sys/net80211/ieee80211_input.c

*7aeb1bc9Sstsp/*	$OpenBSD: ieee80211_input.c,v 1.254 2024/05/23 11:19:13 stsp Exp $	*/
b16bc2beSdaniel/*	$NetBSD: ieee80211_input.c,v 1.24 2004/05/31 11:12:24 dyoung Exp $	*/
e03e709cSdamien
91b2158bSmillert/*-
91b2158bSmillert * Copyright (c) 2001 Atsushi Onoe
91b2158bSmillert * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
45eec175Sdamien * Copyright (c) 2007-2009 Damien Bergamini
91b2158bSmillert * All rights reserved.
91b2158bSmillert *
91b2158bSmillert * Redistribution and use in source and binary forms, with or without
91b2158bSmillert * modification, are permitted provided that the following conditions
91b2158bSmillert * are met:
91b2158bSmillert * 1. Redistributions of source code must retain the above copyright
91b2158bSmillert *    notice, this list of conditions and the following disclaimer.
91b2158bSmillert * 2. Redistributions in binary form must reproduce the above copyright
91b2158bSmillert *    notice, this list of conditions and the following disclaimer in the
91b2158bSmillert *    documentation and/or other materials provided with the distribution.
91b2158bSmillert * 3. The name of the author may not be used to endorse or promote products
91b2158bSmillert *    derived from this software without specific prior written permission.
91b2158bSmillert *
91b2158bSmillert * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
91b2158bSmillert * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
91b2158bSmillert * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
91b2158bSmillert * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
91b2158bSmillert * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
91b2158bSmillert * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
91b2158bSmillert * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
91b2158bSmillert * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
91b2158bSmillert * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
91b2158bSmillert * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
91b2158bSmillert */
91b2158bSmillert
91b2158bSmillert#include "bpfilter.h"
91b2158bSmillert
91b2158bSmillert#include <sys/param.h>
91b2158bSmillert#include <sys/systm.h>
91b2158bSmillert#include <sys/mbuf.h>
91b2158bSmillert#include <sys/malloc.h>
91b2158bSmillert#include <sys/kernel.h>
91b2158bSmillert#include <sys/socket.h>
91b2158bSmillert#include <sys/sockio.h>
91b2158bSmillert#include <sys/endian.h>
91b2158bSmillert#include <sys/errno.h>
91b2158bSmillert#include <sys/sysctl.h>
a1d10fefSblambert#include <sys/task.h>
91b2158bSmillert
91b2158bSmillert#include <net/if.h>
91b2158bSmillert#include <net/if_dl.h>
91b2158bSmillert#include <net/if_media.h>
91b2158bSmillert#include <net/if_llc.h>
91b2158bSmillert
91b2158bSmillert#if NBPFILTER > 0
91b2158bSmillert#include <net/bpf.h>
91b2158bSmillert#endif
91b2158bSmillert
91b2158bSmillert#include <netinet/in.h>
91b2158bSmillert#include <netinet/if_ether.h>
91b2158bSmillert
91b2158bSmillert#include <net80211/ieee80211_var.h>
6aaa29faSdamien#include <net80211/ieee80211_priv.h>
91b2158bSmillert
e995d523Sstspstruct	mbuf *ieee80211_input_hwdecrypt(struct ieee80211com *,
ccc2d1c4Sstsp	    struct ieee80211_node *, struct mbuf *,
ccc2d1c4Sstsp	    struct ieee80211_rxinfo *rxi);
0c2a2ba1Sdamienstruct	mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int);
0c2a2ba1Sdamienvoid	ieee80211_defrag_timeout(void *);
20fce2ddSstspvoid	ieee80211_input_ba(struct ieee80211com *, struct mbuf *,
8fbaf8a2Sstsp	    struct ieee80211_node *, int, struct ieee80211_rxinfo *,
8fbaf8a2Sstsp	    struct mbuf_list *);
20fce2ddSstspvoid	ieee80211_input_ba_flush(struct ieee80211com *, struct ieee80211_node *,
8fbaf8a2Sstsp	    struct ieee80211_rx_ba *, struct mbuf_list *);
20599cf9Sstspint	ieee80211_input_ba_gap_skip(struct ieee80211_rx_ba *);
20fce2ddSstspvoid	ieee80211_input_ba_gap_timeout(void *arg);
45eec175Sdamienvoid	ieee80211_ba_move_window(struct ieee80211com *,
8fbaf8a2Sstsp	    struct ieee80211_node *, u_int8_t, u_int16_t, struct mbuf_list *);
2bfbd258Sstspvoid	ieee80211_input_ba_seq(struct ieee80211com *,
8fbaf8a2Sstsp	    struct ieee80211_node *, uint8_t, uint16_t, struct mbuf_list *);
45eec175Sdamienvoid	ieee80211_decap(struct ieee80211com *, struct mbuf *,
8fbaf8a2Sstsp	    struct ieee80211_node *, int, struct mbuf_list *);
e12e039eSstspint	ieee80211_amsdu_decap_validate(struct ieee80211com *, struct mbuf *,
e12e039eSstsp	    struct ieee80211_node *);
45eec175Sdamienvoid	ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *,
8fbaf8a2Sstsp	    struct ieee80211_node *, int, struct mbuf_list *);
8fbaf8a2Sstspvoid	ieee80211_enqueue_data(struct ieee80211com *, struct mbuf *,
8fbaf8a2Sstsp	    struct ieee80211_node *, int, struct mbuf_list *);
2d5bc21cSdamienint	ieee80211_parse_edca_params_body(struct ieee80211com *,
ab235185Sdamien	    const u_int8_t *);
ab235185Sdamienint	ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *);
ab235185Sdamienint	ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *);
04cdc2f2Spatrickenum	ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t *);
