`gsstest` function from `sys/kgssapi/gsstest.c` performs `malloc` with an unlimited, user controlled, `size_t` value, and the `M_WAITOK` flag. Passing large values of `input_token.length` through the userland `args` would result in panic on systems where the `gsstest` kernel module is running. sys/kgssapi/gsstest.c: static int gsstest(struct thread *td, struct gsstest_args *uap) { int error; switch (uap->a_op) { case 1: return (gsstest_1(td)); case 2: { struct gsstest_2_args args; struct gsstest_2_res res; gss_buffer_desc input_token, output_token; OM_uint32 junk; error = copyin(uap->a_args, &args, sizeof(args)); if (error) return (error); input_token.length = args.input_token.length; input_token.value = malloc(input_token.length, M_GSSAPI, M_WAITOK); ... sys/kgssapi/gssapi.h: typedef struct gss_buffer_desc_struct { size_t length; void *value; } gss_buffer_desc, *gss_buffer_t; After copying the arguments from userland, the length should be checked against an upper limit.