1 /* $OpenBSD: ieee80211_input.c,v 1.250 2023/01/09 00:22:47 daniel Exp $ */ 2 /* $NetBSD: ieee80211_input.c,v 1.24 2004/05/31 11:12:24 dyoung Exp $ */ 3 4 /*- 5 * Copyright (c) 2001 Atsushi Onoe 6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 7 * Copyright (c) 2007-2009 Damien Bergamini 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include "bpfilter.h" 34 35 #include <sys/param.h> 36 #include <sys/systm.h> 37 #include <sys/mbuf.h> 38 #include <sys/malloc.h> 39 #include <sys/kernel.h> 40 #include <sys/socket.h> 41 #include <sys/sockio.h> 42 #include <sys/endian.h> 43 #include <sys/errno.h> 44 #include <sys/sysctl.h> 45 #include <sys/task.h> 46 47 #include <net/if.h> 48 #include <net/if_dl.h> 49 #include <net/if_media.h> 50 #include <net/if_llc.h> 51 52 #if NBPFILTER > 0 53 #include <net/bpf.h> 54 #endif 55 56 #include <netinet/in.h> 57 #include <netinet/if_ether.h> 58 59 #include <net80211/ieee80211_var.h> 60 #include <net80211/ieee80211_priv.h> 61 62 struct mbuf *ieee80211_input_hwdecrypt(struct ieee80211com *, 63 struct ieee80211_node *, struct mbuf *, 64 struct ieee80211_rxinfo *rxi); 65 struct mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int); 66 void ieee80211_defrag_timeout(void *); 67 void ieee80211_input_ba(struct ieee80211com *, struct mbuf *, 68 struct ieee80211_node *, int, struct ieee80211_rxinfo *, 69 struct mbuf_list *); 70 void ieee80211_input_ba_flush(struct ieee80211com *, struct ieee80211_node *, 71 struct ieee80211_rx_ba *, struct mbuf_list *); 72 int ieee80211_input_ba_gap_skip(struct ieee80211_rx_ba *); 73 void ieee80211_input_ba_gap_timeout(void *arg); 74 void ieee80211_ba_move_window(struct ieee80211com *, 75 struct ieee80211_node *, u_int8_t, u_int16_t, struct mbuf_list *); 76 void ieee80211_input_ba_seq(struct ieee80211com *, 77 struct ieee80211_node *, uint8_t, uint16_t, struct mbuf_list *); 78 struct mbuf *ieee80211_align_mbuf(struct mbuf *); 79 void ieee80211_decap(struct ieee80211com *, struct mbuf *, 80 struct ieee80211_node *, int, struct mbuf_list *); 81 int ieee80211_amsdu_decap_validate(struct ieee80211com *, struct mbuf *, 82 struct ieee80211_node *); 83 void ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *, 84 struct ieee80211_node *, int, struct mbuf_list *); 85 void ieee80211_enqueue_data(struct ieee80211com *, struct mbuf *, 86 struct ieee80211_node *, int, struct mbuf_list *); 87 int ieee80211_parse_edca_params_body(struct ieee80211com *, 88 const u_int8_t *); 89 int ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *); 90 int ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *); 91 enum ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t *); 92 enum ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t *); 93 int ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *, 94 u_int, struct ieee80211_rsnparams *); 95 int ieee80211_save_ie(const u_int8_t *, u_int8_t **); 96 void ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *, 97 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 98 #ifndef IEEE80211_STA_ONLY 99 void ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *, 100 struct ieee80211_node *, struct ieee80211_rxinfo *); 101 #endif 102 void ieee80211_recv_auth(struct ieee80211com *, struct mbuf *, 103 struct ieee80211_node *, struct ieee80211_rxinfo *); 104 #ifndef IEEE80211_STA_ONLY 105 void ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *, 106 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 107 #endif 108 void ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *, 109 struct ieee80211_node *, int); 110 void ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *, 111 struct ieee80211_node *); 112 void ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *, 113 struct ieee80211_node *); 114 void ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *, 115 struct ieee80211_node *); 116 void ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *, 117 struct ieee80211_node *); 118 void ieee80211_recv_delba(struct ieee80211com *, struct mbuf *, 119 struct ieee80211_node *); 120 void ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *, 121 struct ieee80211_node *); 122 #ifndef IEEE80211_STA_ONLY 123 void ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *, 124 struct ieee80211_node *); 125 #endif 126 void ieee80211_recv_action(struct ieee80211com *, struct mbuf *, 127 struct ieee80211_node *); 128 #ifndef IEEE80211_STA_ONLY 129 void ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *, 130 struct ieee80211_node *); 131 #endif 132 void ieee80211_recv_bar(struct ieee80211com *, struct mbuf *, 133 struct ieee80211_node *); 134 void ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *, 135 u_int8_t, u_int16_t); 136 137 /* 138 * Retrieve the length in bytes of an 802.11 header. 139 */ 140 u_int 141 ieee80211_get_hdrlen(const struct ieee80211_frame *wh) 142 { 143 u_int size = sizeof(*wh); 144 145 /* NB: does not work with control frames */ 146 KASSERT(ieee80211_has_seq(wh)); 147 148 if (ieee80211_has_addr4(wh)) 149 size += IEEE80211_ADDR_LEN; /* i_addr4 */ 150 if (ieee80211_has_qos(wh)) 151 size += sizeof(u_int16_t); /* i_qos */ 152 if (ieee80211_has_htc(wh)) 153 size += sizeof(u_int32_t); /* i_ht */ 154 return size; 155 } 156 157 /* Post-processing for drivers which perform decryption in hardware. */ 158 struct mbuf * 159 ieee80211_input_hwdecrypt(struct ieee80211com *ic, struct ieee80211_node *ni, 160 struct mbuf *m, struct ieee80211_rxinfo *rxi) 161 { 162 struct ieee80211_key *k; 163 struct ieee80211_frame *wh; 164 uint64_t pn, *prsc; 165 int hdrlen; 166 167 k = ieee80211_get_rxkey(ic, m, ni); 168 if (k == NULL) 169 return NULL; 170 171 wh = mtod(m, struct ieee80211_frame *); 172 hdrlen = ieee80211_get_hdrlen(wh); 173 174 /* 175 * Update the last-seen packet number (PN) for drivers using hardware 176 * crypto offloading. This cannot be done by drivers because A-MPDU 177 * reordering needs to occur before a valid lower bound can be 178 * determined for the PN. Drivers will read the PN we write here and 179 * are expected to discard replayed frames based on it. 180 * Drivers are expected to leave the IV of decrypted frames intact 181 * so we can update the last-seen PN and strip the IV here. 182 */ 183 switch (k->k_cipher) { 184 case IEEE80211_CIPHER_CCMP: 185 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 186 /* 187 * If the protected bit is clear then hardware has 188 * stripped the IV and we must trust that it handles 189 * replay detection correctly. 190 */ 191 break; 192 } 193 if (ieee80211_ccmp_get_pn(&pn, &prsc, m, k) != 0) 194 return NULL; 195 if (rxi->rxi_flags & IEEE80211_RXI_HWDEC_SAME_PN) { 196 if (pn < *prsc) { 197 ic->ic_stats.is_ccmp_replays++; 198 return NULL; 199 } 200 } else if (pn <= *prsc) { 201 ic->ic_stats.is_ccmp_replays++; 202 return NULL; 203 } 204 205 /* Update last-seen packet number. */ 206 *prsc = pn; 207 208 /* Clear Protected bit and strip IV. */ 209 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 210 memmove(mtod(m, caddr_t) + IEEE80211_CCMP_HDRLEN, wh, hdrlen); 211 m_adj(m, IEEE80211_CCMP_HDRLEN); 212 /* Drivers are expected to strip the MIC. */ 213 break; 214 case IEEE80211_CIPHER_TKIP: 215 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 216 /* 217 * If the protected bit is clear then hardware has 218 * stripped the IV and we must trust that it handles 219 * replay detection correctly. 220 */ 221 break; 222 } 223 if (ieee80211_tkip_get_tsc(&pn, &prsc, m, k) != 0) 224 return NULL; 225 if (rxi->rxi_flags & IEEE80211_RXI_HWDEC_SAME_PN) { 226 if (pn < *prsc) { 227 ic->ic_stats.is_tkip_replays++; 228 return NULL; 229 } 230 } else if (pn <= *prsc) { 231 ic->ic_stats.is_tkip_replays++; 232 return NULL; 233 } 234 235 /* Update last-seen packet number. */ 236 *prsc = pn; 237 238 /* Clear Protected bit and strip IV. */ 239 wh = mtod(m, struct ieee80211_frame *); 240 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 241 memmove(mtod(m, caddr_t) + IEEE80211_TKIP_HDRLEN, wh, hdrlen); 242 m_adj(m, IEEE80211_TKIP_HDRLEN); 243 /* Drivers are expected to strip the MIC. */ 244 break; 245 default: 246 break; 247 } 248 249 return m; 250 } 251 252 /* 253 * Process a received frame. The node associated with the sender 254 * should be supplied. If nothing was found in the node table then 255 * the caller is assumed to supply a reference to ic_bss instead. 256 * The RSSI and a timestamp are also supplied. The RSSI data is used 257 * during AP scanning to select a AP to associate with; it can have 258 * any units so long as values have consistent units and higher values 259 * mean ``better signal''. The receive timestamp is currently not used 260 * by the 802.11 layer. 261 * 262 * This function acts on management frames immediately and queues data frames 263 * on the specified mbuf list. Delivery of queued data frames to upper layers 264 * must be triggered with if_input(). Drivers should call if_input() only once 265 * per Rx interrupt to avoid triggering the input ifq pressure drop mechanism 266 * unnecessarily. 267 */ 268 void 269 ieee80211_inputm(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 270 struct ieee80211_rxinfo *rxi, struct mbuf_list *ml) 271 { 272 struct ieee80211com *ic = (void *)ifp; 273 struct ieee80211_frame *wh; 274 u_int16_t *orxseq, nrxseq, qos; 275 u_int8_t dir, type, subtype, tid; 276 int hdrlen, hasqos; 277 278 KASSERT(ni != NULL); 279 280 /* in monitor mode, send everything directly to bpf */ 281 if (ic->ic_opmode == IEEE80211_M_MONITOR) 282 goto out; 283 284 /* 285 * Do not process frames without an Address 2 field any further. 286 * Only CTS and ACK control frames do not have this field. 287 */ 288 if (m->m_len < sizeof(struct ieee80211_frame_min)) { 289 DPRINTF(("frame too short, len %u\n", m->m_len)); 290 ic->ic_stats.is_rx_tooshort++; 291 goto out; 292 } 293 294 wh = mtod(m, struct ieee80211_frame *); 295 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 296 IEEE80211_FC0_VERSION_0) { 297 DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0])); 298 ic->ic_stats.is_rx_badversion++; 299 goto err; 300 } 301 302 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 303 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 304 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 305 306 if (type != IEEE80211_FC0_TYPE_CTL) { 307 hdrlen = ieee80211_get_hdrlen(wh); 308 if (m->m_len < hdrlen) { 309 DPRINTF(("frame too short, len %u\n", m->m_len)); 310 ic->ic_stats.is_rx_tooshort++; 311 goto err; 312 } 313 } else 314 hdrlen = 0; 315 if ((hasqos = ieee80211_has_qos(wh))) { 316 qos = ieee80211_get_qos(wh); 317 tid = qos & IEEE80211_QOS_TID; 318 } else { 319 qos = 0; 320 tid = 0; 321 } 322 323 if (ic->ic_state == IEEE80211_S_RUN && 324 type == IEEE80211_FC0_TYPE_DATA && hasqos && 325 (subtype & IEEE80211_FC0_SUBTYPE_NODATA) == 0 && 326 !(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE) 327 #ifndef IEEE80211_STA_ONLY 328 && (ic->ic_opmode == IEEE80211_M_STA || ni != ic->ic_bss) 329 #endif 330 ) { 331 int ba_state = ni->ni_rx_ba[tid].ba_state; 332 333 #ifndef IEEE80211_STA_ONLY 334 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 335 if (!IEEE80211_ADDR_EQ(wh->i_addr1, 336 ic->ic_bss->ni_bssid)) { 337 ic->ic_stats.is_rx_wrongbss++; 338 goto err; 339 } 340 if (ni->ni_state != IEEE80211_S_ASSOC) { 341 ic->ic_stats.is_rx_notassoc++; 342 goto err; 343 } 344 } 345 #endif 346 /* 347 * If Block Ack was explicitly requested, check 348 * if we have a BA agreement for this RA/TID. 349 */ 350 if ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 351 IEEE80211_QOS_ACK_POLICY_BA && 352 ba_state != IEEE80211_BA_AGREED) { 353 DPRINTF(("no BA agreement for %s, TID %d\n", 354 ether_sprintf(ni->ni_macaddr), tid)); 355 /* send a DELBA with reason code UNKNOWN-BA */ 356 IEEE80211_SEND_ACTION(ic, ni, 357 IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA, 358 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 359 goto err; 360 } 361 362 /* 363 * Check if we have an explicit or implicit 364 * Block Ack Request for a valid BA agreement. 365 */ 366 if (ba_state == IEEE80211_BA_AGREED && 367 ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 368 IEEE80211_QOS_ACK_POLICY_BA || 369 (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 370 IEEE80211_QOS_ACK_POLICY_NORMAL)) { 371 /* go through A-MPDU reordering */ 372 ieee80211_input_ba(ic, m, ni, tid, rxi, ml); 373 return; /* don't free m! */ 374 } else if (ba_state == IEEE80211_BA_REQUESTED && 375 (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 376 IEEE80211_QOS_ACK_POLICY_NORMAL) { 377 /* 378 * Apparently, qos frames for a tid where a 379 * block ack agreement was requested but not 380 * yet confirmed by us should still contribute 381 * to the sequence number for this tid. 382 */ 383 ieee80211_input_ba(ic, m, ni, tid, rxi, ml); 384 return; /* don't free m! */ 385 } 386 } 387 388 /* 389 * We do not yet support fragments. Drop any fragmented packets. 390 * Counter-measure against attacks where an arbitrary packet is 391 * injected via a fragment with attacker-controlled content. 