1 /* $OpenBSD: ieee80211_input.c,v 1.247 2022/03/20 12:01:58 stsp Exp $ */ 2 3 /*- 4 * Copyright (c) 2001 Atsushi Onoe 5 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 6 * Copyright (c) 2007-2009 Damien Bergamini 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of the author may not be used to endorse or promote products 18 * derived from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include "bpfilter.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 #include <sys/socket.h> 40 #include <sys/sockio.h> 41 #include <sys/endian.h> 42 #include <sys/errno.h> 43 #include <sys/sysctl.h> 44 #include <sys/task.h> 45 46 #include <net/if.h> 47 #include <net/if_dl.h> 48 #include <net/if_media.h> 49 #include <net/if_llc.h> 50 51 #if NBPFILTER > 0 52 #include <net/bpf.h> 53 #endif 54 55 #include <netinet/in.h> 56 #include <netinet/if_ether.h> 57 58 #include <net80211/ieee80211_var.h> 59 #include <net80211/ieee80211_priv.h> 60 61 struct mbuf *ieee80211_input_hwdecrypt(struct ieee80211com *, 62 struct ieee80211_node *, struct mbuf *, 63 struct ieee80211_rxinfo *rxi); 64 struct mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int); 65 void ieee80211_defrag_timeout(void *); 66 void ieee80211_input_ba(struct ieee80211com *, struct mbuf *, 67 struct ieee80211_node *, int, struct ieee80211_rxinfo *, 68 struct mbuf_list *); 69 void ieee80211_input_ba_flush(struct ieee80211com *, struct ieee80211_node *, 70 struct ieee80211_rx_ba *, struct mbuf_list *); 71 int ieee80211_input_ba_gap_skip(struct ieee80211_rx_ba *); 72 void ieee80211_input_ba_gap_timeout(void *arg); 73 void ieee80211_ba_move_window(struct ieee80211com *, 74 struct ieee80211_node *, u_int8_t, u_int16_t, struct mbuf_list *); 75 void ieee80211_input_ba_seq(struct ieee80211com *, 76 struct ieee80211_node *, uint8_t, uint16_t, struct mbuf_list *); 77 struct mbuf *ieee80211_align_mbuf(struct mbuf *); 78 void ieee80211_decap(struct ieee80211com *, struct mbuf *, 79 struct ieee80211_node *, int, struct mbuf_list *); 80 int ieee80211_amsdu_decap_validate(struct ieee80211com *, struct mbuf *, 81 struct ieee80211_node *); 82 void ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *, 83 struct ieee80211_node *, int, struct mbuf_list *); 84 void ieee80211_enqueue_data(struct ieee80211com *, struct mbuf *, 85 struct ieee80211_node *, int, struct mbuf_list *); 86 int ieee80211_parse_edca_params_body(struct ieee80211com *, 87 const u_int8_t *); 88 int ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *); 89 int ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *); 90 enum ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t[]); 91 enum ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t[]); 92 int ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *, 93 u_int, struct ieee80211_rsnparams *); 94 int ieee80211_save_ie(const u_int8_t *, u_int8_t **); 95 void ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *, 96 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 97 #ifndef IEEE80211_STA_ONLY 98 void ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *, 99 struct ieee80211_node *, struct ieee80211_rxinfo *); 100 #endif 101 void ieee80211_recv_auth(struct ieee80211com *, struct mbuf *, 102 struct ieee80211_node *, struct ieee80211_rxinfo *); 103 #ifndef IEEE80211_STA_ONLY 104 void ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *, 105 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 106 #endif 107 void ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *, 108 struct ieee80211_node *, int); 109 void ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *, 110 struct ieee80211_node *); 111 void ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *, 112 struct ieee80211_node *); 113 void ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *, 114 struct ieee80211_node *); 115 void ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *, 116 struct ieee80211_node *); 117 void ieee80211_recv_delba(struct ieee80211com *, struct mbuf *, 118 struct ieee80211_node *); 119 void ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *, 120 struct ieee80211_node *); 121 #ifndef IEEE80211_STA_ONLY 122 void ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *, 123 struct ieee80211_node *); 124 #endif 125 void ieee80211_recv_action(struct ieee80211com *, struct mbuf *, 126 struct ieee80211_node *); 127 #ifndef IEEE80211_STA_ONLY 128 void ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *, 129 struct ieee80211_node *); 130 #endif 131 void ieee80211_recv_bar(struct ieee80211com *, struct mbuf *, 132 struct ieee80211_node *); 133 void ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *, 134 u_int8_t, u_int16_t); 135 136 /* 137 * Retrieve the length in bytes of an 802.11 header. 138 */ 139 u_int 140 ieee80211_get_hdrlen(const struct ieee80211_frame *wh) 141 { 142 u_int size = sizeof(*wh); 143 144 /* NB: does not work with control frames */ 145 KASSERT(ieee80211_has_seq(wh)); 146 147 if (ieee80211_has_addr4(wh)) 148 size += IEEE80211_ADDR_LEN; /* i_addr4 */ 149 if (ieee80211_has_qos(wh)) 150 size += sizeof(u_int16_t); /* i_qos */ 151 if (ieee80211_has_htc(wh)) 152 size += sizeof(u_int32_t); /* i_ht */ 153 return size; 154 } 155 156 /* Post-processing for drivers which perform decryption in hardware. */ 157 struct mbuf * 158 ieee80211_input_hwdecrypt(struct ieee80211com *ic, struct ieee80211_node *ni, 159 struct mbuf *m, struct ieee80211_rxinfo *rxi) 160 { 161 struct ieee80211_key *k; 162 struct ieee80211_frame *wh; 163 uint64_t pn, *prsc; 164 int hdrlen; 165 166 k = ieee80211_get_rxkey(ic, m, ni); 167 if (k == NULL) 168 return NULL; 169 170 wh = mtod(m, struct ieee80211_frame *); 171 hdrlen = ieee80211_get_hdrlen(wh); 172 173 /* 174 * Update the last-seen packet number (PN) for drivers using hardware 175 * crypto offloading. This cannot be done by drivers because A-MPDU 176 * reordering needs to occur before a valid lower bound can be 177 * determined for the PN. Drivers will read the PN we write here and 178 * are expected to discard replayed frames based on it. 179 * Drivers are expected to leave the IV of decrypted frames intact 180 * so we can update the last-seen PN and strip the IV here. 181 */ 182 switch (k->k_cipher) { 183 case IEEE80211_CIPHER_CCMP: 184 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 185 /* 186 * If the protected bit is clear then hardware has 187 * stripped the IV and we must trust that it handles 188 * replay detection correctly. 189 */ 190 break; 191 } 192 if (ieee80211_ccmp_get_pn(&pn, &prsc, m, k) != 0) 193 return NULL; 194 if (rxi->rxi_flags & IEEE80211_RXI_HWDEC_SAME_PN) { 195 if (pn < *prsc) { 196 ic->ic_stats.is_ccmp_replays++; 197 return NULL; 198 } 199 } else if (pn <= *prsc) { 200 ic->ic_stats.is_ccmp_replays++; 201 return NULL; 202 } 203 204 /* Update last-seen packet number. */ 205 *prsc = pn; 206 207 /* Clear Protected bit and strip IV. */ 208 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 209 memmove(mtod(m, caddr_t) + IEEE80211_CCMP_HDRLEN, wh, hdrlen); 210 m_adj(m, IEEE80211_CCMP_HDRLEN); 211 /* Drivers are expected to strip the MIC. */ 212 break; 213 case IEEE80211_CIPHER_TKIP: 214 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 215 /* 216 * If the protected bit is clear then hardware has 217 * stripped the IV and we must trust that it handles 218 * replay detection correctly. 219 */ 220 break; 221 } 222 if (ieee80211_tkip_get_tsc(&pn, &prsc, m, k) != 0) 223 return NULL; 224 if (rxi->rxi_flags & IEEE80211_RXI_HWDEC_SAME_PN) { 225 if (pn < *prsc) { 226 ic->ic_stats.is_tkip_replays++; 227 return NULL; 228 } 229 } else if (pn <= *prsc) { 230 ic->ic_stats.is_tkip_replays++; 231 return NULL; 232 } 233 234 /* Update last-seen packet number. */ 235 *prsc = pn; 236 237 /* Clear Protected bit and strip IV. */ 238 wh = mtod(m, struct ieee80211_frame *); 239 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 240 memmove(mtod(m, caddr_t) + IEEE80211_TKIP_HDRLEN, wh, hdrlen); 241 m_adj(m, IEEE80211_TKIP_HDRLEN); 242 /* Drivers are expected to strip the MIC. */ 243 break; 244 default: 245 break; 246 } 247 248 return m; 249 } 250 251 /* 252 * Process a received frame. The node associated with the sender 253 * should be supplied. If nothing was found in the node table then 254 * the caller is assumed to supply a reference to ic_bss instead. 255 * The RSSI and a timestamp are also supplied. The RSSI data is used 256 * during AP scanning to select a AP to associate with; it can have 257 * any units so long as values have consistent units and higher values 258 * mean ``better signal''. The receive timestamp is currently not used 259 * by the 802.11 layer. 260 * 261 * This function acts on management frames immediately and queues data frames 262 * on the specified mbuf list. Delivery of queued data frames to upper layers 263 * must be triggered with if_input(). Drivers should call if_input() only once 264 * per Rx interrupt to avoid triggering the input ifq pressure drop mechanism 265 * unnecessarily. 266 */ 267 void 268 ieee80211_inputm(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 269 struct ieee80211_rxinfo *rxi, struct mbuf_list *ml) 270 { 271 struct ieee80211com *ic = (void *)ifp; 272 struct ieee80211_frame *wh; 273 u_int16_t *orxseq, nrxseq, qos; 274 u_int8_t dir, type, subtype, tid; 275 int hdrlen, hasqos; 276 277 KASSERT(ni != NULL); 278 279 /* in monitor mode, send everything directly to bpf */ 280 if (ic->ic_opmode == IEEE80211_M_MONITOR) 281 goto out; 282 283 /* 284 * Do not process frames without an Address 2 field any further. 285 * Only CTS and ACK control frames do not have this field. 286 */ 287 if (m->m_len < sizeof(struct ieee80211_frame_min)) { 288 DPRINTF(("frame too short, len %u\n", m->m_len)); 289 ic->ic_stats.is_rx_tooshort++; 290 goto out; 291 } 292 293 wh = mtod(m, struct ieee80211_frame *); 294 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 295 IEEE80211_FC0_VERSION_0) { 296 DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0])); 297 ic->ic_stats.is_rx_badversion++; 298 goto err; 299 } 300 301 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 302 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 303 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 304 305 if (type != IEEE80211_FC0_TYPE_CTL) { 306 hdrlen = ieee80211_get_hdrlen(wh); 307 if (m->m_len < hdrlen) { 308 DPRINTF(("frame too short, len %u\n", m->m_len)); 309 ic->ic_stats.is_rx_tooshort++; 310 goto err; 311 } 312 } else 313 hdrlen = 0; 314 if ((hasqos = ieee80211_has_qos(wh))) { 315 qos = ieee80211_get_qos(wh); 316 tid = qos & IEEE80211_QOS_TID; 317 } else { 318 qos = 0; 319 tid = 0; 320 } 321 322 if (ic->ic_state == IEEE80211_S_RUN && 323 type == IEEE80211_FC0_TYPE_DATA && hasqos && 324 (subtype & IEEE80211_FC0_SUBTYPE_NODATA) == 0 && 325 !(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE) 326 #ifndef IEEE80211_STA_ONLY 327 && (ic->ic_opmode == IEEE80211_M_STA || ni != ic->ic_bss) 328 #endif 329 ) { 330 int ba_state = ni->ni_rx_ba[tid].ba_state; 331 332 #ifndef IEEE80211_STA_ONLY 333 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 334 if (!IEEE80211_ADDR_EQ(wh->i_addr1, 335 ic->ic_bss->ni_bssid)) { 336 ic->ic_stats.is_rx_wrongbss++; 337 goto err; 338 } 339 if (ni->ni_state != IEEE80211_S_ASSOC) { 340 ic->ic_stats.is_rx_notassoc++; 341 goto err; 342 } 343 } 344 #endif 345 /* 346 * If Block Ack was explicitly requested, check 347 * if we have a BA agreement for this RA/TID. 348 */ 349 if ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 350 IEEE80211_QOS_ACK_POLICY_BA && 351 ba_state != IEEE80211_BA_AGREED) { 352 DPRINTF(("no BA agreement for %s, TID %d\n", 353 ether_sprintf(ni->ni_macaddr), tid)); 354 /* send a DELBA with reason code UNKNOWN-BA */ 355 IEEE80211_SEND_ACTION(ic, ni, 356 IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA, 357 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 358 goto err; 359 } 360 361 /* 362 * Check if we have an explicit or implicit 363 * Block Ack Request for a valid BA agreement. 364 */ 365 if (ba_state == IEEE80211_BA_AGREED && 366 ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 367 IEEE80211_QOS_ACK_POLICY_BA || 368 (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 369 IEEE80211_QOS_ACK_POLICY_NORMAL)) { 370 /* go through A-MPDU reordering */ 371 ieee80211_input_ba(ic, m, ni, tid, rxi, ml); 372 return; /* don't free m! */ 373 } else if (ba_state == IEEE80211_BA_REQUESTED && 374 (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 375 IEEE80211_QOS_ACK_POLICY_NORMAL) { 376 /* 377 * Apparently, qos frames for a tid where a 378 * block ack agreement was requested but not 379 * yet confirmed by us should still contribute 380 * to the sequence number for this tid. 381 */ 382 ieee80211_input_ba(ic, m, ni, tid, rxi, ml); 383 return; /* don't free m! */ 384 } 385 } 386 387 /* 388 * We do not yet support fragments. Drop any fragmented packets. 389 * Counter-measure against attacks where an arbitrary packet is 390 * injected via a fragment with attacker-controlled content. 