DF-0550
Ring-size computation uses 32-bit multiply without overflow check: latent heap overflow
Summary
The ring length, len = sizeof(netmap_ring) + ndesc * sizeof(netmap_slot) (:927-930, :955-958), is computed in u_int (32-bit). ndesc comes from kring->nkr_num_slots (uint32). With ndesc > ~2^29 the multiply wraps to a small value, netmap_ring_malloc succeeds with a small object, and netmap_new_bufs then writes ndesc slots past the end of it: a heap overflow. Current callers bound ndesc well below that, so this is a defense-in-depth issue. Fix: make len a size_t and add an overflow check.
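The wrap and the proposed fix, side by side, as an added example (not code from the netmap tree). The struct layouts, the function names and the max_len parameter are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in layouts, assumed for illustration; not the real netmap structs. */
struct demo_slot { uint32_t buf_idx; uint16_t len; uint16_t flags; uint64_t ptr; };
struct demo_ring { uint64_t hdr[16]; };

/* Pattern from the finding: the whole expression is evaluated in 32 bits,
 * so a large ndesc wraps the product and yields a small length. */
static uint32_t ring_len_u32(uint32_t ndesc)
{
    return (uint32_t)sizeof(struct demo_ring) +
        ndesc * (uint32_t)sizeof(struct demo_slot);
}

/* Checked form: size_t arithmetic, rejecting any ndesc whose ring would
 * exceed max_len (hypothetical parameter: the largest object the allocator
 * can hand out; SIZE_MAX gives a plain overflow check). */
static bool ring_len_checked(uint32_t ndesc, size_t max_len, size_t *len)
{
    const size_t hdr = sizeof(struct demo_ring);
    const size_t slot = sizeof(struct demo_slot);

    if (max_len < hdr || (size_t)ndesc > (max_len - hdr) / slot)
        return false;           /* would wrap or exceed the limit */
    *len = hdr + (size_t)ndesc * slot;
    return true;
}

int main(void)
{
    uint32_t ndesc = UINT32_C(1) << 29;   /* constructed value */
    size_t len = 0;

    printf("32-bit len for ndesc=%u: %u bytes\n",
        (unsigned)ndesc, (unsigned)ring_len_u32(ndesc));
    if (!ring_len_checked(ndesc, UINT32_MAX, &len))
        printf("checked: ndesc=%u rejected\n", (unsigned)ndesc);
    if (ring_len_checked(1024, UINT32_MAX, &len))
        printf("checked: ndesc=1024 -> %zu bytes\n", len);
    return 0;
}
```

The division-based test rejects the request before any multiplication happens, so the check itself cannot wrap.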