392 * See https://papers.mathyvanhoef.com/usenix2021.pdf 393 * Section 6.8 "Treating fragments as full frames" 394 */ 395 if (ieee80211_has_seq(wh)) { 396 uint16_t rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 397 if ((wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) || 398 (rxseq & IEEE80211_SEQ_FRAG_MASK)) 399 goto err; 400 } 401 402 /* duplicate detection (see 9.2.9) */ 403 if (ieee80211_has_seq(wh) && 404 ic->ic_state != IEEE80211_S_SCAN) { 405 nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >> 406 IEEE80211_SEQ_SEQ_SHIFT; 407 if (hasqos) 408 orxseq = &ni->ni_qos_rxseqs[tid]; 409 else 410 orxseq = &ni->ni_rxseq; 411 if (rxi->rxi_flags & IEEE80211_RXI_SAME_SEQ) { 412 if (nrxseq != *orxseq) { 413 /* duplicate, silently discarded */ 414 ic->ic_stats.is_rx_dup++; 415 goto out; 416 } 417 } else if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 418 nrxseq == *orxseq) { 419 /* duplicate, silently discarded */ 420 ic->ic_stats.is_rx_dup++; 421 goto out; 422 } 423 *orxseq = nrxseq; 424 } 425 if (ic->ic_state > IEEE80211_S_SCAN) { 426 ni->ni_rssi = rxi->rxi_rssi; 427 ni->ni_rstamp = rxi->rxi_tstamp; 428 ni->ni_inact = 0; 429 430 if (ic->ic_state == IEEE80211_S_RUN && ic->ic_bgscan_start) { 431 /* Cancel or start background scan based on RSSI. */ 432 if ((*ic->ic_node_checkrssi)(ic, ni)) 433 timeout_del(&ic->ic_bgscan_timeout); 434 else if (!timeout_pending(&ic->ic_bgscan_timeout) && 435 (ic->ic_flags & IEEE80211_F_BGSCAN) == 0 && 436 (ic->ic_flags & IEEE80211_F_DESBSSID) == 0) 437 timeout_add_msec(&ic->ic_bgscan_timeout, 438 500 * (ic->ic_bgscan_fail + 1)); 439 } 440 } 441 442 #ifndef IEEE80211_STA_ONLY 443 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 444 (ic->ic_caps & IEEE80211_C_APPMGT) && 445 ni->ni_state == IEEE80211_STA_ASSOC) { 446 if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) { 447 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) { 448 /* turn on PS mode */ 449 ni->ni_pwrsave = IEEE80211_PS_DOZE; 450 DPRINTF(("PS mode on for %s\n", 451 ether_sprintf(wh->i_addr2))); 452 } 453 } else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) { 454 struct mbuf *m; 455 456 /* turn off PS mode */ 457 ni->ni_pwrsave = IEEE80211_PS_AWAKE; 458 DPRINTF(("PS mode off for %s\n", 459 ether_sprintf(wh->i_addr2))); 460 461 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 462 463 /* dequeue buffered unicast frames */ 464 while ((m = mq_dequeue(&ni->ni_savedq)) != NULL) { 465 mq_enqueue(&ic->ic_pwrsaveq, m); 466 if_start(ifp); 467 } 468 } 469 } 470 #endif 471 switch (type) { 472 case IEEE80211_FC0_TYPE_DATA: 473 switch (ic->ic_opmode) { 474 case IEEE80211_M_STA: 475 if (dir != IEEE80211_FC1_DIR_FROMDS) { 476 ic->ic_stats.is_rx_wrongdir++; 477 goto out; 478 } 479 if (ic->ic_state != IEEE80211_S_SCAN && 480 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 481 /* Source address is not our BSS. */ 482 DPRINTF(("discard frame from SA %s\n", 483 ether_sprintf(wh->i_addr2))); 484 ic->ic_stats.is_rx_wrongbss++; 485 goto out; 486 } 487 if ((ifp->if_flags & IFF_SIMPLEX) && 488 IEEE80211_IS_MULTICAST(wh->i_addr1) && 489 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 490 /* 491 * In IEEE802.11 network, multicast frame 492 * sent from me is broadcasted from AP. 493 * It should be silently discarded for 494 * SIMPLEX interface. 495 */ 496 ic->ic_stats.is_rx_mcastecho++; 497 goto out; 498 } 499 break; 500 #ifndef IEEE80211_STA_ONLY 501 case IEEE80211_M_IBSS: 502 case IEEE80211_M_AHDEMO: 503 if (dir != IEEE80211_FC1_DIR_NODS) { 504 ic->ic_stats.is_rx_wrongdir++; 505 goto out; 506 } 507 if (ic->ic_state != IEEE80211_S_SCAN && 508 !IEEE80211_ADDR_EQ(wh->i_addr3, 509 ic->ic_bss->ni_bssid) && 510 !IEEE80211_ADDR_EQ(wh->i_addr3, 511 etherbroadcastaddr)) { 512 /* Destination is not our BSS or broadcast. */ 513 DPRINTF(("discard data frame to DA %s\n", 514 ether_sprintf(wh->i_addr3))); 515 ic->ic_stats.is_rx_wrongbss++; 516 goto out; 517 } 518 break; 519 case IEEE80211_M_HOSTAP: 520 if (dir != IEEE80211_FC1_DIR_TODS) { 521 ic->ic_stats.is_rx_wrongdir++; 522 goto out; 523 } 524 if (ic->ic_state != IEEE80211_S_SCAN && 525 !IEEE80211_ADDR_EQ(wh->i_addr1, 526 ic->ic_bss->ni_bssid) && 527 !IEEE80211_ADDR_EQ(wh->i_addr1, 528 etherbroadcastaddr)) { 529 /* BSS is not us or broadcast. */ 530 DPRINTF(("discard data frame to BSS %s\n", 531 ether_sprintf(wh->i_addr1))); 532 ic->ic_stats.is_rx_wrongbss++; 533 goto out; 534 } 535 /* check if source STA is associated */ 536 if (ni == ic->ic_bss) { 537 DPRINTF(("data from unknown src %s\n", 538 ether_sprintf(wh->i_addr2))); 539 /* NB: caller deals with reference */ 540 ni = ieee80211_find_node(ic, wh->i_addr2); 541 if (ni == NULL) 542 ni = ieee80211_dup_bss(ic, wh->i_addr2); 543 if (ni != NULL) { 544 IEEE80211_SEND_MGMT(ic, ni, 545 IEEE80211_FC0_SUBTYPE_DEAUTH, 546 IEEE80211_REASON_NOT_AUTHED); 547 } 548 ic->ic_stats.is_rx_notassoc++; 549 goto err; 550 } 551 if (ni->ni_state != IEEE80211_STA_ASSOC) { 552 DPRINTF(("data from unassoc src %s\n", 553 ether_sprintf(wh->i_addr2))); 554 IEEE80211_SEND_MGMT(ic, ni, 555 IEEE80211_FC0_SUBTYPE_DISASSOC, 556 IEEE80211_REASON_NOT_ASSOCED); 557 ic->ic_stats.is_rx_notassoc++; 558 goto err; 559 } 560 break; 561 #endif /* IEEE80211_STA_ONLY */ 562 default: 563 /* can't get there */ 564 goto out; 565 } 566 567 /* Do not process "no data" frames any further. */ 568 if (subtype & IEEE80211_FC0_SUBTYPE_NODATA) { 569 #if NBPFILTER > 0 570 if (ic->ic_rawbpf) 571 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 572 #endif 573 goto out; 574 } 575 576 if ((ic->ic_flags & IEEE80211_F_WEPON) || 577 ((ic->ic_flags & IEEE80211_F_RSNON) && 578 (ni->ni_flags & IEEE80211_NODE_RXPROT))) { 579 /* protection is on for Rx */ 580 if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 581 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 582 /* drop unencrypted */ 583 ic->ic_stats.is_rx_unencrypted++; 584 goto err; 585 } 586 /* do software decryption */ 587 m = ieee80211_decrypt(ic, m, ni); 588 if (m == NULL) { 589 ic->ic_stats.is_rx_wepfail++; 590 goto err; 591 } 592 } else { 593 m = ieee80211_input_hwdecrypt(ic, ni, m, rxi); 594 if (m == NULL) 595 goto err; 596 } 597 wh = mtod(m, struct ieee80211_frame *); 598 } else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) || 599 (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 600 /* frame encrypted but protection off for Rx */ 601 ic->ic_stats.is_rx_nowep++; 602 goto out; 603 } 604 605 #if NBPFILTER > 0 606 /* copy to listener after decrypt */ 607 if (ic->ic_rawbpf) 608 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 609 #endif 610 611 if ((ni->ni_flags & IEEE80211_NODE_HT) && 612 hasqos && (qos & IEEE80211_QOS_AMSDU)) 613 ieee80211_amsdu_decap(ic, m, ni, hdrlen, ml); 614 else 615 ieee80211_decap(ic, m, ni, hdrlen, ml); 616 return; 617 618 case IEEE80211_FC0_TYPE_MGT: 619 if (dir != IEEE80211_FC1_DIR_NODS) { 620 ic->ic_stats.is_rx_wrongdir++; 621 goto err; 622 } 623 #ifndef IEEE80211_STA_ONLY 624 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 625 ic->ic_stats.is_rx_ahdemo_mgt++; 626 goto out; 627 } 628 #endif 629 /* drop frames without interest */ 630 if (ic->ic_state == IEEE80211_S_SCAN) { 631 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 632 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 633 ic->ic_stats.is_rx_mgtdiscard++; 634 goto out; 635 } 636 } 637 638 if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) { 639 /* MMPDU protection is on for Rx */ 640 if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC || 641 subtype == IEEE80211_FC0_SUBTYPE_DEAUTH || 642 subtype == IEEE80211_FC0_SUBTYPE_ACTION) { 643 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) && 644 !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 645 /* unicast mgmt not encrypted */ 646 goto out; 647 } 648 /* do software decryption */ 649 m = ieee80211_decrypt(ic, m, ni); 650 if (m == NULL) { 651 /* XXX stats */ 652 goto out; 653 } 654 wh = mtod(m, struct ieee80211_frame *); 655 } 656 } else if ((ic->ic_flags & IEEE80211_F_RSNON) && 657 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 658 /* encrypted but MMPDU Rx protection off for TA */ 659 goto out; 660 } 661 662 #if NBPFILTER > 0 663 if (bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN) != 0) { 664 /* 665 * Drop mbuf if it was filtered by bpf. Normally, 666 * this is done in ether_input() but IEEE 802.11 667 * management frames are a special case. 668 */ 669 m_freem(m); 670 return; 671 } 672 #endif 673 (*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype); 674 m_freem(m); 675 return; 676 677 case IEEE80211_FC0_TYPE_CTL: 678 switch (subtype) { 679 #ifndef IEEE80211_STA_ONLY 680 case IEEE80211_FC0_SUBTYPE_PS_POLL: 681 ieee80211_recv_pspoll(ic, m, ni); 682 break; 683 #endif 684 case IEEE80211_FC0_SUBTYPE_BAR: 685 ieee80211_recv_bar(ic, m, ni); 686 break; 687 default: 688 ic->ic_stats.is_rx_ctl++; 689 break; 690 } 691 goto out; 692 693 default: 694 DPRINTF(("bad frame type %x\n", type)); 695 /* should not come here */ 696 break; 697 } 698 err: 699 ifp->if_ierrors++; 700 out: 701 if (m != NULL) { 702 #if NBPFILTER > 0 703 if (ic->ic_rawbpf) 704 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 705 #endif 706 m_freem(m); 707 } 708 } 709 710 /* Input handler for drivers which only receive one frame per interrupt. */ 711 void 712 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 713 struct ieee80211_rxinfo *rxi) 714 { 715 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 716 717 ieee80211_inputm(ifp, m, ni, rxi, &ml); 718 if_input(ifp, &ml); 719 } 720 721 #ifdef notyet 722 /* 723 * Handle defragmentation (see 9.5 and Annex C). We support the concurrent 724 * reception of fragments of three fragmented MSDUs or MMPDUs. 725 */ 726 struct mbuf * 727 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 728 { 729 const struct ieee80211_frame *owh, *wh; 730 struct ieee80211_defrag *df; 731 u_int16_t rxseq, seq; 732 u_int8_t frag; 733 int i; 734 735 wh = mtod(m, struct ieee80211_frame *); 736 rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 737 seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 738 frag = rxseq & IEEE80211_SEQ_FRAG_MASK; 739 740 if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)) 741 return m; /* not fragmented */ 742 743 if (frag == 0) { 744 /* first fragment, setup entry in the fragment cache */ 745 if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE) 746 ic->ic_defrag_cur = 0; 747 df = &ic->ic_defrag[ic->ic_defrag_cur]; 748 m_freem(df->df_m); /* discard old entry */ 749 df->df_seq = seq; 750 df->df_frag = 0; 751 df->df_m = m; 752 /* start receive MSDU timer of aMaxReceiveLifetime */ 753 timeout_add_sec(&df->df_to, 1); 754 return NULL; /* MSDU or MMPDU not yet complete */ 755 } 756 757 /* find matching entry in the fragment cache */ 758 for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) { 759 df = &ic->ic_defrag[i]; 760 if (df->df_m == NULL) 761 continue; 762 if (df->df_seq != seq || df->df_frag + 1 != frag) 763 continue; 764 owh = mtod(df->df_m, struct ieee80211_frame *); 765 /* frame type, source and destination must match */ 766 if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) || 767 !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) || 768 !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2)) 769 continue; 770 /* matching entry found */ 771 break; 772 } 773 if (i == IEEE80211_DEFRAG_SIZE) { 774 /* no matching entry found, discard fragment */ 775 ic->ic_if.if_ierrors++; 776 m_freem(m); 777 return NULL; 778 } 779 780 df->df_frag = frag; 781 /* strip 802.11 header and concatenate fragment */ 782 m_adj(m, hdrlen); 783 m_cat(df->df_m, m); 784 df->df_m->m_pkthdr.len += m->m_pkthdr.len; 785 786 if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) 787 return NULL; /* MSDU or MMPDU not yet complete */ 788 789 /* MSDU or MMPDU complete */ 790 timeout_del(&df->df_to); 791 m = df->df_m; 792 df->df_m = NULL; 793 return m; 794 } 795 796 /* 797 * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime. 798 */ 799 void 800 ieee80211_defrag_timeout(void *arg) 801 { 802 struct ieee80211_defrag *df = arg; 803 int s = splnet(); 804 805 /* discard all received fragments */ 806 m_freem(df->df_m); 807 df->df_m = NULL; 808 809 splx(s); 810 } 811 #endif 812 813 /* 814 * Process a received data MPDU related to a specific HT-immediate Block Ack 815 * agreement (see 9.10.7.6). 816 */ 817 void 818 ieee80211_input_ba(struct ieee80211com *ic, struct mbuf *m, 819 struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi, 820 struct mbuf_list *ml) 821 { 822 struct ifnet *ifp = &ic->ic_if; 823 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 824 struct ieee80211_frame *wh; 825 int idx, count; 826 u_int16_t sn; 827 828 wh = mtod(m, struct ieee80211_frame *); 829 sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 830 831 /* reset Block Ack inactivity timer */ 832 if (ba->ba_timeout_val != 0) 833 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 834 835 if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */ 836 ic->ic_stats.is_ht_rx_frame_below_ba_winstart++; 837 m_freem(m); /* discard the MPDU */ 838 return; 839 } 840 if (SEQ_LT(ba->ba_winend, sn)) { /* WinEndB < SN */ 841 ic->ic_stats.is_ht_rx_frame_above_ba_winend++; 842 count = (sn - ba->ba_winend) & 0xfff; 843 if (count > ba->ba_winsize) { 844 /* 845 * Check whether we're consistently behind the window, 846 * and let the window move forward if necessary. 