391 * See https://papers.mathyvanhoef.com/usenix2021.pdf 392 * Section 6.8 "Treating fragments as full frames" 393 */ 394 if (ieee80211_has_seq(wh)) { 395 uint16_t rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 396 if ((wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) || 397 (rxseq & IEEE80211_SEQ_FRAG_MASK)) 398 goto err; 399 } 400 401 /* duplicate detection (see 9.2.9) */ 402 if (ieee80211_has_seq(wh) && 403 ic->ic_state != IEEE80211_S_SCAN) { 404 nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >> 405 IEEE80211_SEQ_SEQ_SHIFT; 406 if (hasqos) 407 orxseq = &ni->ni_qos_rxseqs[tid]; 408 else 409 orxseq = &ni->ni_rxseq; 410 if (rxi->rxi_flags & IEEE80211_RXI_SAME_SEQ) { 411 if (nrxseq != *orxseq) { 412 /* duplicate, silently discarded */ 413 ic->ic_stats.is_rx_dup++; 414 goto out; 415 } 416 } else if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 417 nrxseq == *orxseq) { 418 /* duplicate, silently discarded */ 419 ic->ic_stats.is_rx_dup++; 420 goto out; 421 } 422 *orxseq = nrxseq; 423 } 424 if (ic->ic_state > IEEE80211_S_SCAN) { 425 ni->ni_rssi = rxi->rxi_rssi; 426 ni->ni_rstamp = rxi->rxi_tstamp; 427 ni->ni_inact = 0; 428 429 if (ic->ic_state == IEEE80211_S_RUN && ic->ic_bgscan_start) { 430 /* Cancel or start background scan based on RSSI. */ 431 if ((*ic->ic_node_checkrssi)(ic, ni)) 432 timeout_del(&ic->ic_bgscan_timeout); 433 else if (!timeout_pending(&ic->ic_bgscan_timeout) && 434 (ic->ic_flags & IEEE80211_F_BGSCAN) == 0 && 435 (ic->ic_flags & IEEE80211_F_DESBSSID) == 0) 436 timeout_add_msec(&ic->ic_bgscan_timeout, 437 500 * (ic->ic_bgscan_fail + 1)); 438 } 439 } 440 441 #ifndef IEEE80211_STA_ONLY 442 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 443 (ic->ic_caps & IEEE80211_C_APPMGT) && 444 ni->ni_state == IEEE80211_STA_ASSOC) { 445 if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) { 446 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) { 447 /* turn on PS mode */ 448 ni->ni_pwrsave = IEEE80211_PS_DOZE; 449 DPRINTF(("PS mode on for %s\n", 450 ether_sprintf(wh->i_addr2))); 451 } 452 } else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) { 453 struct mbuf *m; 454 455 /* turn off PS mode */ 456 ni->ni_pwrsave = IEEE80211_PS_AWAKE; 457 DPRINTF(("PS mode off for %s\n", 458 ether_sprintf(wh->i_addr2))); 459 460 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 461 462 /* dequeue buffered unicast frames */ 463 while ((m = mq_dequeue(&ni->ni_savedq)) != NULL) { 464 mq_enqueue(&ic->ic_pwrsaveq, m); 465 if_start(ifp); 466 } 467 } 468 } 469 #endif 470 switch (type) { 471 case IEEE80211_FC0_TYPE_DATA: 472 switch (ic->ic_opmode) { 473 case IEEE80211_M_STA: 474 if (dir != IEEE80211_FC1_DIR_FROMDS) { 475 ic->ic_stats.is_rx_wrongdir++; 476 goto out; 477 } 478 if (ic->ic_state != IEEE80211_S_SCAN && 479 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 480 /* Source address is not our BSS. */ 481 DPRINTF(("discard frame from SA %s\n", 482 ether_sprintf(wh->i_addr2))); 483 ic->ic_stats.is_rx_wrongbss++; 484 goto out; 485 } 486 if ((ifp->if_flags & IFF_SIMPLEX) && 487 IEEE80211_IS_MULTICAST(wh->i_addr1) && 488 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 489 /* 490 * In IEEE802.11 network, multicast frame 491 * sent from me is broadcasted from AP. 492 * It should be silently discarded for 493 * SIMPLEX interface. 494 */ 495 ic->ic_stats.is_rx_mcastecho++; 496 goto out; 497 } 498 break; 499 #ifndef IEEE80211_STA_ONLY 500 case IEEE80211_M_IBSS: 501 case IEEE80211_M_AHDEMO: 502 if (dir != IEEE80211_FC1_DIR_NODS) { 503 ic->ic_stats.is_rx_wrongdir++; 504 goto out; 505 } 506 if (ic->ic_state != IEEE80211_S_SCAN && 507 !IEEE80211_ADDR_EQ(wh->i_addr3, 508 ic->ic_bss->ni_bssid) && 509 !IEEE80211_ADDR_EQ(wh->i_addr3, 510 etherbroadcastaddr)) { 511 /* Destination is not our BSS or broadcast. */ 512 DPRINTF(("discard data frame to DA %s\n", 513 ether_sprintf(wh->i_addr3))); 514 ic->ic_stats.is_rx_wrongbss++; 515 goto out; 516 } 517 break; 518 case IEEE80211_M_HOSTAP: 519 if (dir != IEEE80211_FC1_DIR_TODS) { 520 ic->ic_stats.is_rx_wrongdir++; 521 goto out; 522 } 523 if (ic->ic_state != IEEE80211_S_SCAN && 524 !IEEE80211_ADDR_EQ(wh->i_addr1, 525 ic->ic_bss->ni_bssid) && 526 !IEEE80211_ADDR_EQ(wh->i_addr1, 527 etherbroadcastaddr)) { 528 /* BSS is not us or broadcast. */ 529 DPRINTF(("discard data frame to BSS %s\n", 530 ether_sprintf(wh->i_addr1))); 531 ic->ic_stats.is_rx_wrongbss++; 532 goto out; 533 } 534 /* check if source STA is associated */ 535 if (ni == ic->ic_bss) { 536 DPRINTF(("data from unknown src %s\n", 537 ether_sprintf(wh->i_addr2))); 538 /* NB: caller deals with reference */ 539 ni = ieee80211_find_node(ic, wh->i_addr2); 540 if (ni == NULL) 541 ni = ieee80211_dup_bss(ic, wh->i_addr2); 542 if (ni != NULL) { 543 IEEE80211_SEND_MGMT(ic, ni, 544 IEEE80211_FC0_SUBTYPE_DEAUTH, 545 IEEE80211_REASON_NOT_AUTHED); 546 } 547 ic->ic_stats.is_rx_notassoc++; 548 goto err; 549 } 550 if (ni->ni_state != IEEE80211_STA_ASSOC) { 551 DPRINTF(("data from unassoc src %s\n", 552 ether_sprintf(wh->i_addr2))); 553 IEEE80211_SEND_MGMT(ic, ni, 554 IEEE80211_FC0_SUBTYPE_DISASSOC, 555 IEEE80211_REASON_NOT_ASSOCED); 556 ic->ic_stats.is_rx_notassoc++; 557 goto err; 558 } 559 break; 560 #endif /* IEEE80211_STA_ONLY */ 561 default: 562 /* can't get there */ 563 goto out; 564 } 565 566 /* Do not process "no data" frames any further. */ 567 if (subtype & IEEE80211_FC0_SUBTYPE_NODATA) { 568 #if NBPFILTER > 0 569 if (ic->ic_rawbpf) 570 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 571 #endif 572 goto out; 573 } 574 575 if ((ic->ic_flags & IEEE80211_F_WEPON) || 576 ((ic->ic_flags & IEEE80211_F_RSNON) && 577 (ni->ni_flags & IEEE80211_NODE_RXPROT))) { 578 /* protection is on for Rx */ 579 if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 580 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 581 /* drop unencrypted */ 582 ic->ic_stats.is_rx_unencrypted++; 583 goto err; 584 } 585 /* do software decryption */ 586 m = ieee80211_decrypt(ic, m, ni); 587 if (m == NULL) { 588 ic->ic_stats.is_rx_wepfail++; 589 goto err; 590 } 591 } else { 592 m = ieee80211_input_hwdecrypt(ic, ni, m, rxi); 593 if (m == NULL) 594 goto err; 595 } 596 wh = mtod(m, struct ieee80211_frame *); 597 } else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) || 598 (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 599 /* frame encrypted but protection off for Rx */ 600 ic->ic_stats.is_rx_nowep++; 601 goto out; 602 } 603 604 #if NBPFILTER > 0 605 /* copy to listener after decrypt */ 606 if (ic->ic_rawbpf) 607 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 608 #endif 609 610 if ((ni->ni_flags & IEEE80211_NODE_HT) && 611 hasqos && (qos & IEEE80211_QOS_AMSDU)) 612 ieee80211_amsdu_decap(ic, m, ni, hdrlen, ml); 613 else 614 ieee80211_decap(ic, m, ni, hdrlen, ml); 615 return; 616 617 case IEEE80211_FC0_TYPE_MGT: 618 if (dir != IEEE80211_FC1_DIR_NODS) { 619 ic->ic_stats.is_rx_wrongdir++; 620 goto err; 621 } 622 #ifndef IEEE80211_STA_ONLY 623 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 624 ic->ic_stats.is_rx_ahdemo_mgt++; 625 goto out; 626 } 627 #endif 628 /* drop frames without interest */ 629 if (ic->ic_state == IEEE80211_S_SCAN) { 630 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 631 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 632 ic->ic_stats.is_rx_mgtdiscard++; 633 goto out; 634 } 635 } 636 637 if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) { 638 /* MMPDU protection is on for Rx */ 639 if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC || 640 subtype == IEEE80211_FC0_SUBTYPE_DEAUTH || 641 subtype == IEEE80211_FC0_SUBTYPE_ACTION) { 642 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) && 643 !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 644 /* unicast mgmt not encrypted */ 645 goto out; 646 } 647 /* do software decryption */ 648 m = ieee80211_decrypt(ic, m, ni); 649 if (m == NULL) { 650 /* XXX stats */ 651 goto out; 652 } 653 wh = mtod(m, struct ieee80211_frame *); 654 } 655 } else if ((ic->ic_flags & IEEE80211_F_RSNON) && 656 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 657 /* encrypted but MMPDU Rx protection off for TA */ 658 goto out; 659 } 660 661 #if NBPFILTER > 0 662 if (bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN) != 0) { 663 /* 664 * Drop mbuf if it was filtered by bpf. Normally, 665 * this is done in ether_input() but IEEE 802.11 666 * management frames are a special case. 667 */ 668 m_freem(m); 669 return; 670 } 671 #endif 672 (*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype); 673 m_freem(m); 674 return; 675 676 case IEEE80211_FC0_TYPE_CTL: 677 switch (subtype) { 678 #ifndef IEEE80211_STA_ONLY 679 case IEEE80211_FC0_SUBTYPE_PS_POLL: 680 ieee80211_recv_pspoll(ic, m, ni); 681 break; 682 #endif 683 case IEEE80211_FC0_SUBTYPE_BAR: 684 ieee80211_recv_bar(ic, m, ni); 685 break; 686 default: 687 ic->ic_stats.is_rx_ctl++; 688 break; 689 } 690 goto out; 691 692 default: 693 DPRINTF(("bad frame type %x\n", type)); 694 /* should not come here */ 695 break; 696 } 697 err: 698 ifp->if_ierrors++; 699 out: 700 if (m != NULL) { 701 #if NBPFILTER > 0 702 if (ic->ic_rawbpf) 703 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 704 #endif 705 m_freem(m); 706 } 707 } 708 709 /* Input handler for drivers which only receive one frame per interrupt. */ 710 void 711 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 712 struct ieee80211_rxinfo *rxi) 713 { 714 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 715 716 ieee80211_inputm(ifp, m, ni, rxi, &ml); 717 if_input(ifp, &ml); 718 } 719 720 #ifdef notyet 721 /* 722 * Handle defragmentation (see 9.5 and Annex C). We support the concurrent 723 * reception of fragments of three fragmented MSDUs or MMPDUs. 724 */ 725 struct mbuf * 726 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 727 { 728 const struct ieee80211_frame *owh, *wh; 729 struct ieee80211_defrag *df; 730 u_int16_t rxseq, seq; 731 u_int8_t frag; 732 int i; 733 734 wh = mtod(m, struct ieee80211_frame *); 735 rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 736 seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 737 frag = rxseq & IEEE80211_SEQ_FRAG_MASK; 738 739 if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)) 740 return m; /* not fragmented */ 741 742 if (frag == 0) { 743 /* first fragment, setup entry in the fragment cache */ 744 if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE) 745 ic->ic_defrag_cur = 0; 746 df = &ic->ic_defrag[ic->ic_defrag_cur]; 747 m_freem(df->df_m); /* discard old entry */ 748 df->df_seq = seq; 749 df->df_frag = 0; 750 df->df_m = m; 751 /* start receive MSDU timer of aMaxReceiveLifetime */ 752 timeout_add_sec(&df->df_to, 1); 753 return NULL; /* MSDU or MMPDU not yet complete */ 754 } 755 756 /* find matching entry in the fragment cache */ 757 for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) { 758 df = &ic->ic_defrag[i]; 759 if (df->df_m == NULL) 760 continue; 761 if (df->df_seq != seq || df->df_frag + 1 != frag) 762 continue; 763 owh = mtod(df->df_m, struct ieee80211_frame *); 764 /* frame type, source and destination must match */ 765 if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) || 766 !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) || 767 !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2)) 768 continue; 769 /* matching entry found */ 770 break; 771 } 772 if (i == IEEE80211_DEFRAG_SIZE) { 773 /* no matching entry found, discard fragment */ 774 ic->ic_if.if_ierrors++; 775 m_freem(m); 776 return NULL; 777 } 778 779 df->df_frag = frag; 780 /* strip 802.11 header and concatenate fragment */ 781 m_adj(m, hdrlen); 782 m_cat(df->df_m, m); 783 df->df_m->m_pkthdr.len += m->m_pkthdr.len; 784 785 if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) 786 return NULL; /* MSDU or MMPDU not yet complete */ 787 788 /* MSDU or MMPDU complete */ 789 timeout_del(&df->df_to); 790 m = df->df_m; 791 df->df_m = NULL; 792 return m; 793 } 794 795 /* 796 * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime. 797 */ 798 void 799 ieee80211_defrag_timeout(void *arg) 800 { 801 struct ieee80211_defrag *df = arg; 802 int s = splnet(); 803 804 /* discard all received fragments */ 805 m_freem(df->df_m); 806 df->df_m = NULL; 807 808 splx(s); 809 } 810 #endif 811 812 /* 813 * Process a received data MPDU related to a specific HT-immediate Block Ack 814 * agreement (see 9.10.7.6). 815 */ 816 void 817 ieee80211_input_ba(struct ieee80211com *ic, struct mbuf *m, 818 struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi, 819 struct mbuf_list *ml) 820 { 821 struct ifnet *ifp = &ic->ic_if; 822 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 823 struct ieee80211_frame *wh; 824 int idx, count; 825 u_int16_t sn; 826 827 wh = mtod(m, struct ieee80211_frame *); 828 sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 829 830 /* reset Block Ack inactivity timer */ 831 if (ba->ba_timeout_val != 0) 832 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 833 834 if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */ 835 ic->ic_stats.is_ht_rx_frame_below_ba_winstart++; 836 m_freem(m); /* discard the MPDU */ 837 return; 838 } 839 if (SEQ_LT(ba->ba_winend, sn)) { /* WinEndB < SN */ 840 ic->ic_stats.is_ht_rx_frame_above_ba_winend++; 841 count = (sn - ba->ba_winend) & 0xfff; 842 if (count > ba->ba_winsize) { 843 /* 844 * Check whether we're consistently behind the window, 845 * and let the window move forward if necessary. 