Heap OOB write via byte-swapped alias_port used as array index: every NAT deployment corrupts heap ~1.6% of connections
Summary
pick_alias_port(:439): s->alias_port=htons(krandom()%ALIAS_RANGE+ALIAS_BEGIN) stores NETWORK byte order. Line :423 alias->tcp_in[s->alias_port-ALIAS_BEGIN]=s2 uses raw value as array index WITHOUT ntohs. On little-endian x86-64 only DragonFly target: host v=0x0401(1025) -> htons=0x0104(260) -> index 260-1024 wraps unsigned to ~64772 past tcp_in[64511]. ~1.6% of new connections when low byte of host value is 0-3. OOB write of 8-byte pointer past array end into adjacent heap. Read side(:204) uses same wrong index so connection appears to work while corrupting. Every NAT deployment. Remote-triggered by any host sending traffic through NAT. cfg_alias ~1.5MB single OOB slot wild pointer store into neighboring heap. Fix: store host-order index separately use ntohs consistently.