MacOS/iOS kernel double free due to incorrect API usage in flow divert socket option handling(CVE-2017-13867)

SOFLOWDIVERTTOKEN is a socket option on the SOLSOCKETlayer. It's implemented by flowdiverttokensetstruct socket so, struct sockopt sopt in flowdivert.c. The relevant code is: error = sooptgetmsopt, &token; if error goto done; error = sooptmcopyinsopt, token; if error goto done; ... done: if token...