DF-0574
Uninitialized kernel stack read as alias IPs via count mismatch in copyin
Summary
ip_fw3_ctl_nat_add (:756-763): sooptcopyin copies at most sizeof(ioc_nat) = 12 bytes, which holds one in_addr. nat_add_dispatch (:770-783) then iterates over the caller-supplied count: for (n = 0; n < ioc->count; n++) { memcpy(&alias->ip, ip, LEN_IN_ADDR); ip++; }. With count > 1, ip walks past the single copied IP into the rest of the on-stack netmsg_nat_add and beyond, so uninitialized stack memory becomes alias IPs. nat_add_msg is declared on the stack (:772).

Impact: the config is readable back via IP_FW_NAT_GET, so this is a kernel stack info leak to root. Multi-IP NAT is also broken.

Fix: use a variable-length ioc format, copyin the full count*sizeof(in_addr), and zero the buffer before copyin.
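A userspace model of the fix described above, added here as an illustration and not the project's own code: the buffer is zeroed before the copy, and count is rejected unless the bytes actually copied cover count addresses. The struct ioc_hdr layout, MAX_ALIAS, model_copyin, nat_add_checked and demo are assumptions made for this example; model_copyin stands in for sooptcopyin.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define MAX_ALIAS 16                              /* hypothetical cap, not from the finding */
struct ioc_hdr { int32_t id; int32_t count; };    /* assumed variable-length header */

/* Stand-in for sooptcopyin(): copies at most dst_len bytes, returns bytes copied. */
static size_t model_copyin(void *dst, size_t dst_len, const void *src, size_t src_len)
{
    size_t n = src_len < dst_len ? src_len : dst_len;
    memcpy(dst, src, n);
    return n;
}

/* Returns the number of alias IPs written to out[], or -EINVAL. */
int nat_add_checked(const void *opt, size_t opt_len, uint32_t *out, size_t out_cap)
{
    unsigned char buf[sizeof(struct ioc_hdr) + MAX_ALIAS * sizeof(uint32_t)];
    struct ioc_hdr hdr;
    size_t got, need;

    memset(buf, 0, sizeof(buf));                  /* zero before copyin */
    got = model_copyin(buf, sizeof(buf), opt, opt_len);
    if (got < sizeof(hdr))
        return -EINVAL;
    memcpy(&hdr, buf, sizeof(hdr));
    if (hdr.count < 1 || hdr.count > MAX_ALIAS || (size_t)hdr.count > out_cap)
        return -EINVAL;
    need = sizeof(hdr) + (size_t)hdr.count * sizeof(uint32_t);
    if (got < need)                               /* count claims more than was copied */
        return -EINVAL;
    memcpy(out, buf + sizeof(hdr), (size_t)hdr.count * sizeof(uint32_t));
    return hdr.count;
}

/* Constructed request: header claims `claimed` IPs, payload carries `supplied` (<= MAX_ALIAS). */
int demo(int claimed, int supplied)
{
    unsigned char req[sizeof(struct ioc_hdr) + MAX_ALIAS * sizeof(uint32_t)] = {0};
    struct ioc_hdr h = { 1, claimed };
    uint32_t out[MAX_ALIAS];

    memcpy(req, &h, sizeof(h));
    for (int i = 0; i < supplied && i < MAX_ALIAS; i++) {
        uint32_t ip = 0x0a000001u + (uint32_t)i;  /* constructed sample addresses */
        memcpy(req + sizeof(h) + (size_t)i * sizeof(ip), &ip, sizeof(ip));
    }
    return nat_add_checked(req, sizeof(h) + (size_t)supplied * sizeof(uint32_t), out, MAX_ALIAS);
}
```

demo(4, 1) reproduces the shape of the reported request (12 bytes, count greater than 1) and is rejected instead of being iterated.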