Matthieu Boutier

Kernel Panic on Mac OS (6/11/2014)

This bug has been fixed on OS X.11 El Capitan (7/10/2015).

Preliminary

The sendmsg system call allows a program to specify options that modify the behaviour of outgoing packets. One of these options specifies the source address of the packets. I had to use this option to take advantage of source-sensitive routing with UDP-based applications.

One interesting thing is that even though Mac OS is based on FreeBSD for almost everything, it doesn't use the BSD constant (IP_SENDSRCADDR) for this particular case, but the Linux one (IP_PKTINFO). Another interesting thing is that we can (currently) crash Mac OS just by sending a message with a specific source address over an unbound socket.

Crashing OSX

You can download an 80-line program that crashes Mac OS with a kernel panic. It has been tested on 10.7 and 10.9 on different computers.

The bug is that the kernel expects a bound socket, so uncommenting line 60 avoids the problem. The thing is that we are then binding the socket to the (undefined) 0.0.0.0 address, without specifying a port number: this is of no interest from the programmer's point of view. The natural thing would be for the kernel itself to bind the socket to that special address. We can hope this will be fixed in the near future...
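The workaround described above, written as a reusable send routine. This is an added example, not the 80-line program from this page: the function names is_bound, ensure_bound and send_from are hypothetical, and it assumes an IPv4 UDP socket. It binds the socket to 0.0.0.0 with no port before any sendmsg call that carries an IP_PKTINFO source address.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* exposes struct in_pktinfo on glibc; harmless elsewhere */
#endif
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Returns 1 if the socket already has a local port, 0 if not, -1 on error. */
int is_bound(int fd) {
    struct sockaddr_in local;
    socklen_t len = sizeof(local);
    if (getsockname(fd, (struct sockaddr *)&local, &len) < 0) return -1;
    return local.sin_port != 0;
}

/* Bind to 0.0.0.0 with port 0 (the kernel picks a port) unless already bound. */
int ensure_bound(int fd) {
    struct sockaddr_in any;
    int bound = is_bound(fd);
    if (bound != 0) return bound < 0 ? -1 : 0;
    memset(&any, 0, sizeof(any));
    any.sin_family = AF_INET;
    any.sin_addr.s_addr = htonl(INADDR_ANY);
    return bind(fd, (struct sockaddr *)&any, sizeof(any));
}

/* Send one datagram to dst, asking the kernel to use src as source address. */
ssize_t send_from(int fd, struct in_addr src, const struct sockaddr_in *dst,
                  const void *buf, size_t len) {
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(struct in_pktinfo))]; } ctl;
    struct iovec iov = { (void *)buf, len };
    struct msghdr msg;
    struct in_pktinfo info;
    struct cmsghdr *cmsg;
    if (ensure_bound(fd) < 0) return -1;   /* never send on an unbound socket */
    memset(&ctl, 0, sizeof(ctl));
    memset(&msg, 0, sizeof(msg));
    memset(&info, 0, sizeof(info));
    info.ipi_spec_dst = src;               /* source address for this packet */
    msg.msg_name = (void *)dst;  msg.msg_namelen = sizeof(*dst);
    msg.msg_iov = &iov;          msg.msg_iovlen = 1;
    msg.msg_control = ctl.buf;   msg.msg_controllen = sizeof(ctl.buf);
    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = IPPROTO_IP;
    cmsg->cmsg_type = IP_PKTINFO;
    cmsg->cmsg_len = CMSG_LEN(sizeof(info));
    memcpy(CMSG_DATA(cmsg), &info, sizeof(info));
    return sendmsg(fd, &msg, 0);
}
```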

For now, you can use this « feature » to admire the beautiful Mac OS kernel panic screen, and share it with your friends.