DF-0364
ieee80211_fix_rate and findrix iterate rs_rates without validating rs_nrates <= IEEE80211_RATE_MAXSIZE: missing defense-in-depth
Summary
findrix (:628) and ieee80211_fix_rate (:685) loop over i < rs->rs_nrates and access rs_rates[i] without validating that rs_nrates <= IEEE80211_RATE_MAXSIZE (the array size). ieee80211_fix_rate both reads and writes the array (sort swap at :693-695, compaction at :734-736). If any upstream IE parser fails to clamp the count, these loops yield a heap out-of-bounds read/write on the node rateset. There is no direct exploit in this file; the issue depends on a separate IE parsing bug. This is defense-in-depth hardening at a shared rate-processing primitive.
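
The count check this finding asks for, shown as an added example that is not code from the file under review. struct rateset, struct node, RATE_MAXSIZE (and its value), find_rate_index and sort_rates are simplified stand-ins chosen for illustration; the oversized count is constructed input.

```c
#include <stdint.h>
#include <string.h>

#define RATE_MAXSIZE 15   /* stand-in for IEEE80211_RATE_MAXSIZE; value assumed */
struct rateset { uint8_t rs_nrates; uint8_t rs_rates[RATE_MAXSIZE]; };
struct node { struct rateset rs; uint8_t adjacent[8]; };  /* constructed layout */

/* Read path, in the style of findrix: index of rate r, or -1. */
static int find_rate_index(const struct rateset *rs, uint8_t r)
{
    if (rs->rs_nrates > RATE_MAXSIZE)   /* count exceeds backing array */
        return -1;
    for (int i = 0; i < rs->rs_nrates; i++)
        if (rs->rs_rates[i] == r)
            return i;
    return -1;
}

/* Write path: in-place ascending sort; refuses a bad count before any swap. */
static int sort_rates(struct rateset *rs)
{
    if (rs->rs_nrates > RATE_MAXSIZE)
        return -1;
    for (int i = 0; i < rs->rs_nrates; i++)
        for (int j = i + 1; j < rs->rs_nrates; j++)
            if (rs->rs_rates[i] > rs->rs_rates[j]) {
                uint8_t t = rs->rs_rates[i];
                rs->rs_rates[i] = rs->rs_rates[j];
                rs->rs_rates[j] = t;
            }
    return 0;
}

/* Constructed case: count of 200; neighbouring bytes must stay untouched. */
static int oversized_is_rejected(void)
{
    struct node n;
    uint8_t before[sizeof(n)];
    memset(&n, 0xAA, sizeof(n));
    n.rs.rs_nrates = 200;
    memcpy(before, &n, sizeof(n));
    return sort_rates(&n.rs) == -1 && find_rate_index(&n.rs, 0xAA) == -1
        && memcmp(before, &n, sizeof(n)) == 0;
}

int main(void)
{
    return oversized_is_rejected() ? 0 : 1;
}
```

Placing the check inside the shared primitive means a parser that forgets to clamp the count results in a rejected rateset rather than a write past the array.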