diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_input.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_input.c
--- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_input.c 2007-05-04 02:10:06.000000000 +0200
+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_input.c 2007-05-13 18:17:56.027051632 +0200
@@ -2854,7 +2854,7 @@
 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3);
 memcpy(ni->ni_tstamp.data, scan.tstamp, sizeof(ni->ni_tstamp));
- ni->ni_intval = scan.bintval;
+ ni->ni_intval = IEEE80211_BINTVAL_SANITISE(scan.bintval);
 ni->ni_capinfo = scan.capinfo;
 ni->ni_chan = ic->ic_curchan;
 ni->ni_fhdwell = scan.fhdwell;
@@ -3279,7 +3279,7 @@
 ni->ni_rssi = rssi;
 ni->ni_rstamp = rstamp;
 ni->ni_last_rx = jiffies;
- ni->ni_intval = bintval;
+ ni->ni_intval = IEEE80211_BINTVAL_SANITISE(bintval);
 ni->ni_capinfo = capinfo;
 ni->ni_chan = ic->ic_curchan;
 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_node.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_node.c
--- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_node.c 2007-05-13 18:17:55.862076712 +0200
+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_node.c 2007-05-13 18:17:56.028051480 +0200
@@ -658,7 +658,7 @@
 memcpy(ni->ni_essid, se->se_ssid + 2, ni->ni_esslen);
 ni->ni_rstamp = se->se_rstamp;
 ni->ni_tstamp.tsf = se->se_tstamp.tsf;
- ni->ni_intval = se->se_intval;
+ ni->ni_intval = IEEE80211_BINTVAL_SANITISE(se->se_intval);
 ni->ni_capinfo = se->se_capinfo;
 ni->ni_chan = se->se_chan;
 ni->ni_timoff = se->se_timoff;
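Review bot: `ni->ni_intval = IEEE80211_BINTVAL_SANITISE(scan.bintval)` replaces an out-of-range beacon interval taken from a received frame with the default silently, so a malformed or hostile beacon that used to produce a bad timer value now leaves no trace at all. Because the interval comes from an untrusted over-the-air source, the fallback is worth a debug-level trace so the anomaly can be noticed during testing or later analysis; the same applies to the `bintval` store at @@ -3279, to `se->se_intval` in ieee80211_node.c @@ -658 and to `sp->bintval` at node.c @@ -1191 in the next hunk. A small static inline helper that wraps the macro and emits that trace would keep all four call sites at one line each. The enclosing functions begin and end outside these hunks.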
@@ -1191,7 +1191,7 @@
 memcpy(ni->ni_essid, sp->ssid + 2, sp->ssid[1]);
 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3);
 memcpy(ni->ni_tstamp.data, sp->tstamp, sizeof(ni->ni_tstamp));
- ni->ni_intval = sp->bintval;
+ ni->ni_intval = IEEE80211_BINTVAL_SANITISE(sp->bintval);
 ni->ni_capinfo = sp->capinfo;
 ni->ni_chan = ic->ic_curchan;
 ni->ni_fhdwell = sp->fhdwell;
diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_scan.h madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_scan.h
--- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_scan.h 2007-04-04 04:39:58.000000000 +0200
+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_scan.h 2007-05-13 18:17:56.029051328 +0200
@@ -131,7 +131,7 @@
 u_int8_t bchan;
 u_int8_t fhindex;
 u_int8_t erp;
- u_int8_t bintval;
+ u_int16_t bintval;
 u_int8_t timoff;
 u_int8_t *tim;
 u_int8_t *tstamp;
diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_var.h madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_var.h
--- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_var.h 2007-04-25 22:29:55.000000000 +0200
+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_var.h 2007-05-13 18:17:56.029051328 +0200
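Review bot: Widening `bintval` to `u_int16_t` in ieee80211_scan.h only helps if the code that fills the scan parameters from the frame's 16-bit Beacon Interval field (not in this diff) already stores the full value rather than a byte; otherwise values above 255 keep arriving truncated and IEEE80211_BINTVAL_SANITISE judges a wrong number. Likewise `ni->ni_intval`, which receives the sanitised value at node.c @@ -1191 and the other call sites, presumably has to be at least 16 bits wide — if it is still an 8-bit field the validated value is truncated again on store; please confirm both. A comment on the field, `u_int16_t bintval; /* beacon interval (TU), 16 bits as in the frame */`, would record the intended width for the next reader.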
@@ -61,6 +61,12 @@
 #define IEEE80211_BINTVAL_MAX 500 /* max beacon interval (TU's) */
 #define IEEE80211_BINTVAL_MIN 25 /* min beacon interval (TU's) */
 #define IEEE80211_BINTVAL_DEFAULT 100 /* default beacon interval (TU's) */
+#define IEEE80211_BINTVAL_VALID(_bi) \
+ ((IEEE80211_BINTVAL_MIN <= (_bi)) && \
+ ((_bi) <= IEEE80211_BINTVAL_MAX))
+#define IEEE80211_BINTVAL_SANITISE(_bi) \
+ (IEEE80211_BINTVAL_VALID(_bi) ? \
+ (_bi) : IEEE80211_BINTVAL_DEFAULT)
 #define IEEE80211_BGSCAN_INTVAL_MIN 15 /* min bg scan intvl (secs) */
 #define IEEE80211_BGSCAN_INTVAL_DEFAULT (5*60) /* default bg scan intvl */
diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_wireless.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_wireless.c
--- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_wireless.c 2007-05-04 02:10:06.000000000 +0200
+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_wireless.c 2007-05-13 18:17:56.031051024 +0200
@@ -1271,12 +1271,16 @@
 case IW_POWER_UNICAST_R:
 case IW_POWER_ALL_R:
 case IW_POWER_ON:
- ic->ic_flags |= IEEE80211_F_PMGTON;
-
+ if (wrq->flags & IW_POWER_PERIOD) {
+ if (IEEE80211_BINTVAL_VALID(wrq->value))
+ ic->ic_lintval = IEEE80211_MS_TO_TU(wrq->value);
+ else
+ return -EINVAL;
+ }
 if (wrq->flags & IW_POWER_TIMEOUT)
 ic->ic_holdover = IEEE80211_MS_TO_TU(wrq->value);
- if (wrq->flags & IW_POWER_PERIOD)
- ic->ic_lintval = IEEE80211_MS_TO_TU(wrq->value);
+
+ ic->ic_flags |= IEEE80211_F_PMGTON;
 break;
 default:
 return -EINVAL;
@@ -2364,8 +2368,7 @@
 if (vap->iv_opmode != IEEE80211_M_HOSTAP &&
 vap->iv_opmode != IEEE80211_M_IBSS)
 return -EINVAL;
- if (IEEE80211_BINTVAL_MIN <= value &&
- value <= IEEE80211_BINTVAL_MAX) {
+ if (IEEE80211_BINTVAL_VALID(value)) {
 ic->ic_lintval = value; /* XXX multi-bss */
 retv = ENETRESET; /* requires restart */
 } else
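Review bot: `IEEE80211_BINTVAL_SANITISE(_bi)` expands `_bi` three times (twice inside IEEE80211_BINTVAL_VALID and once for the result), so an argument with side effects or an expensive load would be evaluated repeatedly; every call site in this patch passes a plain lvalue, but nothing in the header says that is required. Either document it, `/* _bi is evaluated more than once: pass a side-effect-free expression, in TU */`, or make IEEE80211_BINTVAL_SANITISE a static inline function so the argument is bound once. The bounds are in TU per the comments on IEEE80211_BINTVAL_MAX/MIN, which matters for the millisecond-valued caller in ieee80211_wireless.c @@ -1271.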
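Review bot: In the IW_POWER_PERIOD branch, `IEEE80211_BINTVAL_VALID(wrq->value)` tests the user-supplied value in milliseconds against bounds that the header comments define in TU, while the value actually stored is `IEEE80211_MS_TO_TU(wrq->value)`; since a TU is 1024 µs the converted number is slightly smaller than the input, so 25 ms passes the check but stores a TU value below IEEE80211_BINTVAL_MIN. Convert first and validate the converted value: `{ int tu = IEEE80211_MS_TO_TU(wrq->value); if (!IEEE80211_BINTVAL_VALID(tu)) return -EINVAL; ic->ic_lintval = tu; }`. The IW_POWER_TIMEOUT branch two lines below still stores `IEEE80211_MS_TO_TU(wrq->value)` into `ic_holdover` without any range check, which this patch leaves as it was. The enclosing function begins and ends outside the hunk.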