Ok, so Valgrind came up with something(thanks for the suggestion Robert):

With UDP Spoof Turned on:


==27361== Memcheck, a memory error detector for x86-linux.
==27361== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward et al.
==27361== Using valgrind-2.2.0, a program supervision framework for x86-linux.
==27361== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward et al.
==27361== For more details, rerun with: -v
==27361==
io.c: Preparing fd 3 for reading
io.c: Preparing fd 4 for reading
io.c: listening on fd 5
io.c: connecting using fd 6
io.c: connecting using fd 8
io.c: connecting using fd 8
syslog-ng version 1.6.6 starting
io.c: Preparing fd 6 for writing
==27361== Invalid read of size 2
==27361==    at 0x805A987: libnet_in_cksum (in /usr/local/sbin/syslog-ng)
==27361==  Address 0x1BA764E2 is 178 bytes inside a block of size 179 alloc'd
==27361==    at 0x1B902E28: malloc (vg_replace_malloc.c:131)
==27361==    by 0x805912D: libnet_pblock_coalesce (in /usr/local/sbin/syslog-ng)
==27361==    by 0x804C063: do_handle_log (destinations.c:103)
==27361==    by 0x804B5EC: do_distribute_log (center.c:149)
==27361==    by 0x804B02A: do_add_source_name (sources.c:289)
==27361==    by 0x804AA8C: do_handle_line (sources.c:75)
==27361==    by 0x804ADA5: do_read_line (sources.c:134)
==27361==    by 0x8054AF8: read_callback (in /usr/local/sbin/syslog-ng)
==27361==    by 0x804A079: main_loop (main.c:253)
==27361==    by 0x804A75C: main (main.c:549)
io.c: Preparing fd 8 for writing
io.c: connecting using fd 11
io.c: connecting using fd 11





With UDP spoof turned off:



==27373== Memcheck, a memory error detector for x86-linux.
==27373== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward et al.
==27373== Using valgrind-2.2.0, a program supervision framework for x86-linux.
==27373== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward et al.
==27373== For more details, rerun with: -v
==27373==
io.c: Preparing fd 3 for reading
io.c: Preparing fd 4 for reading
io.c: listening on fd 5
io.c: connecting using fd 6
io.c: connecting using fd 7
io.c: connecting using fd 7
syslog-ng version 1.6.6 starting
io.c: Preparing fd 6 for writing
io.c: Preparing fd 7 for writing




Which doesent say too much.  I'm using libnet 1.1.2.1. The valgrind message only appears once - and does not appear as the memory leak contiues.
I'm no valgrind expert, but I'm guessing it leaks one byte for each UDP packet sent. Not sure why spoofing would cause this inside libnet.  






Roberto Nibali <ratz@tac.ch>
Sent by: syslog-ng-admin@lists.balabit.hu

03/02/2005 10:13 AM
Please respond to
syslog-ng@lists.balabit.hu
To
syslog-ng@lists.balabit.hu
cc
Subject
Re: [syslog-ng]Syslog-NG 1.6.6 memory leak when sending UDP logs





henry@shoelacecity.com wrote:
>
> Let me understand this, you were seeing a leak when using a PERL script
> to send UDP packets using
> Net::RawIP    _to_ syslong_ng.

Exact, the perl-related process was leaking, no syslog involved. We had to
hand-craft the UDP packets since the spoofing only works partially from our POV.

> I am still experiencing clear leak behavior when using syslog-ng to send
> spoffed UDP packets to other syslog-ng's.
> The syslog-ng sender is leaking, the receiver is exhibitning normal
> behavior.

You could valgrind the process ... http://valgrind.kde.org/

Sorry for not being more helpful to you in this matter,
Roberto Nibali, ratz
--
-------------------------------------------------------------
addr://Rathausgasse 31, CH-5001 Aarau  tel://++41 62 823 9355
http://www.terreactive.com             fax://++41 62 823 9356
-------------------------------------------------------------
terreActive AG                       Wir sichern Ihren Erfolg
-------------------------------------------------------------
_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html