DF-0346
Uninitialized stack read of rsnparms on WPS/TSN assoc path bypasses HT-cipher downgrade protection
Summary
hostap_recv_mgmt ASSOC_REQ(:1934) rsnparms uninitialized stack var. wpa_assocreq returns 1 early for WPS/TSN without calling parse_wpa/rsn (no memset). HT-cipher check(:2103-2106) reads rsnparms.rsn_ucastcipher under F_WPA condition. Garbage==AES_CCM(3) -> HT not disabled for WPS/TSN station with weak cipher. Remote unauth: assoc req no WPA IE + FEXT_WPS/TSN + HT cap. Non-deterministic.