DF-0271
NULL deref in bridge_input: unchecked bridge_lookup_member_if result (race with member deletion)
Summary
bridge_input(:2738) bif=bridge_lookup_member_if(sc,ifp) then derefs bif->bif_flags(:2739) WITHOUT NULL check. Only call site of 11 that doesnt guard. Race: adjacent L2 attacker sends frame dst=bridge MAC + concurrent member deletion. bridge_lookup_member_if returns NULL -> kernel panic. Maintainer comment :1885 XXX Why bif will be NULL confirms.