[Bro-Dev] [JIRA] (BIT-1239) Crash because StringVal ref_cnt greater than INT_MAX

Johanna Amann (JIRA) jira at bro-tracker.atlassian.net
Thu Sep 4 16:56:07 PDT 2014 

Johanna Amann created BIT-1239:
----------------------------------

             Summary: Crash because StringVal ref_cnt greater than INT_MAX
                 Key: BIT-1239
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1239
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.3, git/master
            Reporter: Johanna Amann
             Fix For: 2.4


Several of the workers of our cluster recently crashed because of the compare in line 212 of Obj.h (function Ref, where o->ref_cnt is compared to INT_MAX).

Closer examination of the stack traces of a few systems reveals that it was the StringVal base_type which was ref'd more than INT_MAX times.

In the last few times, a user in our network performed tests generating a massive amount of connections, including test with just syn-packets. It is therefore probably a good guess that somewhere in the connection handling, a ref on a base_type is called without an corresponding unref.

Relevant part of a backtrace:

{code}
#0  0x000000080194cfcc in kill () from /lib/libc.so.7
#1  0x000000080194bdcb in abort () from /lib/libc.so.7
#2  0x00000000004ca550 in Reporter::InternalError (this=)
at /home/robin/bro/master/src/Reporter.cc:137
#3  0x00000000004d1d79 in bad_ref (type=)
at /home/robin/bro/master/src/Obj.cc:253
#4  0x00000000005273cd in base_type (tag=) at Obj.h:208
#5  0x0000000000538d8b in StringVal (this=0x87abca240, length=66,
s=0x85b5e3290 "[...]") at Val.h:369
{code}

stderr.log:
{code}
1406688636.803846 processing suspended
1406688636.803849 processing continued
1406688642.801786 Failed to open GeoIP Cityv6 database: /usr/local/share/GeoIP/GeoIPCityv6.dat
1406688642.801786 Failed to open GeoIPv6 Country database: /usr/local/share/GeoIP/GeoIPv6.dat
1409680506.073977 internal error: bad reference count [1]
/xa/bro/share/broctl/scripts/run-bro: line 85: 98029 Abort trap: 6           (core dumped) nohup $mybro "$@"
{code}



--
This message was sent by Atlassian JIRA
(v6.4-OD-04-006#64001)

More information about the bro-dev mailing list