1 /* $OpenBSD: ieee80211_input.c,v 1.254 2024/05/23 11:19:13 stsp Exp $ */
2 /* $NetBSD: ieee80211_input.c,v 1.24 2004/05/31 11:12:24 dyoung Exp $ */
3
4 /*-
5 * Copyright (c) 2001 Atsushi Onoe
6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
7 * Copyright (c) 2007-2009 Damien Bergamini
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. The name of the author may not be used to endorse or promote products
19 * derived from this software without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "bpfilter.h"
34
35 #include <sys/param.h>
36 #include <sys/systm.h>
37 #include <sys/mbuf.h>
38 #include <sys/malloc.h>
39 #include <sys/kernel.h>
40 #include <sys/socket.h>
41 #include <sys/sockio.h>
42 #include <sys/endian.h>
43 #include <sys/errno.h>
44 #include <sys/sysctl.h>
45 #include <sys/task.h>
46
47 #include <net/if.h>
48 #include <net/if_dl.h>
49 #include <net/if_media.h>
50 #include <net/if_llc.h>
51
52 #if NBPFILTER > 0
53 #include <net/bpf.h>
54 #endif
55
56 #include <netinet/in.h>
57 #include <netinet/if_ether.h>
58
59 #include <net80211/ieee80211_var.h>
60 #include <net80211/ieee80211_priv.h>
61
62 struct mbuf *ieee80211_input_hwdecrypt(struct ieee80211com *,
63 struct ieee80211_node *, struct mbuf *,
64 struct ieee80211_rxinfo *rxi);
65 struct mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int);
66 void ieee80211_defrag_timeout(void *);
67 void ieee80211_input_ba(struct ieee80211com *, struct mbuf *,
68 struct ieee80211_node *, int, struct ieee80211_rxinfo *,
69 struct mbuf_list *);
70 void ieee80211_input_ba_flush(struct ieee80211com *, struct ieee80211_node *,
71 struct ieee80211_rx_ba *, struct mbuf_list *);
72 int ieee80211_input_ba_gap_skip(struct ieee80211_rx_ba *);
73 void ieee80211_input_ba_gap_timeout(void *arg);
74 void ieee80211_ba_move_window(struct ieee80211com *,
75 struct ieee80211_node *, u_int8_t, u_int16_t, struct mbuf_list *);
76 void ieee80211_input_ba_seq(struct ieee80211com *,
77 struct ieee80211_node *, uint8_t, uint16_t, struct mbuf_list *);
78 void ieee80211_decap(struct ieee80211com *, struct mbuf *,
79 struct ieee80211_node *, int, struct mbuf_list *);
80 int ieee80211_amsdu_decap_validate(struct ieee80211com *, struct mbuf *,
81 struct ieee80211_node *);
82 void ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *,
83 struct ieee80211_node *, int, struct mbuf_list *);
84 void ieee80211_enqueue_data(struct ieee80211com *, struct mbuf *,
85 struct ieee80211_node *, int, struct mbuf_list *);
86 int ieee80211_parse_edca_params_body(struct ieee80211com *,
87 const u_int8_t *);
88 int ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *);
89 int ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *);
90 enum ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t *);
91 enum ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t *);
92 int ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *,
93 u_int, struct ieee80211_rsnparams *);
94 int ieee80211_save_ie(const u_int8_t *, u_int8_t **);
95 void ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *,
96 struct ieee80211_node *, struct ieee80211_rxinfo *, int);
97 #ifndef IEEE80211_STA_ONLY
98 void ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *,
99 struct ieee80211_node *, struct ieee80211_rxinfo *);
100 #endif
101 void ieee80211_recv_auth(struct ieee80211com *, struct mbuf *,
102 struct ieee80211_node *, struct ieee80211_rxinfo *);
103 #ifndef IEEE80211_STA_ONLY
104 void ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *,
105 struct ieee80211_node *, struct ieee80211_rxinfo *, int);
106 #endif
107 void ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *,
108 struct ieee80211_node *, int);
109 void ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *,
110 struct ieee80211_node *);
111 void ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *,
112 struct ieee80211_node *);
113 void ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *,
114 struct ieee80211_node *);
115 void ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *,
116 struct ieee80211_node *);
117 void ieee80211_recv_delba(struct ieee80211com *, struct mbuf *,
118 struct ieee80211_node *);
119 void ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *,
120 struct ieee80211_node *);
121 #ifndef IEEE80211_STA_ONLY
122 void ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *,
123 struct ieee80211_node *);
124 #endif
125 void ieee80211_recv_action(struct ieee80211com *, struct mbuf *,
126 struct ieee80211_node *);
127 #ifndef IEEE80211_STA_ONLY
128 void ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *,
129 struct ieee80211_node *);
130 #endif
131 void ieee80211_recv_bar(struct ieee80211com *, struct mbuf *,
132 struct ieee80211_node *);
133 void ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *,
134 u_int8_t, u_int16_t);
135
136 /*
137 * Retrieve the length in bytes of an 802.11 header.
138 */
139 u_int
ieee80211_get_hdrlen(const struct ieee80211_frame * wh)140 ieee80211_get_hdrlen(const struct ieee80211_frame *wh)
141 {
142 u_int size = sizeof(*wh);
143
144 /* NB: does not work with control frames */
145 KASSERT(ieee80211_has_seq(wh));
146
147 if (ieee80211_has_addr4(wh))
148 size += IEEE80211_ADDR_LEN; /* i_addr4 */
149 if (ieee80211_has_qos(wh))
150 size += sizeof(u_int16_t); /* i_qos */
151 if (ieee80211_has_htc(wh))
152 size += sizeof(u_int32_t); /* i_ht */
153 return size;
154 }
155
156 /* Post-processing for drivers which perform decryption in hardware. */
157 struct mbuf *
ieee80211_input_hwdecrypt(struct ieee80211com * ic,struct ieee80211_node * ni,struct mbuf * m,struct ieee80211_rxinfo * rxi)158 ieee80211_input_hwdecrypt(struct ieee80211com *ic, struct ieee80211_node *ni,
159 struct mbuf *m, struct ieee80211_rxinfo *rxi)
160 {
161 struct ieee80211_key *k;
162 struct ieee80211_frame *wh;
163 uint64_t pn, *prsc;
164 int hdrlen;
165
166 k = ieee80211_get_rxkey(ic, m, ni);
167 if (k == NULL)
168 return NULL;
169
170 wh = mtod(m, struct ieee80211_frame *);
171 hdrlen = ieee80211_get_hdrlen(wh);
172
173 /*
174 * Update the last-seen packet number (PN) for drivers using hardware
175 * crypto offloading. This cannot be done by drivers because A-MPDU
176 * reordering needs to occur before a valid lower bound can be
177 * determined for the PN. Drivers will read the PN we write here and
178 * are expected to discard replayed frames based on it.
179 * Drivers are expected to leave the IV of decrypted frames intact
180 * so we can update the last-seen PN and strip the IV here.
181 */
182 switch (k->k_cipher) {
183 case IEEE80211_CIPHER_CCMP:
184 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) {
185 /*
186 * If the protected bit is clear then hardware has
187 * stripped the IV and we must trust that it handles
188 * replay detection correctly.
189 */
190 break;
191 }
192 if (ieee80211_ccmp_get_pn(&pn, &prsc, m, k) != 0) {
193 ic->ic_stats.is_ccmp_dec_errs++;
194 return NULL;
195 }
196 if (rxi->rxi_flags & IEEE80211_RXI_HWDEC_SAME_PN) {
197 if (pn < *prsc) {
198 ic->ic_stats.is_ccmp_replays++;
199 return NULL;
200 }
201 } else if (pn <= *prsc) {
202 ic->ic_stats.is_ccmp_replays++;
203 return NULL;
204 }
205
206 /* Update last-seen packet number. */
207 *prsc = pn;
208
209 /* Clear Protected bit and strip IV. */
210 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
211 memmove(mtod(m, caddr_t) + IEEE80211_CCMP_HDRLEN, wh, hdrlen);
212 m_adj(m, IEEE80211_CCMP_HDRLEN);
213 /* Drivers are expected to strip the MIC. */
214 break;
215 case IEEE80211_CIPHER_TKIP:
216 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) {
217 /*
218 * If the protected bit is clear then hardware has
219 * stripped the IV and we must trust that it handles
220 * replay detection correctly.
221 */
222 break;
223 }
224 if (ieee80211_tkip_get_tsc(&pn, &prsc, m, k) != 0)
225 return NULL;
226 if (rxi->rxi_flags & IEEE80211_RXI_HWDEC_SAME_PN) {
227 if (pn < *prsc) {
228 ic->ic_stats.is_tkip_replays++;
229 return NULL;
230 }
231 } else if (pn <= *prsc) {
232 ic->ic_stats.is_tkip_replays++;
233 return NULL;
234 }
235
236 /* Update last-seen packet number. */
237 *prsc = pn;
238
239 /* Clear Protected bit and strip IV. */
240 wh = mtod(m, struct ieee80211_frame *);
241 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
242 memmove(mtod(m, caddr_t) + IEEE80211_TKIP_HDRLEN, wh, hdrlen);
243 m_adj(m, IEEE80211_TKIP_HDRLEN);
244 /* Drivers are expected to strip the MIC. */
245 break;
246 default:
247 break;
248 }
249
250 return m;
251 }
252
253 /*
254 * Process a received frame. The node associated with the sender
255 * should be supplied. If nothing was found in the node table then
256 * the caller is assumed to supply a reference to ic_bss instead.
257 * The RSSI and a timestamp are also supplied. The RSSI data is used
258 * during AP scanning to select a AP to associate with; it can have
259 * any units so long as values have consistent units and higher values
260 * mean ``better signal''. The receive timestamp is currently not used
261 * by the 802.11 layer.
262 *
263 * This function acts on management frames immediately and queues data frames
264 * on the specified mbuf list. Delivery of queued data frames to upper layers
265 * must be triggered with if_input(). Drivers should call if_input() only once
266 * per Rx interrupt to avoid triggering the input ifq pressure drop mechanism
267 * unnecessarily.
268 */
269 void
ieee80211_inputm(struct ifnet * ifp,struct mbuf * m,struct ieee80211_node * ni,struct ieee80211_rxinfo * rxi,struct mbuf_list * ml)270 ieee80211_inputm(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni,
271 struct ieee80211_rxinfo *rxi, struct mbuf_list *ml)
272 {
273 struct ieee80211com *ic = (void *)ifp;
274 struct ieee80211_frame *wh;
275 u_int16_t *orxseq, nrxseq, qos;
276 u_int8_t dir, type, subtype, tid;
277 int hdrlen, hasqos;
278
279 KASSERT(ni != NULL);
280
281 /* in monitor mode, send everything directly to bpf */
282 if (ic->ic_opmode == IEEE80211_M_MONITOR)
283 goto out;
284
285 /*
286 * Do not process frames without an Address 2 field any further.
287 * Only CTS and ACK control frames do not have this field.
288 */
289 if (m->m_len < sizeof(struct ieee80211_frame_min)) {
290 DPRINTF(("frame too short, len %u\n", m->m_len));
291 ic->ic_stats.is_rx_tooshort++;
292 goto out;
293 }
294
295 wh = mtod(m, struct ieee80211_frame *);
296 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
297 IEEE80211_FC0_VERSION_0) {
298 DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0]));
299 ic->ic_stats.is_rx_badversion++;
300 goto err;
301 }
302
303 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
304 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
305 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
306
307 if (type != IEEE80211_FC0_TYPE_CTL) {
308 hdrlen = ieee80211_get_hdrlen(wh);
309 if (m->m_len < hdrlen) {
310 DPRINTF(("frame too short, len %u\n", m->m_len));
311 ic->ic_stats.is_rx_tooshort++;
312 goto err;
313 }
314 } else
315 hdrlen = 0;
316 if ((hasqos = ieee80211_has_qos(wh))) {
317 qos = ieee80211_get_qos(wh);
318 tid = qos & IEEE80211_QOS_TID;
319 } else {
320 qos = 0;
321 tid = 0;
322 }
323
324 if (ic->ic_state == IEEE80211_S_RUN &&
325 type == IEEE80211_FC0_TYPE_DATA && hasqos &&
326 (subtype & IEEE80211_FC0_SUBTYPE_NODATA) == 0 &&
327 !(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE)
328 #ifndef IEEE80211_STA_ONLY
329 && (ic->ic_opmode == IEEE80211_M_STA || ni != ic->ic_bss)
330 #endif
331 ) {
332 int ba_state = ni->ni_rx_ba[tid].ba_state;
333
334 #ifndef IEEE80211_STA_ONLY
335 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
336 if (!IEEE80211_ADDR_EQ(wh->i_addr1,
337 ic->ic_bss->ni_bssid)) {
338 ic->ic_stats.is_rx_wrongbss++;
339 goto err;
340 }
341 if (ni->ni_state != IEEE80211_S_ASSOC) {
342 ic->ic_stats.is_rx_notassoc++;
343 goto err;
344 }
345 }
346 #endif
347 /*
348 * If Block Ack was explicitly requested, check
349 * if we have a BA agreement for this RA/TID.
350 */
351 if ((qos & IEEE80211_QOS_ACK_POLICY_MASK) ==
352 IEEE80211_QOS_ACK_POLICY_BA &&
353 ba_state != IEEE80211_BA_AGREED) {
354 DPRINTF(("no BA agreement for %s, TID %d\n",
355 ether_sprintf(ni->ni_macaddr), tid));
356 /* send a DELBA with reason code UNKNOWN-BA */
357 IEEE80211_SEND_ACTION(ic, ni,
358 IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA,
359 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid);
360 goto err;
361 }
362
363 /*
364 * Check if we have an explicit or implicit
365 * Block Ack Request for a valid BA agreement.
366 */
367 if (ba_state == IEEE80211_BA_AGREED &&
368 ((qos & IEEE80211_QOS_ACK_POLICY_MASK) ==
369 IEEE80211_QOS_ACK_POLICY_BA ||
370 (qos & IEEE80211_QOS_ACK_POLICY_MASK) ==
371 IEEE80211_QOS_ACK_POLICY_NORMAL)) {
372 /* go through A-MPDU reordering */
373 ieee80211_input_ba(ic, m, ni, tid, rxi, ml);
374 return; /* don't free m! */
375 } else if (ba_state == IEEE80211_BA_REQUESTED &&
376 (qos & IEEE80211_QOS_ACK_POLICY_MASK) ==
377 IEEE80211_QOS_ACK_POLICY_NORMAL) {
378 /*
379 * Apparently, qos frames for a tid where a
380 * block ack agreement was requested but not
381 * yet confirmed by us should still contribute
382 * to the sequence number for this tid.
383 */
384 ieee80211_input_ba(ic, m, ni, tid, rxi, ml);
385 return; /* don't free m! */
386 }
387 }
388
389 /*
390 * We do not yet support fragments. Drop any fragmented packets.
391 * Counter-measure against attacks where an arbitrary packet is
392 * injected via a fragment with attacker-controlled content.
393 * See https://papers.mathyvanhoef.com/usenix2021.pdf
394 * Section 6.8 "Treating fragments as full frames"
395 */
396 if (ieee80211_has_seq(wh)) {
397 uint16_t rxseq = letoh16(*(const u_int16_t *)wh->i_seq);
398 if ((wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) ||
399 (rxseq & IEEE80211_SEQ_FRAG_MASK))
400 goto err;
401 }
402
403 /* duplicate detection (see 9.2.9) */
404 if (ieee80211_has_seq(wh) &&
405 ic->ic_state != IEEE80211_S_SCAN) {
406 nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >>
407 IEEE80211_SEQ_SEQ_SHIFT;
408 if (hasqos)
409 orxseq = &ni->ni_qos_rxseqs[tid];
410 else
411 orxseq = &ni->ni_rxseq;
412 if (rxi->rxi_flags & IEEE80211_RXI_SAME_SEQ) {
413 if (nrxseq != *orxseq) {
414 /* duplicate, silently discarded */
415 ic->ic_stats.is_rx_dup++;
416 goto out;
417 }
418 } else if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
419 nrxseq == *orxseq) {
420 /* duplicate, silently discarded */
421 ic->ic_stats.is_rx_dup++;
422 goto out;
423 }
424 *orxseq = nrxseq;
425 }
426 if (ic->ic_state > IEEE80211_S_SCAN) {
427 ni->ni_rssi = rxi->rxi_rssi;
428 ni->ni_rstamp = rxi->rxi_tstamp;
429 ni->ni_inact = 0;
430
431 if (ic->ic_state == IEEE80211_S_RUN && ic->ic_bgscan_start) {
432 /* Cancel or start background scan based on RSSI. */
433 if ((*ic->ic_node_checkrssi)(ic, ni))
434 timeout_del(&ic->ic_bgscan_timeout);
435 else if (!timeout_pending(&ic->ic_bgscan_timeout) &&
436 (ic->ic_flags & IEEE80211_F_BGSCAN) == 0 &&
437 (ic->ic_flags & IEEE80211_F_DESBSSID) == 0)
438 timeout_add_msec(&ic->ic_bgscan_timeout,
439 500 * (ic->ic_bgscan_fail + 1));
440 }
441 }
442
443 #ifndef IEEE80211_STA_ONLY
444 if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
445 (ic->ic_caps & IEEE80211_C_APPMGT) &&
446 ni->ni_state == IEEE80211_STA_ASSOC) {
447 if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) {
448 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) {
449 /* turn on PS mode */
450 ni->ni_pwrsave = IEEE80211_PS_DOZE;
451 DPRINTF(("PS mode on for %s\n",
452 ether_sprintf(wh->i_addr2)));
453 }
454 } else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) {
455 struct mbuf *m;
456
457 /* turn off PS mode */
458 ni->ni_pwrsave = IEEE80211_PS_AWAKE;
459 DPRINTF(("PS mode off for %s\n",
460 ether_sprintf(wh->i_addr2)));
461
462 (*ic->ic_set_tim)(ic, ni->ni_associd, 0);
463
464 /* dequeue buffered unicast frames */
465 while ((m = mq_dequeue(&ni->ni_savedq)) != NULL) {
466 mq_enqueue(&ic->ic_pwrsaveq, m);
467 if_start(ifp);
468 }
469 }
470 }
471 #endif
472 switch (type) {
473 case IEEE80211_FC0_TYPE_DATA:
474 switch (ic->ic_opmode) {
475 case IEEE80211_M_STA:
476 if (dir != IEEE80211_FC1_DIR_FROMDS) {
477 ic->ic_stats.is_rx_wrongdir++;
478 goto out;
479 }
480 if (ic->ic_state != IEEE80211_S_SCAN &&
481 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) {
482 /* Source address is not our BSS. */
483 DPRINTF(("discard frame from SA %s\n",
484 ether_sprintf(wh->i_addr2)));
485 ic->ic_stats.is_rx_wrongbss++;
486 goto out;
487 }
488 if ((ifp->if_flags & IFF_SIMPLEX) &&
489 IEEE80211_IS_MULTICAST(wh->i_addr1) &&
490 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) {
491 /*
492 * In IEEE802.11 network, multicast frame
493 * sent from me is broadcasted from AP.
