DF-0284
Missing per-command payload bounds checks in MCC handlers (OOB read)
Summary
receive_mcc(:2521) checks total length matches but handlers cast hdr+1 to fixed struct without checking length>=sizeof. MSC/RLS/RPN/PN handlers read stale mbuf bytes past declared payload when length<struct size. Reads stay in mbuf buffer no crash but stale data influences protocol logic.