Just to add—in open networks masquerading as the AP is possible so long as you can reach the hosts with your Tx. This is mitigated with encryption, however, as I understand the WPA2 standard, I suppose you could send out a broadcast ARP response packet encrypted using the Group Transient Key pretending to be the AP. However, probably all sane clients would discard ARP responses that were broadcast, as normally, ARP responses should always be unicast to the requesting client.
Edit: Looks like I was spot-on! This is a real vulnerability, and is called Hole 196: http://www.airtightnetworks.com/wpa2-hole196.