ra looping problem still in Beta 8 on FreeBSD

Russell Fulton r.fulton at auckland.ac.nz
Sat Mar 3 18:15:15 EST 2001


The problem I reported with ra looping is still present in beta 8.  It 
is intermittent and *not* dependent on the file read by -r.  I strongly 
suspect that the problem is triggered by running out of memory.  The 
problem has surfaced since I started analysing utp traffic in my 
overnight slow scan detector. 

I have attached gdb to an ra process that has been running for many 
hours (top shows that free memory is around 3MB of 128MB).


Breakpoint 1, ArgusReadStreamSocket (input=0x8141000) at ./argus_parse.c:1394
1394    {
(gdb) n
1395       int retn = 0, fd = input->fd, cnt = 0;
(gdb)  
1402       if ((cnt = read (fd, input->ArgusReadPtr + input->ArgusReadSocketCnt,
(gdb) 
1448          if (!((errno == EAGAIN) || (errno == EINTR))) {
(gdb) p cnt
$3 = 0
(gdb) p errno
$4 = 35
(gdb) n
1464       return (retn);
(gdb) n
ArgusReadStream () at ./argus_parse.c:1619
1619                for (i = 0; i < ARGUS_MAX_REMOTE_CONN; i++) {
(gdb) l
1614       ArgusDebug (4, "ArgusReadStream() starting\n");
1615    #endif
1616       
1617          for (;;) {
1618             if ((retn = select (width, &readmask, NULL, NULL, &wait)) >= 0) {
1619                for (i = 0; i < ARGUS_MAX_REMOTE_CONN; i++) {
1620                   if ((input = ArgusRemoteFDs[i]) != NULL) {
1621                      if (FD_ISSET (input->fd, &readmask)) {
1622                         ArgusInput = input;
1623                         if (input->status & ARGUS_DATA_SOURCE) {

It seems to be stuck with the read always returning 0 and errno EAGAIN!

Perhaps we need a counter in the loop and quit with an error if we get 
EAGAIN more than some number of times in a row?

Could this be a FreeBSD problem where read fails when memory is low?  I 
have another identical box with Debian Linux installed on it.  I will 
try moving everything onto it next week and see if we have the same 
problem.

One thing that makes me suspect that this is a memory problem is that 
the job ran happily for a couple of days after I deleted the history 
file where it keeps up to 7 days worth of history.  This drastically 
reduces the amount of memory needed to run.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
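
The counter suggested in the message, as an added example (not part of the original post and not Argus code): a non-blocking read wrapper that gives up after a fixed number of consecutive EAGAIN/EINTR results, and that reports a 0-byte read as end of stream, since POSIX read() sets errno only when it returns -1. The names read_bounded, rd_status and demo, the retry limit of 5 and the pipe used as input are assumptions made for the example.

```c
/* Added example: bounded retry around a non-blocking read().
 * read_bounded(), rd_status and demo() are hypothetical names, not Argus code. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <unistd.h>

enum rd_status { RD_DATA = 1, RD_EOF = 0, RD_STALLED = -1, RD_ERROR = -2 };

/* Read from fd, tolerating at most max_retry consecutive EAGAIN/EINTR results. */
enum rd_status read_bounded(int fd, char *buf, size_t len, int max_retry, ssize_t *got)
{
    int stalls = 0;
    for (;;) {
        errno = 0;                        /* never act on a stale errno */
        ssize_t n = read(fd, buf, len);
        if (n > 0) { *got = n; return RD_DATA; }
        if (n == 0) return RD_EOF;        /* 0 is end of stream; errno is not set */
        if (errno != EAGAIN && errno != EINTR) return RD_ERROR;
        if (++stalls > max_retry) return RD_STALLED;  /* give up instead of spinning */
        struct pollfd p = { .fd = fd, .events = POLLIN };
        poll(&p, 1, 10);                  /* wait up to 10 ms before retrying */
    }
}

/* Constructed input: a non-blocking pipe put into one of three states. */
int demo(int mode)   /* 0: empty, writer open; 1: data pending; 2: writer closed */
{
    int fds[2]; char buf[16]; ssize_t got = 0;
    if (pipe(fds) != 0) return -99;
    fcntl(fds[0], F_SETFL, O_NONBLOCK);
    if (mode == 1 && write(fds[1], "argus", 5) != 5) return -99;
    if (mode == 2) { close(fds[1]); fds[1] = -1; }
    enum rd_status st = read_bounded(fds[0], buf, sizeof buf, 5, &got);
    close(fds[0]);
    if (fds[1] >= 0) close(fds[1]);
    return (st == RD_DATA) ? (int)got : (int)st;
}

int main(void)
{
    /* Exit status 0 when all three pipe states are classified as expected. */
    return (demo(0) == RD_STALLED && demo(1) == 5 && demo(2) == RD_EOF) ? 0 : 1;
}
```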