494 * It should be silently discarded for
495 * SIMPLEX interface.
496 */
497 ic->ic_stats.is_rx_mcastecho++;
498 goto out;
499 }
500 break;
501 #ifndef IEEE80211_STA_ONLY
502 case IEEE80211_M_IBSS:
503 case IEEE80211_M_AHDEMO:
504 if (dir != IEEE80211_FC1_DIR_NODS) {
505 ic->ic_stats.is_rx_wrongdir++;
506 goto out;
507 }
508 if (ic->ic_state != IEEE80211_S_SCAN &&
509 !IEEE80211_ADDR_EQ(wh->i_addr3,
510 ic->ic_bss->ni_bssid) &&
511 !IEEE80211_ADDR_EQ(wh->i_addr3,
512 etherbroadcastaddr)) {
513 /* Destination is not our BSS or broadcast. */
514 DPRINTF(("discard data frame to DA %s\n",
515 ether_sprintf(wh->i_addr3)));
516 ic->ic_stats.is_rx_wrongbss++;
517 goto out;
518 }
519 break;
520 case IEEE80211_M_HOSTAP:
521 if (dir != IEEE80211_FC1_DIR_TODS) {
522 ic->ic_stats.is_rx_wrongdir++;
523 goto out;
524 }
525 if (ic->ic_state != IEEE80211_S_SCAN &&
526 !IEEE80211_ADDR_EQ(wh->i_addr1,
527 ic->ic_bss->ni_bssid) &&
528 !IEEE80211_ADDR_EQ(wh->i_addr1,
529 etherbroadcastaddr)) {
530 /* BSS is not us or broadcast. */
531 DPRINTF(("discard data frame to BSS %s\n",
532 ether_sprintf(wh->i_addr1)));
533 ic->ic_stats.is_rx_wrongbss++;
534 goto out;
535 }
536 /* check if source STA is associated */
537 if (ni == ic->ic_bss) {
538 DPRINTF(("data from unknown src %s\n",
539 ether_sprintf(wh->i_addr2)));
540 /* NB: caller deals with reference */
541 ni = ieee80211_find_node(ic, wh->i_addr2);
542 if (ni == NULL)
543 ni = ieee80211_dup_bss(ic, wh->i_addr2);
544 if (ni != NULL) {
545 IEEE80211_SEND_MGMT(ic, ni,
546 IEEE80211_FC0_SUBTYPE_DEAUTH,
547 IEEE80211_REASON_NOT_AUTHED);
548 }
549 ic->ic_stats.is_rx_notassoc++;
550 goto err;
551 }
552 if (ni->ni_state != IEEE80211_STA_ASSOC) {
553 DPRINTF(("data from unassoc src %s\n",
554 ether_sprintf(wh->i_addr2)));
555 IEEE80211_SEND_MGMT(ic, ni,
556 IEEE80211_FC0_SUBTYPE_DISASSOC,
557 IEEE80211_REASON_NOT_ASSOCED);
558 ic->ic_stats.is_rx_notassoc++;
559 goto err;
560 }
561 break;
562 #endif /* IEEE80211_STA_ONLY */
563 default:
564 /* can't get there */
565 goto out;
566 }
567
568 /* Do not process "no data" frames any further. */
569 if (subtype & IEEE80211_FC0_SUBTYPE_NODATA) {
570 #if NBPFILTER > 0
571 if (ic->ic_rawbpf)
572 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN);
573 #endif
574 goto out;
575 }
576
577 if ((ic->ic_flags & IEEE80211_F_WEPON) ||
578 ((ic->ic_flags & IEEE80211_F_RSNON) &&
579 (ni->ni_flags & IEEE80211_NODE_RXPROT))) {
580 /* protection is on for Rx */
581 if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) {
582 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) {
583 /* drop unencrypted */
584 ic->ic_stats.is_rx_unencrypted++;
585 goto err;
586 }
587 /* do software decryption */
588 m = ieee80211_decrypt(ic, m, ni);
589 if (m == NULL) {
590 ic->ic_stats.is_rx_wepfail++;
591 goto err;
592 }
593 } else {
594 m = ieee80211_input_hwdecrypt(ic, ni, m, rxi);
595 if (m == NULL)
596 goto err;
597 }
598 wh = mtod(m, struct ieee80211_frame *);
599 } else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) ||
600 (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) {
601 /* frame encrypted but protection off for Rx */
602 ic->ic_stats.is_rx_nowep++;
603 goto out;
604 }
605
606 #if NBPFILTER > 0
607 /* copy to listener after decrypt */
608 if (ic->ic_rawbpf)
609 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN);
610 #endif
611
612 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
613 hasqos && (qos & IEEE80211_QOS_AMSDU))
614 ieee80211_amsdu_decap(ic, m, ni, hdrlen, ml);
615 else
616 ieee80211_decap(ic, m, ni, hdrlen, ml);
617 return;
618
619 case IEEE80211_FC0_TYPE_MGT:
620 if (dir != IEEE80211_FC1_DIR_NODS) {
621 ic->ic_stats.is_rx_wrongdir++;
622 goto err;
623 }
624 #ifndef IEEE80211_STA_ONLY
625 if (ic->ic_opmode == IEEE80211_M_AHDEMO) {
626 ic->ic_stats.is_rx_ahdemo_mgt++;
627 goto out;
628 }
629 #endif
630 /* drop frames without interest */
631 if (ic->ic_state == IEEE80211_S_SCAN) {
632 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON &&
633 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) {
634 ic->ic_stats.is_rx_mgtdiscard++;
635 goto out;
636 }
637 }
638
639 if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) {
640 /* MMPDU protection is on for Rx */
641 if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC ||
642 subtype == IEEE80211_FC0_SUBTYPE_DEAUTH ||
643 subtype == IEEE80211_FC0_SUBTYPE_ACTION) {
644 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
645 !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) {
646 /* unicast mgmt not encrypted */
647 goto out;
648 }
649 /* do software decryption */
650 m = ieee80211_decrypt(ic, m, ni);
651 if (m == NULL) {
652 /* XXX stats */
653 goto out;
654 }
655 wh = mtod(m, struct ieee80211_frame *);
656 }
657 } else if ((ic->ic_flags & IEEE80211_F_RSNON) &&
658 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) {
659 /* encrypted but MMPDU Rx protection off for TA */
660 goto out;
661 }
662
663 #if NBPFILTER > 0
664 if (bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN) != 0) {
665 /*
666 * Drop mbuf if it was filtered by bpf. Normally,
667 * this is done in ether_input() but IEEE 802.11
668 * management frames are a special case.
669 */
670 m_freem(m);
671 return;
672 }
673 #endif
674 (*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype);
675 m_freem(m);
676 return;
677
678 case IEEE80211_FC0_TYPE_CTL:
679 switch (subtype) {
680 #ifndef IEEE80211_STA_ONLY
681 case IEEE80211_FC0_SUBTYPE_PS_POLL:
682 ieee80211_recv_pspoll(ic, m, ni);
683 break;
684 #endif
685 case IEEE80211_FC0_SUBTYPE_BAR:
686 ieee80211_recv_bar(ic, m, ni);
687 break;
688 default:
689 ic->ic_stats.is_rx_ctl++;
690 break;
691 }
692 goto out;
693
694 default:
695 DPRINTF(("bad frame type %x\n", type));
696 /* should not come here */
697 break;
698 }
699 err:
700 ifp->if_ierrors++;
701 out:
702 if (m != NULL) {
703 #if NBPFILTER > 0
704 if (ic->ic_rawbpf)
705 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN);
706 #endif
707 m_freem(m);
708 }
709 }
710
711 /* Input handler for drivers which only receive one frame per interrupt. */
712 void
ieee80211_input(struct ifnet * ifp,struct mbuf * m,struct ieee80211_node * ni,struct ieee80211_rxinfo * rxi)713 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni,
714 struct ieee80211_rxinfo *rxi)
715 {
716 struct mbuf_list ml = MBUF_LIST_INITIALIZER();
717
718 ieee80211_inputm(ifp, m, ni, rxi, &ml);
719 if_input(ifp, &ml);
720 }
721
722 #ifdef notyet
723 /*
724 * Handle defragmentation (see 9.5 and Annex C). We support the concurrent
725 * reception of fragments of three fragmented MSDUs or MMPDUs.
726 */
727 struct mbuf *
ieee80211_defrag(struct ieee80211com * ic,struct mbuf * m,int hdrlen)728 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen)
729 {
730 const struct ieee80211_frame *owh, *wh;
731 struct ieee80211_defrag *df;
732 u_int16_t rxseq, seq;
733 u_int8_t frag;
734 int i;
735
736 wh = mtod(m, struct ieee80211_frame *);
737 rxseq = letoh16(*(const u_int16_t *)wh->i_seq);
738 seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT;
739 frag = rxseq & IEEE80211_SEQ_FRAG_MASK;
740
741 if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG))
742 return m; /* not fragmented */
743
744 if (frag == 0) {
745 /* first fragment, setup entry in the fragment cache */
746 if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE)
747 ic->ic_defrag_cur = 0;
748 df = &ic->ic_defrag[ic->ic_defrag_cur];
749 m_freem(df->df_m); /* discard old entry */
750 df->df_seq = seq;
751 df->df_frag = 0;
752 df->df_m = m;
753 /* start receive MSDU timer of aMaxReceiveLifetime */
754 timeout_add_sec(&df->df_to, 1);
755 return NULL; /* MSDU or MMPDU not yet complete */
756 }
757
758 /* find matching entry in the fragment cache */
759 for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) {
760 df = &ic->ic_defrag[i];
761 if (df->df_m == NULL)
762 continue;
763 if (df->df_seq != seq || df->df_frag + 1 != frag)
764 continue;
765 owh = mtod(df->df_m, struct ieee80211_frame *);
766 /* frame type, source and destination must match */
767 if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) ||
768 !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) ||
769 !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2))
770 continue;
771 /* matching entry found */
772 break;
773 }
774 if (i == IEEE80211_DEFRAG_SIZE) {
775 /* no matching entry found, discard fragment */
776 ic->ic_if.if_ierrors++;
777 m_freem(m);
778 return NULL;
779 }
780
781 df->df_frag = frag;
782 /* strip 802.11 header and concatenate fragment */
783 m_adj(m, hdrlen);
784 m_cat(df->df_m, m);
785 df->df_m->m_pkthdr.len += m->m_pkthdr.len;
786
787 if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)
788 return NULL; /* MSDU or MMPDU not yet complete */
789
790 /* MSDU or MMPDU complete */
791 timeout_del(&df->df_to);
792 m = df->df_m;
793 df->df_m = NULL;
794 return m;
795 }
796
797 /*
798 * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime.
799 */
800 void
ieee80211_defrag_timeout(void * arg)801 ieee80211_defrag_timeout(void *arg)
802 {
803 struct ieee80211_defrag *df = arg;
804 int s = splnet();
805
806 /* discard all received fragments */
807 m_freem(df->df_m);
808 df->df_m = NULL;
809
810 splx(s);
811 }
812 #endif
813
814 /*
815 * Process a received data MPDU related to a specific HT-immediate Block Ack
816 * agreement (see 9.10.7.6).
817 */
818 void
ieee80211_input_ba(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni,int tid,struct ieee80211_rxinfo * rxi,struct mbuf_list * ml)819 ieee80211_input_ba(struct ieee80211com *ic, struct mbuf *m,
820 struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi,
821 struct mbuf_list *ml)
822 {
823 struct ifnet *ifp = &ic->ic_if;
824 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
825 struct ieee80211_frame *wh;
826 int idx, count;
827 u_int16_t sn;
828
829 wh = mtod(m, struct ieee80211_frame *);
830 sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT;
831
832 /* reset Block Ack inactivity timer */
833 if (ba->ba_timeout_val != 0)
834 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val);
835
836 if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */
837 ic->ic_stats.is_ht_rx_frame_below_ba_winstart++;
838 m_freem(m); /* discard the MPDU */
839 return;
840 }
841 if (SEQ_LT(ba->ba_winend, sn)) { /* WinEndB < SN */
842 ic->ic_stats.is_ht_rx_frame_above_ba_winend++;
843 count = (sn - ba->ba_winend) & 0xfff;
844 if (count > ba->ba_winsize) {
845 /*
846 * Check whether we're consistently behind the window,
847 * and let the window move forward if necessary.
848 */
849 if (ba->ba_winmiss < IEEE80211_BA_MAX_WINMISS) {
850 if (ba->ba_missedsn == ((sn - 1) & 0xfff))
851 ba->ba_winmiss++;
852 else
853 ba->ba_winmiss = 0;
854 ba->ba_missedsn = sn;
855 ifp->if_ierrors++;
856 m_freem(m); /* discard the MPDU */
857 return;
858 }
859
860 /* It appears the window has moved for real. */
861 ic->ic_stats.is_ht_rx_ba_window_jump++;
862 ba->ba_winmiss = 0;
863 ba->ba_missedsn = 0;
864 ieee80211_ba_move_window(ic, ni, tid, sn, ml);
865 } else {
866 ic->ic_stats.is_ht_rx_ba_window_slide++;
867 ieee80211_input_ba_seq(ic, ni, tid,
868 (ba->ba_winstart + count) & 0xfff, ml);
869 ieee80211_input_ba_flush(ic, ni, ba, ml);
870 }
871 }
872 /* WinStartB <= SN <= WinEndB */
873
874 ba->ba_winmiss = 0;
875 ba->ba_missedsn = 0;
876 idx = (sn - ba->ba_winstart) & 0xfff;
877 idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ;
878 /* store the received MPDU in the buffer */
879 if (ba->ba_buf[idx].m != NULL) {
880 ifp->if_ierrors++;
881 ic->ic_stats.is_ht_rx_ba_no_buf++;
882 m_freem(m);
883 return;
884 }
885 ba->ba_buf[idx].m = m;
886 /* store Rx meta-data too */
887 rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE;
888 ba->ba_buf[idx].rxi = *rxi;
889 ba->ba_gapwait++;
890
891 if (ba->ba_buf[ba->ba_head].m == NULL && ba->ba_gapwait == 1)
892 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT);
893
894 ieee80211_input_ba_flush(ic, ni, ba, ml);
895 }
896
897 /*
898 * Forward buffered frames with sequence number lower than max_seq.
899 * See 802.11-2012 9.21.7.6.2 b.