847 */ 848 if (ba->ba_winmiss < IEEE80211_BA_MAX_WINMISS) { 849 if (ba->ba_missedsn == ((sn - 1) & 0xfff)) 850 ba->ba_winmiss++; 851 else 852 ba->ba_winmiss = 0; 853 ba->ba_missedsn = sn; 854 ifp->if_ierrors++; 855 m_freem(m); /* discard the MPDU */ 856 return; 857 } 858 859 /* It appears the window has moved for real. */ 860 ic->ic_stats.is_ht_rx_ba_window_jump++; 861 ba->ba_winmiss = 0; 862 ba->ba_missedsn = 0; 863 ieee80211_ba_move_window(ic, ni, tid, sn, ml); 864 } else { 865 ic->ic_stats.is_ht_rx_ba_window_slide++; 866 ieee80211_input_ba_seq(ic, ni, tid, 867 (ba->ba_winstart + count) & 0xfff, ml); 868 ieee80211_input_ba_flush(ic, ni, ba, ml); 869 } 870 } 871 /* WinStartB <= SN <= WinEndB */ 872 873 ba->ba_winmiss = 0; 874 ba->ba_missedsn = 0; 875 idx = (sn - ba->ba_winstart) & 0xfff; 876 idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ; 877 /* store the received MPDU in the buffer */ 878 if (ba->ba_buf[idx].m != NULL) { 879 ifp->if_ierrors++; 880 ic->ic_stats.is_ht_rx_ba_no_buf++; 881 m_freem(m); 882 return; 883 } 884 ba->ba_buf[idx].m = m; 885 /* store Rx meta-data too */ 886 rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE; 887 ba->ba_buf[idx].rxi = *rxi; 888 ba->ba_gapwait++; 889 890 if (ba->ba_buf[ba->ba_head].m == NULL && ba->ba_gapwait == 1) 891 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT); 892 893 ieee80211_input_ba_flush(ic, ni, ba, ml); 894 } 895 896 /* 897 * Forward buffered frames with sequence number lower than max_seq. 898 * See 802.11-2012 9.21.7.6.2 b. 899 */ 900 void 901 ieee80211_input_ba_seq(struct ieee80211com *ic, struct ieee80211_node *ni, 902 uint8_t tid, uint16_t max_seq, struct mbuf_list *ml) 903 { 904 struct ifnet *ifp = &ic->ic_if; 905 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 906 struct ieee80211_frame *wh; 907 uint16_t seq; 908 int i = 0; 909 910 while (i++ < ba->ba_winsize) { 911 /* gaps may exist */ 912 if (ba->ba_buf[ba->ba_head].m != NULL) { 913 wh = mtod(ba->ba_buf[ba->ba_head].m, 914 struct ieee80211_frame *); 915 KASSERT(ieee80211_has_seq(wh)); 916 seq = letoh16(*(u_int16_t *)wh->i_seq) >> 917 IEEE80211_SEQ_SEQ_SHIFT; 918 if (!SEQ_LT(seq, max_seq)) 919 break; 920 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, 921 ni, &ba->ba_buf[ba->ba_head].rxi, ml); 922 ba->ba_buf[ba->ba_head].m = NULL; 923 ba->ba_gapwait--; 924 } else 925 ic->ic_stats.is_ht_rx_ba_frame_lost++; 926 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 927 /* move window forward */ 928 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 929 } 930 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 931 } 932 933 /* Flush a consecutive sequence of frames from the reorder buffer. */ 934 void 935 ieee80211_input_ba_flush(struct ieee80211com *ic, struct ieee80211_node *ni, 936 struct ieee80211_rx_ba *ba, struct mbuf_list *ml) 937 938 { 939 struct ifnet *ifp = &ic->ic_if; 940 941 /* Do not re-arm the gap timeout if we made no progress. */ 942 if (ba->ba_buf[ba->ba_head].m == NULL) 943 return; 944 945 /* pass reordered MPDUs up to the next MAC process */ 946 while (ba->ba_buf[ba->ba_head].m != NULL) { 947 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni, 948 &ba->ba_buf[ba->ba_head].rxi, ml); 949 ba->ba_buf[ba->ba_head].m = NULL; 950 ba->ba_gapwait--; 951 952 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 953 /* move window forward */ 954 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 955 } 956 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 957 958 if (timeout_pending(&ba->ba_gap_to)) 959 timeout_del(&ba->ba_gap_to); 960 if (ba->ba_gapwait) 961 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT); 962 } 963 964 /* 965 * Forcibly move the BA window forward to remove a leading gap which has 966 * been causing frames to linger in the reordering buffer for too long. 967 * A leading gap will occur if a particular A-MPDU subframe never arrives 968 * or if a bug in the sender causes sequence numbers to jump forward by > 1. 969 */ 970 int 971 ieee80211_input_ba_gap_skip(struct ieee80211_rx_ba *ba) 972 { 973 int skipped = 0; 974 975 while (skipped < ba->ba_winsize && ba->ba_buf[ba->ba_head].m == NULL) { 976 /* move window forward */ 977 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 978 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 979 skipped++; 980 } 981 if (skipped > 0) 982 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 983 984 return skipped; 985 } 986 987 void 988 ieee80211_input_ba_gap_timeout(void *arg) 989 { 990 struct ieee80211_rx_ba *ba = arg; 991 struct ieee80211_node *ni = ba->ba_ni; 992 struct ieee80211com *ic = ni->ni_ic; 993 int s, skipped; 994 995 ic->ic_stats.is_ht_rx_ba_window_gap_timeout++; 996 997 s = splnet(); 998 999 skipped = ieee80211_input_ba_gap_skip(ba); 1000 ic->ic_stats.is_ht_rx_ba_frame_lost += skipped; 1001 if (skipped) { 1002 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 1003 ieee80211_input_ba_flush(ic, ni, ba, &ml); 1004 if_input(&ic->ic_if, &ml); 1005 } 1006 1007 splx(s); 1008 } 1009 1010 1011 /* 1012 * Change the value of WinStartB (move window forward) upon reception of a 1013 * BlockAckReq frame or an ADDBA Request (PBAC). 1014 */ 1015 void 1016 ieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni, 1017 u_int8_t tid, u_int16_t ssn, struct mbuf_list *ml) 1018 { 1019 struct ifnet *ifp = &ic->ic_if; 1020 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 1021 int count; 1022 1023 /* assert(WinStartB <= SSN) */ 1024 1025 count = (ssn - ba->ba_winstart) & 0xfff; 1026 if (count > ba->ba_winsize) /* no overlap */ 1027 count = ba->ba_winsize; 1028 while (count-- > 0) { 1029 /* gaps may exist */ 1030 if (ba->ba_buf[ba->ba_head].m != NULL) { 1031 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni, 1032 &ba->ba_buf[ba->ba_head].rxi, ml); 1033 ba->ba_buf[ba->ba_head].m = NULL; 1034 ba->ba_gapwait--; 1035 } else 1036 ic->ic_stats.is_ht_rx_ba_frame_lost++; 1037 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 1038 } 1039 /* move window forward */ 1040 ba->ba_winstart = ssn; 1041 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 1042 1043 ieee80211_input_ba_flush(ic, ni, ba, ml); 1044 } 1045 1046 void 1047 ieee80211_enqueue_data(struct ieee80211com *ic, struct mbuf *m, 1048 struct ieee80211_node *ni, int mcast, struct mbuf_list *ml) 1049 { 1050 struct ifnet *ifp = &ic->ic_if; 1051 struct ether_header *eh; 1052 struct mbuf *m1; 1053 1054 eh = mtod(m, struct ether_header *); 1055 1056 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid && 1057 eh->ether_type != htons(ETHERTYPE_EAPOL)) { 1058 DPRINTF(("port not valid: %s\n", 1059 ether_sprintf(eh->ether_dhost))); 1060 ic->ic_stats.is_rx_unauth++; 1061 m_freem(m); 1062 return; 1063 } 1064 1065 /* 1066 * Perform as a bridge within the AP. Notice that we do not 1067 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X. 1068 * And we do not forward unicast frames received on a multicast address. 1069 */ 1070 m1 = NULL; 1071 #ifndef IEEE80211_STA_ONLY 1072 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 1073 !(ic->ic_userflags & IEEE80211_F_NOBRIDGE) && 1074 eh->ether_type != htons(ETHERTYPE_EAPOL)) { 1075 struct ieee80211_node *ni1; 1076 1077 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 1078 m1 = m_dup_pkt(m, ETHER_ALIGN, M_DONTWAIT); 1079 if (m1 == NULL) 1080 ifp->if_oerrors++; 1081 else 1082 m1->m_flags |= M_MCAST; 1083 } else if (!mcast) { 1084 ni1 = ieee80211_find_node(ic, eh->ether_dhost); 1085 if (ni1 != NULL && 1086 ni1->ni_state == IEEE80211_STA_ASSOC) { 1087 m1 = m; 1088 m = NULL; 1089 } 1090 } 1091 if (m1 != NULL) { 1092 if (if_enqueue(ifp, m1)) 1093 ifp->if_oerrors++; 1094 } 1095 } 1096 #endif 1097 if (m != NULL) { 1098 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1099 eh->ether_type == htons(ETHERTYPE_EAPOL)) { 1100 ifp->if_ipackets++; 1101 #if NBPFILTER > 0 1102 /* 1103 * If we forward frame into transmitter of the AP, 1104 * we don't need to duplicate for DLT_EN10MB. 1105 */ 1106 if (ifp->if_bpf && m1 == NULL) 1107 bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN); 1108 #endif 1109 ieee80211_eapol_key_input(ic, m, ni); 1110 } else { 1111 ml_enqueue(ml, m); 1112 } 1113 } 1114 } 1115 1116 void 1117 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, 1118 struct ieee80211_node *ni, int hdrlen, struct mbuf_list *ml) 1119 { 1120 struct ether_header eh; 1121 struct ieee80211_frame *wh; 1122 struct llc *llc; 1123 int mcast; 1124 1125 if (m->m_len < hdrlen + LLC_SNAPFRAMELEN && 1126 (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) { 1127 ic->ic_stats.is_rx_decap++; 1128 return; 1129 } 1130 wh = mtod(m, struct ieee80211_frame *); 1131 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 1132 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 1133 case IEEE80211_FC1_DIR_NODS: 1134 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 1135 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 1136 break; 1137 case IEEE80211_FC1_DIR_TODS: 1138 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 1139 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 1140 break; 1141 case IEEE80211_FC1_DIR_FROMDS: 1142 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 1143 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr3); 1144 break; 1145 case IEEE80211_FC1_DIR_DSTODS: 1146 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 1147 IEEE80211_ADDR_COPY(eh.ether_shost, 1148 ((struct ieee80211_frame_addr4 *)wh)->i_addr4); 1149 break; 1150 } 1151 llc = (struct llc *)((caddr_t)wh + hdrlen); 1152 if (llc->llc_dsap == LLC_SNAP_LSAP && 1153 llc->llc_ssap == LLC_SNAP_LSAP && 1154 llc->llc_control == LLC_UI && 1155 llc->llc_snap.org_code[0] == 0 && 1156 llc->llc_snap.org_code[1] == 0 && 1157 llc->llc_snap.org_code[2] == 0) { 1158 eh.ether_type = llc->llc_snap.ether_type; 1159 m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN); 1160 } else { 1161 eh.ether_type = htons(m->m_pkthdr.len - hdrlen); 1162 m_adj(m, hdrlen - ETHER_HDR_LEN); 1163 } 1164 memcpy(mtod(m, caddr_t), &eh, ETHER_HDR_LEN); 1165 if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) { 1166 struct mbuf *m0 = m; 1167 m = m_dup_pkt(m0, ETHER_ALIGN, M_NOWAIT); 1168 m_freem(m0); 1169 if (m == NULL) { 1170 ic->ic_stats.is_rx_decap++; 1171 return; 1172 } 1173 } 1174 ieee80211_enqueue_data(ic, m, ni, mcast, ml); 1175 } 1176 1177 int 1178 ieee80211_amsdu_decap_validate(struct ieee80211com *ic, struct mbuf *m, 1179 struct ieee80211_node *ni) 1180 { 1181 struct ether_header *eh = mtod(m, struct ether_header *); 1182 const uint8_t llc_hdr_mac[ETHER_ADDR_LEN] = { 1183 /* MAC address matching the 802.2 LLC header. */ 1184 LLC_SNAP_LSAP, LLC_SNAP_LSAP, LLC_UI, 0, 0, 0 1185 }; 1186 1187 /* 1188 * We are sorry, but this particular MAC address cannot be used. 1189 * This mitigates an attack where a single 802.11 frame is interpreted 1190 * as an A-MSDU because of a forged AMSDU-present bit in the 802.11 1191 * QoS frame header: https://papers.mathyvanhoef.com/usenix2021.pdf 1192 * See Section 7.2, 'Countermeasures for the design flaws' 1193 */ 1194 if (ETHER_IS_EQ(eh->ether_dhost, llc_hdr_mac)) 1195 return 1; 1196 1197 switch (ic->ic_opmode) { 1198 #ifndef IEEE80211_STA_ONLY 1199 case IEEE80211_M_HOSTAP: 1200 /* 1201 * Subframes must use the source address of the node which 1202 * transmitted the A-MSDU. Prevents MAC spoofing. 1203 */ 1204 if (!ETHER_IS_EQ(ni->ni_macaddr, eh->ether_shost)) 1205 return 1; 1206 break; 1207 #endif 1208 case IEEE80211_M_STA: 1209 /* Subframes must be addressed to me. */ 1210 if (!ETHER_IS_EQ(ic->ic_myaddr, eh->ether_dhost)) 1211 return 1; 1212 break; 1213 default: 1214 /* Ignore MONITOR/IBSS modes for now. */ 1215 break; 1216 } 1217 1218 return 0; 1219 } 1220 1221 /* 1222 * Decapsulate an Aggregate MSDU (see 7.2.2.2). 1223 */ 1224 void 1225 ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m, 1226 struct ieee80211_node *ni, int hdrlen, struct mbuf_list *ml) 1227 { 1228 struct mbuf *n; 1229 struct ether_header *eh; 1230 struct llc *llc; 1231 int len, pad, mcast; 1232 struct ieee80211_frame *wh; 1233 struct mbuf_list subframes = MBUF_LIST_INITIALIZER(); 1234 1235 wh = mtod(m, struct ieee80211_frame *); 1236 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 1237 1238 /* strip 802.11 header */ 1239 m_adj(m, hdrlen); 1240 1241 while (m->m_pkthdr.len >= ETHER_HDR_LEN + LLC_SNAPFRAMELEN) { 1242 /* process an A-MSDU subframe */ 1243 m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN); 1244 if (m == NULL) 1245 break; 1246 eh = mtod(m, struct ether_header *); 1247 /* examine 802.3 header */ 1248 len = ntohs(eh->ether_type); 1249 if (len < LLC_SNAPFRAMELEN) { 1250 DPRINTF(("A-MSDU subframe too short (%d)\n", len)); 1251 /* stop processing A-MSDU subframes */ 1252 ic->ic_stats.is_rx_decap++; 1253 ml_purge(&subframes); 1254 m_freem(m); 1255 return; 1256 } 1257 llc = (struct llc *)&eh[1]; 1258 /* Examine the 802.2 LLC header after the A-MSDU header. */ 1259 if (llc->llc_dsap == LLC_SNAP_LSAP && 1260 llc->llc_ssap == LLC_SNAP_LSAP && 1261 llc->llc_control == LLC_UI && 1262 llc->llc_snap.org_code[0] == 0 && 1263 llc->llc_snap.org_code[1] == 0 && 1264 llc->llc_snap.org_code[2] == 0) { 1265 /* convert to Ethernet II header */ 1266 eh->ether_type = llc->llc_snap.ether_type; 1267 /* strip LLC+SNAP headers */ 1268 memmove((u_int8_t *)eh + LLC_SNAPFRAMELEN, eh, 1269 ETHER_HDR_LEN); 1270 m_adj(m, LLC_SNAPFRAMELEN); 1271 len -= LLC_SNAPFRAMELEN; 1272 } 1273 len += ETHER_HDR_LEN; 1274 if (len > m->m_pkthdr.len) { 1275 /* stop processing A-MSDU subframes */ 1276 DPRINTF(("A-MSDU subframe too long (%d)\n", len)); 1277 ic->ic_stats.is_rx_decap++; 1278 ml_purge(&subframes); 1279 m_freem(m); 1280 return; 1281 } 1282 1283 /* "detach" our A-MSDU subframe from the others */ 1284 n = m_split(m, len, M_NOWAIT); 1285 if (n == NULL) { 1286 /* stop processing A-MSDU subframes */ 1287 ic->ic_stats.is_rx_decap++; 1288 ml_purge(&subframes); 1289 m_freem(m); 1290 return; 1291 } 1292 1293 if (ieee80211_amsdu_decap_validate(ic, m, ni)) { 1294 /* stop processing A-MSDU subframes */ 1295 ic->ic_stats.is_rx_decap++; 1296 ml_purge(&subframes); 1297 m_freem(m); 1298 return; 1299 } 1300 1301 ml_enqueue(&subframes, m); 1302 1303 m = n; 1304 /* remove padding */ 1305 pad = ((len + 3) & ~3) - len; 1306 m_adj(m, pad); 1307 } 1308 1309 while ((n = ml_dequeue(&subframes)) != NULL) 1310 ieee80211_enqueue_data(ic, n, ni, mcast, ml); 1311 1312 m_freem(m); 1313 } 1314 1315 /* 1316 * Parse an EDCA Parameter Set element (see 7.3.2.27). 1317 */ 1318 int 1319 ieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm) 1320 { 1321 u_int updtcount; 1322 int aci; 1323 1324 /* 1325 * Check if EDCA parameters have changed XXX if we miss more than 1326 * 15 consecutive beacons, we might not detect changes to EDCA 1327 * parameters due to wraparound of the 4-bit Update Count field. 