DF-0489
Neighbor Advertisement handler leaks route refcount on every received NA: remote kernel memory exhaustion DoS
Summary
In nd6_na_input (line 734), rt = nd6_lookup(&taddr6, 0, ifp) returns a referenced route: the lookup increments rt_refcnt (route.c:276). Nothing in lines 601-907 calls rtfree() or decrements rt_refcnt. Every exit path (freeit at line 900, bad at line 904) only calls m_freem(m). By contrast, nd6_ns_input (lines 333-334) correctly does if (rt != NULL) --rt->rt_refcnt.

As a result, every NA for a target that has an existing neighbor-cache entry permanently leaks one rt_refcnt. The pinned route, its llinfo and its gateway are never freed, which leads to progressive kernel kmem exhaustion and then a system hang or panic. A remote, unauthenticated, on-link attacker can drive the leak by sending NAs. Because rt_refcnt is a long, an integer overflow leading to a use-after-free is impractical (~2^63), but the resource-exhaustion DoS is trivial.

Fix: if (rt != NULL) rtfree(rt) on all exit paths.
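The leak pattern and the proposed fix, as an added user-space model for illustration (this is not the kernel source). The names rt_model, lookup_model, rtfree_model, na_input_leaky, na_input_fixed and replay are hypothetical, and the release-at-zero rule is a simplifying assumption.

```c
#include <stdio.h>
/* Simplified model, not kernel code: a route entry with a reference count. */
struct rt_model { long rt_refcnt; int freed; };

/* Stands in for nd6_lookup(): returns the entry with one extra reference. */
static struct rt_model *lookup_model(struct rt_model *e) {
    if (e != NULL) e->rt_refcnt++;
    return e;
}
/* Stands in for rtfree(): drop one reference, release the entry at zero. */
static void rtfree_model(struct rt_model *rt) {
    if (--rt->rt_refcnt == 0) rt->freed = 1;
}

/* Shape described in the finding: both exits free only the packet. */
static void na_input_leaky(struct rt_model *e, int malformed) {
    struct rt_model *rt = lookup_model(e);
    (void)rt;
    if (malformed) goto bad;
    return;   /* freeit: m_freem(m) only */
bad:
    return;   /* bad: m_freem(m) only */
}

/* Proposed fix: release the looked-up route on every exit path. */
static void na_input_fixed(struct rt_model *e, int malformed) {
    struct rt_model *rt = lookup_model(e);
    if (malformed) goto bad;
    if (rt != NULL) rtfree_model(rt);
    return;   /* freeit */
bad:
    if (rt != NULL) rtfree_model(rt);
}

/* Feed n constructed NAs to a handler, record the refcount, then drop the
 * neighbor cache's own reference. Returns 1 if the entry was released. */
static int replay(void (*h)(struct rt_model *, int), long n, long *seen) {
    struct rt_model rt = { 1, 0 };   /* one reference held by the cache */
    for (long i = 0; i < n; i++) h(&rt, (int)(i % 2));
    *seen = rt.rt_refcnt;
    rtfree_model(&rt);
    return rt.freed;
}
int main(void) {
    long a, b;
    int fa = replay(na_input_leaky, 1000, &a), fb = replay(na_input_fixed, 1000, &b);
    printf("leaky: refcnt=%ld released=%d; fixed: refcnt=%ld released=%d\n", a, fa, b, fb);
    return 0;
}
```

In the model, the leaky handler leaves the count one higher per packet, so the entry is never released when the cache drops its own reference; the fixed handler leaves the count unchanged.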