Associd out of (hardware) bounds

From: Martin Husemann <martin_at_NetBSD.org>
Date: Mon, 31 Oct 2022 19:30:19 UTC
Hey folks,

I have a reproducible failure in my version of the net80211 code
where I don't clearly see if (or why not) this would happen in the
FreeBSD original too...

I have a run(4) usb wifi adapter, which has a hardware limit on the
assoc table and so sets vap->iv_max_aid (to RT2870_WCID_MAX) and also
sets the ic->ic_newassoc callback to run_newassoc to handle this.

I am in station mode and start wpa_supplicant to join my home network.

When I receive the IEEE80211_FC0_SUBTYPE_ASSOC_RESP frame this goes
via ieee80211_sta.c:sta_recv_mgmt() and in line 1783 the associd
gets extracted from the received frame.

At this point no checks are done.

Later in line 1851 this value is written into the node's ni_associd.
No check is done here either and now I have an out of bounds value
in the node - 0xc083 but if_max_aid is 0x40 (the 0xc00 part is
irrelevant, but 0x83 > 0x40).

This leads to memory corruption as there is an if_max_aid-sized
array with rate adaptation statistics and the driver will try to clear
the stats for this new node.

So what am I missing? Should that associd from the received frame be
validated here against iv_max_aid, or should the ic_newassoc callback be
invoked and deal with it?

Or did I break something else and in FreeBSD this case does not happen because
the new node is passed to ic_newassoc somewhere else before we get here?

Anyone here tested a run(4) recently?

Martin
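The path Martin describes, modelled as an added example (this is editor-written code, not from the net80211 tree, run(4), or Martin's message). It parses the AID out of a constructed ASSOC_RESP body carrying 0xc083, strips the two reserved high bits the way the IEEE80211_AID() mask does, and shows the unchecked path handing an index of 0x83 to a 0x40-entry rate-statistics table, beside a checked path that rejects the frame against iv_max_aid. The struct names (fake_vap, fake_node, rate_stats), the frame layout helper and the demo driver callback are assumptions made for the example; only the mask value and the RT2870_WCID_MAX limit of 64 come from the post and net80211 conventions.

```c
/*
 * Added example, not code from net80211, run(4) or the original post.
 * Models: ASSOC_RESP body -> 16-bit AID -> (unchecked) ni_associd ->
 * driver clears a per-AID stats slot.  Names marked "assumed" are
 * invented for this example.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IEEE80211_AID(b)    ((b) & ~0xc000)   /* strip the two reserved-set bits */
#define RT2870_WCID_MAX     64                /* run(4) hardware limit, 0x40 */

struct fake_vap  { uint16_t iv_max_aid; };    /* assumed stand-in for ieee80211vap */
struct fake_node { uint16_t ni_associd; };    /* assumed stand-in for ieee80211_node */

/* Assumed per-AID rate adaptation statistics, sized to the hardware limit. */
struct rate_stats {
    uint32_t tx_ok;
    uint32_t tx_fail;
};

/* ASSOC_RESP body: capability(2) status(2) AID(2), all little-endian. */
static int
parse_assoc_resp_aid(const uint8_t *frm, size_t len, uint16_t *aid_out)
{
    if (len < 6)
        return -1;
    *aid_out = (uint16_t)(frm[4] | (frm[5] << 8));
    return 0;
}

/* The check the post asks about: masked AID must be nonzero and < iv_max_aid. */
static int
aid_is_valid(const struct fake_vap *vap, uint16_t raw_associd)
{
    uint16_t aid = IEEE80211_AID(raw_associd);
    return aid != 0 && aid < vap->iv_max_aid;
}

/* Assumed driver newassoc: clears the slot for ni.  Returns -1 instead of
 * writing past the table, which is what an unchecked 0x83 would do. */
static int
newassoc_clear_stats(struct rate_stats *stats, size_t nstats,
    const struct fake_node *ni)
{
    uint16_t aid = IEEE80211_AID(ni->ni_associd);
    if (aid >= nstats)
        return -1;
    memset(&stats[aid], 0, sizeof(stats[aid]));
    return 0;
}

/* Unchecked path: the AID goes straight into the node, as the post describes. */
static int
sta_recv_assoc_resp_unchecked(struct fake_node *ni, const uint8_t *frm, size_t len)
{
    uint16_t associd;
    if (parse_assoc_resp_aid(frm, len, &associd) != 0)
        return -1;
    ni->ni_associd = associd;
    return 0;
}

/* Checked path: reject the frame when the AID is outside the per-vap limit. */
static int
sta_recv_assoc_resp_checked(const struct fake_vap *vap, struct fake_node *ni,
    const uint8_t *frm, size_t len)
{
    uint16_t associd;
    if (parse_assoc_resp_aid(frm, len, &associd) != 0)
        return -1;
    if (!aid_is_valid(vap, associd))
        return -1;
    ni->ni_associd = associd;
    return 0;
}

int
main(void)
{
    /* Constructed body: cap=0x0431, status=0 (success), AID=0xc083. */
    static const uint8_t body[] = { 0x31, 0x04, 0x00, 0x00, 0x83, 0xc0 };
    struct fake_vap vap = { .iv_max_aid = RT2870_WCID_MAX };
    struct rate_stats stats[RT2870_WCID_MAX];
    struct fake_node ni = { 0 };

    sta_recv_assoc_resp_unchecked(&ni, body, sizeof(body));
    printf("unchecked: ni_associd=0x%04x aid=0x%02x clear_stats=%d\n",
        ni.ni_associd, IEEE80211_AID(ni.ni_associd),
        newassoc_clear_stats(stats, RT2870_WCID_MAX, &ni));
    printf("checked: frame rejected=%d\n",
        sta_recv_assoc_resp_checked(&vap, &ni, body, sizeof(body)) == -1);
    return 0;
}
```

The point of the mask is that 0xc083 and 0x83 are the same AID: the 0xc000 bits are set by the AP per the 802.11 encoding and carry no index information, so the bound must be applied to the masked value, and it must be applied before any per-AID table (here the stats array) is indexed, whether that happens in sta_recv_mgmt() or in the driver's ic_newassoc callback.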