DF-0280
Integer overflow in ptr_array allocation in pf_setup_pfsync_matching (32-bit only theoretical)
Summary
kmalloc(sizeof(caddr_t)*rcount,...) where rcount u32. On 32-bit size_t wraps -> small alloc -> TAILQ_FOREACH writes ptr_array[rule->nr] past end. amd64 size_t 64-bit no wrap. Latent.