1328 */ 1329 updtcount = frm[0] & 0xf; 1330 if (updtcount == ic->ic_edca_updtcount) 1331 return 0; /* no changes to EDCA parameters, ignore */ 1332 ic->ic_edca_updtcount = updtcount; 1333 1334 frm += 2; /* skip QoS Info & Reserved fields */ 1335 1336 /* parse AC Parameter Records */ 1337 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 1338 struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci]; 1339 1340 ac->ac_acm = (frm[0] >> 4) & 0x1; 1341 ac->ac_aifsn = frm[0] & 0xf; 1342 ac->ac_ecwmin = frm[1] & 0xf; 1343 ac->ac_ecwmax = frm[1] >> 4; 1344 ac->ac_txoplimit = LE_READ_2(frm + 2); 1345 frm += 4; 1346 } 1347 /* give drivers a chance to update their settings */ 1348 if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL) 1349 (*ic->ic_updateedca)(ic); 1350 1351 return 0; 1352 } 1353 1354 int 1355 ieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm) 1356 { 1357 if (frm[1] < 18) { 1358 ic->ic_stats.is_rx_elem_toosmall++; 1359 return IEEE80211_REASON_IE_INVALID; 1360 } 1361 return ieee80211_parse_edca_params_body(ic, frm + 2); 1362 } 1363 1364 int 1365 ieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm) 1366 { 1367 if (frm[1] < 24) { 1368 ic->ic_stats.is_rx_elem_toosmall++; 1369 return IEEE80211_REASON_IE_INVALID; 1370 } 1371 return ieee80211_parse_edca_params_body(ic, frm + 8); 1372 } 1373 1374 enum ieee80211_cipher 1375 ieee80211_parse_rsn_cipher(const u_int8_t selector[4]) 1376 { 1377 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1378 switch (selector[3]) { 1379 case 0: /* use group data cipher suite */ 1380 return IEEE80211_CIPHER_USEGROUP; 1381 case 1: /* WEP-40 */ 1382 return IEEE80211_CIPHER_WEP40; 1383 case 2: /* TKIP */ 1384 return IEEE80211_CIPHER_TKIP; 1385 case 4: /* CCMP (RSNA default) */ 1386 return IEEE80211_CIPHER_CCMP; 1387 case 5: /* WEP-104 */ 1388 return IEEE80211_CIPHER_WEP104; 1389 } 1390 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1391 /* see 802.11-2012 Table 8-99 */ 1392 switch (selector[3]) { 1393 case 0: /* use group data cipher suite */ 1394 return IEEE80211_CIPHER_USEGROUP; 1395 case 1: /* WEP-40 */ 1396 return IEEE80211_CIPHER_WEP40; 1397 case 2: /* TKIP */ 1398 return IEEE80211_CIPHER_TKIP; 1399 case 4: /* CCMP (RSNA default) */ 1400 return IEEE80211_CIPHER_CCMP; 1401 case 5: /* WEP-104 */ 1402 return IEEE80211_CIPHER_WEP104; 1403 case 6: /* BIP */ 1404 return IEEE80211_CIPHER_BIP; 1405 } 1406 } 1407 return IEEE80211_CIPHER_NONE; /* ignore unknown ciphers */ 1408 } 1409 1410 enum ieee80211_akm 1411 ieee80211_parse_rsn_akm(const u_int8_t selector[4]) 1412 { 1413 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1414 switch (selector[3]) { 1415 case 1: /* IEEE 802.1X (RSNA default) */ 1416 return IEEE80211_AKM_8021X; 1417 case 2: /* PSK */ 1418 return IEEE80211_AKM_PSK; 1419 } 1420 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1421 /* from IEEE Std 802.11i-2004 - Table 20dc */ 1422 switch (selector[3]) { 1423 case 1: /* IEEE 802.1X (RSNA default) */ 1424 return IEEE80211_AKM_8021X; 1425 case 2: /* PSK */ 1426 return IEEE80211_AKM_PSK; 1427 case 5: /* IEEE 802.1X with SHA256 KDF */ 1428 return IEEE80211_AKM_SHA256_8021X; 1429 case 6: /* PSK with SHA256 KDF */ 1430 return IEEE80211_AKM_SHA256_PSK; 1431 } 1432 } 1433 return IEEE80211_AKM_NONE; /* ignore unknown AKMs */ 1434 } 1435 1436 /* 1437 * Parse an RSN element (see 802.11-2012 8.4.2.27) 1438 */ 1439 int 1440 ieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm, 1441 u_int len, struct ieee80211_rsnparams *rsn) 1442 { 1443 const u_int8_t *efrm; 1444 u_int16_t m, n, s; 1445 1446 efrm = frm + len; 1447 1448 /* check Version field */ 1449 if (LE_READ_2(frm) != 1) 1450 return IEEE80211_STATUS_RSN_IE_VER_UNSUP; 1451 frm += 2; 1452 1453 /* all fields after the Version field are optional */ 1454 1455 /* if Cipher Suite missing, default to CCMP */ 1456 rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP; 1457 rsn->rsn_nciphers = 1; 1458 rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP; 1459 /* if Group Management Cipher Suite missing, default to BIP */ 1460 rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP; 1461 /* if AKM Suite missing, default to 802.1X */ 1462 rsn->rsn_nakms = 1; 1463 rsn->rsn_akms = IEEE80211_AKM_8021X; 1464 /* if RSN capabilities missing, default to 0 */ 1465 rsn->rsn_caps = 0; 1466 rsn->rsn_npmkids = 0; 1467 1468 /* read Group Data Cipher Suite field */ 1469 if (frm + 4 > efrm) 1470 return 0; 1471 rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm); 1472 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_NONE || 1473 rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP || 1474 rsn->rsn_groupcipher == IEEE80211_CIPHER_BIP) 1475 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1476 frm += 4; 1477 1478 /* read Pairwise Cipher Suite Count field */ 1479 if (frm + 2 > efrm) 1480 return 0; 1481 m = rsn->rsn_nciphers = LE_READ_2(frm); 1482 frm += 2; 1483 1484 /* read Pairwise Cipher Suite List */ 1485 if (frm + m * 4 > efrm) 1486 return IEEE80211_STATUS_IE_INVALID; 1487 rsn->rsn_ciphers = IEEE80211_CIPHER_NONE; 1488 while (m-- > 0) { 1489 rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm); 1490 frm += 4; 1491 } 1492 if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) { 1493 if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP) 1494 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1495 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP) 1496 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1497 } 1498 1499 /* read AKM Suite List Count field */ 1500 if (frm + 2 > efrm) 1501 return 0; 1502 n = rsn->rsn_nakms = LE_READ_2(frm); 1503 frm += 2; 1504 1505 /* read AKM Suite List */ 1506 if (frm + n * 4 > efrm) 1507 return IEEE80211_STATUS_IE_INVALID; 1508 rsn->rsn_akms = IEEE80211_AKM_NONE; 1509 while (n-- > 0) { 1510 rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm); 1511 frm += 4; 1512 } 1513 1514 /* read RSN Capabilities field */ 1515 if (frm + 2 > efrm) 1516 return 0; 1517 rsn->rsn_caps = LE_READ_2(frm); 1518 frm += 2; 1519 1520 /* read PMKID Count field */ 1521 if (frm + 2 > efrm) 1522 return 0; 1523 s = rsn->rsn_npmkids = LE_READ_2(frm); 1524 frm += 2; 1525 1526 /* read PMKID List */ 1527 if (frm + s * IEEE80211_PMKID_LEN > efrm) 1528 return IEEE80211_STATUS_IE_INVALID; 1529 if (s != 0) { 1530 rsn->rsn_pmkids = frm; 1531 frm += s * IEEE80211_PMKID_LEN; 1532 } 1533 1534 /* read Group Management Cipher Suite field */ 1535 if (frm + 4 > efrm) 1536 return 0; 1537 rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm); 1538 if (rsn->rsn_groupmgmtcipher != IEEE80211_CIPHER_BIP) 1539 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1540 1541 return IEEE80211_STATUS_SUCCESS; 1542 } 1543 1544 int 1545 ieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm, 1546 struct ieee80211_rsnparams *rsn) 1547 { 1548 if (frm[1] < 2) { 1549 ic->ic_stats.is_rx_elem_toosmall++; 1550 return IEEE80211_STATUS_IE_INVALID; 1551 } 1552 return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn); 1553 } 1554 1555 int 1556 ieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm, 1557 struct ieee80211_rsnparams *rsn) 1558 { 1559 if (frm[1] < 6) { 1560 ic->ic_stats.is_rx_elem_toosmall++; 1561 return IEEE80211_STATUS_IE_INVALID; 1562 } 1563 return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn); 1564 } 1565 1566 /* 1567 * Create (or update) a copy of an information element. 1568 */ 1569 int 1570 ieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie) 1571 { 1572 int olen = *ie ? 2 + (*ie)[1] : 0; 1573 int len = 2 + frm[1]; 1574 1575 if (*ie == NULL || olen != len) { 1576 if (*ie != NULL) 1577 free(*ie, M_DEVBUF, olen); 1578 *ie = malloc(len, M_DEVBUF, M_NOWAIT); 1579 if (*ie == NULL) 1580 return ENOMEM; 1581 } 1582 memcpy(*ie, frm, len); 1583 return 0; 1584 } 1585 1586 /*- 1587 * Beacon/Probe response frame format: 1588 * [8] Timestamp 1589 * [2] Beacon interval 1590 * [2] Capability 1591 * [tlv] Service Set Identifier (SSID) 1592 * [tlv] Supported rates 1593 * [tlv] DS Parameter Set (802.11g) 1594 * [tlv] ERP Information (802.11g) 1595 * [tlv] Extended Supported Rates (802.11g) 1596 * [tlv] RSN (802.11i) 1597 * [tlv] EDCA Parameter Set (802.11e) 1598 * [tlv] QoS Capability (Beacon only, 802.11e) 1599 * [tlv] HT Capabilities (802.11n) 1600 * [tlv] HT Operation (802.11n) 1601 */ 1602 void 1603 ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m, 1604 struct ieee80211_node *rni, struct ieee80211_rxinfo *rxi, int isprobe) 1605 { 1606 struct ieee80211_node *ni; 1607 const struct ieee80211_frame *wh; 1608 const u_int8_t *frm, *efrm; 1609 const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie, *tim; 1610 const u_int8_t *rsnie, *wpaie, *htcaps, *htop, *vhtcaps, *vhtop; 1611 u_int16_t capinfo, bintval; 1612 u_int8_t chan, bchan, erp; 1613 int is_new; 1614 1615 /* 1616 * We process beacon/probe response frames for: 1617 * o station mode: to collect state 1618 * updates such as 802.11g slot time and for passive 1619 * scanning of APs 1620 * o adhoc mode: to discover neighbors 1621 * o hostap mode: for passive scanning of neighbor APs 1622 * o when scanning 1623 * In other words, in all modes other than monitor (which 1624 * does not process incoming frames) and adhoc-demo (which 1625 * does not use management frames at all). 1626 */ 1627 #ifdef DIAGNOSTIC 1628 if (ic->ic_opmode != IEEE80211_M_STA && 1629 #ifndef IEEE80211_STA_ONLY 1630 ic->ic_opmode != IEEE80211_M_IBSS && 1631 ic->ic_opmode != IEEE80211_M_HOSTAP && 1632 #endif 1633 ic->ic_state != IEEE80211_S_SCAN) { 1634 panic("%s: impossible operating mode", __func__); 1635 } 1636 #endif 1637 /* make sure all mandatory fixed fields are present */ 1638 if (m->m_len < sizeof(*wh) + 12) { 1639 DPRINTF(("frame too short\n")); 1640 return; 1641 } 1642 wh = mtod(m, struct ieee80211_frame *); 1643 frm = (const u_int8_t *)&wh[1]; 1644 efrm = mtod(m, u_int8_t *) + m->m_len; 1645 1646 tstamp = frm; frm += 8; 1647 bintval = LE_READ_2(frm); frm += 2; 1648 capinfo = LE_READ_2(frm); frm += 2; 1649 1650 ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = tim = NULL; 1651 htcaps = htop = vhtcaps = vhtop = NULL; 1652 if (rxi->rxi_chan) 1653 bchan = rxi->rxi_chan; 1654 else 1655 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1656 chan = bchan; 1657 erp = 0; 1658 while (frm + 2 <= efrm) { 1659 if (frm + 2 + frm[1] > efrm) { 1660 ic->ic_stats.is_rx_elem_toosmall++; 1661 break; 1662 } 1663 switch (frm[0]) { 1664 case IEEE80211_ELEMID_SSID: 1665 ssid = frm; 1666 break; 1667 case IEEE80211_ELEMID_RATES: 1668 rates = frm; 1669 break; 1670 case IEEE80211_ELEMID_DSPARMS: 1671 if (frm[1] < 1) { 1672 ic->ic_stats.is_rx_elem_toosmall++; 1673 break; 1674 } 1675 chan = frm[2]; 1676 break; 1677 case IEEE80211_ELEMID_XRATES: 1678 xrates = frm; 1679 break; 1680 case IEEE80211_ELEMID_ERP: 1681 if (frm[1] < 1) { 1682 ic->ic_stats.is_rx_elem_toosmall++; 1683 break; 1684 } 1685 erp = frm[2]; 1686 break; 1687 case IEEE80211_ELEMID_RSN: 1688 rsnie = frm; 1689 break; 1690 case IEEE80211_ELEMID_EDCAPARMS: 1691 edcaie = frm; 1692 break; 1693 case IEEE80211_ELEMID_HTCAPS: 1694 htcaps = frm; 1695 break; 1696 case IEEE80211_ELEMID_HTOP: 1697 if (frm[1] < 22) { 1698 ic->ic_stats.is_rx_elem_toosmall++; 1699 break; 1700 } 1701 htop = frm; 1702 chan = frm[2]; 1703 break; 1704 case IEEE80211_ELEMID_VHTCAPS: 1705 vhtcaps = frm; 1706 break; 1707 case IEEE80211_ELEMID_VHTOP: 1708 vhtop = frm; 1709 break; 1710 case IEEE80211_ELEMID_TIM: 1711 if (frm[1] < 4) { 1712 ic->ic_stats.is_rx_elem_toosmall++; 1713 break; 1714 } 1715 tim = frm; 1716 break; 1717 case IEEE80211_ELEMID_VENDOR: 1718 if (frm[1] < 4) { 1719 ic->ic_stats.is_rx_elem_toosmall++; 1720 break; 1721 } 1722 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1723 if (frm[5] == 1) 1724 wpaie = frm; 1725 else if (frm[1] >= 5 && 1726 frm[5] == 2 && frm[6] == 1) 1727 wmmie = frm; 1728 } 1729 break; 1730 } 1731 frm += 2 + frm[1]; 1732 } 1733 /* supported rates element is mandatory */ 1734 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1735 DPRINTF(("invalid supported rates element\n")); 1736 return; 1737 } 1738 /* SSID element is mandatory */ 1739 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1740 DPRINTF(("invalid SSID element\n")); 1741 return; 1742 } 1743 1744 if ( 1745 #if IEEE80211_CHAN_MAX < 255 1746 chan > IEEE80211_CHAN_MAX || 1747 #endif 1748 (isclr(ic->ic_chan_active, chan) && 1749 ((ic->ic_caps & IEEE80211_C_SCANALL) == 0 || 1750 (ic->ic_flags & IEEE80211_F_BGSCAN) == 0))) { 1751 DPRINTF(("ignore %s with invalid channel %u\n", 1752 isprobe ? "probe response" : "beacon", chan)); 1753 ic->ic_stats.is_rx_badchan++; 1754 return; 1755 } 1756 if ((rxi->rxi_chan != 0 && chan != rxi->rxi_chan) || 1757 ((ic->ic_state != IEEE80211_S_SCAN || 1758 !(ic->ic_caps & IEEE80211_C_SCANALL)) && 1759 chan != bchan)) { 1760 /* 1761 * Frame was received on a channel different from the 1762 * one indicated in the DS params element id; 1763 * silently discard it. 1764 * 1765 * NB: this can happen due to signal leakage. 