+Index: madwifi-ng-r2420-20070602/net80211/ieee80211_output.c
+===================================================================
+--- madwifi-ng-r2420-20070602.orig/net80211/ieee80211_output.c 2007-06-30 23:52:00.118999750 +0200
++++ madwifi-ng-r2420-20070602/net80211/ieee80211_output.c 2007-06-30 23:52:01.355077000 +0200
+@@ -1077,13 +1077,16 @@
+ cip = (struct ieee80211_cipher *) key->wk_cipher;
+ ciphdrsize = cip->ic_header;
+ tailsize += (cip->ic_trailer + cip->ic_miclen);
++
++ /* add the 8 bytes MIC length */
++ if (cip->ic_cipher == IEEE80211_CIPHER_TKIP)
++ pktlen += IEEE80211_WEP_MICLEN;
+ }
+
+ pdusize = vap->iv_fragthreshold - (hdrsize_nopad + ciphdrsize);
+ fragcnt = *framecnt =
+- ((pktlen - (hdrsize_nopad + ciphdrsize)) / pdusize) +
+- (((pktlen - (hdrsize_nopad + ciphdrsize)) %
+- pdusize == 0) ? 0 : 1);
++ ((pktlen - hdrsize_nopad) / pdusize) +
++ (((pktlen - hdrsize_nopad) % pdusize == 0) ? 0 : 1);
+
+ /*
+ * Allocate sk_buff for each subsequent fragment; First fragment
+Index: madwifi-ng-r2420-20070602/net80211/ieee80211_node.c
+===================================================================
+--- madwifi-ng-r2420-20070602.orig/net80211/ieee80211_node.c 2007-06-30 23:52:54.850420250 +0200
++++ madwifi-ng-r2420-20070602/net80211/ieee80211_node.c 2007-07-01 00:18:32.370509250 +0200
+@@ -1885,11 +1885,13 @@
+ /* From this point onwards we can no longer find the node,
+ * so no more references are generated
+ */
+- ieee80211_remove_wds_addr(nt, ni->ni_macaddr);
+- ieee80211_del_wds_node(nt, ni);
+- IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
+- _node_table_leave(nt, ni);
+- IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
++ if (nt) {
++ ieee80211_remove_wds_addr(nt, ni->ni_macaddr);
++ ieee80211_del_wds_node(nt, ni);
++ IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
++ _node_table_leave(nt, ni);
++ IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
++ }
+
+ /*
+ * If node wasn't previously associated all