DF-0351
uint32 metric accumulation overflow enables route poisoning / route hijacking
Summary
metric=preq_metric+link_metric in plain uint32(:1089,:1453,:1972). Attacker sets preq_metric so sum wraps to ~0. Fresh sequence bypasses metric comparison(:1090-1102). Wrapped near-0 metric stored unconditionally(:1095). Route poisoning/hijacking: MITM/blackhole/partition. HWMP spec mandates bounded accumulation; code has no saturation.