DF-0514
REJECT_RST copies full 20-byte tcphdr after PULLUP_TO guaranteed only 14: stale mbuf buffer leak in RST
Summary
The TCP rule-match path calls PULLUP_TO(off+14) (:629), which guarantees m_len >= off+14. That covers sport, dport, seq, ack and off_flags, but NOT th_win, th_sum or th_urp.

REJECT_RST (:773-816) sets tcp = (tcphdr *)(ip6 + off) (:775) and then executes ti.th = *tcp (:788), which copies sizeof(tcphdr) = 20 bytes. Bytes [off+14, off+20) are not guaranteed to lie within m_len, so the copy can pick up stale, leftover buffer content. That content flows into the RST via bcopy + tcp_respond (:812-813).

Impact: remote info leak of ~4 bytes (th_win, th_urp) of stale mbuf content per matched packet.

Requires: a REJECT_RST rule plus an adversarial mbuf split.

Fix: PULLUP_TO(off+sizeof(tcphdr)).
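A user-space model of the length mismatch described above, added here as an illustration and not taken from the affected source. The names struct model_mbuf, model_pullup and rst_template are hypothetical, and the offset 40, the 0xAA stale fill and the header values are constructed; the model shows the 20-byte copy returning stale bytes after a 14-byte pullup and the real header bytes after a sizeof pullup.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct tcp_hdr {                  /* same 20-byte layout as struct tcphdr */
    uint16_t th_sport, th_dport;
    uint32_t th_seq, th_ack;
    uint8_t  th_x2off, th_flags;
    uint16_t th_win, th_sum, th_urp;   /* bytes 14..19 */
};

struct model_mbuf {               /* user-space stand-in, not the kernel type */
    size_t  m_len, next_len;      /* valid bytes in data[] / in the next mbuf */
    uint8_t data[64], next[16];   /* data[] past m_len holds stale leftovers */
};

/* Model of PULLUP_TO(len): make the first len bytes contiguous, or fail. */
static int model_pullup(struct model_mbuf *m, size_t len)
{
    size_t want = len > m->m_len ? len - m->m_len : 0;

    if (len > sizeof(m->data) || want > m->next_len)
        return -1;
    memcpy(m->data + m->m_len, m->next, want);
    memmove(m->next, m->next + want, m->next_len - want);
    m->m_len += want;
    m->next_len -= want;
    return 0;
}

/* Pull up off+pullup_len, then copy the full header as "ti.th = *tcp" does. */
static struct tcp_hdr rst_template(size_t pullup_len)
{
    /* Constructed input: real th_win 0x1111, th_sum 0, th_urp 0x2222. */
    static const uint8_t tail[6] = { 0x11, 0x11, 0x00, 0x00, 0x22, 0x22 };
    const size_t off = 40;                /* TCP header offset (constructed) */
    struct model_mbuf m;
    struct tcp_hdr th = { 0 };

    memset(&m, 0xAA, sizeof(m));          /* stale content everywhere */
    memset(m.data, 0, off + 14);          /* first mbuf ends after byte 14 */
    m.m_len = off + 14;
    memcpy(m.next, tail, sizeof(tail));   /* header bytes 14..19 follow */
    m.next_len = sizeof(tail);
    if (model_pullup(&m, off + pullup_len) == 0)
        memcpy(&th, m.data + off, sizeof(th));   /* 20-byte struct copy */
    return th;
}
```

rst_template(14) returns th_win and th_urp filled with the 0xAA stale pattern, while rst_template(sizeof(struct tcp_hdr)) returns the values carried in the second buffer.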