DF-0328
node_getmimoinfo loops on untrusted ni_mimo_chains without clamping to array size
Summary
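In node_getmimoinfo (:1164), the loop for (i < ni_mimo_chains) indexes ni_mimo_rssi_ctl[i] and ni_mimo_noise_ctl[i], both sized IEEE80211_MAX_CHAINS = 3. ni_mimo_chains is a uint8_t that comes from the driver and is not clamped. A value greater than 3 causes an out-of-bounds read of the node struct and an out-of-bounds write to the info struct (stack). Driver-gated.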
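
An added example, not the project's own code: a simplified model of the loop with the missing clamp applied. The field names and IEEE80211_MAX_CHAINS come from the summary; the struct layouts, element types, function names and sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define IEEE80211_MAX_CHAINS 3  /* array size given in the summary */

/* Hypothetical stand-in for the node fields named in the finding. */
struct model_node {
    uint8_t  ni_mimo_chains;    /* driver-supplied, untrusted */
    uint32_t ni_mimo_rssi_ctl[IEEE80211_MAX_CHAINS];
    int8_t   ni_mimo_noise_ctl[IEEE80211_MAX_CHAINS];
};

/* Hypothetical stand-in for the caller's stack-allocated info struct. */
struct model_mimo_info {
    uint32_t rssi[IEEE80211_MAX_CHAINS];
    int8_t   noise[IEEE80211_MAX_CHAINS];
};

/* Copy per-chain values with the loop bounded by the array size, not by
 * the driver-reported count. Returns the number of chains copied. */
static int
getmimoinfo_clamped(const struct model_node *ni, struct model_mimo_info *info)
{
    int i, n = ni->ni_mimo_chains;

    memset(info, 0, sizeof(*info));
    if (n > IEEE80211_MAX_CHAINS)
        n = IEEE80211_MAX_CHAINS;   /* the clamp the finding says is missing */
    for (i = 0; i < n; i++) {
        info->rssi[i]  = ni->ni_mimo_rssi_ctl[i];
        info->noise[i] = ni->ni_mimo_noise_ctl[i];
    }
    return n;
}

/* Constructed check: with a bogus count of 200, only 3 entries are copied
 * and a canary placed right after the info struct is left untouched. */
static int
demo_oversized_count(void)
{
    struct { struct model_mimo_info info; uint32_t canary; } frame;
    struct model_node ni = { 200, { 10, 20, 30 }, { -95, -94, -93 } };
    int n;

    frame.canary = 0xA5A5A5A5u;
    n = getmimoinfo_clamped(&ni, &frame.info);
    return n == 3 && frame.canary == 0xA5A5A5A5u &&
        frame.info.rssi[2] == 30 && frame.info.noise[0] == -95;
}

int main(void) { return demo_oversized_count() ? 0 : 1; }
```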