In iwm(4), IWM_MAX_PAYLOAD_SIZE needs to be at least one byte smaller.

"IWM_MAX_CMD_PAYLOAD_SIZE + sizeof(struct iwm_cmdheader)" must be smaller
than 4096, otherwise the payload length could get truncated to 0 in this
assignment from iwm_send_cmd(), because 4096 doesn't fit into 12 bits:

desc->tbs[0].hi_n_len = htole16(iwm_get_dma_hi_addr(paddr)
| ((sizeof(cmd->hdr) + paylen) << 4));


Also, in Linux's iwlwifi in iwl-fh.h (at the "struct iwl_tfd" declaration),
there is a comment that
"Each buffer has max size of (4K - 4)."
So it seems logical to make IWM_MAX_CMD_PAYLOAD_SIZE 4 bytes smaller:

Index: sys/dev/pci/if_iwmreg.h
===================================================================
RCS file: /cvs/src/sys/dev/pci/if_iwmreg.h,v
retrieving revision 1.9
diff -u -r1.9 if_iwmreg.h
--- sys/dev/pci/if_iwmreg.h 14 Dec 2015 08:34:56 -0000 1.9
+++ sys/dev/pci/if_iwmreg.h 14 Jan 2016 21:14:13 -0000
@@ -5231,7 +5231,7 @@
};

#define IWM_DEF_CMD_PAYLOAD_SIZE 320
-#define IWM_MAX_CMD_PAYLOAD_SIZE (4096 - sizeof(struct iwm_cmd_header))
+#define IWM_MAX_CMD_PAYLOAD_SIZE ((4096 - 4) - sizeof(struct iwm_cmd_header))
#define IWM_CMD_FAILED_MSK 0x40

struct iwm_device_cmd {