The linked article is most interesting.
It seems like TDLS has to be carefully implemented. The standard put in all sorts of checks to make sure the devices establishing a TDLS connection were on the same network, but it seems like this vendor left in code that allows sending a tunneled probe request without even having a TDLS connection. That was probably for convenience in debugging, but when you move something to production you’re supposed to take these hooks out.
Looking at the overall architecture described in the article, it looks pretty much like a kludge. They probably had multiple programmers working on it, and had to allow executable code in the stack to maintain memory-management discipline among the team.
‘Production’ environments (outside of specialized domains) have been In Name Only for close to a decade.
He who shoves crap out fastest in two-week (or less) sprints is now winner.