846 */ 847 if (ba->ba_winmiss < IEEE80211_BA_MAX_WINMISS) { 848 if (ba->ba_missedsn == ((sn - 1) & 0xfff)) 849 ba->ba_winmiss++; 850 else 851 ba->ba_winmiss = 0; 852 ba->ba_missedsn = sn; 853 ifp->if_ierrors++; 854 m_freem(m); /* discard the MPDU */ 855 return; 856 } 857 858 /* It appears the window has moved for real. */ 859 ic->ic_stats.is_ht_rx_ba_window_jump++; 860 ba->ba_winmiss = 0; 861 ba->ba_missedsn = 0; 862 ieee80211_ba_move_window(ic, ni, tid, sn, ml); 863 } else { 864 ic->ic_stats.is_ht_rx_ba_window_slide++; 865 ieee80211_input_ba_seq(ic, ni, tid, 866 (ba->ba_winstart + count) & 0xfff, ml); 867 ieee80211_input_ba_flush(ic, ni, ba, ml); 868 } 869 } 870 /* WinStartB <= SN <= WinEndB */ 871 872 ba->ba_winmiss = 0; 873 ba->ba_missedsn = 0; 874 idx = (sn - ba->ba_winstart) & 0xfff; 875 idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ; 876 /* store the received MPDU in the buffer */ 877 if (ba->ba_buf[idx].m != NULL) { 878 ifp->if_ierrors++; 879 ic->ic_stats.is_ht_rx_ba_no_buf++; 880 m_freem(m); 881 return; 882 } 883 ba->ba_buf[idx].m = m; 884 /* store Rx meta-data too */ 885 rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE; 886 ba->ba_buf[idx].rxi = *rxi; 887 ba->ba_gapwait++; 888 889 if (ba->ba_buf[ba->ba_head].m == NULL && ba->ba_gapwait == 1) 890 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT); 891 892 ieee80211_input_ba_flush(ic, ni, ba, ml); 893 } 894 895 /* 896 * Forward buffered frames with sequence number lower than max_seq. 897 * See 802.11-2012 9.21.7.6.2 b. 898 */ 899 void 900 ieee80211_input_ba_seq(struct ieee80211com *ic, struct ieee80211_node *ni, 901 uint8_t tid, uint16_t max_seq, struct mbuf_list *ml) 902 { 903 struct ifnet *ifp = &ic->ic_if; 904 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 905 struct ieee80211_frame *wh; 906 uint16_t seq; 907 int i = 0; 908 909 while (i++ < ba->ba_winsize) { 910 /* gaps may exist */ 911 if (ba->ba_buf[ba->ba_head].m != NULL) { 912 wh = mtod(ba->ba_buf[ba->ba_head].m, 913 struct ieee80211_frame *); 914 KASSERT(ieee80211_has_seq(wh)); 915 seq = letoh16(*(u_int16_t *)wh->i_seq) >> 916 IEEE80211_SEQ_SEQ_SHIFT; 917 if (!SEQ_LT(seq, max_seq)) 918 break; 919 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, 920 ni, &ba->ba_buf[ba->ba_head].rxi, ml); 921 ba->ba_buf[ba->ba_head].m = NULL; 922 ba->ba_gapwait--; 923 } else 924 ic->ic_stats.is_ht_rx_ba_frame_lost++; 925 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 926 /* move window forward */ 927 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 928 } 929 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 930 } 931 932 /* Flush a consecutive sequence of frames from the reorder buffer. */ 933 void 934 ieee80211_input_ba_flush(struct ieee80211com *ic, struct ieee80211_node *ni, 935 struct ieee80211_rx_ba *ba, struct mbuf_list *ml) 936 937 { 938 struct ifnet *ifp = &ic->ic_if; 939 940 /* Do not re-arm the gap timeout if we made no progress. */ 941 if (ba->ba_buf[ba->ba_head].m == NULL) 942 return; 943 944 /* pass reordered MPDUs up to the next MAC process */ 945 while (ba->ba_buf[ba->ba_head].m != NULL) { 946 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni, 947 &ba->ba_buf[ba->ba_head].rxi, ml); 948 ba->ba_buf[ba->ba_head].m = NULL; 949 ba->ba_gapwait--; 950 951 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 952 /* move window forward */ 953 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 954 } 955 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 956 957 if (timeout_pending(&ba->ba_gap_to)) 958 timeout_del(&ba->ba_gap_to); 959 if (ba->ba_gapwait) 960 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT); 961 } 962 963 /* 964 * Forcibly move the BA window forward to remove a leading gap which has 965 * been causing frames to linger in the reordering buffer for too long. 966 * A leading gap will occur if a particular A-MPDU subframe never arrives 967 * or if a bug in the sender causes sequence numbers to jump forward by > 1. 968 */ 969 int 970 ieee80211_input_ba_gap_skip(struct ieee80211_rx_ba *ba) 971 { 972 int skipped = 0; 973 974 while (skipped < ba->ba_winsize && ba->ba_buf[ba->ba_head].m == NULL) { 975 /* move window forward */ 976 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 977 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 978 skipped++; 979 } 980 if (skipped > 0) 981 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 982 983 return skipped; 984 } 985 986 void 987 ieee80211_input_ba_gap_timeout(void *arg) 988 { 989 struct ieee80211_rx_ba *ba = arg; 990 struct ieee80211_node *ni = ba->ba_ni; 991 struct ieee80211com *ic = ni->ni_ic; 992 int s, skipped; 993 994 ic->ic_stats.is_ht_rx_ba_window_gap_timeout++; 995 996 s = splnet(); 997 998 skipped = ieee80211_input_ba_gap_skip(ba); 999 ic->ic_stats.is_ht_rx_ba_frame_lost += skipped; 1000 if (skipped) { 1001 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 1002 ieee80211_input_ba_flush(ic, ni, ba, &ml); 1003 if_input(&ic->ic_if, &ml); 1004 } 1005 1006 splx(s); 1007 } 1008 1009 1010 /* 1011 * Change the value of WinStartB (move window forward) upon reception of a 1012 * BlockAckReq frame or an ADDBA Request (PBAC). 1013 */ 1014 void 1015 ieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni, 1016 u_int8_t tid, u_int16_t ssn, struct mbuf_list *ml) 1017 { 1018 struct ifnet *ifp = &ic->ic_if; 1019 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 1020 int count; 1021 1022 /* assert(WinStartB <= SSN) */ 1023 1024 count = (ssn - ba->ba_winstart) & 0xfff; 1025 if (count > ba->ba_winsize) /* no overlap */ 1026 count = ba->ba_winsize; 1027 while (count-- > 0) { 1028 /* gaps may exist */ 1029 if (ba->ba_buf[ba->ba_head].m != NULL) { 1030 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni, 1031 &ba->ba_buf[ba->ba_head].rxi, ml); 1032 ba->ba_buf[ba->ba_head].m = NULL; 1033 ba->ba_gapwait--; 1034 } else 1035 ic->ic_stats.is_ht_rx_ba_frame_lost++; 1036 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 1037 } 1038 /* move window forward */ 1039 ba->ba_winstart = ssn; 1040 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 1041 1042 ieee80211_input_ba_flush(ic, ni, ba, ml); 1043 } 1044 1045 void 1046 ieee80211_enqueue_data(struct ieee80211com *ic, struct mbuf *m, 1047 struct ieee80211_node *ni, int mcast, struct mbuf_list *ml) 1048 { 1049 struct ifnet *ifp = &ic->ic_if; 1050 struct ether_header *eh; 1051 struct mbuf *m1; 1052 1053 eh = mtod(m, struct ether_header *); 1054 1055 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid && 1056 eh->ether_type != htons(ETHERTYPE_EAPOL)) { 1057 DPRINTF(("port not valid: %s\n", 1058 ether_sprintf(eh->ether_dhost))); 1059 ic->ic_stats.is_rx_unauth++; 1060 m_freem(m); 1061 return; 1062 } 1063 1064 /* 1065 * Perform as a bridge within the AP. Notice that we do not 1066 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X. 1067 * And we do not forward unicast frames received on a multicast address. 1068 */ 1069 m1 = NULL; 1070 #ifndef IEEE80211_STA_ONLY 1071 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 1072 !(ic->ic_userflags & IEEE80211_F_NOBRIDGE) && 1073 eh->ether_type != htons(ETHERTYPE_EAPOL)) { 1074 struct ieee80211_node *ni1; 1075 1076 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 1077 m1 = m_dup_pkt(m, ETHER_ALIGN, M_DONTWAIT); 1078 if (m1 == NULL) 1079 ifp->if_oerrors++; 1080 else 1081 m1->m_flags |= M_MCAST; 1082 } else if (!mcast) { 1083 ni1 = ieee80211_find_node(ic, eh->ether_dhost); 1084 if (ni1 != NULL && 1085 ni1->ni_state == IEEE80211_STA_ASSOC) { 1086 m1 = m; 1087 m = NULL; 1088 } 1089 } 1090 if (m1 != NULL) { 1091 if (if_enqueue(ifp, m1)) 1092 ifp->if_oerrors++; 1093 } 1094 } 1095 #endif 1096 if (m != NULL) { 1097 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1098 eh->ether_type == htons(ETHERTYPE_EAPOL)) { 1099 ifp->if_ipackets++; 1100 #if NBPFILTER > 0 1101 /* 1102 * If we forward frame into transmitter of the AP, 1103 * we don't need to duplicate for DLT_EN10MB. 1104 */ 1105 if (ifp->if_bpf && m1 == NULL) 1106 bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN); 1107 #endif 1108 ieee80211_eapol_key_input(ic, m, ni); 1109 } else { 1110 ml_enqueue(ml, m); 1111 } 1112 } 1113 } 1114 1115 void 1116 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, 1117 struct ieee80211_node *ni, int hdrlen, struct mbuf_list *ml) 1118 { 1119 struct ether_header eh; 1120 struct ieee80211_frame *wh; 1121 struct llc *llc; 1122 int mcast; 1123 1124 if (m->m_len < hdrlen + LLC_SNAPFRAMELEN && 1125 (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) { 1126 ic->ic_stats.is_rx_decap++; 1127 return; 1128 } 1129 wh = mtod(m, struct ieee80211_frame *); 1130 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 1131 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 1132 case IEEE80211_FC1_DIR_NODS: 1133 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 1134 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 1135 break; 1136 case IEEE80211_FC1_DIR_TODS: 1137 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 1138 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 1139 break; 1140 case IEEE80211_FC1_DIR_FROMDS: 1141 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 1142 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr3); 1143 break; 1144 case IEEE80211_FC1_DIR_DSTODS: 1145 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 1146 IEEE80211_ADDR_COPY(eh.ether_shost, 1147 ((struct ieee80211_frame_addr4 *)wh)->i_addr4); 1148 break; 1149 } 1150 llc = (struct llc *)((caddr_t)wh + hdrlen); 1151 if (llc->llc_dsap == LLC_SNAP_LSAP && 1152 llc->llc_ssap == LLC_SNAP_LSAP && 1153 llc->llc_control == LLC_UI && 1154 llc->llc_snap.org_code[0] == 0 && 1155 llc->llc_snap.org_code[1] == 0 && 1156 llc->llc_snap.org_code[2] == 0) { 1157 eh.ether_type = llc->llc_snap.ether_type; 1158 m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN); 1159 } else { 1160 eh.ether_type = htons(m->m_pkthdr.len - hdrlen); 1161 m_adj(m, hdrlen - ETHER_HDR_LEN); 1162 } 1163 memcpy(mtod(m, caddr_t), &eh, ETHER_HDR_LEN); 1164 if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) { 1165 struct mbuf *m0 = m; 1166 m = m_dup_pkt(m0, ETHER_ALIGN, M_NOWAIT); 1167 m_freem(m0); 1168 if (m == NULL) { 1169 ic->ic_stats.is_rx_decap++; 1170 return; 1171 } 1172 } 1173 ieee80211_enqueue_data(ic, m, ni, mcast, ml); 1174 } 1175 1176 int 1177 ieee80211_amsdu_decap_validate(struct ieee80211com *ic, struct mbuf *m, 1178 struct ieee80211_node *ni) 1179 { 1180 struct ether_header *eh = mtod(m, struct ether_header *); 1181 const uint8_t llc_hdr_mac[ETHER_ADDR_LEN] = { 1182 /* MAC address matching the 802.2 LLC header. */ 1183 LLC_SNAP_LSAP, LLC_SNAP_LSAP, LLC_UI, 0, 0, 0 1184 }; 1185 1186 /* 1187 * We are sorry, but this particular MAC address cannot be used. 1188 * This mitigates an attack where a single 802.11 frame is interpreted 1189 * as an A-MSDU because of a forged AMSDU-present bit in the 802.11 1190 * QoS frame header: https://papers.mathyvanhoef.com/usenix2021.pdf 1191 * See Section 7.2, 'Countermeasures for the design flaws' 1192 */ 1193 if (ETHER_IS_EQ(eh->ether_dhost, llc_hdr_mac)) 1194 return 1; 1195 1196 switch (ic->ic_opmode) { 1197 #ifndef IEEE80211_STA_ONLY 1198 case IEEE80211_M_HOSTAP: 1199 /* 1200 * Subframes must use the source address of the node which 1201 * transmitted the A-MSDU. Prevents MAC spoofing. 1202 */ 1203 if (!ETHER_IS_EQ(ni->ni_macaddr, eh->ether_shost)) 1204 return 1; 1205 break; 1206 #endif 1207 case IEEE80211_M_STA: 1208 /* Subframes must be addressed to me. */ 1209 if (!ETHER_IS_EQ(ic->ic_myaddr, eh->ether_dhost)) 1210 return 1; 1211 break; 1212 default: 1213 /* Ignore MONITOR/IBSS modes for now. */ 1214 break; 1215 } 1216 1217 return 0; 1218 } 1219 1220 /* 1221 * Decapsulate an Aggregate MSDU (see 7.2.2.2). 1222 */ 1223 void 1224 ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m, 1225 struct ieee80211_node *ni, int hdrlen, struct mbuf_list *ml) 1226 { 1227 struct mbuf *n; 1228 struct ether_header *eh; 1229 struct llc *llc; 1230 int len, pad, mcast; 1231 struct ieee80211_frame *wh; 1232 struct mbuf_list subframes = MBUF_LIST_INITIALIZER(); 1233 1234 wh = mtod(m, struct ieee80211_frame *); 1235 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 1236 1237 /* strip 802.11 header */ 1238 m_adj(m, hdrlen); 1239 1240 while (m->m_pkthdr.len >= ETHER_HDR_LEN + LLC_SNAPFRAMELEN) { 1241 /* process an A-MSDU subframe */ 1242 m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN); 1243 if (m == NULL) 1244 break; 1245 eh = mtod(m, struct ether_header *); 1246 /* examine 802.3 header */ 1247 len = ntohs(eh->ether_type); 1248 if (len < LLC_SNAPFRAMELEN) { 1249 DPRINTF(("A-MSDU subframe too short (%d)\n", len)); 1250 /* stop processing A-MSDU subframes */ 1251 ic->ic_stats.is_rx_decap++; 1252 ml_purge(&subframes); 1253 m_freem(m); 1254 return; 1255 } 1256 llc = (struct llc *)&eh[1]; 1257 /* Examine the 802.2 LLC header after the A-MSDU header. */ 1258 if (llc->llc_dsap == LLC_SNAP_LSAP && 1259 llc->llc_ssap == LLC_SNAP_LSAP && 1260 llc->llc_control == LLC_UI && 1261 llc->llc_snap.org_code[0] == 0 && 1262 llc->llc_snap.org_code[1] == 0 && 1263 llc->llc_snap.org_code[2] == 0) { 1264 /* convert to Ethernet II header */ 1265 eh->ether_type = llc->llc_snap.ether_type; 1266 /* strip LLC+SNAP headers */ 1267 memmove((u_int8_t *)eh + LLC_SNAPFRAMELEN, eh, 1268 ETHER_HDR_LEN); 1269 m_adj(m, LLC_SNAPFRAMELEN); 1270 len -= LLC_SNAPFRAMELEN; 1271 } 1272 len += ETHER_HDR_LEN; 1273 if (len > m->m_pkthdr.len) { 1274 /* stop processing A-MSDU subframes */ 1275 DPRINTF(("A-MSDU subframe too long (%d)\n", len)); 1276 ic->ic_stats.is_rx_decap++; 1277 ml_purge(&subframes); 1278 m_freem(m); 1279 return; 1280 } 1281 1282 /* "detach" our A-MSDU subframe from the others */ 1283 n = m_split(m, len, M_NOWAIT); 1284 if (n == NULL) { 1285 /* stop processing A-MSDU subframes */ 1286 ic->ic_stats.is_rx_decap++; 1287 ml_purge(&subframes); 1288 m_freem(m); 1289 return; 1290 } 1291 1292 if (ieee80211_amsdu_decap_validate(ic, m, ni)) { 1293 /* stop processing A-MSDU subframes */ 1294 ic->ic_stats.is_rx_decap++; 1295 ml_purge(&subframes); 1296 m_freem(m); 1297 return; 1298 } 1299 1300 ml_enqueue(&subframes, m); 1301 1302 m = n; 1303 /* remove padding */ 1304 pad = ((len + 3) & ~3) - len; 1305 m_adj(m, pad); 1306 } 1307 1308 while ((n = ml_dequeue(&subframes)) != NULL) 1309 ieee80211_enqueue_data(ic, n, ni, mcast, ml); 1310 1311 m_freem(m); 1312 } 1313 1314 /* 1315 * Parse an EDCA Parameter Set element (see 7.3.2.27). 1316 */ 1317 int 1318 ieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm) 1319 { 1320 u_int updtcount; 1321 int aci; 1322 1323 /* 1324 * Check if EDCA parameters have changed XXX if we miss more than 1325 * 15 consecutive beacons, we might not detect changes to EDCA 1326 * parameters due to wraparound of the 4-bit Update Count field. 