1 /*- 2 * Copyright (c) 2007-2009 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 * 25 * $FreeBSD: head/sys/net80211/ieee80211_adhoc.c 203422 2010-02-03 10:07:43Z rpaulo $ 26 * $DragonFly$ 27 */ 28 29 /* 30 * IEEE 802.11 IBSS mode support. 31 */ 32 #include "opt_inet.h" 33 #include "opt_wlan.h" 34 35 #include <sys/param.h> 36 #include <sys/systm.h> 37 #include <sys/mbuf.h> 38 #include <sys/malloc.h> 39 #include <sys/kernel.h> 40 41 #include <sys/socket.h> 42 #include <sys/sockio.h> 43 #include <sys/endian.h> 44 #include <sys/errno.h> 45 #include <sys/proc.h> 46 #include <sys/sysctl.h> 47 48 #include <net/if.h> 49 #include <net/if_media.h> 50 #include <net/if_llc.h> 51 #include <net/ethernet.h> 52 #include <net/route.h> 53 54 #include <net/bpf.h> 55 56 #include <netproto/802_11/ieee80211_var.h> 57 #include <netproto/802_11/ieee80211_adhoc.h> 58 #include <netproto/802_11/ieee80211_input.h> 59 #ifdef IEEE80211_SUPPORT_SUPERG 60 #include <netproto/802_11/ieee80211_superg.h> 61 #endif 62 #ifdef IEEE80211_SUPPORT_TDMA 63 #include <netproto/802_11/ieee80211_tdma.h> 64 #endif 65 66 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 67 68 static void adhoc_vattach(struct ieee80211vap *); 69 static int adhoc_newstate(struct ieee80211vap *, enum ieee80211_state, int); 70 static int adhoc_input(struct ieee80211_node *, struct mbuf *, int, int); 71 static void adhoc_recv_mgmt(struct ieee80211_node *, struct mbuf *, 72 int subtype, int, int); 73 static void ahdemo_recv_mgmt(struct ieee80211_node *, struct mbuf *, 74 int subtype, int, int); 75 static void adhoc_recv_ctl(struct ieee80211_node *, struct mbuf *, int subtype); 76 77 void 78 ieee80211_adhoc_attach(struct ieee80211com *ic) 79 { 80 ic->ic_vattach[IEEE80211_M_IBSS] = adhoc_vattach; 81 ic->ic_vattach[IEEE80211_M_AHDEMO] = adhoc_vattach; 82 } 83 84 void 85 ieee80211_adhoc_detach(struct ieee80211com *ic) 86 { 87 } 88 89 static void 90 adhoc_vdetach(struct ieee80211vap *vap) 91 { 92 } 93 94 static void 95 adhoc_vattach(struct ieee80211vap *vap) 96 { 97 vap->iv_newstate = adhoc_newstate; 98 vap->iv_input = adhoc_input; 99 if (vap->iv_opmode == IEEE80211_M_IBSS) 100 vap->iv_recv_mgmt = adhoc_recv_mgmt; 101 else 102 vap->iv_recv_mgmt = ahdemo_recv_mgmt; 103 vap->iv_recv_ctl = adhoc_recv_ctl; 104 vap->iv_opdetach = adhoc_vdetach; 105 #ifdef IEEE80211_SUPPORT_TDMA 106 /* 107 * Throw control to tdma support. Note we do this 108 * after setting up our callbacks so it can piggyback 109 * on top of us. 110 */ 111 if (vap->iv_caps & IEEE80211_C_TDMA) 112 ieee80211_tdma_vattach(vap); 113 #endif 114 } 115 116 static void 117 sta_leave(void *arg, struct ieee80211_node *ni) 118 { 119 struct ieee80211vap *vap = arg; 120 121 if (ni->ni_vap == vap && ni != vap->iv_bss) 122 ieee80211_node_leave(ni); 123 } 124 125 /* 126 * IEEE80211_M_IBSS+IEEE80211_M_AHDEMO vap state machine handler. 127 */ 128 static int 129 adhoc_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 130 { 131 struct ieee80211com *ic = vap->iv_ic; 132 struct ieee80211_node *ni; 133 enum ieee80211_state ostate; 134 135 IEEE80211_LOCK_ASSERT(vap->iv_ic); 136 137 ostate = vap->iv_state; 138 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 139 __func__, ieee80211_state_name[ostate], 140 ieee80211_state_name[nstate], arg); 141 vap->iv_state = nstate; /* state transition */ 142 if (ostate != IEEE80211_S_SCAN) 143 ieee80211_cancel_scan(vap); /* background scan */ 144 ni = vap->iv_bss; /* NB: no reference held */ 145 switch (nstate) { 146 case IEEE80211_S_INIT: 147 switch (ostate) { 148 case IEEE80211_S_SCAN: 149 ieee80211_cancel_scan(vap); 150 break; 151 default: 152 break; 153 } 154 if (ostate != IEEE80211_S_INIT) { 155 /* NB: optimize INIT -> INIT case */ 156 ieee80211_reset_bss(vap); 157 } 158 break; 159 case IEEE80211_S_SCAN: 160 switch (ostate) { 161 case IEEE80211_S_RUN: /* beacon miss */ 162 /* purge station table; entries are stale */ 163 ieee80211_iterate_nodes(&ic->ic_sta, sta_leave, vap); 164 /* fall thru... */ 165 case IEEE80211_S_INIT: 166 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 167 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 168 /* 169 * Already have a channel; bypass the 170 * scan and startup immediately. 171 */ 172 ieee80211_create_ibss(vap, vap->iv_des_chan); 173 break; 174 } 175 /* 176 * Initiate a scan. We can come here as a result 177 * of an IEEE80211_IOC_SCAN_REQ too in which case 178 * the vap will be marked with IEEE80211_FEXT_SCANREQ 179 * and the scan request parameters will be present 180 * in iv_scanreq. Otherwise we do the default. 181 */ 182 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 183 ieee80211_check_scan(vap, 184 vap->iv_scanreq_flags, 185 vap->iv_scanreq_duration, 186 vap->iv_scanreq_mindwell, 187 vap->iv_scanreq_maxdwell, 188 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 189 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 190 } else 191 ieee80211_check_scan_current(vap); 192 break; 193 case IEEE80211_S_SCAN: 194 /* 195 * This can happen because of a change in state 196 * that requires a reset. Trigger a new scan 197 * unless we're in manual roaming mode in which 198 * case an application must issue an explicit request. 199 */ 200 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) 201 ieee80211_check_scan_current(vap); 202 break; 203 default: 204 goto invalid; 205 } 206 break; 207 case IEEE80211_S_RUN: 208 if (vap->iv_flags & IEEE80211_F_WPA) { 209 /* XXX validate prerequisites */ 210 } 211 switch (ostate) { 212 case IEEE80211_S_SCAN: 213 #ifdef IEEE80211_DEBUG 214 if (ieee80211_msg_debug(vap)) { 215 ieee80211_note(vap, 216 "synchronized with %6D ssid ", 217 ni->ni_bssid, ":"); 218 ieee80211_print_essid(vap->iv_bss->ni_essid, 219 ni->ni_esslen); 220 /* XXX MCS/HT */ 221 kprintf(" channel %d start %uMb\n", 222 ieee80211_chan2ieee(ic, ic->ic_curchan), 223 IEEE80211_RATE2MBS(ni->ni_txrate)); 224 } 225 #endif 226 break; 227 default: 228 goto invalid; 229 } 230 /* 231 * When 802.1x is not in use mark the port authorized 232 * at this point so traffic can flow. 233 */ 234 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 235 ieee80211_node_authorize(ni); 236 /* 237 * Fake association when joining an existing bss. 238 */ 239 if (!IEEE80211_ADDR_EQ(ni->ni_macaddr, vap->iv_myaddr) && 240 ic->ic_newassoc != NULL) 241 ic->ic_newassoc(ni, ostate != IEEE80211_S_RUN); 242 break; 243 case IEEE80211_S_SLEEP: 244 ieee80211_sta_pwrsave(vap, 0); 245 break; 246 default: 247 invalid: 248 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, 249 "%s: unexpected state transition %s -> %s\n", __func__, 250 ieee80211_state_name[ostate], ieee80211_state_name[nstate]); 251 break; 252 } 253 return 0; 254 } 255 256 /* 257 * Decide if a received management frame should be 258 * printed when debugging is enabled. This filters some 259 * of the less interesting frames that come frequently 260 * (e.g. beacons). 