From: Jan Klemkow <jan@openbsd.org>
Subject: veb(4): Fix double m_freem() and refcnt leak
To: tech@openbsd.org
Date: Fri, 1 Aug 2025 21:43:02 +0200

Hi,

bluhm pointed out a double m_freem() and refcnt leak in veb(4).  The
following diff fixes the issues.

ok?

bye,
Jan

Index: net/if_veb.c
===================================================================
RCS file: /cvs/src/sys/net/if_veb.c,v
diff -u -p -r1.41 if_veb.c
--- net/if_veb.c	7 Jul 2025 02:28:50 -0000	1.41
+++ net/if_veb.c	1 Aug 2025 19:33:33 -0000
@@ -1027,8 +1027,10 @@ veb_broadcast(struct veb_softc *sc, stru
 		if (veb_rule_filter(tp, VEB_RULE_LIST_OUT, m0, src, dst))
 			continue;
 
-		if ((m0 = veb_offload(ifp, ifp0, m0)) == NULL)
-			goto done;
+		if ((m0 = veb_offload(ifp, ifp0, m0)) == NULL) {
+			refcnt_rele_wake(&pm->m_refs);
+			return;
+		}
 
 		m = m_dup_pkt(m0, max_linkhdr + ETHER_ALIGN, M_NOWAIT);
 		if (m == NULL) {
@@ -1083,7 +1085,7 @@ veb_transmit(struct veb_softc *sc, struc
 	    m->m_pkthdr.len);
 
 	if ((m = veb_offload(ifp, ifp0, m)) == NULL)
-		goto drop;
+		return (NULL);
 
 	(*tp->p_enqueue)(ifp0, m); /* XXX count error */