1327 */ 1328 updtcount = frm[0] & 0xf; 1329 if (updtcount == ic->ic_edca_updtcount) 1330 return 0; /* no changes to EDCA parameters, ignore */ 1331 ic->ic_edca_updtcount = updtcount; 1332 1333 frm += 2; /* skip QoS Info & Reserved fields */ 1334 1335 /* parse AC Parameter Records */ 1336 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 1337 struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci]; 1338 1339 ac->ac_acm = (frm[0] >> 4) & 0x1; 1340 ac->ac_aifsn = frm[0] & 0xf; 1341 ac->ac_ecwmin = frm[1] & 0xf; 1342 ac->ac_ecwmax = frm[1] >> 4; 1343 ac->ac_txoplimit = LE_READ_2(frm + 2); 1344 frm += 4; 1345 } 1346 /* give drivers a chance to update their settings */ 1347 if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL) 1348 (*ic->ic_updateedca)(ic); 1349 1350 return 0; 1351 } 1352 1353 int 1354 ieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm) 1355 { 1356 if (frm[1] < 18) { 1357 ic->ic_stats.is_rx_elem_toosmall++; 1358 return IEEE80211_REASON_IE_INVALID; 1359 } 1360 return ieee80211_parse_edca_params_body(ic, frm + 2); 1361 } 1362 1363 int 1364 ieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm) 1365 { 1366 if (frm[1] < 24) { 1367 ic->ic_stats.is_rx_elem_toosmall++; 1368 return IEEE80211_REASON_IE_INVALID; 1369 } 1370 return ieee80211_parse_edca_params_body(ic, frm + 8); 1371 } 1372 1373 enum ieee80211_cipher 1374 ieee80211_parse_rsn_cipher(const u_int8_t selector[4]) 1375 { 1376 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1377 switch (selector[3]) { 1378 case 0: /* use group data cipher suite */ 1379 return IEEE80211_CIPHER_USEGROUP; 1380 case 1: /* WEP-40 */ 1381 return IEEE80211_CIPHER_WEP40; 1382 case 2: /* TKIP */ 1383 return IEEE80211_CIPHER_TKIP; 1384 case 4: /* CCMP (RSNA default) */ 1385 return IEEE80211_CIPHER_CCMP; 1386 case 5: /* WEP-104 */ 1387 return IEEE80211_CIPHER_WEP104; 1388 } 1389 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1390 /* see 802.11-2012 Table 8-99 */ 1391 switch (selector[3]) { 1392 case 0: /* use group data cipher suite */ 1393 return IEEE80211_CIPHER_USEGROUP; 1394 case 1: /* WEP-40 */ 1395 return IEEE80211_CIPHER_WEP40; 1396 case 2: /* TKIP */ 1397 return IEEE80211_CIPHER_TKIP; 1398 case 4: /* CCMP (RSNA default) */ 1399 return IEEE80211_CIPHER_CCMP; 1400 case 5: /* WEP-104 */ 1401 return IEEE80211_CIPHER_WEP104; 1402 case 6: /* BIP */ 1403 return IEEE80211_CIPHER_BIP; 1404 } 1405 } 1406 return IEEE80211_CIPHER_NONE; /* ignore unknown ciphers */ 1407 } 1408 1409 enum ieee80211_akm 1410 ieee80211_parse_rsn_akm(const u_int8_t selector[4]) 1411 { 1412 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1413 switch (selector[3]) { 1414 case 1: /* IEEE 802.1X (RSNA default) */ 1415 return IEEE80211_AKM_8021X; 1416 case 2: /* PSK */ 1417 return IEEE80211_AKM_PSK; 1418 } 1419 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1420 /* from IEEE Std 802.11i-2004 - Table 20dc */ 1421 switch (selector[3]) { 1422 case 1: /* IEEE 802.1X (RSNA default) */ 1423 return IEEE80211_AKM_8021X; 1424 case 2: /* PSK */ 1425 return IEEE80211_AKM_PSK; 1426 case 5: /* IEEE 802.1X with SHA256 KDF */ 1427 return IEEE80211_AKM_SHA256_8021X; 1428 case 6: /* PSK with SHA256 KDF */ 1429 return IEEE80211_AKM_SHA256_PSK; 1430 } 1431 } 1432 return IEEE80211_AKM_NONE; /* ignore unknown AKMs */ 1433 } 1434 1435 /* 1436 * Parse an RSN element (see 802.11-2012 8.4.2.27) 1437 */ 1438 int 1439 ieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm, 1440 u_int len, struct ieee80211_rsnparams *rsn) 1441 { 1442 const u_int8_t *efrm; 1443 u_int16_t m, n, s; 1444 1445 efrm = frm + len; 1446 1447 /* check Version field */ 1448 if (LE_READ_2(frm) != 1) 1449 return IEEE80211_STATUS_RSN_IE_VER_UNSUP; 1450 frm += 2; 1451 1452 /* all fields after the Version field are optional */ 1453 1454 /* if Cipher Suite missing, default to CCMP */ 1455 rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP; 1456 rsn->rsn_nciphers = 1; 1457 rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP; 1458 /* if Group Management Cipher Suite missing, default to BIP */ 1459 rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP; 1460 /* if AKM Suite missing, default to 802.1X */ 1461 rsn->rsn_nakms = 1; 1462 rsn->rsn_akms = IEEE80211_AKM_8021X; 1463 /* if RSN capabilities missing, default to 0 */ 1464 rsn->rsn_caps = 0; 1465 rsn->rsn_npmkids = 0; 1466 1467 /* read Group Data Cipher Suite field */ 1468 if (frm + 4 > efrm) 1469 return 0; 1470 rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm); 1471 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_NONE || 1472 rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP || 1473 rsn->rsn_groupcipher == IEEE80211_CIPHER_BIP) 1474 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1475 frm += 4; 1476 1477 /* read Pairwise Cipher Suite Count field */ 1478 if (frm + 2 > efrm) 1479 return 0; 1480 m = rsn->rsn_nciphers = LE_READ_2(frm); 1481 frm += 2; 1482 1483 /* read Pairwise Cipher Suite List */ 1484 if (frm + m * 4 > efrm) 1485 return IEEE80211_STATUS_IE_INVALID; 1486 rsn->rsn_ciphers = IEEE80211_CIPHER_NONE; 1487 while (m-- > 0) { 1488 rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm); 1489 frm += 4; 1490 } 1491 if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) { 1492 if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP) 1493 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1494 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP) 1495 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1496 } 1497 1498 /* read AKM Suite List Count field */ 1499 if (frm + 2 > efrm) 1500 return 0; 1501 n = rsn->rsn_nakms = LE_READ_2(frm); 1502 frm += 2; 1503 1504 /* read AKM Suite List */ 1505 if (frm + n * 4 > efrm) 1506 return IEEE80211_STATUS_IE_INVALID; 1507 rsn->rsn_akms = IEEE80211_AKM_NONE; 1508 while (n-- > 0) { 1509 rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm); 1510 frm += 4; 1511 } 1512 1513 /* read RSN Capabilities field */ 1514 if (frm + 2 > efrm) 1515 return 0; 1516 rsn->rsn_caps = LE_READ_2(frm); 1517 frm += 2; 1518 1519 /* read PMKID Count field */ 1520 if (frm + 2 > efrm) 1521 return 0; 1522 s = rsn->rsn_npmkids = LE_READ_2(frm); 1523 frm += 2; 1524 1525 /* read PMKID List */ 1526 if (frm + s * IEEE80211_PMKID_LEN > efrm) 1527 return IEEE80211_STATUS_IE_INVALID; 1528 if (s != 0) { 1529 rsn->rsn_pmkids = frm; 1530 frm += s * IEEE80211_PMKID_LEN; 1531 } 1532 1533 /* read Group Management Cipher Suite field */ 1534 if (frm + 4 > efrm) 1535 return 0; 1536 rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm); 1537 if (rsn->rsn_groupmgmtcipher != IEEE80211_CIPHER_BIP) 1538 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1539 1540 return IEEE80211_STATUS_SUCCESS; 1541 } 1542 1543 int 1544 ieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm, 1545 struct ieee80211_rsnparams *rsn) 1546 { 1547 if (frm[1] < 2) { 1548 ic->ic_stats.is_rx_elem_toosmall++; 1549 return IEEE80211_STATUS_IE_INVALID; 1550 } 1551 return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn); 1552 } 1553 1554 int 1555 ieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm, 1556 struct ieee80211_rsnparams *rsn) 1557 { 1558 if (frm[1] < 6) { 1559 ic->ic_stats.is_rx_elem_toosmall++; 1560 return IEEE80211_STATUS_IE_INVALID; 1561 } 1562 return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn); 1563 } 1564 1565 /* 1566 * Create (or update) a copy of an information element. 1567 */ 1568 int 1569 ieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie) 1570 { 1571 int olen = *ie ? 2 + (*ie)[1] : 0; 1572 int len = 2 + frm[1]; 1573 1574 if (*ie == NULL || olen != len) { 1575 if (*ie != NULL) 1576 free(*ie, M_DEVBUF, olen); 1577 *ie = malloc(len, M_DEVBUF, M_NOWAIT); 1578 if (*ie == NULL) 1579 return ENOMEM; 1580 } 1581 memcpy(*ie, frm, len); 1582 return 0; 1583 } 1584 1585 /*- 1586 * Beacon/Probe response frame format: 1587 * [8] Timestamp 1588 * [2] Beacon interval 1589 * [2] Capability 1590 * [tlv] Service Set Identifier (SSID) 1591 * [tlv] Supported rates 1592 * [tlv] DS Parameter Set (802.11g) 1593 * [tlv] ERP Information (802.11g) 1594 * [tlv] Extended Supported Rates (802.11g) 1595 * [tlv] RSN (802.11i) 1596 * [tlv] EDCA Parameter Set (802.11e) 1597 * [tlv] QoS Capability (Beacon only, 802.11e) 1598 * [tlv] HT Capabilities (802.11n) 1599 * [tlv] HT Operation (802.11n) 1600 */ 1601 void 1602 ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m, 1603 struct ieee80211_node *rni, struct ieee80211_rxinfo *rxi, int isprobe) 1604 { 1605 struct ieee80211_node *ni; 1606 const struct ieee80211_frame *wh; 1607 const u_int8_t *frm, *efrm; 1608 const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie, *tim; 1609 const u_int8_t *rsnie, *wpaie, *htcaps, *htop, *vhtcaps, *vhtop; 1610 u_int16_t capinfo, bintval; 1611 u_int8_t chan, bchan, erp; 1612 int is_new; 1613 1614 /* 1615 * We process beacon/probe response frames for: 1616 * o station mode: to collect state 1617 * updates such as 802.11g slot time and for passive 1618 * scanning of APs 1619 * o adhoc mode: to discover neighbors 1620 * o hostap mode: for passive scanning of neighbor APs 1621 * o when scanning 1622 * In other words, in all modes other than monitor (which 1623 * does not process incoming frames) and adhoc-demo (which 1624 * does not use management frames at all). 1625 */ 1626 #ifdef DIAGNOSTIC 1627 if (ic->ic_opmode != IEEE80211_M_STA && 1628 #ifndef IEEE80211_STA_ONLY 1629 ic->ic_opmode != IEEE80211_M_IBSS && 1630 ic->ic_opmode != IEEE80211_M_HOSTAP && 1631 #endif 1632 ic->ic_state != IEEE80211_S_SCAN) { 1633 panic("%s: impossible operating mode", __func__); 1634 } 1635 #endif 1636 /* make sure all mandatory fixed fields are present */ 1637 if (m->m_len < sizeof(*wh) + 12) { 1638 DPRINTF(("frame too short\n")); 1639 return; 1640 } 1641 wh = mtod(m, struct ieee80211_frame *); 1642 frm = (const u_int8_t *)&wh[1]; 1643 efrm = mtod(m, u_int8_t *) + m->m_len; 1644 1645 tstamp = frm; frm += 8; 1646 bintval = LE_READ_2(frm); frm += 2; 1647 capinfo = LE_READ_2(frm); frm += 2; 1648 1649 ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = tim = NULL; 1650 htcaps = htop = vhtcaps = vhtop = NULL; 1651 if (rxi->rxi_chan) 1652 bchan = rxi->rxi_chan; 1653 else 1654 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1655 chan = bchan; 1656 erp = 0; 1657 while (frm + 2 <= efrm) { 1658 if (frm + 2 + frm[1] > efrm) { 1659 ic->ic_stats.is_rx_elem_toosmall++; 1660 break; 1661 } 1662 switch (frm[0]) { 1663 case IEEE80211_ELEMID_SSID: 1664 ssid = frm; 1665 break; 1666 case IEEE80211_ELEMID_RATES: 1667 rates = frm; 1668 break; 1669 case IEEE80211_ELEMID_DSPARMS: 1670 if (frm[1] < 1) { 1671 ic->ic_stats.is_rx_elem_toosmall++; 1672 break; 1673 } 1674 chan = frm[2]; 1675 break; 1676 case IEEE80211_ELEMID_XRATES: 1677 xrates = frm; 1678 break; 1679 case IEEE80211_ELEMID_ERP: 1680 if (frm[1] < 1) { 1681 ic->ic_stats.is_rx_elem_toosmall++; 1682 break; 1683 } 1684 erp = frm[2]; 1685 break; 1686 case IEEE80211_ELEMID_RSN: 1687 rsnie = frm; 1688 break; 1689 case IEEE80211_ELEMID_EDCAPARMS: 1690 edcaie = frm; 1691 break; 1692 case IEEE80211_ELEMID_HTCAPS: 1693 htcaps = frm; 1694 break; 1695 case IEEE80211_ELEMID_HTOP: 1696 htop = frm; 1697 break; 1698 case IEEE80211_ELEMID_VHTCAPS: 1699 vhtcaps = frm; 1700 break; 1701 case IEEE80211_ELEMID_VHTOP: 1702 vhtop = frm; 1703 break; 1704 case IEEE80211_ELEMID_TIM: 1705 if (frm[1] < 4) { 1706 ic->ic_stats.is_rx_elem_toosmall++; 1707 break; 1708 } 1709 tim = frm; 1710 break; 1711 case IEEE80211_ELEMID_VENDOR: 1712 if (frm[1] < 4) { 1713 ic->ic_stats.is_rx_elem_toosmall++; 1714 break; 1715 } 1716 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1717 if (frm[5] == 1) 1718 wpaie = frm; 1719 else if (frm[1] >= 5 && 1720 frm[5] == 2 && frm[6] == 1) 1721 wmmie = frm; 1722 } 1723 break; 1724 } 1725 frm += 2 + frm[1]; 1726 } 1727 /* supported rates element is mandatory */ 1728 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1729 DPRINTF(("invalid supported rates element\n")); 1730 return; 1731 } 1732 /* SSID element is mandatory */ 1733 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1734 DPRINTF(("invalid SSID element\n")); 1735 return; 1736 } 1737 1738 if ( 1739 #if IEEE80211_CHAN_MAX < 255 1740 chan > IEEE80211_CHAN_MAX || 1741 #endif 1742 (isclr(ic->ic_chan_active, chan) && 1743 ((ic->ic_caps & IEEE80211_C_SCANALL) == 0 || 1744 (ic->ic_flags & IEEE80211_F_BGSCAN) == 0))) { 1745 DPRINTF(("ignore %s with invalid channel %u\n", 1746 isprobe ? "probe response" : "beacon", chan)); 1747 ic->ic_stats.is_rx_badchan++; 1748 return; 1749 } 1750 if ((rxi->rxi_chan != 0 && chan != rxi->rxi_chan) || 1751 ((ic->ic_state != IEEE80211_S_SCAN || 1752 !(ic->ic_caps & IEEE80211_C_SCANALL)) && 1753 chan != bchan)) { 1754 /* 1755 * Frame was received on a channel different from the 1756 * one indicated in the DS params element id; 1757 * silently discard it. 1758 * 1759 * NB: this can happen due to signal leakage. 