1 /* $OpenBSD: ieee80211_input.c,v 1.240 2021/12/03 12:40:15 stsp Exp $ */ 2 3 /*- 4 * Copyright (c) 2001 Atsushi Onoe 5 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 6 * Copyright (c) 2007-2009 Damien Bergamini 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of the author may not be used to endorse or promote products 18 * derived from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include "bpfilter.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 #include <sys/socket.h> 40 #include <sys/sockio.h> 41 #include <sys/endian.h> 42 #include <sys/errno.h> 43 #include <sys/sysctl.h> 44 #include <sys/task.h> 45 46 #include <net/if.h> 47 #include <net/if_dl.h> 48 #include <net/if_media.h> 49 #include <net/if_llc.h> 50 51 #if NBPFILTER > 0 52 #include <net/bpf.h> 53 #endif 54 55 #include <netinet/in.h> 56 #include <netinet/if_ether.h> 57 58 #include <net80211/ieee80211_var.h> 59 #include <net80211/ieee80211_priv.h> 60 61 struct mbuf *ieee80211_input_hwdecrypt(struct ieee80211com *, 62 struct ieee80211_node *, struct mbuf *, 63 struct ieee80211_rxinfo *rxi); 64 struct mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int); 65 void ieee80211_defrag_timeout(void *); 66 void ieee80211_input_ba(struct ieee80211com *, struct mbuf *, 67 struct ieee80211_node *, int, struct ieee80211_rxinfo *, 68 struct mbuf_list *); 69 void ieee80211_input_ba_flush(struct ieee80211com *, struct ieee80211_node *, 70 struct ieee80211_rx_ba *, struct mbuf_list *); 71 int ieee80211_input_ba_gap_skip(struct ieee80211_rx_ba *); 72 void ieee80211_input_ba_gap_timeout(void *arg); 73 void ieee80211_ba_move_window(struct ieee80211com *, 74 struct ieee80211_node *, u_int8_t, u_int16_t, struct mbuf_list *); 75 void ieee80211_input_ba_seq(struct ieee80211com *, 76 struct ieee80211_node *, uint8_t, uint16_t, struct mbuf_list *); 77 struct mbuf *ieee80211_align_mbuf(struct mbuf *); 78 void ieee80211_decap(struct ieee80211com *, struct mbuf *, 79 struct ieee80211_node *, int, struct mbuf_list *); 80 int ieee80211_amsdu_decap_validate(struct ieee80211com *, struct mbuf *, 81 struct ieee80211_node *); 82 void ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *, 83 struct ieee80211_node *, int, struct mbuf_list *); 84 void ieee80211_enqueue_data(struct ieee80211com *, struct mbuf *, 85 struct ieee80211_node *, int, struct mbuf_list *); 86 int ieee80211_parse_edca_params_body(struct ieee80211com *, 87 const u_int8_t *); 88 int ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *); 89 int ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *); 90 enum ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t[]); 91 enum ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t[]); 92 int ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *, 93 u_int, struct ieee80211_rsnparams *); 94 int ieee80211_save_ie(const u_int8_t *, u_int8_t **); 95 void ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *, 96 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 97 #ifndef IEEE80211_STA_ONLY 98 void ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *, 99 struct ieee80211_node *, struct ieee80211_rxinfo *); 100 #endif 101 void ieee80211_recv_auth(struct ieee80211com *, struct mbuf *, 102 struct ieee80211_node *, struct ieee80211_rxinfo *); 103 #ifndef IEEE80211_STA_ONLY 104 void ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *, 105 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 106 #endif 107 void ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *, 108 struct ieee80211_node *, int); 109 void ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *, 110 struct ieee80211_node *); 111 void ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *, 112 struct ieee80211_node *); 113 void ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *, 114 struct ieee80211_node *); 115 void ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *, 116 struct ieee80211_node *); 117 void ieee80211_recv_delba(struct ieee80211com *, struct mbuf *, 118 struct ieee80211_node *); 119 void ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *, 120 struct ieee80211_node *); 121 #ifndef IEEE80211_STA_ONLY 122 void ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *, 123 struct ieee80211_node *); 124 #endif 125 void ieee80211_recv_action(struct ieee80211com *, struct mbuf *, 126 struct ieee80211_node *); 127 #ifndef IEEE80211_STA_ONLY 128 void ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *, 129 struct ieee80211_node *); 130 #endif 131 void ieee80211_recv_bar(struct ieee80211com *, struct mbuf *, 132 struct ieee80211_node *); 133 void ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *, 134 u_int8_t, u_int16_t); 135 136 /* 137 * Retrieve the length in bytes of an 802.11 header. 138 */ 139 u_int 140 ieee80211_get_hdrlen(const struct ieee80211_frame *wh) 141 { 142 u_int size = sizeof(*wh); 143 144 /* NB: does not work with control frames */ 145 KASSERT(ieee80211_has_seq(wh)); 146 147 if (ieee80211_has_addr4(wh)) 148 size += IEEE80211_ADDR_LEN; /* i_addr4 */ 149 if (ieee80211_has_qos(wh)) 150 size += sizeof(u_int16_t); /* i_qos */ 151 if (ieee80211_has_htc(wh)) 152 size += sizeof(u_int32_t); /* i_ht */ 153 return size; 154 } 155 156 /* Post-processing for drivers which perform decryption in hardware. */ 157 struct mbuf * 158 ieee80211_input_hwdecrypt(struct ieee80211com *ic, struct ieee80211_node *ni, 159 struct mbuf *m, struct ieee80211_rxinfo *rxi) 160 { 161 struct ieee80211_key *k; 162 struct ieee80211_frame *wh; 163 uint64_t pn, *prsc; 164 int hdrlen; 165 166 k = ieee80211_get_rxkey(ic, m, ni); 167 if (k == NULL) 168 return NULL; 169 170 wh = mtod(m, struct ieee80211_frame *); 171 hdrlen = ieee80211_get_hdrlen(wh); 172 173 /* 174 * Update the last-seen packet number (PN) for drivers using hardware 175 * crypto offloading. This cannot be done by drivers because A-MPDU 176 * reordering needs to occur before a valid lower bound can be 177 * determined for the PN. Drivers will read the PN we write here and 178 * are expected to discard replayed frames based on it. 179 * Drivers are expected to leave the IV of decrypted frames intact 180 * so we can update the last-seen PN and strip the IV here. 181 */ 182 switch (k->k_cipher) { 183 case IEEE80211_CIPHER_CCMP: 184 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 185 /* 186 * If the protected bit is clear then hardware has 187 * stripped the IV and we must trust that it handles 188 * replay detection correctly. 189 */ 190 break; 191 } 192 if (ieee80211_ccmp_get_pn(&pn, &prsc, m, k) != 0) 193 return NULL; 194 if (rxi->rxi_flags & IEEE80211_RXI_HWDEC_SAME_PN) { 195 if (pn < *prsc) { 196 ic->ic_stats.is_ccmp_replays++; 197 return NULL; 198 } 199 } else if (pn <= *prsc) { 200 ic->ic_stats.is_ccmp_replays++; 201 return NULL; 202 } 203 204 /* Update last-seen packet number. */ 205 *prsc = pn; 206 207 /* Clear Protected bit and strip IV. */ 208 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 209 memmove(mtod(m, caddr_t) + IEEE80211_CCMP_HDRLEN, wh, hdrlen); 210 m_adj(m, IEEE80211_CCMP_HDRLEN); 211 /* Drivers are expected to strip the MIC. */ 212 break; 213 case IEEE80211_CIPHER_TKIP: 214 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 215 /* 216 * If the protected bit is clear then hardware has 217 * stripped the IV and we must trust that it handles 218 * replay detection correctly. 219 */ 220 break; 221 } 222 if (ieee80211_tkip_get_tsc(&pn, &prsc, m, k) != 0) 223 return NULL; 224 if (rxi->rxi_flags & IEEE80211_RXI_HWDEC_SAME_PN) { 225 if (pn < *prsc) { 226 ic->ic_stats.is_tkip_replays++; 227 return NULL; 228 } 229 } else if (pn <= *prsc) { 230 ic->ic_stats.is_tkip_replays++; 231 return NULL; 232 } 233 234 /* Update last-seen packet number. */ 235 *prsc = pn; 236 237 /* Clear Protected bit and strip IV. */ 238 wh = mtod(m, struct ieee80211_frame *); 239 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 240 memmove(mtod(m, caddr_t) + IEEE80211_TKIP_HDRLEN, wh, hdrlen); 241 m_adj(m, IEEE80211_TKIP_HDRLEN); 242 /* Drivers are expected to strip the MIC. */ 243 break; 244 default: 245 break; 246 } 247 248 return m; 249 } 250 251 /* 252 * Process a received frame. The node associated with the sender 253 * should be supplied. If nothing was found in the node table then 254 * the caller is assumed to supply a reference to ic_bss instead. 255 * The RSSI and a timestamp are also supplied. The RSSI data is used 256 * during AP scanning to select a AP to associate with; it can have 257 * any units so long as values have consistent units and higher values 258 * mean ``better signal''. The receive timestamp is currently not used 259 * by the 802.11 layer. 260 * 261 * This function acts on management frames immediately and queues data frames 262 * on the specified mbuf list. Delivery of queued data frames to upper layers 263 * must be triggered with if_input(). Drivers should call if_input() only once 264 * per Rx interrupt to avoid triggering the input ifq pressure drop mechanism 265 * unnecessarily. 266 */ 267 void 268 ieee80211_inputm(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 269 struct ieee80211_rxinfo *rxi, struct mbuf_list *ml) 270 { 271 struct ieee80211com *ic = (void *)ifp; 272 struct ieee80211_frame *wh; 273 u_int16_t *orxseq, nrxseq, qos; 274 u_int8_t dir, type, subtype, tid; 275 int hdrlen, hasqos; 276 277 KASSERT(ni != NULL); 278 279 /* in monitor mode, send everything directly to bpf */ 280 if (ic->ic_opmode == IEEE80211_M_MONITOR) 281 goto out; 282 283 /* 284 * Do not process frames without an Address 2 field any further. 285 * Only CTS and ACK control frames do not have this field. 286 */ 287 if (m->m_len < sizeof(struct ieee80211_frame_min)) { 288 DPRINTF(("frame too short, len %u\n", m->m_len)); 289 ic->ic_stats.is_rx_tooshort++; 290 goto out; 291 } 292 293 wh = mtod(m, struct ieee80211_frame *); 294 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 295 IEEE80211_FC0_VERSION_0) { 296 DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0])); 297 ic->ic_stats.is_rx_badversion++; 298 goto err; 299 } 300 301 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 302 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 303 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 304 305 if (type != IEEE80211_FC0_TYPE_CTL) { 306 hdrlen = ieee80211_get_hdrlen(wh); 307 if (m->m_len < hdrlen) { 308 DPRINTF(("frame too short, len %u\n", m->m_len)); 309 ic->ic_stats.is_rx_tooshort++; 310 goto err; 311 } 312 } else 313 hdrlen = 0; 314 if ((hasqos = ieee80211_has_qos(wh))) { 315 qos = ieee80211_get_qos(wh); 316 tid = qos & IEEE80211_QOS_TID; 317 } else { 318 qos = 0; 319 tid = 0; 320 } 321 322 if (ic->ic_state == IEEE80211_S_RUN && 323 type == IEEE80211_FC0_TYPE_DATA && hasqos && 324 (subtype & IEEE80211_FC0_SUBTYPE_NODATA) == 0 && 325 !(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE) 326 #ifndef IEEE80211_STA_ONLY 327 && (ic->ic_opmode == IEEE80211_M_STA || ni != ic->ic_bss) 328 #endif 329 ) { 330 int ba_state = ni->ni_rx_ba[tid].ba_state; 331 332 #ifndef IEEE80211_STA_ONLY 333 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 334 if (!IEEE80211_ADDR_EQ(wh->i_addr1, 335 ic->ic_bss->ni_bssid)) { 336 ic->ic_stats.is_rx_wrongbss++; 337 goto err; 338 } 339 if (ni->ni_state != IEEE80211_S_ASSOC) { 340 ic->ic_stats.is_rx_notassoc++; 341 goto err; 342 } 343 } 344 #endif 345 /* 346 * If Block Ack was explicitly requested, check 347 * if we have a BA agreement for this RA/TID. 348 */ 349 if ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 350 IEEE80211_QOS_ACK_POLICY_BA && 351 ba_state != IEEE80211_BA_AGREED) { 352 DPRINTF(("no BA agreement for %s, TID %d\n", 353 ether_sprintf(ni->ni_macaddr), tid)); 354 /* send a DELBA with reason code UNKNOWN-BA */ 355 IEEE80211_SEND_ACTION(ic, ni, 356 IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA, 357 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 358 goto err; 359 } 360 361 /* 362 * Check if we have an explicit or implicit 363 * Block Ack Request for a valid BA agreement. 364 */ 365 if (ba_state == IEEE80211_BA_AGREED && 366 ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 367 IEEE80211_QOS_ACK_POLICY_BA || 368 (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 369 IEEE80211_QOS_ACK_POLICY_NORMAL)) { 370 /* go through A-MPDU reordering */ 371 ieee80211_input_ba(ic, m, ni, tid, rxi, ml); 372 return; /* don't free m! */ 373 } else if (ba_state == IEEE80211_BA_REQUESTED && 374 (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 375 IEEE80211_QOS_ACK_POLICY_NORMAL) { 376 /* 377 * Apparently, qos frames for a tid where a 378 * block ack agreement was requested but not 379 * yet confirmed by us should still contribute 380 * to the sequence number for this tid. 381 */ 382 ieee80211_input_ba(ic, m, ni, tid, rxi, ml); 383 return; /* don't free m! */ 384 } 385 } 386 387 /* 388 * We do not yet support fragments. Drop any fragmented packets. 389 * Counter-measure against attacks where an arbitrary packet is 390 * injected via a fragment with attacker-controlled content. 