Created attachment 237745 [details]
provoke crash in netgraph due to missing { NULL } array terminator

This in sys/netgraph/ng_bridge.h:

#define NG_BRIDGE_MOVE_HOST_TYPE_INFO(entype)   {               \
          { "addr",             (entype)                },      \
          { "hook",             &ng_parse_hookbuf_type  },      \
}

I believe there should be a { NULL } at the end to prevent code from
running off the end of this array.

I've attached a demo. ng_unparse_composite() calls
ng_get_composite_len(), which returns 3 rather than the correct 2 due
to lack of the { NULL }, causing ng_unparse_composite()'s loop to
index off the end of the type array. Then ng_parse_get_elem_pad()
fetches a garbage function pointer in ALIGNMENT() using a too-large
index and calls it.

# cc ng6a.c -lnetgraph
# ./a.out
panic: Fatal page fault at 0x7070705f676e007c: 0x7070705f676e007c
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x74
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 12, tval = 0x7070705f676e007c
(null)() at 0x7070705f676e007c
ng_unparse_composite() at ng_unparse_composite+0xf6
ng_struct_unparse() at ng_struct_unparse+0xe
ng_unparse() at ng_unparse+0x30
ng_generic_msg() at ng_generic_msg+0x938
ng_apply_item() at ng_apply_item+0xf6
ng_snd_item() at ng_snd_item+0x1bc
ngc_send() at ngc_send+0x260
sosend_generic() at sosend_generic+0x384
sosend() at sosend+0x68
kern_sendit() at kern_sendit+0x170
sendit() at sendit+0x9c
sys_sendto() at sys_sendto+0x40
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xf6
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- syscall (133, FreeBSD ELF64, sys_sendto)