04cdc2f2Spatrickenum	ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t *);
e03e709cSdamienint	ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *,
e03e709cSdamien	    u_int, struct ieee80211_rsnparams *);
b3a42803Sdamienint	ieee80211_save_ie(const u_int8_t *, u_int8_t **);
9e9787ffSdamienvoid	ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *,
30d05aacSdamien	    struct ieee80211_node *, struct ieee80211_rxinfo *, int);
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
9e9787ffSdamienvoid	ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *,
30d05aacSdamien	    struct ieee80211_node *, struct ieee80211_rxinfo *);
171ac09aSdamien#endif
9e9787ffSdamienvoid	ieee80211_recv_auth(struct ieee80211com *, struct mbuf *,
30d05aacSdamien	    struct ieee80211_node *, struct ieee80211_rxinfo *);
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
9e9787ffSdamienvoid	ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *,
30d05aacSdamien	    struct ieee80211_node *, struct ieee80211_rxinfo *, int);
171ac09aSdamien#endif
9e9787ffSdamienvoid	ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *,
e03e709cSdamien	    struct ieee80211_node *, int);
9e9787ffSdamienvoid	ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *,
e03e709cSdamien	    struct ieee80211_node *);
9e9787ffSdamienvoid	ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *,
e03e709cSdamien	    struct ieee80211_node *);
45eec175Sdamienvoid	ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *,
45eec175Sdamien	    struct ieee80211_node *);
45eec175Sdamienvoid	ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *,
45eec175Sdamien	    struct ieee80211_node *);
45eec175Sdamienvoid	ieee80211_recv_delba(struct ieee80211com *, struct mbuf *,
45eec175Sdamien	    struct ieee80211_node *);
45eec175Sdamienvoid	ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *,
45eec175Sdamien	    struct ieee80211_node *);
45eec175Sdamien#ifndef IEEE80211_STA_ONLY
45eec175Sdamienvoid	ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *,
45eec175Sdamien	    struct ieee80211_node *);
45eec175Sdamien#endif
fcdd546dSdamienvoid	ieee80211_recv_action(struct ieee80211com *, struct mbuf *,
fcdd546dSdamien	    struct ieee80211_node *);
45eec175Sdamien#ifndef IEEE80211_STA_ONLY
45eec175Sdamienvoid	ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *,
45eec175Sdamien	    struct ieee80211_node *);
45eec175Sdamien#endif
45eec175Sdamienvoid	ieee80211_recv_bar(struct ieee80211com *, struct mbuf *,
45eec175Sdamien	    struct ieee80211_node *);
45eec175Sdamienvoid	ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *,
45eec175Sdamien	    u_int8_t, u_int16_t);
a1d10fefSblambert
91b2158bSmillert/*
45eec175Sdamien * Retrieve the length in bytes of an 802.11 header.
27d2383aSdamien */
27d2383aSdamienu_int
b4e72b72Sdamienieee80211_get_hdrlen(const struct ieee80211_frame *wh)
27d2383aSdamien{
b4e72b72Sdamien	u_int size = sizeof(*wh);
27d2383aSdamien
b4e72b72Sdamien	/* NB: does not work with control frames */
b4e72b72Sdamien	KASSERT(ieee80211_has_seq(wh));
27d2383aSdamien
b4e72b72Sdamien	if (ieee80211_has_addr4(wh))
27d2383aSdamien		size += IEEE80211_ADDR_LEN;	/* i_addr4 */
b4e72b72Sdamien	if (ieee80211_has_qos(wh))
27d2383aSdamien		size += sizeof(u_int16_t);	/* i_qos */
b4e72b72Sdamien	if (ieee80211_has_htc(wh))
27d2383aSdamien		size += sizeof(u_int32_t);	/* i_ht */
27d2383aSdamien	return size;
27d2383aSdamien}
27d2383aSdamien
e995d523Sstsp/* Post-processing for drivers which perform decryption in hardware. */
e995d523Sstspstruct mbuf *
e995d523Sstspieee80211_input_hwdecrypt(struct ieee80211com *ic, struct ieee80211_node *ni,
ccc2d1c4Sstsp    struct mbuf *m, struct ieee80211_rxinfo *rxi)
e995d523Sstsp{
e995d523Sstsp	struct ieee80211_key *k;
e995d523Sstsp	struct ieee80211_frame *wh;
e995d523Sstsp	uint64_t pn, *prsc;
e995d523Sstsp	int hdrlen;
e995d523Sstsp
e995d523Sstsp	k = ieee80211_get_rxkey(ic, m, ni);
e995d523Sstsp	if (k == NULL)
e995d523Sstsp		return NULL;
e995d523Sstsp
e995d523Sstsp	wh = mtod(m, struct ieee80211_frame *);
e995d523Sstsp	hdrlen = ieee80211_get_hdrlen(wh);
e995d523Sstsp
e995d523Sstsp	/*
e995d523Sstsp	 * Update the last-seen packet number (PN) for drivers using hardware
e995d523Sstsp	 * crypto offloading. This cannot be done by drivers because A-MPDU
e995d523Sstsp	 * reordering needs to occur before a valid lower bound can be
e995d523Sstsp	 * determined for the PN. Drivers will read the PN we write here and
e995d523Sstsp	 * are expected to discard replayed frames based on it.
e995d523Sstsp	 * Drivers are expected to leave the IV of decrypted frames intact
e995d523Sstsp	 * so we can update the last-seen PN and strip the IV here.
e995d523Sstsp	 */
e995d523Sstsp	switch (k->k_cipher) {
e995d523Sstsp	case IEEE80211_CIPHER_CCMP:
e995d523Sstsp		if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) {
6b204e2aSstsp			/*
6b204e2aSstsp			 * If the protected bit is clear then hardware has
6b204e2aSstsp			 * stripped the IV and we must trust that it handles
6b204e2aSstsp			 * replay detection correctly.