900 */
901 void
ieee80211_input_ba_seq(struct ieee80211com * ic,struct ieee80211_node * ni,uint8_t tid,uint16_t max_seq,struct mbuf_list * ml)902 ieee80211_input_ba_seq(struct ieee80211com *ic, struct ieee80211_node *ni,
903 uint8_t tid, uint16_t max_seq, struct mbuf_list *ml)
904 {
905 struct ifnet *ifp = &ic->ic_if;
906 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
907 struct ieee80211_frame *wh;
908 uint16_t seq;
909 int i = 0;
910
911 while (i++ < ba->ba_winsize) {
912 /* gaps may exist */
913 if (ba->ba_buf[ba->ba_head].m != NULL) {
914 wh = mtod(ba->ba_buf[ba->ba_head].m,
915 struct ieee80211_frame *);
916 KASSERT(ieee80211_has_seq(wh));
917 seq = letoh16(*(u_int16_t *)wh->i_seq) >>
918 IEEE80211_SEQ_SEQ_SHIFT;
919 if (!SEQ_LT(seq, max_seq))
920 break;
921 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m,
922 ni, &ba->ba_buf[ba->ba_head].rxi, ml);
923 ba->ba_buf[ba->ba_head].m = NULL;
924 ba->ba_gapwait--;
925 } else
926 ic->ic_stats.is_ht_rx_ba_frame_lost++;
927 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ;
928 /* move window forward */
929 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff;
930 }
931 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff;
932 }
933
934 /* Flush a consecutive sequence of frames from the reorder buffer. */
935 void
ieee80211_input_ba_flush(struct ieee80211com * ic,struct ieee80211_node * ni,struct ieee80211_rx_ba * ba,struct mbuf_list * ml)936 ieee80211_input_ba_flush(struct ieee80211com *ic, struct ieee80211_node *ni,
937 struct ieee80211_rx_ba *ba, struct mbuf_list *ml)
938
939 {
940 struct ifnet *ifp = &ic->ic_if;
941
942 /* Do not re-arm the gap timeout if we made no progress. */
943 if (ba->ba_buf[ba->ba_head].m == NULL)
944 return;
945
946 /* pass reordered MPDUs up to the next MAC process */
947 while (ba->ba_buf[ba->ba_head].m != NULL) {
948 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni,
949 &ba->ba_buf[ba->ba_head].rxi, ml);
950 ba->ba_buf[ba->ba_head].m = NULL;
951 ba->ba_gapwait--;
952
953 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ;
954 /* move window forward */
955 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff;
956 }
957 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff;
958
959 if (timeout_pending(&ba->ba_gap_to))
960 timeout_del(&ba->ba_gap_to);
961 if (ba->ba_gapwait)
962 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT);
963 }
964
965 /*
966 * Forcibly move the BA window forward to remove a leading gap which has
967 * been causing frames to linger in the reordering buffer for too long.
968 * A leading gap will occur if a particular A-MPDU subframe never arrives
969 * or if a bug in the sender causes sequence numbers to jump forward by > 1.
970 */
971 int
ieee80211_input_ba_gap_skip(struct ieee80211_rx_ba * ba)972 ieee80211_input_ba_gap_skip(struct ieee80211_rx_ba *ba)
973 {
974 int skipped = 0;
975
976 while (skipped < ba->ba_winsize && ba->ba_buf[ba->ba_head].m == NULL) {
977 /* move window forward */
978 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ;
979 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff;
980 skipped++;
981 }
982 if (skipped > 0)
983 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff;
984
985 return skipped;
986 }
987
988 void
ieee80211_input_ba_gap_timeout(void * arg)989 ieee80211_input_ba_gap_timeout(void *arg)
990 {
991 struct ieee80211_rx_ba *ba = arg;
992 struct ieee80211_node *ni = ba->ba_ni;
993 struct ieee80211com *ic = ni->ni_ic;
994 int s, skipped;
995
996 ic->ic_stats.is_ht_rx_ba_window_gap_timeout++;
997
998 s = splnet();
999
1000 skipped = ieee80211_input_ba_gap_skip(ba);
1001 ic->ic_stats.is_ht_rx_ba_frame_lost += skipped;
1002 if (skipped) {
1003 struct mbuf_list ml = MBUF_LIST_INITIALIZER();
1004 ieee80211_input_ba_flush(ic, ni, ba, &ml);
1005 if_input(&ic->ic_if, &ml);
1006 }
1007
1008 splx(s);
1009 }
1010
1011
1012 /*
1013 * Change the value of WinStartB (move window forward) upon reception of a
1014 * BlockAckReq frame or an ADDBA Request (PBAC).
1015 */
1016 void
ieee80211_ba_move_window(struct ieee80211com * ic,struct ieee80211_node * ni,u_int8_t tid,u_int16_t ssn,struct mbuf_list * ml)1017 ieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni,
1018 u_int8_t tid, u_int16_t ssn, struct mbuf_list *ml)
1019 {
1020 struct ifnet *ifp = &ic->ic_if;
1021 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
1022 int count;
1023
1024 /* assert(WinStartB <= SSN) */
1025
1026 count = (ssn - ba->ba_winstart) & 0xfff;
1027 if (count > ba->ba_winsize) /* no overlap */
1028 count = ba->ba_winsize;
1029 while (count-- > 0) {
1030 /* gaps may exist */
1031 if (ba->ba_buf[ba->ba_head].m != NULL) {
1032 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni,
1033 &ba->ba_buf[ba->ba_head].rxi, ml);
1034 ba->ba_buf[ba->ba_head].m = NULL;
1035 ba->ba_gapwait--;
1036 } else
1037 ic->ic_stats.is_ht_rx_ba_frame_lost++;
1038 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ;
1039 }
1040 /* move window forward */
1041 ba->ba_winstart = ssn;
1042 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff;
1043
1044 ieee80211_input_ba_flush(ic, ni, ba, ml);
1045 }
1046
1047 void
ieee80211_enqueue_data(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni,int mcast,struct mbuf_list * ml)1048 ieee80211_enqueue_data(struct ieee80211com *ic, struct mbuf *m,
1049 struct ieee80211_node *ni, int mcast, struct mbuf_list *ml)
1050 {
1051 struct ifnet *ifp = &ic->ic_if;
1052 struct ether_header *eh;
1053 struct mbuf *m1;
1054
1055 eh = mtod(m, struct ether_header *);
1056
1057 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid &&
1058 eh->ether_type != htons(ETHERTYPE_EAPOL)) {
1059 DPRINTF(("port not valid: %s\n",
1060 ether_sprintf(eh->ether_dhost)));
1061 ic->ic_stats.is_rx_unauth++;
1062 m_freem(m);
1063 return;
1064 }
1065
1066 /*
1067 * Perform as a bridge within the AP. Notice that we do not
1068 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X.
1069 * And we do not forward unicast frames received on a multicast address.
1070 */
1071 m1 = NULL;
1072 #ifndef IEEE80211_STA_ONLY
1073 if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
1074 !(ic->ic_userflags & IEEE80211_F_NOBRIDGE) &&
1075 eh->ether_type != htons(ETHERTYPE_EAPOL)) {
1076 struct ieee80211_node *ni1;
1077
1078 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
1079 m1 = m_dup_pkt(m, ETHER_ALIGN, M_DONTWAIT);
1080 if (m1 == NULL)
1081 ifp->if_oerrors++;
1082 else
1083 m1->m_flags |= M_MCAST;
1084 } else if (!mcast) {
1085 ni1 = ieee80211_find_node(ic, eh->ether_dhost);
1086 if (ni1 != NULL &&
1087 ni1->ni_state == IEEE80211_STA_ASSOC) {
1088 m1 = m;
1089 m = NULL;
1090 }
1091 }
1092 if (m1 != NULL) {
1093 if (if_enqueue(ifp, m1))
1094 ifp->if_oerrors++;
1095 }
1096 }
1097 #endif
1098 if (m != NULL) {
1099 if ((ic->ic_flags & IEEE80211_F_RSNON) &&
1100 eh->ether_type == htons(ETHERTYPE_EAPOL)) {
1101 ifp->if_ipackets++;
1102 #if NBPFILTER > 0
1103 /*
1104 * If we forward frame into transmitter of the AP,
1105 * we don't need to duplicate for DLT_EN10MB.
1106 */
1107 if (ifp->if_bpf && m1 == NULL)
1108 bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN);
1109 #endif
1110 ieee80211_eapol_key_input(ic, m, ni);
1111 } else {
1112 ml_enqueue(ml, m);
1113 }
1114 }
1115 }
1116
1117 void
ieee80211_decap(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni,int hdrlen,struct mbuf_list * ml)1118 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m,
1119 struct ieee80211_node *ni, int hdrlen, struct mbuf_list *ml)
1120 {
1121 struct ether_header eh;
1122 struct ieee80211_frame *wh;
1123 struct llc *llc;
1124 int mcast;
1125
1126 if (m->m_len < hdrlen + LLC_SNAPFRAMELEN &&
1127 (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) {
1128 ic->ic_stats.is_rx_decap++;
1129 return;
1130 }
1131 wh = mtod(m, struct ieee80211_frame *);
1132 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1);
1133 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
1134 case IEEE80211_FC1_DIR_NODS:
1135 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1);
1136 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2);
1137 break;
1138 case IEEE80211_FC1_DIR_TODS:
1139 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3);
1140 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2);
1141 break;
1142 case IEEE80211_FC1_DIR_FROMDS:
1143 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1);
1144 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr3);
1145 break;
1146 case IEEE80211_FC1_DIR_DSTODS:
1147 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3);
1148 IEEE80211_ADDR_COPY(eh.ether_shost,
1149 ((struct ieee80211_frame_addr4 *)wh)->i_addr4);
1150 break;
1151 }
1152 llc = (struct llc *)((caddr_t)wh + hdrlen);
1153 if (llc->llc_dsap == LLC_SNAP_LSAP &&
1154 llc->llc_ssap == LLC_SNAP_LSAP &&
1155 llc->llc_control == LLC_UI &&
1156 llc->llc_snap.org_code[0] == 0 &&
1157 llc->llc_snap.org_code[1] == 0 &&
1158 llc->llc_snap.org_code[2] == 0) {
1159 eh.ether_type = llc->llc_snap.ether_type;
1160 m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN);
1161 } else {
1162 eh.ether_type = htons(m->m_pkthdr.len - hdrlen);
1163 m_adj(m, hdrlen - ETHER_HDR_LEN);
1164 }
1165 memcpy(mtod(m, caddr_t), &eh, ETHER_HDR_LEN);
1166 if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) {
1167 struct mbuf *m0 = m;
1168 m = m_dup_pkt(m0, ETHER_ALIGN, M_NOWAIT);
1169 m_freem(m0);
1170 if (m == NULL) {
1171 ic->ic_stats.is_rx_decap++;
1172 return;
1173 }
1174 }
1175 ieee80211_enqueue_data(ic, m, ni, mcast, ml);
1176 }
1177
1178 int
ieee80211_amsdu_decap_validate(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni)1179 ieee80211_amsdu_decap_validate(struct ieee80211com *ic, struct mbuf *m,
1180 struct ieee80211_node *ni)
1181 {
1182 struct ether_header *eh = mtod(m, struct ether_header *);
1183 const uint8_t llc_hdr_mac[ETHER_ADDR_LEN] = {
1184 /* MAC address matching the 802.2 LLC header. */
1185 LLC_SNAP_LSAP, LLC_SNAP_LSAP, LLC_UI, 0, 0, 0
1186 };
1187
1188 /*
1189 * We are sorry, but this particular MAC address cannot be used.
1190 * This mitigates an attack where a single 802.11 frame is interpreted
1191 * as an A-MSDU because of a forged AMSDU-present bit in the 802.11
1192 * QoS frame header: https://papers.mathyvanhoef.com/usenix2021.pdf
1193 * See Section 7.2, 'Countermeasures for the design flaws'
1194 */
1195 if (ETHER_IS_EQ(eh->ether_dhost, llc_hdr_mac))
1196 return 1;
1197
1198 switch (ic->ic_opmode) {
1199 #ifndef IEEE80211_STA_ONLY
1200 case IEEE80211_M_HOSTAP:
1201 /*
1202 * Subframes must use the source address of the node which
1203 * transmitted the A-MSDU. Prevents MAC spoofing.
1204 */
1205 if (!ETHER_IS_EQ(ni->ni_macaddr, eh->ether_shost))
1206 return 1;
1207 break;
1208 #endif
1209 case IEEE80211_M_STA:
1210 /* Subframes must be addressed to me. */
1211 if (!ETHER_IS_EQ(ic->ic_myaddr, eh->ether_dhost))
1212 return 1;
1213 break;
1214 default:
1215 /* Ignore MONITOR/IBSS modes for now. */
1216 break;
1217 }
1218
1219 return 0;
1220 }
1221
1222 /*
1223 * Decapsulate an Aggregate MSDU (see 7.2.2.2).
1224 */
1225 void
ieee80211_amsdu_decap(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni,int hdrlen,struct mbuf_list * ml)1226 ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m,
1227 struct ieee80211_node *ni, int hdrlen, struct mbuf_list *ml)
1228 {
1229 struct mbuf *n;
1230 struct ether_header *eh;
1231 struct llc *llc;
1232 int len, pad, mcast;
1233 struct ieee80211_frame *wh;
1234 struct mbuf_list subframes = MBUF_LIST_INITIALIZER();
1235
1236 wh = mtod(m, struct ieee80211_frame *);
1237 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1);
1238
1239 /* strip 802.11 header */
1240 m_adj(m, hdrlen);
1241
1242 while (m->m_pkthdr.len >= ETHER_HDR_LEN + LLC_SNAPFRAMELEN) {
1243 /* process an A-MSDU subframe */
1244 m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN);
1245 if (m == NULL)
1246 break;
1247 eh = mtod(m, struct ether_header *);
1248 /* examine 802.3 header */
1249 len = ntohs(eh->ether_type);
1250 if (len < LLC_SNAPFRAMELEN) {
1251 DPRINTF(("A-MSDU subframe too short (%d)\n", len));
1252 /* stop processing A-MSDU subframes */
1253 ic->ic_stats.is_rx_decap++;
1254 ml_purge(&subframes);
1255 m_freem(m);
1256 return;
1257 }
1258 llc = (struct llc *)&eh[1];
1259 /* Examine the 802.2 LLC header after the A-MSDU header. */
1260 if (llc->llc_dsap == LLC_SNAP_LSAP &&
1261 llc->llc_ssap == LLC_SNAP_LSAP &&
1262 llc->llc_control == LLC_UI &&
1263 llc->llc_snap.org_code[0] == 0 &&
1264 llc->llc_snap.org_code[1] == 0 &&
1265 llc->llc_snap.org_code[2] == 0) {
1266 /* convert to Ethernet II header */
1267 eh->ether_type = llc->llc_snap.ether_type;
1268 /* strip LLC+SNAP headers */
1269 memmove((u_int8_t *)eh + LLC_SNAPFRAMELEN, eh,
1270 ETHER_HDR_LEN);
1271 m_adj(m, LLC_SNAPFRAMELEN);
1272 len -= LLC_SNAPFRAMELEN;
1273 }
1274 len += ETHER_HDR_LEN;
1275 if (len > m->m_pkthdr.len) {
1276 /* stop processing A-MSDU subframes */
1277 DPRINTF(("A-MSDU subframe too long (%d)\n", len));
1278 ic->ic_stats.is_rx_decap++;
1279 ml_purge(&subframes);
1280 m_freem(m);
1281 return;
1282 }
1283
1284 /* "detach" our A-MSDU subframe from the others */
1285 n = m_split(m, len, M_NOWAIT);
1286 if (n == NULL) {
1287 /* stop processing A-MSDU subframes */
1288 ic->ic_stats.is_rx_decap++;
1289 ml_purge(&subframes);
1290 m_freem(m);
1291 return;
1292 }
1293
1294 if (ieee80211_amsdu_decap_validate(ic, m, ni)) {
1295 /* stop processing A-MSDU subframes */
1296 ic->ic_stats.is_rx_decap++;
1297 ml_purge(&subframes);
1298 m_freem(m);
1299 return;
1300 }
1301
1302 ml_enqueue(&subframes, m);
1303
1304 m = n;
1305 /* remove padding */
1306 pad = ((len + 3) & ~3) - len;
1307 m_adj(m, pad);
1308 }
1309
1310 while ((n = ml_dequeue(&subframes)) != NULL)
1311 ieee80211_enqueue_data(ic, n, ni, mcast, ml);
1312
1313 m_freem(m);
1314 }
1315
1316 /*
1317 * Parse an EDCA Parameter Set element (see 7.3.2.27).
1318 */
1319 int
ieee80211_parse_edca_params_body(struct ieee80211com * ic,const u_int8_t * frm)1320 ieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm)
1321 {
1322 u_int updtcount;
1323 int aci;
1324
1325 /*
1326 * Check if EDCA parameters have changed XXX if we miss more than
1327 * 15 consecutive beacons, we might not detect changes to EDCA
1328 * parameters due to wraparound of the 4-bit Update Count field.
