69,{ AF_INET 0.0.0.0:47761 },16)            ERR#48 'Address already in use'
 gettimeofday({1298082809.001388},0x0)            = 0 (0x0)
 write(27,"\0\0\0\b\^E\M^P\M-,\t\0\0\0\0\0"...,65) = 65 (0x41)
 select(28,{27},0x0,0x0,{0.000000})               = 0 (0x0)
 }}}


 for every call to socket(), the returned file descriptor is incremented:


 {{{
 bind(69,{ AF_INET 0.0.0.0:47761 },16)            ERR#48 'Address already in use'
 bind(70,{ AF_INET 0.0.0.0:47761 },16)            ERR#48 'Address already in use'
 bind(71,{ AF_INET 0.0.0.0:47761 },16)            ERR#48 'Address already in use'
 bind(72,{ AF_INET 0.0.0.0:47761 },16)            ERR#48 'Address already in use'
 bind(73,{ AF_INET 0.0.0.0:47761 },16)            ERR#48 'Address already in use'
 bind(74,{ AF_INET 0.0.0.0:47761 },16)            ERR#48 'Address already in use'
 bind(75,{ AF_INET 0.0.0.0:47761 },16)            ERR#48 'Address already in use'
 bind(76,{ AF_INET 0.0.0.0:47761 },16)            ERR#48 'Address already in use'
 }}}

 in RemoteSerializer.cc @ 3587 in SocketComm::Listen


 {{{
         if ( bind(*listen_fd, (sockaddr*) &server, sizeof(server)) < 0 )
                 {
                 Error(fmt("can't bind to port %d, %s", port, strerror(errno)));
                 *listen_fd = -1;

                 if ( errno == EADDRINUSE )
                         {
                         listen_if = ip;
                         listen_port = port;
                         listen_ssl = expect_ssl;
                         // FIXME: Make this timeout configurable.
                         listen_next_try = time(0) + 30;
                         }
                 return false;
                 }
 }}}

 in the error loop, listen_fd needs to be closed since there is nothing
 done to it.

-- 
Ticket URL: <http://tracker.icir.org/bro/ticket/400>
Bro Tracker <http://tracker.icir.org/bro>
Bro Issue Tracker
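
An added example, not part of the ticket or of Bro's source: a hypothetical `listen_on()` helper that closes the socket on the bind-failure path, with a constructed check that repeated EADDRINUSE retries do not consume descriptors. The function names and the loopback address are assumptions made for the example.

```c
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper, not Bro's SocketComm::Listen: returns a listening
 * fd on 127.0.0.1:port, or -1 with errno set. */
int listen_on(unsigned short port)
{
    struct sockaddr_in server;
    int fd = socket(PF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    memset(&server, 0, sizeof(server));
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    server.sin_port = htons(port);

    if (bind(fd, (struct sockaddr *)&server, sizeof(server)) < 0 ||
        listen(fd, 5) < 0) {
        int saved = errno;  /* close() may overwrite errno */
        close(fd);          /* release the socket before reporting failure */
        errno = saved;
        return -1;
    }
    return fd;
}

/* Constructed scenario: hold a port, retry binding it n times, and return
 * how far the lowest free descriptor number moved (0 means no leak). */
int fds_consumed_by_retries(int n)
{
    struct sockaddr_in a;
    socklen_t len = sizeof(a);
    int ok = 1, holder = listen_on(0);  /* port 0: kernel picks a free port */
    if (holder < 0)
        return -1;
    ok = getsockname(holder, (struct sockaddr *)&a, &len) == 0;
    int before = dup(holder);           /* dup() returns the lowest free number */
    close(before);
    for (int i = 0; ok && i < n; i++)   /* every retry must fail with EADDRINUSE */
        ok = listen_on(ntohs(a.sin_port)) < 0 && errno == EADDRINUSE;
    int after = dup(holder);
    close(after);
    close(holder);
    return ok ? after - before : -1;
}
```

Without the `close(fd)` in the failure branch, `fds_consumed_by_retries(n)` returns `n`, which is the one-descriptor-per-retry growth visible in the truss output.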


