TCP-MD5 signature option construction overflows 40-byte opt[] stack buffer (disabled by default)
Summary
TCP options are built into opt[TCP_MAXOLEN = 40] (:186). A SYN carrying all standard options accumulates 24 bytes before the TCP_SIGNATURE block: MSS (4) + window scale (4) + SACK-permitted (4) + timestamp (12). The TCP_SIGNATURE block (:786-798) then writes 20 more bytes: TCPOPT_SIGNATURE and TCPOLEN_SIGNATURE at opt[24..25], TCP_SIGLEN (16) zero bytes at opt[26..41], and NOP+NOP at opt[42..43], giving optlen = 44, i.e. 4 bytes past the end of the 40-byte buffer. The KASSERT(optlen <= TCP_MAXOLEN) (:801) is compiled out in non-DEBUG kernels, so nothing catches the overrun there.

The non-SYN case is worse: tcp_sack_fill_report fills optlen up to 40, after which the TCP_SIGNATURE block writes 20 more bytes, a 20-byte stack overflow.

HOWEVER, TCP_SIGNATURE is DISABLED by default: the option is commented out in sys/conf/options:271 and sys/config/LINT64:416 (documented as broken after the IPsec removal), so the overflow is not reachable on stock kernels.

Fix: check optlen + TCPOLEN_SIGNATURE + 2 > TCP_MAXOLEN before writing the signature block, and do not write it when it would not fit; additionally, reserve the MD5 space in the SACK fill so the SACK option cannot consume the bytes the signature block needs.
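The following is an added illustration of the proposed fix, written for this note; it is not the kernel's tcp_output code. It models the 40-byte opt[] buffer with the option sizes the report gives (24 bytes of SYN options; 20 bytes for the signature block, i.e. TCPOLEN_SIGNATURE + 2 NOPs) and the RFC 2385 option constants, and shows both halves of the fix: add_signature_option() refuses to write when the block would not fit instead of running past the buffer, and fill_sack_option() can reserve the signature's 20 bytes so the SACK fill stops early. The function names, the reserve_sig flag and the sample SACK edges are all constructed for this example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Option constants from RFC 793 / RFC 2018 / RFC 2385; TCP_MAXOLEN is the
 * 40-byte opt[] size the report describes. */
#define TCP_MAXOLEN        40
#define TCPOPT_NOP          1
#define TCPOPT_SACK         5
#define TCPOLEN_SACK        8   /* bytes per SACK block (left edge + right edge) */
#define TCPOPT_SIGNATURE   19   /* TCP-MD5 signature option kind */
#define TCPOLEN_SIGNATURE  18   /* kind + len + 16-byte digest */
#define TCP_SIGLEN         16
#define TCPOLEN_SIG_TOTAL  (TCPOLEN_SIGNATURE + 2)  /* two NOPs pad to a 4-byte boundary */

static void put32be(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/*
 * Append the signature block in the layout the report describes (kind, len,
 * 16 zero bytes where the digest goes, NOP, NOP), but only after checking
 * that all 20 bytes fit.  Returns the new optlen, or -1 when nothing was
 * written because the block would overflow opt[].
 */
int add_signature_option(uint8_t opt[TCP_MAXOLEN], int optlen)
{
    if (optlen < 0 || optlen + TCPOLEN_SIG_TOTAL > TCP_MAXOLEN)
        return -1;                      /* the check the original code lacks */
    uint8_t *p = opt + optlen;
    *p++ = TCPOPT_SIGNATURE;
    *p++ = TCPOLEN_SIGNATURE;
    memset(p, 0, TCP_SIGLEN);           /* digest placeholder, computed later */
    p += TCP_SIGLEN;
    *p++ = TCPOPT_NOP;
    *p++ = TCPOPT_NOP;
    return optlen + TCPOLEN_SIG_TOTAL;
}

/*
 * Fill a SACK option (NOP, NOP, kind, len, then 8 bytes per block).  With
 * reserve_sig set, the fill stops early so the signature block still fits
 * afterwards.  blocks[] holds left/right edge pairs.  Returns the new optlen.
 */
int fill_sack_option(uint8_t opt[TCP_MAXOLEN], int optlen,
                     const uint32_t *blocks, int nblocks, int reserve_sig)
{
    int limit = TCP_MAXOLEN - (reserve_sig ? TCPOLEN_SIG_TOTAL : 0);
    int maxblocks = (limit - optlen - 4) / TCPOLEN_SACK;
    if (nblocks > maxblocks)
        nblocks = maxblocks;
    if (nblocks <= 0)
        return optlen;                  /* no block fits: leave options unchanged */
    uint8_t *p = opt + optlen;
    *p++ = TCPOPT_NOP; *p++ = TCPOPT_NOP;
    *p++ = TCPOPT_SACK;
    *p++ = (uint8_t)(2 + nblocks * TCPOLEN_SACK);
    for (int i = 0; i < nblocks; i++) {
        put32be(p, blocks[2 * i]);     p += 4;
        put32be(p, blocks[2 * i + 1]); p += 4;
    }
    return optlen + 4 + nblocks * TCPOLEN_SACK;
}

/* SYN scenario from the report: 24 bytes of standard options already present. */
int syn_with_signature(void)
{
    uint8_t opt[TCP_MAXOLEN] = {0};
    return add_signature_option(opt, 24);   /* 24 + 20 > 40, so -1 instead of optlen 44 */
}

/* Non-SYN scenario: SACK fill first, then signature; reserve_sig selects the fix. */
int sack_then_signature(int reserve_sig)
{
    uint8_t opt[TCP_MAXOLEN] = {0};
    static const uint32_t blocks[8] = {     /* constructed sample SACK edges */
        1000, 2000, 3000, 4000, 5000, 6000, 7000, 8000 };
    int optlen = fill_sack_option(opt, 0, blocks, 4, reserve_sig);
    return add_signature_option(opt, optlen);
}

int main(void)
{
    printf("SYN options + signature:            %d\n", syn_with_signature());
    printf("SACK fill (no reservation) + sig:   %d\n", sack_then_signature(0));
    printf("SACK fill (space reserved) + sig:   %d\n", sack_then_signature(1));
    return 0;
}
```

Without the reservation the SACK fill takes 36 bytes (four blocks) and the signature check then refuses the write; with it the fill stops at two blocks (20 bytes) and the signature lands exactly at opt[39]. Either way the buffer is never written past TCP_MAXOLEN, which is what the KASSERT was meant to guarantee.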