261 */ 262 static __inline int 263 doprint(struct ieee80211vap *vap, int subtype) 264 { 265 switch (subtype) { 266 case IEEE80211_FC0_SUBTYPE_BEACON: 267 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 268 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 269 return 1; 270 } 271 return 1; 272 } 273 274 /* 275 * Process a received frame. The node associated with the sender 276 * should be supplied. If nothing was found in the node table then 277 * the caller is assumed to supply a reference to iv_bss instead. 278 * The RSSI and a timestamp are also supplied. The RSSI data is used 279 * during AP scanning to select a AP to associate with; it can have 280 * any units so long as values have consistent units and higher values 281 * mean ``better signal''. The receive timestamp is currently not used 282 * by the 802.11 layer. 283 */ 284 static int 285 adhoc_input(struct ieee80211_node *ni, struct mbuf *m, int rssi, int nf) 286 { 287 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 288 #define HAS_SEQ(type) ((type & 0x4) == 0) 289 struct ieee80211vap *vap = ni->ni_vap; 290 struct ieee80211com *ic = ni->ni_ic; 291 struct ifnet *ifp = vap->iv_ifp; 292 struct ieee80211_frame *wh; 293 struct ieee80211_key *key; 294 struct ether_header *eh; 295 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */ 296 uint8_t dir, type, subtype, qos; 297 uint8_t *bssid; 298 uint16_t rxseq; 299 300 if (m->m_flags & M_AMPDU_MPDU) { 301 /* 302 * Fastpath for A-MPDU reorder q resubmission. Frames 303 * w/ M_AMPDU_MPDU marked have already passed through 304 * here but were received out of order and been held on 305 * the reorder queue. When resubmitted they are marked 306 * with the M_AMPDU_MPDU flag and we can bypass most of 307 * the normal processing. 308 */ 309 wh = mtod(m, struct ieee80211_frame *); 310 type = IEEE80211_FC0_TYPE_DATA; 311 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 312 subtype = IEEE80211_FC0_SUBTYPE_QOS; 313 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 314 goto resubmit_ampdu; 315 } 316 317 KASSERT(ni != NULL, ("null node")); 318 ni->ni_inact = ni->ni_inact_reload; 319 320 type = -1; /* undefined */ 321 322 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 323 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 324 ni->ni_macaddr, NULL, 325 "too short (1): len %u", m->m_pkthdr.len); 326 vap->iv_stats.is_rx_tooshort++; 327 goto out; 328 } 329 /* 330 * Bit of a cheat here, we use a pointer for a 3-address 331 * frame format but don't reference fields past outside 332 * ieee80211_frame_min w/o first validating the data is 333 * present. 334 */ 335 wh = mtod(m, struct ieee80211_frame *); 336 337 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 338 IEEE80211_FC0_VERSION_0) { 339 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 340 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 341 wh->i_fc[0], wh->i_fc[1]); 342 vap->iv_stats.is_rx_badversion++; 343 goto err; 344 } 345 346 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 347 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 348 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 349 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 350 if (dir != IEEE80211_FC1_DIR_NODS) 351 bssid = wh->i_addr1; 352 else if (type == IEEE80211_FC0_TYPE_CTL) 353 bssid = wh->i_addr1; 354 else { 355 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 356 IEEE80211_DISCARD_MAC(vap, 357 IEEE80211_MSG_ANY, ni->ni_macaddr, 358 NULL, "too short (2): len %u", 359 m->m_pkthdr.len); 360 vap->iv_stats.is_rx_tooshort++; 361 goto out; 362 } 363 bssid = wh->i_addr3; 364 } 365 /* 366 * Validate the bssid. 