DF-0053 OOB leak sample (3 runs, byte-identical because adjacent slab was zeroed by M_ZERO and the only non-zero OOB bytes are the IPs the kernel wrote past the buffer end during the IP loop).

OOB-vs-alloc region: bytes [1152..1262] of the returned buffer (110 bytes). Of those, 37 are non-zero -- all are the IPs we wrote (" 10.0.0.4 10.0.0.3 ...").

Tail 128 bytes (offset 1134..1262), identical across runs 1/2/3:

    046e  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    047e  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    048e  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    049e  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    04ae  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    04be  00 00 00 00 00 00 00 00 00 00 00 20 20 31 30 2e  ...........  10.
    04ce  30 2e 30 2e 34 20 31 30 2e 30 2e 30 2e 33 20 31  0.0.4 10.0.0.3 1
    04de  30 2e 30 2e 30 2e 32 20 31 30 2e 30 2e 30 2e 31  0.0.0.2 10.0.0.1

Note on variance: this run does NOT show stale kernel pointer residue because the adjacent 1152-byte slab chunk was freshly allocated and zeroed (M_ZERO). A meaningful pointer leak would require heap grooming (spraying the 1152-byte bucket with objects containing function/data pointers before triggering the sysctl) -- the OOB read LENGTH (110 bytes) is proven regardless.
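Added example, not part of the original note: a Python check that rebuilds the tail from the hex dump above and confirms the stated OOB length, the non-zero byte count, and that every non-zero OOB byte is accounted for by the IP strings. The function names and the "unexplained" counter are this example's own; the allocation size and the dump bytes are taken from the note.

```python
import ipaddress
import re

ALLOC_SIZE = 1152  # size of the allocation, as stated in the note
# Hex column of the dump in the note (offsets 0x46e..0x4ed = bytes 1134..1261).
DUMP = """\
046e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
047e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
048e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
049e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
04ae 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
04be 00 00 00 00 00 00 00 00 00 00 00 20 20 31 30 2e
04ce 30 2e 30 2e 34 20 31 30 2e 30 2e 30 2e 33 20 31
04de 30 2e 30 2e 30 2e 32 20 31 30 2e 30 2e 30 2e 31
"""
LINE = re.compile(r"\s*([0-9a-fA-F]{4})((?: [0-9a-fA-F]{2}){1,16})")

def parse_dump(text):
    """Rebuild (start_offset, bytes) from 'OFFSET b0 .. b15' lines."""
    start, data = None, bytearray()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        off = int(m.group(1), 16)
        start = off if start is None else start
        if off != start + len(data):
            raise ValueError(f"gap or overlap in dump at {off:#x}")
        data += bytes.fromhex(m.group(2))
    return start, bytes(data)

def analyze(start, data, alloc=ALLOC_SIZE):
    """Summarise what lies past the allocation and what explains it."""
    if start > alloc:
        raise ValueError("dump starts after the allocation boundary")
    oob = data[alloc - start:]
    ips, unexplained = [], 0
    for run in filter(None, oob.split(b"\x00")):
        for tok in filter(None, run.split(b" ")):
            try:  # a token is explained only if it is a dotted-quad IPv4 string
                ips.append(str(ipaddress.IPv4Address(tok.decode("ascii"))))
            except ValueError:
                unexplained += len(tok)
    return {"oob_len": len(oob), "nonzero": sum(1 for b in oob if b),
            "ips": ips, "unexplained": unexplained}

if __name__ == "__main__":
    print(analyze(*parse_dump(DUMP)))
```

A non-zero `unexplained` count on a later run would mean the out-of-bounds region held data other than the IP strings, which is the case the note on variance describes as absent here.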