DF-0425
MRT6 setsockopt handlers cast mtod() without verifying m_len against struct size: reads uninitialized mbuf data
Summary
ip6_mrouter_set(:277-309): only MRT6_INIT validates m_len(:426). ADD_MIF/DEL_MIF/ADD_MFC/DEL_MFC/PIM all mtod(m,struct X*) and deref fields with no m_len check. Too-short buffer reads bytes past m_len but inside mbuf data area — uninitialized kernel heap/stack. Garbage values drive control flow: mifi/flags/parent/pim int. Error-code oracle for privileged user; can install mif/mfc entries partially from kernel memory.