DF-0462
bzero targets wrong field (&conf not &stats) with wrong size (session_stats=32 not sess_config=8): 24-byte intra-struct overflow
Summary
In ng_l2tp_reset_session() (:748-753), the reset path calls bzero(&hpriv->conf, sizeof(struct ng_l2tp_session_stats)), where sizeof(struct ng_l2tp_session_stats) is 32. This is a copy/paste bug: the intent was bzero(&hpriv->stats, ...). conf is ~8 bytes, so the 32-byte write overflows 24 bytes into the adjacent stats field.

The write zeroes session_id, peer_id, include_length, control_dseq and enable_dseq (clobbering the 2 prior assignments at :750-751), plus the first 16 bytes of stats. The hash chain is still keyed on the OLD session_id, which leaves a stale/mismatched hash entry and a lost config.

Trigger: a privileged netgraph control operation (node shutdown / SET_CONFIG enabled=0).

Impact: today the heap overflow is contained by the struct layout, but this is brittle.
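The mis-targeted zeroing beside the intended one, as an added example that is not the driver's code. The struct model is constructed so that only the sizes (conf = 8, stats = 32) match the finding; the field order, the counter array and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: only the sizes (conf = 8, stats = 32) come from the finding. */
struct sess_config {
    uint16_t session_id, peer_id;
    uint8_t control_dseq, enable_dseq, include_length;
};
struct session_stats { uint64_t counter[4]; };   /* hypothetical counters */
struct hookpriv { struct sess_config conf; struct session_stats stats; };
_Static_assert(sizeof(struct sess_config) == 8, "model conf size");
_Static_assert(sizeof(struct session_stats) == 32, "model stats size");

/* Bytes the stats-sized zeroing writes past the end of conf. */
static size_t spill_past_conf(void) {
    return sizeof(struct session_stats) - sizeof(struct sess_config);
}

/* As reported: starts at conf, uses the stats size. Done through a byte pointer
 * to the whole object so the model itself stays well defined. */
static void reset_as_reported(struct hookpriv *h) {
    memset((unsigned char *)h + offsetof(struct hookpriv, conf), 0,
           sizeof(struct session_stats));
}

/* Intended: target and size both name the same member, so they cannot drift. */
static void reset_intended(struct hookpriv *h) {
    memset(&h->stats, 0, sizeof(h->stats));
}

static struct hookpriv sample(void) {            /* constructed sample values */
    struct hookpriv h = { .conf = { .session_id = 0x1234, .peer_id = 0x5678,
                                    .include_length = 1 },
                          .stats = { { 11, 22, 33, 44 } } };
    return h;
}

int main(void) {
    struct hookpriv a = sample(), b = sample();
    reset_as_reported(&a);
    reset_intended(&b);
    printf("spill past conf: %zu bytes\n", spill_past_conf());
    printf("as reported: session_id=%#x last counter=%llu\n",
           (unsigned)a.conf.session_id, (unsigned long long)a.stats.counter[3]);
    printf("intended:    session_id=%#x last counter=%llu\n",
           (unsigned)b.conf.session_id, (unsigned long long)b.stats.counter[3]);
    return 0;
}
```

In the model, the as-reported reset wipes the session identity and still leaves the last counter untouched, so it neither preserves the config nor finishes the statistics reset it was meant to perform.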