1760 */ 1761 DPRINTF(("ignore %s on channel %u marked for channel %u\n", 1762 isprobe ? "probe response" : "beacon", bchan, chan)); 1763 ic->ic_stats.is_rx_chanmismatch++; 1764 return; 1765 } 1766 1767 #ifdef IEEE80211_DEBUG 1768 if (ieee80211_debug > 1 && 1769 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN || 1770 (ic->ic_flags & IEEE80211_F_BGSCAN))) { 1771 printf("%s: %s%s on chan %u (bss chan %u) ", 1772 __func__, (ni == NULL ? "new " : ""), 1773 isprobe ? "probe response" : "beacon", 1774 chan, bchan); 1775 ieee80211_print_essid(ssid + 2, ssid[1]); 1776 printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2)); 1777 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1778 __func__, capinfo, bintval, erp); 1779 } 1780 #endif 1781 1782 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1783 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1784 if (ni == NULL) 1785 return; 1786 is_new = 1; 1787 } else 1788 is_new = 0; 1789 1790 ni->ni_chan = &ic->ic_channels[chan]; 1791 1792 if (htcaps) 1793 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1794 if (htop && !ieee80211_setup_htop(ni, htop + 2, htop[1], 1)) 1795 htop = NULL; /* invalid HTOP */ 1796 if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) { 1797 ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]); 1798 if (vhtop && !ieee80211_setup_vhtop(ni, vhtop + 2, vhtop[1], 1)) 1799 vhtop = NULL; /* invalid VHTOP */ 1800 } 1801 1802 if (tim) { 1803 ni->ni_dtimcount = tim[2]; 1804 ni->ni_dtimperiod = tim[3]; 1805 } 1806 1807 /* 1808 * When operating in station mode, check for state updates 1809 * while we're associated. 1810 */ 1811 if (ic->ic_opmode == IEEE80211_M_STA && 1812 ic->ic_state == IEEE80211_S_RUN && 1813 ni->ni_state == IEEE80211_STA_BSS) { 1814 int updateprot = 0; 1815 /* 1816 * Check if protection mode has changed since last beacon. 1817 */ 1818 if (ni->ni_erp != erp) { 1819 DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n", 1820 ether_sprintf((u_int8_t *)wh->i_addr2), 1821 ni->ni_erp, erp)); 1822 if ((ic->ic_curmode == IEEE80211_MODE_11G || 1823 (ic->ic_curmode == IEEE80211_MODE_11N && 1824 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 1825 (erp & IEEE80211_ERP_USE_PROTECTION)) 1826 ic->ic_flags |= IEEE80211_F_USEPROT; 1827 else 1828 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1829 ic->ic_bss->ni_erp = erp; 1830 updateprot = 1; 1831 } 1832 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT)) { 1833 enum ieee80211_htprot htprot_last, htprot; 1834 htprot_last = 1835 ((ic->ic_bss->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) 1836 >> IEEE80211_HTOP1_PROT_SHIFT); 1837 htprot = ((ni->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) >> 1838 IEEE80211_HTOP1_PROT_SHIFT); 1839 if (htprot_last != htprot) { 1840 DPRINTF(("[%s] htprot change: was %d, now %d\n", 1841 ether_sprintf((u_int8_t *)wh->i_addr2), 1842 htprot_last, htprot)); 1843 ic->ic_stats.is_ht_prot_change++; 1844 ic->ic_bss->ni_htop1 = ni->ni_htop1; 1845 updateprot = 1; 1846 } 1847 } 1848 if (updateprot && ic->ic_updateprot != NULL) 1849 ic->ic_updateprot(ic); 1850 1851 /* 1852 * Check if 40MHz channel mode has changed since last beacon. 1853 */ 1854 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT) && 1855 (ic->ic_htcaps & IEEE80211_HTCAP_CBW20_40)) { 1856 uint8_t chw_last, chw, sco_last, sco; 1857 chw_last = (ic->ic_bss->ni_htop0 & IEEE80211_HTOP0_CHW); 1858 chw = (ni->ni_htop0 & IEEE80211_HTOP0_CHW); 1859 sco_last = 1860 ((ic->ic_bss->ni_htop0 & IEEE80211_HTOP0_SCO_MASK) 1861 >> IEEE80211_HTOP0_SCO_SHIFT); 1862 sco = ((ni->ni_htop0 & IEEE80211_HTOP0_SCO_MASK) >> 1863 IEEE80211_HTOP0_SCO_SHIFT); 1864 ic->ic_bss->ni_htop0 = ni->ni_htop0; 1865 if (chw_last != chw || sco_last != sco) { 1866 if (ic->ic_updatechan != NULL) 1867 ic->ic_updatechan(ic); 1868 } 1869 } else if (htop) 1870 ic->ic_bss->ni_htop0 = ni->ni_htop0; 1871 1872 /* 1873 * Check if AP short slot time setting has changed 1874 * since last beacon and give the driver a chance to 1875 * update the hardware. 1876 */ 1877 if ((ni->ni_capinfo ^ capinfo) & 1878 IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1879 ieee80211_set_shortslottime(ic, 1880 ic->ic_curmode == IEEE80211_MODE_11A || 1881 (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1882 } 1883 1884 if (tim && ic->ic_bss->ni_dtimperiod != ni->ni_dtimperiod) { 1885 ic->ic_bss->ni_dtimperiod = ni->ni_dtimperiod; 1886 ic->ic_bss->ni_dtimcount = ni->ni_dtimcount; 1887 1888 if (ic->ic_updatedtim != NULL) 1889 ic->ic_updatedtim(ic); 1890 } 1891 1892 /* 1893 * Reset management timer. If it is non-zero in RUN state, the 1894 * driver sent a probe request after a missed beacon event. 1895 * This probe response indicates the AP is still serving us 1896 * so don't allow ieee80211_watchdog() to move us into SCAN. 1897 */ 1898 if ((ic->ic_flags & IEEE80211_F_BGSCAN) == 0) 1899 ic->ic_mgt_timer = 0; 1900 } 1901 /* 1902 * We do not try to update EDCA parameters if QoS was not negotiated 1903 * with the AP at association time. 1904 */ 1905 if (ni->ni_flags & IEEE80211_NODE_QOS) { 1906 /* always prefer EDCA IE over Wi-Fi Alliance WMM IE */ 1907 if ((edcaie != NULL && 1908 ieee80211_parse_edca_params(ic, edcaie) == 0) || 1909 (wmmie != NULL && 1910 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 1911 ni->ni_flags |= IEEE80211_NODE_QOS; 1912 else 1913 ni->ni_flags &= ~IEEE80211_NODE_QOS; 1914 } 1915 1916 if (ic->ic_state == IEEE80211_S_SCAN || 1917 (ic->ic_flags & IEEE80211_F_BGSCAN)) { 1918 struct ieee80211_rsnparams rsn, wpa; 1919 1920 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1921 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 1922 ni->ni_rsnakms = 0; 1923 ni->ni_supported_rsnakms = 0; 1924 ni->ni_rsnciphers = 0; 1925 ni->ni_rsngroupcipher = 0; 1926 ni->ni_rsngroupmgmtcipher = 0; 1927 ni->ni_rsncaps = 0; 1928 1929 if (rsnie != NULL && 1930 ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) { 1931 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_RSN; 1932 ni->ni_supported_rsnakms |= rsn.rsn_akms; 1933 } 1934 if (wpaie != NULL && 1935 ieee80211_parse_wpa(ic, wpaie, &wpa) == 0) { 1936 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_WPA; 1937 ni->ni_supported_rsnakms |= wpa.rsn_akms; 1938 } 1939 1940 /* 1941 * If the AP advertises both WPA and RSN IEs (WPA1+WPA2), 1942 * we only use the highest protocol version we support. 1943 */ 1944 if (rsnie != NULL && 1945 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_RSN) && 1946 (ic->ic_caps & IEEE80211_C_RSN)) { 1947 if (ieee80211_save_ie(rsnie, &ni->ni_rsnie) == 0 1948 #ifndef IEEE80211_STA_ONLY 1949 && ic->ic_opmode != IEEE80211_M_HOSTAP 1950 #endif 1951 ) { 1952 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1953 ni->ni_rsnakms = rsn.rsn_akms; 1954 ni->ni_rsnciphers = rsn.rsn_ciphers; 1955 ni->ni_rsngroupcipher = rsn.rsn_groupcipher; 1956 ni->ni_rsngroupmgmtcipher = 1957 rsn.rsn_groupmgmtcipher; 1958 ni->ni_rsncaps = rsn.rsn_caps; 1959 } 1960 } else if (wpaie != NULL && 1961 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_WPA) && 1962 (ic->ic_caps & IEEE80211_C_RSN)) { 1963 if (ieee80211_save_ie(wpaie, &ni->ni_rsnie) == 0 1964 #ifndef IEEE80211_STA_ONLY 1965 && ic->ic_opmode != IEEE80211_M_HOSTAP 1966 #endif 1967 ) { 1968 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1969 ni->ni_rsnakms = wpa.rsn_akms; 1970 ni->ni_rsnciphers = wpa.rsn_ciphers; 1971 ni->ni_rsngroupcipher = wpa.rsn_groupcipher; 1972 ni->ni_rsngroupmgmtcipher = 1973 wpa.rsn_groupmgmtcipher; 1974 ni->ni_rsncaps = wpa.rsn_caps; 1975 } 1976 } 1977 } 1978 1979 /* 1980 * Set our SSID if we do not know it yet. 1981 * If we are doing a directed scan for an AP with a hidden SSID 1982 * we must collect the SSID from a probe response to override 1983 * a non-zero-length SSID filled with zeroes that we may have 1984 * received earlier in a beacon. 1985 */ 1986 if (ssid[1] != 0 && ni->ni_essid[0] == '\0') { 1987 ni->ni_esslen = ssid[1]; 1988 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1989 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1990 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1991 } 1992 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1993 if (ic->ic_state == IEEE80211_S_SCAN && 1994 IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) { 1995 /* 1996 * During a scan on 5Ghz, prefer RSSI measured for probe 1997 * response frames. i.e. don't allow beacons to lower the 1998 * measured RSSI. Some 5GHz APs send beacons with much 1999 * less Tx power than they use for probe responses. 2000 */ 2001 if (isprobe || ni->ni_rssi == 0) 2002 ni->ni_rssi = rxi->rxi_rssi; 2003 else if (ni->ni_rssi < rxi->rxi_rssi) 2004 ni->ni_rssi = rxi->rxi_rssi; 2005 } else 2006 ni->ni_rssi = rxi->rxi_rssi; 2007 ni->ni_rstamp = rxi->rxi_tstamp; 2008 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 2009 ni->ni_intval = bintval; 2010 ni->ni_capinfo = capinfo; 2011 ni->ni_erp = erp; 2012 /* NB: must be after ni_chan is setup */ 2013 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 2014 #ifndef IEEE80211_STA_ONLY 2015 if (ic->ic_opmode == IEEE80211_M_IBSS && is_new && isprobe) { 2016 /* 2017 * Fake an association so the driver can setup its 2018 * private state. The rate set has been setup above; 2019 * there is no handshake as in ap/station operation. 2020 */ 2021 if (ic->ic_newassoc) 2022 (*ic->ic_newassoc)(ic, ni, 1); 2023 } 2024 #endif 2025 } 2026 2027 #ifndef IEEE80211_STA_ONLY 2028 /*- 2029 * Probe request frame format: 2030 * [tlv] SSID 2031 * [tlv] Supported rates 2032 * [tlv] Extended Supported Rates (802.11g) 2033 * [tlv] HT Capabilities (802.11n) 2034 */ 2035 void 2036 ieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m, 2037 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 2038 { 2039 const struct ieee80211_frame *wh; 2040 const u_int8_t *frm, *efrm; 2041 const u_int8_t *ssid, *rates, *xrates, *htcaps, *vhtcaps; 2042 u_int8_t rate; 2043 2044 if (ic->ic_opmode == IEEE80211_M_STA || 2045 ic->ic_state != IEEE80211_S_RUN) 2046 return; 2047 2048 wh = mtod(m, struct ieee80211_frame *); 2049 frm = (const u_int8_t *)&wh[1]; 2050 efrm = mtod(m, u_int8_t *) + m->m_len; 2051 2052 ssid = rates = xrates = htcaps = vhtcaps = NULL; 2053 while (frm + 2 <= efrm) { 2054 if (frm + 2 + frm[1] > efrm) { 2055 ic->ic_stats.is_rx_elem_toosmall++; 2056 break; 2057 } 2058 switch (frm[0]) { 2059 case IEEE80211_ELEMID_SSID: 2060 ssid = frm; 2061 break; 2062 case IEEE80211_ELEMID_RATES: 2063 rates = frm; 2064 break; 2065 case IEEE80211_ELEMID_XRATES: 2066 xrates = frm; 2067 break; 2068 case IEEE80211_ELEMID_HTCAPS: 2069 htcaps = frm; 2070 break; 2071 case IEEE80211_ELEMID_VHTCAPS: 2072 vhtcaps = frm; 2073 break; 2074 } 2075 frm += 2 + frm[1]; 2076 } 2077 /* supported rates element is mandatory */ 2078 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2079 DPRINTF(("invalid supported rates element\n")); 2080 return; 2081 } 2082 /* SSID element is mandatory */ 2083 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 2084 DPRINTF(("invalid SSID element\n")); 2085 return; 2086 } 2087 /* check that the specified SSID (if not wildcard) matches ours */ 2088 if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen || 2089 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) { 2090 DPRINTF(("SSID mismatch\n")); 2091 ic->ic_stats.is_rx_ssidmismatch++; 2092 return; 2093 } 2094 /* refuse wildcard SSID if we're hiding our SSID in beacons */ 2095 if (ssid[1] == 0 && (ic->ic_userflags & IEEE80211_F_HIDENWID)) { 2096 DPRINTF(("wildcard SSID rejected")); 2097 ic->ic_stats.is_rx_ssidmismatch++; 2098 return; 2099 } 2100 2101 if (ni == ic->ic_bss) { 2102 ni = ieee80211_find_node(ic, wh->i_addr2); 2103 if (ni == NULL) 2104 ni = ieee80211_dup_bss(ic, wh->i_addr2); 2105 if (ni == NULL) 2106 return; 2107 DPRINTF(("new probe req from %s\n", 2108 ether_sprintf((u_int8_t *)wh->i_addr2))); 2109 } 2110 ni->ni_rssi = rxi->rxi_rssi; 2111 ni->ni_rstamp = rxi->rxi_tstamp; 2112 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2113 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2114 IEEE80211_F_DODEL); 2115 if (rate & IEEE80211_RATE_BASIC) { 2116 DPRINTF(("rate mismatch for %s\n", 2117 ether_sprintf((u_int8_t *)wh->i_addr2))); 2118 return; 2119 } 2120 if (htcaps) 2121 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2122 else 2123 ieee80211_clear_htcaps(ni); 2124 if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ic->ic_bss->ni_chan)) 2125 ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]); 2126 else 2127 ieee80211_clear_vhtcaps(ni); 2128 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 2129 } 2130 #endif /* IEEE80211_STA_ONLY */ 2131 2132 /*- 2133 * Authentication frame format: 2134 * [2] Authentication algorithm number 2135 * [2] Authentication transaction sequence number 2136 * [2] Status code 2137 */ 2138 void 2139 ieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m, 2140 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 2141 { 2142 const struct ieee80211_frame *wh; 2143 const u_int8_t *frm; 2144 u_int16_t algo, seq, status; 2145 2146 /* make sure all mandatory fixed fields are present */ 2147 if (m->m_len < sizeof(*wh) + 6) { 2148 DPRINTF(("frame too short\n")); 2149 return; 2150 } 2151 wh = mtod(m, struct ieee80211_frame *); 2152 frm = (const u_int8_t *)&wh[1]; 2153 2154 algo = LE_READ_2(frm); frm += 2; 2155 seq = LE_READ_2(frm); frm += 2; 2156 status = LE_READ_2(frm); frm += 2; 2157 DPRINTF(("auth %d seq %d from %s\n", algo, seq, 2158 ether_sprintf((u_int8_t *)wh->i_addr2))); 2159 2160 /* only "open" auth mode is supported */ 2161 if (algo != IEEE80211_AUTH_ALG_OPEN) { 2162 DPRINTF(("unsupported auth algorithm %d from %s\n", 2163 algo, ether_sprintf((u_int8_t *)wh->i_addr2))); 2164 ic->ic_stats.is_rx_auth_unsupported++; 2165 #ifndef IEEE80211_STA_ONLY 2166 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2167 /* XXX hack to workaround calling convention */ 2168 IEEE80211_SEND_MGMT(ic, ni, 2169 IEEE80211_FC0_SUBTYPE_AUTH, 2170 IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xfff)); 2171 } 2172 #endif 2173 return; 2174 } 2175 ieee80211_auth_open(ic, wh, ni, rxi, seq, status); 2176 } 2177 2178 #ifndef IEEE80211_STA_ONLY 2179 /*- 2180 * (Re)Association request frame format: 2181 * [2] Capability information 2182 * [2] Listen interval 2183 * [6*] Current AP address (Reassociation only) 2184 * [tlv] SSID 2185 * [tlv] Supported rates 2186 * [tlv] Extended