[Clamav-users] clamav-milter & nscd problem

[Apostolos Papayanakis]

Last month I started getting 10-20 random clamav-milter segfaults
each day. The load is a few tens of thousand scans daily.

The very same clamav-milter segfaults can also be induced
persistently by "clmilter_watch". That was a surprize to me, because
clmilter_watch is only a health monitoring utility for the clamav-milter
daemon (see http://www.itg.uiuc.edu/itg_software/clmilter_watch).

On a completely quiet system when tested with clmilter_watch, the
segfaults happen only when using nscd (name service cache daemon) which
comes as a part of glibc (v2.3.5). This means that if I just "pkill nscd"
then the problem vanishes, but if I have nscd running, restart clamav-milter,
then probe it with clmilter_watch, clamav-milter segfaults immediately.

Aug  8 22:07:30 alpha clamav-milter[13116]: clamfi_eoh
Aug  8 22:07:30 alpha clamav-milter[13116]: clamfi_envbody: 4756 bytes
Aug  8 22:07:30 alpha clamav-milter[13116]: clamfi_eom
Aug  8 22:07:30 alpha clamav-milter[13116]: j78RCJ7TXH930484: clean message 
from <>
Aug  8 22:07:30 alpha clamav-milter[13116]: clamfi_close
Aug  8 22:07:30 alpha clamav-milter[13116]: Segmentation fault :-( Bye..

I have enabled debug code and modes and then tried to strace the
problem, with limited results. It seems that clamav-milter segfaults right
after reading from the nscd socket a hostname resolution result (for
localhost.localdomain), and before anything else. It maybe a glibc problem
as there was a glibc upgrade last month indeed.

Here are the command lines used:

/usr/sbin/clamav-milter --debug --max-children 150 --force-scan 
--timeout=0 --quiet --local inet:33100
/noc/scripts/nst/clmilter_watch -L /dev/null -s 43210  -t 5 # monitor 
of clamav-milter

Here are the options from /etc/clamd.conf

LogClean
LogSyslog
LogVerbose
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
LocalSocket /var/run/clamav/clamd.sock
FixStaleSocket
StreamMaxLength 20M
MaxThreads 150
User clamav
Foreground
Debug
DetectBrokenExecutables
ScanRAR

I am currently in the process of testing with a previous version of
glibc, just in case I have hit a new bug, but this will take time. Does any
body else have another hint?

-- 
Apostolis Papayanakis
[EMAIL PROTECTED], 2310-998416
___
http://lurker.clamav.net/list/clamav-users.html

Re: [Clamav-users] clamav-milter & nscd problem

[James Kosin]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Apostolos Papayanakis wrote:

|Last month I started getting 10-20 random clamav-milter segfaults
|each day. The load is a few tens of thousand scans daily.
|
|The very same clamav-milter segfaults can also be induced
|persistently by "clmilter_watch". That was a surprize to me, because
|clmilter_watch is only a health monitoring utility for the clamav-milter
|daemon (see http://www.itg.uiuc.edu/itg_software/clmilter_watch).
|
|On a completely quiet system when tested with clmilter_watch, the
|segfaults happen only when using nscd (name service cache daemon) which
|comes as a part of glibc (v2.3.5). This means that if I just "pkill nscd"
|then the problem vanishes, but if I have nscd running, restart
clamav-milter,
|then probe it with clmilter_watch, clamav-milter segfaults immediately.
|
|Aug  8 22:07:30 alpha clamav-milter[13116]: clamfi_eoh
|Aug  8 22:07:30 alpha clamav-milter[13116]: clamfi_envbody: 4756 bytes
|Aug  8 22:07:30 alpha clamav-milter[13116]: clamfi_eom
|Aug  8 22:07:30 alpha clamav-milter[13116]: j78RCJ7TXH930484: clean
message from <>
|Aug  8 22:07:30 alpha clamav-milter[13116]: clamfi_close
|Aug  8 22:07:30 alpha clamav-milter[13116]: Segmentation fault :-( Bye..
|
|I have enabled debug code and modes and then tried to strace the
|problem, with limited results. It seems that clamav-milter segfaults
right
|after reading from the nscd socket a hostname resolution result (for
|localhost.localdomain), and before anything else. It maybe a glibc
problem
|as there was a glibc upgrade last month indeed.
|
|Here are the command lines used:
|
|/usr/sbin/clamav-milter --debug --max-children 150 --force-scan
- --timeout=0 --quiet --local inet:33100
|/noc/scripts/nst/clmilter_watch -L /dev/null -s 43210  -t 5 #
monitor of clamav-milter
|
|Here are the options from /etc/clamd.conf
|
|LogClean
|LogSyslog
|LogVerbose
|PidFile /var/run/clamav/clamd.pid
|TemporaryDirectory /var/tmp
|LocalSocket /var/run/clamav/clamd.sock
|FixStaleSocket
|StreamMaxLength 20M
|MaxThreads 150
|User clamav
|Foreground
|Debug
|DetectBrokenExecutables
|ScanRAR
|
|I am currently in the process of testing with a previous version of
|glibc, just in case I have hit a new bug, but this will take time.
Does any
|body else have another hint?
|
I had a simular problem.  That seemed to be fixed with the latest ZLib
libraries:
~http://www.zlib.net

I would get errors from clamav-milter looking something like the
following:
~Aug  5 12:02:39 beta sendmail[29124]: j75G2dHC029124: Milter
(clmilter): local socket name /var/run/clamav/clamav-milter.sock unsafe
~Aug  5 12:02:39 beta sendmail[29124]: j75G2dHC029124: Milter
(clmilter): to error state

(1)  What platform are you using?  Debian, Redhat, Fedora, Gentoo?

Good Luck,
James Kosin
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFC+KxAkNLDmnu1kSkRAnLNAJ0VFBCueEfieCuHzn7H6xRGN4avmACeNbAC
o72K07OSDcrXwzzHv7X8EpU=
=QVey
-END PGP SIGNATURE-

___
http://lurker.clamav.net/list/clamav-users.html