ipf_nat_putent() copies an ap_session_t from ipnn->ipn_data and then
uses aps->aps_psiz to allocate and copy a variable-length payload. The
code does not verify that the user-supplied buffer (ipnn->ipn_data)
actually contains at least sizeof(*aps) + aps->aps_psiz bytes. Even if
aps->aps_psiz itself is legitimate (e.g., originating from previously
saved kernel state), a truncated IPFOBJ_NATSAVE object can cause the
subsequent copy to read past the end of ipnn->ipn_data, resulting in an
out-of-bounds read in the kernel.
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
MFC after: 1 day
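The missing check described above, shown as an added C example (not ipfilter's or FreeBSD's own code): a stand-in header carrying an `aps_psiz`-style length, a length-prefixed user object, the unchecked size computation that trusts the header, and the hardened version that refuses to copy unless the object holds a whole header plus `aps_psiz` payload bytes. The struct and field names (`sess_hdr_t`, `natsave_t`, `ipn_dsize`) and the constructed buffers are assumptions for illustration only.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for ap_session_t; only the size field matters here (assumed layout). */
typedef struct {
    uint32_t aps_psiz;   /* length of the variable-length payload after the header */
} sess_hdr_t;

/* Stand-in for the copied-in IPFOBJ_NATSAVE object: the bytes the caller
 * supplied and how many of them there are (assumed field names). */
typedef struct {
    const unsigned char *ipn_data;
    size_t ipn_dsize;
} natsave_t;

/* Length the unchecked code would copy: it trusts aps_psiz without asking
 * whether the caller actually supplied that many bytes. Returned for
 * illustration only; copying that many bytes is the out-of-bounds read. */
static size_t
unchecked_copy_len(const natsave_t *obj)
{
    sess_hdr_t hdr;
    memcpy(&hdr, obj->ipn_data, sizeof(hdr));  /* header read is itself unchecked */
    return sizeof(hdr) + hdr.aps_psiz;
}

/* Hardened extraction: require a whole header, then require that the bytes
 * after it cover aps_psiz, before allocating and copying the payload.
 * Returns 0 with a malloc'd payload, EINVAL on a truncated object. */
static int
checked_get_payload(const natsave_t *obj, sess_hdr_t *hdr,
                    unsigned char **payload, size_t *payload_len)
{
    if (obj->ipn_dsize < sizeof(*hdr))
        return EINVAL;                              /* not even a full header */
    memcpy(hdr, obj->ipn_data, sizeof(*hdr));
    /* Subtract rather than add so a huge aps_psiz cannot wrap the sum. */
    if (hdr->aps_psiz > obj->ipn_dsize - sizeof(*hdr))
        return EINVAL;                              /* payload runs past ipn_data */
    *payload_len = hdr->aps_psiz;
    *payload = malloc(*payload_len ? *payload_len : 1);
    if (*payload == NULL)
        return ENOMEM;
    memcpy(*payload, obj->ipn_data + sizeof(*hdr), *payload_len);
    return 0;
}

/* Constructed object in buf: header claiming psiz, followed by `have` payload bytes. */
static natsave_t
make_obj(unsigned char *buf, uint32_t psiz, const unsigned char *payload, size_t have)
{
    sess_hdr_t hdr = { psiz };
    natsave_t obj;
    memcpy(buf, &hdr, sizeof(hdr));
    memcpy(buf + sizeof(hdr), payload, have);
    obj.ipn_data = buf;
    obj.ipn_dsize = sizeof(hdr) + have;
    return obj;
}

static const unsigned char sample_payload[4] = { 1, 2, 3, 4 };  /* constructed */

/* Header claims 4 bytes and 4 bytes follow: returns 1 when copy succeeds intact. */
int scenario_wellformed(void)
{
    unsigned char buf[64]; sess_hdr_t h; unsigned char *p; size_t n;
    natsave_t obj = make_obj(buf, 4, sample_payload, 4);
    if (checked_get_payload(&obj, &h, &p, &n) != 0) return 0;
    int ok = (n == 4 && memcmp(p, sample_payload, 4) == 0);
    free(p);
    return ok;
}

/* Header claims 4 bytes but only 2 follow (the truncated-object case).
 * Returns 1 when the unchecked length overshoots and the checked path rejects. */
int scenario_truncated(void)
{
    unsigned char buf[64]; sess_hdr_t h; unsigned char *p; size_t n;
    natsave_t obj = make_obj(buf, 4, sample_payload, 2);
    return unchecked_copy_len(&obj) > obj.ipn_dsize &&
           checked_get_payload(&obj, &h, &p, &n) == EINVAL;
}

/* aps_psiz = UINT32_MAX with no payload: the subtraction form must still reject. */
int scenario_huge_psiz(void)
{
    unsigned char buf[64]; sess_hdr_t h; unsigned char *p; size_t n;
    natsave_t obj = make_obj(buf, UINT32_MAX, sample_payload, 0);
    return checked_get_payload(&obj, &h, &p, &n) == EINVAL;
}

/* Object shorter than the header itself. */
int scenario_short_header(void)
{
    unsigned char buf[64] = { 0 }; sess_hdr_t h; unsigned char *p; size_t n;
    natsave_t obj = { buf, 2 };
    return checked_get_payload(&obj, &h, &p, &n) == EINVAL;
}
```

The `ipn_dsize - sizeof(*hdr)` comparison is the point: computing `sizeof(*hdr) + aps_psiz` and comparing it to the object length lets a large `aps_psiz` wrap the sum on a narrow type, whereas subtracting a known-smaller header size from a length already checked to exceed it cannot overflow.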