6b204e2aSstsp			 */
6b204e2aSstsp			break;
e995d523Sstsp		}
*7aeb1bc9Sstsp		if (ieee80211_ccmp_get_pn(&pn, &prsc, m, k) != 0) {
*7aeb1bc9Sstsp			ic->ic_stats.is_ccmp_dec_errs++;
e995d523Sstsp			return NULL;
*7aeb1bc9Sstsp		}
ccc2d1c4Sstsp		if (rxi->rxi_flags & IEEE80211_RXI_HWDEC_SAME_PN) {
ccc2d1c4Sstsp			if (pn < *prsc) {
ccc2d1c4Sstsp				ic->ic_stats.is_ccmp_replays++;
ccc2d1c4Sstsp				return NULL;
ccc2d1c4Sstsp			}
ccc2d1c4Sstsp		} else if (pn <= *prsc) {
e995d523Sstsp			ic->ic_stats.is_ccmp_replays++;
e995d523Sstsp			return NULL;
e995d523Sstsp		}
e995d523Sstsp
e995d523Sstsp		/* Update last-seen packet number. */
e995d523Sstsp		*prsc = pn;
e995d523Sstsp
e995d523Sstsp		/* Clear Protected bit and strip IV. */
e995d523Sstsp		wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
e995d523Sstsp		memmove(mtod(m, caddr_t) + IEEE80211_CCMP_HDRLEN, wh, hdrlen);
e995d523Sstsp		m_adj(m, IEEE80211_CCMP_HDRLEN);
e995d523Sstsp		/* Drivers are expected to strip the MIC. */
e995d523Sstsp		break;
e995d523Sstsp	 case IEEE80211_CIPHER_TKIP:
e995d523Sstsp		if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) {
6b204e2aSstsp			/*
6b204e2aSstsp			 * If the protected bit is clear then hardware has
6b204e2aSstsp			 * stripped the IV and we must trust that it handles
6b204e2aSstsp			 * replay detection correctly.
6b204e2aSstsp			 */
6b204e2aSstsp			break;
e995d523Sstsp		}
e995d523Sstsp		if (ieee80211_tkip_get_tsc(&pn, &prsc, m, k) != 0)
e995d523Sstsp			return NULL;
ccc2d1c4Sstsp		if (rxi->rxi_flags & IEEE80211_RXI_HWDEC_SAME_PN) {
ccc2d1c4Sstsp			if (pn < *prsc) {
ccc2d1c4Sstsp				ic->ic_stats.is_tkip_replays++;
ccc2d1c4Sstsp				return NULL;
ccc2d1c4Sstsp			}
ccc2d1c4Sstsp		} else if (pn <= *prsc) {
e995d523Sstsp			ic->ic_stats.is_tkip_replays++;
e995d523Sstsp			return NULL;
e995d523Sstsp		}
e995d523Sstsp
e995d523Sstsp		/* Update last-seen packet number. */
e995d523Sstsp		*prsc = pn;
e995d523Sstsp
e995d523Sstsp		/* Clear Protected bit and strip IV. */
e995d523Sstsp		wh = mtod(m, struct ieee80211_frame *);
e995d523Sstsp		wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
e995d523Sstsp		memmove(mtod(m, caddr_t) + IEEE80211_TKIP_HDRLEN, wh, hdrlen);
e995d523Sstsp		m_adj(m, IEEE80211_TKIP_HDRLEN);
e995d523Sstsp		/* Drivers are expected to strip the MIC. */
e995d523Sstsp		break;
e995d523Sstsp	default:
e995d523Sstsp		break;
e995d523Sstsp	}
e995d523Sstsp
e995d523Sstsp	return m;
e995d523Sstsp}
e995d523Sstsp
27d2383aSdamien/*
91b2158bSmillert * Process a received frame.  The node associated with the sender
91b2158bSmillert * should be supplied.  If nothing was found in the node table then
91b2158bSmillert * the caller is assumed to supply a reference to ic_bss instead.
91b2158bSmillert * The RSSI and a timestamp are also supplied.  The RSSI data is used
91b2158bSmillert * during AP scanning to select a AP to associate with; it can have
91b2158bSmillert * any units so long as values have consistent units and higher values
91b2158bSmillert * mean ``better signal''.  The receive timestamp is currently not used
91b2158bSmillert * by the 802.11 layer.
8fbaf8a2Sstsp *
8fbaf8a2Sstsp * This function acts on management frames immediately and queues data frames
8fbaf8a2Sstsp * on the specified mbuf list. Delivery of queued data frames to upper layers
8fbaf8a2Sstsp * must be triggered with if_input(). Drivers should call if_input() only once
8fbaf8a2Sstsp * per Rx interrupt to avoid triggering the input ifq pressure drop mechanism
8fbaf8a2Sstsp * unnecessarily.
