
Comment by piss_n_chips

2 years ago

There are compiler flags that OpenBSD could be using but isn't, which would have caught this bug without needing to convert the codebase to Rust. Using -Wconversion would have warned on the mismatched signedness of the MAX macro argument (the unsigned integer, sysno) and its result (being assigned to npins, a signed integer). Alternatively, adding -fsanitize=implicit-integer-sign-change, or a UBSan flag that includes this, would detect this at runtime for the actual range of values that end up causing a change of sign.

Though, these would also be triggered by statements like:

    pins[SYS_kbind] = -1;

This is due to the pins array being of unsigned int, so all this sort of code would need to be fixed too.
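
The signedness mismatch described in the comment above, reduced to a stand-alone C file. This is an added example, not OpenBSD code and not written by the commenter; the function names, `PIN_UNSET`, the file name and the input values are constructed for illustration.

```c
/* Build with the flags named in the comment above:
 *   cc -Wconversion sign_demo.c
 *   clang -fsanitize=implicit-integer-sign-change sign_demo.c
 */
#include <limits.h>
#include <stdio.h>

#define MAX(a, b) (((a) > (b)) ? (a) : (b))
#define PIN_UNSET UINT_MAX   /* hypothetical name for the "-1" sentinel */

/* Mismatched signedness: MAX() is evaluated as unsigned int, then the
 * result is implicitly converted back to the signed npins. */
static int npins_unchecked(int npins, unsigned int sysno)
{
    npins = MAX(npins, sysno);   /* the implicit sign change happens here */
    return npins;
}

/* One signedness throughout: refuse values that do not fit in int before
 * comparing. Returns 0 and updates *npins, or -1 and leaves it alone. */
static int npins_checked(int *npins, unsigned int sysno)
{
    if (sysno > (unsigned int)INT_MAX)
        return -1;
    *npins = MAX(*npins, (int)sysno);
    return 0;
}

/* Sentinel store without assigning "-1" to an unsigned element. */
static unsigned int clear_pin(unsigned int *pins, unsigned int idx)
{
    pins[idx] = PIN_UNSET;
    return pins[idx];
}

int main(void)
{
    unsigned int pins[4] = {0};
    int npins = 3;

    printf("unchecked: %d\n", npins_unchecked(3, UINT_MAX)); /* sign flips */
    printf("checked:   %d (npins stays %d)\n",
           npins_checked(&npins, UINT_MAX), npins);
    printf("sentinel:  %u\n", clear_pin(pins, 2));
    return 0;
}
```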