DF-0534
Heap OOB read in ngc_send: ng_mesg buffer under-allocated, header fields read out of bounds
Summary
ngc_send (:254-307) sums the mbuf chain into an int len, does kmalloc(len + 1) and bcopies the user payload into the new buffer. There is NO minimum-size check before the buffer is treated as a struct ng_mesg: the code immediately dereferences msg->header.version (:264), then msg->header.typecookie and cmd (:276-277), and on NGM_MKPEER casts msg->data to struct ngm_mkpeer and reads mkp->type (:278, :281, :291), which sits at offset sizeof(struct ng_msghdr) from the start of the allocation (24 bytes of fixed fields plus the NG_CMDSTRSIZ-byte cmdstr array).

A 1-byte control message produces a 2-byte allocation. Byte 0 is user-controlled, so setting it to NG_VERSION (8) passes the version check and every later header access reads past the end of the object into adjacent (possibly freed) slab memory. With a header-sized message the attacker controls typecookie/cmd directly and can select the MKPEER path while struct ngm_mkpeer lies entirely outside the allocation; ksnprintf("ng_%s.ko", ..., mkp->type) (:291) then performs an unbounded %s scan from the end of the object until the first NUL byte it finds in neighbouring slab memory.

Preconditions: a netgraph control socket, which is privileged (:182).

Fix: after :262, reject short messages with if (len < sizeof(struct ng_mesg)) return EINVAL. That bounds only the header: the MKPEER branch must additionally require len - sizeof(struct ng_msghdr) >= sizeof(struct ngm_mkpeer) and bound the mkp->type scan (force a NUL terminator or use a %.*s precision) before the ksnprintf, since mkp begins exactly where the header ends.
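To make the size arithmetic concrete, the following is a userland model of the ngc_send parse path, added for this finding and not DragonFly's ng_socket.c. It places the kmalloc(len + 1) object inside a 0xFF-filled arena standing in for the neighbouring slab memory, performs the same version/typecookie/cmd/mkp->type accesses, and records how far past the allocation they reach; a hardened switch applies the proposed len < sizeof(struct ng_mesg) check plus the MKPEER-branch length check and a bounded %s. Struct layouts and constants follow the NG_VERSION 8 netgraph headers as recalled here (56-byte header, 96-byte ngm_mkpeer); the arena size, the NGM_GENERIC_COOKIE value and all payloads are constructed assumptions.

```c
/*
 * Userland model of the ngc_send() parse path from DF-0534. Added example,
 * not DragonFly's ng_socket.c. Layouts and constants follow the NG_VERSION 8
 * netgraph headers as recalled here; treat the exact sizes as assumptions.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { NG_VERSION = 8, NGM_MKPEER = 1, NG_TYPESIZ = 32, NG_HOOKSIZ = 32,
       NG_CMDSTRSIZ = 32, ARENA_SIZE = 256 /* assumed: object + slab neighbour */ };
#define NGM_GENERIC_COOKIE 1137070366u
struct ng_msghdr {                /* 56 bytes */
    uint8_t  version;             /* must equal NG_VERSION */
    uint8_t  spare;
    uint16_t spare2;
    uint32_t arglen, cmd, flags, token, typecookie;
    uint8_t  cmdstr[NG_CMDSTRSIZ];
};
struct ng_mesg { struct ng_msghdr header; char data[]; };
struct ngm_mkpeer { char type[NG_TYPESIZ], ourhook[NG_HOOKSIZ], peerhook[NG_HOOKSIZ]; };
struct parse_result {
    int    error;         /* 0, or the errno ngc_send would return */
    int    took_mkpeer;   /* header fields selected the NGM_MKPEER path */
    size_t alloc_len;     /* size of the kmalloc(len + 1) object */
    size_t bytes_read;    /* one past the highest offset the parse touched */
    char   filename[48];  /* what ksnprintf("ng_%s.ko", ...) produced */
};

/* hardened == 0 reproduces the reported logic; 1 adds the proposed
 * len < sizeof(struct ng_mesg) check plus a check for the MKPEER args. */
static struct parse_result
model_ngc_send(const uint8_t *payload, size_t len, int hardened)
{
    struct parse_result r;
    uint32_t words[ARENA_SIZE / sizeof(uint32_t)];   /* keeps msg aligned */
    uint8_t *arena = (uint8_t *)words;
    struct ng_mesg *msg = (struct ng_mesg *)(void *)arena;

    memset(&r, 0, sizeof r);
    if (len >= ARENA_SIZE - 1) { r.error = EMSGSIZE; return r; }  /* model limit */
    /* Slab neighbour: 0xFF bytes, NUL-terminated so an unbounded %s scan
     * stops inside the arena instead of walking off the stack. */
    memset(arena, 0xFF, ARENA_SIZE);
    arena[ARENA_SIZE - 1] = '\0';
    r.alloc_len = len + 1;                        /* kmalloc(len + 1) */
    memcpy(arena, payload, len);                  /* bcopy of the user payload */
    if (hardened && len < sizeof(struct ng_mesg)) { r.error = EINVAL; return r; }
    r.bytes_read = 1;
    if (msg->header.version != NG_VERSION) { r.error = EINVAL; return r; } /* :264 */
    r.bytes_read = sizeof(struct ng_msghdr);      /* typecookie/cmd reads, :276-277 */
    if (msg->header.typecookie == NGM_GENERIC_COOKIE &&
        msg->header.cmd == NGM_MKPEER) {
        struct ngm_mkpeer *mkp = (struct ngm_mkpeer *)msg->data;   /* :278 */
        r.took_mkpeer = 1;
        /* The header check says nothing about mkp, which begins exactly where
         * the header ends, so this branch needs its own length check. */
        if (hardened && len - sizeof(struct ng_msghdr) < sizeof *mkp) { r.error = EINVAL; return r; }
        if (hardened) {                           /* bounded scan */
            snprintf(r.filename, sizeof r.filename, "ng_%.*s.ko", NG_TYPESIZ, mkp->type);
            r.bytes_read = sizeof(struct ng_msghdr) + sizeof *mkp;
        } else {                                  /* :291, unbounded %s */
            snprintf(r.filename, sizeof r.filename, "ng_%s.ko", mkp->type);
            r.bytes_read = sizeof(struct ng_msghdr) + strlen(mkp->type) + 1;
        }
    }
    return r;
}

/* Constructed NGM_MKPEER control message. with_args == 0 sends only the
 * header, so struct ngm_mkpeer lies entirely outside the allocation. */
static size_t
build_mkpeer(uint8_t *buf, size_t bufsz, const char *type, int with_args)
{
    struct ngm_mkpeer mkp = { { 0 } };
    struct ng_msghdr hdr = { .version = NG_VERSION, .cmd = NGM_MKPEER,
        .typecookie = NGM_GENERIC_COOKIE,
        .arglen = with_args ? (uint32_t)sizeof mkp : 0 };
    size_t n = sizeof hdr + (with_args ? sizeof mkp : 0);
    if (bufsz < n) return 0;
    memcpy(buf, &hdr, sizeof hdr);
    if (with_args) {
        snprintf(mkp.type, sizeof mkp.type, "%s", type);
        memcpy(buf + sizeof hdr, &mkp, sizeof mkp);
    }
    return n;
}

int main(void)
{
    uint8_t one = NG_VERSION, buf[ARENA_SIZE];
    struct parse_result r = model_ngc_send(&one, 1, 0);
    printf("1-byte msg: alloc %zu, header reads reach %zu\n", r.alloc_len, r.bytes_read);
    r = model_ngc_send(buf, build_mkpeer(buf, sizeof buf, "tee", 0), 0);
    printf("header-only MKPEER: alloc %zu, %%s scan reached %zu\n", r.alloc_len, r.bytes_read);
    return 0;
}
```

The two unhardened runs show the two shapes of the bug: the 1-byte message allocates 2 bytes yet the header reads extend to offset 56, and the header-only MKPEER message makes the %s scan run to the end of the arena. With hardened set, the first is rejected by the proposed check and the second by the MKPEER-branch check that the proposed check alone does not provide.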