Memory leak in npcap 0.9988 with data on loopback when capture another eth? #318

Closed
yyjdelete opened this issue Mar 13, 2020 · 3 comments

@yyjdelete yyjdelete commented Mar 13, 2020

Tested with npcap 0.9988 + win10

A lot of memory leaks happen in paged pools with tags Mdl and NPBL. NPBL is only used by npcap.sys, and it leaks 50% of allocs, with the same leak count for Mdl.

This only happens for me when a lot of data is sent and received through loopback while a capture (can also be tested with Wireshark) is running on another eth.
(EVEN when loopback is not captured. I used to think npcap should do nothing in this case; is it another bug?)

/* First NBL is pre-allocated, so skip that one. */
pFakeNetBuffer = NET_BUFFER_NEXT_NB(NET_BUFFER_LIST_FIRST_NB(pFakeNbl));

Are the comment here and NET_BUFFER_NEXT_NB really right? It seems the logic above didn't skip the first node.

Use https://github.com/zodiacon/AllTools/blob/master/PoolMonXv2.exe; you can also get almost the same result with poolmon from Microsoft.

@yyjdelete yyjdelete changed the title Memory leak in npcap with loopback capture? Memory leak in npcap 0.9988 with data on loopback when capture another eth? Mar 13, 2020
Contributor

@dmiller-nmap dmiller-nmap commented Mar 13, 2020

Thanks for this report. This is new code in this version, but I'm disappointed I didn't catch this leak. I'll take a look at the function in question. Npcap does not unregister its WFP filter when the loopback handle is closed, which is why the leaks continue even when loopback capture is stopped. We may consider doing that to limit performance impact in the future.


@dmiller-nmap dmiller-nmap commented Mar 13, 2020

You were right about NET_BUFFER_NEXT_NB: though we need to skip freeing the first NB, we still need to free the MDL (tag 'Mdl') and its associated buffer (tag 'NPBL'), and that is what was leaking. We'll be doing a release soon with this fix.
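
The leak described in the comment above, reduced to a user-mode C model (an added example, not part of the thread and not Npcap's code): the first NB is pre-allocated with its list, so its structure must not be freed, but its MDL and data buffer still must be. All type, tag and function names are hypothetical stand-ins; `diff_after` builds and tears down `rounds` lists of 1 + `extra` NBs and returns the allocations still outstanding for one tag.

```c
#include <stdlib.h>
/* User-mode model: every name below is hypothetical, none is NDIS or Npcap API. */
enum { TAG_MDL, TAG_NPBL, TAG_NB, TAG_COUNT };
static long live[TAG_COUNT];                  /* allocs minus frees per tag, like poolmon's Diff */
static _Alignas(16) unsigned char arena[4096];
static size_t used;

static void *pool_alloc(int tag, size_t n) {  /* bump allocator over the arena */
    size_t at = used;
    if ((used += (n + 15) & ~(size_t)15) > sizeof arena) abort();
    live[tag]++;
    return arena + at;
}
static void pool_free(int tag, void *p) { if (p) live[tag]--; }
typedef struct Mdl { void *buf; } Mdl;        /* descriptor (TAG_MDL) owning a buffer (TAG_NPBL) */
typedef struct Nb { struct Nb *next; Mdl *mdl; } Nb;

static void init_nb(Nb *nb) {                 /* every NB, the first included, gets MDL + buffer */
    nb->next = NULL;
    nb->mdl = pool_alloc(TAG_MDL, sizeof(Mdl));
    nb->mdl->buf = pool_alloc(TAG_NPBL, 64);
}
static void free_data(Nb *nb) { pool_free(TAG_NPBL, nb->mdl->buf); pool_free(TAG_MDL, nb->mdl); }

static void cleanup(Nb *first, int fixed) {
    if (fixed) free_data(first);              /* fix: release the first NB's MDL and buffer only */
    for (Nb *nb = first->next, *next; nb; nb = next) {  /* the first NB struct itself is skipped */
        next = nb->next;
        free_data(nb);
        pool_free(TAG_NB, nb);
    }
}

static long diff_after(int rounds, int extra, int fixed, int tag) {
    for (int t = 0; t < TAG_COUNT; t++) live[t] = 0;
    for (int r = 0; r < rounds; r++, used = 0) {          /* arena is reset after each list */
        Nb first, *tail = &first;             /* stands in for the NB pre-allocated with the list */
        init_nb(tail);
        for (int i = 0; i < extra; i++) {
            tail->next = pool_alloc(TAG_NB, sizeof(Nb));
            init_nb(tail = tail->next);
        }
        cleanup(&first, fixed);
    }
    return live[tag];                         /* allocations still outstanding for this tag */
}

int main(void) {                              /* exit status 0: leaky path leaks, fixed one does not */
    return !(diff_after(1000, 1, 0, TAG_MDL) == 1000 && diff_after(1000, 1, 1, TAG_MDL) == 0);
}
```

In this model the leaky teardown leaves one TAG_MDL and one TAG_NPBL allocation outstanding per list, regardless of how many extra NBs are chained.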


@dmiller-nmap dmiller-nmap commented Mar 15, 2020

WORKAROUND: Until the next release can be made, a workaround is to disable loopback capture: Set the Registry value HKLM\SYSTEM\CurrentControlSet\Services\npcap\Parameters\LoopbackSupport to 0x0 and restart the npcap driver service: net stop npcap; net start npcap. This change will persist across reboots, but may be reset by the next installation or upgrade.

@fyodor fyodor transferred this issue from nmap/nmap May 5, 2021