391 * See https://papers.mathyvanhoef.com/usenix2021.pdf 392 * Section 6.8 "Treating fragments as full frames" 393 */ 394 if (ieee80211_has_seq(wh)) { 395 uint16_t rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 396 if ((wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) || 397 (rxseq & IEEE80211_SEQ_FRAG_MASK)) 398 goto err; 399 } 400 401 /* duplicate detection (see 9.2.9) */ 402 if (ieee80211_has_seq(wh) && 403 ic->ic_state != IEEE80211_S_SCAN) { 404 nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >> 405 IEEE80211_SEQ_SEQ_SHIFT; 406 if (hasqos) 407 orxseq = &ni->ni_qos_rxseqs[tid]; 408 else 409 orxseq = &ni->ni_rxseq; 410 if (rxi->rxi_flags & IEEE80211_RXI_SAME_SEQ) { 411 if (nrxseq != *orxseq) { 412 /* duplicate, silently discarded */ 413 ic->ic_stats.is_rx_dup++; 414 goto out; 415 } 416 } else if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 417 nrxseq == *orxseq) { 418 /* duplicate, silently discarded */ 419 ic->ic_stats.is_rx_dup++; 420 goto out; 421 } 422 *orxseq = nrxseq; 423 } 424 if (ic->ic_state > IEEE80211_S_SCAN) { 425 ni->ni_rssi = rxi->rxi_rssi; 426 ni->ni_rstamp = rxi->rxi_tstamp; 427 ni->ni_inact = 0; 428 429 if (ic->ic_state == IEEE80211_S_RUN && ic->ic_bgscan_start) { 430 /* Cancel or start background scan based on RSSI. */ 431 if ((*ic->ic_node_checkrssi)(ic, ni)) 432 timeout_del(&ic->ic_bgscan_timeout); 433 else if (!timeout_pending(&ic->ic_bgscan_timeout) && 434 (ic->ic_flags & IEEE80211_F_BGSCAN) == 0 && 435 (ic->ic_flags & IEEE80211_F_DESBSSID) == 0) 436 timeout_add_msec(&ic->ic_bgscan_timeout, 437 500 * (ic->ic_bgscan_fail + 1)); 438 } 439 } 440 441 #ifndef IEEE80211_STA_ONLY 442 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 443 (ic->ic_caps & IEEE80211_C_APPMGT) && 444 ni->ni_state == IEEE80211_STA_ASSOC) { 445 if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) { 446 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) { 447 /* turn on PS mode */ 448 ni->ni_pwrsave = IEEE80211_PS_DOZE; 449 DPRINTF(("PS mode on for %s\n", 450 ether_sprintf(wh->i_addr2))); 451 } 452 } else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) { 453 struct mbuf *m; 454 455 /* turn off PS mode */ 456 ni->ni_pwrsave = IEEE80211_PS_AWAKE; 457 DPRINTF(("PS mode off for %s\n", 458 ether_sprintf(wh->i_addr2))); 459 460 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 461 462 /* dequeue buffered unicast frames */ 463 while ((m = mq_dequeue(&ni->ni_savedq)) != NULL) { 464 mq_enqueue(&ic->ic_pwrsaveq, m); 465 if_start(ifp); 466 } 467 } 468 } 469 #endif 470 switch (type) { 471 case IEEE80211_FC0_TYPE_DATA: 472 switch (ic->ic_opmode) { 473 case IEEE80211_M_STA: 474 if (dir != IEEE80211_FC1_DIR_FROMDS) { 475 ic->ic_stats.is_rx_wrongdir++; 476 goto out; 477 } 478 if (ic->ic_state != IEEE80211_S_SCAN && 479 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 480 /* Source address is not our BSS. */ 481 DPRINTF(("discard frame from SA %s\n", 482 ether_sprintf(wh->i_addr2))); 483 ic->ic_stats.is_rx_wrongbss++; 484 goto out; 485 } 486 if ((ifp->if_flags & IFF_SIMPLEX) && 487 IEEE80211_IS_MULTICAST(wh->i_addr1) && 488 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 489 /* 490 * In IEEE802.11 network, multicast frame 491 * sent from me is broadcasted from AP. 492 * It should be silently discarded for 493 * SIMPLEX interface. 494 */ 495 ic->ic_stats.is_rx_mcastecho++; 496 goto out; 497 } 498 break; 499 #ifndef IEEE80211_STA_ONLY 500 case IEEE80211_M_IBSS: 501 case IEEE80211_M_AHDEMO: 502 if (dir != IEEE80211_FC1_DIR_NODS) { 503 ic->ic_stats.is_rx_wrongdir++; 504 goto out; 505 } 506 if (ic->ic_state != IEEE80211_S_SCAN && 507 !IEEE80211_ADDR_EQ(wh->i_addr3, 508 ic->ic_bss->ni_bssid) && 509 !IEEE80211_ADDR_EQ(wh->i_addr3, 510 etherbroadcastaddr)) { 511 /* Destination is not our BSS or broadcast. */ 512 DPRINTF(("discard data frame to DA %s\n", 513 ether_sprintf(wh->i_addr3))); 514 ic->ic_stats.is_rx_wrongbss++; 515 goto out; 516 } 517 break; 518 case IEEE80211_M_HOSTAP: 519 if (dir != IEEE80211_FC1_DIR_TODS) { 520 ic->ic_stats.is_rx_wrongdir++; 521 goto out; 522 } 523 if (ic->ic_state != IEEE80211_S_SCAN && 524 !IEEE80211_ADDR_EQ(wh->i_addr1, 525 ic->ic_bss->ni_bssid) && 526 !IEEE80211_ADDR_EQ(wh->i_addr1, 527 etherbroadcastaddr)) { 528 /* BSS is not us or broadcast. */ 529 DPRINTF(("discard data frame to BSS %s\n", 530 ether_sprintf(wh->i_addr1))); 531 ic->ic_stats.is_rx_wrongbss++; 532 goto out; 533 } 534 /* check if source STA is associated */ 535 if (ni == ic->ic_bss) { 536 DPRINTF(("data from unknown src %s\n", 537 ether_sprintf(wh->i_addr2))); 538 /* NB: caller deals with reference */ 539 ni = ieee80211_find_node(ic, wh->i_addr2); 540 if (ni == NULL) 541 ni = ieee80211_dup_bss(ic, wh->i_addr2); 542 if (ni != NULL) { 543 IEEE80211_SEND_MGMT(ic, ni, 544 IEEE80211_FC0_SUBTYPE_DEAUTH, 545 IEEE80211_REASON_NOT_AUTHED); 546 } 547 ic->ic_stats.is_rx_notassoc++; 548 goto err; 549 } 550 if (ni->ni_state != IEEE80211_STA_ASSOC) { 551 DPRINTF(("data from unassoc src %s\n", 552 ether_sprintf(wh->i_addr2))); 553 IEEE80211_SEND_MGMT(ic, ni, 554 IEEE80211_FC0_SUBTYPE_DISASSOC, 555 IEEE80211_REASON_NOT_ASSOCED); 556 ic->ic_stats.is_rx_notassoc++; 557 goto err; 558 } 559 break; 560 #endif /* IEEE80211_STA_ONLY */ 561 default: 562 /* can't get there */ 563 goto out; 564 } 565 566 /* Do not process "no data" frames any further. */ 567 if (subtype & IEEE80211_FC0_SUBTYPE_NODATA) { 568 #if NBPFILTER > 0 569 if (ic->ic_rawbpf) 570 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 571 #endif 572 goto out; 573 } 574 575 if ((ic->ic_flags & IEEE80211_F_WEPON) || 576 ((ic->ic_flags & IEEE80211_F_RSNON) && 577 (ni->ni_flags & IEEE80211_NODE_RXPROT))) { 578 /* protection is on for Rx */ 579 if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 580 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 581 /* drop unencrypted */ 582 ic->ic_stats.is_rx_unencrypted++; 583 goto err; 584 } 585 /* do software decryption */ 586 m = ieee80211_decrypt(ic, m, ni); 587 if (m == NULL) { 588 ic->ic_stats.is_rx_wepfail++; 589 goto err; 590 } 591 } else { 592 m = ieee80211_input_hwdecrypt(ic, ni, m, rxi); 593 if (m == NULL) 594 goto err; 595 } 596 wh = mtod(m, struct ieee80211_frame *); 597 } else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) || 598 (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 599 /* frame encrypted but protection off for Rx */ 600 ic->ic_stats.is_rx_nowep++; 601 goto out; 602 } 603 604 #if NBPFILTER > 0 605 /* copy to listener after decrypt */ 606 if (ic->ic_rawbpf) 607 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 608 #endif 609 610 if ((ni->ni_flags & IEEE80211_NODE_HT) && 611 hasqos && (qos & IEEE80211_QOS_AMSDU)) 612 ieee80211_amsdu_decap(ic, m, ni, hdrlen, ml); 613 else 614 ieee80211_decap(ic, m, ni, hdrlen, ml); 615 return; 616 617 case IEEE80211_FC0_TYPE_MGT: 618 if (dir != IEEE80211_FC1_DIR_NODS) { 619 ic->ic_stats.is_rx_wrongdir++; 620 goto err; 621 } 622 #ifndef IEEE80211_STA_ONLY 623 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 624 ic->ic_stats.is_rx_ahdemo_mgt++; 625 goto out; 626 } 627 #endif 628 /* drop frames without interest */ 629 if (ic->ic_state == IEEE80211_S_SCAN) { 630 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 631 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 632 ic->ic_stats.is_rx_mgtdiscard++; 633 goto out; 634 } 635 } 636 637 if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) { 638 /* MMPDU protection is on for Rx */ 639 if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC || 640 subtype == IEEE80211_FC0_SUBTYPE_DEAUTH || 641 subtype == IEEE80211_FC0_SUBTYPE_ACTION) { 642 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) && 643 !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 644 /* unicast mgmt not encrypted */ 645 goto out; 646 } 647 /* do software decryption */ 648 m = ieee80211_decrypt(ic, m, ni); 649 if (m == NULL) { 650 /* XXX stats */ 651 goto out; 652 } 653 wh = mtod(m, struct ieee80211_frame *); 654 } 655 } else if ((ic->ic_flags & IEEE80211_F_RSNON) && 656 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 657 /* encrypted but MMPDU Rx protection off for TA */ 658 goto out; 659 } 660 661 #if NBPFILTER > 0 662 if (bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN) != 0) { 663 /* 664 * Drop mbuf if it was filtered by bpf. Normally, 665 * this is done in ether_input() but IEEE 802.11 666 * management frames are a special case. 667 */ 668 m_freem(m); 669 return; 670 } 671 #endif 672 (*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype); 673 m_freem(m); 674 return; 675 676 case IEEE80211_FC0_TYPE_CTL: 677 switch (subtype) { 678 #ifndef IEEE80211_STA_ONLY 679 case IEEE80211_FC0_SUBTYPE_PS_POLL: 680 ieee80211_recv_pspoll(ic, m, ni); 681 break; 682 #endif 683 case IEEE80211_FC0_SUBTYPE_BAR: 684 ieee80211_recv_bar(ic, m, ni); 685 break; 686 default: 687 ic->ic_stats.is_rx_ctl++; 688 break; 689 } 690 goto out; 691 692 default: 693 DPRINTF(("bad frame type %x\n", type)); 694 /* should not come here */ 695 break; 696 } 697 err: 698 ifp->if_ierrors++; 699 out: 700 if (m != NULL) { 701 #if NBPFILTER > 0 702 if (ic->ic_rawbpf) 703 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 704 #endif 705 m_freem(m); 706 } 707 } 708 709 /* Input handler for drivers which only receive one frame per interrupt. */ 710 void 711 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 712 struct ieee80211_rxinfo *rxi) 713 { 714 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 715 716 ieee80211_inputm(ifp, m, ni, rxi, &ml); 717 if_input(ifp, &ml); 718 } 719 720 #ifdef notyet 721 /* 722 * Handle defragmentation (see 9.5 and Annex C). We support the concurrent 723 * reception of fragments of three fragmented MSDUs or MMPDUs. 724 */ 725 struct mbuf * 726 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 727 { 728 const struct ieee80211_frame *owh, *wh; 729 struct ieee80211_defrag *df; 730 u_int16_t rxseq, seq; 731 u_int8_t frag; 732 int i; 733 734 wh = mtod(m, struct ieee80211_frame *); 735 rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 736 seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 737 frag = rxseq & IEEE80211_SEQ_FRAG_MASK; 738 739 if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)) 740 return m; /* not fragmented */ 741 742 if (frag == 0) { 743 /* first fragment, setup entry in the fragment cache */ 744 if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE) 745 ic->ic_defrag_cur = 0; 746 df = &ic->ic_defrag[ic->ic_defrag_cur]; 747 m_freem(df->df_m); /* discard old entry */ 748 df->df_seq = seq; 749 df->df_frag = 0; 750 df->df_m = m; 751 /* start receive MSDU timer of aMaxReceiveLifetime */ 752 timeout_add_sec(&df->df_to, 1); 753 return NULL; /* MSDU or MMPDU not yet complete */ 754 } 755 756 /* find matching entry in the fragment cache */ 757 for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) { 758 df = &ic->ic_defrag[i]; 759 if (df->df_m == NULL) 760 continue; 761 if (df->df_seq != seq || df->df_frag + 1 != frag) 762 continue; 763 owh = mtod(df->df_m, struct ieee80211_frame *); 764 /* frame type, source and destination must match */ 765 if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) || 766 !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) || 767 !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2)) 768 continue; 769 /* matching entry found */ 770 break; 771 } 772 if (i == IEEE80211_DEFRAG_SIZE) { 773 /* no matching entry found, discard fragment */ 774 ic->ic_if.if_ierrors++; 775 m_freem(m); 776 return NULL; 777 } 778 779 df->df_frag = frag; 780 /* strip 802.11 header and concatenate fragment */ 781 m_adj(m, hdrlen); 782 m_cat(df->df_m, m); 783 df->df_m->m_pkthdr.len += m->m_pkthdr.len; 784 785 if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) 786 return NULL; /* MSDU or MMPDU not yet complete */ 787 788 /* MSDU or MMPDU complete */ 789 timeout_del(&df->df_to); 790 m = df->df_m; 791 df->df_m = NULL; 792 return m; 793 } 794 795 /* 796 * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime. 797 */ 798 void 799 ieee80211_defrag_timeout(void *arg) 800 { 801 struct ieee80211_defrag *df = arg; 802 int s = splnet(); 803 804 /* discard all received fragments */ 805 m_freem(df->df_m); 806 df->df_m = NULL; 807 808 splx(s); 809 } 810 #endif 811 812 /* 813 * Process a received data MPDU related to a specific HT-immediate Block Ack 814 * agreement (see 9.10.7.6). 815 */ 816 void 817 ieee80211_input_ba(struct ieee80211com *ic, struct mbuf *m, 818 struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi, 819 struct mbuf_list *ml) 820 { 821 struct ifnet *ifp = &ic->ic_if; 822 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 823 struct ieee80211_frame *wh; 824 int idx, count; 825 u_int16_t sn; 826 827 wh = mtod(m, struct ieee80211_frame *); 828 sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 829 830 /* reset Block Ack inactivity timer */ 831 if (ba->ba_timeout_val != 0) 832 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 833 834 if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */ 835 ic->ic_stats.is_ht_rx_frame_below_ba_winstart++; 836 m_freem(m); /* discard the MPDU */ 837 return; 838 } 839 if (SEQ_LT(ba->ba_winend, sn)) { /* WinEndB < SN */ 840 ic->ic_stats.is_ht_rx_frame_above_ba_winend++; 841 count = (sn - ba->ba_winend) & 0xfff; 842 if (count > ba->ba_winsize) { 843 /* 844 * Check whether we're consistently behind the window, 845 * and let the window move forward if necessary. 