Supported Rates (802.11g) 2187 * [tlv] RSN (802.11i) 2188 * [tlv] QoS Capability (802.11e) 2189 * [tlv] HT Capabilities (802.11n) 2190 */ 2191 void 2192 ieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m, 2193 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc) 2194 { 2195 const struct ieee80211_frame *wh; 2196 const u_int8_t *frm, *efrm; 2197 const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *wmeie; 2198 const u_int8_t *htcaps, *vhtcaps; 2199 u_int16_t capinfo, bintval; 2200 int resp, status = 0; 2201 struct ieee80211_rsnparams rsn; 2202 u_int8_t rate; 2203 const u_int8_t *saveie = NULL; 2204 2205 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2206 ic->ic_state != IEEE80211_S_RUN) 2207 return; 2208 2209 /* make sure all mandatory fixed fields are present */ 2210 if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) { 2211 DPRINTF(("frame too short\n")); 2212 return; 2213 } 2214 wh = mtod(m, struct ieee80211_frame *); 2215 frm = (const u_int8_t *)&wh[1]; 2216 efrm = mtod(m, u_int8_t *) + m->m_len; 2217 2218 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2219 DPRINTF(("ignore other bss from %s\n", 2220 ether_sprintf((u_int8_t *)wh->i_addr2))); 2221 ic->ic_stats.is_rx_assoc_bss++; 2222 return; 2223 } 2224 capinfo = LE_READ_2(frm); frm += 2; 2225 bintval = LE_READ_2(frm); frm += 2; 2226 if (reassoc) { 2227 frm += IEEE80211_ADDR_LEN; /* skip current AP address */ 2228 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2229 } else 2230 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2231 2232 ssid = rates = xrates = rsnie = wpaie = wmeie = htcaps = vhtcaps = NULL; 2233 while (frm + 2 <= efrm) { 2234 if (frm + 2 + frm[1] > efrm) { 2235 ic->ic_stats.is_rx_elem_toosmall++; 2236 break; 2237 } 2238 switch (frm[0]) { 2239 case IEEE80211_ELEMID_SSID: 2240 ssid = frm; 2241 break; 2242 case IEEE80211_ELEMID_RATES: 2243 rates = frm; 2244 break; 2245 case IEEE80211_ELEMID_XRATES: 2246 xrates = frm; 2247 break; 2248 case IEEE80211_ELEMID_RSN: 2249 rsnie = frm; 2250 break; 2251 case IEEE80211_ELEMID_QOS_CAP: 2252 break; 2253 case IEEE80211_ELEMID_HTCAPS: 2254 htcaps = frm; 2255 break; 2256 case IEEE80211_ELEMID_VHTCAPS: 2257 vhtcaps = frm; 2258 break; 2259 case IEEE80211_ELEMID_VENDOR: 2260 if (frm[1] < 4) { 2261 ic->ic_stats.is_rx_elem_toosmall++; 2262 break; 2263 } 2264 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2265 if (frm[5] == 1) 2266 wpaie = frm; 2267 /* WME info IE: len=7 type=2 subtype=0 */ 2268 if (frm[1] == 7 && frm[5] == 2 && frm[6] == 0) 2269 wmeie = frm; 2270 } 2271 break; 2272 } 2273 frm += 2 + frm[1]; 2274 } 2275 /* supported rates element is mandatory */ 2276 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2277 DPRINTF(("invalid supported rates element\n")); 2278 return; 2279 } 2280 /* SSID element is mandatory */ 2281 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 2282 DPRINTF(("invalid SSID element\n")); 2283 return; 2284 } 2285 /* check that the specified SSID matches ours */ 2286 if (ssid[1] != ic->ic_bss->ni_esslen || 2287 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) { 2288 DPRINTF(("SSID mismatch\n")); 2289 ic->ic_stats.is_rx_ssidmismatch++; 2290 return; 2291 } 2292 2293 if (ni->ni_state != IEEE80211_STA_AUTH && 2294 ni->ni_state != IEEE80211_STA_ASSOC) { 2295 DPRINTF(("deny %sassoc from %s, not authenticated\n", 2296 reassoc ? "re" : "", 2297 ether_sprintf((u_int8_t *)wh->i_addr2))); 2298 ni = ieee80211_find_node(ic, wh->i_addr2); 2299 if (ni == NULL) 2300 ni = ieee80211_dup_bss(ic, wh->i_addr2); 2301 if (ni != NULL) { 2302 IEEE80211_SEND_MGMT(ic, ni, 2303 IEEE80211_FC0_SUBTYPE_DEAUTH, 2304 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2305 } 2306 ic->ic_stats.is_rx_assoc_notauth++; 2307 return; 2308 } 2309 2310 if (ni->ni_state == IEEE80211_STA_ASSOC && 2311 (ni->ni_flags & IEEE80211_NODE_MFP)) { 2312 if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) { 2313 /* send a protected Disassociate frame */ 2314 IEEE80211_SEND_MGMT(ic, ni, 2315 IEEE80211_FC0_SUBTYPE_DISASSOC, 2316 IEEE80211_REASON_AUTH_EXPIRE); 2317 /* terminate the old SA */ 2318 ieee80211_node_leave(ic, ni); 2319 } else { 2320 /* reject the (Re)Association Request temporarily */ 2321 IEEE80211_SEND_MGMT(ic, ni, resp, 2322 IEEE80211_STATUS_TRY_AGAIN_LATER); 2323 /* start SA Query procedure if not already engaged */ 2324 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) 2325 ieee80211_sa_query_request(ic, ni); 2326 /* do not modify association state */ 2327 } 2328 return; 2329 } 2330 2331 if (!(capinfo & IEEE80211_CAPINFO_ESS)) { 2332 ic->ic_stats.is_rx_assoc_capmismatch++; 2333 status = IEEE80211_STATUS_CAPINFO; 2334 goto end; 2335 } 2336 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2337 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2338 IEEE80211_F_DODEL); 2339 if (rate & IEEE80211_RATE_BASIC) { 2340 ic->ic_stats.is_rx_assoc_norate++; 2341 status = IEEE80211_STATUS_BASIC_RATE; 2342 goto end; 2343 } 2344 2345 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2346 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 2347 ni->ni_rsnakms = 0; 2348 ni->ni_supported_rsnakms = 0; 2349 ni->ni_rsnciphers = 0; 2350 ni->ni_rsngroupcipher = 0; 2351 ni->ni_rsngroupmgmtcipher = 0; 2352 ni->ni_rsncaps = 0; 2353 2354 /* 2355 * A station should never include both a WPA and an RSN IE 2356 * in its (Re)Association Requests, but if it does, we only 2357 * consider the IE of the highest version of the protocol 2358 * that is allowed (ie RSN over WPA). 2359 */ 2360 if (rsnie != NULL) { 2361 status = ieee80211_parse_rsn(ic, rsnie, &rsn); 2362 if (status != 0) 2363 goto end; 2364 ni->ni_supported_rsnprotos = IEEE80211_PROTO_RSN; 2365 ni->ni_supported_rsnakms = rsn.rsn_akms; 2366 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2367 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 2368 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 2369 saveie = rsnie; 2370 } 2371 } else if (wpaie != NULL) { 2372 status = ieee80211_parse_wpa(ic, wpaie, &rsn); 2373 if (status != 0) 2374 goto end; 2375 ni->ni_supported_rsnprotos = IEEE80211_PROTO_WPA; 2376 ni->ni_supported_rsnakms = rsn.rsn_akms; 2377 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2378 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 2379 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 2380 saveie = wpaie; 2381 } 2382 } 2383 2384 if (ic->ic_flags & IEEE80211_F_QOS) { 2385 if (wmeie != NULL) 2386 ni->ni_flags |= IEEE80211_NODE_QOS; 2387 else /* for Reassociation */ 2388 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2389 } 2390 2391 if (ic->ic_flags & IEEE80211_F_RSNON) { 2392 if (ni->ni_rsnprotos == IEEE80211_PROTO_NONE) { 2393 /* 2394 * In an RSN, an AP shall not associate with STAs 2395 * that fail to include the RSN IE in the 2396 * (Re)Association Request. 2397 */ 2398 status = IEEE80211_STATUS_IE_INVALID; 2399 goto end; 2400 } 2401 /* 2402 * The initiating STA's RSN IE shall include one authentication 2403 * and pairwise cipher suite among those advertised by the 2404 * targeted AP. It shall also specify the group cipher suite 2405 * specified by the targeted AP. 2406 */ 2407 if (rsn.rsn_nakms != 1 || 2408 !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) { 2409 status = IEEE80211_STATUS_BAD_AKMP; 2410 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2411 goto end; 2412 } 2413 if (rsn.rsn_nciphers != 1 || 2414 !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) { 2415 status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 2416 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2417 goto end; 2418 } 2419 if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) { 2420 status = IEEE80211_STATUS_BAD_GROUP_CIPHER; 2421 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2422 goto end; 2423 } 2424 2425 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) && 2426 !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) { 2427 status = IEEE80211_STATUS_MFP_POLICY; 2428 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2429 goto end; 2430 } 2431 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 2432 (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC | 2433 IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) { 2434 /* STA advertises an invalid setting */ 2435 status = IEEE80211_STATUS_MFP_POLICY; 2436 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2437 goto end; 2438 } 2439 /* 2440 * A STA that has associated with Management Frame Protection 2441 * enabled shall not use cipher suite pairwise selector WEP40, 2442 * WEP104, TKIP, or "Use Group cipher suite". 2443 */ 2444 if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) && 2445 (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP || 2446 rsn.rsn_groupmgmtcipher != 2447 ic->ic_bss->ni_rsngroupmgmtcipher)) { 2448 status = IEEE80211_STATUS_MFP_POLICY; 2449 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2450 goto end; 2451 } 2452 2453 /* 2454 * Disallow new associations using TKIP if countermeasures 2455 * are active. 2456 */ 2457 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 2458 (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP || 2459 rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) { 2460 status = IEEE80211_STATUS_CIPHER_REJ_POLICY; 2461 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2462 goto end; 2463 } 2464 2465 /* everything looks fine, save IE and parameters */ 2466 if (saveie == NULL || 2467 ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) { 2468 status = IEEE80211_STATUS_TOOMANY; 2469 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2470 goto end; 2471 } 2472 ni->ni_rsnakms = rsn.rsn_akms; 2473 ni->ni_rsnciphers = rsn.rsn_ciphers; 2474 ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher; 2475 ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher; 2476 ni->ni_rsncaps = rsn.rsn_caps; 2477 2478 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 2479 struct ieee80211_pmk *pmk = NULL; 2480 const u_int8_t *pmkid = rsn.rsn_pmkids; 2481 /* 2482 * Check if we have a cached PMK entry matching one 2483 * of the PMKIDs specified in the RSN IE. 2484 */ 2485 while (rsn.rsn_npmkids-- > 0) { 2486 pmk = ieee80211_pmksa_find(ic, ni, pmkid); 2487 if (pmk != NULL) 2488 break; 2489 pmkid += IEEE80211_PMKID_LEN; 2490 } 2491 if (pmk != NULL) { 2492 memcpy(ni->ni_pmk, pmk->pmk_key, 2493 IEEE80211_PMK_LEN); 2494 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 2495 IEEE80211_PMKID_LEN); 2496 ni->ni_flags |= IEEE80211_NODE_PMK; 2497 } 2498 } 2499 } 2500 2501 ni->ni_rssi = rxi->rxi_rssi; 2502 ni->ni_rstamp = rxi->rxi_tstamp; 2503 ni->ni_intval = bintval; 2504 ni->ni_capinfo = capinfo; 2505 ni->ni_chan = ic->ic_bss->ni_chan; 2506 if (htcaps) 2507 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2508 else 2509 ieee80211_clear_htcaps(ni); 2510 if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ic->ic_bss->ni_chan)) 2511 ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]); 2512 else 2513 ieee80211_clear_vhtcaps(ni); 2514 end: 2515 if (status != 0) { 2516 IEEE80211_SEND_MGMT(ic, ni, resp, status); 2517 ieee80211_node_leave(ic, ni); 2518 } else 2519 ieee80211_node_join(ic, ni, resp); 2520 } 2521 #endif /* IEEE80211_STA_ONLY */ 2522 2523 /*- 2524 * (Re)Association response frame format: 2525 * [2] Capability information 2526 * [2] Status code 2527 * [2] Association ID (AID) 2528 * [tlv] Supported rates 2529 * [tlv] Extended Supported Rates (802.11g) 2530 * [tlv] EDCA Parameter Set (802.11e) 2531 * [tlv] HT Capabilities (802.11n) 2532 * [tlv] HT Operation (802.11n) 2533 */ 2534 void 2535 ieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m, 2536 struct ieee80211_node *ni, int reassoc) 2537 { 2538 struct ifnet *ifp = &ic->ic_if; 2539 const struct ieee80211_frame *wh; 2540 const u_int8_t *frm, *efrm; 2541 const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop; 2542 const u_int8_t *vhtcaps, *vhtop; 2543 u_int16_t capinfo, status, associd; 2544 u_int8_t rate; 2545 2546 if (ic->ic_opmode != IEEE80211_M_STA || 2547 ic->ic_state != IEEE80211_S_ASSOC) { 2548 ic->ic_stats.is_rx_mgtdiscard++; 2549 return; 2550 } 2551 2552 /* make sure all mandatory fixed fields are present */ 2553 if (m->m_len < sizeof(*wh) + 6) { 2554 DPRINTF(("frame too short\n")); 2555 return; 2556 } 2557 wh = mtod(m, struct ieee80211_frame *); 2558 frm = (const u_int8_t *)&wh[1]; 2559 efrm = mtod(m, u_int8_t *) + m->m_len; 2560 2561 capinfo = LE_READ_2(frm); frm += 2; 2562 status = LE_READ_2(frm); frm += 2; 2563 if (status != IEEE80211_STATUS_SUCCESS) { 2564 if (ifp->if_flags & IFF_DEBUG) 2565 printf("%s: %sassociation failed (status %d)" 2566 " for %s\n", ifp->if_xname, 2567 reassoc ? "re" : "", 2568 status, ether_sprintf((u_int8_t *)wh->i_addr3)); 2569 if (ni != ic->ic_bss) 2570 ni->ni_fails++; 2571 ic->ic_stats.is_rx_auth_fail++; 2572 return; 2573 } 2574 associd = LE_READ_2(frm); frm += 2; 2575 2576 rates = xrates = edcaie = wmmie = htcaps = htop = NULL; 2577 vhtcaps = vhtop = NULL; 2578 while (frm + 2 <= efrm) { 2579 if (frm + 2 + frm[1] > efrm) { 2580 ic->ic_stats.is_rx_elem_toosmall++; 2581 break; 2582 } 2583 switch (frm[0]) { 2584 case IEEE80211_ELEMID_RATES: 2585 rates = frm; 2586 break; 2587 case IEEE80211_ELEMID_XRATES: 2588 xrates = frm; 2589 break; 2590 case IEEE80211_ELEMID_EDCAPARMS: 2591 edcaie = frm; 2592 break; 2593 case IEEE80211_ELEMID_HTCAPS: 2594 htcaps = frm; 2595 break; 2596 case IEEE80211_ELEMID_HTOP: 2597 htop = frm; 2598 break; 2599 case IEEE80211_ELEMID_VHTCAPS: 2600 vhtcaps = frm; 2601 break; 2602 case IEEE80211_ELEMID_VHTOP: 2603 vhtop = frm; 2604 break; 2605 case IEEE80211_ELEMID_VENDOR: 2606 if (frm[1] < 4) { 2607 ic->ic_stats.is_rx_elem_toosmall++; 2608 break; 2609 } 2610 