Don't try to interpret htprot data if the last beacon didn't contain any such data. In other words, ensure we copied data from the beacon to ni->ni_htop1 before using ni->ni_htop1.
Note that read and write of ni->ni_htop1 are not visible in this diff's context, but happen close-by in surrounding lines.
Index: ieee80211_input.c
===================================================================
RCS file: /cvs/src/sys/net80211/ieee80211_input.c,v
retrieving revision 1.152
diff -u -p -r1.152 ieee80211_input.c
--- ieee80211_input.c 25 Jan 2016 11:27:11 -0000 1.152
+++ ieee80211_input.c 25 Jan 2016 12:43:02 -0000
@@ -1579,8 +1579,8 @@ ieee80211_recv_probe_resp(struct ieee802
 if (htcaps)
 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]);
- if (htop)
- ieee80211_setup_htop(ni, htop + 2, htop[1]);
+ if (htop && !ieee80211_setup_htop(ni, htop + 2, htop[1]))
+ htop = NULL; /* invalid HTOP */
 /*
 * When operating in station mode, check for state updates
@@ -1603,7 +1603,7 @@ ieee80211_recv_probe_resp(struct ieee802
 ic->ic_flags &= ~IEEE80211_F_USEPROT;
 ic->ic_bss->ni_erp = erp;
 }
- if (ic->ic_bss->ni_flags & IEEE80211_NODE_HT) {
+ if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT)) {
 enum ieee80211_htprot htprot_last, htprot;
 htprot_last = ((ic->ic_bss->ni_htop1 & IEEE80211_HTOP1_PROT_MASK)
Index: ieee80211_node.c
===================================================================
RCS file: /cvs/src/sys/net80211/ieee80211_node.c,v
retrieving revision 1.97
diff -u -p -r1.97 ieee80211_node.c
--- ieee80211_node.c 7 Jan 2016 23:22:31 -0000 1.97
+++ ieee80211_node.c 25 Jan 2016 12:46:50 -0000
@@ -1308,12 +1308,12 @@ ieee80211_setup_htcaps(struct ieee80211_
 /*
 * Install received HT op information in the node's state block.
 */
-void
+int
 ieee80211_setup_htop(struct ieee80211_node *ni, const uint8_t *data, uint8_t len)
 {
 if (len != 22)
- return;
+ return 0;
 ni->ni_primary_chan = data[0]; /* XXX corresponds to ni_chan */
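Review bot: In the ieee80211_input.c hunk at -1579, `htop[1]` is a length byte taken directly from the received frame, and the new `ieee80211_setup_htop(ni, htop + 2, htop[1])` call relies on 22 readable bytes following `htop + 2` once that byte equals 22. The element parser that assigned `htop` is outside this hunk, so it is worth confirming there that `htop + 2 + htop[1]` was bounded by the end of the frame before this call is reached. Note also that `ieee80211_setup_htcaps()` still returns void, so a malformed HT capabilities element is silently skipped while a malformed HT operation element now clears `htop`; if that asymmetry is intended, a short comment next to the `htcaps` call would say so.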
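Review bot: In the ieee80211_input.c hunk at -1603, the new `htop &&` guard means a frame without a valid HT operation element leaves the previously stored protection mode in force, and nothing at the condition explains that. A comment above it such as `/* Only re-evaluate HT protection if this frame carried a valid HT op element. */` would make the dependency on the `htop = NULL` assignment in the -1579 hunk explicit. Separately, `htprot_last` is read from `ic->ic_bss->ni_htop1` while the setup call writes through `ni`; if `ni` can be `ic->ic_bss` at this point, the "last" value has already been overwritten before it is read, which should be checked in the lines that follow. The block continues outside the hunk.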
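Review bot: The comment above `ieee80211_setup_htop()` in the ieee80211_node.c hunk at -1308 still only says the function installs the information, although it now reports validity to the caller. I would extend it with `Returns 1 if the element had the expected length and was installed, 0 if it was rejected and the node was left unchanged.` The bare `22` in `if (len != 22)` would also read better as a named constant for the HT Operation element body length, because every later `data[]` index and the `memcpy` from `&data[6]` depend on that single check. The function body ends in the following hunk.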
@@ -1322,6 +1322,8 @@ ieee80211_setup_htop(struct ieee80211_no
 ni->ni_htop2 = (data[3] | (data[4] << 8));
 memcpy(ni->ni_basic_mcs, &data[6], sizeof(ni->ni_basic_mcs));
+
+ return 1;
 }
 /*
Index: ieee80211_node.h
===================================================================
RCS file: /cvs/src/sys/net80211/ieee80211_node.h,v
retrieving revision 1.52
diff -u -p -r1.52 ieee80211_node.h
--- ieee80211_node.h 7 Jan 2016 23:22:31 -0000 1.52
+++ ieee80211_node.h 21 Jan 2016 01:53:03 -0000
@@ -353,7 +353,7 @@ extern void ieee80211_clean_cached(struc
 extern void ieee80211_clean_nodes(struct ieee80211com *, int);
 void ieee80211_setup_htcaps(struct ieee80211_node *, const uint8_t *, uint8_t);
-void ieee80211_setup_htop(struct ieee80211_node *, const uint8_t *,
+int ieee80211_setup_htop(struct ieee80211_node *, const uint8_t *,
 uint8_t);
 extern int ieee80211_setup_rates(struct ieee80211com *, struct ieee80211_node *, const u_int8_t *, const u_int8_t *, int);
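Review bot: Changing the prototype to `int ieee80211_setup_htop(...)` in ieee80211_node.h does not make other callers look at the result, so any call site not touched by this diff would keep ignoring a rejected element and carry on with whatever `ni_htop1` held before. Only the call in `ieee80211_recv_probe_resp()` is updated here. It would be worth searching for other callers and either checking the return value there or marking the ignore as deliberate with a `(void)` cast. A one-line comment on the prototype, e.g. `/* returns 0 if the HT op element is invalid */`, would document the new contract where callers will see it.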