91b2158bSmillert */
91b2158bSmillertvoid
8fbaf8a2Sstspieee80211_inputm(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni,
8fbaf8a2Sstsp    struct ieee80211_rxinfo *rxi, struct mbuf_list *ml)
91b2158bSmillert{
91b2158bSmillert	struct ieee80211com *ic = (void *)ifp;
91b2158bSmillert	struct ieee80211_frame *wh;
45eec175Sdamien	u_int16_t *orxseq, nrxseq, qos;
aea3374dSdamien	u_int8_t dir, type, subtype, tid;
45eec175Sdamien	int hdrlen, hasqos;
91b2158bSmillert
45eec175Sdamien	KASSERT(ni != NULL);
45eec175Sdamien
361aed72Sdamien	/* in monitor mode, send everything directly to bpf */
159c9b61Sdamien	if (ic->ic_opmode == IEEE80211_M_MONITOR)
91b2158bSmillert		goto out;
91b2158bSmillert
361aed72Sdamien	/*
361aed72Sdamien	 * Do not process frames without an Address 2 field any further.
361aed72Sdamien	 * Only CTS and ACK control frames do not have this field.
361aed72Sdamien	 */
361aed72Sdamien	if (m->m_len < sizeof(struct ieee80211_frame_min)) {
361aed72Sdamien		DPRINTF(("frame too short, len %u\n", m->m_len));
159c9b61Sdamien		ic->ic_stats.is_rx_tooshort++;
159c9b61Sdamien		goto out;
159c9b61Sdamien	}
159c9b61Sdamien
91b2158bSmillert	wh = mtod(m, struct ieee80211_frame *);
91b2158bSmillert	if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
91b2158bSmillert	    IEEE80211_FC0_VERSION_0) {
361aed72Sdamien		DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0]));
91b2158bSmillert		ic->ic_stats.is_rx_badversion++;
91b2158bSmillert		goto err;
91b2158bSmillert	}
91b2158bSmillert
91b2158bSmillert	dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
91b2158bSmillert	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
83c6196dSstsp	subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
fb4c23fcSdamien
361aed72Sdamien	if (type != IEEE80211_FC0_TYPE_CTL) {
361aed72Sdamien		hdrlen = ieee80211_get_hdrlen(wh);
361aed72Sdamien		if (m->m_len < hdrlen) {
361aed72Sdamien			DPRINTF(("frame too short, len %u\n", m->m_len));
91b2158bSmillert			ic->ic_stats.is_rx_tooshort++;
962c982dSdamien			goto err;
361aed72Sdamien		}
c8010ca2Stobhe	} else
c8010ca2Stobhe		hdrlen = 0;
45eec175Sdamien	if ((hasqos = ieee80211_has_qos(wh))) {
45eec175Sdamien		qos = ieee80211_get_qos(wh);
45eec175Sdamien		tid = qos & IEEE80211_QOS_TID;
3dc83bf9Shaesbaert	} else {
3dc83bf9Shaesbaert		qos = 0;
3dc83bf9Shaesbaert		tid = 0;
45eec175Sdamien	}
45eec175Sdamien
f330c64aSstsp	if (ic->ic_state == IEEE80211_S_RUN &&
f330c64aSstsp	    type == IEEE80211_FC0_TYPE_DATA && hasqos &&
94b1ed4eSstsp	    (subtype & IEEE80211_FC0_SUBTYPE_NODATA) == 0 &&
f330c64aSstsp	    !(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE)
f330c64aSstsp#ifndef IEEE80211_STA_ONLY
f330c64aSstsp	    && (ic->ic_opmode == IEEE80211_M_STA || ni != ic->ic_bss)
f330c64aSstsp#endif
f330c64aSstsp	    ) {
633cd82cSstsp		int ba_state = ni->ni_rx_ba[tid].ba_state;
633cd82cSstsp
f330c64aSstsp#ifndef IEEE80211_STA_ONLY
f330c64aSstsp		if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
f330c64aSstsp			if (!IEEE80211_ADDR_EQ(wh->i_addr1,
f330c64aSstsp			    ic->ic_bss->ni_bssid)) {
f330c64aSstsp				ic->ic_stats.is_rx_wrongbss++;
f330c64aSstsp				goto err;
f330c64aSstsp			}
f330c64aSstsp			if (ni->ni_state != IEEE80211_S_ASSOC) {
f330c64aSstsp				ic->ic_stats.is_rx_notassoc++;
f330c64aSstsp				goto err;
f330c64aSstsp			}
f330c64aSstsp		}
f330c64aSstsp#endif
633cd82cSstsp		/*
633cd82cSstsp		 * If Block Ack was explicitly requested, check
633cd82cSstsp		 * if we have a BA agreement for this RA/TID.
633cd82cSstsp		 */
633cd82cSstsp		if ((qos & IEEE80211_QOS_ACK_POLICY_MASK) ==
633cd82cSstsp		    IEEE80211_QOS_ACK_POLICY_BA &&
633cd82cSstsp		    ba_state != IEEE80211_BA_AGREED) {
633cd82cSstsp			DPRINTF(("no BA agreement for %s, TID %d\n",
633cd82cSstsp			    ether_sprintf(ni->ni_macaddr), tid));
633cd82cSstsp			/* send a DELBA with reason code UNKNOWN-BA */
633cd82cSstsp			IEEE80211_SEND_ACTION(ic, ni,
633cd82cSstsp			    IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA,
633cd82cSstsp			    IEEE80211_REASON_SETUP_REQUIRED << 16 | tid);
633cd82cSstsp			goto err;
633cd82cSstsp		}
633cd82cSstsp
633cd82cSstsp		/*
633cd82cSstsp		 * Check if we have an explicit or implicit
633cd82cSstsp		 * Block Ack Request for a valid BA agreement.
