ID: 45405 User updated by: Federico Cuello <fedux at lugmen dot org dot ar> Reported By: Federico Cuello <fedux at lugmen dot org dot ar> Status: Open Bug Type: SNMP related Operating System: Linux PHP Version: 5.2.6 New Comment:
Leak fix patch: --- ext/snmp/snmp.c.orig 2008-07-01 11:21:10.000000000 -0300 +++ ext/snmp/snmp.c 2008-07-01 11:21:18.000000000 -0300 @@ -417,13 +417,13 @@ while (keepwalking) { keepwalking = 0; if ((st == SNMP_CMD_GET) || (st == SNMP_CMD_GETNEXT)) { - pdu = snmp_pdu_create((st == SNMP_CMD_GET) ? SNMP_MSG_GET : SNMP_MSG_GETNEXT); name_length = MAX_OID_LEN; if (!snmp_parse_oid(objid, name, &name_length)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid object identifier: %s", objid); snmp_close(ss); RETURN_FALSE; } + pdu = snmp_pdu_create((st == SNMP_CMD_GET) ? SNMP_MSG_GET : SNMP_MSG_GETNEXT); snmp_add_null_var(pdu, name, name_length); } else if (st == SNMP_CMD_SET) { pdu = snmp_pdu_create(SNMP_MSG_SET); @@ -434,6 +434,7 @@ sprint_objid(buf, name, name_length); #endif php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not add variable: %s %c %s", buf, type, value); + snmp_free_pdu(pdu); snmp_close(ss); RETURN_FALSE; } @@ -455,6 +456,7 @@ for (vars = response->variables; vars; vars = vars->next_variable) { if (st >= SNMP_CMD_WALK && st != SNMP_CMD_SET && (vars->name_length < rootlen || memcmp(root, vars->name, rootlen * sizeof(oid)))) { + snmp_free_pdu(response); continue; /* not part of this subtree */ } @@ -467,11 +469,13 @@ *return_value = *snmpval; zval_copy_ctor(return_value); zval_ptr_dtor(&snmpval); + snmp_free_pdu(response); snmp_close(ss); return; } else if (st == SNMP_CMD_GETNEXT) { *return_value = *snmpval; zval_copy_ctor(return_value); + snmp_free_pdu(response); snmp_close(ss); return; } else if (st == SNMP_CMD_WALK) { @@ -510,23 +514,28 @@ } if (st == SNMP_CMD_GET) { if ((pdu = snmp_fix_pdu(response, SNMP_MSG_GET)) != NULL) { + snmp_free_pdu(response); goto retry; } } else if (st == SNMP_CMD_SET) { if ((pdu = snmp_fix_pdu(response, SNMP_MSG_SET)) != NULL) { + snmp_free_pdu(response); goto retry; } } else if (st == SNMP_CMD_GETNEXT) { if ((pdu = snmp_fix_pdu(response, SNMP_MSG_GETNEXT)) != NULL) { + snmp_free_pdu(response); goto retry; } } else if (st >= SNMP_CMD_WALK) { /* Here we do walks. */ if ((pdu = snmp_fix_pdu(response, ((session->version == SNMP_VERSION_1) ? SNMP_MSG_GETNEXT : SNMP_MSG_GETBULK))) != NULL) { + snmp_free_pdu(response); goto retry; } } + snmp_free_pdu(response); snmp_close(ss); if (st == SNMP_CMD_WALK || st == SNMP_CMD_REALWALK) { zval_dtor(return_value); Previous Comments: ------------------------------------------------------------------------ [2008-07-01 14:52:40] Federico Cuello <fedux at lugmen dot org dot ar> Description: ------------ The snmp extension leaks memory. Reproduce code: --------------- <?php while(1) { $oid = "HOST-RESOURCES-MIB::hrSystemUptime.0"; $data = snmpget('localhost', 'public' , $oid); print "\n"; var_export($data); } ?> Expected result: ---------------- Memory use should not increment continuously. Actual result: -------------- Memory use increases. Valgrind output: ==21733== 2,280 (432 direct, 1,848 indirect) bytes in 3 blocks are definitely lost in loss record 64 of 67 ==21733== at 0x4022998: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so) ==21733== by 0x45F01A3: _clone_pdu_header (in /usr/lib/libnetsnmp.so.15.0.0) ==21733== by 0x45F0374: _clone_pdu (in /usr/lib/libnetsnmp.so.15.0.0) ==21733== by 0x45F0595: snmp_synch_input (in /usr/lib/libnetsnmp.so.15.0.0) ==21733== by 0x4617F0B: _sess_process_packet (in /usr/lib/libnetsnmp.so.15.0.0) ==21733== by 0x461A2DD: _sess_read (in /usr/lib/libnetsnmp.so.15.0.0) ==21733== by 0x461B1F8: snmp_sess_read (in /usr/lib/libnetsnmp.so.15.0.0) ==21733== by 0x461B25B: snmp_read (in /usr/lib/libnetsnmp.so.15.0.0) ==21733== by 0x45EF7C1: snmp_synch_response_cb (in /usr/lib/libnetsnmp.so.15.0.0) ==21733== by 0x45EF8A4: snmp_synch_response (in /usr/lib/libnetsnmp.so.15.0.0) ==21733== by 0x818BBAA: php_snmp_internal (in /usr/lib/php5/bin/php) ==21733== by 0x818D910: php_snmp (in /usr/lib/php5/bin/php) ==21733== by 0x82CDC17: zend_do_fcall_common_helper_SPEC (in /usr/lib/php5/bin/php) ==21733== by 0x82CCA2B: execute (in /usr/lib/php5/bin/php) ==21733== by 0x82ABE0B: zend_execute_scripts (in /usr/lib/php5/bin/php) ==21733== by 0x8264941: php_execute_script (in /usr/lib/php5/bin/php) ==21733== by 0x83397C2: main (in /usr/lib/php5/bin/php) ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=45405&edit=1