846 */ 847 if (ba->ba_winmiss < IEEE80211_BA_MAX_WINMISS) { 848 if (ba->ba_missedsn == ((sn - 1) & 0xfff)) 849 ba->ba_winmiss++; 850 else 851 ba->ba_winmiss = 0; 852 ba->ba_missedsn = sn; 853 ifp->if_ierrors++; 854 m_freem(m); /* discard the MPDU */ 855 return; 856 } 857 858 /* It appears the window has moved for real. */ 859 ic->ic_stats.is_ht_rx_ba_window_jump++; 860 ba->ba_winmiss = 0; 861 ba->ba_missedsn = 0; 862 ieee80211_ba_move_window(ic, ni, tid, sn, ml); 863 } else { 864 ic->ic_stats.is_ht_rx_ba_window_slide++; 865 ieee80211_input_ba_seq(ic, ni, tid, 866 (ba->ba_winstart + count) & 0xfff, ml); 867 ieee80211_input_ba_flush(ic, ni, ba, ml); 868 } 869 } 870 /* WinStartB <= SN <= WinEndB */ 871 872 ba->ba_winmiss = 0; 873 ba->ba_missedsn = 0; 874 idx = (sn - ba->ba_winstart) & 0xfff; 875 idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ; 876 /* store the received MPDU in the buffer */ 877 if (ba->ba_buf[idx].m != NULL) { 878 ifp->if_ierrors++; 879 ic->ic_stats.is_ht_rx_ba_no_buf++; 880 m_freem(m); 881 return; 882 } 883 ba->ba_buf[idx].m = m; 884 /* store Rx meta-data too */ 885 rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE; 886 ba->ba_buf[idx].rxi = *rxi; 887 ba->ba_gapwait++; 888 889 if (ba->ba_buf[ba->ba_head].m == NULL && ba->ba_gapwait == 1) 890 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT); 891 892 ieee80211_input_ba_flush(ic, ni, ba, ml); 893 } 894 895 /* 896 * Forward buffered frames with sequence number lower than max_seq. 897 * See 802.11-2012 9.21.7.6.2 b. 898 */ 899 void 900 ieee80211_input_ba_seq(struct ieee80211com *ic, struct ieee80211_node *ni, 901 uint8_t tid, uint16_t max_seq, struct mbuf_list *ml) 902 { 903 struct ifnet *ifp = &ic->ic_if; 904 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 905 struct ieee80211_frame *wh; 906 uint16_t seq; 907 int i = 0; 908 909 while (i++ < ba->ba_winsize) { 910 /* gaps may exist */ 911 if (ba->ba_buf[ba->ba_head].m != NULL) { 912 wh = mtod(ba->ba_buf[ba->ba_head].m, 913 struct ieee80211_frame *); 914 KASSERT(ieee80211_has_seq(wh)); 915 seq = letoh16(*(u_int16_t *)wh->i_seq) >> 916 IEEE80211_SEQ_SEQ_SHIFT; 917 if (!SEQ_LT(seq, max_seq)) 918 break; 919 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, 920 ni, &ba->ba_buf[ba->ba_head].rxi, ml); 921 ba->ba_buf[ba->ba_head].m = NULL; 922 ba->ba_gapwait--; 923 } else 924 ic->ic_stats.is_ht_rx_ba_frame_lost++; 925 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 926 /* move window forward */ 927 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 928 } 929 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 930 } 931 932 /* Flush a consecutive sequence of frames from the reorder buffer. */ 933 void 934 ieee80211_input_ba_flush(struct ieee80211com *ic, struct ieee80211_node *ni, 935 struct ieee80211_rx_ba *ba, struct mbuf_list *ml) 936 937 { 938 struct ifnet *ifp = &ic->ic_if; 939 940 /* Do not re-arm the gap timeout if we made no progress. */ 941 if (ba->ba_buf[ba->ba_head].m == NULL) 942 return; 943 944 /* pass reordered MPDUs up to the next MAC process */ 945 while (ba->ba_buf[ba->ba_head].m != NULL) { 946 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni, 947 &ba->ba_buf[ba->ba_head].rxi, ml); 948 ba->ba_buf[ba->ba_head].m = NULL; 949 ba->ba_gapwait--; 950 951 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 952 /* move window forward */ 953 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 954 } 955 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 956 957 if (timeout_pending(&ba->ba_gap_to)) 958 timeout_del(&ba->ba_gap_to); 959 if (ba->ba_gapwait) 960 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT); 961 } 962 963 /* 964 * Forcibly move the BA window forward to remove a leading gap which has 965 * been causing frames to linger in the reordering buffer for too long. 966 * A leading gap will occur if a particular A-MPDU subframe never arrives 967 * or if a bug in the sender causes sequence numbers to jump forward by > 1. 968 */ 969 int 970 ieee80211_input_ba_gap_skip(struct ieee80211_rx_ba *ba) 971 { 972 int skipped = 0; 973 974 while (skipped < ba->ba_winsize && ba->ba_buf[ba->ba_head].m == NULL) { 975 /* move window forward */ 976 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 977 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 978 skipped++; 979 } 980 if (skipped > 0) 981 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 982 983 return skipped; 984 } 985 986 void 987 ieee80211_input_ba_gap_timeout(void *arg) 988 { 989 struct ieee80211_rx_ba *ba = arg; 990 struct ieee80211_node *ni = ba->ba_ni; 991 struct ieee80211com *ic = ni->ni_ic; 992 int s, skipped; 993 994 ic->ic_stats.is_ht_rx_ba_window_gap_timeout++; 995 996 s = splnet(); 997 998 skipped = ieee80211_input_ba_gap_skip(ba); 999 ic->ic_stats.is_ht_rx_ba_frame_lost += skipped; 1000 if (skipped) { 1001 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 1002 ieee80211_input_ba_flush(ic, ni, ba, &ml); 1003 if_input(&ic->ic_if, &ml); 1004 } 1005 1006 splx(s); 1007 } 1008 1009 1010 /* 1011 * Change the value of WinStartB (move window forward) upon reception of a 1012 * BlockAckReq frame or an ADDBA Request (PBAC). 1013 */ 1014 void 1015 ieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni, 1016 u_int8_t tid, u_int16_t ssn, struct mbuf_list *ml) 1017 { 1018 struct ifnet *ifp = &ic->ic_if; 1019 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 1020 int count; 1021 1022 /* assert(WinStartB <= SSN) */ 1023 1024 count = (ssn - ba->ba_winstart) & 0xfff; 1025 if (count > ba->ba_winsize) /* no overlap */ 1026 count = ba->ba_winsize; 1027 while (count-- > 0) { 1028 /* gaps may exist */ 1029 if (ba->ba_buf[ba->ba_head].m != NULL) { 1030 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni, 1031 &ba->ba_buf[ba->ba_head].rxi, ml); 1032 ba->ba_buf[ba->ba_head].m = NULL; 1033 ba->ba_gapwait--; 1034 } else 1035 ic->ic_stats.is_ht_rx_ba_frame_lost++; 1036 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 1037 } 1038 /* move window forward */ 1039 ba->ba_winstart = ssn; 1040 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 1041 1042 ieee80211_input_ba_flush(ic, ni, ba, ml); 1043 } 1044 1045 void 1046 ieee80211_enqueue_data(struct ieee80211com *ic, struct mbuf *m, 1047 struct ieee80211_node *ni, int mcast, struct mbuf_list *ml) 1048 { 1049 struct ifnet *ifp = &ic->ic_if; 1050 struct ether_header *eh; 1051 struct mbuf *m1; 1052 1053 eh = mtod(m, struct ether_header *); 1054 1055 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid && 1056 eh->ether_type != htons(ETHERTYPE_PAE)) { 1057 DPRINTF(("port not valid: %s\n", 1058 ether_sprintf(eh->ether_dhost))); 1059 ic->ic_stats.is_rx_unauth++; 1060 m_freem(m); 1061 return; 1062 } 1063 1064 /* 1065 * Perform as a bridge within the AP. Notice that we do not 1066 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X. 1067 * And we do not forward unicast frames received on a multicast address. 1068 */ 1069 m1 = NULL; 1070 #ifndef IEEE80211_STA_ONLY 1071 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 1072 !(ic->ic_userflags & IEEE80211_F_NOBRIDGE) && 1073 eh->ether_type != htons(ETHERTYPE_PAE)) { 1074 struct ieee80211_node *ni1; 1075 1076 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 1077 m1 = m_dup_pkt(m, ETHER_ALIGN, M_DONTWAIT); 1078 if (m1 == NULL) 1079 ifp->if_oerrors++; 1080 else 1081 m1->m_flags |= M_MCAST; 1082 } else if (!mcast) { 1083 ni1 = ieee80211_find_node(ic, eh->ether_dhost); 1084 if (ni1 != NULL && 1085 ni1->ni_state == IEEE80211_STA_ASSOC) { 1086 m1 = m; 1087 m = NULL; 1088 } 1089 } 1090 if (m1 != NULL) { 1091 if (if_enqueue(ifp, m1)) 1092 ifp->if_oerrors++; 1093 } 1094 } 1095 #endif 1096 if (m != NULL) { 1097 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1098 eh->ether_type == htons(ETHERTYPE_PAE)) { 1099 ifp->if_ipackets++; 1100 #if NBPFILTER > 0 1101 /* 1102 * If we forward frame into transmitter of the AP, 1103 * we don't need to duplicate for DLT_EN10MB. 1104 */ 1105 if (ifp->if_bpf && m1 == NULL) 1106 bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN); 1107 #endif 1108 ieee80211_eapol_key_input(ic, m, ni); 1109 } else { 1110 ml_enqueue(ml, m); 1111 } 1112 } 1113 } 1114 1115 void 1116 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, 1117 struct ieee80211_node *ni, int hdrlen, struct mbuf_list *ml) 1118 { 1119 struct ether_header eh; 1120 struct ieee80211_frame *wh; 1121 struct llc *llc; 1122 int mcast; 1123 1124 if (m->m_len < hdrlen + LLC_SNAPFRAMELEN && 1125 (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) { 1126 ic->ic_stats.is_rx_decap++; 1127 return; 1128 } 1129 wh = mtod(m, struct ieee80211_frame *); 1130 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 1131 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 1132 case IEEE80211_FC1_DIR_NODS: 1133 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 1134 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 1135 break; 1136 case IEEE80211_FC1_DIR_TODS: 1137 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 1138 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 1139 break; 1140 case IEEE80211_FC1_DIR_FROMDS: 1141 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 1142 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr3); 1143 break; 1144 case IEEE80211_FC1_DIR_DSTODS: 1145 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 1146 IEEE80211_ADDR_COPY(eh.ether_shost, 1147 ((struct ieee80211_frame_addr4 *)wh)->i_addr4); 1148 break; 1149 } 1150 llc = (struct llc *)((caddr_t)wh + hdrlen); 1151 if (llc->llc_dsap == LLC_SNAP_LSAP && 1152 llc->llc_ssap == LLC_SNAP_LSAP && 1153 llc->llc_control == LLC_UI && 1154 llc->llc_snap.org_code[0] == 0 && 1155 llc->llc_snap.org_code[1] == 0 && 1156 llc->llc_snap.org_code[2] == 0) { 1157 eh.ether_type = llc->llc_snap.ether_type; 1158 m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN); 1159 } else { 1160 eh.ether_type = htons(m->m_pkthdr.len - hdrlen); 1161 m_adj(m, hdrlen - ETHER_HDR_LEN); 1162 } 1163 memcpy(mtod(m, caddr_t), &eh, ETHER_HDR_LEN); 1164 if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) { 1165 struct mbuf *m0 = m; 1166 m = m_dup_pkt(m0, ETHER_ALIGN, M_NOWAIT); 1167 m_freem(m0); 1168 if (m == NULL) { 1169 ic->ic_stats.is_rx_decap++; 1170 return; 1171 } 1172 } 1173 ieee80211_enqueue_data(ic, m, ni, mcast, ml); 1174 } 1175 1176 int 1177 ieee80211_amsdu_decap_validate(struct ieee80211com *ic, struct mbuf *m, 1178 struct ieee80211_node *ni) 1179 { 1180 struct ether_header *eh = mtod(m, struct ether_header *); 1181 const uint8_t llc_hdr_mac[ETHER_ADDR_LEN] = { 1182 /* MAC address matching the 802.2 LLC header. */ 1183 LLC_SNAP_LSAP, LLC_SNAP_LSAP, LLC_UI, 0, 0, 0 1184 }; 1185 1186 /* 1187 * We are sorry, but this particular MAC address cannot be used. 1188 * This mitigates an attack where a single 802.11 frame is interpreted 1189 * as an A-MSDU because of a forged AMSDU-present bit in the 802.11 1190 * QoS frame header: https://papers.mathyvanhoef.com/usenix2021.pdf 1191 * See Section 7.2, 'Countermeasures for the design flaws' 1192 */ 1193 if (ETHER_IS_EQ(eh->ether_dhost, llc_hdr_mac)) 1194 return 1; 1195 1196 switch (ic->ic_opmode) { 1197 #ifndef IEEE80211_STA_ONLY 1198 case IEEE80211_M_HOSTAP: 1199 /* 1200 * Subframes must use the source address of the node which 1201 * transmitted the A-MSDU. Prevents MAC spoofing. 1202 */ 1203 if (!ETHER_IS_EQ(ni->ni_macaddr, eh->ether_shost)) 1204 return 1; 1205 break; 1206 #endif 1207 case IEEE80211_M_STA: 1208 /* Subframes must be addressed to me. */ 1209 if (!ETHER_IS_EQ(ic->ic_myaddr, eh->ether_dhost)) 1210 return 1; 1211 break; 1212 default: 1213 /* Ignore MONITOR/IBSS modes for now. */ 1214 break; 1215 } 1216 1217 return 0; 1218 } 1219 1220 /* 1221 * Decapsulate an Aggregate MSDU (see 7.2.2.2). 1222 */ 1223 void 1224 ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m, 1225 struct ieee80211_node *ni, int hdrlen, struct mbuf_list *ml) 1226 { 1227 struct mbuf *n; 1228 struct ether_header *eh; 1229 struct llc *llc; 1230 int len, pad, mcast; 1231 struct ieee80211_frame *wh; 1232 struct mbuf_list subframes = MBUF_LIST_INITIALIZER(); 1233 1234 wh = mtod(m, struct ieee80211_frame *); 1235 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 1236 1237 /* strip 802.11 header */ 1238 m_adj(m, hdrlen); 1239 1240 while (m->m_pkthdr.len >= ETHER_HDR_LEN + LLC_SNAPFRAMELEN) { 1241 /* process an A-MSDU subframe */ 1242 m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN); 1243 if (m == NULL) 1244 break; 1245 eh = mtod(m, struct ether_header *); 1246 /* examine 802.3 header */ 1247 len = ntohs(eh->ether_type); 1248 if (len < LLC_SNAPFRAMELEN) { 1249 DPRINTF(("A-MSDU subframe too short (%d)\n", len)); 1250 /* stop processing A-MSDU subframes */ 1251 ic->ic_stats.is_rx_decap++; 1252 ml_purge(&subframes); 1253 m_freem(m); 1254 return; 1255 } 1256 llc = (struct llc *)&eh[1]; 1257 /* Examine the 802.2 LLC header after the A-MSDU header. */ 1258 if (llc->llc_dsap == LLC_SNAP_LSAP && 1259 llc->llc_ssap == LLC_SNAP_LSAP && 1260 llc->llc_control == LLC_UI && 1261 llc->llc_snap.org_code[0] == 0 && 1262 llc->llc_snap.org_code[1] == 0 && 1263 llc->llc_snap.org_code[2] == 0) { 1264 /* convert to Ethernet II header */ 1265 eh->ether_type = llc->llc_snap.ether_type; 1266 /* strip LLC+SNAP headers */ 1267 memmove((u_int8_t *)eh + LLC_SNAPFRAMELEN, eh, 1268 ETHER_HDR_LEN); 1269 m_adj(m, LLC_SNAPFRAMELEN); 1270 len -= LLC_SNAPFRAMELEN; 1271 } 1272 len += ETHER_HDR_LEN; 1273 if (len > m->m_pkthdr.len) { 1274 /* stop processing A-MSDU subframes */ 1275 DPRINTF(("A-MSDU subframe too long (%d)\n", len)); 1276 ic->ic_stats.is_rx_decap++; 1277 ml_purge(&subframes); 1278 m_freem(m); 1279 return; 1280 } 1281 1282 /* "detach" our A-MSDU subframe from the others */ 1283 n = m_split(m, len, M_NOWAIT); 1284 if (n == NULL) { 1285 /* stop processing A-MSDU subframes */ 1286 ic->ic_stats.is_rx_decap++; 1287 ml_purge(&subframes); 1288 m_freem(m); 1289 return; 1290 } 1291 1292 if (ieee80211_amsdu_decap_validate(ic, m, ni)) { 1293 /* stop processing A-MSDU subframes */ 1294 ic->ic_stats.is_rx_decap++; 1295 ml_purge(&subframes); 1296 m_freem(m); 1297 return; 1298 } 1299 1300 ml_enqueue(&subframes, m); 1301 1302 m = n; 1303 /* remove padding */ 1304 pad = ((len + 3) & ~3) - len; 1305 m_adj(m, pad); 1306 } 1307 1308 while ((n = ml_dequeue(&subframes)) != NULL) 1309 ieee80211_enqueue_data(ic, n, ni, mcast, ml); 1310 1311 m_freem(m); 1312 } 1313 1314 /* 1315 * Parse an EDCA Parameter Set element (see 7.3.2.27). 