633cd82cSstsp		 */
633cd82cSstsp		if (ba_state == IEEE80211_BA_AGREED &&
633cd82cSstsp		    ((qos & IEEE80211_QOS_ACK_POLICY_MASK) ==
633cd82cSstsp		    IEEE80211_QOS_ACK_POLICY_BA ||
633cd82cSstsp		    (qos & IEEE80211_QOS_ACK_POLICY_MASK) ==
633cd82cSstsp		    IEEE80211_QOS_ACK_POLICY_NORMAL)) {
633cd82cSstsp			/* go through A-MPDU reordering */
8fbaf8a2Sstsp			ieee80211_input_ba(ic, m, ni, tid, rxi, ml);
633cd82cSstsp			return;	/* don't free m! */
19817d19Stobhe		} else if (ba_state == IEEE80211_BA_REQUESTED &&
19817d19Stobhe		    (qos & IEEE80211_QOS_ACK_POLICY_MASK) ==
19817d19Stobhe		    IEEE80211_QOS_ACK_POLICY_NORMAL) {
19817d19Stobhe			/*
19817d19Stobhe			 * Apparently, qos frames for a tid where a
19817d19Stobhe			 * block ack agreement was requested but not
19817d19Stobhe			 * yet confirmed by us should still contribute
19817d19Stobhe			 * to the sequence number for this tid.
19817d19Stobhe			 */
19817d19Stobhe			ieee80211_input_ba(ic, m, ni, tid, rxi, ml);
19817d19Stobhe			return;	/* don't free m! */
633cd82cSstsp		}
633cd82cSstsp	}
633cd82cSstsp
fe5684e3Sstsp	/*
fe5684e3Sstsp	 * We do not yet support fragments. Drop any fragmented packets.
fe5684e3Sstsp	 * Counter-measure against attacks where an arbitrary packet is
fe5684e3Sstsp	 * injected via a fragment with attacker-controlled content.
fe5684e3Sstsp	 * See https://papers.mathyvanhoef.com/usenix2021.pdf
fe5684e3Sstsp	 * Section 6.8 "Treating fragments as full frames"
fe5684e3Sstsp	 */
fe5684e3Sstsp	if (ieee80211_has_seq(wh)) {
fe5684e3Sstsp		uint16_t rxseq = letoh16(*(const u_int16_t *)wh->i_seq);
fe5684e3Sstsp		if ((wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) ||
fe5684e3Sstsp		    (rxseq & IEEE80211_SEQ_FRAG_MASK))
fe5684e3Sstsp			goto err;
fe5684e3Sstsp	}
fe5684e3Sstsp
45eec175Sdamien	/* duplicate detection (see 9.2.9) */
b4e72b72Sdamien	if (ieee80211_has_seq(wh) &&
b4e72b72Sdamien	    ic->ic_state != IEEE80211_S_SCAN) {
361aed72Sdamien		nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >>
361aed72Sdamien		    IEEE80211_SEQ_SEQ_SHIFT;
45eec175Sdamien		if (hasqos)
361aed72Sdamien			orxseq = &ni->ni_qos_rxseqs[tid];
45eec175Sdamien		else
361aed72Sdamien			orxseq = &ni->ni_rxseq;
ccc2d1c4Sstsp		if (rxi->rxi_flags & IEEE80211_RXI_SAME_SEQ) {
ccc2d1c4Sstsp			if (nrxseq != *orxseq) {
ccc2d1c4Sstsp				/* duplicate, silently discarded */
ccc2d1c4Sstsp				ic->ic_stats.is_rx_dup++;
ccc2d1c4Sstsp				goto out;
ccc2d1c4Sstsp			}
ccc2d1c4Sstsp		} else if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
361aed72Sdamien		    nrxseq == *orxseq) {
361aed72Sdamien			/* duplicate, silently discarded */
361aed72Sdamien			ic->ic_stats.is_rx_dup++;
0fd4e251Sreyk			goto out;
91b2158bSmillert		}
361aed72Sdamien		*orxseq = nrxseq;
361aed72Sdamien	}
c0bda930Sstsp	if (ic->ic_state > IEEE80211_S_SCAN) {
30d05aacSdamien		ni->ni_rssi = rxi->rxi_rssi;
30d05aacSdamien		ni->ni_rstamp = rxi->rxi_tstamp;
91b2158bSmillert		ni->ni_inact = 0;
06e069b5Sstsp
de9919e2Sstsp		if (ic->ic_state == IEEE80211_S_RUN && ic->ic_bgscan_start) {
06e069b5Sstsp			/* Cancel or start background scan based on RSSI. */
06e069b5Sstsp			if ((*ic->ic_node_checkrssi)(ic, ni))
06e069b5Sstsp				timeout_del(&ic->ic_bgscan_timeout);
06e069b5Sstsp			else if (!timeout_pending(&ic->ic_bgscan_timeout) &&
cc580788Sstsp			    (ic->ic_flags & IEEE80211_F_BGSCAN) == 0 &&
cc580788Sstsp			    (ic->ic_flags & IEEE80211_F_DESBSSID) == 0)
06e069b5Sstsp				timeout_add_msec(&ic->ic_bgscan_timeout,
06e069b5Sstsp				    500 * (ic->ic_bgscan_fail + 1));
91b2158bSmillert		}
c0bda930Sstsp	}
91b2158bSmillert
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
93d01030Sdamien	if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
93d01030Sdamien	    (ic->ic_caps & IEEE80211_C_APPMGT) &&
3945a2e1Sdamien	    ni->ni_state == IEEE80211_STA_ASSOC) {
3945a2e1Sdamien		if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) {
3945a2e1Sdamien			if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) {
