DF-0119
Latent OOB write if aux_data/aux_size invariant breaks
Summary
DMSG_DBG_SHELL reply handler: guard is if(msg->aux_data) but write msg->aux_data[msg->aux_size-1]=0(:208) assumes aux_size>0. If aux_size==0 with non-NULL aux_data, underflow to SIZE_MAX -> OOB write. Currently mitigated by kern_dmsg.c receive path always allocating aux_data with aux_size>0. Fragile defense.