1316 */ 1317 int 1318 ieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm) 1319 { 1320 u_int updtcount; 1321 int aci; 1322 1323 /* 1324 * Check if EDCA parameters have changed XXX if we miss more than 1325 * 15 consecutive beacons, we might not detect changes to EDCA 1326 * parameters due to wraparound of the 4-bit Update Count field. 1327 */ 1328 updtcount = frm[0] & 0xf; 1329 if (updtcount == ic->ic_edca_updtcount) 1330 return 0; /* no changes to EDCA parameters, ignore */ 1331 ic->ic_edca_updtcount = updtcount; 1332 1333 frm += 2; /* skip QoS Info & Reserved fields */ 1334 1335 /* parse AC Parameter Records */ 1336 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 1337 struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci]; 1338 1339 ac->ac_acm = (frm[0] >> 4) & 0x1; 1340 ac->ac_aifsn = frm[0] & 0xf; 1341 ac->ac_ecwmin = frm[1] & 0xf; 1342 ac->ac_ecwmax = frm[1] >> 4; 1343 ac->ac_txoplimit = LE_READ_2(frm + 2); 1344 frm += 4; 1345 } 1346 /* give drivers a chance to update their settings */ 1347 if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL) 1348 (*ic->ic_updateedca)(ic); 1349 1350 return 0; 1351 } 1352 1353 int 1354 ieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm) 1355 { 1356 if (frm[1] < 18) { 1357 ic->ic_stats.is_rx_elem_toosmall++; 1358 return IEEE80211_REASON_IE_INVALID; 1359 } 1360 return ieee80211_parse_edca_params_body(ic, frm + 2); 1361 } 1362 1363 int 1364 ieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm) 1365 { 1366 if (frm[1] < 24) { 1367 ic->ic_stats.is_rx_elem_toosmall++; 1368 return IEEE80211_REASON_IE_INVALID; 1369 } 1370 return ieee80211_parse_edca_params_body(ic, frm + 8); 1371 } 1372 1373 enum ieee80211_cipher 1374 ieee80211_parse_rsn_cipher(const u_int8_t selector[4]) 1375 { 1376 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1377 switch (selector[3]) { 1378 case 0: /* use group data cipher suite */ 1379 return IEEE80211_CIPHER_USEGROUP; 1380 case 1: /* WEP-40 */ 1381 return IEEE80211_CIPHER_WEP40; 1382 case 2: /* TKIP */ 1383 return IEEE80211_CIPHER_TKIP; 1384 case 4: /* CCMP (RSNA default) */ 1385 return IEEE80211_CIPHER_CCMP; 1386 case 5: /* WEP-104 */ 1387 return IEEE80211_CIPHER_WEP104; 1388 } 1389 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1390 /* see 802.11-2012 Table 8-99 */ 1391 switch (selector[3]) { 1392 case 0: /* use group data cipher suite */ 1393 return IEEE80211_CIPHER_USEGROUP; 1394 case 1: /* WEP-40 */ 1395 return IEEE80211_CIPHER_WEP40; 1396 case 2: /* TKIP */ 1397 return IEEE80211_CIPHER_TKIP; 1398 case 4: /* CCMP (RSNA default) */ 1399 return IEEE80211_CIPHER_CCMP; 1400 case 5: /* WEP-104 */ 1401 return IEEE80211_CIPHER_WEP104; 1402 case 6: /* BIP */ 1403 return IEEE80211_CIPHER_BIP; 1404 } 1405 } 1406 return IEEE80211_CIPHER_NONE; /* ignore unknown ciphers */ 1407 } 1408 1409 enum ieee80211_akm 1410 ieee80211_parse_rsn_akm(const u_int8_t selector[4]) 1411 { 1412 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1413 switch (selector[3]) { 1414 case 1: /* IEEE 802.1X (RSNA default) */ 1415 return IEEE80211_AKM_8021X; 1416 case 2: /* PSK */ 1417 return IEEE80211_AKM_PSK; 1418 } 1419 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1420 /* from IEEE Std 802.11i-2004 - Table 20dc */ 1421 switch (selector[3]) { 1422 case 1: /* IEEE 802.1X (RSNA default) */ 1423 return IEEE80211_AKM_8021X; 1424 case 2: /* PSK */ 1425 return IEEE80211_AKM_PSK; 1426 case 5: /* IEEE 802.1X with SHA256 KDF */ 1427 return IEEE80211_AKM_SHA256_8021X; 1428 case 6: /* PSK with SHA256 KDF */ 1429 return IEEE80211_AKM_SHA256_PSK; 1430 } 1431 } 1432 return IEEE80211_AKM_NONE; /* ignore unknown AKMs */ 1433 } 1434 1435 /* 1436 * Parse an RSN element (see 802.11-2012 8.4.2.27) 1437 */ 1438 int 1439 ieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm, 1440 u_int len, struct ieee80211_rsnparams *rsn) 1441 { 1442 const u_int8_t *efrm; 1443 u_int16_t m, n, s; 1444 1445 efrm = frm + len; 1446 1447 /* check Version field */ 1448 if (LE_READ_2(frm) != 1) 1449 return IEEE80211_STATUS_RSN_IE_VER_UNSUP; 1450 frm += 2; 1451 1452 /* all fields after the Version field are optional */ 1453 1454 /* if Cipher Suite missing, default to CCMP */ 1455 rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP; 1456 rsn->rsn_nciphers = 1; 1457 rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP; 1458 /* if Group Management Cipher Suite missing, default to BIP */ 1459 rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP; 1460 /* if AKM Suite missing, default to 802.1X */ 1461 rsn->rsn_nakms = 1; 1462 rsn->rsn_akms = IEEE80211_AKM_8021X; 1463 /* if RSN capabilities missing, default to 0 */ 1464 rsn->rsn_caps = 0; 1465 rsn->rsn_npmkids = 0; 1466 1467 /* read Group Data Cipher Suite field */ 1468 if (frm + 4 > efrm) 1469 return 0; 1470 rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm); 1471 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_NONE || 1472 rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP || 1473 rsn->rsn_groupcipher == IEEE80211_CIPHER_BIP) 1474 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1475 frm += 4; 1476 1477 /* read Pairwise Cipher Suite Count field */ 1478 if (frm + 2 > efrm) 1479 return 0; 1480 m = rsn->rsn_nciphers = LE_READ_2(frm); 1481 frm += 2; 1482 1483 /* read Pairwise Cipher Suite List */ 1484 if (frm + m * 4 > efrm) 1485 return IEEE80211_STATUS_IE_INVALID; 1486 rsn->rsn_ciphers = IEEE80211_CIPHER_NONE; 1487 while (m-- > 0) { 1488 rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm); 1489 frm += 4; 1490 } 1491 if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) { 1492 if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP) 1493 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1494 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP) 1495 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1496 } 1497 1498 /* read AKM Suite List Count field */ 1499 if (frm + 2 > efrm) 1500 return 0; 1501 n = rsn->rsn_nakms = LE_READ_2(frm); 1502 frm += 2; 1503 1504 /* read AKM Suite List */ 1505 if (frm + n * 4 > efrm) 1506 return IEEE80211_STATUS_IE_INVALID; 1507 rsn->rsn_akms = IEEE80211_AKM_NONE; 1508 while (n-- > 0) { 1509 rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm); 1510 frm += 4; 1511 } 1512 1513 /* read RSN Capabilities field */ 1514 if (frm + 2 > efrm) 1515 return 0; 1516 rsn->rsn_caps = LE_READ_2(frm); 1517 frm += 2; 1518 1519 /* read PMKID Count field */ 1520 if (frm + 2 > efrm) 1521 return 0; 1522 s = rsn->rsn_npmkids = LE_READ_2(frm); 1523 frm += 2; 1524 1525 /* read PMKID List */ 1526 if (frm + s * IEEE80211_PMKID_LEN > efrm) 1527 return IEEE80211_STATUS_IE_INVALID; 1528 if (s != 0) { 1529 rsn->rsn_pmkids = frm; 1530 frm += s * IEEE80211_PMKID_LEN; 1531 } 1532 1533 /* read Group Management Cipher Suite field */ 1534 if (frm + 4 > efrm) 1535 return 0; 1536 rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm); 1537 if (rsn->rsn_groupmgmtcipher != IEEE80211_CIPHER_BIP) 1538 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1539 1540 return IEEE80211_STATUS_SUCCESS; 1541 } 1542 1543 int 1544 ieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm, 1545 struct ieee80211_rsnparams *rsn) 1546 { 1547 if (frm[1] < 2) { 1548 ic->ic_stats.is_rx_elem_toosmall++; 1549 return IEEE80211_STATUS_IE_INVALID; 1550 } 1551 return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn); 1552 } 1553 1554 int 1555 ieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm, 1556 struct ieee80211_rsnparams *rsn) 1557 { 1558 if (frm[1] < 6) { 1559 ic->ic_stats.is_rx_elem_toosmall++; 1560 return IEEE80211_STATUS_IE_INVALID; 1561 } 1562 return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn); 1563 } 1564 1565 /* 1566 * Create (or update) a copy of an information element. 1567 */ 1568 int 1569 ieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie) 1570 { 1571 int olen = *ie ? 2 + (*ie)[1] : 0; 1572 int len = 2 + frm[1]; 1573 1574 if (*ie == NULL || olen != len) { 1575 if (*ie != NULL) 1576 free(*ie, M_DEVBUF, olen); 1577 *ie = malloc(len, M_DEVBUF, M_NOWAIT); 1578 if (*ie == NULL) 1579 return ENOMEM; 1580 } 1581 memcpy(*ie, frm, len); 1582 return 0; 1583 } 1584 1585 /*- 1586 * Beacon/Probe response frame format: 1587 * [8] Timestamp 1588 * [2] Beacon interval 1589 * [2] Capability 1590 * [tlv] Service Set Identifier (SSID) 1591 * [tlv] Supported rates 1592 * [tlv] DS Parameter Set (802.11g) 1593 * [tlv] ERP Information (802.11g) 1594 * [tlv] Extended Supported Rates (802.11g) 1595 * [tlv] RSN (802.11i) 1596 * [tlv] EDCA Parameter Set (802.11e) 1597 * [tlv] QoS Capability (Beacon only, 802.11e) 1598 * [tlv] HT Capabilities (802.11n) 1599 * [tlv] HT Operation (802.11n) 1600 */ 1601 void 1602 ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m, 1603 struct ieee80211_node *rni, struct ieee80211_rxinfo *rxi, int isprobe) 1604 { 1605 struct ieee80211_node *ni; 1606 const struct ieee80211_frame *wh; 1607 const u_int8_t *frm, *efrm; 1608 const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie; 1609 const u_int8_t *rsnie, *wpaie, *htcaps, *htop; 1610 u_int16_t capinfo, bintval; 1611 u_int8_t chan, bchan, erp, dtim_count, dtim_period; 1612 int is_new; 1613 1614 /* 1615 * We process beacon/probe response frames for: 1616 * o station mode: to collect state 1617 * updates such as 802.11g slot time and for passive 1618 * scanning of APs 1619 * o adhoc mode: to discover neighbors 1620 * o hostap mode: for passive scanning of neighbor APs 1621 * o when scanning 1622 * In other words, in all modes other than monitor (which 1623 * does not process incoming frames) and adhoc-demo (which 1624 * does not use management frames at all). 1625 */ 1626 #ifdef DIAGNOSTIC 1627 if (ic->ic_opmode != IEEE80211_M_STA && 1628 #ifndef IEEE80211_STA_ONLY 1629 ic->ic_opmode != IEEE80211_M_IBSS && 1630 ic->ic_opmode != IEEE80211_M_HOSTAP && 1631 #endif 1632 ic->ic_state != IEEE80211_S_SCAN) { 1633 panic("%s: impossible operating mode", __func__); 1634 } 1635 #endif 1636 /* make sure all mandatory fixed fields are present */ 1637 if (m->m_len < sizeof(*wh) + 12) { 1638 DPRINTF(("frame too short\n")); 1639 return; 1640 } 1641 wh = mtod(m, struct ieee80211_frame *); 1642 frm = (const u_int8_t *)&wh[1]; 1643 efrm = mtod(m, u_int8_t *) + m->m_len; 1644 1645 tstamp = frm; frm += 8; 1646 bintval = LE_READ_2(frm); frm += 2; 1647 capinfo = LE_READ_2(frm); frm += 2; 1648 1649 ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = NULL; 1650 htcaps = htop = NULL; 1651 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1652 chan = bchan; 1653 erp = 0; 1654 dtim_count = dtim_period = 0; 1655 while (frm + 2 <= efrm) { 1656 if (frm + 2 + frm[1] > efrm) { 1657 ic->ic_stats.is_rx_elem_toosmall++; 1658 break; 1659 } 1660 switch (frm[0]) { 1661 case IEEE80211_ELEMID_SSID: 1662 ssid = frm; 1663 break; 1664 case IEEE80211_ELEMID_RATES: 1665 rates = frm; 1666 break; 1667 case IEEE80211_ELEMID_DSPARMS: 1668 if (frm[1] < 1) { 1669 ic->ic_stats.is_rx_elem_toosmall++; 1670 break; 1671 } 1672 chan = frm[2]; 1673 break; 1674 case IEEE80211_ELEMID_XRATES: 1675 xrates = frm; 1676 break; 1677 case IEEE80211_ELEMID_ERP: 1678 if (frm[1] < 1) { 1679 ic->ic_stats.is_rx_elem_toosmall++; 1680 break; 1681 } 1682 erp = frm[2]; 1683 break; 1684 case IEEE80211_ELEMID_RSN: 1685 rsnie = frm; 1686 break; 1687 case IEEE80211_ELEMID_EDCAPARMS: 1688 edcaie = frm; 1689 break; 1690 case IEEE80211_ELEMID_HTCAPS: 1691 htcaps = frm; 1692 break; 1693 case IEEE80211_ELEMID_HTOP: 1694 htop = frm; 1695 break; 1696 case IEEE80211_ELEMID_TIM: 1697 if (frm[1] > 3) { 1698 dtim_count = frm[2]; 1699 dtim_period = frm[3]; 1700 } 1701 break; 1702 case IEEE80211_ELEMID_VENDOR: 1703 if (frm[1] < 4) { 1704 ic->ic_stats.is_rx_elem_toosmall++; 1705 break; 1706 } 1707 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1708 if (frm[5] == 1) 1709 wpaie = frm; 1710 else if (frm[1] >= 5 && 1711 frm[5] == 2 && frm[6] == 1) 1712 wmmie = frm; 1713 } 1714 break; 1715 } 1716 frm += 2 + frm[1]; 1717 } 1718 /* supported rates element is mandatory */ 1719 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1720 DPRINTF(("invalid supported rates element\n")); 1721 return; 1722 } 1723 /* SSID element is mandatory */ 1724 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1725 DPRINTF(("invalid SSID element\n")); 1726 return; 1727 } 1728 1729 if ( 1730 #if IEEE80211_CHAN_MAX < 255 1731 chan > IEEE80211_CHAN_MAX || 1732 #endif 1733 isclr(ic->ic_chan_active, chan)) { 1734 DPRINTF(("ignore %s with invalid channel %u\n", 1735 isprobe ? "probe response" : "beacon", chan)); 1736 ic->ic_stats.is_rx_badchan++; 1737 return; 1738 } 1739 if ((ic->ic_state != IEEE80211_S_SCAN || 1740 !(ic->ic_caps & IEEE80211_C_SCANALL)) && 1741 chan != bchan) { 1742 /* 1743 * Frame was received on a channel different from the 1744 * one indicated in the DS params element id; 1745 * silently discard it. 1746 * 1747 * NB: this can happen due to signal leakage. 1748 */ 1749 DPRINTF(("ignore %s on channel %u marked for channel %u\n", 1750 isprobe ? "probe response" : "beacon", bchan, chan)); 1751 ic->ic_stats.is_rx_chanmismatch++; 1752 return; 1753 } 1754 /* 1755 * Use mac, channel and rssi so we collect only the 1756 * best potential AP with the equal bssid while scanning. 