wget src/ftp.c TOCTOU + readlink length handling in symlink verification
15fb0158-a43c-45ad-a9fe-4127d260a3cb
In src/ftp.c, when opt.retr_symlinks is disabled, wget creates a local symlink after unlinking an existing target. Before creating the link, it tries to verify whether the symlink currently in place already matches the expected link target: it calls readlink(con->target, link_target, len) with len = strlen(f->linkto) + 1, then checks n == len - 1 and memcmp(link_target, f->linkto, n). This forms a TOCTOU sequence (lstat/readlink/unlink/symlink): an attacker who controls con->target can race changes between the checks, bypass the 'already have correct symlink' guard, and influence the target of the subsequent unlink/symlink. Additionally, the readlink buffer is not explicitly NUL-terminated, which makes any later string use of it unsafe (even if the current code uses memcmp by length).
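One way to harden both points, as an added example that is not wget's code: the comparison reads one byte more than the expected length and terminates the buffer itself, and the replacement is a single rename() over the final path component instead of unlink() followed by symlink(). The function names, the temporary-name scheme and the /tmp scratch directory are assumptions, and a parent directory that an attacker can modify would still need directory-descriptor calls (symlinkat/renameat).

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if path is a symlink whose target equals want, 0 if not, -1 on error. */
int symlink_matches(const char *path, const char *want)
{
    size_t len = strlen(want);
    char *buf = malloc(len + 2);          /* +1 to expose a longer target, +1 for NUL */
    if (!buf) return -1;
    ssize_t n = readlink(path, buf, len + 1);
    if (n < 0) {                          /* missing or not a symlink: no match */
        int e = errno;
        free(buf);
        return (e == ENOENT || e == EINVAL) ? 0 : -1;
    }
    buf[n] = '\0';                        /* readlink() never terminates the buffer */
    int same = ((size_t)n == len && strcmp(buf, want) == 0);
    free(buf);
    return same;
}

/* Put a symlink to want at path without an unlink()/symlink() gap:
   create it under a temporary name, then rename() it over path. */
int replace_symlink(const char *path, const char *want)
{
    char tmp[4096];                       /* temporary-name scheme is an assumption */
    int k = snprintf(tmp, sizeof tmp, "%s.tmp.%ld", path, (long)getpid());
    if (k < 0 || (size_t)k >= sizeof tmp) return -1;
    if (symlink(want, tmp) != 0) return -1;   /* EEXIST if the name is already taken */
    if (rename(tmp, path) != 0) { unlink(tmp); return -1; }
    return 0;
}

int main(void)
{
    char dir[] = "/tmp/symchkXXXXXX";     /* constructed scratch directory */
    char p[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(p, sizeof p, "%s/link", dir);
    if (replace_symlink(p, "pub/file") != 0) return 1;
    printf("match=%d shorter=%d\n", symlink_matches(p, "pub/file"), symlink_matches(p, "pub/fil"));
    unlink(p);
    return rmdir(dir) != 0;
}
```

Because rename() replaces the destination name itself and does not follow a symlink found there, there is never a moment when path is absent for another process to fill.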