necp_client_copy_interface contains this code, where interface_index is an attacker-controlled uint32_t:

    if (interface_index != IFSCOPE_NONE && (int)interface_index <= if_index) {
        interface = ifindex2ifnet[interface_index];
    }

This leads to an interface pointer being read out of bounds. This can lead to kernel memory disclosure and also memory corruption as a lock is taken on the interface object.
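
The signed/unsigned mismatch in that check, shown as an added example that is not part of the original report or of XNU: it evaluates the quoted condition next to a hypothetical unsigned comparison, without touching any table. The value of IFSCOPE_NONE, the helper names, the sample indices and if_index = 8 are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IFSCOPE_NONE 0 /* value assumed here, matching XNU's definition */

/* The check as quoted in the report. The (int) cast makes any index
 * >= 0x80000000 negative, so it compares as <= if_index and is accepted. */
static bool check_as_reported(uint32_t interface_index, int if_index)
{
    return interface_index != IFSCOPE_NONE && (int)interface_index <= if_index;
}

/* Hypothetical hardened form: keep the comparison unsigned. */
static bool check_unsigned(uint32_t interface_index, int if_index)
{
    return interface_index != IFSCOPE_NONE && if_index >= 0 &&
           interface_index <= (uint32_t)if_index;
}

/* Count sample indices that a check accepts although they exceed if_index. */
static int count_bad_accepts(bool (*check)(uint32_t, int), int if_index)
{
    /* Constructed sample values, not taken from the report. */
    static const uint32_t samples[] = { 0, 1, 8, 9, 0x7fffffffu,
                                        0x80000000u, 0xfffffffeu, 0xffffffffu };
    int bad = 0;
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        bool in_range = samples[i] <= (uint32_t)if_index;
        if (check(samples[i], if_index) && !in_range)
            bad++;
    }
    return bad;
}

int main(void)
{
    int if_index = 8; /* constructed: highest valid interface index */
    printf("reported check, out-of-range accepts: %d\n",
           count_bad_accepts(check_as_reported, if_index));
    printf("unsigned check, out-of-range accepts: %d\n",
           count_bad_accepts(check_unsigned, if_index));
    return 0;
}
```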
Tested on macOS 10.12.3 (16D32) on MacBookAir5,2.
Attachment: necp_sign.c