1766 */ 1767 DPRINTF(("ignore %s on channel %u marked for channel %u\n", 1768 isprobe ? "probe response" : "beacon", bchan, chan)); 1769 ic->ic_stats.is_rx_chanmismatch++; 1770 return; 1771 } 1772 1773 #ifdef IEEE80211_DEBUG 1774 if (ieee80211_debug > 1 && 1775 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN || 1776 (ic->ic_flags & IEEE80211_F_BGSCAN))) { 1777 printf("%s: %s%s on chan %u (bss chan %u) ", 1778 __func__, (ni == NULL ? "new " : ""), 1779 isprobe ? "probe response" : "beacon", 1780 chan, bchan); 1781 ieee80211_print_essid(ssid + 2, ssid[1]); 1782 printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2)); 1783 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1784 __func__, capinfo, bintval, erp); 1785 } 1786 #endif 1787 1788 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1789 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1790 if (ni == NULL) 1791 return; 1792 is_new = 1; 1793 } else 1794 is_new = 0; 1795 1796 ni->ni_chan = &ic->ic_channels[chan]; 1797 1798 if (htcaps) 1799 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1800 if (htop && !ieee80211_setup_htop(ni, htop + 2, htop[1], 1)) 1801 htop = NULL; /* invalid HTOP */ 1802 if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) { 1803 ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]); 1804 if (vhtop && !ieee80211_setup_vhtop(ni, vhtop + 2, vhtop[1], 1)) 1805 vhtop = NULL; /* invalid VHTOP */ 1806 } 1807 1808 if (tim) { 1809 ni->ni_dtimcount = tim[2]; 1810 ni->ni_dtimperiod = tim[3]; 1811 } 1812 1813 /* 1814 * When operating in station mode, check for state updates 1815 * while we're associated. 1816 */ 1817 if (ic->ic_opmode == IEEE80211_M_STA && 1818 ic->ic_state == IEEE80211_S_RUN && 1819 ni->ni_state == IEEE80211_STA_BSS) { 1820 int updateprot = 0; 1821 /* 1822 * Check if protection mode has changed since last beacon. 1823 */ 1824 if (ni->ni_erp != erp) { 1825 DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n", 1826 ether_sprintf((u_int8_t *)wh->i_addr2), 1827 ni->ni_erp, erp)); 1828 if ((ic->ic_curmode == IEEE80211_MODE_11G || 1829 (ic->ic_curmode == IEEE80211_MODE_11N && 1830 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 1831 (erp & IEEE80211_ERP_USE_PROTECTION)) 1832 ic->ic_flags |= IEEE80211_F_USEPROT; 1833 else 1834 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1835 ic->ic_bss->ni_erp = erp; 1836 updateprot = 1; 1837 } 1838 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT)) { 1839 enum ieee80211_htprot htprot_last, htprot; 1840 htprot_last = 1841 ((ic->ic_bss->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) 1842 >> IEEE80211_HTOP1_PROT_SHIFT); 1843 htprot = ((ni->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) >> 1844 IEEE80211_HTOP1_PROT_SHIFT); 1845 if (htprot_last != htprot) { 1846 DPRINTF(("[%s] htprot change: was %d, now %d\n", 1847 ether_sprintf((u_int8_t *)wh->i_addr2), 1848 htprot_last, htprot)); 1849 ic->ic_stats.is_ht_prot_change++; 1850 ic->ic_bss->ni_htop1 = ni->ni_htop1; 1851 updateprot = 1; 1852 } 1853 } 1854 if (updateprot && ic->ic_updateprot != NULL) 1855 ic->ic_updateprot(ic); 1856 1857 /* 1858 * Check if 40MHz channel mode has changed since last beacon. 1859 */ 1860 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT) && 1861 (ic->ic_htcaps & IEEE80211_HTCAP_CBW20_40)) { 1862 uint8_t chw_last, chw, sco_last, sco; 1863 chw_last = (ic->ic_bss->ni_htop0 & IEEE80211_HTOP0_CHW); 1864 chw = (ni->ni_htop0 & IEEE80211_HTOP0_CHW); 1865 sco_last = 1866 ((ic->ic_bss->ni_htop0 & IEEE80211_HTOP0_SCO_MASK) 1867 >> IEEE80211_HTOP0_SCO_SHIFT); 1868 sco = ((ni->ni_htop0 & IEEE80211_HTOP0_SCO_MASK) >> 1869 IEEE80211_HTOP0_SCO_SHIFT); 1870 ic->ic_bss->ni_htop0 = ni->ni_htop0; 1871 if (chw_last != chw || sco_last != sco) { 1872 if (ic->ic_updatechan != NULL) 1873 ic->ic_updatechan(ic); 1874 } 1875 } else if (htop) 1876 ic->ic_bss->ni_htop0 = ni->ni_htop0; 1877 1878 /* 1879 * Check if AP short slot time setting has changed 1880 * since last beacon and give the driver a chance to 1881 * update the hardware. 1882 */ 1883 if ((ni->ni_capinfo ^ capinfo) & 1884 IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1885 ieee80211_set_shortslottime(ic, 1886 ic->ic_curmode == IEEE80211_MODE_11A || 1887 (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1888 } 1889 1890 if (tim && ic->ic_bss->ni_dtimperiod != ni->ni_dtimperiod) { 1891 ic->ic_bss->ni_dtimperiod = ni->ni_dtimperiod; 1892 ic->ic_bss->ni_dtimcount = ni->ni_dtimcount; 1893 1894 if (ic->ic_updatedtim != NULL) 1895 ic->ic_updatedtim(ic); 1896 } 1897 1898 /* 1899 * Reset management timer. If it is non-zero in RUN state, the 1900 * driver sent a probe request after a missed beacon event. 1901 * This probe response indicates the AP is still serving us 1902 * so don't allow ieee80211_watchdog() to move us into SCAN. 1903 */ 1904 if ((ic->ic_flags & IEEE80211_F_BGSCAN) == 0) 1905 ic->ic_mgt_timer = 0; 1906 } 1907 /* 1908 * We do not try to update EDCA parameters if QoS was not negotiated 1909 * with the AP at association time. 1910 */ 1911 if (ni->ni_flags & IEEE80211_NODE_QOS) { 1912 /* always prefer EDCA IE over Wi-Fi Alliance WMM IE */ 1913 if ((edcaie != NULL && 1914 ieee80211_parse_edca_params(ic, edcaie) == 0) || 1915 (wmmie != NULL && 1916 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 1917 ni->ni_flags |= IEEE80211_NODE_QOS; 1918 else 1919 ni->ni_flags &= ~IEEE80211_NODE_QOS; 1920 } 1921 1922 if (ic->ic_state == IEEE80211_S_SCAN || 1923 (ic->ic_flags & IEEE80211_F_BGSCAN)) { 1924 struct ieee80211_rsnparams rsn, wpa; 1925 1926 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1927 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 1928 ni->ni_rsnakms = 0; 1929 ni->ni_supported_rsnakms = 0; 1930 ni->ni_rsnciphers = 0; 1931 ni->ni_rsngroupcipher = 0; 1932 ni->ni_rsngroupmgmtcipher = 0; 1933 ni->ni_rsncaps = 0; 1934 1935 if (rsnie != NULL && 1936 ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) { 1937 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_RSN; 1938 ni->ni_supported_rsnakms |= rsn.rsn_akms; 1939 } 1940 if (wpaie != NULL && 1941 ieee80211_parse_wpa(ic, wpaie, &wpa) == 0) { 1942 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_WPA; 1943 ni->ni_supported_rsnakms |= wpa.rsn_akms; 1944 } 1945 1946 /* 1947 * If the AP advertises both WPA and RSN IEs (WPA1+WPA2), 1948 * we only use the highest protocol version we support. 1949 */ 1950 if (rsnie != NULL && 1951 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_RSN) && 1952 (ic->ic_caps & IEEE80211_C_RSN)) { 1953 if (ieee80211_save_ie(rsnie, &ni->ni_rsnie) == 0 1954 #ifndef IEEE80211_STA_ONLY 1955 && ic->ic_opmode != IEEE80211_M_HOSTAP 1956 #endif 1957 ) { 1958 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1959 ni->ni_rsnakms = rsn.rsn_akms; 1960 ni->ni_rsnciphers = rsn.rsn_ciphers; 1961 ni->ni_rsngroupcipher = rsn.rsn_groupcipher; 1962 ni->ni_rsngroupmgmtcipher = 1963 rsn.rsn_groupmgmtcipher; 1964 ni->ni_rsncaps = rsn.rsn_caps; 1965 } 1966 } else if (wpaie != NULL && 1967 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_WPA) && 1968 (ic->ic_caps & IEEE80211_C_RSN)) { 1969 if (ieee80211_save_ie(wpaie, &ni->ni_rsnie) == 0 1970 #ifndef IEEE80211_STA_ONLY 1971 && ic->ic_opmode != IEEE80211_M_HOSTAP 1972 #endif 1973 ) { 1974 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1975 ni->ni_rsnakms = wpa.rsn_akms; 1976 ni->ni_rsnciphers = wpa.rsn_ciphers; 1977 ni->ni_rsngroupcipher = wpa.rsn_groupcipher; 1978 ni->ni_rsngroupmgmtcipher = 1979 wpa.rsn_groupmgmtcipher; 1980 ni->ni_rsncaps = wpa.rsn_caps; 1981 } 1982 } 1983 } 1984 1985 /* 1986 * Set our SSID if we do not know it yet. 1987 * If we are doing a directed scan for an AP with a hidden SSID 1988 * we must collect the SSID from a probe response to override 1989 * a non-zero-length SSID filled with zeroes that we may have 1990 * received earlier in a beacon. 1991 */ 1992 if (ssid[1] != 0 && ni->ni_essid[0] == '\0') { 1993 ni->ni_esslen = ssid[1]; 1994 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1995 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1996 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1997 } 1998 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1999 if (ic->ic_state == IEEE80211_S_SCAN && 2000 IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) { 2001 /* 2002 * During a scan on 5Ghz, prefer RSSI measured for probe 2003 * response frames. i.e. don't allow beacons to lower the 2004 * measured RSSI. Some 5GHz APs send beacons with much 2005 * less Tx power than they use for probe responses. 2006 */ 2007 if (isprobe || ni->ni_rssi == 0) 2008 ni->ni_rssi = rxi->rxi_rssi; 2009 else if (ni->ni_rssi < rxi->rxi_rssi) 2010 ni->ni_rssi = rxi->rxi_rssi; 2011 } else 2012 ni->ni_rssi = rxi->rxi_rssi; 2013 ni->ni_rstamp = rxi->rxi_tstamp; 2014 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 2015 ni->ni_intval = bintval; 2016 ni->ni_capinfo = capinfo; 2017 ni->ni_erp = erp; 2018 /* NB: must be after ni_chan is setup */ 2019 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 2020 #ifndef IEEE80211_STA_ONLY 2021 if (ic->ic_opmode == IEEE80211_M_IBSS && is_new && isprobe) { 2022 /* 2023 * Fake an association so the driver can setup its 2024 * private state. The rate set has been setup above; 2025 * there is no handshake as in ap/station operation. 2026 */ 2027 if (ic->ic_newassoc) 2028 (*ic->ic_newassoc)(ic, ni, 1); 2029 } 2030 #endif 2031 } 2032 2033 #ifndef IEEE80211_STA_ONLY 2034 /*- 2035 * Probe request frame format: 2036 * [tlv] SSID 2037 * [tlv] Supported rates 2038 * [tlv] Extended Supported Rates (802.11g) 2039 * [tlv] HT Capabilities (802.11n) 2040 */ 2041 void 2042 ieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m, 2043 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 2044 { 2045 const struct ieee80211_frame *wh; 2046 const u_int8_t *frm, *efrm; 2047 const u_int8_t *ssid, *rates, *xrates, *htcaps, *vhtcaps; 2048 u_int8_t rate; 2049 2050 if (ic->ic_opmode == IEEE80211_M_STA || 2051 ic->ic_state != IEEE80211_S_RUN) 2052 return; 2053 2054 wh = mtod(m, struct ieee80211_frame *); 2055 frm = (const u_int8_t *)&wh[1]; 2056 efrm = mtod(m, u_int8_t *) + m->m_len; 2057 2058 ssid = rates = xrates = htcaps = vhtcaps = NULL; 2059 while (frm + 2 <= efrm) { 2060 if (frm + 2 + frm[1] > efrm) { 2061 ic->ic_stats.is_rx_elem_toosmall++; 2062 break; 2063 } 2064 switch (frm[0]) { 2065 case IEEE80211_ELEMID_SSID: 2066 ssid = frm; 2067 break; 2068 case IEEE80211_ELEMID_RATES: 2069 rates = frm; 2070 break; 2071 case IEEE80211_ELEMID_XRATES: 2072 xrates = frm; 2073 break; 2074 case IEEE80211_ELEMID_HTCAPS: 2075 htcaps = frm; 2076 break; 2077 case IEEE80211_ELEMID_VHTCAPS: 2078 vhtcaps = frm; 2079 break; 2080 } 2081 frm += 2 + frm[1]; 2082 } 2083 /* supported rates element is mandatory */ 2084 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2085 DPRINTF(("invalid supported rates element\n")); 2086 return; 2087 } 2088 /* SSID element is mandatory */ 2089 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 2090 DPRINTF(("invalid SSID element\n")); 2091 return; 2092 } 2093 /* check that the specified SSID (if not wildcard) matches ours */ 2094 if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen || 2095 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) { 2096 DPRINTF(("SSID mismatch\n")); 2097 ic->ic_stats.is_rx_ssidmismatch++; 2098 return; 2099 } 2100 /* refuse wildcard SSID if we're hiding our SSID in beacons */ 2101 if (ssid[1] == 0 && (ic->ic_userflags & IEEE80211_F_HIDENWID)) { 2102 DPRINTF(("wildcard SSID rejected")); 2103 ic->ic_stats.is_rx_ssidmismatch++; 2104 return; 2105 } 2106 2107 if (ni == ic->ic_bss) { 2108 ni = ieee80211_find_node(ic, wh->i_addr2); 2109 if (ni == NULL) 2110 ni = ieee80211_dup_bss(ic, wh->i_addr2); 2111 if (ni == NULL) 2112 return; 2113 DPRINTF(("new probe req from %s\n", 2114 ether_sprintf((u_int8_t *)wh->i_addr2))); 2115 } 2116 ni->ni_rssi = rxi->rxi_rssi; 2117 ni->ni_rstamp = rxi->rxi_tstamp; 2118 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2119 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2120 IEEE80211_F_DODEL); 2121 if (rate & IEEE80211_RATE_BASIC) { 2122 DPRINTF(("rate mismatch for %s\n", 2123 ether_sprintf((u_int8_t *)wh->i_addr2))); 2124 return; 2125 } 2126 if (htcaps) 2127 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2128 else 2129 ieee80211_clear_htcaps(ni); 2130 if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ic->ic_bss->ni_chan)) 2131 ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]); 2132 else 2133 ieee80211_clear_vhtcaps(ni); 2134 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 2135 } 2136 #endif /* IEEE80211_STA_ONLY */ 2137 2138 /*- 2139 * Authentication frame format: 2140 * [2] Authentication algorithm number 2141 * [2] Authentication transaction sequence number 2142 * [2] Status code 2143 */ 2144 void 2145 ieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m, 2146 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 2147 { 2148 const struct ieee80211_frame *wh; 2149 const u_int8_t *frm; 2150 u_int16_t algo, seq, status; 2151 2152 /* make sure all mandatory fixed fields are present */ 2153 if (m->m_len < sizeof(*wh) + 6) { 2154 DPRINTF(("frame too short\n")); 2155 return; 2156 } 2157 wh = mtod(m, struct ieee80211_frame *); 2158 frm = (const u_int8_t *)&wh[1]; 2159 2160 algo = LE_READ_2(frm); frm += 2; 2161 seq = LE_READ_2(frm); frm += 2; 2162 status = LE_READ_2(frm); frm += 2; 2163 DPRINTF(("auth %d seq %d from %s\n", algo, seq, 2164 ether_sprintf((u_int8_t *)wh->i_addr2))); 2165 2166 /* only "open" auth mode is supported */ 2167 if (algo != IEEE80211_AUTH_ALG_OPEN) { 2168 DPRINTF(("unsupported auth algorithm %d from %s\n", 2169 algo, ether_sprintf((u_int8_t *)wh->i_addr2))); 2170 ic->ic_stats.is_rx_auth_unsupported++; 2171 #ifndef IEEE80211_STA_ONLY 2172 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2173 /* XXX hack to workaround calling convention */ 2174 IEEE80211_SEND_MGMT(ic, ni, 2175 IEEE80211_FC0_SUBTYPE_AUTH, 2176 IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xfff)); 2177 } 2178 #endif 2179 return; 2180 } 2181 ieee80211_auth_open(ic, wh, ni, rxi, seq, status); 2182 } 2183 2184 #ifndef IEEE80211_STA_ONLY 2185 /*- 2186 * (Re)Association request frame format: 2187 * [2] Capability information 2188 * [2] Listen interval 2189 * [6*] Current AP address (Reassociation only) 2190 * [tlv] SSID 2191 * [tlv] Supported rates 2192 * [tlv] Extended Supported Rates (802.11g) 2193 * [tlv] RSN (802.11i) 2194 * [tlv] QoS Capability (802.11e) 2195 * [tlv] HT Capabilities (802.11n) 2196 */ 2197 void 2198 ieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m, 2199 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc) 2200 { 2201 const struct ieee80211_frame *wh; 2202 const u_int8_t *frm, *efrm; 2203 const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *wmeie; 2204 const u_int8_t *htcaps, *vhtcaps; 2205 u_int16_t capinfo, bintval; 2206 int resp, status = 0; 2207 struct ieee80211_rsnparams rsn; 2208 u_int8_t rate; 2209 const u_int8_t *saveie = NULL; 2210 2211 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2212 ic->ic_state != IEEE80211_S_RUN) 2213 return; 2214 2215 /* make sure all mandatory fixed fields are present */ 2216 if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) { 2217 DPRINTF(("frame too short\n")); 2218 return; 2219 } 2220 wh = mtod(m, struct ieee80211_frame *); 2221 frm = (const u_int8_t *)&wh[1]; 2222 efrm = mtod(m, u_int8_t *) + m->m_len; 2223 2224 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2225 DPRINTF(("ignore other bss from %s\n", 2226 ether_sprintf((u_int8_t *)wh->i_addr2))); 2227 ic->ic_stats.is_rx_assoc_bss++; 2228 return; 2229 } 2230 capinfo = LE_READ_2(frm); frm += 2; 2231 bintval = LE_READ_2(frm); frm += 2; 2232 if (reassoc) { 2233 frm += IEEE80211_ADDR_LEN; /* skip current AP address */ 2234 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2235 } else 2236 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2237 2238 ssid = rates = xrates = rsnie = wpaie = wmeie = htcaps = vhtcaps = NULL; 2239 while (frm + 2 <= efrm) { 2240 if (frm + 2 + frm[1] > efrm) { 2241 ic->ic_stats.is_rx_elem_toosmall++; 2242 break; 2243 } 2244 switch (frm[0]) { 2245 case IEEE80211_ELEMID_SSID: 2246 ssid = frm; 2247 break; 2248 case IEEE80211_ELEMID_RATES: 2249 rates = frm; 2250 break; 2251 case IEEE80211_ELEMID_XRATES: 2252 xrates = frm; 2253 break; 2254 case IEEE80211_ELEMID_RSN: 2255 rsnie = frm; 2256 break; 2257 case IEEE80211_ELEMID_QOS_CAP: 2258 break; 2259 case IEEE80211_ELEMID_HTCAPS: 2260 htcaps = frm; 2261 break; 2262 case IEEE80211_ELEMID_VHTCAPS: 2263 vhtcaps = frm; 2264 break; 2265 case IEEE80211_ELEMID_VENDOR: 2266 if (frm[1] < 4) { 2267 ic->ic_stats.is_rx_elem_toosmall++; 2268 break; 2269 } 2270 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2271 if (frm[5] == 1) 2272 wpaie = frm; 2273 /* WME info IE: len=7 type=2 subtype=0 */ 2274 if (frm[1] == 7 && frm[5] == 2 && frm[6] == 0) 2275 wmeie = frm; 2276 } 2277 break; 2278 } 2279 frm += 2 + frm[1]; 2280 } 2281 /* supported rates element is mandatory */ 2282 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2283 DPRINTF(("invalid supported rates element\n")); 2284 return; 2285 } 2286 /* SSID element is mandatory */ 2287 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 2288 DPRINTF(("invalid SSID element\n")); 2289 return; 2290 } 2291 /* check that the specified SSID matches ours */ 2292 if (ssid[1] != ic->ic_bss->ni_esslen || 2293 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) { 2294 DPRINTF(("SSID mismatch\n")); 2295 ic->ic_stats.is_rx_ssidmismatch++; 2296 return; 2297 } 2298 2299 if (ni->ni_state != IEEE80211_STA_AUTH && 2300 ni->ni_state != IEEE80211_STA_ASSOC) { 2301 DPRINTF(("deny %sassoc from %s, not authenticated\n", 2302 reassoc ? "re" : "", 2303 ether_sprintf((u_int8_t *)wh->i_addr2))); 2304 ni = ieee80211_find_node(ic, wh->i_addr2); 2305 if (ni == NULL) 2306 ni = ieee80211_dup_bss(ic, wh->i_addr2); 2307 if (ni != NULL) { 2308 IEEE80211_SEND_MGMT(ic, ni, 2309 IEEE80211_FC0_SUBTYPE_DEAUTH, 2310 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2311 } 2312 ic->ic_stats.is_rx_assoc_notauth++; 2313 return; 2314 } 2315 2316 if (ni->ni_state == IEEE80211_STA_ASSOC && 2317 (ni->ni_flags & IEEE80211_NODE_MFP)) { 2318 if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) { 2319 /* send a protected Disassociate frame */ 2320 IEEE80211_SEND_MGMT(ic, ni, 2321 IEEE80211_FC0_SUBTYPE_DISASSOC, 2322 IEEE80211_REASON_AUTH_EXPIRE); 2323 /* terminate the old SA */ 2324 ieee80211_node_leave(ic, ni); 2325 } else { 2326 /* reject the (Re)Association Request temporarily */ 2327 IEEE80211_SEND_MGMT(ic, ni, resp, 2328 IEEE80211_STATUS_TRY_AGAIN_LATER); 2329 /* start SA Query procedure if not already engaged */ 2330 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) 2331 ieee80211_sa_query_request(ic, ni); 2332 /* do not modify association state */ 2333 } 2334 return; 2335 } 2336 2337 if (!(capinfo & IEEE80211_CAPINFO_ESS)) { 2338 ic->ic_stats.is_rx_assoc_capmismatch++; 2339 status = IEEE80211_STATUS_CAPINFO; 2340 goto end; 2341 } 2342 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2343 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2344 IEEE80211_F_DODEL); 2345 if (rate & IEEE80211_RATE_BASIC) { 2346 ic->ic_stats.is_rx_assoc_norate++; 2347 status = IEEE80211_STATUS_BASIC_RATE; 2348 goto end; 2349 } 2350 2351 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2352 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 2353 ni->ni_rsnakms = 0; 2354 ni->ni_supported_rsnakms = 0; 2355 ni->ni_rsnciphers = 0; 2356 ni->ni_rsngroupcipher = 0; 2357 ni->ni_rsngroupmgmtcipher = 0; 2358 ni->ni_rsncaps = 0; 2359 2360 /* 2361 * A station should never include both a WPA and an RSN IE 2362 * in its (Re)Association Requests, but if it does, we only 2363 * consider the IE of the highest version of the protocol 2364 * that is allowed (ie RSN over WPA). 2365 */ 2366 if (rsnie != NULL) { 2367 status = ieee80211_parse_rsn(ic, rsnie, &rsn); 2368 if (status != 0) 2369 goto end; 2370 ni->ni_supported_rsnprotos = IEEE80211_PROTO_RSN; 2371 ni->ni_supported_rsnakms = rsn.rsn_akms; 2372 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2373 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 2374 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 2375 saveie = rsnie; 2376 } 2377 } else if (wpaie != NULL) { 2378 status = ieee80211_parse_wpa(ic, wpaie, &rsn); 2379 if (status != 0) 2380 goto end; 2381 ni->ni_supported_rsnprotos = IEEE80211_PROTO_WPA; 2382 ni->ni_supported_rsnakms = rsn.rsn_akms; 2383 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2384 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 2385 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 2386 saveie = wpaie; 2387 } 2388 } 2389 2390 if (ic->ic_flags & IEEE80211_F_QOS) { 2391 if (wmeie != NULL) 2392 ni->ni_flags |= IEEE80211_NODE_QOS; 2393 else /* for Reassociation */ 2394 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2395 } 2396 2397 if (ic->ic_flags & IEEE80211_F_RSNON) { 2398 if (ni->ni_rsnprotos == IEEE80211_PROTO_NONE) { 2399 /* 2400 * In an RSN, an AP shall not associate with STAs 2401 * that fail to include the RSN IE in the 2402 * (Re)Association Request. 2403 */ 2404 status = IEEE80211_STATUS_IE_INVALID; 2405 goto end; 2406 } 2407 /* 2408 * The initiating STA's RSN IE shall include one authentication 2409 * and pairwise cipher suite among those advertised by the 2410 * targeted AP. It shall also specify the group cipher suite 2411 * specified by the targeted AP. 2412 */ 2413 if (rsn.rsn_nakms != 1 || 2414 !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) { 2415 status = IEEE80211_STATUS_BAD_AKMP; 2416 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2417 goto end; 2418 } 2419 if (rsn.rsn_nciphers != 1 || 2420 !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) { 2421 status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 2422 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2423 goto end; 2424 } 2425 if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) { 2426 status = IEEE80211_STATUS_BAD_GROUP_CIPHER; 2427 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2428 goto end; 2429 } 2430 2431 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) && 2432 !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) { 2433 status = IEEE80211_STATUS_MFP_POLICY; 2434 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2435 goto end; 2436 } 2437 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 2438 (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC | 2439 IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) { 2440 /* STA advertises an invalid setting */ 2441 status = IEEE80211_STATUS_MFP_POLICY; 2442 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2443 goto end; 2444 } 2445 /* 2446 * A STA that has associated with Management Frame Protection 2447 * enabled shall not use cipher suite pairwise selector WEP40, 2448 * WEP104, TKIP, or "Use Group cipher suite". 2449 */ 2450 if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) && 2451 (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP || 2452 rsn.rsn_groupmgmtcipher != 2453 ic->ic_bss->ni_rsngroupmgmtcipher)) { 2454 status = IEEE80211_STATUS_MFP_POLICY; 2455 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2456 goto end; 2457 } 2458 2459 /* 2460 * Disallow new associations using TKIP if countermeasures 2461 * are active. 2462 */ 2463 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 2464 (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP || 2465 rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) { 2466 status = IEEE80211_STATUS_CIPHER_REJ_POLICY; 2467 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2468 goto end; 2469 } 2470 2471 /* everything looks fine, save IE and parameters */ 2472 if (saveie == NULL || 2473 ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) { 2474 status = IEEE80211_STATUS_TOOMANY; 2475 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2476 goto end; 2477 } 2478 ni->ni_rsnakms = rsn.rsn_akms; 2479 ni->ni_rsnciphers = rsn.rsn_ciphers; 2480 ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher; 2481 ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher; 2482 ni->ni_rsncaps = rsn.rsn_caps; 2483 2484 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 2485 struct ieee80211_pmk *pmk = NULL; 2486 const u_int8_t *pmkid = rsn.rsn_pmkids; 2487 /* 2488 * Check if we have a cached PMK entry matching one 2489 * of the PMKIDs specified in the RSN IE. 2490 */ 2491 while (rsn.rsn_npmkids-- > 0) { 2492 pmk = ieee80211_pmksa_find(ic, ni, pmkid); 2493 if (pmk != NULL) 2494 break; 2495 pmkid += IEEE80211_PMKID_LEN; 2496 } 2497 if (pmk != NULL) { 2498 memcpy(ni->ni_pmk, pmk->pmk_key, 2499 IEEE80211_PMK_LEN); 2500 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 2501 IEEE80211_PMKID_LEN); 2502 ni->ni_flags |= IEEE80211_NODE_PMK; 2503 } 2504 } 2505 } 2506 2507 ni->ni_rssi = rxi->rxi_rssi; 2508 ni->ni_rstamp = rxi->rxi_tstamp; 2509 ni->ni_intval = bintval; 2510 ni->ni_capinfo = capinfo; 2511 ni->ni_chan = ic->ic_bss->ni_chan; 2512 if (htcaps) 2513 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2514 else 2515 ieee80211_clear_htcaps(ni); 2516 if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ic->ic_bss->ni_chan)) 2517 ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]); 2518 else 2519 ieee80211_clear_vhtcaps(ni); 2520 end: 2521 if (status != 0) { 2522 IEEE80211_SEND_MGMT(ic, ni, resp, status); 2523 ieee80211_node_leave(ic, ni); 2524 } else 2525 ieee80211_node_join(ic, ni, resp); 2526 } 2527 #endif /* IEEE80211_STA_ONLY */ 2528 2529 /*- 2530 * (Re)Association response frame format: 2531 * [2] Capability information 2532 * [2] Status code 2533 * [2] Association ID (AID) 2534 * [tlv] Supported rates 2535 * [tlv] Extended Supported Rates (802.11g) 2536 * [tlv] EDCA Parameter Set (802.11e) 2537 * [tlv] HT Capabilities (802.11n) 2538 * [tlv] HT Operation (802.11n) 2539 */ 2540 void 2541 ieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m, 2542 struct ieee80211_node *ni, int reassoc) 2543 { 2544 struct ifnet *ifp = &ic->ic_if; 2545 const struct ieee80211_frame *wh; 2546 const u_int8_t *frm, *efrm; 2547 const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop; 2548 const u_int8_t *vhtcaps, *vhtop; 2549 u_int16_t capinfo, status, associd; 2550 u_int8_t rate; 2551 2552 if (ic->ic_opmode != IEEE80211_M_STA || 2553 ic->ic_state != IEEE80211_S_ASSOC) { 2554 ic->ic_stats.is_rx_mgtdiscard++; 2555 return; 2556 } 2557 2558 /* make sure all mandatory fixed fields are present */ 2559 if (m->m_len < sizeof(*wh) + 6) { 2560 DPRINTF(("frame too short\n")); 2561 return; 2562 } 2563 wh = mtod(m, struct ieee80211_frame *); 2564 frm = (const u_int8_t *)&wh[1]; 2565 efrm = mtod(m, u_int8_t *) + m->m_len; 2566 2567 capinfo = LE_READ_2(frm); frm += 2; 2568 status = LE_READ_2(frm); frm += 2; 2569 if (status != IEEE80211_STATUS_SUCCESS) { 2570 if (ifp->if_flags & IFF_DEBUG) 2571 printf("%s: %sassociation failed (status %d)" 2572 " for %s\n", ifp->if_xname, 2573 reassoc ? "re" : "", 2574 status, ether_sprintf((u_int8_t *)wh->i_addr3)); 2575 if (ni != ic->ic_bss) 2576 ni->ni_fails++; 2577 ic->ic_stats.is_rx_auth_fail++; 2578 return; 2579 } 2580 associd = LE_READ_2(frm); frm += 2; 2581 2582 rates = xrates = edcaie = wmmie = htcaps = htop = NULL; 2583 vhtcaps = vhtop = NULL; 2584 while (frm + 2 <= efrm) { 2585 if (frm + 2 + frm[1] > efrm) { 2586 ic->ic_stats.is_rx_elem_toosmall++; 2587 break; 2588 } 2589 switch (frm[0]) { 2590 case IEEE80211_ELEMID_RATES: 2591 rates = frm; 2592 break; 2593 case IEEE80211_ELEMID_XRATES: 2594 xrates = frm; 2595 break; 2596 case IEEE80211_ELEMID_EDCAPARMS: 2597 edcaie = frm; 2598 break; 2599 case IEEE80211_ELEMID_HTCAPS: 2600 htcaps = frm; 2601 break; 2602 case IEEE80211_ELEMID_HTOP: 2603 htop = frm; 2604 break; 2605 case IEEE80211_ELEMID_VHTCAPS: 2606 vhtcaps = frm; 2607 break; 2608 case IEEE80211_ELEMID_VHTOP: 2609 vhtop = frm; 2610 break; 2611 case IEEE80211_ELEMID_VENDOR: 2612 if (frm[1] < 4) { 2613 ic->ic_stats.is_rx_elem_toosmall++; 