DF-0570
Remote OOB read: inbound port/icmp_id indexed into alias arrays without bounds check
Summary
Inbound path(:204/:209/:215): s2=alias->tcp_in[*old_port-ALIAS_BEGIN] / udp_in / icmp_in[*old_port]. *old_port is raw network-order dport/icmp_id from inbound packet. NO bounds check. TCP/UDP: dport<1024(network order interpretation) -> negative index before array. Values producing index>=64511 read past end. ICMP: icmp_id>=64511 read past icmp_in. s2==NULL check(:221) AFTER OOB read. Non-NULL garbage in OOB slot -> wild pointer deref at :335-341 (s2->alias_addr/src_addr). Remote attacker sends crafted packet to NAT alias IP. Fix: validate ntohs(old_port) bounds before indexing.