DF-0406
in_delayed_cksum: unchecked m_pullup return leads to NULL pointer write panic
Summary
In in_delayed_cksum (:940-951), when the checksum field straddles an mbuf boundary, the code calls m = m_pullup(m, offset + sizeof(u_short)) (:949) and does not check the return value for NULL. The next statement, *(u_short *)(m->m_data + offset) = csum (:951), then dereferences NULL + offset. The source comment "XXX this shouldnt happen but if it does" acknowledges the case without handling it. The path is reachable from ip_output for any transmitted packet with CSUM_DELAY_DATA set on a NIC that does not offload checksums. It can be triggered by an unprivileged local user through UDP sendmsg with a fragmented iovec under memory pressure, or by a remote peer eliciting a large reply.
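The missing check, shown as an added user-space model rather than the project's code or its patch. The struct mbuf stand-in, toy_pullup, store_cksum and run_case are hypothetical names, and the mbuf ** return-code interface is an assumption, chosen because m_pullup frees the chain on failure and the caller must stop using it.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed user-space stand-in for a kernel mbuf, not the real struct. */
struct mbuf { struct mbuf *m_next; uint8_t *m_data; int m_len; uint8_t buf[64]; };
static int pullup_fail;   /* knob: simulate allocation failure */
static struct mbuf *mb_new(int len) {
    struct mbuf *m = calloc(1, sizeof(*m));
    if (m) { m->m_data = m->buf; m->m_len = len; }
    return m;
}
static void chain_free(struct mbuf *m) {
    while (m) { struct mbuf *n = m->m_next; free(m); m = n; }
}
/* Models m_pullup(): make len bytes contiguous, or free the chain and return NULL. */
static struct mbuf *toy_pullup(struct mbuf *m, int len) {
    struct mbuf *n = m->m_next;
    int need = len - m->m_len;
    if (need <= 0) return m;
    if (pullup_fail || !n || n->m_len < need || len > (int)sizeof(m->buf)) {
        chain_free(m); return NULL;
    }
    memcpy(m->m_data + m->m_len, n->m_data, (size_t)need);
    m->m_len = len; n->m_data += need; n->m_len -= need;
    return m;
}
/* Finding (:949-951): m = m_pullup(m, offset + sizeof(u_short)); then
 * *(u_short *)(m->m_data + offset) = csum; with m possibly NULL.
 * Hardened: check the result and tell the caller the chain is gone. */
static int store_cksum(struct mbuf **mp, int offset, uint16_t csum) {
    int end = offset + (int)sizeof(csum);
    if (end > (*mp)->m_len) {
        *mp = toy_pullup(*mp, end);
        if (*mp == NULL) return -1;   /* the check absent at :949 */
    }
    memcpy((*mp)->m_data + offset, &csum, sizeof(csum));
    return 0;
}
static int run_case(int fail) {
    struct mbuf *m = mb_new(8);
    uint16_t got = 0;
    if (!m || !(m->m_next = mb_new(8))) { chain_free(m); return -2; }
    pullup_fail = fail;
    int rc = store_cksum(&m, 7, 0xBEEF);  /* offset 7 straddles the 8-byte first mbuf */
    if (rc == 0) memcpy(&got, m->m_data + 7, sizeof(got));
    chain_free(m);   /* m is NULL after a failed pullup, so this is a no-op */
    return rc == 0 ? got : rc;
}
int main(void) { return (run_case(0) == 0xBEEF && run_case(1) == -1) ? 0 : 1; }
```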