361aed72Sdamien				/* turn on PS mode */
361aed72Sdamien				ni->ni_pwrsave = IEEE80211_PS_DOZE;
ca7fda7eSstsp				DPRINTF(("PS mode on for %s\n",
ca7fda7eSstsp				    ether_sprintf(wh->i_addr2)));
91b2158bSmillert			}
3945a2e1Sdamien		} else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) {
351e1934Sdlg			struct mbuf *m;
351e1934Sdlg
361aed72Sdamien			/* turn off PS mode */
361aed72Sdamien			ni->ni_pwrsave = IEEE80211_PS_AWAKE;
ca7fda7eSstsp			DPRINTF(("PS mode off for %s\n",
ca7fda7eSstsp			    ether_sprintf(wh->i_addr2)));
91b2158bSmillert
158c4605Sdamien			(*ic->ic_set_tim)(ic, ni->ni_associd, 0);
91b2158bSmillert
361aed72Sdamien			/* dequeue buffered unicast frames */
351e1934Sdlg			while ((m = mq_dequeue(&ni->ni_savedq)) != NULL) {
351e1934Sdlg				mq_enqueue(&ic->ic_pwrsaveq, m);
67de757dSmpi				if_start(ifp);
91b2158bSmillert			}
91b2158bSmillert		}
e03e709cSdamien	}
171ac09aSdamien#endif
91b2158bSmillert	switch (type) {
91b2158bSmillert	case IEEE80211_FC0_TYPE_DATA:
91b2158bSmillert		switch (ic->ic_opmode) {
91b2158bSmillert		case IEEE80211_M_STA:
91b2158bSmillert			if (dir != IEEE80211_FC1_DIR_FROMDS) {
91b2158bSmillert				ic->ic_stats.is_rx_wrongdir++;
91b2158bSmillert				goto out;
91b2158bSmillert			}
0fd4e251Sreyk			if (ic->ic_state != IEEE80211_S_SCAN &&
0fd4e251Sreyk			    !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) {
0fd4e251Sreyk				/* Source address is not our BSS. */
932b9027Sdamien				DPRINTF(("discard frame from SA %s\n",
932b9027Sdamien				    ether_sprintf(wh->i_addr2)));
0fd4e251Sreyk				ic->ic_stats.is_rx_wrongbss++;
0fd4e251Sreyk				goto out;
0fd4e251Sreyk			}
91b2158bSmillert			if ((ifp->if_flags & IFF_SIMPLEX) &&
91b2158bSmillert			    IEEE80211_IS_MULTICAST(wh->i_addr1) &&
91b2158bSmillert			    IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) {
91b2158bSmillert				/*
361aed72Sdamien				 * In IEEE802.11 network, multicast frame
91b2158bSmillert				 * sent from me is broadcasted from AP.
91b2158bSmillert				 * It should be silently discarded for
91b2158bSmillert				 * SIMPLEX interface.
91b2158bSmillert				 */
91b2158bSmillert				ic->ic_stats.is_rx_mcastecho++;
91b2158bSmillert				goto out;
91b2158bSmillert			}
91b2158bSmillert			break;
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
91b2158bSmillert		case IEEE80211_M_IBSS:
91b2158bSmillert		case IEEE80211_M_AHDEMO:
91b2158bSmillert			if (dir != IEEE80211_FC1_DIR_NODS) {
91b2158bSmillert				ic->ic_stats.is_rx_wrongdir++;
91b2158bSmillert				goto out;
91b2158bSmillert			}
0fd4e251Sreyk			if (ic->ic_state != IEEE80211_S_SCAN &&
0fd4e251Sreyk			    !IEEE80211_ADDR_EQ(wh->i_addr3,
0fd4e251Sreyk				ic->ic_bss->ni_bssid) &&
cf1b8840Smickey			    !IEEE80211_ADDR_EQ(wh->i_addr3,
cf1b8840Smickey				etherbroadcastaddr)) {
0fd4e251Sreyk				/* Destination is not our BSS or broadcast. */
932b9027Sdamien				DPRINTF(("discard data frame to DA %s\n",
932b9027Sdamien				    ether_sprintf(wh->i_addr3)));
0fd4e251Sreyk				ic->ic_stats.is_rx_wrongbss++;
0fd4e251Sreyk				goto out;
0fd4e251Sreyk			}
91b2158bSmillert			break;
91b2158bSmillert		case IEEE80211_M_HOSTAP:
91b2158bSmillert			if (dir != IEEE80211_FC1_DIR_TODS) {
91b2158bSmillert				ic->ic_stats.is_rx_wrongdir++;
91b2158bSmillert				goto out;
91b2158bSmillert			}
0fd4e251Sreyk			if (ic->ic_state != IEEE80211_S_SCAN &&
0fd4e251Sreyk			    !IEEE80211_ADDR_EQ(wh->i_addr1,
0fd4e251Sreyk				ic->ic_bss->ni_bssid) &&
cf1b8840Smickey			    !IEEE80211_ADDR_EQ(wh->i_addr1,
cf1b8840Smickey				etherbroadcastaddr)) {
0fd4e251Sreyk				/* BSS is not us or broadcast. */
932b9027Sdamien				DPRINTF(("discard data frame to BSS %s\n",
932b9027Sdamien				    ether_sprintf(wh->i_addr1)));
0fd4e251Sreyk				ic->ic_stats.is_rx_wrongbss++;
0fd4e251Sreyk				goto out;
0fd4e251Sreyk			}
91b2158bSmillert			/* check if source STA is associated */
91b2158bSmillert			if (ni == ic->ic_bss) {
932b9027Sdamien				DPRINTF(("data from unknown src %s\n",