1757 * Collecting all potential APs may result in bloat of 1758 * the node tree. This call will return NULL if the node 1759 * for this APs does not exist or if the new node is the 1760 * potential better one. 1761 */ 1762 ni = ieee80211_find_node_for_beacon(ic, wh->i_addr2, 1763 &ic->ic_channels[chan], ssid, rxi->rxi_rssi); 1764 if (ni != NULL) { 1765 /* 1766 * If we are doing a directed scan for an AP with a hidden SSID 1767 * we must collect the SSID from a probe response to override 1768 * a non-zero-length SSID filled with zeroes that we may have 1769 * received earlier in a beacon. 1770 */ 1771 if (isprobe && ssid[1] != 0 && ni->ni_essid[0] == '\0') { 1772 ni->ni_esslen = ssid[1]; 1773 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1774 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1775 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1776 } 1777 1778 /* Update channel in case AP has switched */ 1779 if (ic->ic_opmode == IEEE80211_M_STA) 1780 ni->ni_chan = rni->ni_chan; 1781 1782 return; 1783 } 1784 1785 #ifdef IEEE80211_DEBUG 1786 if (ieee80211_debug > 1 && 1787 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN || 1788 (ic->ic_flags & IEEE80211_F_BGSCAN))) { 1789 printf("%s: %s%s on chan %u (bss chan %u) ", 1790 __func__, (ni == NULL ? "new " : ""), 1791 isprobe ? "probe response" : "beacon", 1792 chan, bchan); 1793 ieee80211_print_essid(ssid + 2, ssid[1]); 1794 printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2)); 1795 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1796 __func__, capinfo, bintval, erp); 1797 } 1798 #endif 1799 1800 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1801 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1802 if (ni == NULL) 1803 return; 1804 is_new = 1; 1805 } else 1806 is_new = 0; 1807 1808 if (htcaps) 1809 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1810 if (htop && !ieee80211_setup_htop(ni, htop + 2, htop[1], 1)) 1811 htop = NULL; /* invalid HTOP */ 1812 1813 ni->ni_dtimcount = dtim_count; 1814 ni->ni_dtimperiod = dtim_period; 1815 1816 /* 1817 * When operating in station mode, check for state updates 1818 * while we're associated. 1819 */ 1820 if (ic->ic_opmode == IEEE80211_M_STA && 1821 ic->ic_state == IEEE80211_S_RUN && 1822 ni->ni_state == IEEE80211_STA_BSS) { 1823 int updateprot = 0; 1824 /* 1825 * Check if protection mode has changed since last beacon. 1826 */ 1827 if (ni->ni_erp != erp) { 1828 DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n", 1829 ether_sprintf((u_int8_t *)wh->i_addr2), 1830 ni->ni_erp, erp)); 1831 if ((ic->ic_curmode == IEEE80211_MODE_11G || 1832 (ic->ic_curmode == IEEE80211_MODE_11N && 1833 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 1834 (erp & IEEE80211_ERP_USE_PROTECTION)) 1835 ic->ic_flags |= IEEE80211_F_USEPROT; 1836 else 1837 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1838 ic->ic_bss->ni_erp = erp; 1839 updateprot = 1; 1840 } 1841 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT)) { 1842 enum ieee80211_htprot htprot_last, htprot; 1843 htprot_last = 1844 ((ic->ic_bss->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) 1845 >> IEEE80211_HTOP1_PROT_SHIFT); 1846 htprot = ((ni->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) >> 1847 IEEE80211_HTOP1_PROT_SHIFT); 1848 if (htprot_last != htprot) { 1849 DPRINTF(("[%s] htprot change: was %d, now %d\n", 1850 ether_sprintf((u_int8_t *)wh->i_addr2), 1851 htprot_last, htprot)); 1852 ic->ic_stats.is_ht_prot_change++; 1853 ic->ic_bss->ni_htop1 = ni->ni_htop1; 1854 updateprot = 1; 1855 } 1856 } 1857 if (updateprot && ic->ic_updateprot != NULL) 1858 ic->ic_updateprot(ic); 1859 1860 /* 1861 * Check if 40MHz channel mode has changed since last beacon. 1862 */ 1863 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT) && 1864 (ic->ic_htcaps & IEEE80211_HTCAP_CBW20_40)) { 1865 uint8_t chw_last, chw, sco_last, sco; 1866 chw_last = (ic->ic_bss->ni_htop0 & IEEE80211_HTOP0_CHW); 1867 chw = (ni->ni_htop0 & IEEE80211_HTOP0_CHW); 1868 sco_last = 1869 ((ic->ic_bss->ni_htop0 & IEEE80211_HTOP0_SCO_MASK) 1870 >> IEEE80211_HTOP0_SCO_SHIFT); 1871 sco = ((ni->ni_htop0 & IEEE80211_HTOP0_SCO_MASK) >> 1872 IEEE80211_HTOP0_SCO_SHIFT); 1873 ic->ic_bss->ni_htop0 = ni->ni_htop0; 1874 if (chw_last != chw || sco_last != sco) { 1875 if (ic->ic_updatechan != NULL) 1876 ic->ic_updatechan(ic); 1877 } 1878 } else if (htop) 1879 ic->ic_bss->ni_htop0 = ni->ni_htop0; 1880 1881 /* 1882 * Check if AP short slot time setting has changed 1883 * since last beacon and give the driver a chance to 1884 * update the hardware. 1885 */ 1886 if ((ni->ni_capinfo ^ capinfo) & 1887 IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1888 ieee80211_set_shortslottime(ic, 1889 ic->ic_curmode == IEEE80211_MODE_11A || 1890 (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1891 } 1892 1893 /* 1894 * Reset management timer. If it is non-zero in RUN state, the 1895 * driver sent a probe request after a missed beacon event. 1896 * This probe response indicates the AP is still serving us 1897 * so don't allow ieee80211_watchdog() to move us into SCAN. 1898 */ 1899 if ((ic->ic_flags & IEEE80211_F_BGSCAN) == 0) 1900 ic->ic_mgt_timer = 0; 1901 } 1902 /* 1903 * We do not try to update EDCA parameters if QoS was not negotiated 1904 * with the AP at association time. 1905 */ 1906 if (ni->ni_flags & IEEE80211_NODE_QOS) { 1907 /* always prefer EDCA IE over Wi-Fi Alliance WMM IE */ 1908 if ((edcaie != NULL && 1909 ieee80211_parse_edca_params(ic, edcaie) == 0) || 1910 (wmmie != NULL && 1911 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 1912 ni->ni_flags |= IEEE80211_NODE_QOS; 1913 else 1914 ni->ni_flags &= ~IEEE80211_NODE_QOS; 1915 } 1916 1917 if (ic->ic_state == IEEE80211_S_SCAN || 1918 (ic->ic_flags & IEEE80211_F_BGSCAN)) { 1919 struct ieee80211_rsnparams rsn, wpa; 1920 1921 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1922 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 1923 ni->ni_rsnakms = 0; 1924 ni->ni_supported_rsnakms = 0; 1925 ni->ni_rsnciphers = 0; 1926 ni->ni_rsngroupcipher = 0; 1927 ni->ni_rsngroupmgmtcipher = 0; 1928 ni->ni_rsncaps = 0; 1929 1930 if (rsnie != NULL && 1931 ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) { 1932 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_RSN; 1933 ni->ni_supported_rsnakms |= rsn.rsn_akms; 1934 } 1935 if (wpaie != NULL && 1936 ieee80211_parse_wpa(ic, wpaie, &wpa) == 0) { 1937 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_WPA; 1938 ni->ni_supported_rsnakms |= wpa.rsn_akms; 1939 } 1940 1941 /* 1942 * If the AP advertises both WPA and RSN IEs (WPA1+WPA2), 1943 * we only use the highest protocol version we support. 1944 */ 1945 if (rsnie != NULL && 1946 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_RSN) && 1947 (ic->ic_caps & IEEE80211_C_RSN)) { 1948 if (ieee80211_save_ie(rsnie, &ni->ni_rsnie) == 0 1949 #ifndef IEEE80211_STA_ONLY 1950 && ic->ic_opmode != IEEE80211_M_HOSTAP 1951 #endif 1952 ) { 1953 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1954 ni->ni_rsnakms = rsn.rsn_akms; 1955 ni->ni_rsnciphers = rsn.rsn_ciphers; 1956 ni->ni_rsngroupcipher = rsn.rsn_groupcipher; 1957 ni->ni_rsngroupmgmtcipher = 1958 rsn.rsn_groupmgmtcipher; 1959 ni->ni_rsncaps = rsn.rsn_caps; 1960 } 1961 } else if (wpaie != NULL && 1962 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_WPA) && 1963 (ic->ic_caps & IEEE80211_C_RSN)) { 1964 if (ieee80211_save_ie(wpaie, &ni->ni_rsnie) == 0 1965 #ifndef IEEE80211_STA_ONLY 1966 && ic->ic_opmode != IEEE80211_M_HOSTAP 1967 #endif 1968 ) { 1969 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1970 ni->ni_rsnakms = wpa.rsn_akms; 1971 ni->ni_rsnciphers = wpa.rsn_ciphers; 1972 ni->ni_rsngroupcipher = wpa.rsn_groupcipher; 1973 ni->ni_rsngroupmgmtcipher = 1974 wpa.rsn_groupmgmtcipher; 1975 ni->ni_rsncaps = wpa.rsn_caps; 1976 } 1977 } 1978 } 1979 1980 if (ssid[1] != 0 && ni->ni_essid[0] == '\0') { 1981 ni->ni_esslen = ssid[1]; 1982 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1983 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1984 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1985 } 1986 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1987 /* XXX validate channel # */ 1988 ni->ni_chan = &ic->ic_channels[chan]; 1989 if (ic->ic_state == IEEE80211_S_SCAN && 1990 IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) { 1991 /* 1992 * During a scan on 5Ghz, prefer RSSI measured for probe 1993 * response frames. i.e. don't allow beacons to lower the 1994 * measured RSSI. Some 5GHz APs send beacons with much 1995 * less Tx power than they use for probe responses. 1996 */ 1997 if (isprobe || ni->ni_rssi == 0) 1998 ni->ni_rssi = rxi->rxi_rssi; 1999 else if (ni->ni_rssi < rxi->rxi_rssi) 2000 ni->ni_rssi = rxi->rxi_rssi; 2001 } else 2002 ni->ni_rssi = rxi->rxi_rssi; 2003 ni->ni_rstamp = rxi->rxi_tstamp; 2004 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 2005 ni->ni_intval = bintval; 2006 ni->ni_capinfo = capinfo; 2007 ni->ni_erp = erp; 2008 /* NB: must be after ni_chan is setup */ 2009 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 2010 #ifndef IEEE80211_STA_ONLY 2011 if (ic->ic_opmode == IEEE80211_M_IBSS && is_new && isprobe) { 2012 /* 2013 * Fake an association so the driver can setup it's 2014 * private state. The rate set has been setup above; 2015 * there is no handshake as in ap/station operation. 2016 */ 2017 if (ic->ic_newassoc) 2018 (*ic->ic_newassoc)(ic, ni, 1); 2019 } 2020 #endif 2021 } 2022 2023 #ifndef IEEE80211_STA_ONLY 2024 /*- 2025 * Probe request frame format: 2026 * [tlv] SSID 2027 * [tlv] Supported rates 2028 * [tlv] Extended Supported Rates (802.11g) 2029 * [tlv] HT Capabilities (802.11n) 2030 */ 2031 void 2032 ieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m, 2033 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 2034 { 2035 const struct ieee80211_frame *wh; 2036 const u_int8_t *frm, *efrm; 2037 const u_int8_t *ssid, *rates, *xrates, *htcaps; 2038 u_int8_t rate; 2039 2040 if (ic->ic_opmode == IEEE80211_M_STA || 2041 ic->ic_state != IEEE80211_S_RUN) 2042 return; 2043 2044 wh = mtod(m, struct ieee80211_frame *); 2045 frm = (const u_int8_t *)&wh[1]; 2046 efrm = mtod(m, u_int8_t *) + m->m_len; 2047 2048 ssid = rates = xrates = htcaps = NULL; 2049 while (frm + 2 <= efrm) { 2050 if (frm + 2 + frm[1] > efrm) { 2051 ic->ic_stats.is_rx_elem_toosmall++; 2052 break; 2053 } 2054 switch (frm[0]) { 2055 case IEEE80211_ELEMID_SSID: 2056 ssid = frm; 2057 break; 2058 case IEEE80211_ELEMID_RATES: 2059 rates = frm; 2060 break; 2061 case IEEE80211_ELEMID_XRATES: 2062 xrates = frm; 2063 break; 2064 case IEEE80211_ELEMID_HTCAPS: 2065 htcaps = frm; 2066 break; 2067 } 2068 frm += 2 + frm[1]; 2069 } 2070 /* supported rates element is mandatory */ 2071 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2072 DPRINTF(("invalid supported rates element\n")); 2073 return; 2074 } 2075 /* SSID element is mandatory */ 2076 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 2077 DPRINTF(("invalid SSID element\n")); 2078 return; 2079 } 2080 /* check that the specified SSID (if not wildcard) matches ours */ 2081 if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen || 2082 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) { 2083 DPRINTF(("SSID mismatch\n")); 2084 ic->ic_stats.is_rx_ssidmismatch++; 2085 return; 2086 } 2087 /* refuse wildcard SSID if we're hiding our SSID in beacons */ 2088 if (ssid[1] == 0 && (ic->ic_userflags & IEEE80211_F_HIDENWID)) { 2089 DPRINTF(("wildcard SSID rejected")); 2090 ic->ic_stats.is_rx_ssidmismatch++; 2091 return; 2092 } 2093 2094 if (ni == ic->ic_bss) { 2095 ni = ieee80211_find_node(ic, wh->i_addr2); 2096 if (ni == NULL) 2097 ni = ieee80211_dup_bss(ic, wh->i_addr2); 2098 if (ni == NULL) 2099 return; 2100 DPRINTF(("new probe req from %s\n", 2101 ether_sprintf((u_int8_t *)wh->i_addr2))); 2102 } 2103 ni->ni_rssi = rxi->rxi_rssi; 2104 ni->ni_rstamp = rxi->rxi_tstamp; 2105 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2106 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2107 IEEE80211_F_DODEL); 2108 if (rate & IEEE80211_RATE_BASIC) { 2109 DPRINTF(("rate mismatch for %s\n", 2110 ether_sprintf((u_int8_t *)wh->i_addr2))); 2111 return; 2112 } 2113 if (htcaps) 2114 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2115 else 2116 ieee80211_clear_htcaps(ni); 2117 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 2118 } 2119 #endif /* IEEE80211_STA_ONLY */ 2120 2121 /*- 2122 * Authentication frame format: 2123 * [2] Authentication algorithm number 2124 * [2] Authentication transaction sequence number 2125 * [2] Status code 2126 */ 2127 void 2128 ieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m, 2129 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 2130 { 2131 const struct ieee80211_frame *wh; 2132 const u_int8_t *frm; 2133 u_int16_t algo, seq, status; 2134 2135 /* make sure all mandatory fixed fields are present */ 2136 if (m->m_len < sizeof(*wh) + 6) { 2137 DPRINTF(("frame too short\n")); 2138 return; 2139 } 2140 wh = mtod(m, struct ieee80211_frame *); 2141 frm = (const u_int8_t *)&wh[1]; 2142 2143 algo = LE_READ_2(frm); frm += 2; 2144 seq = LE_READ_2(frm); frm += 2; 2145 status = LE_READ_2(frm); frm += 2; 2146 DPRINTF(("auth %d seq %d from %s\n", algo, seq, 2147 ether_sprintf((u_int8_t *)wh->i_addr2))); 2148 2149 /* only "open" auth mode is supported */ 2150 if (algo != IEEE80211_AUTH_ALG_OPEN) { 2151 DPRINTF(("unsupported auth algorithm %d from %s\n", 2152 algo, ether_sprintf((u_int8_t *)wh->i_addr2))); 2153 ic->ic_stats.is_rx_auth_unsupported++; 2154 #ifndef IEEE80211_STA_ONLY 2155 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2156 /* XXX hack to workaround calling convention */ 2157 IEEE80211_SEND_MGMT(ic, ni, 2158 IEEE80211_FC0_SUBTYPE_AUTH, 