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2611 if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1) 2612 wmmie = frm; 2613 } 2614 break; 2615 } 2616 frm += 2 + frm[1]; 2617 } 2618 /* supported rates element is mandatory */ 2619 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2620 DPRINTF(("invalid supported rates element\n")); 2621 return; 2622 } 2623 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2624 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2625 IEEE80211_F_DODEL); 2626 if (rate & IEEE80211_RATE_BASIC) { 2627 DPRINTF(("rate mismatch for %s\n", 2628 ether_sprintf((u_int8_t *)wh->i_addr2))); 2629 ic->ic_stats.is_rx_assoc_norate++; 2630 return; 2631 } 2632 ni->ni_capinfo = capinfo; 2633 ni->ni_associd = associd; 2634 if (edcaie != NULL || wmmie != NULL) { 2635 /* force update of EDCA parameters */ 2636 ic->ic_edca_updtcount = -1; 2637 2638 if ((edcaie != NULL && 2639 ieee80211_parse_edca_params(ic, edcaie) == 0) || 2640 (wmmie != NULL && 2641 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 2642 ni->ni_flags |= IEEE80211_NODE_QOS; 2643 else /* for Reassociation */ 2644 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2645 } 2646 if (htcaps) 2647 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2648 if (htop) 2649 ieee80211_setup_htop(ni, htop + 2, htop[1], 0); 2650 ieee80211_ht_negotiate(ic, ni); 2651 2652 if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) { 2653 ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]); 2654 if (vhtop && !ieee80211_setup_vhtop(ni, vhtop + 2, vhtop[1], 1)) 2655 vhtop = NULL; /* invalid VHTOP */ 2656 } 2657 ieee80211_vht_negotiate(ic, ni); 2658 2659 /* Hop into 11n/11ac modes after associating to a HT/VHT AP. */ 2660 if (ni->ni_flags & IEEE80211_NODE_VHT) 2661 ieee80211_setmode(ic, IEEE80211_MODE_11AC); 2662 else if (ni->ni_flags & IEEE80211_NODE_HT) 2663 ieee80211_setmode(ic, IEEE80211_MODE_11N); 2664 else 2665 ieee80211_setmode(ic, ieee80211_chan2mode(ic, ni->ni_chan)); 2666 /* 2667 * Reset the erp state (mostly the slot time) now that 2668 * our operating mode has been nailed down. 2669 */ 2670 ieee80211_reset_erp(ic); 2671 2672 /* 2673 * Configure state now that we are associated. 2674 */ 2675 if (ic->ic_curmode == IEEE80211_MODE_11A || 2676 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 2677 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2678 else 2679 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2680 2681 ieee80211_set_shortslottime(ic, 2682 ic->ic_curmode == IEEE80211_MODE_11A || 2683 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2684 /* 2685 * Honor ERP protection. 2686 */ 2687 if ((ic->ic_curmode == IEEE80211_MODE_11G || 2688 (ic->ic_curmode == IEEE80211_MODE_11N && 2689 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 2690 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2691 ic->ic_flags |= IEEE80211_F_USEPROT; 2692 else 2693 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2694 /* 2695 * If not an RSNA, mark the port as valid, otherwise wait for 2696 * 802.1X authentication and 4-way handshake to complete.. 2697 */ 2698 if (ic->ic_flags & IEEE80211_F_RSNON) { 2699 /* XXX ic->ic_mgt_timer = 5; */ 2700 ni->ni_rsn_supp_state = RSNA_SUPP_PTKSTART; 2701 } else if (ic->ic_flags & IEEE80211_F_WEPON) 2702 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 2703 2704 ieee80211_new_state(ic, IEEE80211_S_RUN, 2705 IEEE80211_FC0_SUBTYPE_ASSOC_RESP); 2706 } 2707 2708 /*- 2709 * Deauthentication frame format: 2710 * [2] Reason code 2711 */ 2712 void 2713 ieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m, 2714 struct ieee80211_node *ni) 2715 { 2716 const struct ieee80211_frame *wh; 2717 const u_int8_t *frm; 2718 u_int16_t reason; 2719 2720 /* make sure all mandatory fixed fields are present */ 2721 if (m->m_len < sizeof(*wh) + 2) { 2722 DPRINTF(("frame too short\n")); 2723 return; 2724 } 2725 wh = mtod(m, struct ieee80211_frame *); 2726 frm = (const u_int8_t *)&wh[1]; 2727 2728 reason = LE_READ_2(frm); 2729 2730 ic->ic_stats.is_rx_deauth++; 2731 switch (ic->ic_opmode) { 2732 case IEEE80211_M_STA: { 2733 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2734 ic->ic_state == IEEE80211_S_RUN); 2735 int stay_auth = ((ic->ic_userflags & IEEE80211_F_STAYAUTH) && 2736 ic->ic_state >= IEEE80211_S_AUTH); 2737 if (!(bgscan || stay_auth)) 2738 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2739 IEEE80211_FC0_SUBTYPE_DEAUTH); 2740 } 2741 break; 2742 #ifndef IEEE80211_STA_ONLY 2743 case IEEE80211_M_HOSTAP: 2744 if (ni != ic->ic_bss) { 2745 int stay_auth = 2746 ((ic->ic_userflags & IEEE80211_F_STAYAUTH) && 2747 (ni->ni_state == IEEE80211_STA_AUTH || 2748 ni->ni_state == IEEE80211_STA_ASSOC)); 2749 if (ic->ic_if.if_flags & IFF_DEBUG) 2750 printf("%s: station %s deauthenticated " 2751 "by peer (reason %d)\n", 2752 ic->ic_if.if_xname, 2753 ether_sprintf(ni->ni_macaddr), 2754 reason); 2755 if (!stay_auth) 2756 ieee80211_node_leave(ic, ni); 2757 } 2758 break; 2759 #endif 2760 default: 2761 break; 2762 } 2763 } 2764 2765 /*- 2766 * Disassociation frame format: 2767 * [2] Reason code 2768 */ 2769 void 2770 ieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m, 2771 struct ieee80211_node *ni) 2772 { 2773 const struct ieee80211_frame *wh; 2774 const u_int8_t *frm; 2775 u_int16_t reason; 2776 2777 /* make sure all mandatory fixed fields are present */ 2778 if (m->m_len < sizeof(*wh) + 2) { 2779 DPRINTF(("frame too short\n")); 2780 return; 2781 } 2782 wh = mtod(m, struct ieee80211_frame *); 2783 frm = (const u_int8_t *)&wh[1]; 2784 2785 reason = LE_READ_2(frm); 2786 2787 ic->ic_stats.is_rx_disassoc++; 2788 switch (ic->ic_opmode) { 2789 case IEEE80211_M_STA: { 2790 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2791 ic->ic_state == IEEE80211_S_RUN); 2792 if (!bgscan) /* ignore disassoc during bgscan */ 2793 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2794 IEEE80211_FC0_SUBTYPE_DISASSOC); 2795 } 2796 break; 2797 #ifndef IEEE80211_STA_ONLY 2798 case IEEE80211_M_HOSTAP: 2799 if (ni != ic->ic_bss) { 2800 if (ic->ic_if.if_flags & IFF_DEBUG) 2801 printf("%s: station %s disassociated " 2802 "by peer (reason %d)\n", 2803 ic->ic_if.if_xname, 2804 ether_sprintf(ni->ni_macaddr), 2805 reason); 2806 ieee80211_node_leave(ic, ni); 2807 } 2808 break; 2809 #endif 2810 default: 2811 break; 2812 } 2813 } 2814 2815 /*- 2816 * ADDBA Request frame format: 2817 * [1] Category 2818 * [1] Action 2819 * [1] Dialog Token 2820 * [2] Block Ack Parameter Set 2821 * [2] Block Ack Timeout Value 2822 * [2] Block Ack Starting Sequence Control 2823 */ 2824 void 2825 ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m, 2826 struct ieee80211_node *ni) 2827 { 2828 const struct ieee80211_frame *wh; 2829 const u_int8_t *frm; 2830 struct ieee80211_rx_ba *ba; 2831 u_int16_t params, ssn, bufsz, timeout; 2832 u_int8_t token, tid; 2833 int err = 0; 2834 2835 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2836 DPRINTF(("received ADDBA req from non-HT STA %s\n", 2837 ether_sprintf(ni->ni_macaddr))); 2838 return; 2839 } 2840 if (m->m_len < sizeof(*wh) + 9) { 2841 DPRINTF(("frame too short\n")); 2842 return; 2843 } 2844 /* MLME-ADDBA.indication */ 2845 wh = mtod(m, struct ieee80211_frame *); 2846 frm = (const u_int8_t *)&wh[1]; 2847 2848 token = frm[2]; 2849 params = LE_READ_2(&frm[3]); 2850 tid = ((params & IEEE80211_ADDBA_TID_MASK) >> 2851 IEEE80211_ADDBA_TID_SHIFT); 2852 bufsz = (params & IEEE80211_ADDBA_BUFSZ_MASK) >> 2853 IEEE80211_ADDBA_BUFSZ_SHIFT; 2854 timeout = LE_READ_2(&frm[5]); 2855 ssn = LE_READ_2(&frm[7]) >> 4; 2856 2857 ba = &ni->ni_rx_ba[tid]; 2858 /* The driver is still processing an ADDBA request for this tid. */ 2859 if (ba->ba_state == IEEE80211_BA_REQUESTED) 2860 return; 2861 /* If we are in the process of roaming between APs, ignore. */ 2862 if ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2863 (ic->ic_xflags & IEEE80211_F_TX_MGMT_ONLY)) 2864 return; 2865 /* check if we already have a Block Ack agreement for this RA/TID */ 2866 if (ba->ba_state == IEEE80211_BA_AGREED) { 2867 /* XXX should we update the timeout value? */ 2868 /* reset Block Ack inactivity timer */ 2869 if (ba->ba_timeout_val != 0) 2870 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2871 2872 /* check if it's a Protected Block Ack agreement */ 2873 if (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2874 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) 2875 return; /* not a PBAC, ignore */ 2876 2877 /* PBAC: treat the ADDBA Request like a BlockAckReq */ 2878 if (SEQ_LT(ba->ba_winstart, ssn)) { 2879 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 2880 ieee80211_ba_move_window(ic, ni, tid, ssn, &ml); 2881 if_input(&ic->ic_if, &ml); 2882 } 2883 return; 2884 } 2885 2886 /* if PBAC required but RA does not support it, refuse request */ 2887 if ((ic->ic_flags & IEEE80211_F_PBAR) && 2888 (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2889 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))) 2890 goto refuse; 2891 /* 2892 * If the TID for which the Block Ack agreement is requested is 2893 * configured with a no-ACK policy, refuse the agreement. 2894 */ 2895 if (ic->ic_tid_noack & (1 << tid)) 2896 goto refuse; 2897 2898 /* check that we support the requested Block Ack Policy */ 2899 if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) && 2900 !(params & IEEE80211_ADDBA_BA_POLICY)) 2901 goto refuse; 2902 2903 /* setup Block Ack agreement */ 2904 ba->ba_state = IEEE80211_BA_REQUESTED; 2905 ba->ba_timeout_val = timeout * IEEE80211_DUR_TU; 2906 ba->ba_ni = ni; 2907 ba->ba_token = token; 2908 timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba); 2909 timeout_set(&ba->ba_gap_to, ieee80211_input_ba_gap_timeout, ba); 2910 ba->ba_gapwait = 0; 2911 ba->ba_winsize = bufsz; 2912 if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ) 2913 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 2914 ba->ba_params = (params & IEEE80211_ADDBA_BA_POLICY); 2915 ba->ba_params |= ((ba->ba_winsize << IEEE80211_ADDBA_BUFSZ_SHIFT) | 2916 (tid << IEEE80211_ADDBA_TID_SHIFT)); 2917 ba->ba_params |= IEEE80211_ADDBA_AMSDU; 2918 ba->ba_winstart = ssn; 2919 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 2920 /* allocate and setup our reordering buffer */ 2921 ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf), 2922 M_DEVBUF, M_NOWAIT | M_ZERO); 2923 if (ba->ba_buf == NULL) 2924 goto refuse; 2925 2926 ba->ba_head = 0; 2927 2928 /* notify drivers of this new Block Ack agreement */ 2929 if (ic->ic_ampdu_rx_start != NULL) 2930 err = ic->ic_ampdu_rx_start(ic, ni, tid); 2931 if (err == EBUSY) { 2932 /* driver will accept or refuse agreement when done */ 2933 return; 2934 } else if (err) { 2935 /* driver failed to setup, rollback */ 2936 ieee80211_addba_req_refuse(ic, ni, tid); 2937 } else 2938 ieee80211_addba_req_accept(ic, ni, tid); 2939 return; 2940 2941 refuse: 2942 /* MLME-ADDBA.response */ 2943 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2944 IEEE80211_ACTION_ADDBA_RESP, 2945 IEEE80211_STATUS_REFUSED << 16 | token << 8 | tid); 2946 } 2947 2948 void 2949 ieee80211_addba_req_accept(struct ieee80211com *ic, struct ieee80211_node *ni, 2950 uint8_t tid) 2951 { 2952 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2953 2954 ba->ba_state = IEEE80211_BA_AGREED; 2955 ic->ic_stats.is_ht_rx_ba_agreements++; 2956 /* start Block Ack inactivity timer */ 2957 if (ba->ba_timeout_val != 0) 2958 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2959 2960 /* MLME-ADDBA.response */ 2961 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2962 IEEE80211_ACTION_ADDBA_RESP, 2963 IEEE80211_STATUS_SUCCESS << 16 | ba->ba_token << 8 | tid); 2964 } 2965 2966 void 2967 ieee80211_addba_req_refuse(struct ieee80211com *ic, struct ieee80211_node *ni, 2968 uint8_t tid) 2969 { 2970 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2971 2972 free(ba->ba_buf, M_DEVBUF, 2973 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 2974 ba->ba_buf = NULL; 2975 ba->ba_state = IEEE80211_BA_INIT; 2976 2977 /* MLME-ADDBA.response */ 2978 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2979 IEEE80211_ACTION_ADDBA_RESP, 2980 IEEE80211_STATUS_REFUSED << 16 | ba->ba_token << 8 | tid); 2981 } 2982 2983 /*- 2984 * ADDBA Response frame format: 2985 * [1] Category 2986 * [1] Action 2987 * [1] Dialog Token 2988 * [2] Status Code 2989 * [2] Block Ack Parameter Set 2990 * [2] Block Ack Timeout Value 2991 */ 2992 void 2993 ieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m, 2994 struct ieee80211_node *ni) 2995 { 2996 const struct ieee80211_frame *wh; 2997 const u_int8_t *frm; 2998 struct ieee80211_tx_ba *ba; 2999 u_int16_t status, params, bufsz, timeout; 3000 u_int8_t token, tid; 3001 int err = 0; 3002 3003 if (m->m_len < sizeof(*wh) + 9) { 3004 DPRINTF(("frame too short\n")); 3005 return; 3006 } 3007 wh = mtod(m, struct ieee80211_frame *); 3008 frm = (const u_int8_t *)&wh[1]; 3009 3010 token = frm[2]; 3011 status = LE_READ_2(&frm[3]); 3012 params = LE_READ_2(&frm[5]); 3013 tid = (params >> 2) & 0xf; 3014 bufsz = (params >> 6) & 0x3ff; 3015 timeout = LE_READ_2(&frm[7]); 3016 3017 DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n", 3018 ether_sprintf(ni->ni_macaddr), tid, status)); 3019 3020 /* 3021 * Ignore if no ADDBA request has been sent for this RA/TID or 3022 * if we already have a Block Ack agreement. 