1329 */
1330 updtcount = frm[0] & 0xf;
1331 if (updtcount == ic->ic_edca_updtcount)
1332 return 0; /* no changes to EDCA parameters, ignore */
1333 ic->ic_edca_updtcount = updtcount;
1334
1335 frm += 2; /* skip QoS Info & Reserved fields */
1336
1337 /* parse AC Parameter Records */
1338 for (aci = 0; aci < EDCA_NUM_AC; aci++) {
1339 struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci];
1340
1341 ac->ac_acm = (frm[0] >> 4) & 0x1;
1342 ac->ac_aifsn = frm[0] & 0xf;
1343 ac->ac_ecwmin = frm[1] & 0xf;
1344 ac->ac_ecwmax = frm[1] >> 4;
1345 ac->ac_txoplimit = LE_READ_2(frm + 2);
1346 frm += 4;
1347 }
1348 /* give drivers a chance to update their settings */
1349 if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL)
1350 (*ic->ic_updateedca)(ic);
1351
1352 return 0;
1353 }
1354
1355 int
ieee80211_parse_edca_params(struct ieee80211com * ic,const u_int8_t * frm)1356 ieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm)
1357 {
1358 if (frm[1] < 18) {
1359 ic->ic_stats.is_rx_elem_toosmall++;
1360 return IEEE80211_REASON_IE_INVALID;
1361 }
1362 return ieee80211_parse_edca_params_body(ic, frm + 2);
1363 }
1364
1365 int
ieee80211_parse_wmm_params(struct ieee80211com * ic,const u_int8_t * frm)1366 ieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm)
1367 {
1368 if (frm[1] < 24) {
1369 ic->ic_stats.is_rx_elem_toosmall++;
1370 return IEEE80211_REASON_IE_INVALID;
1371 }
1372 return ieee80211_parse_edca_params_body(ic, frm + 8);
1373 }
1374
1375 enum ieee80211_cipher
ieee80211_parse_rsn_cipher(const u_int8_t selector[4])1376 ieee80211_parse_rsn_cipher(const u_int8_t selector[4])
1377 {
1378 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */
1379 switch (selector[3]) {
1380 case 0: /* use group data cipher suite */
1381 return IEEE80211_CIPHER_USEGROUP;
1382 case 1: /* WEP-40 */
1383 return IEEE80211_CIPHER_WEP40;
1384 case 2: /* TKIP */
1385 return IEEE80211_CIPHER_TKIP;
1386 case 4: /* CCMP (RSNA default) */
1387 return IEEE80211_CIPHER_CCMP;
1388 case 5: /* WEP-104 */
1389 return IEEE80211_CIPHER_WEP104;
1390 }
1391 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */
1392 /* see 802.11-2012 Table 8-99 */
1393 switch (selector[3]) {
1394 case 0: /* use group data cipher suite */
1395 return IEEE80211_CIPHER_USEGROUP;
1396 case 1: /* WEP-40 */
1397 return IEEE80211_CIPHER_WEP40;
1398 case 2: /* TKIP */
1399 return IEEE80211_CIPHER_TKIP;
1400 case 4: /* CCMP (RSNA default) */
1401 return IEEE80211_CIPHER_CCMP;
1402 case 5: /* WEP-104 */
1403 return IEEE80211_CIPHER_WEP104;
1404 case 6: /* BIP */
1405 return IEEE80211_CIPHER_BIP;
1406 }
1407 }
1408 return IEEE80211_CIPHER_NONE; /* ignore unknown ciphers */
1409 }
1410
1411 enum ieee80211_akm
ieee80211_parse_rsn_akm(const u_int8_t selector[4])1412 ieee80211_parse_rsn_akm(const u_int8_t selector[4])
1413 {
1414 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */
1415 switch (selector[3]) {
1416 case 1: /* IEEE 802.1X (RSNA default) */
1417 return IEEE80211_AKM_8021X;
1418 case 2: /* PSK */
1419 return IEEE80211_AKM_PSK;
1420 }
1421 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */
1422 /* from IEEE Std 802.11i-2004 - Table 20dc */
1423 switch (selector[3]) {
1424 case 1: /* IEEE 802.1X (RSNA default) */
1425 return IEEE80211_AKM_8021X;
1426 case 2: /* PSK */
1427 return IEEE80211_AKM_PSK;
1428 case 5: /* IEEE 802.1X with SHA256 KDF */
1429 return IEEE80211_AKM_SHA256_8021X;
1430 case 6: /* PSK with SHA256 KDF */
1431 return IEEE80211_AKM_SHA256_PSK;
1432 }
1433 }
1434 return IEEE80211_AKM_NONE; /* ignore unknown AKMs */
1435 }
1436
1437 /*
1438 * Parse an RSN element (see 802.11-2012 8.4.2.27)
1439 */
1440 int
ieee80211_parse_rsn_body(struct ieee80211com * ic,const u_int8_t * frm,u_int len,struct ieee80211_rsnparams * rsn)1441 ieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm,
1442 u_int len, struct ieee80211_rsnparams *rsn)
1443 {
1444 const u_int8_t *efrm;
1445 u_int16_t m, n, s;
1446
1447 efrm = frm + len;
1448
1449 /* check Version field */
1450 if (LE_READ_2(frm) != 1)
1451 return IEEE80211_STATUS_RSN_IE_VER_UNSUP;
1452 frm += 2;
1453
1454 /* all fields after the Version field are optional */
1455
1456 /* if Cipher Suite missing, default to CCMP */
1457 rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP;
1458 rsn->rsn_nciphers = 1;
1459 rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP;
1460 /* if Group Management Cipher Suite missing, default to BIP */
1461 rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP;
1462 /* if AKM Suite missing, default to 802.1X */
1463 rsn->rsn_nakms = 1;
1464 rsn->rsn_akms = IEEE80211_AKM_8021X;
1465 /* if RSN capabilities missing, default to 0 */
1466 rsn->rsn_caps = 0;
1467 rsn->rsn_npmkids = 0;
1468
1469 /* read Group Data Cipher Suite field */
1470 if (frm + 4 > efrm)
1471 return 0;
1472 rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm);
1473 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_NONE ||
1474 rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP ||
1475 rsn->rsn_groupcipher == IEEE80211_CIPHER_BIP)
1476 return IEEE80211_STATUS_BAD_GROUP_CIPHER;
1477 frm += 4;
1478
1479 /* read Pairwise Cipher Suite Count field */
1480 if (frm + 2 > efrm)
1481 return 0;
1482 m = rsn->rsn_nciphers = LE_READ_2(frm);
1483 frm += 2;
1484
1485 /* read Pairwise Cipher Suite List */
1486 if (frm + m * 4 > efrm)
1487 return IEEE80211_STATUS_IE_INVALID;
1488 rsn->rsn_ciphers = IEEE80211_CIPHER_NONE;
1489 while (m-- > 0) {
1490 rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm);
1491 frm += 4;
1492 }
1493 if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) {
1494 if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP)
1495 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER;
1496 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP)
1497 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER;
1498 }
1499
1500 /* read AKM Suite List Count field */
1501 if (frm + 2 > efrm)
1502 return 0;
1503 n = rsn->rsn_nakms = LE_READ_2(frm);
1504 frm += 2;
1505
1506 /* read AKM Suite List */
1507 if (frm + n * 4 > efrm)
1508 return IEEE80211_STATUS_IE_INVALID;
1509 rsn->rsn_akms = IEEE80211_AKM_NONE;
1510 while (n-- > 0) {
1511 rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm);
1512 frm += 4;
1513 }
1514
1515 /* read RSN Capabilities field */
1516 if (frm + 2 > efrm)
1517 return 0;
1518 rsn->rsn_caps = LE_READ_2(frm);
1519 frm += 2;
1520
1521 /* read PMKID Count field */
1522 if (frm + 2 > efrm)
1523 return 0;
1524 s = rsn->rsn_npmkids = LE_READ_2(frm);
1525 frm += 2;
1526
1527 /* read PMKID List */
1528 if (frm + s * IEEE80211_PMKID_LEN > efrm)
1529 return IEEE80211_STATUS_IE_INVALID;
1530 if (s != 0) {
1531 rsn->rsn_pmkids = frm;
1532 frm += s * IEEE80211_PMKID_LEN;
1533 }
1534
1535 /* read Group Management Cipher Suite field */
1536 if (frm + 4 > efrm)
1537 return 0;
1538 rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm);
1539 if (rsn->rsn_groupmgmtcipher != IEEE80211_CIPHER_BIP)
1540 return IEEE80211_STATUS_BAD_GROUP_CIPHER;
1541
1542 return IEEE80211_STATUS_SUCCESS;
1543 }
1544
1545 int
ieee80211_parse_rsn(struct ieee80211com * ic,const u_int8_t * frm,struct ieee80211_rsnparams * rsn)1546 ieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm,
1547 struct ieee80211_rsnparams *rsn)
1548 {
1549 if (frm[1] < 2) {
1550 ic->ic_stats.is_rx_elem_toosmall++;
1551 return IEEE80211_STATUS_IE_INVALID;
1552 }
1553 return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn);
1554 }
1555
1556 int
ieee80211_parse_wpa(struct ieee80211com * ic,const u_int8_t * frm,struct ieee80211_rsnparams * rsn)1557 ieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm,
1558 struct ieee80211_rsnparams *rsn)
1559 {
1560 if (frm[1] < 6) {
1561 ic->ic_stats.is_rx_elem_toosmall++;
1562 return IEEE80211_STATUS_IE_INVALID;
1563 }
1564 return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn);
1565 }
1566
1567 /*
1568 * Create (or update) a copy of an information element.
1569 */
1570 int
ieee80211_save_ie(const u_int8_t * frm,u_int8_t ** ie)1571 ieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie)
1572 {
1573 int olen = *ie ? 2 + (*ie)[1] : 0;
1574 int len = 2 + frm[1];
1575
1576 if (*ie == NULL || olen != len) {
1577 if (*ie != NULL)
1578 free(*ie, M_DEVBUF, olen);
1579 *ie = malloc(len, M_DEVBUF, M_NOWAIT);
1580 if (*ie == NULL)
1581 return ENOMEM;
1582 }
1583 memcpy(*ie, frm, len);
1584 return 0;
1585 }
1586
1587 /*-
1588 * Beacon/Probe response frame format:
1589 * [8] Timestamp
1590 * [2] Beacon interval
1591 * [2] Capability
1592 * [tlv] Service Set Identifier (SSID)
1593 * [tlv] Supported rates
1594 * [tlv] DS Parameter Set (802.11g)
1595 * [tlv] ERP Information (802.11g)
1596 * [tlv] Extended Supported Rates (802.11g)
1597 * [tlv] RSN (802.11i)
1598 * [tlv] EDCA Parameter Set (802.11e)
1599 * [tlv] QoS Capability (Beacon only, 802.11e)
1600 * [tlv] HT Capabilities (802.11n)
1601 * [tlv] HT Operation (802.11n)
1602 */
1603 void
ieee80211_recv_probe_resp(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * rni,struct ieee80211_rxinfo * rxi,int isprobe)1604 ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m,
1605 struct ieee80211_node *rni, struct ieee80211_rxinfo *rxi, int isprobe)
1606 {
1607 struct ieee80211_node *ni;
1608 const struct ieee80211_frame *wh;
1609 const u_int8_t *frm, *efrm;
1610 const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie, *tim;
1611 const u_int8_t *rsnie, *wpaie, *htcaps, *htop, *vhtcaps, *vhtop;
1612 u_int16_t capinfo, bintval;
1613 u_int8_t chan, bchan, erp;
1614 int is_new;
1615
1616 /*
1617 * We process beacon/probe response frames for:
1618 * o station mode: to collect state
1619 * updates such as 802.11g slot time and for passive
1620 * scanning of APs
1621 * o adhoc mode: to discover neighbors
1622 * o hostap mode: for passive scanning of neighbor APs
1623 * o when scanning
1624 * In other words, in all modes other than monitor (which
1625 * does not process incoming frames) and adhoc-demo (which
1626 * does not use management frames at all).
1627 */
1628 #ifdef DIAGNOSTIC
1629 if (ic->ic_opmode != IEEE80211_M_STA &&
1630 #ifndef IEEE80211_STA_ONLY
1631 ic->ic_opmode != IEEE80211_M_IBSS &&
1632 ic->ic_opmode != IEEE80211_M_HOSTAP &&
1633 #endif
1634 ic->ic_state != IEEE80211_S_SCAN) {
1635 panic("%s: impossible operating mode", __func__);
1636 }
1637 #endif
1638 /* make sure all mandatory fixed fields are present */
1639 if (m->m_len < sizeof(*wh) + 12) {
1640 DPRINTF(("frame too short\n"));
1641 return;
1642 }
1643 wh = mtod(m, struct ieee80211_frame *);
1644 frm = (const u_int8_t *)&wh[1];
1645 efrm = mtod(m, u_int8_t *) + m->m_len;
1646
1647 tstamp = frm; frm += 8;
1648 bintval = LE_READ_2(frm); frm += 2;
1649 capinfo = LE_READ_2(frm); frm += 2;
1650
1651 ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = tim = NULL;
1652 htcaps = htop = vhtcaps = vhtop = NULL;
1653 if (rxi->rxi_chan)
1654 bchan = rxi->rxi_chan;
1655 else
1656 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan);
1657 chan = bchan;
1658 erp = 0;
1659 while (frm + 2 <= efrm) {
1660 if (frm + 2 + frm[1] > efrm) {
1661 ic->ic_stats.is_rx_elem_toosmall++;
1662 break;
1663 }
1664 switch (frm[0]) {
1665 case IEEE80211_ELEMID_SSID:
1666 ssid = frm;
1667 break;
1668 case IEEE80211_ELEMID_RATES:
1669 rates = frm;
1670 break;
1671 case IEEE80211_ELEMID_DSPARMS:
1672 if (frm[1] < 1) {
1673 ic->ic_stats.is_rx_elem_toosmall++;
1674 break;
1675 }
1676 chan = frm[2];
1677 break;
1678 case IEEE80211_ELEMID_XRATES:
1679 xrates = frm;
1680 break;
1681 case IEEE80211_ELEMID_ERP:
1682 if (frm[1] < 1) {
1683 ic->ic_stats.is_rx_elem_toosmall++;
1684 break;
1685 }
1686 erp = frm[2];
1687 break;
1688 case IEEE80211_ELEMID_RSN:
1689 rsnie = frm;
1690 break;
1691 case IEEE80211_ELEMID_EDCAPARMS:
1692 edcaie = frm;
1693 break;
1694 case IEEE80211_ELEMID_HTCAPS:
1695 htcaps = frm;
1696 break;
1697 case IEEE80211_ELEMID_HTOP:
1698 if (frm[1] < 22) {
1699 ic->ic_stats.is_rx_elem_toosmall++;
1700 break;
1701 }
1702 htop = frm;
1703 chan = frm[2];
1704 break;
1705 case IEEE80211_ELEMID_VHTCAPS:
1706 vhtcaps = frm;
1707 break;
1708 case IEEE80211_ELEMID_VHTOP:
1709 vhtop = frm;
1710 break;
1711 case IEEE80211_ELEMID_TIM:
1712 if (frm[1] < 4) {
1713 ic->ic_stats.is_rx_elem_toosmall++;
1714 break;
1715 }
1716 tim = frm;
1717 break;
1718 case IEEE80211_ELEMID_VENDOR:
1719 if (frm[1] < 4) {
1720 ic->ic_stats.is_rx_elem_toosmall++;
1721 break;
1722 }
1723 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) {
1724 if (frm[5] == 1)
1725 wpaie = frm;
1726 else if (frm[1] >= 5 &&
1727 frm[5] == 2 && frm[6] == 1)
1728 wmmie = frm;
1729 }
1730 break;
1731 }
1732 frm += 2 + frm[1];
1733 }
1734 /* supported rates element is mandatory */
1735 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) {
1736 DPRINTF(("invalid supported rates element\n"));
1737 return;
1738 }
1739 /* SSID element is mandatory */
1740 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) {
1741 DPRINTF(("invalid SSID element\n"));
1742 return;
1743 }
1744
1745 if (
1746 #if IEEE80211_CHAN_MAX < 255
1747 chan > IEEE80211_CHAN_MAX ||
1748 #endif
1749 (isclr(ic->ic_chan_active, chan) &&
1750 ((ic->ic_caps & IEEE80211_C_SCANALL) == 0 ||
1751 (ic->ic_flags & IEEE80211_F_BGSCAN) == 0))) {
1752 DPRINTF(("ignore %s with invalid channel %u\n",
1753 isprobe ? "probe response" : "beacon", chan));
1754 ic->ic_stats.is_rx_badchan++;
1755 return;
1756 }
1757 if ((rxi->rxi_chan != 0 && chan != rxi->rxi_chan) ||
1758 ((ic->ic_state != IEEE80211_S_SCAN ||
1759 !(ic->ic_caps & IEEE80211_C_SCANALL)) &&
1760 chan != bchan)) {
1761 /*
1762 * Frame was received on a channel different from the
1763 * one indicated in the DS params element id;
1764 * silently discard it.
1765 *
1766 * NB: this can happen due to signal leakage.
1767 */
1768 DPRINTF(("ignore %s on channel %u marked for channel %u\n",
1769 isprobe ? "probe response" : "beacon", bchan, chan));
1770 ic->ic_stats.is_rx_chanmismatch++;
1771 return;
1772 }
1773
1774 #ifdef IEEE80211_DEBUG
1775 if (ieee80211_debug > 1 &&
1776 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN ||
1777 (ic->ic_flags & IEEE80211_F_BGSCAN))) {
1778 printf("%s: %s%s on chan %u (bss chan %u) ",
1779 __func__, (ni == NULL ? "new " : ""),
1780 isprobe ? "probe response" : "beacon",
1781 chan, bchan);
1782 ieee80211_print_essid(ssid + 2, ssid[1]);
1783 printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2));
1784 printf("%s: caps 0x%x bintval %u erp 0x%x\n",
1785 __func__, capinfo, bintval, erp);
1786 }
1787 #endif
1788
1789 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) {
1790 ni = ieee80211_alloc_node(ic, wh->i_addr2);
1791 if (ni == NULL)
1792 return;
1793 is_new = 1;
1794 } else
1795 is_new = 0;
1796
1797 ni->ni_chan = &ic->ic_channels[chan];
1798
1799 if (htcaps)
1800 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]);
1801 if (htop && !ieee80211_setup_htop(ni, htop + 2, htop[1], 1))
1802 htop = NULL; /* invalid HTOP */
1803 if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) {
1804 ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]);
1805 if (vhtop && !ieee80211_setup_vhtop(ni, vhtop + 2, vhtop[1], 1))
1806 vhtop = NULL; /* invalid VHTOP */
1807 }
1808
1809 if (tim) {
1810 ni->ni_dtimcount = tim[2];
1811 ni->ni_dtimperiod = tim[3];
1812 }
1813
1814 /*
1815 * When operating in station mode, check for state updates
1816 * while we're associated.
