Index: dev/iwi/if_iwi.c
===================================================================
RCS file: /home/ncvs/src/sys/dev/iwi/if_iwi.c,v
retrieving revision 1.80
diff -u -r1.80 if_iwi.c
--- dev/iwi/if_iwi.c	17 Dec 2011 10:23:17 -0000	1.80
+++ dev/iwi/if_iwi.c	7 Mar 2012 04:32:22 -0000
@@ -168,6 +168,7 @@
 		    struct ieee80211_node *, int);
 static int	iwi_raw_xmit(struct ieee80211_node *, struct mbuf *,
 		    const struct ieee80211_bpf_params *);
+static void	iwi_update_mcast(struct ifnet *);
 static void	iwi_start_locked(struct ifnet *);
 static void	iwi_start(struct ifnet *);
 static void	iwi_watchdog(void *);
@@ -413,6 +414,7 @@
 	sc->sc_node_free = ic->ic_node_free;
 	ic->ic_node_free = iwi_node_free;
 	ic->ic_raw_xmit = iwi_raw_xmit;
+	ic->ic_update_mcast = iwi_update_mcast;
 	ic->ic_scan_start = iwi_scan_start;
 	ic->ic_scan_end = iwi_scan_end;
 	ic->ic_set_channel = iwi_set_channel;
@@ -1357,8 +1359,8 @@
 	frm += 2;
 
 	wme = NULL;
-	while (frm < efrm) {
-		IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1], return);
+	while (efrm - frm > 1) {
+		IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
 		switch (*frm) {
 		case IEEE80211_ELEMID_VENDOR:
 			if (iswmeoui(frm))
@@ -1953,6 +1955,12 @@
 }
 
 static void
+iwi_update_mcast(struct ifnet *ifp)
+{
+	/* Ignore */
+}
+
+static void
 iwi_start_locked(struct ifnet *ifp)
 {
 	struct iwi_softc *sc = ifp->if_softc;