DF-0536
Unprivileged kernel heap over-read via non-NUL-terminated sg_data in ng_connect_data
Summary
ng_connect_data (:752-778) casts nam to struct sockaddr_ng and passes sap->sg_data to ng_address_path() as a C string (:775) WITHOUT verifying that a NUL terminator lies within the sa_len bytes supplied. ng_bind (:824) rejects the address unless sg_data[sg_len-3] == '\0' (sg_len covers the 2-byte sg_len/sg_family header, so sg_len-3 indexes the last byte of sg_data); connect omits that check.

Data sockets require NO privilege: ngd_attach (:387) performs no caps_priv_check, so an unprivileged user can call connect(2) on an AF_NETGRAPH SOCK_DGRAM socket with a sockaddr of sg_len bytes that contains no NUL. The syscall layer allocates exactly sa_len bytes (M_SONAME, no M_ZERO), so the strlcpy/strcmp scans in ng_address_path run past the allocation into the adjacent slab memory. If the scan crosses a page boundary the result is a kernel panic (DoS); otherwise it is a minor information side-channel.

Fix: replicate the ng_bind validation in ng_connect_data before calling ng_address_path: require sg_len >= 3 and sg_data[sg_len-3] == '\0'.
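Added example (not from this report or from the FreeBSD netgraph source): a stand-alone C model of the ng_bind-style check proposed as the fix, exercised against a constructed sockaddr_ng image with and without its terminating NUL. The layout (1-byte sg_len, 1-byte sg_family, then sg_data) and the helper names are assumptions made for the model; the check only ever reads bytes inside the sa_len allocation.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Layout assumed for struct sockaddr_ng: a 1-byte sg_len (total length),
 * a 1-byte sg_family, then sg_data.  Hence sg_len - 2 data bytes follow the
 * header and sg_data[sg_len - 3] is the last byte inside the allocation. */
#define NG_ADDR_HDR 2

/* Constructed helper: build an address image for `path` in `out`.
 * With terminate == 0 the trailing NUL is omitted, modelling the malformed
 * input the report describes.  Returns the total length, or 0 on overflow. */
size_t build_ng_addr(const char *path, int terminate, unsigned char *out, size_t cap)
{
    size_t plen = strlen(path) + (terminate ? 1 : 0);
    size_t total = NG_ADDR_HDR + plen;
    if (total > cap || total > 255)      /* sg_len is a single byte */
        return 0;
    out[0] = (unsigned char)total;       /* sg_len */
    out[1] = 0;                          /* sg_family; irrelevant to the check */
    memcpy(out + NG_ADDR_HDR, path, plen);
    return total;
}

/* The check the report proposes for ng_connect_data, mirroring ng_bind:
 * reject unless sg_len >= 3 and sg_data[sg_len - 3] == '\0'.  sa_len is the
 * size the syscall layer actually copied in; only bytes inside it are read.
 * Returns 0 on success, EINVAL (the errno ng_bind uses) on malformed input. */
int ng_addr_check(const unsigned char *sa, size_t sa_len)
{
    const char *sg_data = (const char *)sa + NG_ADDR_HDR;
    if (sa_len < 3)                      /* header plus at least one data byte */
        return EINVAL;
    if ((size_t)sa[0] != sa_len)         /* sg_len must match the allocation */
        return EINVAL;
    if (sg_data[sa_len - 3] != '\0')     /* sg_data[sg_len - 3] must be NUL */
        return EINVAL;
    return 0;
}

/* Model of the consumer: the path length ng_address_path could safely scan,
 * or -1 when the address was rejected and must not be scanned at all. */
int ng_addr_path_len(const unsigned char *sa, size_t sa_len)
{
    if (ng_addr_check(sa, sa_len) != 0)
        return -1;
    return (int)strlen((const char *)sa + NG_ADDR_HDR);
}
```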