91b2158bSmillert				    ether_sprintf(wh->i_addr2)));
91b2158bSmillert				/* NB: caller deals with reference */
d4dcdec6Sstsp				ni = ieee80211_find_node(ic, wh->i_addr2);
d4dcdec6Sstsp				if (ni == NULL)
91b2158bSmillert					ni = ieee80211_dup_bss(ic, wh->i_addr2);
91b2158bSmillert				if (ni != NULL) {
91b2158bSmillert					IEEE80211_SEND_MGMT(ic, ni,
91b2158bSmillert					    IEEE80211_FC0_SUBTYPE_DEAUTH,
91b2158bSmillert					    IEEE80211_REASON_NOT_AUTHED);
91b2158bSmillert				}
91b2158bSmillert				ic->ic_stats.is_rx_notassoc++;
91b2158bSmillert				goto err;
91b2158bSmillert			}
63711141Sstsp			if (ni->ni_state != IEEE80211_STA_ASSOC) {
932b9027Sdamien				DPRINTF(("data from unassoc src %s\n",
91b2158bSmillert				    ether_sprintf(wh->i_addr2)));
91b2158bSmillert				IEEE80211_SEND_MGMT(ic, ni,
91b2158bSmillert				    IEEE80211_FC0_SUBTYPE_DISASSOC,
91b2158bSmillert				    IEEE80211_REASON_NOT_ASSOCED);
91b2158bSmillert				ic->ic_stats.is_rx_notassoc++;
91b2158bSmillert				goto err;
91b2158bSmillert			}
91b2158bSmillert			break;
171ac09aSdamien#endif	/* IEEE80211_STA_ONLY */
171ac09aSdamien		default:
fb4c23fcSdamien			/* can't get there */
fb4c23fcSdamien			goto out;
91b2158bSmillert		}
23726d56Sdamien
39356ae6Sstsp		/* Do not process "no data" frames any further. */
39356ae6Sstsp		if (subtype & IEEE80211_FC0_SUBTYPE_NODATA) {
e8ee43aaSmvs#if NBPFILTER > 0
39356ae6Sstsp			if (ic->ic_rawbpf)
39356ae6Sstsp				bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN);
e8ee43aaSmvs#endif
39356ae6Sstsp			goto out;
39356ae6Sstsp		}
39356ae6Sstsp
01ad6d9fSdamien		if ((ic->ic_flags & IEEE80211_F_WEPON) ||
01ad6d9fSdamien		    ((ic->ic_flags & IEEE80211_F_RSNON) &&
01ad6d9fSdamien		     (ni->ni_flags & IEEE80211_NODE_RXPROT))) {
01ad6d9fSdamien			/* protection is on for Rx */
01ad6d9fSdamien			if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) {
01ad6d9fSdamien				if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) {
01ad6d9fSdamien					/* drop unencrypted */
01ad6d9fSdamien					ic->ic_stats.is_rx_unencrypted++;
01ad6d9fSdamien					goto err;
01ad6d9fSdamien				}
01ad6d9fSdamien				/* do software decryption */
e03e709cSdamien				m = ieee80211_decrypt(ic, m, ni);
91b2158bSmillert				if (m == NULL) {
91b2158bSmillert					ic->ic_stats.is_rx_wepfail++;
91b2158bSmillert					goto err;
91b2158bSmillert				}
e995d523Sstsp			} else {
ccc2d1c4Sstsp				m = ieee80211_input_hwdecrypt(ic, ni, m, rxi);
e995d523Sstsp				if (m == NULL)
e995d523Sstsp					goto err;
01ad6d9fSdamien			}
e995d523Sstsp			wh = mtod(m, struct ieee80211_frame *);
01ad6d9fSdamien		} else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) ||
01ad6d9fSdamien		    (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) {
01ad6d9fSdamien			/* frame encrypted but protection off for Rx */
91b2158bSmillert			ic->ic_stats.is_rx_nowep++;
91b2158bSmillert			goto out;
91b2158bSmillert		}
01ad6d9fSdamien
91b2158bSmillert#if NBPFILTER > 0
91b2158bSmillert		/* copy to listener after decrypt */
91b2158bSmillert		if (ic->ic_rawbpf)
c4acdf64Sdjm			bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN);
91b2158bSmillert#endif
45eec175Sdamien
45eec175Sdamien		if ((ni->ni_flags & IEEE80211_NODE_HT) &&
45eec175Sdamien		    hasqos && (qos & IEEE80211_QOS_AMSDU))
8fbaf8a2Sstsp			ieee80211_amsdu_decap(ic, m, ni, hdrlen, ml);
45eec175Sdamien		else
8fbaf8a2Sstsp			ieee80211_decap(ic, m, ni, hdrlen, ml);
91b2158bSmillert		return;
91b2158bSmillert
91b2158bSmillert	case IEEE80211_FC0_TYPE_MGT:
91b2158bSmillert		if (dir != IEEE80211_FC1_DIR_NODS) {
91b2158bSmillert			ic->ic_stats.is_rx_wrongdir++;
91b2158bSmillert			goto err;
91b2158bSmillert		}
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
91b2158bSmillert		if (ic->ic_opmode == IEEE80211_M_AHDEMO) {
91b2158bSmillert			ic->ic_stats.is_rx_ahdemo_mgt++;
91b2158bSmillert			goto out;
91b2158bSmillert		}
171ac09aSdamien#endif
91b2158bSmillert		/* drop frames without interest */
