The memory tag "4321" (represented in code as '1234', a.k.a. NPF_ALLOC_TAG) is leaking about 5% of allocations, which leads to an eventual out-of-memory system hang in high-traffic or long-running captures. We have had one private report, and it is also mentioned in this comment: #206 (comment)
The memory tag in question is used in 4 places:
- For the NetBufferListPool
NPCAP_FILTER_MODULE::PacketPool, which is used for packet injection and loopback capture.
- For the NetBufferPool
NPCAP_FILTER_MODULE::TapNBPool, which is used to copy captured packet data.
- For cloning OID requests that pass through
NPF_OidRequest() LWF callback.
- For allocating extra buffer space for packets that are larger than will fit into the default NetBuffers from
TapNBPool (NPF_NBCOPY_INITIAL_DATA_SIZE, currently 256 bytes).
Code for cases 1 and 3 have not changed in recent releases, so they can most likely be ruled out. Allocations for 2 and 4 are both freed in NPF_FreeNBCopies(), which is a callback invoked from NPF_ObjectPoolReturn(), and which is implicated in the crash reported in #212, which currently looks like a double-free. This function is called based on a reference-counting system that is intended to be safe from concurrency problems, but obviously something is wrong.
The memory tag "4321" (represented in code as
'1234', a.k.a.NPF_ALLOC_TAG) is leaking about 5% of allocations, which leads to an eventual out-of-memory system hang in high-traffic or long-running captures. We have had one private report, and it is also mentioned in this comment: #206 (comment)The memory tag in question is used in 4 places:
NPCAP_FILTER_MODULE::PacketPool, which is used for packet injection and loopback capture.NPCAP_FILTER_MODULE::TapNBPool, which is used to copy captured packet data.NPF_OidRequest()LWF callback.TapNBPool(NPF_NBCOPY_INITIAL_DATA_SIZE, currently 256 bytes).Code for cases 1 and 3 have not changed in recent releases, so they can most likely be ruled out. Allocations for 2 and 4 are both freed in
NPF_FreeNBCopies(), which is a callback invoked fromNPF_ObjectPoolReturn(), and which is implicated in the crash reported in #212, which currently looks like a double-free. This function is called based on a reference-counting system that is intended to be safe from concurrency problems, but obviously something is wrong.