2159 IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xfff)); 2160 } 2161 #endif 2162 return; 2163 } 2164 ieee80211_auth_open(ic, wh, ni, rxi, seq, status); 2165 } 2166 2167 #ifndef IEEE80211_STA_ONLY 2168 /*- 2169 * (Re)Association request frame format: 2170 * [2] Capability information 2171 * [2] Listen interval 2172 * [6*] Current AP address (Reassociation only) 2173 * [tlv] SSID 2174 * [tlv] Supported rates 2175 * [tlv] Extended Supported Rates (802.11g) 2176 * [tlv] RSN (802.11i) 2177 * [tlv] QoS Capability (802.11e) 2178 * [tlv] HT Capabilities (802.11n) 2179 */ 2180 void 2181 ieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m, 2182 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc) 2183 { 2184 const struct ieee80211_frame *wh; 2185 const u_int8_t *frm, *efrm; 2186 const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *wmeie, *htcaps; 2187 u_int16_t capinfo, bintval; 2188 int resp, status = 0; 2189 struct ieee80211_rsnparams rsn; 2190 u_int8_t rate; 2191 const u_int8_t *saveie = NULL; 2192 2193 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2194 ic->ic_state != IEEE80211_S_RUN) 2195 return; 2196 2197 /* make sure all mandatory fixed fields are present */ 2198 if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) { 2199 DPRINTF(("frame too short\n")); 2200 return; 2201 } 2202 wh = mtod(m, struct ieee80211_frame *); 2203 frm = (const u_int8_t *)&wh[1]; 2204 efrm = mtod(m, u_int8_t *) + m->m_len; 2205 2206 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2207 DPRINTF(("ignore other bss from %s\n", 2208 ether_sprintf((u_int8_t *)wh->i_addr2))); 2209 ic->ic_stats.is_rx_assoc_bss++; 2210 return; 2211 } 2212 capinfo = LE_READ_2(frm); frm += 2; 2213 bintval = LE_READ_2(frm); frm += 2; 2214 if (reassoc) { 2215 frm += IEEE80211_ADDR_LEN; /* skip current AP address */ 2216 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2217 } else 2218 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2219 2220 ssid = rates = xrates = rsnie = wpaie = wmeie = htcaps = NULL; 2221 while (frm + 2 <= efrm) { 2222 if (frm + 2 + frm[1] > efrm) { 2223 ic->ic_stats.is_rx_elem_toosmall++; 2224 break; 2225 } 2226 switch (frm[0]) { 2227 case IEEE80211_ELEMID_SSID: 2228 ssid = frm; 2229 break; 2230 case IEEE80211_ELEMID_RATES: 2231 rates = frm; 2232 break; 2233 case IEEE80211_ELEMID_XRATES: 2234 xrates = frm; 2235 break; 2236 case IEEE80211_ELEMID_RSN: 2237 rsnie = frm; 2238 break; 2239 case IEEE80211_ELEMID_QOS_CAP: 2240 break; 2241 case IEEE80211_ELEMID_HTCAPS: 2242 htcaps = frm; 2243 break; 2244 case IEEE80211_ELEMID_VENDOR: 2245 if (frm[1] < 4) { 2246 ic->ic_stats.is_rx_elem_toosmall++; 2247 break; 2248 } 2249 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2250 if (frm[5] == 1) 2251 wpaie = frm; 2252 /* WME info IE: len=7 type=2 subtype=0 */ 2253 if (frm[1] == 7 && frm[5] == 2 && frm[6] == 0) 2254 wmeie = frm; 2255 } 2256 break; 2257 } 2258 frm += 2 + frm[1]; 2259 } 2260 /* supported rates element is mandatory */ 2261 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2262 DPRINTF(("invalid supported rates element\n")); 2263 return; 2264 } 2265 /* SSID element is mandatory */ 2266 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 2267 DPRINTF(("invalid SSID element\n")); 2268 return; 2269 } 2270 /* check that the specified SSID matches ours */ 2271 if (ssid[1] != ic->ic_bss->ni_esslen || 2272 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) { 2273 DPRINTF(("SSID mismatch\n")); 2274 ic->ic_stats.is_rx_ssidmismatch++; 2275 return; 2276 } 2277 2278 if (ni->ni_state != IEEE80211_STA_AUTH && 2279 ni->ni_state != IEEE80211_STA_ASSOC) { 2280 DPRINTF(("deny %sassoc from %s, not authenticated\n", 2281 reassoc ? "re" : "", 2282 ether_sprintf((u_int8_t *)wh->i_addr2))); 2283 ni = ieee80211_find_node(ic, wh->i_addr2); 2284 if (ni == NULL) 2285 ni = ieee80211_dup_bss(ic, wh->i_addr2); 2286 if (ni != NULL) { 2287 IEEE80211_SEND_MGMT(ic, ni, 2288 IEEE80211_FC0_SUBTYPE_DEAUTH, 2289 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2290 } 2291 ic->ic_stats.is_rx_assoc_notauth++; 2292 return; 2293 } 2294 2295 if (ni->ni_state == IEEE80211_STA_ASSOC && 2296 (ni->ni_flags & IEEE80211_NODE_MFP)) { 2297 if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) { 2298 /* send a protected Disassociate frame */ 2299 IEEE80211_SEND_MGMT(ic, ni, 2300 IEEE80211_FC0_SUBTYPE_DISASSOC, 2301 IEEE80211_REASON_AUTH_EXPIRE); 2302 /* terminate the old SA */ 2303 ieee80211_node_leave(ic, ni); 2304 } else { 2305 /* reject the (Re)Association Request temporarily */ 2306 IEEE80211_SEND_MGMT(ic, ni, resp, 2307 IEEE80211_STATUS_TRY_AGAIN_LATER); 2308 /* start SA Query procedure if not already engaged */ 2309 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) 2310 ieee80211_sa_query_request(ic, ni); 2311 /* do not modify association state */ 2312 } 2313 return; 2314 } 2315 2316 if (!(capinfo & IEEE80211_CAPINFO_ESS)) { 2317 ic->ic_stats.is_rx_assoc_capmismatch++; 2318 status = IEEE80211_STATUS_CAPINFO; 2319 goto end; 2320 } 2321 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2322 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2323 IEEE80211_F_DODEL); 2324 if (rate & IEEE80211_RATE_BASIC) { 2325 ic->ic_stats.is_rx_assoc_norate++; 2326 status = IEEE80211_STATUS_BASIC_RATE; 2327 goto end; 2328 } 2329 2330 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2331 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 2332 ni->ni_rsnakms = 0; 2333 ni->ni_supported_rsnakms = 0; 2334 ni->ni_rsnciphers = 0; 2335 ni->ni_rsngroupcipher = 0; 2336 ni->ni_rsngroupmgmtcipher = 0; 2337 ni->ni_rsncaps = 0; 2338 2339 /* 2340 * A station should never include both a WPA and an RSN IE 2341 * in its (Re)Association Requests, but if it does, we only 2342 * consider the IE of the highest version of the protocol 2343 * that is allowed (ie RSN over WPA). 2344 */ 2345 if (rsnie != NULL) { 2346 status = ieee80211_parse_rsn(ic, rsnie, &rsn); 2347 if (status != 0) 2348 goto end; 2349 ni->ni_supported_rsnprotos = IEEE80211_PROTO_RSN; 2350 ni->ni_supported_rsnakms = rsn.rsn_akms; 2351 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2352 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 2353 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 2354 saveie = rsnie; 2355 } 2356 } else if (wpaie != NULL) { 2357 status = ieee80211_parse_wpa(ic, wpaie, &rsn); 2358 if (status != 0) 2359 goto end; 2360 ni->ni_supported_rsnprotos = IEEE80211_PROTO_WPA; 2361 ni->ni_supported_rsnakms = rsn.rsn_akms; 2362 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2363 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 2364 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 2365 saveie = wpaie; 2366 } 2367 } 2368 2369 if (ic->ic_flags & IEEE80211_F_QOS) { 2370 if (wmeie != NULL) 2371 ni->ni_flags |= IEEE80211_NODE_QOS; 2372 else /* for Reassociation */ 2373 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2374 } 2375 2376 if (ic->ic_flags & IEEE80211_F_RSNON) { 2377 if (ni->ni_rsnprotos == IEEE80211_PROTO_NONE) { 2378 /* 2379 * In an RSN, an AP shall not associate with STAs 2380 * that fail to include the RSN IE in the 2381 * (Re)Association Request. 2382 */ 2383 status = IEEE80211_STATUS_IE_INVALID; 2384 goto end; 2385 } 2386 /* 2387 * The initiating STA's RSN IE shall include one authentication 2388 * and pairwise cipher suite among those advertised by the 2389 * targeted AP. It shall also specify the group cipher suite 2390 * specified by the targeted AP. 2391 */ 2392 if (rsn.rsn_nakms != 1 || 2393 !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) { 2394 status = IEEE80211_STATUS_BAD_AKMP; 2395 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2396 goto end; 2397 } 2398 if (rsn.rsn_nciphers != 1 || 2399 !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) { 2400 status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 2401 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2402 goto end; 2403 } 2404 if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) { 2405 status = IEEE80211_STATUS_BAD_GROUP_CIPHER; 2406 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2407 goto end; 2408 } 2409 2410 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) && 2411 !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) { 2412 status = IEEE80211_STATUS_MFP_POLICY; 2413 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2414 goto end; 2415 } 2416 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 2417 (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC | 2418 IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) { 2419 /* STA advertises an invalid setting */ 2420 status = IEEE80211_STATUS_MFP_POLICY; 2421 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2422 goto end; 2423 } 2424 /* 2425 * A STA that has associated with Management Frame Protection 2426 * enabled shall not use cipher suite pairwise selector WEP40, 2427 * WEP104, TKIP, or "Use Group cipher suite". 2428 */ 2429 if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) && 2430 (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP || 2431 rsn.rsn_groupmgmtcipher != 2432 ic->ic_bss->ni_rsngroupmgmtcipher)) { 2433 status = IEEE80211_STATUS_MFP_POLICY; 2434 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2435 goto end; 2436 } 2437 2438 /* 2439 * Disallow new associations using TKIP if countermeasures 2440 * are active. 2441 */ 2442 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 2443 (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP || 2444 rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) { 2445 status = IEEE80211_STATUS_CIPHER_REJ_POLICY; 2446 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2447 goto end; 2448 } 2449 2450 /* everything looks fine, save IE and parameters */ 2451 if (saveie == NULL || 2452 ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) { 2453 status = IEEE80211_STATUS_TOOMANY; 2454 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2455 goto end; 2456 } 2457 ni->ni_rsnakms = rsn.rsn_akms; 2458 ni->ni_rsnciphers = rsn.rsn_ciphers; 2459 ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher; 2460 ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher; 2461 ni->ni_rsncaps = rsn.rsn_caps; 2462 2463 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 2464 struct ieee80211_pmk *pmk = NULL; 2465 const u_int8_t *pmkid = rsn.rsn_pmkids; 2466 /* 2467 * Check if we have a cached PMK entry matching one 2468 * of the PMKIDs specified in the RSN IE. 2469 */ 2470 while (rsn.rsn_npmkids-- > 0) { 2471 pmk = ieee80211_pmksa_find(ic, ni, pmkid); 2472 if (pmk != NULL) 2473 break; 2474 pmkid += IEEE80211_PMKID_LEN; 2475 } 2476 if (pmk != NULL) { 2477 memcpy(ni->ni_pmk, pmk->pmk_key, 2478 IEEE80211_PMK_LEN); 2479 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 2480 IEEE80211_PMKID_LEN); 2481 ni->ni_flags |= IEEE80211_NODE_PMK; 2482 } 2483 } 2484 } 2485 2486 ni->ni_rssi = rxi->rxi_rssi; 2487 ni->ni_rstamp = rxi->rxi_tstamp; 2488 ni->ni_intval = bintval; 2489 ni->ni_capinfo = capinfo; 2490 ni->ni_chan = ic->ic_bss->ni_chan; 2491 if (htcaps) 2492 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2493 else 2494 ieee80211_clear_htcaps(ni); 2495 end: 2496 if (status != 0) { 2497 IEEE80211_SEND_MGMT(ic, ni, resp, status); 2498 ieee80211_node_leave(ic, ni); 2499 } else 2500 ieee80211_node_join(ic, ni, resp); 2501 } 2502 #endif /* IEEE80211_STA_ONLY */ 2503 2504 /*- 2505 * (Re)Association response frame format: 2506 * [2] Capability information 2507 * [2] Status code 2508 * [2] Association ID (AID) 2509 * [tlv] Supported rates 2510 * [tlv] Extended Supported Rates (802.11g) 2511 * [tlv] EDCA Parameter Set (802.11e) 2512 * [tlv] HT Capabilities (802.11n) 2513 * [tlv] HT Operation (802.11n) 2514 */ 2515 void 2516 ieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m, 2517 struct ieee80211_node *ni, int reassoc) 2518 { 2519 struct ifnet *ifp = &ic->ic_if; 2520 const struct ieee80211_frame *wh; 2521 const u_int8_t *frm, *efrm; 2522 const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop; 2523 u_int16_t capinfo, status, associd; 2524 u_int8_t rate; 2525 2526 if (ic->ic_opmode != IEEE80211_M_STA || 2527 ic->ic_state != IEEE80211_S_ASSOC) { 2528 ic->ic_stats.is_rx_mgtdiscard++; 2529 return; 2530 } 2531 2532 /* make sure all mandatory fixed fields are present */ 2533 if (m->m_len < sizeof(*wh) + 6) { 2534 DPRINTF(("frame too short\n")); 2535 return; 2536 } 2537 wh = mtod(m, struct ieee80211_frame *); 2538 frm = (const u_int8_t *)&wh[1]; 2539 efrm = mtod(m, u_int8_t *) + m->m_len; 2540 2541 capinfo = LE_READ_2(frm); frm += 2; 2542 status = LE_READ_2(frm); frm += 2; 2543 if (status != IEEE80211_STATUS_SUCCESS) { 2544 if (ifp->if_flags & IFF_DEBUG) 2545 printf("%s: %sassociation failed (status %d)" 2546 " for %s\n", ifp->if_xname, 2547 reassoc ? "re" : "", 2548 status, ether_sprintf((u_int8_t *)wh->i_addr3)); 2549 if (ni != ic->ic_bss) 2550 ni->ni_fails++; 2551 ic->ic_stats.is_rx_auth_fail++; 2552 return; 2553 } 2554 associd = LE_READ_2(frm); frm += 2; 2555 2556 rates = xrates = edcaie = wmmie = htcaps = htop = NULL; 2557 while (frm + 2 <= efrm) { 2558 if (frm + 2 + frm[1] > efrm) { 2559 ic->ic_stats.is_rx_elem_toosmall++; 2560 break; 2561 } 2562 switch (frm[0]) { 2563 case IEEE80211_ELEMID_RATES: 2564 rates = frm; 2565 break; 2566 case IEEE80211_ELEMID_XRATES: 2567 xrates = frm; 2568 break; 2569 case IEEE80211_ELEMID_EDCAPARMS: 2570 edcaie = frm; 2571 break; 2572 case IEEE80211_ELEMID_HTCAPS: 2573 htcaps = frm; 2574 break; 2575 case IEEE80211_ELEMID_HTOP: 2576 htop = frm; 2577 break; 2578 case IEEE80211_ELEMID_VENDOR: 2579 if (frm[1] < 4) { 2580 ic->ic_stats.is_rx_elem_toosmall++; 2581 break; 2582 } 2583 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2584 if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1) 2585 wmmie = frm; 2586 } 2587 break; 2588 } 2589 frm += 2 + frm[1]; 2590 } 2591 /* supported rates element is mandatory */ 2592 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2593 DPRINTF(("invalid supported rates element\n")); 2594 return; 2595 } 2596 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2597 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2598 IEEE80211_F_DODEL); 2599 if (rate & IEEE80211_RATE_BASIC) { 2600 DPRINTF(("rate mismatch for %s\n", 2601 ether_sprintf((u_int8_t *)wh->i_addr2))); 2602 ic->ic_stats.is_rx_assoc_norate++; 2603 return; 2604 } 2605 ni->ni_capinfo = capinfo; 2606 ni->ni_associd = associd; 2607 if (edcaie != NULL || wmmie != NULL) { 2608 /* force update of EDCA parameters */ 2609 ic->ic_edca_updtcount = -1; 2610 2611 if ((edcaie != NULL && 2612 ieee80211_parse_edca_params(ic, edcaie) == 0) || 2613 (wmmie != NULL && 2614 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 2615 ni->ni_flags |= IEEE80211_NODE_QOS; 2616 else /* for Reassociation */ 2617 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2618 } 2619 if (htcaps) 2620 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2621 if (htop) 2622 ieee80211_setup_htop(ni, htop + 2, htop[1], 0); 2623 ieee80211_ht_negotiate(ic, ni); 2624 2625 /* Hop into 11n mode after associating to an HT AP in a non-11n mode. */ 2626 if (ni->ni_flags & IEEE80211_NODE_HT) 2627 ieee80211_setmode(ic, IEEE80211_MODE_11N); 2628 else 2629 ieee80211_setmode(ic, ieee80211_chan2mode(ic, ni->ni_chan)); 2630 /* 2631 * Reset the erp state (mostly the slot time) now that 2632 * our operating mode has been nailed down. 2633 */ 2634 ieee80211_reset_erp(ic); 2635 2636 /* 2637 * Configure state now that we are associated. 