DF-0584
ieee80211_ff_decap skips framelen validation: truncated frame delivery
Summary
In ieee80211_ff_decap (:309-339), the first sub-frame's framelen comes from ieee80211_decap1, which computes it as ntohs(eh->ether_type) + 6 (:399-400), so the value is attacker-controlled. It is passed unchecked to m_split(m, framelen, M_NOWAIT) and then used in m_adj(n, roundup2(framelen, 4) - framelen). The comment at :338 reads "XXX verify framelen against mbuf contents".

The path is memory-safe: m_split returns NULL on overflow, and that result is checked at :317. A too-small framelen, however, delivers a truncated first frame via iv_deliver_data (:326) and mis-frames the second sub-frame. Attacker model: rogue AP with FF support. Impact is robustness/DoS, not memory corruption.

Fix: validate framelen <= pkthdr.len and framelen >= FF_LLC_SIZE before calling m_split.
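A user-space model of the proposed bounds check, added here as an illustration and not code from the audited source. The names ff_split_unchecked, ff_split_checked and struct ff_split are hypothetical, FF_LLC_SIZE is assumed to be 22 (14-byte Ethernet header plus 8-byte LLC/SNAP, consistent with the +6 above), and the packet lengths are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed sizes: 14-byte Ethernet header + 8-byte LLC/SNAP header. */
#define FF_LLC_SIZE 22u
#define ROUNDUP4(x) (((x) + 3u) & ~(size_t)3u)

/* Hypothetical result type: where each sub-frame sits in the aggregate. */
struct ff_split {
    size_t first_len;   /* bytes delivered as the first sub-frame */
    size_t second_off;  /* offset where the second sub-frame is parsed */
};

/* Models the current flow: only framelen > pkt_len fails (m_split NULL). */
static int ff_split_unchecked(size_t pkt_len, uint16_t len_field, struct ff_split *out)
{
    size_t framelen = (size_t)len_field + 6;    /* as in ieee80211_decap1 */
    if (framelen > pkt_len)
        return -1;
    out->first_len = framelen;
    out->second_off = ROUNDUP4(framelen);       /* skip padding to 4 bytes */
    return 0;
}

/* Models the proposed fix: bound framelen on both sides before splitting. */
static int ff_split_checked(size_t pkt_len, uint16_t len_field, struct ff_split *out)
{
    size_t framelen = (size_t)len_field + 6;
    if (framelen < FF_LLC_SIZE || framelen > pkt_len)
        return -1;                              /* drop the whole aggregate */
    return ff_split_unchecked(pkt_len, len_field, out);
}

int main(void)
{
    /* Constructed case: 200-byte aggregate whose first sub-frame is 100 bytes. */
    const size_t pkt_len = 200;
    const uint16_t fields[] = { 94, 2, 400 };   /* honest, too small, too large */
    for (size_t i = 0; i < 3; i++) {
        struct ff_split u = {0, 0}, c = {0, 0};
        int ru = ff_split_unchecked(pkt_len, fields[i], &u);
        int rc = ff_split_checked(pkt_len, fields[i], &c);
        printf("len=%u unchecked=%d (first=%zu, second@%zu) checked=%d\n",
               (unsigned)fields[i], ru, u.first_len, u.second_off, rc);
    }
    return 0;
}
```

With a length field of 2 the unchecked model accepts an 8-byte first frame and starts parsing the second sub-frame at offset 8, which is the truncation and mis-framing described above; the checked model rejects the aggregate.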