1817 */
1818 if (ic->ic_opmode == IEEE80211_M_STA &&
1819 ic->ic_state == IEEE80211_S_RUN &&
1820 ni->ni_state == IEEE80211_STA_BSS) {
1821 int updateprot = 0;
1822 /*
1823 * Check if protection mode has changed since last beacon.
1824 */
1825 if (ni->ni_erp != erp) {
1826 DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n",
1827 ether_sprintf((u_int8_t *)wh->i_addr2),
1828 ni->ni_erp, erp));
1829 if ((ic->ic_curmode == IEEE80211_MODE_11G ||
1830 (ic->ic_curmode == IEEE80211_MODE_11N &&
1831 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) &&
1832 (erp & IEEE80211_ERP_USE_PROTECTION))
1833 ic->ic_flags |= IEEE80211_F_USEPROT;
1834 else
1835 ic->ic_flags &= ~IEEE80211_F_USEPROT;
1836 ic->ic_bss->ni_erp = erp;
1837 updateprot = 1;
1838 }
1839 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT)) {
1840 enum ieee80211_htprot htprot_last, htprot;
1841 htprot_last =
1842 ((ic->ic_bss->ni_htop1 & IEEE80211_HTOP1_PROT_MASK)
1843 >> IEEE80211_HTOP1_PROT_SHIFT);
1844 htprot = ((ni->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) >>
1845 IEEE80211_HTOP1_PROT_SHIFT);
1846 if (htprot_last != htprot) {
1847 DPRINTF(("[%s] htprot change: was %d, now %d\n",
1848 ether_sprintf((u_int8_t *)wh->i_addr2),
1849 htprot_last, htprot));
1850 ic->ic_stats.is_ht_prot_change++;
1851 ic->ic_bss->ni_htop1 = ni->ni_htop1;
1852 updateprot = 1;
1853 }
1854 }
1855 if (updateprot && ic->ic_updateprot != NULL)
1856 ic->ic_updateprot(ic);
1857
1858 /*
1859 * Check if 40MHz channel mode has changed since last beacon.
1860 */
1861 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT) &&
1862 (ic->ic_htcaps & IEEE80211_HTCAP_CBW20_40)) {
1863 uint8_t chw_last, chw, sco_last, sco;
1864 chw_last = (ic->ic_bss->ni_htop0 & IEEE80211_HTOP0_CHW);
1865 chw = (ni->ni_htop0 & IEEE80211_HTOP0_CHW);
1866 sco_last =
1867 ((ic->ic_bss->ni_htop0 & IEEE80211_HTOP0_SCO_MASK)
1868 >> IEEE80211_HTOP0_SCO_SHIFT);
1869 sco = ((ni->ni_htop0 & IEEE80211_HTOP0_SCO_MASK) >>
1870 IEEE80211_HTOP0_SCO_SHIFT);
1871 ic->ic_bss->ni_htop0 = ni->ni_htop0;
1872 if (chw_last != chw || sco_last != sco) {
1873 if (ic->ic_updatechan != NULL)
1874 ic->ic_updatechan(ic);
1875 }
1876 } else if (htop)
1877 ic->ic_bss->ni_htop0 = ni->ni_htop0;
1878
1879 /*
1880 * Check if AP short slot time setting has changed
1881 * since last beacon and give the driver a chance to
1882 * update the hardware.
1883 */
1884 if ((ni->ni_capinfo ^ capinfo) &
1885 IEEE80211_CAPINFO_SHORT_SLOTTIME) {
1886 ieee80211_set_shortslottime(ic,
1887 ic->ic_curmode == IEEE80211_MODE_11A ||
1888 (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
1889 }
1890
1891 if (tim && ic->ic_bss->ni_dtimperiod != ni->ni_dtimperiod) {
1892 ic->ic_bss->ni_dtimperiod = ni->ni_dtimperiod;
1893 ic->ic_bss->ni_dtimcount = ni->ni_dtimcount;
1894
1895 if (ic->ic_updatedtim != NULL)
1896 ic->ic_updatedtim(ic);
1897 }
1898
1899 /*
1900 * Reset management timer. If it is non-zero in RUN state, the
1901 * driver sent a probe request after a missed beacon event.
1902 * This probe response indicates the AP is still serving us
1903 * so don't allow ieee80211_watchdog() to move us into SCAN.
1904 */
1905 if ((ic->ic_flags & IEEE80211_F_BGSCAN) == 0)
1906 ic->ic_mgt_timer = 0;
1907 }
1908 /*
1909 * We do not try to update EDCA parameters if QoS was not negotiated
1910 * with the AP at association time.
1911 */
1912 if (ni->ni_flags & IEEE80211_NODE_QOS) {
1913 /* always prefer EDCA IE over Wi-Fi Alliance WMM IE */
1914 if ((edcaie != NULL &&
1915 ieee80211_parse_edca_params(ic, edcaie) == 0) ||
1916 (wmmie != NULL &&
1917 ieee80211_parse_wmm_params(ic, wmmie) == 0))
1918 ni->ni_flags |= IEEE80211_NODE_QOS;
1919 else
1920 ni->ni_flags &= ~IEEE80211_NODE_QOS;
1921 }
1922
1923 if (ic->ic_state == IEEE80211_S_SCAN ||
1924 (ic->ic_flags & IEEE80211_F_BGSCAN)) {
1925 struct ieee80211_rsnparams rsn, wpa;
1926
1927 ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
1928 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE;
1929 ni->ni_rsnakms = 0;
1930 ni->ni_supported_rsnakms = 0;
1931 ni->ni_rsnciphers = 0;
1932 ni->ni_rsngroupcipher = 0;
1933 ni->ni_rsngroupmgmtcipher = 0;
1934 ni->ni_rsncaps = 0;
1935
1936 if (rsnie != NULL &&
1937 ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) {
1938 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_RSN;
1939 ni->ni_supported_rsnakms |= rsn.rsn_akms;
1940 }
1941 if (wpaie != NULL &&
1942 ieee80211_parse_wpa(ic, wpaie, &wpa) == 0) {
1943 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_WPA;
1944 ni->ni_supported_rsnakms |= wpa.rsn_akms;
1945 }
1946
1947 /*
1948 * If the AP advertises both WPA and RSN IEs (WPA1+WPA2),
1949 * we only use the highest protocol version we support.
1950 */
1951 if (rsnie != NULL &&
1952 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_RSN) &&
1953 (ic->ic_caps & IEEE80211_C_RSN)) {
1954 if (ieee80211_save_ie(rsnie, &ni->ni_rsnie) == 0
1955 #ifndef IEEE80211_STA_ONLY
1956 && ic->ic_opmode != IEEE80211_M_HOSTAP
1957 #endif
1958 ) {
1959 ni->ni_rsnprotos = IEEE80211_PROTO_RSN;
1960 ni->ni_rsnakms = rsn.rsn_akms;
1961 ni->ni_rsnciphers = rsn.rsn_ciphers;
1962 ni->ni_rsngroupcipher = rsn.rsn_groupcipher;
1963 ni->ni_rsngroupmgmtcipher =
1964 rsn.rsn_groupmgmtcipher;
1965 ni->ni_rsncaps = rsn.rsn_caps;
1966 }
1967 } else if (wpaie != NULL &&
1968 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_WPA) &&
1969 (ic->ic_caps & IEEE80211_C_RSN)) {
1970 if (ieee80211_save_ie(wpaie, &ni->ni_rsnie) == 0
1971 #ifndef IEEE80211_STA_ONLY
1972 && ic->ic_opmode != IEEE80211_M_HOSTAP
1973 #endif
1974 ) {
1975 ni->ni_rsnprotos = IEEE80211_PROTO_WPA;
1976 ni->ni_rsnakms = wpa.rsn_akms;
1977 ni->ni_rsnciphers = wpa.rsn_ciphers;
1978 ni->ni_rsngroupcipher = wpa.rsn_groupcipher;
1979 ni->ni_rsngroupmgmtcipher =
1980 wpa.rsn_groupmgmtcipher;
1981 ni->ni_rsncaps = wpa.rsn_caps;
1982 }
1983 }
1984 }
1985
1986 /*
1987 * Set our SSID if we do not know it yet.
1988 * If we are doing a directed scan for an AP with a hidden SSID
1989 * we must collect the SSID from a probe response to override
1990 * a non-zero-length SSID filled with zeroes that we may have
1991 * received earlier in a beacon.
1992 */
1993 if (ssid[1] != 0 && ni->ni_essid[0] == '\0') {
1994 ni->ni_esslen = ssid[1];
1995 memset(ni->ni_essid, 0, sizeof(ni->ni_essid));
1996 /* we know that ssid[1] <= IEEE80211_NWID_LEN */
1997 memcpy(ni->ni_essid, &ssid[2], ssid[1]);
1998 }
1999 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3);
2000 if (ic->ic_state == IEEE80211_S_SCAN &&
2001 IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) {
2002 /*
2003 * During a scan on 5Ghz, prefer RSSI measured for probe
2004 * response frames. i.e. don't allow beacons to lower the
2005 * measured RSSI. Some 5GHz APs send beacons with much
2006 * less Tx power than they use for probe responses.
2007 */
2008 if (isprobe || ni->ni_rssi == 0)
2009 ni->ni_rssi = rxi->rxi_rssi;
2010 else if (ni->ni_rssi < rxi->rxi_rssi)
2011 ni->ni_rssi = rxi->rxi_rssi;
2012 } else
2013 ni->ni_rssi = rxi->rxi_rssi;
2014 ni->ni_rstamp = rxi->rxi_tstamp;
2015 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp));
2016 ni->ni_intval = bintval;
2017 ni->ni_capinfo = capinfo;
2018 ni->ni_erp = erp;
2019 /* NB: must be after ni_chan is setup */
2020 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT);
2021 #ifndef IEEE80211_STA_ONLY
2022 if (ic->ic_opmode == IEEE80211_M_IBSS && is_new && isprobe) {
2023 /*
2024 * Fake an association so the driver can setup its
2025 * private state. The rate set has been setup above;
2026 * there is no handshake as in ap/station operation.
2027 */
2028 if (ic->ic_newassoc)
2029 (*ic->ic_newassoc)(ic, ni, 1);
2030 }
2031 #endif
2032 }
2033
2034 #ifndef IEEE80211_STA_ONLY
2035 /*-
2036 * Probe request frame format:
2037 * [tlv] SSID
2038 * [tlv] Supported rates
2039 * [tlv] Extended Supported Rates (802.11g)
2040 * [tlv] HT Capabilities (802.11n)
2041 */
2042 void
ieee80211_recv_probe_req(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni,struct ieee80211_rxinfo * rxi)2043 ieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m,
2044 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi)
2045 {
2046 const struct ieee80211_frame *wh;
2047 const u_int8_t *frm, *efrm;
2048 const u_int8_t *ssid, *rates, *xrates, *htcaps, *vhtcaps;
2049 u_int8_t rate;
2050
2051 if (ic->ic_opmode == IEEE80211_M_STA ||
2052 ic->ic_state != IEEE80211_S_RUN)
2053 return;
2054
2055 wh = mtod(m, struct ieee80211_frame *);
2056 frm = (const u_int8_t *)&wh[1];
2057 efrm = mtod(m, u_int8_t *) + m->m_len;
2058
2059 ssid = rates = xrates = htcaps = vhtcaps = NULL;
2060 while (frm + 2 <= efrm) {
2061 if (frm + 2 + frm[1] > efrm) {
2062 ic->ic_stats.is_rx_elem_toosmall++;
2063 break;
2064 }
2065 switch (frm[0]) {
2066 case IEEE80211_ELEMID_SSID:
2067 ssid = frm;
2068 break;
2069 case IEEE80211_ELEMID_RATES:
2070 rates = frm;
2071 break;
2072 case IEEE80211_ELEMID_XRATES:
2073 xrates = frm;
2074 break;
2075 case IEEE80211_ELEMID_HTCAPS:
2076 htcaps = frm;
2077 break;
2078 case IEEE80211_ELEMID_VHTCAPS:
2079 vhtcaps = frm;
2080 break;
2081 }
2082 frm += 2 + frm[1];
2083 }
2084 /* supported rates element is mandatory */
2085 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) {
2086 DPRINTF(("invalid supported rates element\n"));
2087 return;
2088 }
2089 /* SSID element is mandatory */
2090 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) {
2091 DPRINTF(("invalid SSID element\n"));
2092 return;
2093 }
2094 /* check that the specified SSID (if not wildcard) matches ours */
2095 if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen ||
2096 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) {
2097 DPRINTF(("SSID mismatch\n"));
2098 ic->ic_stats.is_rx_ssidmismatch++;
2099 return;
2100 }
2101 /* refuse wildcard SSID if we're hiding our SSID in beacons */
2102 if (ssid[1] == 0 && (ic->ic_userflags & IEEE80211_F_HIDENWID)) {
2103 DPRINTF(("wildcard SSID rejected"));
2104 ic->ic_stats.is_rx_ssidmismatch++;
2105 return;
2106 }
2107
2108 if (ni == ic->ic_bss) {
2109 ni = ieee80211_find_node(ic, wh->i_addr2);
2110 if (ni == NULL)
2111 ni = ieee80211_dup_bss(ic, wh->i_addr2);
2112 if (ni == NULL)
2113 return;
2114 DPRINTF(("new probe req from %s\n",
2115 ether_sprintf((u_int8_t *)wh->i_addr2)));
2116 }
2117 ni->ni_rssi = rxi->rxi_rssi;
2118 ni->ni_rstamp = rxi->rxi_tstamp;
2119 rate = ieee80211_setup_rates(ic, ni, rates, xrates,
2120 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO |
2121 IEEE80211_F_DODEL);
2122 if (rate & IEEE80211_RATE_BASIC) {
2123 DPRINTF(("rate mismatch for %s\n",
2124 ether_sprintf((u_int8_t *)wh->i_addr2)));
2125 return;
2126 }
2127 if (htcaps)
2128 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]);
2129 else
2130 ieee80211_clear_htcaps(ni);
2131 if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ic->ic_bss->ni_chan))
2132 ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]);
2133 else
2134 ieee80211_clear_vhtcaps(ni);
2135 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0);
2136 }
2137 #endif /* IEEE80211_STA_ONLY */
2138
2139 /*-
2140 * Authentication frame format:
2141 * [2] Authentication algorithm number
2142 * [2] Authentication transaction sequence number
2143 * [2] Status code
2144 */
2145 void
ieee80211_recv_auth(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni,struct ieee80211_rxinfo * rxi)2146 ieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m,
2147 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi)
2148 {
2149 const struct ieee80211_frame *wh;
2150 const u_int8_t *frm;
2151 u_int16_t algo, seq, status;
2152
2153 /* make sure all mandatory fixed fields are present */
2154 if (m->m_len < sizeof(*wh) + 6) {
2155 DPRINTF(("frame too short\n"));
2156 return;
2157 }
2158 wh = mtod(m, struct ieee80211_frame *);
2159 frm = (const u_int8_t *)&wh[1];
2160
2161 algo = LE_READ_2(frm); frm += 2;
2162 seq = LE_READ_2(frm); frm += 2;
2163 status = LE_READ_2(frm); frm += 2;
2164 DPRINTF(("auth %d seq %d from %s\n", algo, seq,
2165 ether_sprintf((u_int8_t *)wh->i_addr2)));
2166
2167 /* only "open" auth mode is supported */
2168 if (algo != IEEE80211_AUTH_ALG_OPEN) {
2169 DPRINTF(("unsupported auth algorithm %d from %s\n",
2170 algo, ether_sprintf((u_int8_t *)wh->i_addr2)));
2171 ic->ic_stats.is_rx_auth_unsupported++;
2172 #ifndef IEEE80211_STA_ONLY
2173 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2174 /* XXX hack to workaround calling convention */
2175 IEEE80211_SEND_MGMT(ic, ni,
2176 IEEE80211_FC0_SUBTYPE_AUTH,
2177 IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xfff));
2178 }
2179 #endif
2180 return;
2181 }
2182 ieee80211_auth_open(ic, wh, ni, rxi, seq, status);
2183 }
2184
2185 #ifndef IEEE80211_STA_ONLY
2186 /*-
2187 * (Re)Association request frame format:
2188 * [2] Capability information
2189 * [2] Listen interval
2190 * [6*] Current AP address (Reassociation only)
2191 * [tlv] SSID
2192 * [tlv] Supported rates
2193 * [tlv] Extended Supported Rates (802.11g)
2194 * [tlv] RSN (802.11i)
2195 * [tlv] QoS Capability (802.11e)
2196 * [tlv] HT Capabilities (802.11n)
2197 */
2198 void
ieee80211_recv_assoc_req(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni,struct ieee80211_rxinfo * rxi,int reassoc)2199 ieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m,
2200 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc)
2201 {
2202 const struct ieee80211_frame *wh;
2203 const u_int8_t *frm, *efrm;
2204 const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *wmeie;
2205 const u_int8_t *htcaps, *vhtcaps;
2206 u_int16_t capinfo, bintval;
2207 int resp, status = 0;
2208 struct ieee80211_rsnparams rsn;
2209 u_int8_t rate;
2210 const u_int8_t *saveie = NULL;
2211
2212 if (ic->ic_opmode != IEEE80211_M_HOSTAP ||
2213 ic->ic_state != IEEE80211_S_RUN)
2214 return;
2215
2216 /* make sure all mandatory fixed fields are present */
2217 if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) {
2218 DPRINTF(("frame too short\n"));
2219 return;
2220 }
2221 wh = mtod(m, struct ieee80211_frame *);
2222 frm = (const u_int8_t *)&wh[1];
2223 efrm = mtod(m, u_int8_t *) + m->m_len;
2224
2225 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) {
2226 DPRINTF(("ignore other bss from %s\n",
2227 ether_sprintf((u_int8_t *)wh->i_addr2)));
2228 ic->ic_stats.is_rx_assoc_bss++;
2229 return;
2230 }
2231 capinfo = LE_READ_2(frm); frm += 2;
2232 bintval = LE_READ_2(frm); frm += 2;
2233 if (reassoc) {
2234 frm += IEEE80211_ADDR_LEN; /* skip current AP address */
2235 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
2236 } else
2237 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
2238
2239 ssid = rates = xrates = rsnie = wpaie = wmeie = htcaps = vhtcaps = NULL;
2240 while (frm + 2 <= efrm) {
2241 if (frm + 2 + frm[1] > efrm) {
2242 ic->ic_stats.is_rx_elem_toosmall++;
2243 break;
2244 }
2245 switch (frm[0]) {
2246 case IEEE80211_ELEMID_SSID:
2247 ssid = frm;
2248 break;
2249 case IEEE80211_ELEMID_RATES:
2250 rates = frm;
2251 break;
2252 case IEEE80211_ELEMID_XRATES:
2253 xrates = frm;
2254 break;
2255 case IEEE80211_ELEMID_RSN:
2256 rsnie = frm;
2257 break;
2258 case IEEE80211_ELEMID_QOS_CAP:
2259 break;
2260 case IEEE80211_ELEMID_HTCAPS:
2261 htcaps = frm;
2262 break;
2263 case IEEE80211_ELEMID_VHTCAPS:
2264 vhtcaps = frm;
2265 break;
2266 case IEEE80211_ELEMID_VENDOR:
2267 if (frm[1] < 4) {
2268 ic->ic_stats.is_rx_elem_toosmall++;
2269 break;
2270 }
2271 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) {
2272 if (frm[5] == 1)
2273 wpaie = frm;
2274 /* WME info IE: len=7 type=2 subtype=0 */
2275 if (frm[1] == 7 && frm[5] == 2 && frm[6] == 0)
2276 wmeie = frm;
2277 }
2278 break;
2279 }
2280 frm += 2 + frm[1];
2281 }
2282 /* supported rates element is mandatory */
2283 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) {
2284 DPRINTF(("invalid supported rates element\n"));
2285 return;
2286 }
2287 /* SSID element is mandatory */
2288 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) {
2289 DPRINTF(("invalid SSID element\n"));
2290 return;
2291 }
2292 /* check that the specified SSID matches ours */
2293 if (ssid[1] != ic->ic_bss->ni_esslen ||
2294 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) {
2295 DPRINTF(("SSID mismatch\n"));
2296 ic->ic_stats.is_rx_ssidmismatch++;
2297 return;
2298 }
2299
2300 if (ni->ni_state != IEEE80211_STA_AUTH &&
2301 ni->ni_state != IEEE80211_STA_ASSOC) {
2302 DPRINTF(("deny %sassoc from %s, not authenticated\n",
2303 reassoc ? "re" : "",
2304 ether_sprintf((u_int8_t *)wh->i_addr2)));
2305 ni = ieee80211_find_node(ic, wh->i_addr2);
2306 if (ni == NULL)
2307 ni = ieee80211_dup_bss(ic, wh->i_addr2);
2308 if (ni != NULL) {
2309 IEEE80211_SEND_MGMT(ic, ni,
2310 IEEE80211_FC0_SUBTYPE_DEAUTH,
2311 IEEE80211_REASON_ASSOC_NOT_AUTHED);
2312 }
2313 ic->ic_stats.is_rx_assoc_notauth++;
2314 return;
2315 }
2316
2317 if (ni->ni_state == IEEE80211_STA_ASSOC &&
2318 (ni->ni_flags & IEEE80211_NODE_MFP)) {
2319 if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) {
2320 /* send a protected Disassociate frame */
2321 IEEE80211_SEND_MGMT(ic, ni,
2322 IEEE80211_FC0_SUBTYPE_DISASSOC,
2323 IEEE80211_REASON_AUTH_EXPIRE);
2324 /* terminate the old SA */
2325 ieee80211_node_leave(ic, ni);
2326 } else {
2327 /* reject the (Re)Association Request temporarily */
2328 IEEE80211_SEND_MGMT(ic, ni, resp,
2329 IEEE80211_STATUS_TRY_AGAIN_LATER);
2330 /* start SA Query procedure if not already engaged */
2331 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY))
2332 ieee80211_sa_query_request(ic, ni);
2333 /* do not modify association state */
2334 }
2335 return;
2336 }
2337
2338 if (!(capinfo & IEEE80211_CAPINFO_ESS)) {
2339 ic->ic_stats.is_rx_assoc_capmismatch++;
2340 status = IEEE80211_STATUS_CAPINFO;
2341 goto end;
2342 }
2343 rate = ieee80211_setup_rates(ic, ni, rates, xrates,
2344 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO |
2345 IEEE80211_F_DODEL);
2346 if (rate & IEEE80211_RATE_BASIC) {
2347 ic->ic_stats.is_rx_assoc_norate++;
2348 status = IEEE80211_STATUS_BASIC_RATE;
2349 goto end;
2350 }
2351
2352 ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
2353 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE;
2354 ni->ni_rsnakms = 0;
2355 ni->ni_supported_rsnakms = 0;
2356 ni->ni_rsnciphers = 0;
2357 ni->ni_rsngroupcipher = 0;
2358 ni->ni_rsngroupmgmtcipher = 0;
2359 ni->ni_rsncaps = 0;
2360
2361 /*
2362 * A station should never include both a WPA and an RSN IE
2363 * in its (Re)Association Requests, but if it does, we only
2364 * consider the IE of the highest version of the protocol
2365 * that is allowed (ie RSN over WPA).
2366 */
2367 if (rsnie != NULL) {
2368 status = ieee80211_parse_rsn(ic, rsnie, &rsn);
2369 if (status != 0)
2370 goto end;
2371 ni->ni_supported_rsnprotos = IEEE80211_PROTO_RSN;
2372 ni->ni_supported_rsnakms = rsn.rsn_akms;
2373 if ((ic->ic_flags & IEEE80211_F_RSNON) &&
2374 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) {
2375 ni->ni_rsnprotos = IEEE80211_PROTO_RSN;
2376 saveie = rsnie;
2377 }
2378 } else if (wpaie != NULL) {
2379 status = ieee80211_parse_wpa(ic, wpaie, &rsn);
2380 if (status != 0)
2381 goto end;
2382 ni->ni_supported_rsnprotos = IEEE80211_PROTO_WPA;
2383 ni->ni_supported_rsnakms = rsn.rsn_akms;
2384 if ((ic->ic_flags & IEEE80211_F_RSNON) &&
2385 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) {
2386 ni->ni_rsnprotos = IEEE80211_PROTO_WPA;
2387 saveie = wpaie;
2388 }
2389 }
2390
2391 if (ic->ic_flags & IEEE80211_F_QOS) {
2392 if (wmeie != NULL)
2393 ni->ni_flags |= IEEE80211_NODE_QOS;
2394 else /* for Reassociation */
2395 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2396 }
2397
2398 if (ic->ic_flags & IEEE80211_F_RSNON) {
2399 if (ni->ni_rsnprotos == IEEE80211_PROTO_NONE) {
2400 /*
2401 * In an RSN, an AP shall not associate with STAs
2402 * that fail to include the RSN IE in the
2403 * (Re)Association Request.
2404 */
2405 status = IEEE80211_STATUS_IE_INVALID;
2406 goto end;
2407 }
2408 /*
2409 * The initiating STA's RSN IE shall include one authentication
2410 * and pairwise cipher suite among those advertised by the
2411 * targeted AP. It shall also specify the group cipher suite
2412 * specified by the targeted AP.
2413 */
2414 if (rsn.rsn_nakms != 1 ||
2415 !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) {
2416 status = IEEE80211_STATUS_BAD_AKMP;
2417 ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
2418 goto end;
2419 }
2420 if (rsn.rsn_nciphers != 1 ||
2421 !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) {
2422 status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER;
2423 ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
2424 goto end;
2425 }
2426 if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) {
2427 status = IEEE80211_STATUS_BAD_GROUP_CIPHER;
2428 ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
2429 goto end;
2430 }
2431
2432 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) &&
2433 !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) {
2434 status = IEEE80211_STATUS_MFP_POLICY;
2435 ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
2436 goto end;
2437 }
2438 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) &&
2439 (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC |
2440 IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) {
2441 /* STA advertises an invalid setting */
2442 status = IEEE80211_STATUS_MFP_POLICY;
2443 ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
2444 goto end;
2445 }
2446 /*
2447 * A STA that has associated with Management Frame Protection
2448 * enabled shall not use cipher suite pairwise selector WEP40,
2449 * WEP104, TKIP, or "Use Group cipher suite".
2450 */
2451 if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) &&
2452 (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP ||
2453 rsn.rsn_groupmgmtcipher !=
2454 ic->ic_bss->ni_rsngroupmgmtcipher)) {
2455 status = IEEE80211_STATUS_MFP_POLICY;
2456 ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
2457 goto end;
2458 }
2459
2460 /*
2461 * Disallow new associations using TKIP if countermeasures
2462 * are active.
2463 */
2464 if ((ic->ic_flags & IEEE80211_F_COUNTERM) &&
2465 (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP ||
2466 rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) {
2467 status = IEEE80211_STATUS_CIPHER_REJ_POLICY;
2468 ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
2469 goto end;
2470 }
2471
2472 /* everything looks fine, save IE and parameters */
2473 if (saveie == NULL ||
2474 ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) {
2475 status = IEEE80211_STATUS_TOOMANY;
2476 ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
2477 goto end;
2478 }
2479 ni->ni_rsnakms = rsn.rsn_akms;
2480 ni->ni_rsnciphers = rsn.rsn_ciphers;
2481 ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher;
2482 ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher;
2483 ni->ni_rsncaps = rsn.rsn_caps;
2484
2485 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) {
2486 struct ieee80211_pmk *pmk = NULL;
2487 const u_int8_t *pmkid = rsn.rsn_pmkids;
2488 /*
2489 * Check if we have a cached PMK entry matching one
2490 * of the PMKIDs specified in the RSN IE.
2491 */
2492 while (rsn.rsn_npmkids-- > 0) {
2493 pmk = ieee80211_pmksa_find(ic, ni, pmkid);
2494 if (pmk != NULL)
2495 break;
2496 pmkid += IEEE80211_PMKID_LEN;
2497 }
2498 if (pmk != NULL) {
2499 memcpy(ni->ni_pmk, pmk->pmk_key,
2500 IEEE80211_PMK_LEN);
2501 memcpy(ni->ni_pmkid, pmk->pmk_pmkid,
2502 IEEE80211_PMKID_LEN);
2503 ni->ni_flags |= IEEE80211_NODE_PMK;
2504 }
2505 }
2506 }
2507
2508 ni->ni_rssi = rxi->rxi_rssi;
2509 ni->ni_rstamp = rxi->rxi_tstamp;
2510 ni->ni_intval = bintval;
2511 ni->ni_capinfo = capinfo;
2512 ni->ni_chan = ic->ic_bss->ni_chan;
2513 if (htcaps)
2514 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]);
2515 else
2516 ieee80211_clear_htcaps(ni);
2517 if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ic->ic_bss->ni_chan))
2518 ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]);
2519 else
2520 ieee80211_clear_vhtcaps(ni);
2521 end:
2522 if (status != 0) {
2523 IEEE80211_SEND_MGMT(ic, ni, resp, status);
2524 ieee80211_node_leave(ic, ni);
2525 } else
2526 ieee80211_node_join(ic, ni, resp);
2527 }
2528 #endif /* IEEE80211_STA_ONLY */
2529
2530 /*-
2531 * (Re)Association response frame format:
2532 * [2] Capability information
2533 * [2] Status code
2534 * [2] Association ID (AID)
2535 * [tlv] Supported rates
2536 * [tlv] Extended Supported Rates (802.11g)
2537 * [tlv] EDCA Parameter Set (802.11e)
2538 * [tlv] HT Capabilities (802.11n)
2539 * [tlv] HT Operation (802.11n)
2540 */
2541 void
ieee80211_recv_assoc_resp(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni,int reassoc)2542 ieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m,
2543 struct ieee80211_node *ni, int reassoc)
2544 {
2545 struct ifnet *ifp = &ic->ic_if;
2546 const struct ieee80211_frame *wh;
2547 const u_int8_t *frm, *efrm;
2548 const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop;
2549 const u_int8_t *vhtcaps, *vhtop;
2550 u_int16_t capinfo, status, associd;
2551 u_int8_t rate;
2552
2553 if (ic->ic_opmode != IEEE80211_M_STA ||
2554 ic->ic_state != IEEE80211_S_ASSOC) {
2555 ic->ic_stats.is_rx_mgtdiscard++;
2556 return;
2557 }
2558
2559 /* make sure all mandatory fixed fields are present */
2560 if (m->m_len < sizeof(*wh) + 6) {
2561 DPRINTF(("frame too short\n"));
2562 return;
2563 }
2564 wh = mtod(m, struct ieee80211_frame *);
2565 frm = (const u_int8_t *)&wh[1];
2566 efrm = mtod(m, u_int8_t *) + m->m_len;
2567
2568 capinfo = LE_READ_2(frm); frm += 2;
2569 status = LE_READ_2(frm); frm += 2;
2570 if (status != IEEE80211_STATUS_SUCCESS) {
2571 if (ifp->if_flags & IFF_DEBUG)
2572 printf("%s: %sassociation failed (status %d)"
2573 " for %s\n", ifp->if_xname,
2574 reassoc ? "re" : "",
2575 status, ether_sprintf((u_int8_t *)wh->i_addr3));
2576 if (ni != ic->ic_bss)
2577 ni->ni_fails++;
2578 ic->ic_stats.is_rx_auth_fail++;
2579 return;
2580 }
2581 associd = LE_READ_2(frm); frm += 2;
2582
2583 rates = xrates = edcaie = wmmie = htcaps = htop = NULL;
2584 vhtcaps = vhtop = NULL;
2585 while (frm + 2 <= efrm) {
2586 if (frm + 2 + frm[1] > efrm) {
2587 ic->ic_stats.is_rx_elem_toosmall++;
2588 break;
2589 }
2590 switch (frm[0]) {
2591 case IEEE80211_ELEMID_RATES:
2592 rates = frm;
2593 break;
2594 case IEEE80211_ELEMID_XRATES:
2595 xrates = frm;
2596 break;
2597 case IEEE80211_ELEMID_EDCAPARMS:
2598 edcaie = frm;
2599 break;
2600 case IEEE80211_ELEMID_HTCAPS:
2601 htcaps = frm;
2602 break;
2603 case IEEE80211_ELEMID_HTOP:
2604 htop = frm;
2605 break;
2606 case IEEE80211_ELEMID_VHTCAPS:
2607 vhtcaps = frm;
2608 break;
2609 case IEEE80211_ELEMID_VHTOP:
2610 vhtop = frm;
2611 break;
2612 case IEEE80211_ELEMID_VENDOR:
2613 if (frm[1] < 4) {
2614 ic->ic_stats.is_rx_elem_toosmall++;
2615 break;
2616 }
2617 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) {
2618 if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1)
2619 wmmie = frm;
2620 }
2621 break;
2622 }
2623 frm += 2 + frm[1];
2624 }
2625 /* supported rates element is mandatory */
2626 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) {
2627 DPRINTF(("invalid supported rates element\n"));
2628 return;
2629 }
2630 rate = ieee80211_setup_rates(ic, ni, rates, xrates,
2631 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO |
2632 IEEE80211_F_DODEL);
2633 if (rate & IEEE80211_RATE_BASIC) {
2634 DPRINTF(("rate mismatch for %s\n",
2635 ether_sprintf((u_int8_t *)wh->i_addr2)));
2636 ic->ic_stats.is_rx_assoc_norate++;
2637 return;
2638 }
2639 ni->ni_capinfo = capinfo;
2640 ni->ni_associd = associd;
2641 if (edcaie != NULL || wmmie != NULL) {
2642 /* force update of EDCA parameters */
2643 ic->ic_edca_updtcount = -1;
2644
2645 if ((edcaie != NULL &&
2646 ieee80211_parse_edca_params(ic, edcaie) == 0) ||
2647 (wmmie != NULL &&
2648 ieee80211_parse_wmm_params(ic, wmmie) == 0))
2649 ni->ni_flags |= IEEE80211_NODE_QOS;
2650 else /* for Reassociation */
2651 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2652 }
2653 if (htcaps)
2654 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]);
2655 if (htop)
2656 ieee80211_setup_htop(ni, htop + 2, htop[1], 0);
2657 ieee80211_ht_negotiate(ic, ni);
2658
2659 if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) {
2660 ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]);
2661 if (vhtop && !ieee80211_setup_vhtop(ni, vhtop + 2, vhtop[1], 1))
2662 vhtop = NULL; /* invalid VHTOP */
2663 }
2664 ieee80211_vht_negotiate(ic, ni);
2665
2666 /* Hop into 11n/11ac modes after associating to a HT/VHT AP. */
2667 if (ni->ni_flags & IEEE80211_NODE_VHT)
2668 ieee80211_setmode(ic, IEEE80211_MODE_11AC);
2669 else if (ni->ni_flags & IEEE80211_NODE_HT)
2670 ieee80211_setmode(ic, IEEE80211_MODE_11N);
2671 else
2672 ieee80211_setmode(ic, ieee80211_chan2mode(ic, ni->ni_chan));
2673 /*
2674 * Reset the erp state (mostly the slot time) now that
2675 * our operating mode has been nailed down.
2676 */
2677 ieee80211_reset_erp(ic);
2678
2679 /*
2680 * Configure state now that we are associated.
2681 */
2682 if (ic->ic_curmode == IEEE80211_MODE_11A ||
2683 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE))
2684 ic->ic_flags |= IEEE80211_F_SHPREAMBLE;
2685 else
2686 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE;
2687
2688 ieee80211_set_shortslottime(ic,
2689 ic->ic_curmode == IEEE80211_MODE_11A ||
2690 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
2691 /*
2692 * Honor ERP protection.
2693 */
2694 if ((ic->ic_curmode == IEEE80211_MODE_11G ||
2695 (ic->ic_curmode == IEEE80211_MODE_11N &&
2696 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) &&
2697 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
2698 ic->ic_flags |= IEEE80211_F_USEPROT;
2699 else
2700 ic->ic_flags &= ~IEEE80211_F_USEPROT;
2701 /*
2702 * If not an RSNA, mark the port as valid, otherwise wait for
2703 * 802.1X authentication and 4-way handshake to complete..
2704 */
2705 if (ic->ic_flags & IEEE80211_F_RSNON) {
2706 /* XXX ic->ic_mgt_timer = 5; */
2707 ni->ni_rsn_supp_state = RSNA_SUPP_PTKSTART;
2708 } else if (ic->ic_flags & IEEE80211_F_WEPON)
2709 ni->ni_flags |= IEEE80211_NODE_TXRXPROT;
2710
2711 ieee80211_new_state(ic, IEEE80211_S_RUN,
2712 IEEE80211_FC0_SUBTYPE_ASSOC_RESP);
2713 }
2714
2715 /*-
2716 * Deauthentication frame format:
2717 * [2] Reason code
2718 */
2719 void
ieee80211_recv_deauth(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni)2720 ieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m,
2721 struct ieee80211_node *ni)
2722 {
2723 const struct ieee80211_frame *wh;
2724 const u_int8_t *frm;
2725 u_int16_t reason;
2726
2727 /* make sure all mandatory fixed fields are present */
2728 if (m->m_len < sizeof(*wh) + 2) {
2729 DPRINTF(("frame too short\n"));
2730 return;
2731 }
2732 wh = mtod(m, struct ieee80211_frame *);
2733 frm = (const u_int8_t *)&wh[1];
2734
2735 reason = LE_READ_2(frm);
2736
2737 ic->ic_stats.is_rx_deauth++;
2738 switch (ic->ic_opmode) {
2739 case IEEE80211_M_STA: {
2740 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) &&
2741 ic->ic_state == IEEE80211_S_RUN);
2742 int stay_auth = ((ic->ic_userflags & IEEE80211_F_STAYAUTH) &&
2743 ic->ic_state >= IEEE80211_S_AUTH);
2744 if (!(bgscan || stay_auth))
2745 ieee80211_new_state(ic, IEEE80211_S_AUTH,
2746 IEEE80211_FC0_SUBTYPE_DEAUTH);
2747 }
2748 break;
2749 #ifndef IEEE80211_STA_ONLY
2750 case IEEE80211_M_HOSTAP:
2751 if (ni != ic->ic_bss) {
2752 int stay_auth =
2753 ((ic->ic_userflags & IEEE80211_F_STAYAUTH) &&
2754 (ni->ni_state == IEEE80211_STA_AUTH ||
2755 ni->ni_state == IEEE80211_STA_ASSOC));
2756 if (ic->ic_if.if_flags & IFF_DEBUG)
2757 printf("%s: station %s deauthenticated "
2758 "by peer (reason %d)\n",
2759 ic->ic_if.if_xname,
2760 ether_sprintf(ni->ni_macaddr),
2761 reason);
2762 if (!stay_auth)
2763 ieee80211_node_leave(ic, ni);
2764 }
2765 break;
2766 #endif
2767 default:
2768 break;
2769 }
2770 }
2771
2772 /*-
2773 * Disassociation frame format:
2774 * [2] Reason code
2775 */
2776 void
ieee80211_recv_disassoc(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni)2777 ieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m,
2778 struct ieee80211_node *ni)
2779 {
2780 const struct ieee80211_frame *wh;
2781 const u_int8_t *frm;
2782 u_int16_t reason;
2783
2784 /* make sure all mandatory fixed fields are present */
2785 if (m->m_len < sizeof(*wh) + 2) {
2786 DPRINTF(("frame too short\n"));
2787 return;
2788 }
2789 wh = mtod(m, struct ieee80211_frame *);
2790 frm = (const u_int8_t *)&wh[1];
2791
2792 reason = LE_READ_2(frm);
2793
2794 ic->ic_stats.is_rx_disassoc++;
2795 switch (ic->ic_opmode) {
2796 case IEEE80211_M_STA: {
2797 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) &&
2798 ic->ic_state == IEEE80211_S_RUN);
2799 if (!bgscan) /* ignore disassoc during bgscan */
2800 ieee80211_new_state(ic, IEEE80211_S_ASSOC,
2801 IEEE80211_FC0_SUBTYPE_DISASSOC);
2802 }
2803 break;
2804 #ifndef IEEE80211_STA_ONLY
2805 case IEEE80211_M_HOSTAP:
2806 if (ni != ic->ic_bss) {
2807 if (ic->ic_if.if_flags & IFF_DEBUG)
2808 printf("%s: station %s disassociated "
2809 "by peer (reason %d)\n",
2810 ic->ic_if.if_xname,
2811 ether_sprintf(ni->ni_macaddr),
2812 reason);
2813 ieee80211_node_leave(ic, ni);
2814 }
2815 break;
2816 #endif
2817 default:
2818 break;
2819 }
2820 }
2821
2822 /*-
2823 * ADDBA Request frame format:
2824 * [1] Category
2825 * [1] Action
2826 * [1] Dialog Token
2827 * [2] Block Ack Parameter Set
2828 * [2] Block Ack Timeout Value
2829 * [2] Block Ack Starting Sequence Control
2830 */
2831 void
ieee80211_recv_addba_req(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni)2832 ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m,
2833 struct ieee80211_node *ni)
2834 {
2835 const struct ieee80211_frame *wh;
2836 const u_int8_t *frm;
2837 struct ieee80211_rx_ba *ba;
2838 u_int16_t params, ssn, bufsz, timeout;
2839 u_int8_t token, tid;
2840 int err = 0;
2841
2842 /* Ignore if we are not ready to receive data frames. */
2843 if (ic->ic_state != IEEE80211_S_RUN ||
2844 ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid))
2845 return;
2846
2847 if (!(ni->ni_flags & IEEE80211_NODE_HT)) {
2848 DPRINTF(("received ADDBA req from non-HT STA %s\n",
2849 ether_sprintf(ni->ni_macaddr)));
2850 return;
2851 }
2852 if (m->m_len < sizeof(*wh) + 9) {
2853 DPRINTF(("frame too short\n"));
2854 return;
2855 }
2856 /* MLME-ADDBA.indication */
2857 wh = mtod(m, struct ieee80211_frame *);
2858 frm = (const u_int8_t *)&wh[1];
2859
2860 token = frm[2];
2861 params = LE_READ_2(&frm[3]);
2862 tid = ((params & IEEE80211_ADDBA_TID_MASK) >>
2863 IEEE80211_ADDBA_TID_SHIFT);
2864 bufsz = (params & IEEE80211_ADDBA_BUFSZ_MASK) >>
2865 IEEE80211_ADDBA_BUFSZ_SHIFT;
2866 timeout = LE_READ_2(&frm[5]);
2867 ssn = LE_READ_2(&frm[7]) >> 4;
2868
2869 ba = &ni->ni_rx_ba[tid];
2870 /* The driver is still processing an ADDBA request for this tid. */
2871 if (ba->ba_state == IEEE80211_BA_REQUESTED)
2872 return;
2873 /* If we are in the process of roaming between APs, ignore. */
2874 if ((ic->ic_flags & IEEE80211_F_BGSCAN) &&
2875 (ic->ic_xflags & IEEE80211_F_TX_MGMT_ONLY))
2876 return;
2877 /* check if we already have a Block Ack agreement for this RA/TID */
2878 if (ba->ba_state == IEEE80211_BA_AGREED) {
2879 /* XXX should we update the timeout value? */
2880 /* reset Block Ack inactivity timer */
2881 if (ba->ba_timeout_val != 0)
2882 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val);
2883
2884 /* check if it's a Protected Block Ack agreement */
2885 if (!(ni->ni_flags & IEEE80211_NODE_MFP) ||
2886 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))
2887 return; /* not a PBAC, ignore */
2888
2889 /* PBAC: treat the ADDBA Request like a BlockAckReq */
2890 if (SEQ_LT(ba->ba_winstart, ssn)) {
2891 struct mbuf_list ml = MBUF_LIST_INITIALIZER();
2892 ieee80211_ba_move_window(ic, ni, tid, ssn, &ml);
2893 if_input(&ic->ic_if, &ml);
2894 }
2895 return;
2896 }
2897
2898 /* if PBAC required but RA does not support it, refuse request */
2899 if ((ic->ic_flags & IEEE80211_F_PBAR) &&
2900 (!(ni->ni_flags & IEEE80211_NODE_MFP) ||
2901 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)))
2902 goto refuse;
2903 /*
2904 * If the TID for which the Block Ack agreement is requested is
2905 * configured with a no-ACK policy, refuse the agreement.
2906 */
2907 if (ic->ic_tid_noack & (1 << tid))
2908 goto refuse;
2909
2910 /* check that we support the requested Block Ack Policy */
2911 if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) &&
2912 !(params & IEEE80211_ADDBA_BA_POLICY))
2913 goto refuse;
2914
2915 /* setup Block Ack agreement */
2916 ba->ba_state = IEEE80211_BA_REQUESTED;
2917 ba->ba_timeout_val = timeout * IEEE80211_DUR_TU;
2918 ba->ba_ni = ni;
2919 ba->ba_token = token;
2920 timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba);
2921 timeout_set(&ba->ba_gap_to, ieee80211_input_ba_gap_timeout, ba);
2922 ba->ba_gapwait = 0;
2923 ba->ba_winsize = bufsz;
2924 if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ)
2925 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ;
2926 ba->ba_params = (params & IEEE80211_ADDBA_BA_POLICY);
2927 ba->ba_params |= ((ba->ba_winsize << IEEE80211_ADDBA_BUFSZ_SHIFT) |
2928 (tid << IEEE80211_ADDBA_TID_SHIFT));
2929 ba->ba_params |= IEEE80211_ADDBA_AMSDU;
2930 ba->ba_winstart = ssn;
2931 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff;
2932 /* allocate and setup our reordering buffer */
2933 ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf),
2934 M_DEVBUF, M_NOWAIT | M_ZERO);
2935 if (ba->ba_buf == NULL)
2936 goto refuse;
2937
2938 ba->ba_head = 0;
2939
2940 /* notify drivers of this new Block Ack agreement */
2941 if (ic->ic_ampdu_rx_start != NULL)
2942 err = ic->ic_ampdu_rx_start(ic, ni, tid);
2943 if (err == EBUSY) {
2944 /* driver will accept or refuse agreement when done */
2945 return;
2946 } else if (err) {
2947 /* driver failed to setup, rollback */
2948 ieee80211_addba_req_refuse(ic, ni, tid);
2949 } else
2950 ieee80211_addba_req_accept(ic, ni, tid);
2951 return;
2952
2953 refuse:
2954 /* MLME-ADDBA.response */
2955 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA,
2956 IEEE80211_ACTION_ADDBA_RESP,
2957 IEEE80211_STATUS_REFUSED << 16 | token << 8 | tid);
2958 }
2959
2960 void
ieee80211_addba_req_accept(struct ieee80211com * ic,struct ieee80211_node * ni,uint8_t tid)2961 ieee80211_addba_req_accept(struct ieee80211com *ic, struct ieee80211_node *ni,
2962 uint8_t tid)
2963 {
2964 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
2965
2966 ba->ba_state = IEEE80211_BA_AGREED;
2967 ic->ic_stats.is_ht_rx_ba_agreements++;
2968 /* start Block Ack inactivity timer */
2969 if (ba->ba_timeout_val != 0)
2970 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val);
2971
2972 /* MLME-ADDBA.response */
2973 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA,
2974 IEEE80211_ACTION_ADDBA_RESP,
2975 IEEE80211_STATUS_SUCCESS << 16 | ba->ba_token << 8 | tid);
2976 }
2977
2978 void
ieee80211_addba_req_refuse(struct ieee80211com * ic,struct ieee80211_node * ni,uint8_t tid)2979 ieee80211_addba_req_refuse(struct ieee80211com *ic, struct ieee80211_node *ni,
2980 uint8_t tid)
2981 {
2982 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
2983
2984 free(ba->ba_buf, M_DEVBUF,
2985 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf));
2986 ba->ba_buf = NULL;
2987 ba->ba_state = IEEE80211_BA_INIT;
2988
2989 /* MLME-ADDBA.response */
2990 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA,
2991 IEEE80211_ACTION_ADDBA_RESP,
2992 IEEE80211_STATUS_REFUSED << 16 | ba->ba_token << 8 | tid);
2993 }
2994
2995 /*-
2996 * ADDBA Response frame format:
2997 * [1] Category
2998 * [1] Action
2999 * [1] Dialog Token
3000 * [2] Status Code
3001 * [2] Block Ack Parameter Set
3002 * [2] Block Ack Timeout Value
3003 */
3004 void
ieee80211_recv_addba_resp(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni)3005 ieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m,
3006 struct ieee80211_node *ni)
3007 {
3008 const struct ieee80211_frame *wh;
3009 const u_int8_t *frm;
3010 struct ieee80211_tx_ba *ba;
3011 u_int16_t status, params, bufsz, timeout;
3012 u_int8_t token, tid;
3013 int err = 0;
3014
3015 if (m->m_len < sizeof(*wh) + 9) {
3016 DPRINTF(("frame too short\n"));
3017 return;
3018 }
3019 wh = mtod(m, struct ieee80211_frame *);
3020 frm = (const u_int8_t *)&wh[1];
3021
3022 token = frm[2];
3023 status = LE_READ_2(&frm[3]);
3024 params = LE_READ_2(&frm[5]);
3025 tid = (params >> 2) & 0xf;
3026 bufsz = (params >> 6) & 0x3ff;
3027 timeout = LE_READ_2(&frm[7]);
3028
3029 DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n",
3030 ether_sprintf(ni->ni_macaddr), tid, status));
3031
3032 /*
3033 * Ignore if no ADDBA request has been sent for this RA/TID or
3034 * if we already have a Block Ack agreement.
3035 */
3036 ba = &ni->ni_tx_ba[tid];
3037 if (ba->ba_state != IEEE80211_BA_REQUESTED) {
3038 DPRINTF(("no matching ADDBA req found\n"));
3039 return;
3040 }
3041 if (token != ba->ba_token) {
3042 DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n",
3043 ether_sprintf(ni->ni_macaddr), token, ba->ba_token));
3044 return;
3045 }
3046 /* we got an ADDBA Response matching our request, stop timeout */
3047 timeout_del(&ba->ba_to);
3048
3049 if (status != IEEE80211_STATUS_SUCCESS) {
3050 if (ni->ni_addba_req_intval[tid] <
3051 IEEE80211_ADDBA_REQ_INTVAL_MAX)
3052 ni->ni_addba_req_intval[tid]++;
3053
3054 ieee80211_addba_resp_refuse(ic, ni, tid, status);
3055
3056 /*
3057 * In case the peer believes there is an existing
3058 * block ack agreement with us, try to delete it.
3059 */
3060 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA,
3061 IEEE80211_ACTION_DELBA,
3062 IEEE80211_REASON_SETUP_REQUIRED << 16 | 1 << 8 | tid);
3063 return;
3064 }
3065
3066 /* notify drivers of this new Block Ack agreement */
3067 if (ic->ic_ampdu_tx_start != NULL)
3068 err = ic->ic_ampdu_tx_start(ic, ni, tid);
3069
3070 if (err == EBUSY) {
3071 /* driver will accept or refuse agreement when done */
3072 return;
3073 } else if (err) {
3074 /* driver failed to setup, rollback */
3075 ieee80211_addba_resp_refuse(ic, ni, tid,
3076 IEEE80211_STATUS_UNSPECIFIED);
3077 } else
3078 ieee80211_addba_resp_accept(ic, ni, tid);
3079 }
3080
3081 void
ieee80211_addba_resp_accept(struct ieee80211com * ic,struct ieee80211_node * ni,uint8_t tid)3082 ieee80211_addba_resp_accept(struct ieee80211com *ic,
3083 struct ieee80211_node *ni, uint8_t tid)
3084 {
3085 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
3086
3087 /* MLME-ADDBA.confirm(Success) */
3088 ba->ba_state = IEEE80211_BA_AGREED;
3089 ic->ic_stats.is_ht_tx_ba_agreements++;
3090
3091 /* Reset ADDBA request interval. */
3092 ni->ni_addba_req_intval[tid] = 1;
3093
3094 ni->ni_qos_txseqs[tid] = ba->ba_winstart;
3095
3096 /* start Block Ack inactivity timeout */
3097 if (ba->ba_timeout_val != 0)
3098 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val);
3099 }
3100
3101 void
ieee80211_addba_resp_refuse(struct ieee80211com * ic,struct ieee80211_node * ni,uint8_t tid,uint16_t status)3102 ieee80211_addba_resp_refuse(struct ieee80211com *ic,
3103 struct ieee80211_node *ni, uint8_t tid, uint16_t status)
3104 {
3105 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
3106
3107 /* MLME-ADDBA.confirm(Failure) */
3108 ba->ba_state = IEEE80211_BA_INIT;
3109 }
3110
3111 /*-
3112 * DELBA frame format:
3113 * [1] Category
3114 * [1] Action
3115 * [2] DELBA Parameter Set
3116 * [2] Reason Code
3117 */
3118 void
ieee80211_recv_delba(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni)3119 ieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m,
3120 struct ieee80211_node *ni)
3121 {
3122 const struct ieee80211_frame *wh;
3123 const u_int8_t *frm;
3124 u_int16_t params, reason;
3125 u_int8_t tid;
3126 int i;
3127
3128 if (m->m_len < sizeof(*wh) + 6) {
3129 DPRINTF(("frame too short\n"));
3130 return;
3131 }
3132 wh = mtod(m, struct ieee80211_frame *);
3133 frm = (const u_int8_t *)&wh[1];
3134
3135 params = LE_READ_2(&frm[2]);
3136 reason = LE_READ_2(&frm[4]);
3137 tid = params >> 12;
3138
3139 DPRINTF(("received DELBA from %s, TID %d, reason %d\n",
3140 ether_sprintf(ni->ni_macaddr), tid, reason));
3141
3142 if (params & IEEE80211_DELBA_INITIATOR) {
3143 /* MLME-DELBA.indication(Originator) */
3144 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
3145
3146 if (ba->ba_state != IEEE80211_BA_AGREED) {
3147 DPRINTF(("no matching Block Ack agreement\n"));
3148 return;
3149 }
3150 /* notify drivers of the end of the Block Ack agreement */
3151 if (ic->ic_ampdu_rx_stop != NULL)
3152 ic->ic_ampdu_rx_stop(ic, ni, tid);
3153
3154 ba->ba_state = IEEE80211_BA_INIT;
3155 /* stop Block Ack inactivity timer */
3156 timeout_del(&ba->ba_to);
3157 timeout_del(&ba->ba_gap_to);
3158 ba->ba_gapwait = 0;
3159
3160 if (ba->ba_buf != NULL) {
3161 /* free all MSDUs stored in reordering buffer */
3162 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++)
3163 m_freem(ba->ba_buf[i].m);
3164 /* free reordering buffer */
3165 free(ba->ba_buf, M_DEVBUF,
3166 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf));
3167 ba->ba_buf = NULL;
3168 }
3169 } else {
3170 /* MLME-DELBA.indication(Recipient) */
3171 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
3172
3173 if (ba->ba_state != IEEE80211_BA_AGREED) {
3174 DPRINTF(("no matching Block Ack agreement\n"));
3175 return;
3176 }
3177 /* notify drivers of the end of the Block Ack agreement */
3178 if (ic->ic_ampdu_tx_stop != NULL)
3179 ic->ic_ampdu_tx_stop(ic, ni, tid);
3180
3181 ba->ba_state = IEEE80211_BA_INIT;
3182 /* stop Block Ack inactivity timer */
3183 timeout_del(&ba->ba_to);
3184 }
3185 }
3186
3187 /*-
3188 * SA Query Request frame format:
3189 * [1] Category
3190 * [1] Action
3191 * [2] Transaction Identifier
3192 */
3193 void
ieee80211_recv_sa_query_req(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni)3194 ieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m,
3195 struct ieee80211_node *ni)
3196 {
3197 const struct ieee80211_frame *wh;
3198 const u_int8_t *frm;
3199
3200 if (ic->ic_opmode != IEEE80211_M_STA ||
3201 !(ni->ni_flags & IEEE80211_NODE_MFP)) {
3202 DPRINTF(("unexpected SA Query req from %s\n",
3203 ether_sprintf(ni->ni_macaddr)));
3204 return;
3205 }
3206 if (m->m_len < sizeof(*wh) + 4) {
3207 DPRINTF(("frame too short\n"));
3208 return;
3209 }
3210 wh = mtod(m, struct ieee80211_frame *);
3211 frm = (const u_int8_t *)&wh[1];
3212
3213 /* MLME-SAQuery.indication */
3214
3215 /* save Transaction Identifier for SA Query Response */
3216 ni->ni_sa_query_trid = LE_READ_2(&frm[2]);
3217
3218 /* MLME-SAQuery.response */
3219 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY,
3220 IEEE80211_ACTION_SA_QUERY_RESP, 0);
3221 }
3222
3223 #ifndef IEEE80211_STA_ONLY
3224 /*-
3225 * SA Query Response frame format:
3226 * [1] Category
3227 * [1] Action
3228 * [2] Transaction Identifier
3229 */
3230 void
ieee80211_recv_sa_query_resp(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni)3231 ieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m,
3232 struct ieee80211_node *ni)
3233 {
3234 const struct ieee80211_frame *wh;
3235 const u_int8_t *frm;
3236
3237 /* ignore if we're not engaged in an SA Query with that STA */
3238 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) {
3239 DPRINTF(("unexpected SA Query resp from %s\n",
3240 ether_sprintf(ni->ni_macaddr)));
3241 return;
3242 }
3243 if (m->m_len < sizeof(*wh) + 4) {
3244 DPRINTF(("frame too short\n"));
3245 return;
3246 }
3247 wh = mtod(m, struct ieee80211_frame *);
3248 frm = (const u_int8_t *)&wh[1];
3249
3250 /* check that Transaction Identifier matches */
3251 if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) {
3252 DPRINTF(("transaction identifier does not match\n"));
3253 return;
3254 }
3255 /* MLME-SAQuery.confirm */
3256 timeout_del(&ni->ni_sa_query_to);
3257 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY;
3258 }
3259 #endif
3260
3261 /*-
3262 * Action frame format:
3263 * [1] Category
3264 * [1] Action
3265 */
3266 void
ieee80211_recv_action(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni)3267 ieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m,
3268 struct ieee80211_node *ni)
3269 {
3270 const struct ieee80211_frame *wh;
3271 const u_int8_t *frm;
3272
3273 if (m->m_len < sizeof(*wh) + 2) {
3274 DPRINTF(("frame too short\n"));
3275 return;
3276 }
3277 wh = mtod(m, struct ieee80211_frame *);
3278 frm = (const u_int8_t *)&wh[1];
3279
3280 switch (frm[0]) {
3281 case IEEE80211_CATEG_BA:
3282 switch (frm[1]) {
3283 case IEEE80211_ACTION_ADDBA_REQ:
3284 ieee80211_recv_addba_req(ic, m, ni);
3285 break;
3286 case IEEE80211_ACTION_ADDBA_RESP:
3287 ieee80211_recv_addba_resp(ic, m, ni);
3288 break;
3289 case IEEE80211_ACTION_DELBA:
3290 ieee80211_recv_delba(ic, m, ni);
3291 break;
3292 }
3293 break;
3294 case IEEE80211_CATEG_SA_QUERY:
3295 switch (frm[1]) {
3296 case IEEE80211_ACTION_SA_QUERY_REQ:
3297 ieee80211_recv_sa_query_req(ic, m, ni);
3298 break;
3299 #ifndef IEEE80211_STA_ONLY
3300 case IEEE80211_ACTION_SA_QUERY_RESP:
3301 ieee80211_recv_sa_query_resp(ic, m, ni);
3302 break;
3303 #endif
3304 }
3305 break;
3306 default:
3307 DPRINTF(("action frame category %d not handled\n", frm[0]));
3308 break;
3309 }
3310 }
3311
3312 void
ieee80211_recv_mgmt(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni,struct ieee80211_rxinfo * rxi,int subtype)3313 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m,
3314 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype)
3315 {
3316 switch (subtype) {
3317 case IEEE80211_FC0_SUBTYPE_BEACON:
3318 ieee80211_recv_probe_resp(ic, m, ni, rxi, 0);
3319 break;
3320 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
3321 ieee80211_recv_probe_resp(ic, m, ni, rxi, 1);
3322 break;
3323 #ifndef IEEE80211_STA_ONLY
3324 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
3325 ieee80211_recv_probe_req(ic, m, ni, rxi);
3326 break;
3327 #endif
3328 case IEEE80211_FC0_SUBTYPE_AUTH:
3329 ieee80211_recv_auth(ic, m, ni, rxi);
3330 break;
3331 #ifndef IEEE80211_STA_ONLY
3332 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
3333 ieee80211_recv_assoc_req(ic, m, ni, rxi, 0);
3334 break;
3335 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
3336 ieee80211_recv_assoc_req(ic, m, ni, rxi, 1);
3337 break;
3338 #endif
3339 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
3340 ieee80211_recv_assoc_resp(ic, m, ni, 0);
3341 break;
3342 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
3343 ieee80211_recv_assoc_resp(ic, m, ni, 1);
3344 break;
3345 case IEEE80211_FC0_SUBTYPE_DEAUTH:
3346 ieee80211_recv_deauth(ic, m, ni);
3347 break;
3348 case IEEE80211_FC0_SUBTYPE_DISASSOC:
3349 ieee80211_recv_disassoc(ic, m, ni);
3350 break;
3351 case IEEE80211_FC0_SUBTYPE_ACTION:
3352 ieee80211_recv_action(ic, m, ni);
3353 break;
3354 default:
3355 DPRINTF(("mgmt frame with subtype 0x%x not handled\n",
3356 subtype));
3357 ic->ic_stats.is_rx_badsubtype++;
3358 break;
3359 }
3360 }
3361
3362 #ifndef IEEE80211_STA_ONLY
3363 /*
3364 * Process an incoming PS-Poll control frame (see 11.2).
3365 */
3366 void
ieee80211_recv_pspoll(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni)3367 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m,
3368 struct ieee80211_node *ni)
3369 {
3370 struct ifnet *ifp = &ic->ic_if;
3371 struct ieee80211_frame_pspoll *psp;
3372 struct ieee80211_frame *wh;
3373 u_int16_t aid;
3374
3375 if (ic->ic_opmode != IEEE80211_M_HOSTAP ||
3376 !(ic->ic_caps & IEEE80211_C_APPMGT) ||
3377 ni->ni_state != IEEE80211_STA_ASSOC)
3378 return;
3379
3380 if (m->m_len < sizeof(*psp)) {
3381 DPRINTF(("frame too short, len %u\n", m->m_len));
3382 ic->ic_stats.is_rx_tooshort++;
3383 return;
3384 }
3385 psp = mtod(m, struct ieee80211_frame_pspoll *);
3386 if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) {
3387 DPRINTF(("discard pspoll frame to BSS %s\n",
3388 ether_sprintf(psp->i_bssid)));
3389 ic->ic_stats.is_rx_wrongbss++;
3390 return;
3391 }
3392 aid = letoh16(*(u_int16_t *)psp->i_aid);
3393 if (aid != ni->ni_associd) {
3394 DPRINTF(("invalid pspoll aid %x from %s\n", aid,
3395 ether_sprintf(psp->i_ta)));
3396 return;
3397 }
3398
3399 /* take the first queued frame and put it out.. */
3400 m = mq_dequeue(&ni->ni_savedq);
3401 if (m == NULL)
3402 return;
3403 if (mq_empty(&ni->ni_savedq)) {
3404 /* last queued frame, turn off the TIM bit */
3405 (*ic->ic_set_tim)(ic, ni->ni_associd, 0);
3406 } else {
3407 /* more queued frames, set the more data bit */
3408 wh = mtod(m, struct ieee80211_frame *);
3409 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA;
3410 }
3411 mq_enqueue(&ic->ic_pwrsaveq, m);
3412 if_start(ifp);
3413 }
3414 #endif /* IEEE80211_STA_ONLY */
3415
3416 /*
3417 * Process an incoming BlockAckReq control frame (see 7.2.1.7).
3418 */
3419 void
ieee80211_recv_bar(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni)3420 ieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m,
3421 struct ieee80211_node *ni)
3422 {
3423 const struct ieee80211_frame_min *wh;
3424 const u_int8_t *frm;
3425 u_int16_t ctl, ssn;
3426 u_int8_t tid, ntids;
3427
3428 if (!(ni->ni_flags & IEEE80211_NODE_HT)) {
3429 DPRINTF(("received BlockAckReq from non-HT STA %s\n",
3430 ether_sprintf(ni->ni_macaddr)));
3431 return;
3432 }
3433 if (m->m_len < sizeof(*wh) + 4) {
3434 DPRINTF(("frame too short\n"));
3435 return;
3436 }
3437 wh = mtod(m, struct ieee80211_frame_min *);
3438 frm = (const u_int8_t *)&wh[1];
3439
3440 /* read BlockAckReq Control field */
3441 ctl = LE_READ_2(&frm[0]);
3442 tid = ctl >> 12;
3443
3444 /* determine BlockAckReq frame variant */
3445 if (ctl & IEEE80211_BA_MULTI_TID) {
3446 /* Multi-TID BlockAckReq variant (PSMP only) */
3447 ntids = tid + 1;
3448
3449 if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) {
3450 DPRINTF(("MTBAR frame too short\n"));
3451 return;
3452 }
3453 frm += 2; /* skip BlockAckReq Control field */
3454 while (ntids-- > 0) {
3455 /* read MTBAR Information field */
3456 tid = LE_READ_2(&frm[0]) >> 12;
3457 ssn = LE_READ_2(&frm[2]) >> 4;
3458 ieee80211_bar_tid(ic, ni, tid, ssn);
3459 frm += 4;
3460 }
3461 } else {
3462 /* Basic or Compressed BlockAckReq variants */
3463 ssn = LE_READ_2(&frm[2]) >> 4;
3464 ieee80211_bar_tid(ic, ni, tid, ssn);
3465 }
3466 }
3467
3468 /*
3469 * Process a BlockAckReq for a specific TID (see 9.10.7.6.3).
3470 * This is the common back-end for all BlockAckReq frame variants.
3471 */
3472 void
ieee80211_bar_tid(struct ieee80211com * ic,struct ieee80211_node * ni,u_int8_t tid,u_int16_t ssn)3473 ieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni,
3474 u_int8_t tid, u_int16_t ssn)
3475 {
3476 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
3477
3478 /* check if we have a Block Ack agreement for RA/TID */
3479 if (ba->ba_state != IEEE80211_BA_AGREED) {
3480 /* XXX not sure in PBAC case */
3481 /* send a DELBA with reason code UNKNOWN-BA */
3482 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA,
3483 IEEE80211_ACTION_DELBA,
3484 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid);
3485 return;
3486 }
3487 /* check if it is a Protected Block Ack agreement */
3488 if ((ni->ni_flags & IEEE80211_NODE_MFP) &&
3489 (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) {
3490 /* ADDBA Requests must be used in PBAC case */
3491 if (SEQ_LT(ssn, ba->ba_winstart) ||
3492 SEQ_LT(ba->ba_winend, ssn))
3493 ic->ic_stats.is_pbac_errs++;
3494 return; /* PBAC, do not move window */
3495 }
3496 /* reset Block Ack inactivity timer */
3497 if (ba->ba_timeout_val != 0)
3498 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val);
3499
3500 if (SEQ_LT(ba->ba_winstart, ssn)) {
3501 struct mbuf_list ml = MBUF_LIST_INITIALIZER();
3502 ieee80211_ba_move_window(ic, ni, tid, ssn, &ml);
3503 if_input(&ic->ic_if, &ml);
3504 }
3505 }
3506