2614 break; 2615 } 2616 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2617 if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1) 2618 wmmie = frm; 2619 } 2620 break; 2621 } 2622 frm += 2 + frm[1]; 2623 } 2624 /* supported rates element is mandatory */ 2625 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2626 DPRINTF(("invalid supported rates element\n")); 2627 return; 2628 } 2629 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2630 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2631 IEEE80211_F_DODEL); 2632 if (rate & IEEE80211_RATE_BASIC) { 2633 DPRINTF(("rate mismatch for %s\n", 2634 ether_sprintf((u_int8_t *)wh->i_addr2))); 2635 ic->ic_stats.is_rx_assoc_norate++; 2636 return; 2637 } 2638 ni->ni_capinfo = capinfo; 2639 ni->ni_associd = associd; 2640 if (edcaie != NULL || wmmie != NULL) { 2641 /* force update of EDCA parameters */ 2642 ic->ic_edca_updtcount = -1; 2643 2644 if ((edcaie != NULL && 2645 ieee80211_parse_edca_params(ic, edcaie) == 0) || 2646 (wmmie != NULL && 2647 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 2648 ni->ni_flags |= IEEE80211_NODE_QOS; 2649 else /* for Reassociation */ 2650 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2651 } 2652 if (htcaps) 2653 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2654 if (htop) 2655 ieee80211_setup_htop(ni, htop + 2, htop[1], 0); 2656 ieee80211_ht_negotiate(ic, ni); 2657 2658 if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) { 2659 ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]); 2660 if (vhtop && !ieee80211_setup_vhtop(ni, vhtop + 2, vhtop[1], 1)) 2661 vhtop = NULL; /* invalid VHTOP */ 2662 } 2663 ieee80211_vht_negotiate(ic, ni); 2664 2665 /* Hop into 11n/11ac modes after associating to a HT/VHT AP. */ 2666 if (ni->ni_flags & IEEE80211_NODE_VHT) 2667 ieee80211_setmode(ic, IEEE80211_MODE_11AC); 2668 else if (ni->ni_flags & IEEE80211_NODE_HT) 2669 ieee80211_setmode(ic, IEEE80211_MODE_11N); 2670 else 2671 ieee80211_setmode(ic, ieee80211_chan2mode(ic, ni->ni_chan)); 2672 /* 2673 * Reset the erp state (mostly the slot time) now that 2674 * our operating mode has been nailed down. 2675 */ 2676 ieee80211_reset_erp(ic); 2677 2678 /* 2679 * Configure state now that we are associated. 2680 */ 2681 if (ic->ic_curmode == IEEE80211_MODE_11A || 2682 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 2683 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2684 else 2685 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2686 2687 ieee80211_set_shortslottime(ic, 2688 ic->ic_curmode == IEEE80211_MODE_11A || 2689 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2690 /* 2691 * Honor ERP protection. 2692 */ 2693 if ((ic->ic_curmode == IEEE80211_MODE_11G || 2694 (ic->ic_curmode == IEEE80211_MODE_11N && 2695 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 2696 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2697 ic->ic_flags |= IEEE80211_F_USEPROT; 2698 else 2699 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2700 /* 2701 * If not an RSNA, mark the port as valid, otherwise wait for 2702 * 802.1X authentication and 4-way handshake to complete.. 2703 */ 2704 if (ic->ic_flags & IEEE80211_F_RSNON) { 2705 /* XXX ic->ic_mgt_timer = 5; */ 2706 ni->ni_rsn_supp_state = RSNA_SUPP_PTKSTART; 2707 } else if (ic->ic_flags & IEEE80211_F_WEPON) 2708 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 2709 2710 ieee80211_new_state(ic, IEEE80211_S_RUN, 2711 IEEE80211_FC0_SUBTYPE_ASSOC_RESP); 2712 } 2713 2714 /*- 2715 * Deauthentication frame format: 2716 * [2] Reason code 2717 */ 2718 void 2719 ieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m, 2720 struct ieee80211_node *ni) 2721 { 2722 const struct ieee80211_frame *wh; 2723 const u_int8_t *frm; 2724 u_int16_t reason; 2725 2726 /* make sure all mandatory fixed fields are present */ 2727 if (m->m_len < sizeof(*wh) + 2) { 2728 DPRINTF(("frame too short\n")); 2729 return; 2730 } 2731 wh = mtod(m, struct ieee80211_frame *); 2732 frm = (const u_int8_t *)&wh[1]; 2733 2734 reason = LE_READ_2(frm); 2735 2736 ic->ic_stats.is_rx_deauth++; 2737 switch (ic->ic_opmode) { 2738 case IEEE80211_M_STA: { 2739 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2740 ic->ic_state == IEEE80211_S_RUN); 2741 int stay_auth = ((ic->ic_userflags & IEEE80211_F_STAYAUTH) && 2742 ic->ic_state >= IEEE80211_S_AUTH); 2743 if (!(bgscan || stay_auth)) 2744 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2745 IEEE80211_FC0_SUBTYPE_DEAUTH); 2746 } 2747 break; 2748 #ifndef IEEE80211_STA_ONLY 2749 case IEEE80211_M_HOSTAP: 2750 if (ni != ic->ic_bss) { 2751 int stay_auth = 2752 ((ic->ic_userflags & IEEE80211_F_STAYAUTH) && 2753 (ni->ni_state == IEEE80211_STA_AUTH || 2754 ni->ni_state == IEEE80211_STA_ASSOC)); 2755 if (ic->ic_if.if_flags & IFF_DEBUG) 2756 printf("%s: station %s deauthenticated " 2757 "by peer (reason %d)\n", 2758 ic->ic_if.if_xname, 2759 ether_sprintf(ni->ni_macaddr), 2760 reason); 2761 if (!stay_auth) 2762 ieee80211_node_leave(ic, ni); 2763 } 2764 break; 2765 #endif 2766 default: 2767 break; 2768 } 2769 } 2770 2771 /*- 2772 * Disassociation frame format: 2773 * [2] Reason code 2774 */ 2775 void 2776 ieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m, 2777 struct ieee80211_node *ni) 2778 { 2779 const struct ieee80211_frame *wh; 2780 const u_int8_t *frm; 2781 u_int16_t reason; 2782 2783 /* make sure all mandatory fixed fields are present */ 2784 if (m->m_len < sizeof(*wh) + 2) { 2785 DPRINTF(("frame too short\n")); 2786 return; 2787 } 2788 wh = mtod(m, struct ieee80211_frame *); 2789 frm = (const u_int8_t *)&wh[1]; 2790 2791 reason = LE_READ_2(frm); 2792 2793 ic->ic_stats.is_rx_disassoc++; 2794 switch (ic->ic_opmode) { 2795 case IEEE80211_M_STA: { 2796 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2797 ic->ic_state == IEEE80211_S_RUN); 2798 if (!bgscan) /* ignore disassoc during bgscan */ 2799 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2800 IEEE80211_FC0_SUBTYPE_DISASSOC); 2801 } 2802 break; 2803 #ifndef IEEE80211_STA_ONLY 2804 case IEEE80211_M_HOSTAP: 2805 if (ni != ic->ic_bss) { 2806 if (ic->ic_if.if_flags & IFF_DEBUG) 2807 printf("%s: station %s disassociated " 2808 "by peer (reason %d)\n", 2809 ic->ic_if.if_xname, 2810 ether_sprintf(ni->ni_macaddr), 2811 reason); 2812 ieee80211_node_leave(ic, ni); 2813 } 2814 break; 2815 #endif 2816 default: 2817 break; 2818 } 2819 } 2820 2821 /*- 2822 * ADDBA Request frame format: 2823 * [1] Category 2824 * [1] Action 2825 * [1] Dialog Token 2826 * [2] Block Ack Parameter Set 2827 * [2] Block Ack Timeout Value 2828 * [2] Block Ack Starting Sequence Control 2829 */ 2830 void 2831 ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m, 2832 struct ieee80211_node *ni) 2833 { 2834 const struct ieee80211_frame *wh; 2835 const u_int8_t *frm; 2836 struct ieee80211_rx_ba *ba; 2837 u_int16_t params, ssn, bufsz, timeout; 2838 u_int8_t token, tid; 2839 int err = 0; 2840 2841 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2842 DPRINTF(("received ADDBA req from non-HT STA %s\n", 2843 ether_sprintf(ni->ni_macaddr))); 2844 return; 2845 } 2846 if (m->m_len < sizeof(*wh) + 9) { 2847 DPRINTF(("frame too short\n")); 2848 return; 2849 } 2850 /* MLME-ADDBA.indication */ 2851 wh = mtod(m, struct ieee80211_frame *); 2852 frm = (const u_int8_t *)&wh[1]; 2853 2854 token = frm[2]; 2855 params = LE_READ_2(&frm[3]); 2856 tid = ((params & IEEE80211_ADDBA_TID_MASK) >> 2857 IEEE80211_ADDBA_TID_SHIFT); 2858 bufsz = (params & IEEE80211_ADDBA_BUFSZ_MASK) >> 2859 IEEE80211_ADDBA_BUFSZ_SHIFT; 2860 timeout = LE_READ_2(&frm[5]); 2861 ssn = LE_READ_2(&frm[7]) >> 4; 2862 2863 ba = &ni->ni_rx_ba[tid]; 2864 /* The driver is still processing an ADDBA request for this tid. */ 2865 if (ba->ba_state == IEEE80211_BA_REQUESTED) 2866 return; 2867 /* If we are in the process of roaming between APs, ignore. */ 2868 if ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2869 (ic->ic_xflags & IEEE80211_F_TX_MGMT_ONLY)) 2870 return; 2871 /* check if we already have a Block Ack agreement for this RA/TID */ 2872 if (ba->ba_state == IEEE80211_BA_AGREED) { 2873 /* XXX should we update the timeout value? */ 2874 /* reset Block Ack inactivity timer */ 2875 if (ba->ba_timeout_val != 0) 2876 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2877 2878 /* check if it's a Protected Block Ack agreement */ 2879 if (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2880 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) 2881 return; /* not a PBAC, ignore */ 2882 2883 /* PBAC: treat the ADDBA Request like a BlockAckReq */ 2884 if (SEQ_LT(ba->ba_winstart, ssn)) { 2885 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 2886 ieee80211_ba_move_window(ic, ni, tid, ssn, &ml); 2887 if_input(&ic->ic_if, &ml); 2888 } 2889 return; 2890 } 2891 2892 /* if PBAC required but RA does not support it, refuse request */ 2893 if ((ic->ic_flags & IEEE80211_F_PBAR) && 2894 (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2895 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))) 2896 goto refuse; 2897 /* 2898 * If the TID for which the Block Ack agreement is requested is 2899 * configured with a no-ACK policy, refuse the agreement. 2900 */ 2901 if (ic->ic_tid_noack & (1 << tid)) 2902 goto refuse; 2903 2904 /* check that we support the requested Block Ack Policy */ 2905 if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) && 2906 !(params & IEEE80211_ADDBA_BA_POLICY)) 2907 goto refuse; 2908 2909 /* setup Block Ack agreement */ 2910 ba->ba_state = IEEE80211_BA_REQUESTED; 2911 ba->ba_timeout_val = timeout * IEEE80211_DUR_TU; 2912 ba->ba_ni = ni; 2913 ba->ba_token = token; 2914 timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba); 2915 timeout_set(&ba->ba_gap_to, ieee80211_input_ba_gap_timeout, ba); 2916 ba->ba_gapwait = 0; 2917 ba->ba_winsize = bufsz; 2918 if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ) 2919 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 2920 ba->ba_params = (params & IEEE80211_ADDBA_BA_POLICY); 2921 ba->ba_params |= ((ba->ba_winsize << IEEE80211_ADDBA_BUFSZ_SHIFT) | 2922 (tid << IEEE80211_ADDBA_TID_SHIFT)); 2923 ba->ba_params |= IEEE80211_ADDBA_AMSDU; 2924 ba->ba_winstart = ssn; 2925 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 2926 /* allocate and setup our reordering buffer */ 2927 ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf), 2928 M_DEVBUF, M_NOWAIT | M_ZERO); 2929 if (ba->ba_buf == NULL) 2930 goto refuse; 2931 2932 ba->ba_head = 0; 2933 2934 /* notify drivers of this new Block Ack agreement */ 2935 if (ic->ic_ampdu_rx_start != NULL) 2936 err = ic->ic_ampdu_rx_start(ic, ni, tid); 2937 if (err == EBUSY) { 2938 /* driver will accept or refuse agreement when done */ 2939 return; 2940 } else if (err) { 2941 /* driver failed to setup, rollback */ 2942 ieee80211_addba_req_refuse(ic, ni, tid); 2943 } else 2944 ieee80211_addba_req_accept(ic, ni, tid); 2945 return; 2946 2947 refuse: 2948 /* MLME-ADDBA.response */ 2949 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2950 IEEE80211_ACTION_ADDBA_RESP, 2951 IEEE80211_STATUS_REFUSED << 16 | token << 8 | tid); 2952 } 2953 2954 void 2955 ieee80211_addba_req_accept(struct ieee80211com *ic, struct ieee80211_node *ni, 2956 uint8_t tid) 2957 { 2958 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2959 2960 ba->ba_state = IEEE80211_BA_AGREED; 2961 ic->ic_stats.is_ht_rx_ba_agreements++; 2962 /* start Block Ack inactivity timer */ 2963 if (ba->ba_timeout_val != 0) 2964 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2965 2966 /* MLME-ADDBA.response */ 2967 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2968 IEEE80211_ACTION_ADDBA_RESP, 2969 IEEE80211_STATUS_SUCCESS << 16 | ba->ba_token << 8 | tid); 2970 } 2971 2972 void 2973 ieee80211_addba_req_refuse(struct ieee80211com *ic, struct ieee80211_node *ni, 2974 uint8_t tid) 2975 { 2976 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2977 2978 free(ba->ba_buf, M_DEVBUF, 2979 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 2980 ba->ba_buf = NULL; 2981 ba->ba_state = IEEE80211_BA_INIT; 2982 2983 /* MLME-ADDBA.response */ 2984 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2985 IEEE80211_ACTION_ADDBA_RESP, 2986 IEEE80211_STATUS_REFUSED << 16 | ba->ba_token << 8 | tid); 2987 } 2988 2989 /*- 2990 * ADDBA Response frame format: 2991 * [1] Category 2992 * [1] Action 2993 * [1] Dialog Token 2994 * [2] Status Code 2995 * [2] Block Ack Parameter Set 2996 * [2] Block Ack Timeout Value 2997 */ 2998 void 2999 ieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m, 3000 struct ieee80211_node *ni) 3001 { 3002 const struct ieee80211_frame *wh; 3003 const u_int8_t *frm; 3004 struct ieee80211_tx_ba *ba; 3005 u_int16_t status, params, bufsz, timeout; 3006 u_int8_t token, tid; 3007 int err = 0; 3008 3009 if (m->m_len < sizeof(*wh) + 9) { 3010 DPRINTF(("frame too short\n")); 3011 return; 3012 } 3013 wh = mtod(m, struct ieee80211_frame *); 3014 frm = (const u_int8_t *)&wh[1]; 3015 3016 token = frm[2]; 3017 status = LE_READ_2(&frm[3]); 3018 params = LE_READ_2(&frm[5]); 3019 tid = (params >> 2) & 0xf; 3020 bufsz = (params >> 6) & 0x3ff; 3021 timeout = LE_READ_2(&frm[7]); 3022 3023 DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n", 3024 ether_sprintf(ni->ni_macaddr), tid, status)); 3025 3026 /* 3027 * Ignore if no ADDBA request has been sent for this RA/TID or 3028 * if we already have a Block Ack agreement. 