3023 */ 3024 ba = &ni->ni_tx_ba[tid]; 3025 if (ba->ba_state != IEEE80211_BA_REQUESTED) { 3026 DPRINTF(("no matching ADDBA req found\n")); 3027 return; 3028 } 3029 if (token != ba->ba_token) { 3030 DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n", 3031 ether_sprintf(ni->ni_macaddr), token, ba->ba_token)); 3032 return; 3033 } 3034 /* we got an ADDBA Response matching our request, stop timeout */ 3035 timeout_del(&ba->ba_to); 3036 3037 if (status != IEEE80211_STATUS_SUCCESS) { 3038 if (ni->ni_addba_req_intval[tid] < 3039 IEEE80211_ADDBA_REQ_INTVAL_MAX) 3040 ni->ni_addba_req_intval[tid]++; 3041 3042 ieee80211_addba_resp_refuse(ic, ni, tid, status); 3043 3044 /* 3045 * In case the peer believes there is an existing 3046 * block ack agreement with us, try to delete it. 3047 */ 3048 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 3049 IEEE80211_ACTION_DELBA, 3050 IEEE80211_REASON_SETUP_REQUIRED << 16 | 1 << 8 | tid); 3051 return; 3052 } 3053 3054 /* notify drivers of this new Block Ack agreement */ 3055 if (ic->ic_ampdu_tx_start != NULL) 3056 err = ic->ic_ampdu_tx_start(ic, ni, tid); 3057 3058 if (err == EBUSY) { 3059 /* driver will accept or refuse agreement when done */ 3060 return; 3061 } else if (err) { 3062 /* driver failed to setup, rollback */ 3063 ieee80211_addba_resp_refuse(ic, ni, tid, 3064 IEEE80211_STATUS_UNSPECIFIED); 3065 } else 3066 ieee80211_addba_resp_accept(ic, ni, tid); 3067 } 3068 3069 void 3070 ieee80211_addba_resp_accept(struct ieee80211com *ic, 3071 struct ieee80211_node *ni, uint8_t tid) 3072 { 3073 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 3074 3075 /* MLME-ADDBA.confirm(Success) */ 3076 ba->ba_state = IEEE80211_BA_AGREED; 3077 ic->ic_stats.is_ht_tx_ba_agreements++; 3078 3079 /* Reset ADDBA request interval. */ 3080 ni->ni_addba_req_intval[tid] = 1; 3081 3082 ni->ni_qos_txseqs[tid] = ba->ba_winstart; 3083 3084 /* start Block Ack inactivity timeout */ 3085 if (ba->ba_timeout_val != 0) 3086 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 3087 } 3088 3089 void 3090 ieee80211_addba_resp_refuse(struct ieee80211com *ic, 3091 struct ieee80211_node *ni, uint8_t tid, uint16_t status) 3092 { 3093 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 3094 3095 /* MLME-ADDBA.confirm(Failure) */ 3096 ba->ba_state = IEEE80211_BA_INIT; 3097 } 3098 3099 /*- 3100 * DELBA frame format: 3101 * [1] Category 3102 * [1] Action 3103 * [2] DELBA Parameter Set 3104 * [2] Reason Code 3105 */ 3106 void 3107 ieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m, 3108 struct ieee80211_node *ni) 3109 { 3110 const struct ieee80211_frame *wh; 3111 const u_int8_t *frm; 3112 u_int16_t params, reason; 3113 u_int8_t tid; 3114 int i; 3115 3116 if (m->m_len < sizeof(*wh) + 6) { 3117 DPRINTF(("frame too short\n")); 3118 return; 3119 } 3120 wh = mtod(m, struct ieee80211_frame *); 3121 frm = (const u_int8_t *)&wh[1]; 3122 3123 params = LE_READ_2(&frm[2]); 3124 reason = LE_READ_2(&frm[4]); 3125 tid = params >> 12; 3126 3127 DPRINTF(("received DELBA from %s, TID %d, reason %d\n", 3128 ether_sprintf(ni->ni_macaddr), tid, reason)); 3129 3130 if (params & IEEE80211_DELBA_INITIATOR) { 3131 /* MLME-DELBA.indication(Originator) */ 3132 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 3133 3134 if (ba->ba_state != IEEE80211_BA_AGREED) { 3135 DPRINTF(("no matching Block Ack agreement\n")); 3136 return; 3137 } 3138 /* notify drivers of the end of the Block Ack agreement */ 3139 if (ic->ic_ampdu_rx_stop != NULL) 3140 ic->ic_ampdu_rx_stop(ic, ni, tid); 3141 3142 ba->ba_state = IEEE80211_BA_INIT; 3143 /* stop Block Ack inactivity timer */ 3144 timeout_del(&ba->ba_to); 3145 timeout_del(&ba->ba_gap_to); 3146 ba->ba_gapwait = 0; 3147 3148 if (ba->ba_buf != NULL) { 3149 /* free all MSDUs stored in reordering buffer */ 3150 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 3151 m_freem(ba->ba_buf[i].m); 3152 /* free reordering buffer */ 3153 free(ba->ba_buf, M_DEVBUF, 3154 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 3155 ba->ba_buf = NULL; 3156 } 3157 } else { 3158 /* MLME-DELBA.indication(Recipient) */ 3159 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 3160 3161 if (ba->ba_state != IEEE80211_BA_AGREED) { 3162 DPRINTF(("no matching Block Ack agreement\n")); 3163 return; 3164 } 3165 /* notify drivers of the end of the Block Ack agreement */ 3166 if (ic->ic_ampdu_tx_stop != NULL) 3167 ic->ic_ampdu_tx_stop(ic, ni, tid); 3168 3169 ba->ba_state = IEEE80211_BA_INIT; 3170 /* stop Block Ack inactivity timer */ 3171 timeout_del(&ba->ba_to); 3172 } 3173 } 3174 3175 /*- 3176 * SA Query Request frame format: 3177 * [1] Category 3178 * [1] Action 3179 * [2] Transaction Identifier 3180 */ 3181 void 3182 ieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m, 3183 struct ieee80211_node *ni) 3184 { 3185 const struct ieee80211_frame *wh; 3186 const u_int8_t *frm; 3187 3188 if (ic->ic_opmode != IEEE80211_M_STA || 3189 !(ni->ni_flags & IEEE80211_NODE_MFP)) { 3190 DPRINTF(("unexpected SA Query req from %s\n", 3191 ether_sprintf(ni->ni_macaddr))); 3192 return; 3193 } 3194 if (m->m_len < sizeof(*wh) + 4) { 3195 DPRINTF(("frame too short\n")); 3196 return; 3197 } 3198 wh = mtod(m, struct ieee80211_frame *); 3199 frm = (const u_int8_t *)&wh[1]; 3200 3201 /* MLME-SAQuery.indication */ 3202 3203 /* save Transaction Identifier for SA Query Response */ 3204 ni->ni_sa_query_trid = LE_READ_2(&frm[2]); 3205 3206 /* MLME-SAQuery.response */ 3207 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 3208 IEEE80211_ACTION_SA_QUERY_RESP, 0); 3209 } 3210 3211 #ifndef IEEE80211_STA_ONLY 3212 /*- 3213 * SA Query Response frame format: 3214 * [1] Category 3215 * [1] Action 3216 * [2] Transaction Identifier 3217 */ 3218 void 3219 ieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m, 3220 struct ieee80211_node *ni) 3221 { 3222 const struct ieee80211_frame *wh; 3223 const u_int8_t *frm; 3224 3225 /* ignore if we're not engaged in an SA Query with that STA */ 3226 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 3227 DPRINTF(("unexpected SA Query resp from %s\n", 3228 ether_sprintf(ni->ni_macaddr))); 3229 return; 3230 } 3231 if (m->m_len < sizeof(*wh) + 4) { 3232 DPRINTF(("frame too short\n")); 3233 return; 3234 } 3235 wh = mtod(m, struct ieee80211_frame *); 3236 frm = (const u_int8_t *)&wh[1]; 3237 3238 /* check that Transaction Identifier matches */ 3239 if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) { 3240 DPRINTF(("transaction identifier does not match\n")); 3241 return; 3242 } 3243 /* MLME-SAQuery.confirm */ 3244 timeout_del(&ni->ni_sa_query_to); 3245 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 3246 } 3247 #endif 3248 3249 /*- 3250 * Action frame format: 3251 * [1] Category 3252 * [1] Action 3253 */ 3254 void 3255 ieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m, 3256 struct ieee80211_node *ni) 3257 { 3258 const struct ieee80211_frame *wh; 3259 const u_int8_t *frm; 3260 3261 if (m->m_len < sizeof(*wh) + 2) { 3262 DPRINTF(("frame too short\n")); 3263 return; 3264 } 3265 wh = mtod(m, struct ieee80211_frame *); 3266 frm = (const u_int8_t *)&wh[1]; 3267 3268 switch (frm[0]) { 3269 case IEEE80211_CATEG_BA: 3270 switch (frm[1]) { 3271 case IEEE80211_ACTION_ADDBA_REQ: 3272 ieee80211_recv_addba_req(ic, m, ni); 3273 break; 3274 case IEEE80211_ACTION_ADDBA_RESP: 3275 ieee80211_recv_addba_resp(ic, m, ni); 3276 break; 3277 case IEEE80211_ACTION_DELBA: 3278 ieee80211_recv_delba(ic, m, ni); 3279 break; 3280 } 3281 break; 3282 case IEEE80211_CATEG_SA_QUERY: 3283 switch (frm[1]) { 3284 case IEEE80211_ACTION_SA_QUERY_REQ: 3285 ieee80211_recv_sa_query_req(ic, m, ni); 3286 break; 3287 #ifndef IEEE80211_STA_ONLY 3288 case IEEE80211_ACTION_SA_QUERY_RESP: 3289 ieee80211_recv_sa_query_resp(ic, m, ni); 3290 break; 3291 #endif 3292 } 3293 break; 3294 default: 3295 DPRINTF(("action frame category %d not handled\n", frm[0])); 3296 break; 3297 } 3298 } 3299 3300 void 3301 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m, 3302 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype) 3303 { 3304 switch (subtype) { 3305 case IEEE80211_FC0_SUBTYPE_BEACON: 3306 ieee80211_recv_probe_resp(ic, m, ni, rxi, 0); 3307 break; 3308 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 3309 ieee80211_recv_probe_resp(ic, m, ni, rxi, 1); 3310 break; 3311 #ifndef IEEE80211_STA_ONLY 3312 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 3313 ieee80211_recv_probe_req(ic, m, ni, rxi); 3314 break; 3315 #endif 3316 case IEEE80211_FC0_SUBTYPE_AUTH: 3317 ieee80211_recv_auth(ic, m, ni, rxi); 3318 break; 3319 #ifndef IEEE80211_STA_ONLY 3320 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 3321 ieee80211_recv_assoc_req(ic, m, ni, rxi, 0); 3322 break; 3323 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 3324 ieee80211_recv_assoc_req(ic, m, ni, rxi, 1); 3325 break; 3326 #endif 3327 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 3328 ieee80211_recv_assoc_resp(ic, m, ni, 0); 3329 break; 3330 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 3331 ieee80211_recv_assoc_resp(ic, m, ni, 1); 3332 break; 3333 case IEEE80211_FC0_SUBTYPE_DEAUTH: 3334 ieee80211_recv_deauth(ic, m, ni); 3335 break; 3336 case IEEE80211_FC0_SUBTYPE_DISASSOC: 3337 ieee80211_recv_disassoc(ic, m, ni); 3338 break; 3339 case IEEE80211_FC0_SUBTYPE_ACTION: 3340 ieee80211_recv_action(ic, m, ni); 3341 break; 3342 default: 3343 DPRINTF(("mgmt frame with subtype 0x%x not handled\n", 3344 subtype)); 3345 ic->ic_stats.is_rx_badsubtype++; 3346 break; 3347 } 3348 } 3349 3350 #ifndef IEEE80211_STA_ONLY 3351 /* 3352 * Process an incoming PS-Poll control frame (see 11.2). 3353 */ 3354 void 3355 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m, 3356 struct ieee80211_node *ni) 3357 { 3358 struct ifnet *ifp = &ic->ic_if; 3359 struct ieee80211_frame_pspoll *psp; 3360 struct ieee80211_frame *wh; 3361 u_int16_t aid; 3362 3363 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 3364 !(ic->ic_caps & IEEE80211_C_APPMGT) || 3365 ni->ni_state != IEEE80211_STA_ASSOC) 3366 return; 3367 3368 if (m->m_len < sizeof(*psp)) { 3369 DPRINTF(("frame too short, len %u\n", m->m_len)); 3370 ic->ic_stats.is_rx_tooshort++; 3371 return; 3372 } 3373 psp = mtod(m, struct ieee80211_frame_pspoll *); 3374 if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) { 3375 DPRINTF(("discard pspoll frame to BSS %s\n", 3376 ether_sprintf(psp->i_bssid))); 3377 ic->ic_stats.is_rx_wrongbss++; 3378 return; 3379 } 3380 aid = letoh16(*(u_int16_t *)psp->i_aid); 3381 if (aid != ni->ni_associd) { 3382 DPRINTF(("invalid pspoll aid %x from %s\n", aid, 3383 ether_sprintf(psp->i_ta))); 3384 return; 3385 } 3386 3387 /* take the first queued frame and put it out.. */ 3388 m = mq_dequeue(&ni->ni_savedq); 3389 if (m == NULL) 3390 return; 3391 if (mq_empty(&ni->ni_savedq)) { 3392 /* last queued frame, turn off the TIM bit */ 3393 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 3394 } else { 3395 /* more queued frames, set the more data bit */ 3396 wh = mtod(m, struct ieee80211_frame *); 3397 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 3398 } 3399 mq_enqueue(&ic->ic_pwrsaveq, m); 3400 if_start(ifp); 3401 } 3402 #endif /* IEEE80211_STA_ONLY */ 3403 3404 /* 3405 * Process an incoming BlockAckReq control frame (see 7.2.1.7). 3406 */ 3407 void 3408 ieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m, 3409 struct ieee80211_node *ni) 3410 { 3411 const struct ieee80211_frame_min *wh; 3412 const u_int8_t *frm; 3413 u_int16_t ctl, ssn; 3414 u_int8_t tid, ntids; 3415 3416 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 3417 DPRINTF(("received BlockAckReq from non-HT STA %s\n", 3418 ether_sprintf(ni->ni_macaddr))); 3419 return; 3420 } 3421 if (m->m_len < sizeof(*wh) + 4) { 3422 DPRINTF(("frame too short\n")); 3423 return; 3424 } 3425 wh = mtod(m, struct ieee80211_frame_min *); 3426 frm = (const u_int8_t *)&wh[1]; 3427 3428 /* read BlockAckReq Control field */ 3429 ctl = LE_READ_2(&frm[0]); 3430 tid = ctl >> 12; 3431 3432 /* determine BlockAckReq frame variant */ 3433 if (ctl & IEEE80211_BA_MULTI_TID) { 3434 /* Multi-TID BlockAckReq variant (PSMP only) */ 3435 ntids = tid + 1; 3436 3437 if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) { 3438 DPRINTF(("MTBAR frame too short\n")); 3439 return; 3440 } 3441 frm += 2; /* skip BlockAckReq Control field */ 3442 while (ntids-- > 0) { 3443 /* read MTBAR Information field */ 3444 tid = LE_READ_2(&frm[0]) >> 12; 3445 ssn = LE_READ_2(&frm[2]) >> 4; 3446 ieee80211_bar_tid(ic, ni, tid, ssn); 3447 frm += 4; 3448 } 3449 } else { 3450 /* Basic or Compressed BlockAckReq variants */ 3451 ssn = LE_READ_2(&frm[2]) >> 4; 3452 ieee80211_bar_tid(ic, ni, tid, ssn); 3453 } 3454 } 3455 3456 /* 3457 * Process a BlockAckReq for a specific TID (see 9.10.7.6.3). 3458 * This is the common back-end for all BlockAckReq frame variants. 3459 */ 3460 void 3461 ieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni, 3462 u_int8_t tid, u_int16_t ssn) 3463 { 3464 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 3465 3466 /* check if we have a Block Ack agreement for RA/TID */ 3467 if (ba->ba_state != IEEE80211_BA_AGREED) { 3468 /* XXX not sure in PBAC case */ 3469 /* send a DELBA with reason code UNKNOWN-BA */ 3470 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 3471 IEEE80211_ACTION_DELBA, 3472 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 3473 return; 3474 } 3475 /* check if it is a Protected Block Ack agreement */ 3476 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 3477 (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) { 3478 /* ADDBA Requests must be used in PBAC case */ 3479 if (SEQ_LT(ssn, ba->ba_winstart) || 3480 SEQ_LT(ba->ba_winend, ssn)) 3481 ic->ic_stats.is_pbac_errs++; 3482 return; /* PBAC, do not move window */ 3483 } 3484 /* reset Block Ack inactivity timer */ 3485 if (ba->ba_timeout_val != 0) 3486 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 3487 3488 if (SEQ_LT(ba->ba_winstart, ssn)) { 3489 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 3490 ieee80211_ba_move_window(ic, ni, tid, ssn, &ml); 3491 if_input(&ic->ic_if, &ml); 3492 } 3493 } 3494