DF-0583
ieee80211_parse_ath heap over-read via short Atheros vendor IE
Summary
ieee80211_parse_ath(:198-206): derefs IE as full struct ieee80211_ath_ie reads ath->ath_capability(byte 8)+le16dec(ath_defkeyix)(bytes 9-10) requiring body>=sizeof(ath_ie)-2=9 bytes. But isatherosoui(ieee80211_input.h:112-115) accepts ie[1]>3 (body>=4). Crafted Atheros IE ie[1] in [4..8] passes isatherosoui but parse_ath reads 1-5 bytes past IE body. IE blob kmallocd to exact total length(ieee80211_node.c:949). When short IE is last element reads past kmallocd blob into adjacent heap. Sibling parse_athparams(:218) DOES validate len<sizeof(ath_ie)-2 proving check intended but omitted here. Remote rogue AP beacon/probe-response with short Atheros IE -> heap leak. Fix: if(ie[1]<sizeof(ath_ie)-2) return.