Securityvulns: SECURITYVULNS:DOC:25430
Jan 03, 2011 - 12:00 a.m.

OS X 10.6.5 kernel crash upon wlan roaming with disabled mandatory MCS

During the buildup at the CCC 27c3 congress in Berlin we noticed several Apple
MacBooks kernel panicked while connected to the wireless network. We identified the
cause of this issue and we are able to reproduce it as well.

It seems to be limited to the aluminum unibody MacBooks, running OS X 10.6.5 with
the following Broadcom wireless chip:

Card Type: AirPort Extreme (0x14E4, 0x8D)
Firmware Version: Broadcom BCM43xx 1.0 (5.10.131.36.1)

The problem occurs when 802.11n MCS0 (Modulation and Coding Scheme) is disabled on
a Cisco Wireless Controller. This scheme is mandatory according to the IEEE
standard (802.11n-2009, page 265). This MCS can be deselected through the web
interface (both WCS and WLC) and the console, without any notification that it is
mandatory:

(Cisco Controller) >config 802.11a disable network
Disabling the 802.11a network may strand mesh APs. Are you sure you want to
continue? (y/n)y
(Cisco Controller) >
(Cisco Controller) >config 802.11a 11nSupport mcs tx 0 disable
(Cisco Controller) >config 802.11a enable network

When this option is configured and an affected Mac OS X client roams from one Cisco
AP to another, the kernel panics. This is easily reproduced by just walking to
another room in the congress center.

Thanks for helping to identify the issue:
Willem Hengeveld <itsme at xs4all dot nl>
Hartmut Schroeder <hacko at hacko dot org>

Best regards,
Attilla de Groot

Relevant files:
WCS config: http://www.attilla.nl/osx_crash/80211n_config_wcs.png
Multiple NOC macbooks crash: http://www.attilla.nl/osx_crash/4macbooks.jpg
Normal association response: http://www.attilla.nl/osx_crash/association_response_normal.pcap
Response when MCS disabled: http://www.attilla.nl/osx_crash/association_response_crash.pcap
OSX kernel panic: http://www.attilla.nl/osx_crash/kernel_panic.txt
OSX kernel panic reproduced: http://www.attilla.nl/osx_crash/kernel_panic_reproduced.txt
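
An added example, not part of the original advisory: a check a network operator could run over captured association responses to find APs that no longer advertise the mandatory MCS0. It assumes the disabled MCS shows up as a cleared bit 0 of the Rx MCS bitmask in the HT Capabilities element (the advisory does not say which field changes); `sample_body` builds constructed frames, not the linked pcaps.

```python
import struct

HT_CAPABILITIES = 45  # 802.11 element ID of the HT Capabilities element
FIXED_FIELDS = 6      # association response: capability, status code, AID (2 bytes each)

def iter_elements(tagged):
    """Yield (element_id, body) pairs; stop cleanly on a truncated element."""
    pos = 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        body = tagged[pos + 2:pos + 2 + length]
        if len(body) < length:  # declared length runs past the end of the frame
            return
        yield eid, body
        pos += 2 + length

def advertised_mcs(assoc_resp_body):
    """Return the MCS indexes (0-76) set in the Rx MCS bitmask, or None when
    the frame body carries no complete HT Capabilities element."""
    for eid, body in iter_elements(assoc_resp_body[FIXED_FIELDS:]):
        if eid == HT_CAPABILITIES and len(body) >= 26:
            # HT capability info (2) + A-MPDU parameters (1) precede the
            # 16-byte Supported MCS Set; its first 10 bytes hold the Rx bitmask.
            bitmask = int.from_bytes(body[3:13], "little")
            return {i for i in range(77) if (bitmask >> i) & 1}
    return None

def mcs0_missing(assoc_resp_body):
    """True when HT is advertised but the mandatory MCS0 is not."""
    mcs = advertised_mcs(assoc_resp_body)
    return mcs is not None and 0 not in mcs

def sample_body(rx_first_octet):
    """Constructed association response body (frame body only, no MAC header)."""
    fixed = struct.pack("<HHH", 0x0011, 0, 0xC001)  # capability, status 0, AID
    rates = bytes([1, 8, 0x8C, 0x12, 0x98, 0x24, 0xB0, 0x48, 0x60, 0x6C])
    mcs_set = bytes([rx_first_octet, 0xFF]) + bytes(14)
    ht_cap = bytes([HT_CAPABILITIES, 26]) + b"\x6e\x18\x1b" + mcs_set + bytes(7)
    return fixed + rates + ht_cap

if __name__ == "__main__":
    for label, octet in (("MCS0-15 advertised", 0xFF), ("MCS0 cleared", 0xFE)):
        print(label, "-> MCS0 missing:", mcs0_missing(sample_body(octet)))
```

The function takes the management frame body, so the 24-byte 802.11 MAC header and any radiotap header must be stripped before a captured frame is passed in.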