367 */ 368 if (!IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 369 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 370 /* not interested in */ 371 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 372 bssid, NULL, "%s", "not to bss"); 373 vap->iv_stats.is_rx_wrongbss++; 374 goto out; 375 } 376 /* 377 * Data frame, cons up a node when it doesn't 378 * exist. This should probably done after an ACL check. 379 */ 380 if (type == IEEE80211_FC0_TYPE_DATA && 381 ni == vap->iv_bss && 382 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 383 /* 384 * Beware of frames that come in too early; we 385 * can receive broadcast frames and creating sta 386 * entries will blow up because there is no bss 387 * channel yet. 388 */ 389 if (vap->iv_state != IEEE80211_S_RUN) { 390 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 391 wh, "data", "not in RUN state (%s)", 392 ieee80211_state_name[vap->iv_state]); 393 vap->iv_stats.is_rx_badstate++; 394 goto err; 395 } 396 /* 397 * Fake up a node for this newly 398 * discovered member of the IBSS. 399 */ 400 ni = ieee80211_fakeup_adhoc_node(vap, wh->i_addr2); 401 if (ni == NULL) { 402 /* NB: stat kept for alloc failure */ 403 goto err; 404 } 405 } 406 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 407 ni->ni_noise = nf; 408 if (HAS_SEQ(type)) { 409 uint8_t tid = ieee80211_gettid(wh); 410 if (IEEE80211_QOS_HAS_SEQ(wh) && 411 TID_TO_WME_AC(tid) >= WME_AC_VI) 412 ic->ic_wme.wme_hipri_traffic++; 413 rxseq = le16toh(*(uint16_t *)wh->i_seq); 414 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 && 415 (wh->i_fc[1] & IEEE80211_FC1_RETRY) && 416 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) { 417 /* duplicate, discard */ 418 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 419 bssid, "duplicate", 420 "seqno <%u,%u> fragno <%u,%u> tid %u", 421 rxseq >> IEEE80211_SEQ_SEQ_SHIFT, 422 ni->ni_rxseqs[tid] >> 423 IEEE80211_SEQ_SEQ_SHIFT, 424 rxseq & IEEE80211_SEQ_FRAG_MASK, 425 ni->ni_rxseqs[tid] & 426 IEEE80211_SEQ_FRAG_MASK, 427 tid); 428 vap->iv_stats.is_rx_dup++; 429 IEEE80211_NODE_STAT(ni, rx_dup); 430 goto out; 431 } 432 ni->ni_rxseqs[tid] = rxseq; 433 } 434 } 435 436 switch (type) { 437 case IEEE80211_FC0_TYPE_DATA: 438 hdrspace = ieee80211_hdrspace(ic, wh); 439 if (m->m_len < hdrspace && 440 (m = m_pullup(m, hdrspace)) == NULL) { 441 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 442 ni->ni_macaddr, NULL, 443 "data too short: expecting %u", hdrspace); 444 vap->iv_stats.is_rx_tooshort++; 445 goto out; /* XXX */ 446 } 447 if (dir != IEEE80211_FC1_DIR_NODS) { 448 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 449 wh, "data", "incorrect dir 0x%x", dir); 450 vap->iv_stats.is_rx_wrongdir++; 451 goto out; 452 } 453 /* XXX no power-save support */ 454 455 /* 456 * Handle A-MPDU re-ordering. If the frame is to be 457 * processed directly then ieee80211_ampdu_reorder 458 * will return 0; otherwise it has consumed the mbuf 459 * and we should do nothing more with it. 460 */ 461 if ((m->m_flags & M_AMPDU) && 462 ieee80211_ampdu_reorder(ni, m) != 0) { 463 m = NULL; 464 goto out; 465 } 466 resubmit_ampdu: 467 468 /* 469 * Handle privacy requirements. Note that we 470 * must not be preempted from here until after 471 * we (potentially) call ieee80211_crypto_demic; 472 * otherwise we may violate assumptions in the 473 * crypto cipher modules used to do delayed update 474 * of replay sequence numbers. 