Memory leak for EMSGSIZE errors when writing to a BPF device

Guy Harris guy at
Fri Jul 8 10:30:31 PDT 2005

bpfwrite() does:

	error = bpf_movein(uio, (int)d->bd_bif->bif_dlt, &m, &dst, &datlen);
	if (error)
		return (error);

	if (datlen > ifp->if_mtu)
		return (EMSGSIZE);

The mbuf chain pointed to by m isn't freed in that case.

FreeBSD 5.x fixes this by passing the MTU as an argument to 
bpf_movein(), and has bpf_movein() return EMSGSIZE before copying 
anything if the data length is greater than the MTU.

Current CVS NetBSD and OpenBSD free the mbuf chain before returning 
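
The leak and the two fixes described above, as an added user-space model that is not part of the original post and is not kernel code. The names `struct buf`, `movein`, `model_write` and `leaked_after` are hypothetical stand-ins, and the 256-byte buffer size and the counter that tracks outstanding allocations are assumptions made for the model.

```c
/* Constructed user-space model of the error path; not kernel code. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
struct buf { struct buf *next; };  /* stand-in for struct mbuf */
static int live;                   /* buffers allocated and not yet freed */

static void chain_free(struct buf *m) {  /* plays the role of m_freem() */
    while (m) { struct buf *n = m->next; free(m); live--; m = n; }
}

/* Role of bpf_movein(): one buffer per 256 bytes; mtu == 0 skips the check. */
static int movein(size_t len, size_t mtu, struct buf **mp) {
    *mp = NULL;
    if (mtu && len > mtu) return EMSGSIZE;  /* reject before allocating */
    for (size_t off = 0; off < len; off += 256) {
        struct buf *b = malloc(sizeof *b);
        if (!b) { chain_free(*mp); return ENOMEM; }
        b->next = *mp; *mp = b; live++;
    }
    return 0;
}

enum variant { LEAKY, FREE_ON_ERROR, CHECK_FIRST };
int model_write(enum variant v, size_t len, size_t mtu) {
    struct buf *m;
    int error = movein(len, v == CHECK_FIRST ? mtu : 0, &m);
    if (error) return error;  /* CHECK_FIRST exits here with nothing allocated */
    if (len > mtu) {
        if (v == FREE_ON_ERROR) chain_free(m);
        return EMSGSIZE;      /* LEAKY returns with the chain still allocated */
    }
    chain_free(m);            /* models the interface consuming the chain */
    return 0;
}

int leaked_after(enum variant v, size_t len, size_t mtu, int *err) {
    int before = live;        /* result is nonzero when the write leaked */
    *err = model_write(v, len, mtu);
    return live - before;
}

int main(void) {
    for (int v = LEAKY; v <= CHECK_FIRST; v++) {
        int err, n = leaked_after((enum variant)v, 2000, 1500, &err);
        printf("variant %d: error=%d leaked=%d\n", v, err, n);
    }
    return 0;
}
```

All three variants return EMSGSIZE for an oversized write; only the first leaves buffers allocated, which is why the leak is invisible to the caller and accumulates with each rejected write.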
