DF-0359
Unguarded uint32 subtraction can underflow nr_hwavail causing self-inflicted ring-state corruption
Summary
netmap_rxsync_from_host(:906-921): n=forward distance from nr_hwcur to user-supplied cur(:917); kring->nr_hwavail -= n(:918) has no guard that n<=nr_hwavail. ring->cur is user-controlled, only bounds-checked vs k>=lim(:902) not vs nr_hwavail. Malicious user sets cur implying n>nr_hwavail -> uint32 wraps to ~4e9 -> bogus ring->avail -> host RX ring appears permanently full -> drops host-stack packets (local DoS on own netmap path). No OOB write (nm_kr_rxpos taken mod nkr_num_slots). Bounded to owning fd.