475 */ 476 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 477 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 478 /* 479 * Discard encrypted frames when privacy is off. 480 */ 481 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 482 wh, "WEP", "%s", "PRIVACY off"); 483 vap->iv_stats.is_rx_noprivacy++; 484 IEEE80211_NODE_STAT(ni, rx_noprivacy); 485 goto out; 486 } 487 key = ieee80211_crypto_decap(ni, m, hdrspace); 488 if (key == NULL) { 489 /* NB: stats+msgs handled in crypto_decap */ 490 IEEE80211_NODE_STAT(ni, rx_wepfail); 491 goto out; 492 } 493 wh = mtod(m, struct ieee80211_frame *); 494 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 495 } else { 496 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 497 key = NULL; 498 } 499 500 /* 501 * Save QoS bits for use below--before we strip the header. 502 */ 503 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) { 504 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ? 505 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] : 506 ((struct ieee80211_qosframe *)wh)->i_qos[0]; 507 } else 508 qos = 0; 509 510 /* 511 * Next up, any fragmentation. 512 */ 513 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 514 m = ieee80211_defrag(ni, m, hdrspace); 515 if (m == NULL) { 516 /* Fragment dropped or frame not complete yet */ 517 goto out; 518 } 519 } 520 wh = NULL; /* no longer valid, catch any uses */ 521 522 /* 523 * Next strip any MSDU crypto bits. 524 */ 525 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 526 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 527 ni->ni_macaddr, "data", "%s", "demic error"); 528 vap->iv_stats.is_rx_demicfail++; 529 IEEE80211_NODE_STAT(ni, rx_demicfail); 530 goto out; 531 } 532 533 /* copy to listener after decrypt */ 534 if (ieee80211_radiotap_active_vap(vap)) 535 ieee80211_radiotap_rx(vap, m); 536 need_tap = 0; 537 538 /* 539 * Finally, strip the 802.11 header. 540 */ 541 m = ieee80211_decap(vap, m, hdrspace); 542 if (m == NULL) { 543 /* XXX mask bit to check for both */ 544 /* don't count Null data frames as errors */ 545 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 546 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 547 goto out; 548 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 549 ni->ni_macaddr, "data", "%s", "decap error"); 550 vap->iv_stats.is_rx_decap++; 551 IEEE80211_NODE_STAT(ni, rx_decap); 552 goto err; 553 } 554 eh = mtod(m, struct ether_header *); 555 if (!ieee80211_node_is_authorized(ni)) { 556 /* 557 * Deny any non-PAE frames received prior to 558 * authorization. For open/shared-key 559 * authentication the port is mark authorized 560 * after authentication completes. For 802.1x 561 * the port is not marked authorized by the 562 * authenticator until the handshake has completed. 563 */ 564 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 565 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 566 eh->ether_shost, "data", 567 "unauthorized port: ether type 0x%x len %u", 568 eh->ether_type, m->m_pkthdr.len); 569 vap->iv_stats.is_rx_unauth++; 570 IEEE80211_NODE_STAT(ni, rx_unauth); 571 goto err; 572 } 573 } else { 574 /* 575 * When denying unencrypted frames, discard 576 * any non-PAE frames received without encryption. 