2638 */ 2639 if (ic->ic_curmode == IEEE80211_MODE_11A || 2640 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 2641 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2642 else 2643 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2644 2645 ieee80211_set_shortslottime(ic, 2646 ic->ic_curmode == IEEE80211_MODE_11A || 2647 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2648 /* 2649 * Honor ERP protection. 2650 */ 2651 if ((ic->ic_curmode == IEEE80211_MODE_11G || 2652 (ic->ic_curmode == IEEE80211_MODE_11N && 2653 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 2654 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2655 ic->ic_flags |= IEEE80211_F_USEPROT; 2656 else 2657 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2658 /* 2659 * If not an RSNA, mark the port as valid, otherwise wait for 2660 * 802.1X authentication and 4-way handshake to complete.. 2661 */ 2662 if (ic->ic_flags & IEEE80211_F_RSNON) { 2663 /* XXX ic->ic_mgt_timer = 5; */ 2664 ni->ni_rsn_supp_state = RSNA_SUPP_PTKSTART; 2665 } else if (ic->ic_flags & IEEE80211_F_WEPON) 2666 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 2667 2668 ieee80211_new_state(ic, IEEE80211_S_RUN, 2669 IEEE80211_FC0_SUBTYPE_ASSOC_RESP); 2670 } 2671 2672 /*- 2673 * Deauthentication frame format: 2674 * [2] Reason code 2675 */ 2676 void 2677 ieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m, 2678 struct ieee80211_node *ni) 2679 { 2680 const struct ieee80211_frame *wh; 2681 const u_int8_t *frm; 2682 u_int16_t reason; 2683 2684 /* make sure all mandatory fixed fields are present */ 2685 if (m->m_len < sizeof(*wh) + 2) { 2686 DPRINTF(("frame too short\n")); 2687 return; 2688 } 2689 wh = mtod(m, struct ieee80211_frame *); 2690 frm = (const u_int8_t *)&wh[1]; 2691 2692 reason = LE_READ_2(frm); 2693 2694 ic->ic_stats.is_rx_deauth++; 2695 switch (ic->ic_opmode) { 2696 case IEEE80211_M_STA: { 2697 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2698 ic->ic_state == IEEE80211_S_RUN); 2699 int stay_auth = ((ic->ic_userflags & IEEE80211_F_STAYAUTH) && 2700 ic->ic_state >= IEEE80211_S_AUTH); 2701 if (!(bgscan || stay_auth)) 2702 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2703 IEEE80211_FC0_SUBTYPE_DEAUTH); 2704 } 2705 break; 2706 #ifndef IEEE80211_STA_ONLY 2707 case IEEE80211_M_HOSTAP: 2708 if (ni != ic->ic_bss) { 2709 int stay_auth = 2710 ((ic->ic_userflags & IEEE80211_F_STAYAUTH) && 2711 (ni->ni_state == IEEE80211_STA_AUTH || 2712 ni->ni_state == IEEE80211_STA_ASSOC)); 2713 if (ic->ic_if.if_flags & IFF_DEBUG) 2714 printf("%s: station %s deauthenticated " 2715 "by peer (reason %d)\n", 2716 ic->ic_if.if_xname, 2717 ether_sprintf(ni->ni_macaddr), 2718 reason); 2719 if (!stay_auth) 2720 ieee80211_node_leave(ic, ni); 2721 } 2722 break; 2723 #endif 2724 default: 2725 break; 2726 } 2727 } 2728 2729 /*- 2730 * Disassociation frame format: 2731 * [2] Reason code 2732 */ 2733 void 2734 ieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m, 2735 struct ieee80211_node *ni) 2736 { 2737 const struct ieee80211_frame *wh; 2738 const u_int8_t *frm; 2739 u_int16_t reason; 2740 2741 /* make sure all mandatory fixed fields are present */ 2742 if (m->m_len < sizeof(*wh) + 2) { 2743 DPRINTF(("frame too short\n")); 2744 return; 2745 } 2746 wh = mtod(m, struct ieee80211_frame *); 2747 frm = (const u_int8_t *)&wh[1]; 2748 2749 reason = LE_READ_2(frm); 2750 2751 ic->ic_stats.is_rx_disassoc++; 2752 switch (ic->ic_opmode) { 2753 case IEEE80211_M_STA: { 2754 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2755 ic->ic_state == IEEE80211_S_RUN); 2756 if (!bgscan) /* ignore disassoc during bgscan */ 2757 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2758 IEEE80211_FC0_SUBTYPE_DISASSOC); 2759 } 2760 break; 2761 #ifndef IEEE80211_STA_ONLY 2762 case IEEE80211_M_HOSTAP: 2763 if (ni != ic->ic_bss) { 2764 if (ic->ic_if.if_flags & IFF_DEBUG) 2765 printf("%s: station %s disassociated " 2766 "by peer (reason %d)\n", 2767 ic->ic_if.if_xname, 2768 ether_sprintf(ni->ni_macaddr), 2769 reason); 2770 ieee80211_node_leave(ic, ni); 2771 } 2772 break; 2773 #endif 2774 default: 2775 break; 2776 } 2777 } 2778 2779 /*- 2780 * ADDBA Request frame format: 2781 * [1] Category 2782 * [1] Action 2783 * [1] Dialog Token 2784 * [2] Block Ack Parameter Set 2785 * [2] Block Ack Timeout Value 2786 * [2] Block Ack Starting Sequence Control 2787 */ 2788 void 2789 ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m, 2790 struct ieee80211_node *ni) 2791 { 2792 const struct ieee80211_frame *wh; 2793 const u_int8_t *frm; 2794 struct ieee80211_rx_ba *ba; 2795 u_int16_t params, ssn, bufsz, timeout; 2796 u_int8_t token, tid; 2797 int err = 0; 2798 2799 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2800 DPRINTF(("received ADDBA req from non-HT STA %s\n", 2801 ether_sprintf(ni->ni_macaddr))); 2802 return; 2803 } 2804 if (m->m_len < sizeof(*wh) + 9) { 2805 DPRINTF(("frame too short\n")); 2806 return; 2807 } 2808 /* MLME-ADDBA.indication */ 2809 wh = mtod(m, struct ieee80211_frame *); 2810 frm = (const u_int8_t *)&wh[1]; 2811 2812 token = frm[2]; 2813 params = LE_READ_2(&frm[3]); 2814 tid = ((params & IEEE80211_ADDBA_TID_MASK) >> 2815 IEEE80211_ADDBA_TID_SHIFT); 2816 bufsz = (params & IEEE80211_ADDBA_BUFSZ_MASK) >> 2817 IEEE80211_ADDBA_BUFSZ_SHIFT; 2818 timeout = LE_READ_2(&frm[5]); 2819 ssn = LE_READ_2(&frm[7]) >> 4; 2820 2821 ba = &ni->ni_rx_ba[tid]; 2822 /* The driver is still processing an ADDBA request for this tid. */ 2823 if (ba->ba_state == IEEE80211_BA_REQUESTED) 2824 return; 2825 /* If we are in the process of roaming between APs, ignore. */ 2826 if ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2827 (ic->ic_xflags & IEEE80211_F_TX_MGMT_ONLY)) 2828 return; 2829 /* check if we already have a Block Ack agreement for this RA/TID */ 2830 if (ba->ba_state == IEEE80211_BA_AGREED) { 2831 /* XXX should we update the timeout value? */ 2832 /* reset Block Ack inactivity timer */ 2833 if (ba->ba_timeout_val != 0) 2834 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2835 2836 /* check if it's a Protected Block Ack agreement */ 2837 if (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2838 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) 2839 return; /* not a PBAC, ignore */ 2840 2841 /* PBAC: treat the ADDBA Request like a BlockAckReq */ 2842 if (SEQ_LT(ba->ba_winstart, ssn)) { 2843 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 2844 ieee80211_ba_move_window(ic, ni, tid, ssn, &ml); 2845 if_input(&ic->ic_if, &ml); 2846 } 2847 return; 2848 } 2849 2850 /* if PBAC required but RA does not support it, refuse request */ 2851 if ((ic->ic_flags & IEEE80211_F_PBAR) && 2852 (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2853 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))) 2854 goto refuse; 2855 /* 2856 * If the TID for which the Block Ack agreement is requested is 2857 * configured with a no-ACK policy, refuse the agreement. 2858 */ 2859 if (ic->ic_tid_noack & (1 << tid)) 2860 goto refuse; 2861 2862 /* check that we support the requested Block Ack Policy */ 2863 if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) && 2864 !(params & IEEE80211_ADDBA_BA_POLICY)) 2865 goto refuse; 2866 2867 /* setup Block Ack agreement */ 2868 ba->ba_state = IEEE80211_BA_REQUESTED; 2869 ba->ba_timeout_val = timeout * IEEE80211_DUR_TU; 2870 ba->ba_ni = ni; 2871 ba->ba_token = token; 2872 timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba); 2873 timeout_set(&ba->ba_gap_to, ieee80211_input_ba_gap_timeout, ba); 2874 ba->ba_gapwait = 0; 2875 ba->ba_winsize = bufsz; 2876 if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ) 2877 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 2878 ba->ba_params = (params & IEEE80211_ADDBA_BA_POLICY); 2879 ba->ba_params |= ((ba->ba_winsize << IEEE80211_ADDBA_BUFSZ_SHIFT) | 2880 (tid << IEEE80211_ADDBA_TID_SHIFT)); 2881 ba->ba_params |= IEEE80211_ADDBA_AMSDU; 2882 ba->ba_winstart = ssn; 2883 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 2884 /* allocate and setup our reordering buffer */ 2885 ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf), 2886 M_DEVBUF, M_NOWAIT | M_ZERO); 2887 if (ba->ba_buf == NULL) 2888 goto refuse; 2889 2890 ba->ba_head = 0; 2891 2892 /* notify drivers of this new Block Ack agreement */ 2893 if (ic->ic_ampdu_rx_start != NULL) 2894 err = ic->ic_ampdu_rx_start(ic, ni, tid); 2895 if (err == EBUSY) { 2896 /* driver will accept or refuse agreement when done */ 2897 return; 2898 } else if (err) { 2899 /* driver failed to setup, rollback */ 2900 ieee80211_addba_req_refuse(ic, ni, tid); 2901 } else 2902 ieee80211_addba_req_accept(ic, ni, tid); 2903 return; 2904 2905 refuse: 2906 /* MLME-ADDBA.response */ 2907 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2908 IEEE80211_ACTION_ADDBA_RESP, 2909 IEEE80211_STATUS_REFUSED << 16 | token << 8 | tid); 2910 } 2911 2912 void 2913 ieee80211_addba_req_accept(struct ieee80211com *ic, struct ieee80211_node *ni, 2914 uint8_t tid) 2915 { 2916 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2917 2918 ba->ba_state = IEEE80211_BA_AGREED; 2919 ic->ic_stats.is_ht_rx_ba_agreements++; 2920 /* start Block Ack inactivity timer */ 2921 if (ba->ba_timeout_val != 0) 2922 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2923 2924 /* MLME-ADDBA.response */ 2925 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2926 IEEE80211_ACTION_ADDBA_RESP, 2927 IEEE80211_STATUS_SUCCESS << 16 | ba->ba_token << 8 | tid); 2928 } 2929 2930 void 2931 ieee80211_addba_req_refuse(struct ieee80211com *ic, struct ieee80211_node *ni, 2932 uint8_t tid) 2933 { 2934 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2935 2936 free(ba->ba_buf, M_DEVBUF, 2937 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 2938 ba->ba_buf = NULL; 2939 ba->ba_state = IEEE80211_BA_INIT; 2940 2941 /* MLME-ADDBA.response */ 2942 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2943 IEEE80211_ACTION_ADDBA_RESP, 2944 IEEE80211_STATUS_REFUSED << 16 | ba->ba_token << 8 | tid); 2945 } 2946 2947 /*- 2948 * ADDBA Response frame format: 2949 * [1] Category 2950 * [1] Action 2951 * [1] Dialog Token 2952 * [2] Status Code 2953 * [2] Block Ack Parameter Set 2954 * [2] Block Ack Timeout Value 2955 */ 2956 void 2957 ieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m, 2958 struct ieee80211_node *ni) 2959 { 2960 const struct ieee80211_frame *wh; 2961 const u_int8_t *frm; 2962 struct ieee80211_tx_ba *ba; 2963 u_int16_t status, params, bufsz, timeout; 2964 u_int8_t token, tid; 2965 int err = 0; 2966 2967 if (m->m_len < sizeof(*wh) + 9) { 2968 DPRINTF(("frame too short\n")); 2969 return; 2970 } 2971 wh = mtod(m, struct ieee80211_frame *); 2972 frm = (const u_int8_t *)&wh[1]; 2973 2974 token = frm[2]; 2975 status = LE_READ_2(&frm[3]); 2976 params = LE_READ_2(&frm[5]); 2977 tid = (params >> 2) & 0xf; 2978 bufsz = (params >> 6) & 0x3ff; 2979 timeout = LE_READ_2(&frm[7]); 2980 2981 DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n", 2982 ether_sprintf(ni->ni_macaddr), tid, status)); 2983 2984 /* 2985 * Ignore if no ADDBA request has been sent for this RA/TID or 2986 * if we already have a Block Ack agreement. 