000032004 - DLP ICAP Server only generates audit violation when policy action is set to block due to c-icap failure

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000032004
Applies To: RSA Product Set: Data Loss Prevention (DLP)
RSA Product/Service Type: Network
RSA Version/Condition: 9.6 SP2
Platform: CentOS
O/S Version: EL6
Issue: The c-icap process crashes, causing violations to trigger only audit events where the policy action is set to "Block and Audit".
ICAP Server logs show c-icap crash logs similar to the example below.

 
2015-11-13 14:14:34.597Z              ERROR  NW_902               xx.xx.xx.xx       ICAPServer0       c-icap-stderr:15                CICAPTHREAD   c-icap: ======= Backtrace: =========
2015-11-13 14:14:34.597Z              ERROR  NW_902               xx.xx.xx.xx       ICAPServer0       c-icap-stderr:15                CICAPTHREAD   c-icap: /lib64/libc.so.6(+0x75916)[0x7f057aa4e916]
2015-11-13 14:14:34.597Z              ERROR  NW_902               xx.xx.xx.xx       ICAPServer0       c-icap-stderr:15                CICAPTHREAD   c-icap: /opt/tablus/lib64/c_icap/srv_conalarm.so(doReqMod+0x4c14)[0x7f057a3a4524]
2015-11-13 14:14:34.598Z              ERROR  NW_902               xx.xx.xx.xx       ICAPServer0       c-icap-stderr:15                CICAPTHREAD   c-icap: /opt/tablus/lib64/c_icap/srv_conalarm.so(srvconalarm_end_of_data_handler+0x24)[0x7f057a39f8f7]
2015-11-13 14:14:34.598Z              ERROR  NW_902               xx.xx.xx.xx       ICAPServer0       c-icap-stderr:15                CICAPTHREAD   c-icap: /opt/tablus/bin/c-icap[0x4080d5]
2015-11-13 14:14:34.598Z              ERROR  NW_902               xx.xx.xx.xx       ICAPServer0       c-icap-stderr:15                CICAPTHREAD   c-icap: /opt/tablus/bin/c-icap[0x4144a6]
2015-11-13 14:14:34.598Z              ERROR  NW_902               xx.xx.xx.xx       ICAPServer0       c-icap-stderr:15                CICAPTHREAD   c-icap: /lib64/libpthread.so.0(+0x7851)[0x7f057ad73851]
2015-11-13 14:14:34.598Z              ERROR  NW_902               xx.xx.xx.xx       ICAPServer0       c-icap-stderr:15                CICAPTHREAD   c-icap: /lib64/libc.so.6(clone+0x6d)[0x7f057aac111d]
2015-11-13 14:14:34.599Z              ERROR  NW_902               xx.xx.xx.xx       ICAPServer0       c-icap-stderr:15                CICAPTHREAD   c-icap: ======= Memory map: ========
2015-11-13 14:14:34.599Z              ERROR  NW_902               xx.xx.xx.xx       ICAPServer0       c-icap-stderr:15                CICAPTHREAD   c-icap: 00400000-0041d000 r-xp 00000000 fd:00 7112                               /opt/tablus/bin/c-icap
2015-11-13 14:14:34.599Z              ERROR  NW_902               xx.xx.xx.xx       ICAPServer0       c-icap-stderr:15                CICAPTHREAD   c-icap: 0061d000-0061f000 rw-p 0001d000 fd:00 7112                               /opt/tablus/bin/c-icap
2015-11-13 14:14:34.599Z              ERROR  NW_902               xx.xx.xx.xx       ICAPServer0       c-icap-stderr:15                CICAPTHREAD   c-icap: 01776000-017bd000 rw-p 00000000 00:00 0                                  [heap].

 
Cause: c-icap crashes with null pointer exceptions. c-icap generates the exception because it tries to deallocate memory twice after parsing the same traffic. This is an error in the code.
Resolution: A fix will be available in DLP 9.6 SP2 P4.
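
As an added example (not RSA's code), the following Python script scans ICAP Server log lines in the format of the excerpt above for c-icap glibc backtraces, so that a crash leaving "Block and Audit" policies audit-only can be flagged. The function names are assumptions, and the sample lines are taken from the excerpt with whitespace condensed.

```python
import re

# Fields per the article's excerpt: timestamp, level, code, host, component, source, thread, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}Z)\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<component>\S+)\s+c-icap-stderr:\d+\s+\S+\s+c-icap: (?P<msg>.*)$"
)
# glibc backtrace frame: path, optional (symbol+offset), [address].
FRAME_RE = re.compile(r"^(?P<path>/\S+?)(?:\((?P<sym>[^)]*)\))?\[0x[0-9a-f]+\]$")

def find_crashes(lines):
    """Return one record per glibc backtrace block written by c-icap."""
    crashes, current = [], None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg").strip()
        if msg.startswith("======= Backtrace:"):
            current = {"ts": m.group("ts"), "component": m.group("component"), "frames": []}
            crashes.append(current)
        elif msg.startswith("======= Memory map:"):
            current = None  # frames end here; the process map follows
        elif current is not None:
            f = FRAME_RE.match(msg)
            if f:
                current["frames"].append((f.group("path"), f.group("sym") or ""))
    return crashes

def in_dlp_module(crash, module="srv_conalarm.so"):
    """True when a frame lies in the ICAP service module seen in the article's trace."""
    return any(path.endswith("/" + module) for path, _ in crash["frames"])

# Sample input: lines from the article's excerpt with whitespace condensed.
PREFIX = ("2015-11-13 14:14:34.597Z ERROR NW_902 xx.xx.xx.xx ICAPServer0 "
          "c-icap-stderr:15 CICAPTHREAD c-icap: ")
SAMPLE = [PREFIX + m for m in (
    "======= Backtrace: =========",
    "/lib64/libc.so.6(+0x75916)[0x7f057aa4e916]",
    "/opt/tablus/lib64/c_icap/srv_conalarm.so(doReqMod+0x4c14)[0x7f057a3a4524]",
    "/opt/tablus/bin/c-icap[0x4080d5]",
    "======= Memory map: ========",
    "00400000-0041d000 r-xp 00000000 fd:00 7112 /opt/tablus/bin/c-icap",
)]

if __name__ == "__main__":
    for c in find_crashes(SAMPLE):
        where = "in srv_conalarm.so" if in_dlp_module(c) else "outside srv_conalarm.so"
        print(f"{c['ts']} {c['component']}: c-icap crash {where}; block action may not be enforced")
```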