577 */ 578 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 579 (key == NULL && (m->m_flags & M_WEP) == 0) && 580 eh->ether_type != htons(ETHERTYPE_PAE)) { 581 /* 582 * Drop unencrypted frames. 583 */ 584 vap->iv_stats.is_rx_unencrypted++; 585 IEEE80211_NODE_STAT(ni, rx_unencrypted); 586 goto out; 587 } 588 } 589 /* XXX require HT? */ 590 if (qos & IEEE80211_QOS_AMSDU) { 591 m = ieee80211_decap_amsdu(ni, m); 592 if (m == NULL) 593 return IEEE80211_FC0_TYPE_DATA; 594 } else { 595 #ifdef IEEE80211_SUPPORT_SUPERG 596 m = ieee80211_decap_fastframe(vap, ni, m); 597 if (m == NULL) 598 return IEEE80211_FC0_TYPE_DATA; 599 #endif 600 } 601 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 602 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 603 else 604 ieee80211_deliver_data(vap, ni, m); 605 return IEEE80211_FC0_TYPE_DATA; 606 607 case IEEE80211_FC0_TYPE_MGT: 608 vap->iv_stats.is_rx_mgmt++; 609 IEEE80211_NODE_STAT(ni, rx_mgmt); 610 if (dir != IEEE80211_FC1_DIR_NODS) { 611 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 612 wh, "data", "incorrect dir 0x%x", dir); 613 vap->iv_stats.is_rx_wrongdir++; 614 goto err; 615 } 616 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 617 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 618 ni->ni_macaddr, "mgt", "too short: len %u", 619 m->m_pkthdr.len); 620 vap->iv_stats.is_rx_tooshort++; 621 goto out; 622 } 623 #ifdef IEEE80211_DEBUG 624 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 625 ieee80211_msg_dumppkts(vap)) { 626 if_printf(ifp, "received %s from %6D rssi %d\n", 627 ieee80211_mgt_subtype_name[subtype >> 628 IEEE80211_FC0_SUBTYPE_SHIFT], 629 wh->i_addr2, ":", rssi); 630 } 631 #endif 632 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 633 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 634 wh, NULL, "%s", "WEP set but not permitted"); 635 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 636 goto out; 637 } 638 vap->iv_recv_mgmt(ni, m, subtype, rssi, nf); 639 goto out; 640 641 case IEEE80211_FC0_TYPE_CTL: 642 vap->iv_stats.is_rx_ctl++; 643 IEEE80211_NODE_STAT(ni, rx_ctrl); 644 vap->iv_recv_ctl(ni, m, subtype); 645 goto out; 646 647 default: 648 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 649 wh, "bad", "frame type 0x%x", type); 650 /* should not come here */ 651 break; 652 } 653 err: 654 ifp->if_ierrors++; 655 out: 656 if (m != NULL) { 657 if (need_tap && ieee80211_radiotap_active_vap(vap)) 658 ieee80211_radiotap_rx(vap, m); 659 m_freem(m); 660 } 661 return type; 662 #undef SEQ_LEQ 663 } 664 665 static int 666 is11bclient(const uint8_t *rates, const uint8_t *xrates) 667 { 668 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 669 int i; 670 671 /* NB: the 11b clients we care about will not have xrates */ 672 if (xrates != NULL || rates == NULL) 673 return 0; 674 for (i = 0; i < rates[1]; i++) { 675 int r = rates[2+i] & IEEE80211_RATE_VAL; 676 if (r > 2*11 || ((1<<r) & brates) == 0) 677 return 0; 678 } 679 return 1; 680 } 681 682 static void 683 adhoc_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 684 int subtype, int rssi, int nf) 685 { 686 struct ieee80211vap *vap = ni->ni_vap; 687 struct ieee80211com *ic = ni->ni_ic; 688 struct ieee80211_frame *wh; 689 uint8_t *frm, *efrm, *sfrm; 690 uint8_t *ssid, *rates, *xrates; 691 692 wh = mtod(m0, struct ieee80211_frame *); 693 frm = (uint8_t *)&wh[1]; 694 efrm = mtod(m0, uint8_t *) + m0->m_len; 695 switch (subtype) { 696 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 697 case IEEE80211_FC0_SUBTYPE_BEACON: { 698 struct ieee80211_scanparams scan; 699 /* 700 * We process beacon/probe response 701 * frames to discover neighbors. 