Stack buffer overflow in ng_ksocket_sockaddr_unparse via negative pathlen (PF_LOCAL sun_len underflow)
Summary
ng_ksocket_sockaddr_unparse(:323-339) PF_LOCAL case: pathlen=sun->sun_len-pathoff where pathoff=OFFSETOF(sockaddr_un,sun_path)=2(:325). NO validation sun_len>=pathoff. BIND/CONNECT sanity(:678-680,:739-741) checks arglen>=SADATA_OFFSET and arglen>=sa_len but NOT sa_len>=SADATA_OFFSET. sa_len<2 passes check -> sobind accepts short sockaddr. GETNAME calls unparse -> line :327 pathlen=sun_len-2=negative int. Line :331 bcopy(sun->sun_path, pathbuf, pathlen) interprets negative as size_t~2^64 -> massive stack OOB write into 256-byte pathbuf[SOCK_MAXADDRLEN+1] + OOB read from sun_path. Kernel panic/RCE. Generic parser getLength guards this (returns 0 when sa_len<SADATA_OFFSET) but unparse omits guard. Requires netgraph control access. Fix: if(sun_len<pathoff) return EINVAL; also harden BIND/CONNECT sa_len>=SADATA_OFFSET.