2987 */ 2988 ba = &ni->ni_tx_ba[tid]; 2989 if (ba->ba_state != IEEE80211_BA_REQUESTED) { 2990 DPRINTF(("no matching ADDBA req found\n")); 2991 return; 2992 } 2993 if (token != ba->ba_token) { 2994 DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n", 2995 ether_sprintf(ni->ni_macaddr), token, ba->ba_token)); 2996 return; 2997 } 2998 /* we got an ADDBA Response matching our request, stop timeout */ 2999 timeout_del(&ba->ba_to); 3000 3001 if (status != IEEE80211_STATUS_SUCCESS) { 3002 if (ni->ni_addba_req_intval[tid] < 3003 IEEE80211_ADDBA_REQ_INTVAL_MAX) 3004 ni->ni_addba_req_intval[tid]++; 3005 3006 ieee80211_addba_resp_refuse(ic, ni, tid, status); 3007 3008 /* 3009 * In case the peer believes there is an existing 3010 * block ack agreement with us, try to delete it. 3011 */ 3012 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 3013 IEEE80211_ACTION_DELBA, 3014 IEEE80211_REASON_SETUP_REQUIRED << 16 | 1 << 8 | tid); 3015 return; 3016 } 3017 3018 /* notify drivers of this new Block Ack agreement */ 3019 if (ic->ic_ampdu_tx_start != NULL) 3020 err = ic->ic_ampdu_tx_start(ic, ni, tid); 3021 3022 if (err == EBUSY) { 3023 /* driver will accept or refuse agreement when done */ 3024 return; 3025 } else if (err) { 3026 /* driver failed to setup, rollback */ 3027 ieee80211_addba_resp_refuse(ic, ni, tid, 3028 IEEE80211_STATUS_UNSPECIFIED); 3029 } else 3030 ieee80211_addba_resp_accept(ic, ni, tid); 3031 } 3032 3033 void 3034 ieee80211_addba_resp_accept(struct ieee80211com *ic, 3035 struct ieee80211_node *ni, uint8_t tid) 3036 { 3037 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 3038 3039 /* MLME-ADDBA.confirm(Success) */ 3040 ba->ba_state = IEEE80211_BA_AGREED; 3041 ic->ic_stats.is_ht_tx_ba_agreements++; 3042 3043 /* Reset ADDBA request interval. */ 3044 ni->ni_addba_req_intval[tid] = 1; 3045 3046 ni->ni_qos_txseqs[tid] = ba->ba_winstart; 3047 3048 /* start Block Ack inactivity timeout */ 3049 if (ba->ba_timeout_val != 0) 3050 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 3051 } 3052 3053 void 3054 ieee80211_addba_resp_refuse(struct ieee80211com *ic, 3055 struct ieee80211_node *ni, uint8_t tid, uint16_t status) 3056 { 3057 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 3058 3059 /* MLME-ADDBA.confirm(Failure) */ 3060 ba->ba_state = IEEE80211_BA_INIT; 3061 } 3062 3063 /*- 3064 * DELBA frame format: 3065 * [1] Category 3066 * [1] Action 3067 * [2] DELBA Parameter Set 3068 * [2] Reason Code 3069 */ 3070 void 3071 ieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m, 3072 struct ieee80211_node *ni) 3073 { 3074 const struct ieee80211_frame *wh; 3075 const u_int8_t *frm; 3076 u_int16_t params, reason; 3077 u_int8_t tid; 3078 int i; 3079 3080 if (m->m_len < sizeof(*wh) + 6) { 3081 DPRINTF(("frame too short\n")); 3082 return; 3083 } 3084 wh = mtod(m, struct ieee80211_frame *); 3085 frm = (const u_int8_t *)&wh[1]; 3086 3087 params = LE_READ_2(&frm[2]); 3088 reason = LE_READ_2(&frm[4]); 3089 tid = params >> 12; 3090 3091 DPRINTF(("received DELBA from %s, TID %d, reason %d\n", 3092 ether_sprintf(ni->ni_macaddr), tid, reason)); 3093 3094 if (params & IEEE80211_DELBA_INITIATOR) { 3095 /* MLME-DELBA.indication(Originator) */ 3096 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 3097 3098 if (ba->ba_state != IEEE80211_BA_AGREED) { 3099 DPRINTF(("no matching Block Ack agreement\n")); 3100 return; 3101 } 3102 /* notify drivers of the end of the Block Ack agreement */ 3103 if (ic->ic_ampdu_rx_stop != NULL) 3104 ic->ic_ampdu_rx_stop(ic, ni, tid); 3105 3106 ba->ba_state = IEEE80211_BA_INIT; 3107 /* stop Block Ack inactivity timer */ 3108 timeout_del(&ba->ba_to); 3109 timeout_del(&ba->ba_gap_to); 3110 ba->ba_gapwait = 0; 3111 3112 if (ba->ba_buf != NULL) { 3113 /* free all MSDUs stored in reordering buffer */ 3114 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 3115 m_freem(ba->ba_buf[i].m); 3116 /* free reordering buffer */ 3117 free(ba->ba_buf, M_DEVBUF, 3118 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 3119 ba->ba_buf = NULL; 3120 } 3121 } else { 3122 /* MLME-DELBA.indication(Recipient) */ 3123 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 3124 3125 if (ba->ba_state != IEEE80211_BA_AGREED) { 3126 DPRINTF(("no matching Block Ack agreement\n")); 3127 return; 3128 } 3129 /* notify drivers of the end of the Block Ack agreement */ 3130 if (ic->ic_ampdu_tx_stop != NULL) 3131 ic->ic_ampdu_tx_stop(ic, ni, tid); 3132 3133 ba->ba_state = IEEE80211_BA_INIT; 3134 /* stop Block Ack inactivity timer */ 3135 timeout_del(&ba->ba_to); 3136 } 3137 } 3138 3139 /*- 3140 * SA Query Request frame format: 3141 * [1] Category 3142 * [1] Action 3143 * [2] Transaction Identifier 3144 */ 3145 void 3146 ieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m, 3147 struct ieee80211_node *ni) 3148 { 3149 const struct ieee80211_frame *wh; 3150 const u_int8_t *frm; 3151 3152 if (ic->ic_opmode != IEEE80211_M_STA || 3153 !(ni->ni_flags & IEEE80211_NODE_MFP)) { 3154 DPRINTF(("unexpected SA Query req from %s\n", 3155 ether_sprintf(ni->ni_macaddr))); 3156 return; 3157 } 3158 if (m->m_len < sizeof(*wh) + 4) { 3159 DPRINTF(("frame too short\n")); 3160 return; 3161 } 3162 wh = mtod(m, struct ieee80211_frame *); 3163 frm = (const u_int8_t *)&wh[1]; 3164 3165 /* MLME-SAQuery.indication */ 3166 3167 /* save Transaction Identifier for SA Query Response */ 3168 ni->ni_sa_query_trid = LE_READ_2(&frm[2]); 3169 3170 /* MLME-SAQuery.response */ 3171 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 3172 IEEE80211_ACTION_SA_QUERY_RESP, 0); 3173 } 3174 3175 #ifndef IEEE80211_STA_ONLY 3176 /*- 3177 * SA Query Response frame format: 3178 * [1] Category 3179 * [1] Action 3180 * [2] Transaction Identifier 3181 */ 3182 void 3183 ieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m, 3184 struct ieee80211_node *ni) 3185 { 3186 const struct ieee80211_frame *wh; 3187 const u_int8_t *frm; 3188 3189 /* ignore if we're not engaged in an SA Query with that STA */ 3190 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 3191 DPRINTF(("unexpected SA Query resp from %s\n", 3192 ether_sprintf(ni->ni_macaddr))); 3193 return; 3194 } 3195 if (m->m_len < sizeof(*wh) + 4) { 3196 DPRINTF(("frame too short\n")); 3197 return; 3198 } 3199 wh = mtod(m, struct ieee80211_frame *); 3200 frm = (const u_int8_t *)&wh[1]; 3201 3202 /* check that Transaction Identifier matches */ 3203 if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) { 3204 DPRINTF(("transaction identifier does not match\n")); 3205 return; 3206 } 3207 /* MLME-SAQuery.confirm */ 3208 timeout_del(&ni->ni_sa_query_to); 3209 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 3210 } 3211 #endif 3212 3213 /*- 3214 * Action frame format: 3215 * [1] Category 3216 * [1] Action 3217 */ 3218 void 3219 ieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m, 3220 struct ieee80211_node *ni) 3221 { 3222 const struct ieee80211_frame *wh; 3223 const u_int8_t *frm; 3224 3225 if (m->m_len < sizeof(*wh) + 2) { 3226 DPRINTF(("frame too short\n")); 3227 return; 3228 } 3229 wh = mtod(m, struct ieee80211_frame *); 3230 frm = (const u_int8_t *)&wh[1]; 3231 3232 switch (frm[0]) { 3233 case IEEE80211_CATEG_BA: 3234 switch (frm[1]) { 3235 case IEEE80211_ACTION_ADDBA_REQ: 3236 ieee80211_recv_addba_req(ic, m, ni); 3237 break; 3238 case IEEE80211_ACTION_ADDBA_RESP: 3239 ieee80211_recv_addba_resp(ic, m, ni); 3240 break; 3241 case IEEE80211_ACTION_DELBA: 3242 ieee80211_recv_delba(ic, m, ni); 3243 break; 3244 } 3245 break; 3246 case IEEE80211_CATEG_SA_QUERY: 3247 switch (frm[1]) { 3248 case IEEE80211_ACTION_SA_QUERY_REQ: 3249 ieee80211_recv_sa_query_req(ic, m, ni); 3250 break; 3251 #ifndef IEEE80211_STA_ONLY 3252 case IEEE80211_ACTION_SA_QUERY_RESP: 3253 ieee80211_recv_sa_query_resp(ic, m, ni); 3254 break; 3255 #endif 3256 } 3257 break; 3258 default: 3259 DPRINTF(("action frame category %d not handled\n", frm[0])); 3260 break; 3261 } 3262 } 3263 3264 void 3265 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m, 3266 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype) 3267 { 3268 switch (subtype) { 3269 case IEEE80211_FC0_SUBTYPE_BEACON: 3270 ieee80211_recv_probe_resp(ic, m, ni, rxi, 0); 3271 break; 3272 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 3273 ieee80211_recv_probe_resp(ic, m, ni, rxi, 1); 3274 break; 3275 #ifndef IEEE80211_STA_ONLY 3276 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 3277 ieee80211_recv_probe_req(ic, m, ni, rxi); 3278 break; 3279 #endif 3280 case IEEE80211_FC0_SUBTYPE_AUTH: 3281 ieee80211_recv_auth(ic, m, ni, rxi); 3282 break; 3283 #ifndef IEEE80211_STA_ONLY 3284 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 3285 ieee80211_recv_assoc_req(ic, m, ni, rxi, 0); 3286 break; 3287 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 3288 ieee80211_recv_assoc_req(ic, m, ni, rxi, 1); 3289 break; 3290 #endif 3291 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 3292 ieee80211_recv_assoc_resp(ic, m, ni, 0); 3293 break; 3294 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 3295 ieee80211_recv_assoc_resp(ic, m, ni, 1); 3296 break; 3297 case IEEE80211_FC0_SUBTYPE_DEAUTH: 3298 ieee80211_recv_deauth(ic, m, ni); 3299 break; 3300 case IEEE80211_FC0_SUBTYPE_DISASSOC: 3301 ieee80211_recv_disassoc(ic, m, ni); 3302 break; 3303 case IEEE80211_FC0_SUBTYPE_ACTION: 3304 ieee80211_recv_action(ic, m, ni); 3305 break; 3306 default: 3307 DPRINTF(("mgmt frame with subtype 0x%x not handled\n", 3308 subtype)); 3309 ic->ic_stats.is_rx_badsubtype++; 3310 break; 3311 } 3312 } 3313 3314 #ifndef IEEE80211_STA_ONLY 3315 /* 3316 * Process an incoming PS-Poll control frame (see 11.2). 3317 */ 3318 void 3319 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m, 3320 struct ieee80211_node *ni) 3321 { 3322 struct ifnet *ifp = &ic->ic_if; 3323 struct ieee80211_frame_pspoll *psp; 3324 struct ieee80211_frame *wh; 3325 u_int16_t aid; 3326 3327 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 3328 !(ic->ic_caps & IEEE80211_C_APPMGT) || 3329 ni->ni_state != IEEE80211_STA_ASSOC) 3330 return; 3331 3332 if (m->m_len < sizeof(*psp)) { 3333 DPRINTF(("frame too short, len %u\n", m->m_len)); 3334 ic->ic_stats.is_rx_tooshort++; 3335 return; 3336 } 3337 psp = mtod(m, struct ieee80211_frame_pspoll *); 3338 if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) { 3339 DPRINTF(("discard pspoll frame to BSS %s\n", 3340 ether_sprintf(psp->i_bssid))); 3341 ic->ic_stats.is_rx_wrongbss++; 3342 return; 3343 } 3344 aid = letoh16(*(u_int16_t *)psp->i_aid); 3345 if (aid != ni->ni_associd) { 3346 DPRINTF(("invalid pspoll aid %x from %s\n", aid, 3347 ether_sprintf(psp->i_ta))); 3348 return; 3349 } 3350 3351 /* take the first queued frame and put it out.. */ 3352 m = mq_dequeue(&ni->ni_savedq); 3353 if (m == NULL) 3354 return; 3355 if (mq_empty(&ni->ni_savedq)) { 3356 /* last queued frame, turn off the TIM bit */ 3357 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 3358 } else { 3359 /* more queued frames, set the more data bit */ 3360 wh = mtod(m, struct ieee80211_frame *); 3361 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 3362 } 3363 mq_enqueue(&ic->ic_pwrsaveq, m); 3364 if_start(ifp); 3365 } 3366 #endif /* IEEE80211_STA_ONLY */ 3367 3368 /* 3369 * Process an incoming BlockAckReq control frame (see 7.2.1.7). 3370 */ 3371 void 3372 ieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m, 3373 struct ieee80211_node *ni) 3374 { 3375 const struct ieee80211_frame_min *wh; 3376 const u_int8_t *frm; 3377 u_int16_t ctl, ssn; 3378 u_int8_t tid, ntids; 3379 3380 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 3381 DPRINTF(("received BlockAckReq from non-HT STA %s\n", 3382 ether_sprintf(ni->ni_macaddr))); 3383 return; 3384 } 3385 if (m->m_len < sizeof(*wh) + 4) { 3386 DPRINTF(("frame too short\n")); 3387 return; 3388 } 3389 wh = mtod(m, struct ieee80211_frame_min *); 3390 frm = (const u_int8_t *)&wh[1]; 3391 3392 /* read BlockAckReq Control field */ 3393 ctl = LE_READ_2(&frm[0]); 3394 tid = ctl >> 12; 3395 3396 /* determine BlockAckReq frame variant */ 3397 if (ctl & IEEE80211_BA_MULTI_TID) { 3398 /* Multi-TID BlockAckReq variant (PSMP only) */ 3399 ntids = tid + 1; 3400 3401 if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) { 3402 DPRINTF(("MTBAR frame too short\n")); 3403 return; 3404 } 3405 frm += 2; /* skip BlockAckReq Control field */ 3406 while (ntids-- > 0) { 3407 /* read MTBAR Information field */ 3408 tid = LE_READ_2(&frm[0]) >> 12; 3409 ssn = LE_READ_2(&frm[2]) >> 4; 3410 ieee80211_bar_tid(ic, ni, tid, ssn); 3411 frm += 4; 3412 } 3413 } else { 3414 /* Basic or Compressed BlockAckReq variants */ 3415 ssn = LE_READ_2(&frm[2]) >> 4; 3416 ieee80211_bar_tid(ic, ni, tid, ssn); 3417 } 3418 } 3419 3420 /* 3421 * Process a BlockAckReq for a specific TID (see 9.10.7.6.3). 3422 * This is the common back-end for all BlockAckReq frame variants. 3423 */ 3424 void 3425 ieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni, 3426 u_int8_t tid, u_int16_t ssn) 3427 { 3428 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 3429 3430 /* check if we have a Block Ack agreement for RA/TID */ 3431 if (ba->ba_state != IEEE80211_BA_AGREED) { 3432 /* XXX not sure in PBAC case */ 3433 /* send a DELBA with reason code UNKNOWN-BA */ 3434 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 3435 IEEE80211_ACTION_DELBA, 3436 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 3437 return; 3438 } 3439 /* check if it is a Protected Block Ack agreement */ 3440 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 3441 (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) { 3442 /* ADDBA Requests must be used in PBAC case */ 3443 if (SEQ_LT(ssn, ba->ba_winstart) || 3444 SEQ_LT(ba->ba_winend, ssn)) 3445 ic->ic_stats.is_pbac_errs++; 3446 return; /* PBAC, do not move window */ 3447 } 3448 /* reset Block Ack inactivity timer */ 3449 if (ba->ba_timeout_val != 0) 3450 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 3451 3452 if (SEQ_LT(ba->ba_winstart, ssn)) { 3453 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 3454 ieee80211_ba_move_window(ic, ni, tid, ssn, &ml); 3455 if_input(&ic->ic_if, &ml); 3456 } 3457 } 3458