702 */ 703 if (ieee80211_parse_beacon(ni, m0, &scan) != 0) 704 return; 705 /* 706 * Count frame now that we know it's to be processed. 707 */ 708 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 709 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 710 IEEE80211_NODE_STAT(ni, rx_beacons); 711 } else 712 IEEE80211_NODE_STAT(ni, rx_proberesp); 713 /* 714 * If scanning, just pass information to the scan module. 715 */ 716 if (ic->ic_flags & IEEE80211_F_SCAN) { 717 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) { 718 /* 719 * Actively scanning a channel marked passive; 720 * send a probe request now that we know there 721 * is 802.11 traffic present. 722 * 723 * XXX check if the beacon we recv'd gives 724 * us what we need and suppress the probe req 725 */ 726 ieee80211_probe_curchan(vap, 1); 727 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 728 } 729 ieee80211_add_scan(vap, &scan, wh, subtype, rssi, nf); 730 return; 731 } 732 if (scan.capinfo & IEEE80211_CAPINFO_IBSS) { 733 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 734 /* 735 * Create a new entry in the neighbor table. 736 */ 737 ni = ieee80211_add_neighbor(vap, wh, &scan); 738 } else if (ni->ni_capinfo == 0) { 739 /* 740 * Update faked node created on transmit. 741 * Note this also updates the tsf. 742 */ 743 ieee80211_init_neighbor(ni, wh, &scan); 744 } else { 745 /* 746 * Record tsf for potential resync. 747 */ 748 memcpy(ni->ni_tstamp.data, scan.tstamp, 749 sizeof(ni->ni_tstamp)); 750 } 751 if (ni != NULL) { 752 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 753 ni->ni_noise = nf; 754 } 755 } 756 break; 757 } 758 759 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 760 if (vap->iv_state != IEEE80211_S_RUN) { 761 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 762 wh, NULL, "wrong state %s", 763 ieee80211_state_name[vap->iv_state]); 764 vap->iv_stats.is_rx_mgtdiscard++; 765 return; 766 } 767 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 768 /* frame must be directed */ 769 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 770 wh, NULL, "%s", "not unicast"); 771 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 772 return; 773 } 774 775 /* 776 * prreq frame format 777 * [tlv] ssid 778 * [tlv] supported rates 779 * [tlv] extended supported rates 780 */ 781 ssid = rates = xrates = NULL; 782 sfrm = frm; 783 while (efrm - frm > 1) { 784 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 785 switch (*frm) { 786 case IEEE80211_ELEMID_SSID: 787 ssid = frm; 788 break; 789 case IEEE80211_ELEMID_RATES: 790 rates = frm; 791 break; 792 case IEEE80211_ELEMID_XRATES: 793 xrates = frm; 794 break; 795 } 796 frm += frm[1] + 2; 797 } 798 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 799 if (xrates != NULL) 800 IEEE80211_VERIFY_ELEMENT(xrates, 801 IEEE80211_RATE_MAXSIZE - rates[1], return); 802 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 803 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 804 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 805 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 806 wh, NULL, 807 "%s", "no ssid with ssid suppression enabled"); 808 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 