once you enqueue an mbuf, you no longer own it. therefore you can't read the length out of it.
this reads the length first, then tries to enq it. also, call if_start instead of a bare call to the underlying start routine. ok?
Index: if_spppsubr.c
===================================================================
RCS file: /cvs/src/sys/net/if_spppsubr.c,v
retrieving revision 1.146
diff -u -p -r1.146 if_spppsubr.c
--- if_spppsubr.c 11 Nov 2015 01:49:17 -0000 1.146
+++ if_spppsubr.c 20 Nov 2015 03:46:10 -0000
@@ -997,14 +997,15 @@ sppp_cp_send(struct sppp *sp, u_short pr
 sppp_print_bytes ((u_char*) (lh+1), len);
 addlog(">\n");
 }
+
+ len = m->m_pkthdr.len + sp->pp_framebytes;
 if (mq_enqueue(&sp->pp_cpq, m) != 0) {
- ++ifp->if_oerrors;
- m = NULL;
+ ifp->if_oerrors++;
+ return;
 }
- if (!(ifp->if_flags & IFF_OACTIVE))
- (*ifp->if_start) (ifp);
- if (m != NULL)
- ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes;
+
+ ifp->if_obytes += len;
+ if_start(ifp);
 }

 /*
@@ -4101,14 +4102,15 @@ sppp_auth_send(const struct cp *cp, stru
 sppp_print_bytes((u_char*) (lh+1), len);
 addlog(">\n");
 }
+
+ len = m->m_pkthdr.len + sp->pp_framebytes;
 if (mq_enqueue(&sp->pp_cpq, m) != 0) {
- ++ifp->if_oerrors;
- m = NULL;
+ ifp->if_oerrors++;
+ return;
 }
- if (! (ifp->if_flags & IFF_OACTIVE))
- (*ifp->if_start) (ifp);
- if (m != NULL)
- ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes;
+
+ ifp->if_obytes += len;
+ if_start(ifp);
 }

 /*
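Review bot: The added `len = m->m_pkthdr.len + sp->pp_framebytes;` ahead of `mq_enqueue()` reuses `len`, which the context line `sppp_print_bytes ((u_char*) (lh+1), len);` shows already holds the payload length. The variable now carries two meanings, and the sum is stored in whatever type `len` was declared with. That declaration is outside the hunk; if it is a narrow type such as `u_short`, the byte count added to `if_obytes` would be truncated silently. A dedicated local declared at the top of the function would keep the accounting separate and record why the read must come first: `obytes = m->m_pkthdr.len + sp->pp_framebytes; /* m belongs to the queue after mq_enqueue() */` followed by `ifp->if_obytes += obytes;`. The same applies to the second hunk, in sppp_auth_send.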