3029 */ 3030 ba = &ni->ni_tx_ba[tid]; 3031 if (ba->ba_state != IEEE80211_BA_REQUESTED) { 3032 DPRINTF(("no matching ADDBA req found\n")); 3033 return; 3034 } 3035 if (token != ba->ba_token) { 3036 DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n", 3037 ether_sprintf(ni->ni_macaddr), token, ba->ba_token)); 3038 return; 3039 } 3040 /* we got an ADDBA Response matching our request, stop timeout */ 3041 timeout_del(&ba->ba_to); 3042 3043 if (status != IEEE80211_STATUS_SUCCESS) { 3044 if (ni->ni_addba_req_intval[tid] < 3045 IEEE80211_ADDBA_REQ_INTVAL_MAX) 3046 ni->ni_addba_req_intval[tid]++; 3047 3048 ieee80211_addba_resp_refuse(ic, ni, tid, status); 3049 3050 /* 3051 * In case the peer believes there is an existing 3052 * block ack agreement with us, try to delete it. 3053 */ 3054 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 3055 IEEE80211_ACTION_DELBA, 3056 IEEE80211_REASON_SETUP_REQUIRED << 16 | 1 << 8 | tid); 3057 return; 3058 } 3059 3060 /* notify drivers of this new Block Ack agreement */ 3061 if (ic->ic_ampdu_tx_start != NULL) 3062 err = ic->ic_ampdu_tx_start(ic, ni, tid); 3063 3064 if (err == EBUSY) { 3065 /* driver will accept or refuse agreement when done */ 3066 return; 3067 } else if (err) { 3068 /* driver failed to setup, rollback */ 3069 ieee80211_addba_resp_refuse(ic, ni, tid, 3070 IEEE80211_STATUS_UNSPECIFIED); 3071 } else 3072 ieee80211_addba_resp_accept(ic, ni, tid); 3073 } 3074 3075 void 3076 ieee80211_addba_resp_accept(struct ieee80211com *ic, 3077 struct ieee80211_node *ni, uint8_t tid) 3078 { 3079 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 3080 3081 /* MLME-ADDBA.confirm(Success) */ 3082 ba->ba_state = IEEE80211_BA_AGREED; 3083 ic->ic_stats.is_ht_tx_ba_agreements++; 3084 3085 /* Reset ADDBA request interval. */ 3086 ni->ni_addba_req_intval[tid] = 1; 3087 3088 ni->ni_qos_txseqs[tid] = ba->ba_winstart; 3089 3090 /* start Block Ack inactivity timeout */ 3091 if (ba->ba_timeout_val != 0) 3092 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 3093 } 3094 3095 void 3096 ieee80211_addba_resp_refuse(struct ieee80211com *ic, 3097 struct ieee80211_node *ni, uint8_t tid, uint16_t status) 3098 { 3099 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 3100 3101 /* MLME-ADDBA.confirm(Failure) */ 3102 ba->ba_state = IEEE80211_BA_INIT; 3103 } 3104 3105 /*- 3106 * DELBA frame format: 3107 * [1] Category 3108 * [1] Action 3109 * [2] DELBA Parameter Set 3110 * [2] Reason Code 3111 */ 3112 void 3113 ieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m, 3114 struct ieee80211_node *ni) 3115 { 3116 const struct ieee80211_frame *wh; 3117 const u_int8_t *frm; 3118 u_int16_t params, reason; 3119 u_int8_t tid; 3120 int i; 3121 3122 if (m->m_len < sizeof(*wh) + 6) { 3123 DPRINTF(("frame too short\n")); 3124 return; 3125 } 3126 wh = mtod(m, struct ieee80211_frame *); 3127 frm = (const u_int8_t *)&wh[1]; 3128 3129 params = LE_READ_2(&frm[2]); 3130 reason = LE_READ_2(&frm[4]); 3131 tid = params >> 12; 3132 3133 DPRINTF(("received DELBA from %s, TID %d, reason %d\n", 3134 ether_sprintf(ni->ni_macaddr), tid, reason)); 3135 3136 if (params & IEEE80211_DELBA_INITIATOR) { 3137 /* MLME-DELBA.indication(Originator) */ 3138 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 3139 3140 if (ba->ba_state != IEEE80211_BA_AGREED) { 3141 DPRINTF(("no matching Block Ack agreement\n")); 3142 return; 3143 } 3144 /* notify drivers of the end of the Block Ack agreement */ 3145 if (ic->ic_ampdu_rx_stop != NULL) 3146 ic->ic_ampdu_rx_stop(ic, ni, tid); 3147 3148 ba->ba_state = IEEE80211_BA_INIT; 3149 /* stop Block Ack inactivity timer */ 3150 timeout_del(&ba->ba_to); 3151 timeout_del(&ba->ba_gap_to); 3152 ba->ba_gapwait = 0; 3153 3154 if (ba->ba_buf != NULL) { 3155 /* free all MSDUs stored in reordering buffer */ 3156 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 3157 m_freem(ba->ba_buf[i].m); 3158 /* free reordering buffer */ 3159 free(ba->ba_buf, M_DEVBUF, 3160 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 3161 ba->ba_buf = NULL; 3162 } 3163 } else { 3164 /* MLME-DELBA.indication(Recipient) */ 3165 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 3166 3167 if (ba->ba_state != IEEE80211_BA_AGREED) { 3168 DPRINTF(("no matching Block Ack agreement\n")); 3169 return; 3170 } 3171 /* notify drivers of the end of the Block Ack agreement */ 3172 if (ic->ic_ampdu_tx_stop != NULL) 3173 ic->ic_ampdu_tx_stop(ic, ni, tid); 3174 3175 ba->ba_state = IEEE80211_BA_INIT; 3176 /* stop Block Ack inactivity timer */ 3177 timeout_del(&ba->ba_to); 3178 } 3179 } 3180 3181 /*- 3182 * SA Query Request frame format: 3183 * [1] Category 3184 * [1] Action 3185 * [2] Transaction Identifier 3186 */ 3187 void 3188 ieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m, 3189 struct ieee80211_node *ni) 3190 { 3191 const struct ieee80211_frame *wh; 3192 const u_int8_t *frm; 3193 3194 if (ic->ic_opmode != IEEE80211_M_STA || 3195 !(ni->ni_flags & IEEE80211_NODE_MFP)) { 3196 DPRINTF(("unexpected SA Query req from %s\n", 3197 ether_sprintf(ni->ni_macaddr))); 3198 return; 3199 } 3200 if (m->m_len < sizeof(*wh) + 4) { 3201 DPRINTF(("frame too short\n")); 3202 return; 3203 } 3204 wh = mtod(m, struct ieee80211_frame *); 3205 frm = (const u_int8_t *)&wh[1]; 3206 3207 /* MLME-SAQuery.indication */ 3208 3209 /* save Transaction Identifier for SA Query Response */ 3210 ni->ni_sa_query_trid = LE_READ_2(&frm[2]); 3211 3212 /* MLME-SAQuery.response */ 3213 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 3214 IEEE80211_ACTION_SA_QUERY_RESP, 0); 3215 } 3216 3217 #ifndef IEEE80211_STA_ONLY 3218 /*- 3219 * SA Query Response frame format: 3220 * [1] Category 3221 * [1] Action 3222 * [2] Transaction Identifier 3223 */ 3224 void 3225 ieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m, 3226 struct ieee80211_node *ni) 3227 { 3228 const struct ieee80211_frame *wh; 3229 const u_int8_t *frm; 3230 3231 /* ignore if we're not engaged in an SA Query with that STA */ 3232 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 3233 DPRINTF(("unexpected SA Query resp from %s\n", 3234 ether_sprintf(ni->ni_macaddr))); 3235 return; 3236 } 3237 if (m->m_len < sizeof(*wh) + 4) { 3238 DPRINTF(("frame too short\n")); 3239 return; 3240 } 3241 wh = mtod(m, struct ieee80211_frame *); 3242 frm = (const u_int8_t *)&wh[1]; 3243 3244 /* check that Transaction Identifier matches */ 3245 if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) { 3246 DPRINTF(("transaction identifier does not match\n")); 3247 return; 3248 } 3249 /* MLME-SAQuery.confirm */ 3250 timeout_del(&ni->ni_sa_query_to); 3251 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 3252 } 3253 #endif 3254 3255 /*- 3256 * Action frame format: 3257 * [1] Category 3258 * [1] Action 3259 */ 3260 void 3261 ieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m, 3262 struct ieee80211_node *ni) 3263 { 3264 const struct ieee80211_frame *wh; 3265 const u_int8_t *frm; 3266 3267 if (m->m_len < sizeof(*wh) + 2) { 3268 DPRINTF(("frame too short\n")); 3269 return; 3270 } 3271 wh = mtod(m, struct ieee80211_frame *); 3272 frm = (const u_int8_t *)&wh[1]; 3273 3274 switch (frm[0]) { 3275 case IEEE80211_CATEG_BA: 3276 switch (frm[1]) { 3277 case IEEE80211_ACTION_ADDBA_REQ: 3278 ieee80211_recv_addba_req(ic, m, ni); 3279 break; 3280 case IEEE80211_ACTION_ADDBA_RESP: 3281 ieee80211_recv_addba_resp(ic, m, ni); 3282 break; 3283 case IEEE80211_ACTION_DELBA: 3284 ieee80211_recv_delba(ic, m, ni); 3285 break; 3286 } 3287 break; 3288 case IEEE80211_CATEG_SA_QUERY: 3289 switch (frm[1]) { 3290 case IEEE80211_ACTION_SA_QUERY_REQ: 3291 ieee80211_recv_sa_query_req(ic, m, ni); 3292 break; 3293 #ifndef IEEE80211_STA_ONLY 3294 case IEEE80211_ACTION_SA_QUERY_RESP: 3295 ieee80211_recv_sa_query_resp(ic, m, ni); 3296 break; 3297 #endif 3298 } 3299 break; 3300 default: 3301 DPRINTF(("action frame category %d not handled\n", frm[0])); 3302 break; 3303 } 3304 } 3305 3306 void 3307 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m, 3308 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype) 3309 { 3310 switch (subtype) { 3311 case IEEE80211_FC0_SUBTYPE_BEACON: 3312 ieee80211_recv_probe_resp(ic, m, ni, rxi, 0); 3313 break; 3314 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 3315 ieee80211_recv_probe_resp(ic, m, ni, rxi, 1); 3316 break; 3317 #ifndef IEEE80211_STA_ONLY 3318 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 3319 ieee80211_recv_probe_req(ic, m, ni, rxi); 3320 break; 3321 #endif 3322 case IEEE80211_FC0_SUBTYPE_AUTH: 3323 ieee80211_recv_auth(ic, m, ni, rxi); 3324 break; 3325 #ifndef IEEE80211_STA_ONLY 3326 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 3327 ieee80211_recv_assoc_req(ic, m, ni, rxi, 0); 3328 break; 3329 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 3330 ieee80211_recv_assoc_req(ic, m, ni, rxi, 1); 3331 break; 3332 #endif 3333 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 3334 ieee80211_recv_assoc_resp(ic, m, ni, 0); 3335 break; 3336 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 3337 ieee80211_recv_assoc_resp(ic, m, ni, 1); 3338 break; 3339 case IEEE80211_FC0_SUBTYPE_DEAUTH: 3340 ieee80211_recv_deauth(ic, m, ni); 3341 break; 3342 case IEEE80211_FC0_SUBTYPE_DISASSOC: 3343 ieee80211_recv_disassoc(ic, m, ni); 3344 break; 3345 case IEEE80211_FC0_SUBTYPE_ACTION: 3346 ieee80211_recv_action(ic, m, ni); 3347 break; 3348 default: 3349 DPRINTF(("mgmt frame with subtype 0x%x not handled\n", 3350 subtype)); 3351 ic->ic_stats.is_rx_badsubtype++; 3352 break; 3353 } 3354 } 3355 3356 #ifndef IEEE80211_STA_ONLY 3357 /* 3358 * Process an incoming PS-Poll control frame (see 11.2). 3359 */ 3360 void 3361 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m, 3362 struct ieee80211_node *ni) 3363 { 3364 struct ifnet *ifp = &ic->ic_if; 3365 struct ieee80211_frame_pspoll *psp; 3366 struct ieee80211_frame *wh; 3367 u_int16_t aid; 3368 3369 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 3370 !(ic->ic_caps & IEEE80211_C_APPMGT) || 3371 ni->ni_state != IEEE80211_STA_ASSOC) 3372 return; 3373 3374 if (m->m_len < sizeof(*psp)) { 3375 DPRINTF(("frame too short, len %u\n", m->m_len)); 3376 ic->ic_stats.is_rx_tooshort++; 3377 return; 3378 } 3379 psp = mtod(m, struct ieee80211_frame_pspoll *); 3380 if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) { 3381 DPRINTF(("discard pspoll frame to BSS %s\n", 3382 ether_sprintf(psp->i_bssid))); 3383 ic->ic_stats.is_rx_wrongbss++; 3384 return; 3385 } 3386 aid = letoh16(*(u_int16_t *)psp->i_aid); 3387 if (aid != ni->ni_associd) { 3388 DPRINTF(("invalid pspoll aid %x from %s\n", aid, 3389 ether_sprintf(psp->i_ta))); 3390 return; 3391 } 3392 3393 /* take the first queued frame and put it out.. */ 3394 m = mq_dequeue(&ni->ni_savedq); 3395 if (m == NULL) 3396 return; 3397 if (mq_empty(&ni->ni_savedq)) { 3398 /* last queued frame, turn off the TIM bit */ 3399 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 3400 } else { 3401 /* more queued frames, set the more data bit */ 3402 wh = mtod(m, struct ieee80211_frame *); 3403 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 3404 } 3405 mq_enqueue(&ic->ic_pwrsaveq, m); 3406 if_start(ifp); 3407 } 3408 #endif /* IEEE80211_STA_ONLY */ 3409 3410 /* 3411 * Process an incoming BlockAckReq control frame (see 7.2.1.7). 3412 */ 3413 void 3414 ieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m, 3415 struct ieee80211_node *ni) 3416 { 3417 const struct ieee80211_frame_min *wh; 3418 const u_int8_t *frm; 3419 u_int16_t ctl, ssn; 3420 u_int8_t tid, ntids; 3421 3422 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 3423 DPRINTF(("received BlockAckReq from non-HT STA %s\n", 3424 ether_sprintf(ni->ni_macaddr))); 3425 return; 3426 } 3427 if (m->m_len < sizeof(*wh) + 4) { 3428 DPRINTF(("frame too short\n")); 3429 return; 3430 } 3431 wh = mtod(m, struct ieee80211_frame_min *); 3432 frm = (const u_int8_t *)&wh[1]; 3433 3434 /* read BlockAckReq Control field */ 3435 ctl = LE_READ_2(&frm[0]); 3436 tid = ctl >> 12; 3437 3438 /* determine BlockAckReq frame variant */ 3439 if (ctl & IEEE80211_BA_MULTI_TID) { 3440 /* Multi-TID BlockAckReq variant (PSMP only) */ 3441 ntids = tid + 1; 3442 3443 if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) { 3444 DPRINTF(("MTBAR frame too short\n")); 3445 return; 3446 } 3447 frm += 2; /* skip BlockAckReq Control field */ 3448 while (ntids-- > 0) { 3449 /* read MTBAR Information field */ 3450 tid = LE_READ_2(&frm[0]) >> 12; 3451 ssn = LE_READ_2(&frm[2]) >> 4; 3452 ieee80211_bar_tid(ic, ni, tid, ssn); 3453 frm += 4; 3454 } 3455 } else { 3456 /* Basic or Compressed BlockAckReq variants */ 3457 ssn = LE_READ_2(&frm[2]) >> 4; 3458 ieee80211_bar_tid(ic, ni, tid, ssn); 3459 } 3460 } 3461 3462 /* 3463 * Process a BlockAckReq for a specific TID (see 9.10.7.6.3). 3464 * This is the common back-end for all BlockAckReq frame variants. 3465 */ 3466 void 3467 ieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni, 3468 u_int8_t tid, u_int16_t ssn) 3469 { 3470 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 3471 3472 /* check if we have a Block Ack agreement for RA/TID */ 3473 if (ba->ba_state != IEEE80211_BA_AGREED) { 3474 /* XXX not sure in PBAC case */ 3475 /* send a DELBA with reason code UNKNOWN-BA */ 3476 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 3477 IEEE80211_ACTION_DELBA, 3478 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 3479 return; 3480 } 3481 /* check if it is a Protected Block Ack agreement */ 3482 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 3483 (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) { 3484 /* ADDBA Requests must be used in PBAC case */ 3485 if (SEQ_LT(ssn, ba->ba_winstart) || 3486 SEQ_LT(ba->ba_winend, ssn)) 3487 ic->ic_stats.is_pbac_errs++; 3488 return; /* PBAC, do not move window */ 3489 } 3490 /* reset Block Ack inactivity timer */ 3491 if (ba->ba_timeout_val != 0) 3492 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 3493 3494 if (SEQ_LT(ba->ba_winstart, ssn)) { 3495 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 3496 ieee80211_ba_move_window(ic, ni, tid, ssn, &ml); 3497 if_input(&ic->ic_if, &ml); 3498 } 3499 } 3500