809 return; 810 } 811 812 /* XXX find a better class or define it's own */ 813 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 814 "%s", "recv probe req"); 815 /* 816 * Some legacy 11b clients cannot hack a complete 817 * probe response frame. When the request includes 818 * only a bare-bones rate set, communicate this to 819 * the transmit side. 820 */ 821 ieee80211_send_proberesp(vap, wh->i_addr2, 822 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 823 break; 824 825 case IEEE80211_FC0_SUBTYPE_ACTION: { 826 const struct ieee80211_action *ia; 827 828 if (vap->iv_state != IEEE80211_S_RUN) { 829 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 830 wh, NULL, "wrong state %s", 831 ieee80211_state_name[vap->iv_state]); 832 vap->iv_stats.is_rx_mgtdiscard++; 833 return; 834 } 835 /* 836 * action frame format: 837 * [1] category 838 * [1] action 839 * [tlv] parameters 840 */ 841 IEEE80211_VERIFY_LENGTH(efrm - frm, 842 sizeof(struct ieee80211_action), return); 843 ia = (const struct ieee80211_action *) frm; 844 845 vap->iv_stats.is_rx_action++; 846 IEEE80211_NODE_STAT(ni, rx_action); 847 848 /* verify frame payloads but defer processing */ 849 /* XXX maybe push this to method */ 850 switch (ia->ia_category) { 851 case IEEE80211_ACTION_CAT_BA: 852 switch (ia->ia_action) { 853 case IEEE80211_ACTION_BA_ADDBA_REQUEST: 854 IEEE80211_VERIFY_LENGTH(efrm - frm, 855 sizeof(struct ieee80211_action_ba_addbarequest), 856 return); 857 break; 858 case IEEE80211_ACTION_BA_ADDBA_RESPONSE: 859 IEEE80211_VERIFY_LENGTH(efrm - frm, 860 sizeof(struct ieee80211_action_ba_addbaresponse), 861 return); 862 break; 863 case IEEE80211_ACTION_BA_DELBA: 864 IEEE80211_VERIFY_LENGTH(efrm - frm, 865 sizeof(struct ieee80211_action_ba_delba), 866 return); 867 break; 868 } 869 break; 870 case IEEE80211_ACTION_CAT_HT: 871 switch (ia->ia_action) { 872 case IEEE80211_ACTION_HT_TXCHWIDTH: 873 IEEE80211_VERIFY_LENGTH(efrm - frm, 874 sizeof(struct ieee80211_action_ht_txchwidth), 875 return); 876 break; 877 } 878 break; 879 } 880 ic->ic_recv_action(ni, wh, frm, efrm); 881 break; 882 } 883 884 case IEEE80211_FC0_SUBTYPE_AUTH: 885 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 886 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 887 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 888 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 889 case IEEE80211_FC0_SUBTYPE_DEAUTH: 890 case IEEE80211_FC0_SUBTYPE_DISASSOC: 891 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 892 wh, NULL, "%s", "not handled"); 893 vap->iv_stats.is_rx_mgtdiscard++; 894 return; 895 896 default: 897 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 898 wh, "mgt", "subtype 0x%x not handled", subtype); 899 vap->iv_stats.is_rx_badsubtype++; 900 break; 901 } 902 } 903 #undef IEEE80211_VERIFY_LENGTH 904 #undef IEEE80211_VERIFY_ELEMENT 905 906 static void 907 ahdemo_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 908 int subtype, int rssi, int nf) 909 { 910 struct ieee80211vap *vap = ni->ni_vap; 911 struct ieee80211com *ic = ni->ni_ic; 912 913 /* 914 * Process management frames when scanning; useful for doing 915 * a site-survey. 916 */ 917 if (ic->ic_flags & IEEE80211_F_SCAN) 918 adhoc_recv_mgmt(ni, m0, subtype, rssi, nf); 919 else 920 vap->iv_stats.is_rx_mgtdiscard++; 921 } 922 923 static void 924 adhoc_recv_ctl(struct ieee80211_node *ni, struct mbuf *m0, int subtype) 925 { 926 } 927