l2: fix null pointer access in l2-efp-filter #87
Closed
Problem:
VPP may crash in l2-efp-filter with a SIGSEGV (faulting address 0x0) in the post-rewrite EFP filter path.
Observed backtrace example:
received signal SIGSEGV ... faulting address 0x0
#0 l2_efp_filter_node_fn_hsw ... (libvnet.so.25.10)
#1 vlib_main ...
Root Cause:
Two unsafe assumptions in the post-rewrite EFP filter processing:
extract_keys() always reads h0[0] and h0[1] (outer/inner VLAN headers) without verifying that the packet actually contains enough VLAN headers / bytes in the buffer.
eth_vlan_table_lookups() may return hi == NULL for some inputs, and the code then calls eth_identify_subint(hi, ...), which can dereference NULL and crash.
Fix:
This patch hardens l2_efp_filter.c in two places:
Make extract_keys() safe
Initialize outer_id / inner_id to 0 by default.
Validate l2_len and current_length.
Clamp bytes-after-ethernet to what is actually available in the buffer.
Derive VLAN tag count safely and cap it to max 2 tags.
Only read VLAN headers when tag_num >= 1/2.
Guard eth_identify_subint()
Introduce safe_eth_identify_subint() wrapper.
If hi == NULL, avoid calling eth_identify_subint() and force a mismatch (set subint_sw_if_index = ~0), so the packet is dropped by the existing EFP filter logic instead of crashing.
Behavior / Impact:
No behavior change for valid packets and normal configurations.
For malformed/short frames or unexpected lookup results, VPP no longer crashes; packets are handled safely (typically dropped by EFP filter as intended).
Testing:
Generated traffic on VLAN subinterfaces (e.g., .2000) and verified packets traverse l2-efp-filter without triggering a crash.
Verified l2-efp-filter counters increment and post-rewrite drop counter behaves as expected for mismatches.