Memory leak for EMSGSIZE errors when writing to a BPF device
Guy Harris
guy at alum.mit.edu
Fri Jul 8 10:30:31 PDT 2005
bpfwrite() does:

	error = bpf_movein(uio, (int)d->bd_bif->bif_dlt, &m, &dst, &datlen);
	if (error)
		return(error);

	if (datlen > ifp->if_mtu)
		return(EMSGSIZE);

The mbuf chain pointed to by m isn't freed in that case.
FreeBSD 5.x fixes this by passing the MTU as an argument to
bpf_movein(), and has bpf_movein() return EMSGSIZE before copying
anything if the data length is greater than the MTU.
Current CVS NetBSD and OpenBSD free the mbuf chain before returning
EMSGSIZE.
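As an added illustration (this is not code from the post, nor from any BSD kernel), the following stand-alone C model reproduces the three code paths described above: the leaking bpfwrite() pattern, the NetBSD/OpenBSD fix (free the chain before returning EMSGSIZE) and the FreeBSD fix (reject oversize data before anything is copied). A toy mbuf chain and a live-allocation counter make the leak observable. Every name ending in _sim is a hypothetical stand-in for the kernel's mbuf, m_freem(), bpf_movein() and bpfwrite(); the 2048-byte chunk size stands in for MCLBYTES.

```c
#include <errno.h>
#include <stdlib.h>

#define MCLBYTES_SIM 2048              /* toy cluster size (assumption) */

struct mbuf_sim {                      /* minimal stand-in for struct mbuf */
	struct mbuf_sim *m_next;
	size_t m_len;
};

static int live_mbufs_sim = 0;         /* mbufs allocated minus mbufs freed */

static struct mbuf_sim *m_get_sim(size_t len)
{
	struct mbuf_sim *m = malloc(sizeof(*m));
	if (m == NULL)
		return NULL;
	m->m_next = NULL;
	m->m_len = len;
	live_mbufs_sim++;
	return m;
}

static void m_freem_sim(struct mbuf_sim *m)
{
	while (m != NULL) {
		struct mbuf_sim *n = m->m_next;
		free(m);
		live_mbufs_sim--;
		m = n;
	}
}

/* Toy bpf_movein(): builds a chain holding 'len' bytes of "user" data,
 * one mbuf per MCLBYTES_SIM.  Frees its own partial chain on failure. */
static int bpf_movein_sim(size_t len, struct mbuf_sim **mp, size_t *datlen)
{
	struct mbuf_sim *head = NULL, **tail = &head;
	size_t left = len;

	while (left > 0) {
		size_t n = left > MCLBYTES_SIM ? MCLBYTES_SIM : left;
		*tail = m_get_sim(n);
		if (*tail == NULL) {
			m_freem_sim(head);
			return ENOBUFS;
		}
		tail = &(*tail)->m_next;
		left -= n;
	}
	*mp = head;
	*datlen = len;
	return 0;
}

/* The pattern quoted in the post: the chain is built, then dropped on
 * the EMSGSIZE path without being freed. */
static int bpfwrite_leaky_sim(size_t len, size_t mtu)
{
	struct mbuf_sim *m;
	size_t datlen;
	int error = bpf_movein_sim(len, &m, &datlen);
	if (error)
		return error;
	if (datlen > mtu)
		return EMSGSIZE;               /* BUG: m is never freed */
	m_freem_sim(m);                        /* stands in for if_output consuming m */
	return 0;
}

/* NetBSD/OpenBSD-style fix: free the chain before returning EMSGSIZE. */
static int bpfwrite_free_first_sim(size_t len, size_t mtu)
{
	struct mbuf_sim *m;
	size_t datlen;
	int error = bpf_movein_sim(len, &m, &datlen);
	if (error)
		return error;
	if (datlen > mtu) {
		m_freem_sim(m);
		return EMSGSIZE;
	}
	m_freem_sim(m);
	return 0;
}

/* FreeBSD-style fix: movein takes the MTU and refuses oversize data
 * before allocating, so the caller has nothing to clean up. */
static int bpf_movein_mtu_sim(size_t len, size_t mtu,
    struct mbuf_sim **mp, size_t *datlen)
{
	if (len > mtu)
		return EMSGSIZE;
	return bpf_movein_sim(len, mp, datlen);
}

static int bpfwrite_check_first_sim(size_t len, size_t mtu)
{
	struct mbuf_sim *m;
	size_t datlen;
	int error = bpf_movein_mtu_sim(len, mtu, &m, &datlen);
	if (error)
		return error;
	m_freem_sim(m);
	return 0;
}

/* Runs one write from a clean counter and reports mbufs left outstanding. */
static int leaked_after_sim(int (*write)(size_t, size_t), size_t len, size_t mtu)
{
	live_mbufs_sim = 0;
	(void)write(len, mtu);
	return live_mbufs_sim;
}
```

With a 3000-byte write against a 1500-byte MTU all three variants return EMSGSIZE, but only the first leaves the two-mbuf chain outstanding; a 1000-byte write succeeds and leaks nothing in any variant.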