[prev in list] [next in list] [prev in thread] [next in thread] 

List:       syslog-ng
Subject:    [syslog-ng] [Bug 39] New: Memory exhaustion when using UDP
From:       bugzilla () www ! balabit ! com
Date:       2009-03-16 19:06:14
Message-ID: bug-39-3 () https ! bugzilla ! balabit ! com/
[Download RAW message or body]

https://bugzilla.balabit.com/show_bug.cgi?id=39

           Summary: Memory exhaustion when using UDP destination to send to
                    a remote server.
           Product: syslog-ng
           Version: 2.1.x
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi@balabit.hu
        ReportedBy: gillespiem@pa.net
Type of the Report: ---
   Estimated Hours: 0.0


I have noticed that if syslog-ng receives an ICMP Type 3 / Code 3 message from a \
syslog-ng server configured as a remote destination (using UDP as the transport), the \
syslog-ng process starts consuming more and more memory, finally exhausting all \
resources. I've found this issue can be  consistently replicated.

Centos 5.2 (Final)
syslog-ng 2.1.3

syslog-ng.conf (snippet from sending server)
 destination d_syslog_rtr0 {udp("syslog-server.blah.com" port(514));};

Config on receiving server doesn't matter, you can send the packets to a blackhole \
when replicating the issue.

Steps to replicate:

Using tcpdump, determine the port the sending server is using to send messages. Then, \
using sing (or any packetcrafting tool), do the following (or similar):

sing -du -S <receiving syslog server IP> -x port-unreach -prot udp -psrc <Sending \
server source port (determined above)> --pdst 514 <Sending syslog server>

When viewing processes using "top", it's apparent that memory usage of the syslog-ng \
process starts increasing every ~2 seconds, until the server has exhausted all \
memory. (I can replicate this on 3 separate servers)


-- 
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html


[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic