1 /* $OpenBSD: ieee80211_input.c,v 1.254 2024/05/23 11:19:13 stsp Exp $ */ 2 /* $NetBSD: ieee80211_input.c,v 1.24 2004/05/31 11:12:24 dyoung Exp $ */ 3 4 /*- 5 * Copyright (c) 2001 Atsushi Onoe 6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 7 * Copyright (c) 2007-2009 Damien Bergamini 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include "bpfilter.h" 34 35 #include <sys/param.h> 36 #include <sys/systm.h> 37 #include <sys/mbuf.h> 38 #include <sys/malloc.h> 39 #include <sys/kernel.h> 40 #include <sys/socket.h> 41 #include <sys/sockio.h> 42 #include <sys/endian.h> 43 #include <sys/errno.h> 44 #include <sys/sysctl.h> 45 #include <sys/task.h> 46 47 #include <net/if.h> 48 #include <net/if_dl.h> 49 #include <net/if_media.h> 50 #include <net/if_llc.h> 51 52 #if NBPFILTER > 0 53 #include <net/bpf.h> 54 #endif 55 56 #include <netinet/in.h> 57 #include <netinet/if_ether.h> 58 59 #include <net80211/ieee80211_var.h> 60 #include <net80211/ieee80211_priv.h> 61 62 struct mbuf *ieee80211_input_hwdecrypt(struct ieee80211com *, 63 struct ieee80211_node *, struct mbuf *, 64 struct ieee80211_rxinfo *rxi); 65 struct mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int); 66 void ieee80211_defrag_timeout(void *); 67 void ieee80211_input_ba(struct ieee80211com *, struct mbuf *, 68 struct ieee80211_node *, int, struct ieee80211_rxinfo *, 69 struct mbuf_list *); 70 void ieee80211_input_ba_flush(struct ieee80211com *, struct ieee80211_node *, 71 struct ieee80211_rx_ba *, struct mbuf_list *); 72 int ieee80211_input_ba_gap_skip(struct ieee80211_rx_ba *); 73 void ieee80211_input_ba_gap_timeout(void *arg); 74 void ieee80211_ba_move_window(struct ieee80211com *, 75 struct ieee80211_node *, u_int8_t, u_int16_t, struct mbuf_list *); 76 void ieee80211_input_ba_seq(struct ieee80211com *, 77 struct ieee80211_node *, uint8_t, uint16_t, struct mbuf_list *); 78 void ieee80211_decap(struct ieee80211com *, struct mbuf *, 79 struct ieee80211_node *, int, struct mbuf_list *); 80 int ieee80211_amsdu_decap_validate(struct ieee80211com *, struct mbuf *, 81 struct ieee80211_node *); 82 void ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *, 83 struct ieee80211_node *, int, struct mbuf_list *); 84 void ieee80211_enqueue_data(struct ieee80211com *, struct mbuf *, 85 struct ieee80211_node *, int, struct mbuf_list *); 86 int ieee80211_parse_edca_params_body(struct ieee80211com *, 87 const u_int8_t *); 88 int ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *); 89 int ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *); 90 enum ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t *); 91 enum ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t *); 92 int ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *, 93 u_int, struct ieee80211_rsnparams *); 94 int ieee80211_save_ie(const u_int8_t *, u_int8_t **); 95 void ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *, 96 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 97 #ifndef IEEE80211_STA_ONLY 98 void ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *, 99 struct ieee80211_node *, struct ieee80211_rxinfo *); 100 #endif 101 void ieee80211_recv_auth(struct ieee80211com *, struct mbuf *, 102 struct ieee80211_node *, struct ieee80211_rxinfo *); 103 #ifndef IEEE80211_STA_ONLY 104 void ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *, 105 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 106 #endif 107 void ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *, 108 struct ieee80211_node *, int); 109 void ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *, 110 struct ieee80211_node *); 111 void ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *, 112 struct ieee80211_node *); 113 void ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *, 114 struct ieee80211_node *); 115 void ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *, 116 struct ieee80211_node *); 117 void ieee80211_recv_delba(struct ieee80211com *, struct mbuf *, 118 struct ieee80211_node *); 119 void ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *, 120 struct ieee80211_node *); 121 #ifndef IEEE80211_STA_ONLY 122 void ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *, 123 struct ieee80211_node *); 124 #endif 125 void ieee80211_recv_action(struct ieee80211com *, struct mbuf *, 126 struct ieee80211_node *); 127 #ifndef IEEE80211_STA_ONLY 128 void ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *, 129 struct ieee80211_node *); 130 #endif 131 void ieee80211_recv_bar(struct ieee80211com *, struct mbuf *, 132 struct ieee80211_node *); 133 void ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *, 134 u_int8_t, u_int16_t); 135 136 /* 137 * Retrieve the length in bytes of an 802.11 header. 138 */ 139 u_int 140 ieee80211_get_hdrlen(const struct ieee80211_frame *wh) 141 { 142 u_int size = sizeof(*wh); 143 144 /* NB: does not work with control frames */ 145 KASSERT(ieee80211_has_seq(wh)); 146 147 if (ieee80211_has_addr4(wh)) 148 size += IEEE80211_ADDR_LEN; /* i_addr4 */ 149 if (ieee80211_has_qos(wh)) 150 size += sizeof(u_int16_t); /* i_qos */ 151 if (ieee80211_has_htc(wh)) 152 size += sizeof(u_int32_t); /* i_ht */ 153 return size; 154 } 155 156 /* Post-processing for drivers which perform decryption in hardware. */ 157 struct mbuf * 158 ieee80211_input_hwdecrypt(struct ieee80211com *ic, struct ieee80211_node *ni, 159 struct mbuf *m, struct ieee80211_rxinfo *rxi) 160 { 161 struct ieee80211_key *k; 162 struct ieee80211_frame *wh; 163 uint64_t pn, *prsc; 164 int hdrlen; 165 166 k = ieee80211_get_rxkey(ic, m, ni); 167 if (k == NULL) 168 return NULL; 169 170 wh = mtod(m, struct ieee80211_frame *); 171 hdrlen = ieee80211_get_hdrlen(wh); 172 173 /* 174 * Update the last-seen packet number (PN) for drivers using hardware 175 * crypto offloading. This cannot be done by drivers because A-MPDU 176 * reordering needs to occur before a valid lower bound can be 177 * determined for the PN. Drivers will read the PN we write here and 178 * are expected to discard replayed frames based on it. 179 * Drivers are expected to leave the IV of decrypted frames intact 180 * so we can update the last-seen PN and strip the IV here. 181 */ 182 switch (k->k_cipher) { 183 case IEEE80211_CIPHER_CCMP: 184 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 185 /* 186 * If the protected bit is clear then hardware has 187 * stripped the IV and we must trust that it handles 188 * replay detection correctly. 189 */ 190 break; 191 } 192 if (ieee80211_ccmp_get_pn(&pn, &prsc, m, k) != 0) { 193 ic->ic_stats.is_ccmp_dec_errs++; 194 return NULL; 195 } 196 if (rxi->rxi_flags & IEEE80211_RXI_HWDEC_SAME_PN) { 197 if (pn < *prsc) { 198 ic->ic_stats.is_ccmp_replays++; 199 return NULL; 200 } 201 } else if (pn <= *prsc) { 202 ic->ic_stats.is_ccmp_replays++; 203 return NULL; 204 } 205 206 /* Update last-seen packet number. */ 207 *prsc = pn; 208 209 /* Clear Protected bit and strip IV. */ 210 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 211 memmove(mtod(m, caddr_t) + IEEE80211_CCMP_HDRLEN, wh, hdrlen); 212 m_adj(m, IEEE80211_CCMP_HDRLEN); 213 /* Drivers are expected to strip the MIC. */ 214 break; 215 case IEEE80211_CIPHER_TKIP: 216 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 217 /* 218 * If the protected bit is clear then hardware has 219 * stripped the IV and we must trust that it handles 220 * replay detection correctly. 221 */ 222 break; 223 } 224 if (ieee80211_tkip_get_tsc(&pn, &prsc, m, k) != 0) 225 return NULL; 226 if (rxi->rxi_flags & IEEE80211_RXI_HWDEC_SAME_PN) { 227 if (pn < *prsc) { 228 ic->ic_stats.is_tkip_replays++; 229 return NULL; 230 } 231 } else if (pn <= *prsc) { 232 ic->ic_stats.is_tkip_replays++; 233 return NULL; 234 } 235 236 /* Update last-seen packet number. */ 237 *prsc = pn; 238 239 /* Clear Protected bit and strip IV. */ 240 wh = mtod(m, struct ieee80211_frame *); 241 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 242 memmove(mtod(m, caddr_t) + IEEE80211_TKIP_HDRLEN, wh, hdrlen); 243 m_adj(m, IEEE80211_TKIP_HDRLEN); 244 /* Drivers are expected to strip the MIC. */ 245 break; 246 default: 247 break; 248 } 249 250 return m; 251 } 252 253 /* 254 * Process a received frame. The node associated with the sender 255 * should be supplied. If nothing was found in the node table then 256 * the caller is assumed to supply a reference to ic_bss instead. 257 * The RSSI and a timestamp are also supplied. The RSSI data is used 258 * during AP scanning to select a AP to associate with; it can have 259 * any units so long as values have consistent units and higher values 260 * mean ``better signal''. The receive timestamp is currently not used 261 * by the 802.11 layer. 262 * 263 * This function acts on management frames immediately and queues data frames 264 * on the specified mbuf list. Delivery of queued data frames to upper layers 265 * must be triggered with if_input(). Drivers should call if_input() only once 266 * per Rx interrupt to avoid triggering the input ifq pressure drop mechanism 267 * unnecessarily. 268 */ 269 void 270 ieee80211_inputm(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 271 struct ieee80211_rxinfo *rxi, struct mbuf_list *ml) 272 { 273 struct ieee80211com *ic = (void *)ifp; 274 struct ieee80211_frame *wh; 275 u_int16_t *orxseq, nrxseq, qos; 276 u_int8_t dir, type, subtype, tid; 277 int hdrlen, hasqos; 278 279 KASSERT(ni != NULL); 280 281 /* in monitor mode, send everything directly to bpf */ 282 if (ic->ic_opmode == IEEE80211_M_MONITOR) 283 goto out; 284 285 /* 286 * Do not process frames without an Address 2 field any further. 287 * Only CTS and ACK control frames do not have this field. 288 */ 289 if (m->m_len < sizeof(struct ieee80211_frame_min)) { 290 DPRINTF(("frame too short, len %u\n", m->m_len)); 291 ic->ic_stats.is_rx_tooshort++; 292 goto out; 293 } 294 295 wh = mtod(m, struct ieee80211_frame *); 296 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 297 IEEE80211_FC0_VERSION_0) { 298 DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0])); 299 ic->ic_stats.is_rx_badversion++; 300 goto err; 301 } 302 303 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 304 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 305 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 306 307 if (type != IEEE80211_FC0_TYPE_CTL) { 308 hdrlen = ieee80211_get_hdrlen(wh); 309 if (m->m_len < hdrlen) { 310 DPRINTF(("frame too short, len %u\n", m->m_len)); 311 ic->ic_stats.is_rx_tooshort++; 312 goto err; 313 } 314 } else 315 hdrlen = 0; 316 if ((hasqos = ieee80211_has_qos(wh))) { 317 qos = ieee80211_get_qos(wh); 318 tid = qos & IEEE80211_QOS_TID; 319 } else { 320 qos = 0; 321 tid = 0; 322 } 323 324 if (ic->ic_state == IEEE80211_S_RUN && 325 type == IEEE80211_FC0_TYPE_DATA && hasqos && 326 (subtype & IEEE80211_FC0_SUBTYPE_NODATA) == 0 && 327 !(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE) 328 #ifndef IEEE80211_STA_ONLY 329 && (ic->ic_opmode == IEEE80211_M_STA || ni != ic->ic_bss) 330 #endif 331 ) { 332 int ba_state = ni->ni_rx_ba[tid].ba_state; 333 334 #ifndef IEEE80211_STA_ONLY 335 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 336 if (!IEEE80211_ADDR_EQ(wh->i_addr1, 337 ic->ic_bss->ni_bssid)) { 338 ic->ic_stats.is_rx_wrongbss++; 339 goto err; 340 } 341 if (ni->ni_state != IEEE80211_S_ASSOC) { 342 ic->ic_stats.is_rx_notassoc++; 343 goto err; 344 } 345 } 346 #endif 347 /* 348 * If Block Ack was explicitly requested, check 349 * if we have a BA agreement for this RA/TID. 350 */ 351 if ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 352 IEEE80211_QOS_ACK_POLICY_BA && 353 ba_state != IEEE80211_BA_AGREED) { 354 DPRINTF(("no BA agreement for %s, TID %d\n", 355 ether_sprintf(ni->ni_macaddr), tid)); 356 /* send a DELBA with reason code UNKNOWN-BA */ 357 IEEE80211_SEND_ACTION(ic, ni, 358 IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA, 359 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 360 goto err; 361 } 362 363 /* 364 * Check if we have an explicit or implicit 365 * Block Ack Request for a valid BA agreement. 366 */ 367 if (ba_state == IEEE80211_BA_AGREED && 368 ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 369 IEEE80211_QOS_ACK_POLICY_BA || 370 (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 371 IEEE80211_QOS_ACK_POLICY_NORMAL)) { 372 /* go through A-MPDU reordering */ 373 ieee80211_input_ba(ic, m, ni, tid, rxi, ml); 374 return; /* don't free m! */ 375 } else if (ba_state == IEEE80211_BA_REQUESTED && 376 (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 377 IEEE80211_QOS_ACK_POLICY_NORMAL) { 378 /* 379 * Apparently, qos frames for a tid where a 380 * block ack agreement was requested but not 381 * yet confirmed by us should still contribute 382 * to the sequence number for this tid. 383 */ 384 ieee80211_input_ba(ic, m, ni, tid, rxi, ml); 385 return; /* don't free m! */ 386 } 387 } 388 389 /* 390 * We do not yet support fragments. Drop any fragmented packets. 391 * Counter-measure against attacks where an arbitrary packet is 392 * injected via a fragment with attacker-controlled content. 393 * See https://papers.mathyvanhoef.com/usenix2021.pdf 394 * Section 6.8 "Treating fragments as full frames" 395 */ 396 if (ieee80211_has_seq(wh)) { 397 uint16_t rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 398 if ((wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) || 399 (rxseq & IEEE80211_SEQ_FRAG_MASK)) 400 goto err; 401 } 402 403 /* duplicate detection (see 9.2.9) */ 404 if (ieee80211_has_seq(wh) && 405 ic->ic_state != IEEE80211_S_SCAN) { 406 nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >> 407 IEEE80211_SEQ_SEQ_SHIFT; 408 if (hasqos) 409 orxseq = &ni->ni_qos_rxseqs[tid]; 410 else 411 orxseq = &ni->ni_rxseq; 412 if (rxi->rxi_flags & IEEE80211_RXI_SAME_SEQ) { 413 if (nrxseq != *orxseq) { 414 /* duplicate, silently discarded */ 415 ic->ic_stats.is_rx_dup++; 416 goto out; 417 } 418 } else if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 419 nrxseq == *orxseq) { 420 /* duplicate, silently discarded */ 421 ic->ic_stats.is_rx_dup++; 422 goto out; 423 } 424 *orxseq = nrxseq; 425 } 426 if (ic->ic_state > IEEE80211_S_SCAN) { 427 ni->ni_rssi = rxi->rxi_rssi; 428 ni->ni_rstamp = rxi->rxi_tstamp; 429 ni->ni_inact = 0; 430 431 if (ic->ic_state == IEEE80211_S_RUN && ic->ic_bgscan_start) { 432 /* Cancel or start background scan based on RSSI. */ 433 if ((*ic->ic_node_checkrssi)(ic, ni)) 434 timeout_del(&ic->ic_bgscan_timeout); 435 else if (!timeout_pending(&ic->ic_bgscan_timeout) && 436 (ic->ic_flags & IEEE80211_F_BGSCAN) == 0 && 437 (ic->ic_flags & IEEE80211_F_DESBSSID) == 0) 438 timeout_add_msec(&ic->ic_bgscan_timeout, 439 500 * (ic->ic_bgscan_fail + 1)); 440 } 441 } 442 443 #ifndef IEEE80211_STA_ONLY 444 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 445 (ic->ic_caps & IEEE80211_C_APPMGT) && 446 ni->ni_state == IEEE80211_STA_ASSOC) { 447 if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) { 448 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) { 449 /* turn on PS mode */ 450 ni->ni_pwrsave = IEEE80211_PS_DOZE; 451 DPRINTF(("PS mode on for %s\n", 452 ether_sprintf(wh->i_addr2))); 453 } 454 } else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) { 455 struct mbuf *m; 456 457 /* turn off PS mode */ 458 ni->ni_pwrsave = IEEE80211_PS_AWAKE; 459 DPRINTF(("PS mode off for %s\n", 460 ether_sprintf(wh->i_addr2))); 461 462 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 463 464 /* dequeue buffered unicast frames */ 465 while ((m = mq_dequeue(&ni->ni_savedq)) != NULL) { 466 mq_enqueue(&ic->ic_pwrsaveq, m); 467 if_start(ifp); 468 } 469 } 470 } 471 #endif 472 switch (type) { 473 case IEEE80211_FC0_TYPE_DATA: 474 switch (ic->ic_opmode) { 475 case IEEE80211_M_STA: 476 if (dir != IEEE80211_FC1_DIR_FROMDS) { 477 ic->ic_stats.is_rx_wrongdir++; 478 goto out; 479 } 480 if (ic->ic_state != IEEE80211_S_SCAN && 481 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 482 /* Source address is not our BSS. */ 483 DPRINTF(("discard frame from SA %s\n", 484 ether_sprintf(wh->i_addr2))); 485 ic->ic_stats.is_rx_wrongbss++; 486 goto out; 487 } 488 if ((ifp->if_flags & IFF_SIMPLEX) && 489 IEEE80211_IS_MULTICAST(wh->i_addr1) && 490 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 491 /* 492 * In IEEE802.11 network, multicast frame 493 * sent from me is broadcasted from AP. 494 * It should be silently discarded for 495 * SIMPLEX interface. 496 */ 497 ic->ic_stats.is_rx_mcastecho++; 498 goto out; 499 } 500 break; 501 #ifndef IEEE80211_STA_ONLY 502 case IEEE80211_M_IBSS: 503 case IEEE80211_M_AHDEMO: 504 if (dir != IEEE80211_FC1_DIR_NODS) { 505 ic->ic_stats.is_rx_wrongdir++; 506 goto out; 507 } 508 if (ic->ic_state != IEEE80211_S_SCAN && 509 !IEEE80211_ADDR_EQ(wh->i_addr3, 510 ic->ic_bss->ni_bssid) && 511 !IEEE80211_ADDR_EQ(wh->i_addr3, 512 etherbroadcastaddr)) { 513 /* Destination is not our BSS or broadcast. */ 514 DPRINTF(("discard data frame to DA %s\n", 515 ether_sprintf(wh->i_addr3))); 516 ic->ic_stats.is_rx_wrongbss++; 517 goto out; 518 } 519 break; 520 case IEEE80211_M_HOSTAP: 521 if (dir != IEEE80211_FC1_DIR_TODS) { 522 ic->ic_stats.is_rx_wrongdir++; 523 goto out; 524 } 525 if (ic->ic_state != IEEE80211_S_SCAN && 526 !IEEE80211_ADDR_EQ(wh->i_addr1, 527 ic->ic_bss->ni_bssid) && 528 !IEEE80211_ADDR_EQ(wh->i_addr1, 529 etherbroadcastaddr)) { 530 /* BSS is not us or broadcast. */ 531 DPRINTF(("discard data frame to BSS %s\n", 532 ether_sprintf(wh->i_addr1))); 533 ic->ic_stats.is_rx_wrongbss++; 534 goto out; 535 } 536 /* check if source STA is associated */ 537 if (ni == ic->ic_bss) { 538 DPRINTF(("data from unknown src %s\n", 539 ether_sprintf(wh->i_addr2))); 540 /* NB: caller deals with reference */ 541 ni = ieee80211_find_node(ic, wh->i_addr2); 542 if (ni == NULL) 543 ni = ieee80211_dup_bss(ic, wh->i_addr2); 544 if (ni != NULL) { 545 IEEE80211_SEND_MGMT(ic, ni, 546 IEEE80211_FC0_SUBTYPE_DEAUTH, 547 IEEE80211_REASON_NOT_AUTHED); 548 } 549 ic->ic_stats.is_rx_notassoc++; 550 goto err; 551 } 552 if (ni->ni_state != IEEE80211_STA_ASSOC) { 553 DPRINTF(("data from unassoc src %s\n", 554 ether_sprintf(wh->i_addr2))); 555 IEEE80211_SEND_MGMT(ic, ni, 556 IEEE80211_FC0_SUBTYPE_DISASSOC, 557 IEEE80211_REASON_NOT_ASSOCED); 558 ic->ic_stats.is_rx_notassoc++; 559 goto err; 560 } 561 break; 562 #endif /* IEEE80211_STA_ONLY */ 563 default: 564 /* can't get there */ 565 goto out; 566 } 567 568 /* Do not process "no data" frames any further. */ 569 if (subtype & IEEE80211_FC0_SUBTYPE_NODATA) { 570 #if NBPFILTER > 0 571 if (ic->ic_rawbpf) 572 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 573 #endif 574 goto out; 575 } 576 577 if ((ic->ic_flags & IEEE80211_F_WEPON) || 578 ((ic->ic_flags & IEEE80211_F_RSNON) && 579 (ni->ni_flags & IEEE80211_NODE_RXPROT))) { 580 /* protection is on for Rx */ 581 if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 582 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 583 /* drop unencrypted */ 584 ic->ic_stats.is_rx_unencrypted++; 585 goto err; 586 } 587 /* do software decryption */ 588 m = ieee80211_decrypt(ic, m, ni); 589 if (m == NULL) { 590 ic->ic_stats.is_rx_wepfail++; 591 goto err; 592 } 593 } else { 594 m = ieee80211_input_hwdecrypt(ic, ni, m, rxi); 595 if (m == NULL) 596 goto err; 597 } 598 wh = mtod(m, struct ieee80211_frame *); 599 } else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) || 600 (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 601 /* frame encrypted but protection off for Rx */ 602 ic->ic_stats.is_rx_nowep++; 603 goto out; 604 } 605 606 #if NBPFILTER > 0 607 /* copy to listener after decrypt */ 608 if (ic->ic_rawbpf) 609 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 610 #endif 611 612 if ((ni->ni_flags & IEEE80211_NODE_HT) && 613 hasqos && (qos & IEEE80211_QOS_AMSDU)) 614 ieee80211_amsdu_decap(ic, m, ni, hdrlen, ml); 615 else 616 ieee80211_decap(ic, m, ni, hdrlen, ml); 617 return; 618 619 case IEEE80211_FC0_TYPE_MGT: 620 if (dir != IEEE80211_FC1_DIR_NODS) { 621 ic->ic_stats.is_rx_wrongdir++; 622 goto err; 623 } 624 #ifndef IEEE80211_STA_ONLY 625 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 626 ic->ic_stats.is_rx_ahdemo_mgt++; 627 goto out; 628 } 629 #endif 630 /* drop frames without interest */ 631 if (ic->ic_state == IEEE80211_S_SCAN) { 632 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 633 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 634 ic->ic_stats.is_rx_mgtdiscard++; 635 goto out; 636 } 637 } 638 639 if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) { 640 /* MMPDU protection is on for Rx */ 641 if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC || 642 subtype == IEEE80211_FC0_SUBTYPE_DEAUTH || 643 subtype == IEEE80211_FC0_SUBTYPE_ACTION) { 644 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) && 645 !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 646 /* unicast mgmt not encrypted */ 647 goto out; 648 } 649 /* do software decryption */ 650 m = ieee80211_decrypt(ic, m, ni); 651 if (m == NULL) { 652 /* XXX stats */ 653 goto out; 654 } 655 wh = mtod(m, struct ieee80211_frame *); 656 } 657 } else if ((ic->ic_flags & IEEE80211_F_RSNON) && 658 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 659 /* encrypted but MMPDU Rx protection off for TA */ 660 goto out; 661 } 662 663 #if NBPFILTER > 0 664 if (bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN) != 0) { 665 /* 666 * Drop mbuf if it was filtered by bpf. Normally, 667 * this is done in ether_input() but IEEE 802.11 668 * management frames are a special case. 669 */ 670 m_freem(m); 671 return; 672 } 673 #endif 674 (*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype); 675 m_freem(m); 676 return; 677 678 case IEEE80211_FC0_TYPE_CTL: 679 switch (subtype) { 680 #ifndef IEEE80211_STA_ONLY 681 case IEEE80211_FC0_SUBTYPE_PS_POLL: 682 ieee80211_recv_pspoll(ic, m, ni); 683 break; 684 #endif 685 case IEEE80211_FC0_SUBTYPE_BAR: 686 ieee80211_recv_bar(ic, m, ni); 687 break; 688 default: 689 ic->ic_stats.is_rx_ctl++; 690 break; 691 } 692 goto out; 693 694 default: 695 DPRINTF(("bad frame type %x\n", type)); 696 /* should not come here */ 697 break; 698 } 699 err: 700 ifp->if_ierrors++; 701 out: 702 if (m != NULL) { 703 #if NBPFILTER > 0 704 if (ic->ic_rawbpf) 705 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 706 #endif 707 m_freem(m); 708 } 709 } 710 711 /* Input handler for drivers which only receive one frame per interrupt. */ 712 void 713 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 714 struct ieee80211_rxinfo *rxi) 715 { 716 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 717 718 ieee80211_inputm(ifp, m, ni, rxi, &ml); 719 if_input(ifp, &ml); 720 } 721 722 #ifdef notyet 723 /* 724 * Handle defragmentation (see 9.5 and Annex C). We support the concurrent 725 * reception of fragments of three fragmented MSDUs or MMPDUs. 726 */ 727 struct mbuf * 728 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 729 { 730 const struct ieee80211_frame *owh, *wh; 731 struct ieee80211_defrag *df; 732 u_int16_t rxseq, seq; 733 u_int8_t frag; 734 int i; 735 736 wh = mtod(m, struct ieee80211_frame *); 737 rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 738 seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 739 frag = rxseq & IEEE80211_SEQ_FRAG_MASK; 740 741 if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)) 742 return m; /* not fragmented */ 743 744 if (frag == 0) { 745 /* first fragment, setup entry in the fragment cache */ 746 if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE) 747 ic->ic_defrag_cur = 0; 748 df = &ic->ic_defrag[ic->ic_defrag_cur]; 749 m_freem(df->df_m); /* discard old entry */ 750 df->df_seq = seq; 751 df->df_frag = 0; 752 df->df_m = m; 753 /* start receive MSDU timer of aMaxReceiveLifetime */ 754 timeout_add_sec(&df->df_to, 1); 755 return NULL; /* MSDU or MMPDU not yet complete */ 756 } 757 758 /* find matching entry in the fragment cache */ 759 for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) { 760 df = &ic->ic_defrag[i]; 761 if (df->df_m == NULL) 762 continue; 763 if (df->df_seq != seq || df->df_frag + 1 != frag) 764 continue; 765 owh = mtod(df->df_m, struct ieee80211_frame *); 766 /* frame type, source and destination must match */ 767 if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) || 768 !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) || 769 !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2)) 770 continue; 771 /* matching entry found */ 772 break; 773 } 774 if (i == IEEE80211_DEFRAG_SIZE) { 775 /* no matching entry found, discard fragment */ 776 ic->ic_if.if_ierrors++; 777 m_freem(m); 778 return NULL; 779 } 780 781 df->df_frag = frag; 782 /* strip 802.11 header and concatenate fragment */ 783 m_adj(m, hdrlen); 784 m_cat(df->df_m, m); 785 df->df_m->m_pkthdr.len += m->m_pkthdr.len; 786 787 if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) 788 return NULL; /* MSDU or MMPDU not yet complete */ 789 790 /* MSDU or MMPDU complete */ 791 timeout_del(&df->df_to); 792 m = df->df_m; 793 df->df_m = NULL; 794 return m; 795 } 796 797 /* 798 * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime. 799 */ 800 void 801 ieee80211_defrag_timeout(void *arg) 802 { 803 struct ieee80211_defrag *df = arg; 804 int s = splnet(); 805 806 /* discard all received fragments */ 807 m_freem(df->df_m); 808 df->df_m = NULL; 809 810 splx(s); 811 } 812 #endif 813 814 /* 815 * Process a received data MPDU related to a specific HT-immediate Block Ack 816 * agreement (see 9.10.7.6). 817 */ 818 void 819 ieee80211_input_ba(struct ieee80211com *ic, struct mbuf *m, 820 struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi, 821 struct mbuf_list *ml) 822 { 823 struct ifnet *ifp = &ic->ic_if; 824 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 825 struct ieee80211_frame *wh; 826 int idx, count; 827 u_int16_t sn; 828 829 wh = mtod(m, struct ieee80211_frame *); 830 sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 831 832 /* reset Block Ack inactivity timer */ 833 if (ba->ba_timeout_val != 0) 834 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 835 836 if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */ 837 ic->ic_stats.is_ht_rx_frame_below_ba_winstart++; 838 m_freem(m); /* discard the MPDU */ 839 return; 840 } 841 if (SEQ_LT(ba->ba_winend, sn)) { /* WinEndB < SN */ 842 ic->ic_stats.is_ht_rx_frame_above_ba_winend++; 843 count = (sn - ba->ba_winend) & 0xfff; 844 if (count > ba->ba_winsize) { 845 /* 846 * Check whether we're consistently behind the window, 847 * and let the window move forward if necessary. 848 */ 849 if (ba->ba_winmiss < IEEE80211_BA_MAX_WINMISS) { 850 if (ba->ba_missedsn == ((sn - 1) & 0xfff)) 851 ba->ba_winmiss++; 852 else 853 ba->ba_winmiss = 0; 854 ba->ba_missedsn = sn; 855 ifp->if_ierrors++; 856 m_freem(m); /* discard the MPDU */ 857 return; 858 } 859 860 /* It appears the window has moved for real. */ 861 ic->ic_stats.is_ht_rx_ba_window_jump++; 862 ba->ba_winmiss = 0; 863 ba->ba_missedsn = 0; 864 ieee80211_ba_move_window(ic, ni, tid, sn, ml); 865 } else { 866 ic->ic_stats.is_ht_rx_ba_window_slide++; 867 ieee80211_input_ba_seq(ic, ni, tid, 868 (ba->ba_winstart + count) & 0xfff, ml); 869 ieee80211_input_ba_flush(ic, ni, ba, ml); 870 } 871 } 872 /* WinStartB <= SN <= WinEndB */ 873 874 ba->ba_winmiss = 0; 875 ba->ba_missedsn = 0; 876 idx = (sn - ba->ba_winstart) & 0xfff; 877 idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ; 878 /* store the received MPDU in the buffer */ 879 if (ba->ba_buf[idx].m != NULL) { 880 ifp->if_ierrors++; 881 ic->ic_stats.is_ht_rx_ba_no_buf++; 882 m_freem(m); 883 return; 884 } 885 ba->ba_buf[idx].m = m; 886 /* store Rx meta-data too */ 887 rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE; 888 ba->ba_buf[idx].rxi = *rxi; 889 ba->ba_gapwait++; 890 891 if (ba->ba_buf[ba->ba_head].m == NULL && ba->ba_gapwait == 1) 892 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT); 893 894 ieee80211_input_ba_flush(ic, ni, ba, ml); 895 } 896 897 /* 898 * Forward buffered frames with sequence number lower than max_seq. 899 * See 802.11-2012 9.21.7.6.2 b. 900 */ 901 void 902 ieee80211_input_ba_seq(struct ieee80211com *ic, struct ieee80211_node *ni, 903 uint8_t tid, uint16_t max_seq, struct mbuf_list *ml) 904 { 905 struct ifnet *ifp = &ic->ic_if; 906 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 907 struct ieee80211_frame *wh; 908 uint16_t seq; 909 int i = 0; 910 911 while (i++ < ba->ba_winsize) { 912 /* gaps may exist */ 913 if (ba->ba_buf[ba->ba_head].m != NULL) { 914 wh = mtod(ba->ba_buf[ba->ba_head].m, 915 struct ieee80211_frame *); 916 KASSERT(ieee80211_has_seq(wh)); 917 seq = letoh16(*(u_int16_t *)wh->i_seq) >> 918 IEEE80211_SEQ_SEQ_SHIFT; 919 if (!SEQ_LT(seq, max_seq)) 920 break; 921 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, 922 ni, &ba->ba_buf[ba->ba_head].rxi, ml); 923 ba->ba_buf[ba->ba_head].m = NULL; 924 ba->ba_gapwait--; 925 } else 926 ic->ic_stats.is_ht_rx_ba_frame_lost++; 927 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 928 /* move window forward */ 929 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 930 } 931 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 932 } 933 934 /* Flush a consecutive sequence of frames from the reorder buffer. */ 935 void 936 ieee80211_input_ba_flush(struct ieee80211com *ic, struct ieee80211_node *ni, 937 struct ieee80211_rx_ba *ba, struct mbuf_list *ml) 938 939 { 940 struct ifnet *ifp = &ic->ic_if; 941 942 /* Do not re-arm the gap timeout if we made no progress. */ 943 if (ba->ba_buf[ba->ba_head].m == NULL) 944 return; 945 946 /* pass reordered MPDUs up to the next MAC process */ 947 while (ba->ba_buf[ba->ba_head].m != NULL) { 948 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni, 949 &ba->ba_buf[ba->ba_head].rxi, ml); 950 ba->ba_buf[ba->ba_head].m = NULL; 951 ba->ba_gapwait--; 952 953 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 954 /* move window forward */ 955 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 956 } 957 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 958 959 if (timeout_pending(&ba->ba_gap_to)) 960 timeout_del(&ba->ba_gap_to); 961 if (ba->ba_gapwait) 962 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT); 963 } 964 965 /* 966 * Forcibly move the BA window forward to remove a leading gap which has 967 * been causing frames to linger in the reordering buffer for too long. 968 * A leading gap will occur if a particular A-MPDU subframe never arrives 969 * or if a bug in the sender causes sequence numbers to jump forward by > 1. 970 */ 971 int 972 ieee80211_input_ba_gap_skip(struct ieee80211_rx_ba *ba) 973 { 974 int skipped = 0; 975 976 while (skipped < ba->ba_winsize && ba->ba_buf[ba->ba_head].m == NULL) { 977 /* move window forward */ 978 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 979 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 980 skipped++; 981 } 982 if (skipped > 0) 983 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 984 985 return skipped; 986 } 987 988 void 989 ieee80211_input_ba_gap_timeout(void *arg) 990 { 991 struct ieee80211_rx_ba *ba = arg; 992 struct ieee80211_node *ni = ba->ba_ni; 993 struct ieee80211com *ic = ni->ni_ic; 994 int s, skipped; 995 996 ic->ic_stats.is_ht_rx_ba_window_gap_timeout++; 997 998 s = splnet(); 999 1000 skipped = ieee80211_input_ba_gap_skip(ba); 1001 ic->ic_stats.is_ht_rx_ba_frame_lost += skipped; 1002 if (skipped) { 1003 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 1004 ieee80211_input_ba_flush(ic, ni, ba, &ml); 1005 if_input(&ic->ic_if, &ml); 1006 } 1007 1008 splx(s); 1009 } 1010 1011 1012 /* 1013 * Change the value of WinStartB (move window forward) upon reception of a 1014 * BlockAckReq frame or an ADDBA Request (PBAC). 1015 */ 1016 void 1017 ieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni, 1018 u_int8_t tid, u_int16_t ssn, struct mbuf_list *ml) 1019 { 1020 struct ifnet *ifp = &ic->ic_if; 1021 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 1022 int count; 1023 1024 /* assert(WinStartB <= SSN) */ 1025 1026 count = (ssn - ba->ba_winstart) & 0xfff; 1027 if (count > ba->ba_winsize) /* no overlap */ 1028 count = ba->ba_winsize; 1029 while (count-- > 0) { 1030 /* gaps may exist */ 1031 if (ba->ba_buf[ba->ba_head].m != NULL) { 1032 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni, 1033 &ba->ba_buf[ba->ba_head].rxi, ml); 1034 ba->ba_buf[ba->ba_head].m = NULL; 1035 ba->ba_gapwait--; 1036 } else 1037 ic->ic_stats.is_ht_rx_ba_frame_lost++; 1038 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 1039 } 1040 /* move window forward */ 1041 ba->ba_winstart = ssn; 1042 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 1043 1044 ieee80211_input_ba_flush(ic, ni, ba, ml); 1045 } 1046 1047 void 1048 ieee80211_enqueue_data(struct ieee80211com *ic, struct mbuf *m, 1049 struct ieee80211_node *ni, int mcast, struct mbuf_list *ml) 1050 { 1051 struct ifnet *ifp = &ic->ic_if; 1052 struct ether_header *eh; 1053 struct mbuf *m1; 1054 1055 eh = mtod(m, struct ether_header *); 1056 1057 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid && 1058 eh->ether_type != htons(ETHERTYPE_EAPOL)) { 1059 DPRINTF(("port not valid: %s\n", 1060 ether_sprintf(eh->ether_dhost))); 1061 ic->ic_stats.is_rx_unauth++; 1062 m_freem(m); 1063 return; 1064 } 1065 1066 /* 1067 * Perform as a bridge within the AP. Notice that we do not 1068 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X. 1069 * And we do not forward unicast frames received on a multicast address. 1070 */ 1071 m1 = NULL; 1072 #ifndef IEEE80211_STA_ONLY 1073 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 1074 !(ic->ic_userflags & IEEE80211_F_NOBRIDGE) && 1075 eh->ether_type != htons(ETHERTYPE_EAPOL)) { 1076 struct ieee80211_node *ni1; 1077 1078 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 1079 m1 = m_dup_pkt(m, ETHER_ALIGN, M_DONTWAIT); 1080 if (m1 == NULL) 1081 ifp->if_oerrors++; 1082 else 1083 m1->m_flags |= M_MCAST; 1084 } else if (!mcast) { 1085 ni1 = ieee80211_find_node(ic, eh->ether_dhost); 1086 if (ni1 != NULL && 1087 ni1->ni_state == IEEE80211_STA_ASSOC) { 1088 m1 = m; 1089 m = NULL; 1090 } 1091 } 1092 if (m1 != NULL) { 1093 if (if_enqueue(ifp, m1)) 1094 ifp->if_oerrors++; 1095 } 1096 } 1097 #endif 1098 if (m != NULL) { 1099 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1100 eh->ether_type == htons(ETHERTYPE_EAPOL)) { 1101 ifp->if_ipackets++; 1102 #if NBPFILTER > 0 1103 /* 1104 * If we forward frame into transmitter of the AP, 1105 * we don't need to duplicate for DLT_EN10MB. 1106 */ 1107 if (ifp->if_bpf && m1 == NULL) 1108 bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN); 1109 #endif 1110 ieee80211_eapol_key_input(ic, m, ni); 1111 } else { 1112 ml_enqueue(ml, m); 1113 } 1114 } 1115 } 1116 1117 void 1118 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, 1119 struct ieee80211_node *ni, int hdrlen, struct mbuf_list *ml) 1120 { 1121 struct ether_header eh; 1122 struct ieee80211_frame *wh; 1123 struct llc *llc; 1124 int mcast; 1125 1126 if (m->m_len < hdrlen + LLC_SNAPFRAMELEN && 1127 (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) { 1128 ic->ic_stats.is_rx_decap++; 1129 return; 1130 } 1131 wh = mtod(m, struct ieee80211_frame *); 1132 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 1133 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 1134 case IEEE80211_FC1_DIR_NODS: 1135 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 1136 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 1137 break; 1138 case IEEE80211_FC1_DIR_TODS: 1139 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 1140 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 1141 break; 1142 case IEEE80211_FC1_DIR_FROMDS: 1143 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 1144 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr3); 1145 break; 1146 case IEEE80211_FC1_DIR_DSTODS: 1147 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 1148 IEEE80211_ADDR_COPY(eh.ether_shost, 1149 ((struct ieee80211_frame_addr4 *)wh)->i_addr4); 1150 break; 1151 } 1152 llc = (struct llc *)((caddr_t)wh + hdrlen); 1153 if (llc->llc_dsap == LLC_SNAP_LSAP && 1154 llc->llc_ssap == LLC_SNAP_LSAP && 1155 llc->llc_control == LLC_UI && 1156 llc->llc_snap.org_code[0] == 0 && 1157 llc->llc_snap.org_code[1] == 0 && 1158 llc->llc_snap.org_code[2] == 0) { 1159 eh.ether_type = llc->llc_snap.ether_type; 1160 m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN); 1161 } else { 1162 eh.ether_type = htons(m->m_pkthdr.len - hdrlen); 1163 m_adj(m, hdrlen - ETHER_HDR_LEN); 1164 } 1165 memcpy(mtod(m, caddr_t), &eh, ETHER_HDR_LEN); 1166 if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) { 1167 struct mbuf *m0 = m; 1168 m = m_dup_pkt(m0, ETHER_ALIGN, M_NOWAIT); 1169 m_freem(m0); 1170 if (m == NULL) { 1171 ic->ic_stats.is_rx_decap++; 1172 return; 1173 } 1174 } 1175 ieee80211_enqueue_data(ic, m, ni, mcast, ml); 1176 } 1177 1178 int 1179 ieee80211_amsdu_decap_validate(struct ieee80211com *ic, struct mbuf *m, 1180 struct ieee80211_node *ni) 1181 { 1182 struct ether_header *eh = mtod(m, struct ether_header *); 1183 const uint8_t llc_hdr_mac[ETHER_ADDR_LEN] = { 1184 /* MAC address matching the 802.2 LLC header. */ 1185 LLC_SNAP_LSAP, LLC_SNAP_LSAP, LLC_UI, 0, 0, 0 1186 }; 1187 1188 /* 1189 * We are sorry, but this particular MAC address cannot be used. 1190 * This mitigates an attack where a single 802.11 frame is interpreted 1191 * as an A-MSDU because of a forged AMSDU-present bit in the 802.11 1192 * QoS frame header: https://papers.mathyvanhoef.com/usenix2021.pdf 1193 * See Section 7.2, 'Countermeasures for the design flaws' 1194 */ 1195 if (ETHER_IS_EQ(eh->ether_dhost, llc_hdr_mac)) 1196 return 1; 1197 1198 switch (ic->ic_opmode) { 1199 #ifndef IEEE80211_STA_ONLY 1200 case IEEE80211_M_HOSTAP: 1201 /* 1202 * Subframes must use the source address of the node which 1203 * transmitted the A-MSDU. Prevents MAC spoofing. 1204 */ 1205 if (!ETHER_IS_EQ(ni->ni_macaddr, eh->ether_shost)) 1206 return 1; 1207 break; 1208 #endif 1209 case IEEE80211_M_STA: 1210 /* Subframes must be addressed to me. */ 1211 if (!ETHER_IS_EQ(ic->ic_myaddr, eh->ether_dhost)) 1212 return 1; 1213 break; 1214 default: 1215 /* Ignore MONITOR/IBSS modes for now. */ 1216 break; 1217 } 1218 1219 return 0; 1220 } 1221 1222 /* 1223 * Decapsulate an Aggregate MSDU (see 7.2.2.2). 1224 */ 1225 void 1226 ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m, 1227 struct ieee80211_node *ni, int hdrlen, struct mbuf_list *ml) 1228 { 1229 struct mbuf *n; 1230 struct ether_header *eh; 1231 struct llc *llc; 1232 int len, pad, mcast; 1233 struct ieee80211_frame *wh; 1234 struct mbuf_list subframes = MBUF_LIST_INITIALIZER(); 1235 1236 wh = mtod(m, struct ieee80211_frame *); 1237 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 1238 1239 /* strip 802.11 header */ 1240 m_adj(m, hdrlen); 1241 1242 while (m->m_pkthdr.len >= ETHER_HDR_LEN + LLC_SNAPFRAMELEN) { 1243 /* process an A-MSDU subframe */ 1244 m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN); 1245 if (m == NULL) 1246 break; 1247 eh = mtod(m, struct ether_header *); 1248 /* examine 802.3 header */ 1249 len = ntohs(eh->ether_type); 1250 if (len < LLC_SNAPFRAMELEN) { 1251 DPRINTF(("A-MSDU subframe too short (%d)\n", len)); 1252 /* stop processing A-MSDU subframes */ 1253 ic->ic_stats.is_rx_decap++; 1254 ml_purge(&subframes); 1255 m_freem(m); 1256 return; 1257 } 1258 llc = (struct llc *)&eh[1]; 1259 /* Examine the 802.2 LLC header after the A-MSDU header. */ 1260 if (llc->llc_dsap == LLC_SNAP_LSAP && 1261 llc->llc_ssap == LLC_SNAP_LSAP && 1262 llc->llc_control == LLC_UI && 1263 llc->llc_snap.org_code[0] == 0 && 1264 llc->llc_snap.org_code[1] == 0 && 1265 llc->llc_snap.org_code[2] == 0) { 1266 /* convert to Ethernet II header */ 1267 eh->ether_type = llc->llc_snap.ether_type; 1268 /* strip LLC+SNAP headers */ 1269 memmove((u_int8_t *)eh + LLC_SNAPFRAMELEN, eh, 1270 ETHER_HDR_LEN); 1271 m_adj(m, LLC_SNAPFRAMELEN); 1272 len -= LLC_SNAPFRAMELEN; 1273 } 1274 len += ETHER_HDR_LEN; 1275 if (len > m->m_pkthdr.len) { 1276 /* stop processing A-MSDU subframes */ 1277 DPRINTF(("A-MSDU subframe too long (%d)\n", len)); 1278 ic->ic_stats.is_rx_decap++; 1279 ml_purge(&subframes); 1280 m_freem(m); 1281 return; 1282 } 1283 1284 /* "detach" our A-MSDU subframe from the others */ 1285 n = m_split(m, len, M_NOWAIT); 1286 if (n == NULL) { 1287 /* stop processing A-MSDU subframes */ 1288 ic->ic_stats.is_rx_decap++; 1289 ml_purge(&subframes); 1290 m_freem(m); 1291 return; 1292 } 1293 1294 if (ieee80211_amsdu_decap_validate(ic, m, ni)) { 1295 /* stop processing A-MSDU subframes */ 1296 ic->ic_stats.is_rx_decap++; 1297 ml_purge(&subframes); 1298 m_freem(m); 1299 return; 1300 } 1301 1302 ml_enqueue(&subframes, m); 1303 1304 m = n; 1305 /* remove padding */ 1306 pad = ((len + 3) & ~3) - len; 1307 m_adj(m, pad); 1308 } 1309 1310 while ((n = ml_dequeue(&subframes)) != NULL) 1311 ieee80211_enqueue_data(ic, n, ni, mcast, ml); 1312 1313 m_freem(m); 1314 } 1315 1316 /* 1317 * Parse an EDCA Parameter Set element (see 7.3.2.27). 1318 */ 1319 int 1320 ieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm) 1321 { 1322 u_int updtcount; 1323 int aci; 1324 1325 /* 1326 * Check if EDCA parameters have changed XXX if we miss more than 1327 * 15 consecutive beacons, we might not detect changes to EDCA 1328 * parameters due to wraparound of the 4-bit Update Count field. 1329 */ 1330 updtcount = frm[0] & 0xf; 1331 if (updtcount == ic->ic_edca_updtcount) 1332 return 0; /* no changes to EDCA parameters, ignore */ 1333 ic->ic_edca_updtcount = updtcount; 1334 1335 frm += 2; /* skip QoS Info & Reserved fields */ 1336 1337 /* parse AC Parameter Records */ 1338 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 1339 struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci]; 1340 1341 ac->ac_acm = (frm[0] >> 4) & 0x1; 1342 ac->ac_aifsn = frm[0] & 0xf; 1343 ac->ac_ecwmin = frm[1] & 0xf; 1344 ac->ac_ecwmax = frm[1] >> 4; 1345 ac->ac_txoplimit = LE_READ_2(frm + 2); 1346 frm += 4; 1347 } 1348 /* give drivers a chance to update their settings */ 1349 if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL) 1350 (*ic->ic_updateedca)(ic); 1351 1352 return 0; 1353 } 1354 1355 int 1356 ieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm) 1357 { 1358 if (frm[1] < 18) { 1359 ic->ic_stats.is_rx_elem_toosmall++; 1360 return IEEE80211_REASON_IE_INVALID; 1361 } 1362 return ieee80211_parse_edca_params_body(ic, frm + 2); 1363 } 1364 1365 int 1366 ieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm) 1367 { 1368 if (frm[1] < 24) { 1369 ic->ic_stats.is_rx_elem_toosmall++; 1370 return IEEE80211_REASON_IE_INVALID; 1371 } 1372 return ieee80211_parse_edca_params_body(ic, frm + 8); 1373 } 1374 1375 enum ieee80211_cipher 1376 ieee80211_parse_rsn_cipher(const u_int8_t selector[4]) 1377 { 1378 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1379 switch (selector[3]) { 1380 case 0: /* use group data cipher suite */ 1381 return IEEE80211_CIPHER_USEGROUP; 1382 case 1: /* WEP-40 */ 1383 return IEEE80211_CIPHER_WEP40; 1384 case 2: /* TKIP */ 1385 return IEEE80211_CIPHER_TKIP; 1386 case 4: /* CCMP (RSNA default) */ 1387 return IEEE80211_CIPHER_CCMP; 1388 case 5: /* WEP-104 */ 1389 return IEEE80211_CIPHER_WEP104; 1390 } 1391 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1392 /* see 802.11-2012 Table 8-99 */ 1393 switch (selector[3]) { 1394 case 0: /* use group data cipher suite */ 1395 return IEEE80211_CIPHER_USEGROUP; 1396 case 1: /* WEP-40 */ 1397 return IEEE80211_CIPHER_WEP40; 1398 case 2: /* TKIP */ 1399 return IEEE80211_CIPHER_TKIP; 1400 case 4: /* CCMP (RSNA default) */ 1401 return IEEE80211_CIPHER_CCMP; 1402 case 5: /* WEP-104 */ 1403 return IEEE80211_CIPHER_WEP104; 1404 case 6: /* BIP */ 1405 return IEEE80211_CIPHER_BIP; 1406 } 1407 } 1408 return IEEE80211_CIPHER_NONE; /* ignore unknown ciphers */ 1409 } 1410 1411 enum ieee80211_akm 1412 ieee80211_parse_rsn_akm(const u_int8_t selector[4]) 1413 { 1414 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1415 switch (selector[3]) { 1416 case 1: /* IEEE 802.1X (RSNA default) */ 1417 return IEEE80211_AKM_8021X; 1418 case 2: /* PSK */ 1419 return IEEE80211_AKM_PSK; 1420 } 1421 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1422 /* from IEEE Std 802.11i-2004 - Table 20dc */ 1423 switch (selector[3]) { 1424 case 1: /* IEEE 802.1X (RSNA default) */ 1425 return IEEE80211_AKM_8021X; 1426 case 2: /* PSK */ 1427 return IEEE80211_AKM_PSK; 1428 case 5: /* IEEE 802.1X with SHA256 KDF */ 1429 return IEEE80211_AKM_SHA256_8021X; 1430 case 6: /* PSK with SHA256 KDF */ 1431 return IEEE80211_AKM_SHA256_PSK; 1432 } 1433 } 1434 return IEEE80211_AKM_NONE; /* ignore unknown AKMs */ 1435 } 1436 1437 /* 1438 * Parse an RSN element (see 802.11-2012 8.4.2.27) 1439 */ 1440 int 1441 ieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm, 1442 u_int len, struct ieee80211_rsnparams *rsn) 1443 { 1444 const u_int8_t *efrm; 1445 u_int16_t m, n, s; 1446 1447 efrm = frm + len; 1448 1449 /* check Version field */ 1450 if (LE_READ_2(frm) != 1) 1451 return IEEE80211_STATUS_RSN_IE_VER_UNSUP; 1452 frm += 2; 1453 1454 /* all fields after the Version field are optional */ 1455 1456 /* if Cipher Suite missing, default to CCMP */ 1457 rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP; 1458 rsn->rsn_nciphers = 1; 1459 rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP; 1460 /* if Group Management Cipher Suite missing, default to BIP */ 1461 rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP; 1462 /* if AKM Suite missing, default to 802.1X */ 1463 rsn->rsn_nakms = 1; 1464 rsn->rsn_akms = IEEE80211_AKM_8021X; 1465 /* if RSN capabilities missing, default to 0 */ 1466 rsn->rsn_caps = 0; 1467 rsn->rsn_npmkids = 0; 1468 1469 /* read Group Data Cipher Suite field */ 1470 if (frm + 4 > efrm) 1471 return 0; 1472 rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm); 1473 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_NONE || 1474 rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP || 1475 rsn->rsn_groupcipher == IEEE80211_CIPHER_BIP) 1476 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1477 frm += 4; 1478 1479 /* read Pairwise Cipher Suite Count field */ 1480 if (frm + 2 > efrm) 1481 return 0; 1482 m = rsn->rsn_nciphers = LE_READ_2(frm); 1483 frm += 2; 1484 1485 /* read Pairwise Cipher Suite List */ 1486 if (frm + m * 4 > efrm) 1487 return IEEE80211_STATUS_IE_INVALID; 1488 rsn->rsn_ciphers = IEEE80211_CIPHER_NONE; 1489 while (m-- > 0) { 1490 rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm); 1491 frm += 4; 1492 } 1493 if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) { 1494 if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP) 1495 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1496 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP) 1497 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1498 } 1499 1500 /* read AKM Suite List Count field */ 1501 if (frm + 2 > efrm) 1502 return 0; 1503 n = rsn->rsn_nakms = LE_READ_2(frm); 1504 frm += 2; 1505 1506 /* read AKM Suite List */ 1507 if (frm + n * 4 > efrm) 1508 return IEEE80211_STATUS_IE_INVALID; 1509 rsn->rsn_akms = IEEE80211_AKM_NONE; 1510 while (n-- > 0) { 1511 rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm); 1512 frm += 4; 1513 } 1514 1515 /* read RSN Capabilities field */ 1516 if (frm + 2 > efrm) 1517 return 0; 1518 rsn->rsn_caps = LE_READ_2(frm); 1519 frm += 2; 1520 1521 /* read PMKID Count field */ 1522 if (frm + 2 > efrm) 1523 return 0; 1524 s = rsn->rsn_npmkids = LE_READ_2(frm); 1525 frm += 2; 1526 1527 /* read PMKID List */ 1528 if (frm + s * IEEE80211_PMKID_LEN > efrm) 1529 return IEEE80211_STATUS_IE_INVALID; 1530 if (s != 0) { 1531 rsn->rsn_pmkids = frm; 1532 frm += s * IEEE80211_PMKID_LEN; 1533 } 1534 1535 /* read Group Management Cipher Suite field */ 1536 if (frm + 4 > efrm) 1537 return 0; 1538 rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm); 1539 if (rsn->rsn_groupmgmtcipher != IEEE80211_CIPHER_BIP) 1540 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1541 1542 return IEEE80211_STATUS_SUCCESS; 1543 } 1544 1545 int 1546 ieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm, 1547 struct ieee80211_rsnparams *rsn) 1548 { 1549 if (frm[1] < 2) { 1550 ic->ic_stats.is_rx_elem_toosmall++; 1551 return IEEE80211_STATUS_IE_INVALID; 1552 } 1553 return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn); 1554 } 1555 1556 int 1557 ieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm, 1558 struct ieee80211_rsnparams *rsn) 1559 { 1560 if (frm[1] < 6) { 1561 ic->ic_stats.is_rx_elem_toosmall++; 1562 return IEEE80211_STATUS_IE_INVALID; 1563 } 1564 return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn); 1565 } 1566 1567 /* 1568 * Create (or update) a copy of an information element. 1569 */ 1570 int 1571 ieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie) 1572 { 1573 int olen = *ie ? 2 + (*ie)[1] : 0; 1574 int len = 2 + frm[1]; 1575 1576 if (*ie == NULL || olen != len) { 1577 if (*ie != NULL) 1578 free(*ie, M_DEVBUF, olen); 1579 *ie = malloc(len, M_DEVBUF, M_NOWAIT); 1580 if (*ie == NULL) 1581 return ENOMEM; 1582 } 1583 memcpy(*ie, frm, len); 1584 return 0; 1585 } 1586 1587 /*- 1588 * Beacon/Probe response frame format: 1589 * [8] Timestamp 1590 * [2] Beacon interval 1591 * [2] Capability 1592 * [tlv] Service Set Identifier (SSID) 1593 * [tlv] Supported rates 1594 * [tlv] DS Parameter Set (802.11g) 1595 * [tlv] ERP Information (802.11g) 1596 * [tlv] Extended Supported Rates (802.11g) 1597 * [tlv] RSN (802.11i) 1598 * [tlv] EDCA Parameter Set (802.11e) 1599 * [tlv] QoS Capability (Beacon only, 802.11e) 1600 * [tlv] HT Capabilities (802.11n) 1601 * [tlv] HT Operation (802.11n) 1602 */ 1603 void 1604 ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m, 1605 struct ieee80211_node *rni, struct ieee80211_rxinfo *rxi, int isprobe) 1606 { 1607 struct ieee80211_node *ni; 1608 const struct ieee80211_frame *wh; 1609 const u_int8_t *frm, *efrm; 1610 const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie, *tim; 1611 const u_int8_t *rsnie, *wpaie, *htcaps, *htop, *vhtcaps, *vhtop; 1612 u_int16_t capinfo, bintval; 1613 u_int8_t chan, bchan, erp; 1614 int is_new; 1615 1616 /* 1617 * We process beacon/probe response frames for: 1618 * o station mode: to collect state 1619 * updates such as 802.11g slot time and for passive 1620 * scanning of APs 1621 * o adhoc mode: to discover neighbors 1622 * o hostap mode: for passive scanning of neighbor APs 1623 * o when scanning 1624 * In other words, in all modes other than monitor (which 1625 * does not process incoming frames) and adhoc-demo (which 1626 * does not use management frames at all). 1627 */ 1628 #ifdef DIAGNOSTIC 1629 if (ic->ic_opmode != IEEE80211_M_STA && 1630 #ifndef IEEE80211_STA_ONLY 1631 ic->ic_opmode != IEEE80211_M_IBSS && 1632 ic->ic_opmode != IEEE80211_M_HOSTAP && 1633 #endif 1634 ic->ic_state != IEEE80211_S_SCAN) { 1635 panic("%s: impossible operating mode", __func__); 1636 } 1637 #endif 1638 /* make sure all mandatory fixed fields are present */ 1639 if (m->m_len < sizeof(*wh) + 12) { 1640 DPRINTF(("frame too short\n")); 1641 return; 1642 } 1643 wh = mtod(m, struct ieee80211_frame *); 1644 frm = (const u_int8_t *)&wh[1]; 1645 efrm = mtod(m, u_int8_t *) + m->m_len; 1646 1647 tstamp = frm; frm += 8; 1648 bintval = LE_READ_2(frm); frm += 2; 1649 capinfo = LE_READ_2(frm); frm += 2; 1650 1651 ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = tim = NULL; 1652 htcaps = htop = vhtcaps = vhtop = NULL; 1653 if (rxi->rxi_chan) 1654 bchan = rxi->rxi_chan; 1655 else 1656 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1657 chan = bchan; 1658 erp = 0; 1659 while (frm + 2 <= efrm) { 1660 if (frm + 2 + frm[1] > efrm) { 1661 ic->ic_stats.is_rx_elem_toosmall++; 1662 break; 1663 } 1664 switch (frm[0]) { 1665 case IEEE80211_ELEMID_SSID: 1666 ssid = frm; 1667 break; 1668 case IEEE80211_ELEMID_RATES: 1669 rates = frm; 1670 break; 1671 case IEEE80211_ELEMID_DSPARMS: 1672 if (frm[1] < 1) { 1673 ic->ic_stats.is_rx_elem_toosmall++; 1674 break; 1675 } 1676 chan = frm[2]; 1677 break; 1678 case IEEE80211_ELEMID_XRATES: 1679 xrates = frm; 1680 break; 1681 case IEEE80211_ELEMID_ERP: 1682 if (frm[1] < 1) { 1683 ic->ic_stats.is_rx_elem_toosmall++; 1684 break; 1685 } 1686 erp = frm[2]; 1687 break; 1688 case IEEE80211_ELEMID_RSN: 1689 rsnie = frm; 1690 break; 1691 case IEEE80211_ELEMID_EDCAPARMS: 1692 edcaie = frm; 1693 break; 1694 case IEEE80211_ELEMID_HTCAPS: 1695 htcaps = frm; 1696 break; 1697 case IEEE80211_ELEMID_HTOP: 1698 if (frm[1] < 22) { 1699 ic->ic_stats.is_rx_elem_toosmall++; 1700 break; 1701 } 1702 htop = frm; 1703 chan = frm[2]; 1704 break; 1705 case IEEE80211_ELEMID_VHTCAPS: 1706 vhtcaps = frm; 1707 break; 1708 case IEEE80211_ELEMID_VHTOP: 1709 vhtop = frm; 1710 break; 1711 case IEEE80211_ELEMID_TIM: 1712 if (frm[1] < 4) { 1713 ic->ic_stats.is_rx_elem_toosmall++; 1714 break; 1715 } 1716 tim = frm; 1717 break; 1718 case IEEE80211_ELEMID_VENDOR: 1719 if (frm[1] < 4) { 1720 ic->ic_stats.is_rx_elem_toosmall++; 1721 break; 1722 } 1723 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1724 if (frm[5] == 1) 1725 wpaie = frm; 1726 else if (frm[1] >= 5 && 1727 frm[5] == 2 && frm[6] == 1) 1728 wmmie = frm; 1729 } 1730 break; 1731 } 1732 frm += 2 + frm[1]; 1733 } 1734 /* supported rates element is mandatory */ 1735 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1736 DPRINTF(("invalid supported rates element\n")); 1737 return; 1738 } 1739 /* SSID element is mandatory */ 1740 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1741 DPRINTF(("invalid SSID element\n")); 1742 return; 1743 } 1744 1745 if ( 1746 #if IEEE80211_CHAN_MAX < 255 1747 chan > IEEE80211_CHAN_MAX || 1748 #endif 1749 (isclr(ic->ic_chan_active, chan) && 1750 ((ic->ic_caps & IEEE80211_C_SCANALL) == 0 || 1751 (ic->ic_flags & IEEE80211_F_BGSCAN) == 0))) { 1752 DPRINTF(("ignore %s with invalid channel %u\n", 1753 isprobe ? "probe response" : "beacon", chan)); 1754 ic->ic_stats.is_rx_badchan++; 1755 return; 1756 } 1757 if ((rxi->rxi_chan != 0 && chan != rxi->rxi_chan) || 1758 ((ic->ic_state != IEEE80211_S_SCAN || 1759 !(ic->ic_caps & IEEE80211_C_SCANALL)) && 1760 chan != bchan)) { 1761 /* 1762 * Frame was received on a channel different from the 1763 * one indicated in the DS params element id; 1764 * silently discard it. 1765 * 1766 * NB: this can happen due to signal leakage. 1767 */ 1768 DPRINTF(("ignore %s on channel %u marked for channel %u\n", 1769 isprobe ? "probe response" : "beacon", bchan, chan)); 1770 ic->ic_stats.is_rx_chanmismatch++; 1771 return; 1772 } 1773 1774 #ifdef IEEE80211_DEBUG 1775 if (ieee80211_debug > 1 && 1776 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN || 1777 (ic->ic_flags & IEEE80211_F_BGSCAN))) { 1778 printf("%s: %s%s on chan %u (bss chan %u) ", 1779 __func__, (ni == NULL ? "new " : ""), 1780 isprobe ? "probe response" : "beacon", 1781 chan, bchan); 1782 ieee80211_print_essid(ssid + 2, ssid[1]); 1783 printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2)); 1784 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1785 __func__, capinfo, bintval, erp); 1786 } 1787 #endif 1788 1789 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1790 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1791 if (ni == NULL) 1792 return; 1793 is_new = 1; 1794 } else 1795 is_new = 0; 1796 1797 ni->ni_chan = &ic->ic_channels[chan]; 1798 1799 if (htcaps) 1800 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1801 if (htop && !ieee80211_setup_htop(ni, htop + 2, htop[1], 1)) 1802 htop = NULL; /* invalid HTOP */ 1803 if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) { 1804 ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]); 1805 if (vhtop && !ieee80211_setup_vhtop(ni, vhtop + 2, vhtop[1], 1)) 1806 vhtop = NULL; /* invalid VHTOP */ 1807 } 1808 1809 if (tim) { 1810 ni->ni_dtimcount = tim[2]; 1811 ni->ni_dtimperiod = tim[3]; 1812 } 1813 1814 /* 1815 * When operating in station mode, check for state updates 1816 * while we're associated. 1817 */ 1818 if (ic->ic_opmode == IEEE80211_M_STA && 1819 ic->ic_state == IEEE80211_S_RUN && 1820 ni->ni_state == IEEE80211_STA_BSS) { 1821 int updateprot = 0; 1822 /* 1823 * Check if protection mode has changed since last beacon. 1824 */ 1825 if (ni->ni_erp != erp) { 1826 DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n", 1827 ether_sprintf((u_int8_t *)wh->i_addr2), 1828 ni->ni_erp, erp)); 1829 if ((ic->ic_curmode == IEEE80211_MODE_11G || 1830 (ic->ic_curmode == IEEE80211_MODE_11N && 1831 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 1832 (erp & IEEE80211_ERP_USE_PROTECTION)) 1833 ic->ic_flags |= IEEE80211_F_USEPROT; 1834 else 1835 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1836 ic->ic_bss->ni_erp = erp; 1837 updateprot = 1; 1838 } 1839 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT)) { 1840 enum ieee80211_htprot htprot_last, htprot; 1841 htprot_last = 1842 ((ic->ic_bss->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) 1843 >> IEEE80211_HTOP1_PROT_SHIFT); 1844 htprot = ((ni->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) >> 1845 IEEE80211_HTOP1_PROT_SHIFT); 1846 if (htprot_last != htprot) { 1847 DPRINTF(("[%s] htprot change: was %d, now %d\n", 1848 ether_sprintf((u_int8_t *)wh->i_addr2), 1849 htprot_last, htprot)); 1850 ic->ic_stats.is_ht_prot_change++; 1851 ic->ic_bss->ni_htop1 = ni->ni_htop1; 1852 updateprot = 1; 1853 } 1854 } 1855 if (updateprot && ic->ic_updateprot != NULL) 1856 ic->ic_updateprot(ic); 1857 1858 /* 1859 * Check if 40MHz channel mode has changed since last beacon. 1860 */ 1861 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT) && 1862 (ic->ic_htcaps & IEEE80211_HTCAP_CBW20_40)) { 1863 uint8_t chw_last, chw, sco_last, sco; 1864 chw_last = (ic->ic_bss->ni_htop0 & IEEE80211_HTOP0_CHW); 1865 chw = (ni->ni_htop0 & IEEE80211_HTOP0_CHW); 1866 sco_last = 1867 ((ic->ic_bss->ni_htop0 & IEEE80211_HTOP0_SCO_MASK) 1868 >> IEEE80211_HTOP0_SCO_SHIFT); 1869 sco = ((ni->ni_htop0 & IEEE80211_HTOP0_SCO_MASK) >> 1870 IEEE80211_HTOP0_SCO_SHIFT); 1871 ic->ic_bss->ni_htop0 = ni->ni_htop0; 1872 if (chw_last != chw || sco_last != sco) { 1873 if (ic->ic_updatechan != NULL) 1874 ic->ic_updatechan(ic); 1875 } 1876 } else if (htop) 1877 ic->ic_bss->ni_htop0 = ni->ni_htop0; 1878 1879 /* 1880 * Check if AP short slot time setting has changed 1881 * since last beacon and give the driver a chance to 1882 * update the hardware. 1883 */ 1884 if ((ni->ni_capinfo ^ capinfo) & 1885 IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1886 ieee80211_set_shortslottime(ic, 1887 ic->ic_curmode == IEEE80211_MODE_11A || 1888 (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1889 } 1890 1891 if (tim && ic->ic_bss->ni_dtimperiod != ni->ni_dtimperiod) { 1892 ic->ic_bss->ni_dtimperiod = ni->ni_dtimperiod; 1893 ic->ic_bss->ni_dtimcount = ni->ni_dtimcount; 1894 1895 if (ic->ic_updatedtim != NULL) 1896 ic->ic_updatedtim(ic); 1897 } 1898 1899 /* 1900 * Reset management timer. If it is non-zero in RUN state, the 1901 * driver sent a probe request after a missed beacon event. 1902 * This probe response indicates the AP is still serving us 1903 * so don't allow ieee80211_watchdog() to move us into SCAN. 1904 */ 1905 if ((ic->ic_flags & IEEE80211_F_BGSCAN) == 0) 1906 ic->ic_mgt_timer = 0; 1907 } 1908 /* 1909 * We do not try to update EDCA parameters if QoS was not negotiated 1910 * with the AP at association time. 1911 */ 1912 if (ni->ni_flags & IEEE80211_NODE_QOS) { 1913 /* always prefer EDCA IE over Wi-Fi Alliance WMM IE */ 1914 if ((edcaie != NULL && 1915 ieee80211_parse_edca_params(ic, edcaie) == 0) || 1916 (wmmie != NULL && 1917 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 1918 ni->ni_flags |= IEEE80211_NODE_QOS; 1919 else 1920 ni->ni_flags &= ~IEEE80211_NODE_QOS; 1921 } 1922 1923 if (ic->ic_state == IEEE80211_S_SCAN || 1924 (ic->ic_flags & IEEE80211_F_BGSCAN)) { 1925 struct ieee80211_rsnparams rsn, wpa; 1926 1927 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1928 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 1929 ni->ni_rsnakms = 0; 1930 ni->ni_supported_rsnakms = 0; 1931 ni->ni_rsnciphers = 0; 1932 ni->ni_rsngroupcipher = 0; 1933 ni->ni_rsngroupmgmtcipher = 0; 1934 ni->ni_rsncaps = 0; 1935 1936 if (rsnie != NULL && 1937 ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) { 1938 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_RSN; 1939 ni->ni_supported_rsnakms |= rsn.rsn_akms; 1940 } 1941 if (wpaie != NULL && 1942 ieee80211_parse_wpa(ic, wpaie, &wpa) == 0) { 1943 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_WPA; 1944 ni->ni_supported_rsnakms |= wpa.rsn_akms; 1945 } 1946 1947 /* 1948 * If the AP advertises both WPA and RSN IEs (WPA1+WPA2), 1949 * we only use the highest protocol version we support. 1950 */ 1951 if (rsnie != NULL && 1952 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_RSN) && 1953 (ic->ic_caps & IEEE80211_C_RSN)) { 1954 if (ieee80211_save_ie(rsnie, &ni->ni_rsnie) == 0 1955 #ifndef IEEE80211_STA_ONLY 1956 && ic->ic_opmode != IEEE80211_M_HOSTAP 1957 #endif 1958 ) { 1959 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1960 ni->ni_rsnakms = rsn.rsn_akms; 1961 ni->ni_rsnciphers = rsn.rsn_ciphers; 1962 ni->ni_rsngroupcipher = rsn.rsn_groupcipher; 1963 ni->ni_rsngroupmgmtcipher = 1964 rsn.rsn_groupmgmtcipher; 1965 ni->ni_rsncaps = rsn.rsn_caps; 1966 } 1967 } else if (wpaie != NULL && 1968 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_WPA) && 1969 (ic->ic_caps & IEEE80211_C_RSN)) { 1970 if (ieee80211_save_ie(wpaie, &ni->ni_rsnie) == 0 1971 #ifndef IEEE80211_STA_ONLY 1972 && ic->ic_opmode != IEEE80211_M_HOSTAP 1973 #endif 1974 ) { 1975 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1976 ni->ni_rsnakms = wpa.rsn_akms; 1977 ni->ni_rsnciphers = wpa.rsn_ciphers; 1978 ni->ni_rsngroupcipher = wpa.rsn_groupcipher; 1979 ni->ni_rsngroupmgmtcipher = 1980 wpa.rsn_groupmgmtcipher; 1981 ni->ni_rsncaps = wpa.rsn_caps; 1982 } 1983 } 1984 } 1985 1986 /* 1987 * Set our SSID if we do not know it yet. 1988 * If we are doing a directed scan for an AP with a hidden SSID 1989 * we must collect the SSID from a probe response to override 1990 * a non-zero-length SSID filled with zeroes that we may have 1991 * received earlier in a beacon. 1992 */ 1993 if (ssid[1] != 0 && ni->ni_essid[0] == '\0') { 1994 ni->ni_esslen = ssid[1]; 1995 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1996 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1997 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1998 } 1999 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 2000 if (ic->ic_state == IEEE80211_S_SCAN && 2001 IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) { 2002 /* 2003 * During a scan on 5Ghz, prefer RSSI measured for probe 2004 * response frames. i.e. don't allow beacons to lower the 2005 * measured RSSI. Some 5GHz APs send beacons with much 2006 * less Tx power than they use for probe responses. 2007 */ 2008 if (isprobe || ni->ni_rssi == 0) 2009 ni->ni_rssi = rxi->rxi_rssi; 2010 else if (ni->ni_rssi < rxi->rxi_rssi) 2011 ni->ni_rssi = rxi->rxi_rssi; 2012 } else 2013 ni->ni_rssi = rxi->rxi_rssi; 2014 ni->ni_rstamp = rxi->rxi_tstamp; 2015 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 2016 ni->ni_intval = bintval; 2017 ni->ni_capinfo = capinfo; 2018 ni->ni_erp = erp; 2019 /* NB: must be after ni_chan is setup */ 2020 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 2021 #ifndef IEEE80211_STA_ONLY 2022 if (ic->ic_opmode == IEEE80211_M_IBSS && is_new && isprobe) { 2023 /* 2024 * Fake an association so the driver can setup its 2025 * private state. The rate set has been setup above; 2026 * there is no handshake as in ap/station operation. 2027 */ 2028 if (ic->ic_newassoc) 2029 (*ic->ic_newassoc)(ic, ni, 1); 2030 } 2031 #endif 2032 } 2033 2034 #ifndef IEEE80211_STA_ONLY 2035 /*- 2036 * Probe request frame format: 2037 * [tlv] SSID 2038 * [tlv] Supported rates 2039 * [tlv] Extended Supported Rates (802.11g) 2040 * [tlv] HT Capabilities (802.11n) 2041 */ 2042 void 2043 ieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m, 2044 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 2045 { 2046 const struct ieee80211_frame *wh; 2047 const u_int8_t *frm, *efrm; 2048 const u_int8_t *ssid, *rates, *xrates, *htcaps, *vhtcaps; 2049 u_int8_t rate; 2050 2051 if (ic->ic_opmode == IEEE80211_M_STA || 2052 ic->ic_state != IEEE80211_S_RUN) 2053 return; 2054 2055 wh = mtod(m, struct ieee80211_frame *); 2056 frm = (const u_int8_t *)&wh[1]; 2057 efrm = mtod(m, u_int8_t *) + m->m_len; 2058 2059 ssid = rates = xrates = htcaps = vhtcaps = NULL; 2060 while (frm + 2 <= efrm) { 2061 if (frm + 2 + frm[1] > efrm) { 2062 ic->ic_stats.is_rx_elem_toosmall++; 2063 break; 2064 } 2065 switch (frm[0]) { 2066 case IEEE80211_ELEMID_SSID: 2067 ssid = frm; 2068 break; 2069 case IEEE80211_ELEMID_RATES: 2070 rates = frm; 2071 break; 2072 case IEEE80211_ELEMID_XRATES: 2073 xrates = frm; 2074 break; 2075 case IEEE80211_ELEMID_HTCAPS: 2076 htcaps = frm; 2077 break; 2078 case IEEE80211_ELEMID_VHTCAPS: 2079 vhtcaps = frm; 2080 break; 2081 } 2082 frm += 2 + frm[1]; 2083 } 2084 /* supported rates element is mandatory */ 2085 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2086 DPRINTF(("invalid supported rates element\n")); 2087 return; 2088 } 2089 /* SSID element is mandatory */ 2090 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 2091 DPRINTF(("invalid SSID element\n")); 2092 return; 2093 } 2094 /* check that the specified SSID (if not wildcard) matches ours */ 2095 if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen || 2096 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) { 2097 DPRINTF(("SSID mismatch\n")); 2098 ic->ic_stats.is_rx_ssidmismatch++; 2099 return; 2100 } 2101 /* refuse wildcard SSID if we're hiding our SSID in beacons */ 2102 if (ssid[1] == 0 && (ic->ic_userflags & IEEE80211_F_HIDENWID)) { 2103 DPRINTF(("wildcard SSID rejected")); 2104 ic->ic_stats.is_rx_ssidmismatch++; 2105 return; 2106 } 2107 2108 if (ni == ic->ic_bss) { 2109 ni = ieee80211_find_node(ic, wh->i_addr2); 2110 if (ni == NULL) 2111 ni = ieee80211_dup_bss(ic, wh->i_addr2); 2112 if (ni == NULL) 2113 return; 2114 DPRINTF(("new probe req from %s\n", 2115 ether_sprintf((u_int8_t *)wh->i_addr2))); 2116 } 2117 ni->ni_rssi = rxi->rxi_rssi; 2118 ni->ni_rstamp = rxi->rxi_tstamp; 2119 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2120 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2121 IEEE80211_F_DODEL); 2122 if (rate & IEEE80211_RATE_BASIC) { 2123 DPRINTF(("rate mismatch for %s\n", 2124 ether_sprintf((u_int8_t *)wh->i_addr2))); 2125 return; 2126 } 2127 if (htcaps) 2128 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2129 else 2130 ieee80211_clear_htcaps(ni); 2131 if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ic->ic_bss->ni_chan)) 2132 ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]); 2133 else 2134 ieee80211_clear_vhtcaps(ni); 2135 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 2136 } 2137 #endif /* IEEE80211_STA_ONLY */ 2138 2139 /*- 2140 * Authentication frame format: 2141 * [2] Authentication algorithm number 2142 * [2] Authentication transaction sequence number 2143 * [2] Status code 2144 */ 2145 void 2146 ieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m, 2147 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 2148 { 2149 const struct ieee80211_frame *wh; 2150 const u_int8_t *frm; 2151 u_int16_t algo, seq, status; 2152 2153 /* make sure all mandatory fixed fields are present */ 2154 if (m->m_len < sizeof(*wh) + 6) { 2155 DPRINTF(("frame too short\n")); 2156 return; 2157 } 2158 wh = mtod(m, struct ieee80211_frame *); 2159 frm = (const u_int8_t *)&wh[1]; 2160 2161 algo = LE_READ_2(frm); frm += 2; 2162 seq = LE_READ_2(frm); frm += 2; 2163 status = LE_READ_2(frm); frm += 2; 2164 DPRINTF(("auth %d seq %d from %s\n", algo, seq, 2165 ether_sprintf((u_int8_t *)wh->i_addr2))); 2166 2167 /* only "open" auth mode is supported */ 2168 if (algo != IEEE80211_AUTH_ALG_OPEN) { 2169 DPRINTF(("unsupported auth algorithm %d from %s\n", 2170 algo, ether_sprintf((u_int8_t *)wh->i_addr2))); 2171 ic->ic_stats.is_rx_auth_unsupported++; 2172 #ifndef IEEE80211_STA_ONLY 2173 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2174 /* XXX hack to workaround calling convention */ 2175 IEEE80211_SEND_MGMT(ic, ni, 2176 IEEE80211_FC0_SUBTYPE_AUTH, 2177 IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xfff)); 2178 } 2179 #endif 2180 return; 2181 } 2182 ieee80211_auth_open(ic, wh, ni, rxi, seq, status); 2183 } 2184 2185 #ifndef IEEE80211_STA_ONLY 2186 /*- 2187 * (Re)Association request frame format: 2188 * [2] Capability information 2189 * [2] Listen interval 2190 * [6*] Current AP address (Reassociation only) 2191 * [tlv] SSID 2192 * [tlv] Supported rates 2193 * [tlv] Extended Supported Rates (802.11g) 2194 * [tlv] RSN (802.11i) 2195 * [tlv] QoS Capability (802.11e) 2196 * [tlv] HT Capabilities (802.11n) 2197 */ 2198 void 2199 ieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m, 2200 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc) 2201 { 2202 const struct ieee80211_frame *wh; 2203 const u_int8_t *frm, *efrm; 2204 const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *wmeie; 2205 const u_int8_t *htcaps, *vhtcaps; 2206 u_int16_t capinfo, bintval; 2207 int resp, status = 0; 2208 struct ieee80211_rsnparams rsn; 2209 u_int8_t rate; 2210 const u_int8_t *saveie = NULL; 2211 2212 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2213 ic->ic_state != IEEE80211_S_RUN) 2214 return; 2215 2216 /* make sure all mandatory fixed fields are present */ 2217 if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) { 2218 DPRINTF(("frame too short\n")); 2219 return; 2220 } 2221 wh = mtod(m, struct ieee80211_frame *); 2222 frm = (const u_int8_t *)&wh[1]; 2223 efrm = mtod(m, u_int8_t *) + m->m_len; 2224 2225 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2226 DPRINTF(("ignore other bss from %s\n", 2227 ether_sprintf((u_int8_t *)wh->i_addr2))); 2228 ic->ic_stats.is_rx_assoc_bss++; 2229 return; 2230 } 2231 capinfo = LE_READ_2(frm); frm += 2; 2232 bintval = LE_READ_2(frm); frm += 2; 2233 if (reassoc) { 2234 frm += IEEE80211_ADDR_LEN; /* skip current AP address */ 2235 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2236 } else 2237 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2238 2239 ssid = rates = xrates = rsnie = wpaie = wmeie = htcaps = vhtcaps = NULL; 2240 while (frm + 2 <= efrm) { 2241 if (frm + 2 + frm[1] > efrm) { 2242 ic->ic_stats.is_rx_elem_toosmall++; 2243 break; 2244 } 2245 switch (frm[0]) { 2246 case IEEE80211_ELEMID_SSID: 2247 ssid = frm; 2248 break; 2249 case IEEE80211_ELEMID_RATES: 2250 rates = frm; 2251 break; 2252 case IEEE80211_ELEMID_XRATES: 2253 xrates = frm; 2254 break; 2255 case IEEE80211_ELEMID_RSN: 2256 rsnie = frm; 2257 break; 2258 case IEEE80211_ELEMID_QOS_CAP: 2259 break; 2260 case IEEE80211_ELEMID_HTCAPS: 2261 htcaps = frm; 2262 break; 2263 case IEEE80211_ELEMID_VHTCAPS: 2264 vhtcaps = frm; 2265 break; 2266 case IEEE80211_ELEMID_VENDOR: 2267 if (frm[1] < 4) { 2268 ic->ic_stats.is_rx_elem_toosmall++; 2269 break; 2270 } 2271 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2272 if (frm[5] == 1) 2273 wpaie = frm; 2274 /* WME info IE: len=7 type=2 subtype=0 */ 2275 if (frm[1] == 7 && frm[5] == 2 && frm[6] == 0) 2276 wmeie = frm; 2277 } 2278 break; 2279 } 2280 frm += 2 + frm[1]; 2281 } 2282 /* supported rates element is mandatory */ 2283 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2284 DPRINTF(("invalid supported rates element\n")); 2285 return; 2286 } 2287 /* SSID element is mandatory */ 2288 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 2289 DPRINTF(("invalid SSID element\n")); 2290 return; 2291 } 2292 /* check that the specified SSID matches ours */ 2293 if (ssid[1] != ic->ic_bss->ni_esslen || 2294 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) { 2295 DPRINTF(("SSID mismatch\n")); 2296 ic->ic_stats.is_rx_ssidmismatch++; 2297 return; 2298 } 2299 2300 if (ni->ni_state != IEEE80211_STA_AUTH && 2301 ni->ni_state != IEEE80211_STA_ASSOC) { 2302 DPRINTF(("deny %sassoc from %s, not authenticated\n", 2303 reassoc ? "re" : "", 2304 ether_sprintf((u_int8_t *)wh->i_addr2))); 2305 ni = ieee80211_find_node(ic, wh->i_addr2); 2306 if (ni == NULL) 2307 ni = ieee80211_dup_bss(ic, wh->i_addr2); 2308 if (ni != NULL) { 2309 IEEE80211_SEND_MGMT(ic, ni, 2310 IEEE80211_FC0_SUBTYPE_DEAUTH, 2311 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2312 } 2313 ic->ic_stats.is_rx_assoc_notauth++; 2314 return; 2315 } 2316 2317 if (ni->ni_state == IEEE80211_STA_ASSOC && 2318 (ni->ni_flags & IEEE80211_NODE_MFP)) { 2319 if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) { 2320 /* send a protected Disassociate frame */ 2321 IEEE80211_SEND_MGMT(ic, ni, 2322 IEEE80211_FC0_SUBTYPE_DISASSOC, 2323 IEEE80211_REASON_AUTH_EXPIRE); 2324 /* terminate the old SA */ 2325 ieee80211_node_leave(ic, ni); 2326 } else { 2327 /* reject the (Re)Association Request temporarily */ 2328 IEEE80211_SEND_MGMT(ic, ni, resp, 2329 IEEE80211_STATUS_TRY_AGAIN_LATER); 2330 /* start SA Query procedure if not already engaged */ 2331 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) 2332 ieee80211_sa_query_request(ic, ni); 2333 /* do not modify association state */ 2334 } 2335 return; 2336 } 2337 2338 if (!(capinfo & IEEE80211_CAPINFO_ESS)) { 2339 ic->ic_stats.is_rx_assoc_capmismatch++; 2340 status = IEEE80211_STATUS_CAPINFO; 2341 goto end; 2342 } 2343 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2344 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2345 IEEE80211_F_DODEL); 2346 if (rate & IEEE80211_RATE_BASIC) { 2347 ic->ic_stats.is_rx_assoc_norate++; 2348 status = IEEE80211_STATUS_BASIC_RATE; 2349 goto end; 2350 } 2351 2352 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2353 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 2354 ni->ni_rsnakms = 0; 2355 ni->ni_supported_rsnakms = 0; 2356 ni->ni_rsnciphers = 0; 2357 ni->ni_rsngroupcipher = 0; 2358 ni->ni_rsngroupmgmtcipher = 0; 2359 ni->ni_rsncaps = 0; 2360 2361 /* 2362 * A station should never include both a WPA and an RSN IE 2363 * in its (Re)Association Requests, but if it does, we only 2364 * consider the IE of the highest version of the protocol 2365 * that is allowed (ie RSN over WPA). 2366 */ 2367 if (rsnie != NULL) { 2368 status = ieee80211_parse_rsn(ic, rsnie, &rsn); 2369 if (status != 0) 2370 goto end; 2371 ni->ni_supported_rsnprotos = IEEE80211_PROTO_RSN; 2372 ni->ni_supported_rsnakms = rsn.rsn_akms; 2373 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2374 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 2375 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 2376 saveie = rsnie; 2377 } 2378 } else if (wpaie != NULL) { 2379 status = ieee80211_parse_wpa(ic, wpaie, &rsn); 2380 if (status != 0) 2381 goto end; 2382 ni->ni_supported_rsnprotos = IEEE80211_PROTO_WPA; 2383 ni->ni_supported_rsnakms = rsn.rsn_akms; 2384 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2385 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 2386 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 2387 saveie = wpaie; 2388 } 2389 } 2390 2391 if (ic->ic_flags & IEEE80211_F_QOS) { 2392 if (wmeie != NULL) 2393 ni->ni_flags |= IEEE80211_NODE_QOS; 2394 else /* for Reassociation */ 2395 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2396 } 2397 2398 if (ic->ic_flags & IEEE80211_F_RSNON) { 2399 if (ni->ni_rsnprotos == IEEE80211_PROTO_NONE) { 2400 /* 2401 * In an RSN, an AP shall not associate with STAs 2402 * that fail to include the RSN IE in the 2403 * (Re)Association Request. 2404 */ 2405 status = IEEE80211_STATUS_IE_INVALID; 2406 goto end; 2407 } 2408 /* 2409 * The initiating STA's RSN IE shall include one authentication 2410 * and pairwise cipher suite among those advertised by the 2411 * targeted AP. It shall also specify the group cipher suite 2412 * specified by the targeted AP. 2413 */ 2414 if (rsn.rsn_nakms != 1 || 2415 !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) { 2416 status = IEEE80211_STATUS_BAD_AKMP; 2417 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2418 goto end; 2419 } 2420 if (rsn.rsn_nciphers != 1 || 2421 !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) { 2422 status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 2423 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2424 goto end; 2425 } 2426 if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) { 2427 status = IEEE80211_STATUS_BAD_GROUP_CIPHER; 2428 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2429 goto end; 2430 } 2431 2432 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) && 2433 !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) { 2434 status = IEEE80211_STATUS_MFP_POLICY; 2435 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2436 goto end; 2437 } 2438 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 2439 (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC | 2440 IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) { 2441 /* STA advertises an invalid setting */ 2442 status = IEEE80211_STATUS_MFP_POLICY; 2443 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2444 goto end; 2445 } 2446 /* 2447 * A STA that has associated with Management Frame Protection 2448 * enabled shall not use cipher suite pairwise selector WEP40, 2449 * WEP104, TKIP, or "Use Group cipher suite". 2450 */ 2451 if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) && 2452 (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP || 2453 rsn.rsn_groupmgmtcipher != 2454 ic->ic_bss->ni_rsngroupmgmtcipher)) { 2455 status = IEEE80211_STATUS_MFP_POLICY; 2456 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2457 goto end; 2458 } 2459 2460 /* 2461 * Disallow new associations using TKIP if countermeasures 2462 * are active. 2463 */ 2464 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 2465 (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP || 2466 rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) { 2467 status = IEEE80211_STATUS_CIPHER_REJ_POLICY; 2468 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2469 goto end; 2470 } 2471 2472 /* everything looks fine, save IE and parameters */ 2473 if (saveie == NULL || 2474 ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) { 2475 status = IEEE80211_STATUS_TOOMANY; 2476 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2477 goto end; 2478 } 2479 ni->ni_rsnakms = rsn.rsn_akms; 2480 ni->ni_rsnciphers = rsn.rsn_ciphers; 2481 ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher; 2482 ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher; 2483 ni->ni_rsncaps = rsn.rsn_caps; 2484 2485 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 2486 struct ieee80211_pmk *pmk = NULL; 2487 const u_int8_t *pmkid = rsn.rsn_pmkids; 2488 /* 2489 * Check if we have a cached PMK entry matching one 2490 * of the PMKIDs specified in the RSN IE. 2491 */ 2492 while (rsn.rsn_npmkids-- > 0) { 2493 pmk = ieee80211_pmksa_find(ic, ni, pmkid); 2494 if (pmk != NULL) 2495 break; 2496 pmkid += IEEE80211_PMKID_LEN; 2497 } 2498 if (pmk != NULL) { 2499 memcpy(ni->ni_pmk, pmk->pmk_key, 2500 IEEE80211_PMK_LEN); 2501 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 2502 IEEE80211_PMKID_LEN); 2503 ni->ni_flags |= IEEE80211_NODE_PMK; 2504 } 2505 } 2506 } 2507 2508 ni->ni_rssi = rxi->rxi_rssi; 2509 ni->ni_rstamp = rxi->rxi_tstamp; 2510 ni->ni_intval = bintval; 2511 ni->ni_capinfo = capinfo; 2512 ni->ni_chan = ic->ic_bss->ni_chan; 2513 if (htcaps) 2514 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2515 else 2516 ieee80211_clear_htcaps(ni); 2517 if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ic->ic_bss->ni_chan)) 2518 ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]); 2519 else 2520 ieee80211_clear_vhtcaps(ni); 2521 end: 2522 if (status != 0) { 2523 IEEE80211_SEND_MGMT(ic, ni, resp, status); 2524 ieee80211_node_leave(ic, ni); 2525 } else 2526 ieee80211_node_join(ic, ni, resp); 2527 } 2528 #endif /* IEEE80211_STA_ONLY */ 2529 2530 /*- 2531 * (Re)Association response frame format: 2532 * [2] Capability information 2533 * [2] Status code 2534 * [2] Association ID (AID) 2535 * [tlv] Supported rates 2536 * [tlv] Extended Supported Rates (802.11g) 2537 * [tlv] EDCA Parameter Set (802.11e) 2538 * [tlv] HT Capabilities (802.11n) 2539 * [tlv] HT Operation (802.11n) 2540 */ 2541 void 2542 ieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m, 2543 struct ieee80211_node *ni, int reassoc) 2544 { 2545 struct ifnet *ifp = &ic->ic_if; 2546 const struct ieee80211_frame *wh; 2547 const u_int8_t *frm, *efrm; 2548 const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop; 2549 const u_int8_t *vhtcaps, *vhtop; 2550 u_int16_t capinfo, status, associd; 2551 u_int8_t rate; 2552 2553 if (ic->ic_opmode != IEEE80211_M_STA || 2554 ic->ic_state != IEEE80211_S_ASSOC) { 2555 ic->ic_stats.is_rx_mgtdiscard++; 2556 return; 2557 } 2558 2559 /* make sure all mandatory fixed fields are present */ 2560 if (m->m_len < sizeof(*wh) + 6) { 2561 DPRINTF(("frame too short\n")); 2562 return; 2563 } 2564 wh = mtod(m, struct ieee80211_frame *); 2565 frm = (const u_int8_t *)&wh[1]; 2566 efrm = mtod(m, u_int8_t *) + m->m_len; 2567 2568 capinfo = LE_READ_2(frm); frm += 2; 2569 status = LE_READ_2(frm); frm += 2; 2570 if (status != IEEE80211_STATUS_SUCCESS) { 2571 if (ifp->if_flags & IFF_DEBUG) 2572 printf("%s: %sassociation failed (status %d)" 2573 " for %s\n", ifp->if_xname, 2574 reassoc ? "re" : "", 2575 status, ether_sprintf((u_int8_t *)wh->i_addr3)); 2576 if (ni != ic->ic_bss) 2577 ni->ni_fails++; 2578 ic->ic_stats.is_rx_auth_fail++; 2579 return; 2580 } 2581 associd = LE_READ_2(frm); frm += 2; 2582 2583 rates = xrates = edcaie = wmmie = htcaps = htop = NULL; 2584 vhtcaps = vhtop = NULL; 2585 while (frm + 2 <= efrm) { 2586 if (frm + 2 + frm[1] > efrm) { 2587 ic->ic_stats.is_rx_elem_toosmall++; 2588 break; 2589 } 2590 switch (frm[0]) { 2591 case IEEE80211_ELEMID_RATES: 2592 rates = frm; 2593 break; 2594 case IEEE80211_ELEMID_XRATES: 2595 xrates = frm; 2596 break; 2597 case IEEE80211_ELEMID_EDCAPARMS: 2598 edcaie = frm; 2599 break; 2600 case IEEE80211_ELEMID_HTCAPS: 2601 htcaps = frm; 2602 break; 2603 case IEEE80211_ELEMID_HTOP: 2604 htop = frm; 2605 break; 2606 case IEEE80211_ELEMID_VHTCAPS: 2607 vhtcaps = frm; 2608 break; 2609 case IEEE80211_ELEMID_VHTOP: 2610 vhtop = frm; 2611 break; 2612 case IEEE80211_ELEMID_VENDOR: 2613 if (frm[1] < 4) { 2614 ic->ic_stats.is_rx_elem_toosmall++; 2615 break; 2616 } 2617 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2618 if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1) 2619 wmmie = frm; 2620 } 2621 break; 2622 } 2623 frm += 2 + frm[1]; 2624 } 2625 /* supported rates element is mandatory */ 2626 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2627 DPRINTF(("invalid supported rates element\n")); 2628 return; 2629 } 2630 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2631 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2632 IEEE80211_F_DODEL); 2633 if (rate & IEEE80211_RATE_BASIC) { 2634 DPRINTF(("rate mismatch for %s\n", 2635 ether_sprintf((u_int8_t *)wh->i_addr2))); 2636 ic->ic_stats.is_rx_assoc_norate++; 2637 return; 2638 } 2639 ni->ni_capinfo = capinfo; 2640 ni->ni_associd = associd; 2641 if (edcaie != NULL || wmmie != NULL) { 2642 /* force update of EDCA parameters */ 2643 ic->ic_edca_updtcount = -1; 2644 2645 if ((edcaie != NULL && 2646 ieee80211_parse_edca_params(ic, edcaie) == 0) || 2647 (wmmie != NULL && 2648 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 2649 ni->ni_flags |= IEEE80211_NODE_QOS; 2650 else /* for Reassociation */ 2651 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2652 } 2653 if (htcaps) 2654 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2655 if (htop) 2656 ieee80211_setup_htop(ni, htop + 2, htop[1], 0); 2657 ieee80211_ht_negotiate(ic, ni); 2658 2659 if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) { 2660 ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]); 2661 if (vhtop && !ieee80211_setup_vhtop(ni, vhtop + 2, vhtop[1], 1)) 2662 vhtop = NULL; /* invalid VHTOP */ 2663 } 2664 ieee80211_vht_negotiate(ic, ni); 2665 2666 /* Hop into 11n/11ac modes after associating to a HT/VHT AP. */ 2667 if (ni->ni_flags & IEEE80211_NODE_VHT) 2668 ieee80211_setmode(ic, IEEE80211_MODE_11AC); 2669 else if (ni->ni_flags & IEEE80211_NODE_HT) 2670 ieee80211_setmode(ic, IEEE80211_MODE_11N); 2671 else 2672 ieee80211_setmode(ic, ieee80211_chan2mode(ic, ni->ni_chan)); 2673 /* 2674 * Reset the erp state (mostly the slot time) now that 2675 * our operating mode has been nailed down. 2676 */ 2677 ieee80211_reset_erp(ic); 2678 2679 /* 2680 * Configure state now that we are associated. 2681 */ 2682 if (ic->ic_curmode == IEEE80211_MODE_11A || 2683 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 2684 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2685 else 2686 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2687 2688 ieee80211_set_shortslottime(ic, 2689 ic->ic_curmode == IEEE80211_MODE_11A || 2690 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2691 /* 2692 * Honor ERP protection. 2693 */ 2694 if ((ic->ic_curmode == IEEE80211_MODE_11G || 2695 (ic->ic_curmode == IEEE80211_MODE_11N && 2696 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 2697 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2698 ic->ic_flags |= IEEE80211_F_USEPROT; 2699 else 2700 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2701 /* 2702 * If not an RSNA, mark the port as valid, otherwise wait for 2703 * 802.1X authentication and 4-way handshake to complete.. 2704 */ 2705 if (ic->ic_flags & IEEE80211_F_RSNON) { 2706 /* XXX ic->ic_mgt_timer = 5; */ 2707 ni->ni_rsn_supp_state = RSNA_SUPP_PTKSTART; 2708 } else if (ic->ic_flags & IEEE80211_F_WEPON) 2709 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 2710 2711 ieee80211_new_state(ic, IEEE80211_S_RUN, 2712 IEEE80211_FC0_SUBTYPE_ASSOC_RESP); 2713 } 2714 2715 /*- 2716 * Deauthentication frame format: 2717 * [2] Reason code 2718 */ 2719 void 2720 ieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m, 2721 struct ieee80211_node *ni) 2722 { 2723 const struct ieee80211_frame *wh; 2724 const u_int8_t *frm; 2725 u_int16_t reason; 2726 2727 /* make sure all mandatory fixed fields are present */ 2728 if (m->m_len < sizeof(*wh) + 2) { 2729 DPRINTF(("frame too short\n")); 2730 return; 2731 } 2732 wh = mtod(m, struct ieee80211_frame *); 2733 frm = (const u_int8_t *)&wh[1]; 2734 2735 reason = LE_READ_2(frm); 2736 2737 ic->ic_stats.is_rx_deauth++; 2738 switch (ic->ic_opmode) { 2739 case IEEE80211_M_STA: { 2740 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2741 ic->ic_state == IEEE80211_S_RUN); 2742 int stay_auth = ((ic->ic_userflags & IEEE80211_F_STAYAUTH) && 2743 ic->ic_state >= IEEE80211_S_AUTH); 2744 if (!(bgscan || stay_auth)) 2745 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2746 IEEE80211_FC0_SUBTYPE_DEAUTH); 2747 } 2748 break; 2749 #ifndef IEEE80211_STA_ONLY 2750 case IEEE80211_M_HOSTAP: 2751 if (ni != ic->ic_bss) { 2752 int stay_auth = 2753 ((ic->ic_userflags & IEEE80211_F_STAYAUTH) && 2754 (ni->ni_state == IEEE80211_STA_AUTH || 2755 ni->ni_state == IEEE80211_STA_ASSOC)); 2756 if (ic->ic_if.if_flags & IFF_DEBUG) 2757 printf("%s: station %s deauthenticated " 2758 "by peer (reason %d)\n", 2759 ic->ic_if.if_xname, 2760 ether_sprintf(ni->ni_macaddr), 2761 reason); 2762 if (!stay_auth) 2763 ieee80211_node_leave(ic, ni); 2764 } 2765 break; 2766 #endif 2767 default: 2768 break; 2769 } 2770 } 2771 2772 /*- 2773 * Disassociation frame format: 2774 * [2] Reason code 2775 */ 2776 void 2777 ieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m, 2778 struct ieee80211_node *ni) 2779 { 2780 const struct ieee80211_frame *wh; 2781 const u_int8_t *frm; 2782 u_int16_t reason; 2783 2784 /* make sure all mandatory fixed fields are present */ 2785 if (m->m_len < sizeof(*wh) + 2) { 2786 DPRINTF(("frame too short\n")); 2787 return; 2788 } 2789 wh = mtod(m, struct ieee80211_frame *); 2790 frm = (const u_int8_t *)&wh[1]; 2791 2792 reason = LE_READ_2(frm); 2793 2794 ic->ic_stats.is_rx_disassoc++; 2795 switch (ic->ic_opmode) { 2796 case IEEE80211_M_STA: { 2797 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2798 ic->ic_state == IEEE80211_S_RUN); 2799 if (!bgscan) /* ignore disassoc during bgscan */ 2800 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2801 IEEE80211_FC0_SUBTYPE_DISASSOC); 2802 } 2803 break; 2804 #ifndef IEEE80211_STA_ONLY 2805 case IEEE80211_M_HOSTAP: 2806 if (ni != ic->ic_bss) { 2807 if (ic->ic_if.if_flags & IFF_DEBUG) 2808 printf("%s: station %s disassociated " 2809 "by peer (reason %d)\n", 2810 ic->ic_if.if_xname, 2811 ether_sprintf(ni->ni_macaddr), 2812 reason); 2813 ieee80211_node_leave(ic, ni); 2814 } 2815 break; 2816 #endif 2817 default: 2818 break; 2819 } 2820 } 2821 2822 /*- 2823 * ADDBA Request frame format: 2824 * [1] Category 2825 * [1] Action 2826 * [1] Dialog Token 2827 * [2] Block Ack Parameter Set 2828 * [2] Block Ack Timeout Value 2829 * [2] Block Ack Starting Sequence Control 2830 */ 2831 void 2832 ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m, 2833 struct ieee80211_node *ni) 2834 { 2835 const struct ieee80211_frame *wh; 2836 const u_int8_t *frm; 2837 struct ieee80211_rx_ba *ba; 2838 u_int16_t params, ssn, bufsz, timeout; 2839 u_int8_t token, tid; 2840 int err = 0; 2841 2842 /* Ignore if we are not ready to receive data frames. */ 2843 if (ic->ic_state != IEEE80211_S_RUN || 2844 ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid)) 2845 return; 2846 2847 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2848 DPRINTF(("received ADDBA req from non-HT STA %s\n", 2849 ether_sprintf(ni->ni_macaddr))); 2850 return; 2851 } 2852 if (m->m_len < sizeof(*wh) + 9) { 2853 DPRINTF(("frame too short\n")); 2854 return; 2855 } 2856 /* MLME-ADDBA.indication */ 2857 wh = mtod(m, struct ieee80211_frame *); 2858 frm = (const u_int8_t *)&wh[1]; 2859 2860 token = frm[2]; 2861 params = LE_READ_2(&frm[3]); 2862 tid = ((params & IEEE80211_ADDBA_TID_MASK) >> 2863 IEEE80211_ADDBA_TID_SHIFT); 2864 bufsz = (params & IEEE80211_ADDBA_BUFSZ_MASK) >> 2865 IEEE80211_ADDBA_BUFSZ_SHIFT; 2866 timeout = LE_READ_2(&frm[5]); 2867 ssn = LE_READ_2(&frm[7]) >> 4; 2868 2869 ba = &ni->ni_rx_ba[tid]; 2870 /* The driver is still processing an ADDBA request for this tid. */ 2871 if (ba->ba_state == IEEE80211_BA_REQUESTED) 2872 return; 2873 /* If we are in the process of roaming between APs, ignore. */ 2874 if ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2875 (ic->ic_xflags & IEEE80211_F_TX_MGMT_ONLY)) 2876 return; 2877 /* check if we already have a Block Ack agreement for this RA/TID */ 2878 if (ba->ba_state == IEEE80211_BA_AGREED) { 2879 /* XXX should we update the timeout value? */ 2880 /* reset Block Ack inactivity timer */ 2881 if (ba->ba_timeout_val != 0) 2882 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2883 2884 /* check if it's a Protected Block Ack agreement */ 2885 if (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2886 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) 2887 return; /* not a PBAC, ignore */ 2888 2889 /* PBAC: treat the ADDBA Request like a BlockAckReq */ 2890 if (SEQ_LT(ba->ba_winstart, ssn)) { 2891 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 2892 ieee80211_ba_move_window(ic, ni, tid, ssn, &ml); 2893 if_input(&ic->ic_if, &ml); 2894 } 2895 return; 2896 } 2897 2898 /* if PBAC required but RA does not support it, refuse request */ 2899 if ((ic->ic_flags & IEEE80211_F_PBAR) && 2900 (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2901 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))) 2902 goto refuse; 2903 /* 2904 * If the TID for which the Block Ack agreement is requested is 2905 * configured with a no-ACK policy, refuse the agreement. 2906 */ 2907 if (ic->ic_tid_noack & (1 << tid)) 2908 goto refuse; 2909 2910 /* check that we support the requested Block Ack Policy */ 2911 if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) && 2912 !(params & IEEE80211_ADDBA_BA_POLICY)) 2913 goto refuse; 2914 2915 /* setup Block Ack agreement */ 2916 ba->ba_state = IEEE80211_BA_REQUESTED; 2917 ba->ba_timeout_val = timeout * IEEE80211_DUR_TU; 2918 ba->ba_ni = ni; 2919 ba->ba_token = token; 2920 timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba); 2921 timeout_set(&ba->ba_gap_to, ieee80211_input_ba_gap_timeout, ba); 2922 ba->ba_gapwait = 0; 2923 ba->ba_winsize = bufsz; 2924 if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ) 2925 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 2926 ba->ba_params = (params & IEEE80211_ADDBA_BA_POLICY); 2927 ba->ba_params |= ((ba->ba_winsize << IEEE80211_ADDBA_BUFSZ_SHIFT) | 2928 (tid << IEEE80211_ADDBA_TID_SHIFT)); 2929 ba->ba_params |= IEEE80211_ADDBA_AMSDU; 2930 ba->ba_winstart = ssn; 2931 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 2932 /* allocate and setup our reordering buffer */ 2933 ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf), 2934 M_DEVBUF, M_NOWAIT | M_ZERO); 2935 if (ba->ba_buf == NULL) 2936 goto refuse; 2937 2938 ba->ba_head = 0; 2939 2940 /* notify drivers of this new Block Ack agreement */ 2941 if (ic->ic_ampdu_rx_start != NULL) 2942 err = ic->ic_ampdu_rx_start(ic, ni, tid); 2943 if (err == EBUSY) { 2944 /* driver will accept or refuse agreement when done */ 2945 return; 2946 } else if (err) { 2947 /* driver failed to setup, rollback */ 2948 ieee80211_addba_req_refuse(ic, ni, tid); 2949 } else 2950 ieee80211_addba_req_accept(ic, ni, tid); 2951 return; 2952 2953 refuse: 2954 /* MLME-ADDBA.response */ 2955 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2956 IEEE80211_ACTION_ADDBA_RESP, 2957 IEEE80211_STATUS_REFUSED << 16 | token << 8 | tid); 2958 } 2959 2960 void 2961 ieee80211_addba_req_accept(struct ieee80211com *ic, struct ieee80211_node *ni, 2962 uint8_t tid) 2963 { 2964 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2965 2966 ba->ba_state = IEEE80211_BA_AGREED; 2967 ic->ic_stats.is_ht_rx_ba_agreements++; 2968 /* start Block Ack inactivity timer */ 2969 if (ba->ba_timeout_val != 0) 2970 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2971 2972 /* MLME-ADDBA.response */ 2973 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2974 IEEE80211_ACTION_ADDBA_RESP, 2975 IEEE80211_STATUS_SUCCESS << 16 | ba->ba_token << 8 | tid); 2976 } 2977 2978 void 2979 ieee80211_addba_req_refuse(struct ieee80211com *ic, struct ieee80211_node *ni, 2980 uint8_t tid) 2981 { 2982 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2983 2984 free(ba->ba_buf, M_DEVBUF, 2985 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 2986 ba->ba_buf = NULL; 2987 ba->ba_state = IEEE80211_BA_INIT; 2988 2989 /* MLME-ADDBA.response */ 2990 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2991 IEEE80211_ACTION_ADDBA_RESP, 2992 IEEE80211_STATUS_REFUSED << 16 | ba->ba_token << 8 | tid); 2993 } 2994 2995 /*- 2996 * ADDBA Response frame format: 2997 * [1] Category 2998 * [1] Action 2999 * [1] Dialog Token 3000 * [2] Status Code 3001 * [2] Block Ack Parameter Set 3002 * [2] Block Ack Timeout Value 3003 */ 3004 void 3005 ieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m, 3006 struct ieee80211_node *ni) 3007 { 3008 const struct ieee80211_frame *wh; 3009 const u_int8_t *frm; 3010 struct ieee80211_tx_ba *ba; 3011 u_int16_t status, params, bufsz, timeout; 3012 u_int8_t token, tid; 3013 int err = 0; 3014 3015 if (m->m_len < sizeof(*wh) + 9) { 3016 DPRINTF(("frame too short\n")); 3017 return; 3018 } 3019 wh = mtod(m, struct ieee80211_frame *); 3020 frm = (const u_int8_t *)&wh[1]; 3021 3022 token = frm[2]; 3023 status = LE_READ_2(&frm[3]); 3024 params = LE_READ_2(&frm[5]); 3025 tid = (params >> 2) & 0xf; 3026 bufsz = (params >> 6) & 0x3ff; 3027 timeout = LE_READ_2(&frm[7]); 3028 3029 DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n", 3030 ether_sprintf(ni->ni_macaddr), tid, status)); 3031 3032 /* 3033 * Ignore if no ADDBA request has been sent for this RA/TID or 3034 * if we already have a Block Ack agreement. 3035 */ 3036 ba = &ni->ni_tx_ba[tid]; 3037 if (ba->ba_state != IEEE80211_BA_REQUESTED) { 3038 DPRINTF(("no matching ADDBA req found\n")); 3039 return; 3040 } 3041 if (token != ba->ba_token) { 3042 DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n", 3043 ether_sprintf(ni->ni_macaddr), token, ba->ba_token)); 3044 return; 3045 } 3046 /* we got an ADDBA Response matching our request, stop timeout */ 3047 timeout_del(&ba->ba_to); 3048 3049 if (status != IEEE80211_STATUS_SUCCESS) { 3050 if (ni->ni_addba_req_intval[tid] < 3051 IEEE80211_ADDBA_REQ_INTVAL_MAX) 3052 ni->ni_addba_req_intval[tid]++; 3053 3054 ieee80211_addba_resp_refuse(ic, ni, tid, status); 3055 3056 /* 3057 * In case the peer believes there is an existing 3058 * block ack agreement with us, try to delete it. 3059 */ 3060 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 3061 IEEE80211_ACTION_DELBA, 3062 IEEE80211_REASON_SETUP_REQUIRED << 16 | 1 << 8 | tid); 3063 return; 3064 } 3065 3066 /* notify drivers of this new Block Ack agreement */ 3067 if (ic->ic_ampdu_tx_start != NULL) 3068 err = ic->ic_ampdu_tx_start(ic, ni, tid); 3069 3070 if (err == EBUSY) { 3071 /* driver will accept or refuse agreement when done */ 3072 return; 3073 } else if (err) { 3074 /* driver failed to setup, rollback */ 3075 ieee80211_addba_resp_refuse(ic, ni, tid, 3076 IEEE80211_STATUS_UNSPECIFIED); 3077 } else 3078 ieee80211_addba_resp_accept(ic, ni, tid); 3079 } 3080 3081 void 3082 ieee80211_addba_resp_accept(struct ieee80211com *ic, 3083 struct ieee80211_node *ni, uint8_t tid) 3084 { 3085 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 3086 3087 /* MLME-ADDBA.confirm(Success) */ 3088 ba->ba_state = IEEE80211_BA_AGREED; 3089 ic->ic_stats.is_ht_tx_ba_agreements++; 3090 3091 /* Reset ADDBA request interval. */ 3092 ni->ni_addba_req_intval[tid] = 1; 3093 3094 ni->ni_qos_txseqs[tid] = ba->ba_winstart; 3095 3096 /* start Block Ack inactivity timeout */ 3097 if (ba->ba_timeout_val != 0) 3098 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 3099 } 3100 3101 void 3102 ieee80211_addba_resp_refuse(struct ieee80211com *ic, 3103 struct ieee80211_node *ni, uint8_t tid, uint16_t status) 3104 { 3105 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 3106 3107 /* MLME-ADDBA.confirm(Failure) */ 3108 ba->ba_state = IEEE80211_BA_INIT; 3109 } 3110 3111 /*- 3112 * DELBA frame format: 3113 * [1] Category 3114 * [1] Action 3115 * [2] DELBA Parameter Set 3116 * [2] Reason Code 3117 */ 3118 void 3119 ieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m, 3120 struct ieee80211_node *ni) 3121 { 3122 const struct ieee80211_frame *wh; 3123 const u_int8_t *frm; 3124 u_int16_t params, reason; 3125 u_int8_t tid; 3126 int i; 3127 3128 if (m->m_len < sizeof(*wh) + 6) { 3129 DPRINTF(("frame too short\n")); 3130 return; 3131 } 3132 wh = mtod(m, struct ieee80211_frame *); 3133 frm = (const u_int8_t *)&wh[1]; 3134 3135 params = LE_READ_2(&frm[2]); 3136 reason = LE_READ_2(&frm[4]); 3137 tid = params >> 12; 3138 3139 DPRINTF(("received DELBA from %s, TID %d, reason %d\n", 3140 ether_sprintf(ni->ni_macaddr), tid, reason)); 3141 3142 if (params & IEEE80211_DELBA_INITIATOR) { 3143 /* MLME-DELBA.indication(Originator) */ 3144 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 3145 3146 if (ba->ba_state != IEEE80211_BA_AGREED) { 3147 DPRINTF(("no matching Block Ack agreement\n")); 3148 return; 3149 } 3150 /* notify drivers of the end of the Block Ack agreement */ 3151 if (ic->ic_ampdu_rx_stop != NULL) 3152 ic->ic_ampdu_rx_stop(ic, ni, tid); 3153 3154 ba->ba_state = IEEE80211_BA_INIT; 3155 /* stop Block Ack inactivity timer */ 3156 timeout_del(&ba->ba_to); 3157 timeout_del(&ba->ba_gap_to); 3158 ba->ba_gapwait = 0; 3159 3160 if (ba->ba_buf != NULL) { 3161 /* free all MSDUs stored in reordering buffer */ 3162 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 3163 m_freem(ba->ba_buf[i].m); 3164 /* free reordering buffer */ 3165 free(ba->ba_buf, M_DEVBUF, 3166 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 3167 ba->ba_buf = NULL; 3168 } 3169 } else { 3170 /* MLME-DELBA.indication(Recipient) */ 3171 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 3172 3173 if (ba->ba_state != IEEE80211_BA_AGREED) { 3174 DPRINTF(("no matching Block Ack agreement\n")); 3175 return; 3176 } 3177 /* notify drivers of the end of the Block Ack agreement */ 3178 if (ic->ic_ampdu_tx_stop != NULL) 3179 ic->ic_ampdu_tx_stop(ic, ni, tid); 3180 3181 ba->ba_state = IEEE80211_BA_INIT; 3182 /* stop Block Ack inactivity timer */ 3183 timeout_del(&ba->ba_to); 3184 } 3185 } 3186 3187 /*- 3188 * SA Query Request frame format: 3189 * [1] Category 3190 * [1] Action 3191 * [2] Transaction Identifier 3192 */ 3193 void 3194 ieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m, 3195 struct ieee80211_node *ni) 3196 { 3197 const struct ieee80211_frame *wh; 3198 const u_int8_t *frm; 3199 3200 if (ic->ic_opmode != IEEE80211_M_STA || 3201 !(ni->ni_flags & IEEE80211_NODE_MFP)) { 3202 DPRINTF(("unexpected SA Query req from %s\n", 3203 ether_sprintf(ni->ni_macaddr))); 3204 return; 3205 } 3206 if (m->m_len < sizeof(*wh) + 4) { 3207 DPRINTF(("frame too short\n")); 3208 return; 3209 } 3210 wh = mtod(m, struct ieee80211_frame *); 3211 frm = (const u_int8_t *)&wh[1]; 3212 3213 /* MLME-SAQuery.indication */ 3214 3215 /* save Transaction Identifier for SA Query Response */ 3216 ni->ni_sa_query_trid = LE_READ_2(&frm[2]); 3217 3218 /* MLME-SAQuery.response */ 3219 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 3220 IEEE80211_ACTION_SA_QUERY_RESP, 0); 3221 } 3222 3223 #ifndef IEEE80211_STA_ONLY 3224 /*- 3225 * SA Query Response frame format: 3226 * [1] Category 3227 * [1] Action 3228 * [2] Transaction Identifier 3229 */ 3230 void 3231 ieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m, 3232 struct ieee80211_node *ni) 3233 { 3234 const struct ieee80211_frame *wh; 3235 const u_int8_t *frm; 3236 3237 /* ignore if we're not engaged in an SA Query with that STA */ 3238 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 3239 DPRINTF(("unexpected SA Query resp from %s\n", 3240 ether_sprintf(ni->ni_macaddr))); 3241 return; 3242 } 3243 if (m->m_len < sizeof(*wh) + 4) { 3244 DPRINTF(("frame too short\n")); 3245 return; 3246 } 3247 wh = mtod(m, struct ieee80211_frame *); 3248 frm = (const u_int8_t *)&wh[1]; 3249 3250 /* check that Transaction Identifier matches */ 3251 if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) { 3252 DPRINTF(("transaction identifier does not match\n")); 3253 return; 3254 } 3255 /* MLME-SAQuery.confirm */ 3256 timeout_del(&ni->ni_sa_query_to); 3257 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 3258 } 3259 #endif 3260 3261 /*- 3262 * Action frame format: 3263 * [1] Category 3264 * [1] Action 3265 */ 3266 void 3267 ieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m, 3268 struct ieee80211_node *ni) 3269 { 3270 const struct ieee80211_frame *wh; 3271 const u_int8_t *frm; 3272 3273 if (m->m_len < sizeof(*wh) + 2) { 3274 DPRINTF(("frame too short\n")); 3275 return; 3276 } 3277 wh = mtod(m, struct ieee80211_frame *); 3278 frm = (const u_int8_t *)&wh[1]; 3279 3280 switch (frm[0]) { 3281 case IEEE80211_CATEG_BA: 3282 switch (frm[1]) { 3283 case IEEE80211_ACTION_ADDBA_REQ: 3284 ieee80211_recv_addba_req(ic, m, ni); 3285 break; 3286 case IEEE80211_ACTION_ADDBA_RESP: 3287 ieee80211_recv_addba_resp(ic, m, ni); 3288 break; 3289 case IEEE80211_ACTION_DELBA: 3290 ieee80211_recv_delba(ic, m, ni); 3291 break; 3292 } 3293 break; 3294 case IEEE80211_CATEG_SA_QUERY: 3295 switch (frm[1]) { 3296 case IEEE80211_ACTION_SA_QUERY_REQ: 3297 ieee80211_recv_sa_query_req(ic, m, ni); 3298 break; 3299 #ifndef IEEE80211_STA_ONLY 3300 case IEEE80211_ACTION_SA_QUERY_RESP: 3301 ieee80211_recv_sa_query_resp(ic, m, ni); 3302 break; 3303 #endif 3304 } 3305 break; 3306 default: 3307 DPRINTF(("action frame category %d not handled\n", frm[0])); 3308 break; 3309 } 3310 } 3311 3312 void 3313 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m, 3314 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype) 3315 { 3316 switch (subtype) { 3317 case IEEE80211_FC0_SUBTYPE_BEACON: 3318 ieee80211_recv_probe_resp(ic, m, ni, rxi, 0); 3319 break; 3320 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 3321 ieee80211_recv_probe_resp(ic, m, ni, rxi, 1); 3322 break; 3323 #ifndef IEEE80211_STA_ONLY 3324 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 3325 ieee80211_recv_probe_req(ic, m, ni, rxi); 3326 break; 3327 #endif 3328 case IEEE80211_FC0_SUBTYPE_AUTH: 3329 ieee80211_recv_auth(ic, m, ni, rxi); 3330 break; 3331 #ifndef IEEE80211_STA_ONLY 3332 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 3333 ieee80211_recv_assoc_req(ic, m, ni, rxi, 0); 3334 break; 3335 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 3336 ieee80211_recv_assoc_req(ic, m, ni, rxi, 1); 3337 break; 3338 #endif 3339 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 3340 ieee80211_recv_assoc_resp(ic, m, ni, 0); 3341 break; 3342 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 3343 ieee80211_recv_assoc_resp(ic, m, ni, 1); 3344 break; 3345 case IEEE80211_FC0_SUBTYPE_DEAUTH: 3346 ieee80211_recv_deauth(ic, m, ni); 3347 break; 3348 case IEEE80211_FC0_SUBTYPE_DISASSOC: 3349 ieee80211_recv_disassoc(ic, m, ni); 3350 break; 3351 case IEEE80211_FC0_SUBTYPE_ACTION: 3352 ieee80211_recv_action(ic, m, ni); 3353 break; 3354 default: 3355 DPRINTF(("mgmt frame with subtype 0x%x not handled\n", 3356 subtype)); 3357 ic->ic_stats.is_rx_badsubtype++; 3358 break; 3359 } 3360 } 3361 3362 #ifndef IEEE80211_STA_ONLY 3363 /* 3364 * Process an incoming PS-Poll control frame (see 11.2). 3365 */ 3366 void 3367 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m, 3368 struct ieee80211_node *ni) 3369 { 3370 struct ifnet *ifp = &ic->ic_if; 3371 struct ieee80211_frame_pspoll *psp; 3372 struct ieee80211_frame *wh; 3373 u_int16_t aid; 3374 3375 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 3376 !(ic->ic_caps & IEEE80211_C_APPMGT) || 3377 ni->ni_state != IEEE80211_STA_ASSOC) 3378 return; 3379 3380 if (m->m_len < sizeof(*psp)) { 3381 DPRINTF(("frame too short, len %u\n", m->m_len)); 3382 ic->ic_stats.is_rx_tooshort++; 3383 return; 3384 } 3385 psp = mtod(m, struct ieee80211_frame_pspoll *); 3386 if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) { 3387 DPRINTF(("discard pspoll frame to BSS %s\n", 3388 ether_sprintf(psp->i_bssid))); 3389 ic->ic_stats.is_rx_wrongbss++; 3390 return; 3391 } 3392 aid = letoh16(*(u_int16_t *)psp->i_aid); 3393 if (aid != ni->ni_associd) { 3394 DPRINTF(("invalid pspoll aid %x from %s\n", aid, 3395 ether_sprintf(psp->i_ta))); 3396 return; 3397 } 3398 3399 /* take the first queued frame and put it out.. */ 3400 m = mq_dequeue(&ni->ni_savedq); 3401 if (m == NULL) 3402 return; 3403 if (mq_empty(&ni->ni_savedq)) { 3404 /* last queued frame, turn off the TIM bit */ 3405 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 3406 } else { 3407 /* more queued frames, set the more data bit */ 3408 wh = mtod(m, struct ieee80211_frame *); 3409 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 3410 } 3411 mq_enqueue(&ic->ic_pwrsaveq, m); 3412 if_start(ifp); 3413 } 3414 #endif /* IEEE80211_STA_ONLY */ 3415 3416 /* 3417 * Process an incoming BlockAckReq control frame (see 7.2.1.7). 3418 */ 3419 void 3420 ieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m, 3421 struct ieee80211_node *ni) 3422 { 3423 const struct ieee80211_frame_min *wh; 3424 const u_int8_t *frm; 3425 u_int16_t ctl, ssn; 3426 u_int8_t tid, ntids; 3427 3428 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 3429 DPRINTF(("received BlockAckReq from non-HT STA %s\n", 3430 ether_sprintf(ni->ni_macaddr))); 3431 return; 3432 } 3433 if (m->m_len < sizeof(*wh) + 4) { 3434 DPRINTF(("frame too short\n")); 3435 return; 3436 } 3437 wh = mtod(m, struct ieee80211_frame_min *); 3438 frm = (const u_int8_t *)&wh[1]; 3439 3440 /* read BlockAckReq Control field */ 3441 ctl = LE_READ_2(&frm[0]); 3442 tid = ctl >> 12; 3443 3444 /* determine BlockAckReq frame variant */ 3445 if (ctl & IEEE80211_BA_MULTI_TID) { 3446 /* Multi-TID BlockAckReq variant (PSMP only) */ 3447 ntids = tid + 1; 3448 3449 if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) { 3450 DPRINTF(("MTBAR frame too short\n")); 3451 return; 3452 } 3453 frm += 2; /* skip BlockAckReq Control field */ 3454 while (ntids-- > 0) { 3455 /* read MTBAR Information field */ 3456 tid = LE_READ_2(&frm[0]) >> 12; 3457 ssn = LE_READ_2(&frm[2]) >> 4; 3458 ieee80211_bar_tid(ic, ni, tid, ssn); 3459 frm += 4; 3460 } 3461 } else { 3462 /* Basic or Compressed BlockAckReq variants */ 3463 ssn = LE_READ_2(&frm[2]) >> 4; 3464 ieee80211_bar_tid(ic, ni, tid, ssn); 3465 } 3466 } 3467 3468 /* 3469 * Process a BlockAckReq for a specific TID (see 9.10.7.6.3). 3470 * This is the common back-end for all BlockAckReq frame variants. 3471 */ 3472 void 3473 ieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni, 3474 u_int8_t tid, u_int16_t ssn) 3475 { 3476 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 3477 3478 /* check if we have a Block Ack agreement for RA/TID */ 3479 if (ba->ba_state != IEEE80211_BA_AGREED) { 3480 /* XXX not sure in PBAC case */ 3481 /* send a DELBA with reason code UNKNOWN-BA */ 3482 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 3483 IEEE80211_ACTION_DELBA, 3484 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 3485 return; 3486 } 3487 /* check if it is a Protected Block Ack agreement */ 3488 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 3489 (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) { 3490 /* ADDBA Requests must be used in PBAC case */ 3491 if (SEQ_LT(ssn, ba->ba_winstart) || 3492 SEQ_LT(ba->ba_winend, ssn)) 3493 ic->ic_stats.is_pbac_errs++; 3494 return; /* PBAC, do not move window */ 3495 } 3496 /* reset Block Ack inactivity timer */ 3497 if (ba->ba_timeout_val != 0) 3498 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 3499 3500 if (SEQ_LT(ba->ba_winstart, ssn)) { 3501 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 3502 ieee80211_ba_move_window(ic, ni, tid, ssn, &ml); 3503 if_input(&ic->ic_if, &ml); 3504 } 3505 } 3506