91b2158bSmillert		if (ic->ic_state == IEEE80211_S_SCAN) {
91b2158bSmillert			if (subtype != IEEE80211_FC0_SUBTYPE_BEACON &&
91b2158bSmillert			    subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) {
91b2158bSmillert				ic->ic_stats.is_rx_mgtdiscard++;
91b2158bSmillert				goto out;
91b2158bSmillert			}
91b2158bSmillert		}
91b2158bSmillert
e8163130Sdamien		if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) {
e8163130Sdamien			/* MMPDU protection is on for Rx */
e8163130Sdamien			if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC ||
e8163130Sdamien			    subtype == IEEE80211_FC0_SUBTYPE_DEAUTH ||
e8163130Sdamien			    subtype == IEEE80211_FC0_SUBTYPE_ACTION) {
e8163130Sdamien				if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
e8163130Sdamien				    !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) {
e8163130Sdamien					/* unicast mgmt not encrypted */
e8163130Sdamien					goto out;
e8163130Sdamien				}
e8163130Sdamien				/* do software decryption */
e8163130Sdamien				m = ieee80211_decrypt(ic, m, ni);
e8163130Sdamien				if (m == NULL) {
e8163130Sdamien					/* XXX stats */
e8163130Sdamien					goto out;
e8163130Sdamien				}
e8163130Sdamien				wh = mtod(m, struct ieee80211_frame *);
e8163130Sdamien			}
e8163130Sdamien		} else if ((ic->ic_flags & IEEE80211_F_RSNON) &&
e8163130Sdamien		    (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) {
e8163130Sdamien			/* encrypted but MMPDU Rx protection off for TA */
e8163130Sdamien			goto out;
e8163130Sdamien		}
e8163130Sdamien
91b2158bSmillert#if NBPFILTER > 0
de3fab2cSdlg		if (bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN) != 0) {
832330f3Sreyk			/*
de3fab2cSdlg			 * Drop mbuf if it was filtered by bpf. Normally,
de3fab2cSdlg			 * this is done in ether_input() but IEEE 802.11
de3fab2cSdlg			 * management frames are a special case.
832330f3Sreyk			 */
832330f3Sreyk			m_freem(m);
832330f3Sreyk			return;
832330f3Sreyk		}
91b2158bSmillert#endif
30d05aacSdamien		(*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype);
91b2158bSmillert		m_freem(m);
91b2158bSmillert		return;
91b2158bSmillert
91b2158bSmillert	case IEEE80211_FC0_TYPE_CTL:
361aed72Sdamien		switch (subtype) {
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
361aed72Sdamien		case IEEE80211_FC0_SUBTYPE_PS_POLL:
3945a2e1Sdamien			ieee80211_recv_pspoll(ic, m, ni);
361aed72Sdamien			break;
171ac09aSdamien#endif
f2b57c48Sdamien		case IEEE80211_FC0_SUBTYPE_BAR:
45eec175Sdamien			ieee80211_recv_bar(ic, m, ni);
f2b57c48Sdamien			break;
45eec175Sdamien		default:
100ae3fbSstsp			ic->ic_stats.is_rx_ctl++;
f2b57c48Sdamien			break;
91b2158bSmillert		}
91b2158bSmillert		goto out;
91b2158bSmillert
91b2158bSmillert	default:
361aed72Sdamien		DPRINTF(("bad frame type %x\n", type));
91b2158bSmillert		/* should not come here */
91b2158bSmillert		break;
91b2158bSmillert	}
91b2158bSmillert err:
91b2158bSmillert	ifp->if_ierrors++;
91b2158bSmillert out:
91b2158bSmillert	if (m != NULL) {
91b2158bSmillert#if NBPFILTER > 0
91b2158bSmillert		if (ic->ic_rawbpf)
c4acdf64Sdjm			bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN);
91b2158bSmillert#endif
91b2158bSmillert		m_freem(m);
91b2158bSmillert	}
91b2158bSmillert}
91b2158bSmillert
8fbaf8a2Sstsp/* Input handler for drivers which only receive one frame per interrupt. */
8fbaf8a2Sstspvoid
8fbaf8a2Sstspieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni,
8fbaf8a2Sstsp    struct ieee80211_rxinfo *rxi)
8fbaf8a2Sstsp{
8fbaf8a2Sstsp	struct mbuf_list ml = MBUF_LIST_INITIALIZER();
8fbaf8a2Sstsp
8fbaf8a2Sstsp	ieee80211_inputm(ifp, m, ni, rxi, &ml);
8fbaf8a2Sstsp	if_input(ifp, &ml);
8fbaf8a2Sstsp}
8fbaf8a2Sstsp
4d38a678Sstsp#ifdef notyet
0c2a2ba1Sdamien/*
0c2a2ba1Sdamien * Handle defragmentation (see 9.5 and Annex C).  We support the concurrent
0c2a2ba1Sdamien * reception of fragments of three fragmented MSDUs or MMPDUs.
0c2a2ba1Sdamien */
0c2a2ba1Sdamienstruct mbuf *
0c2a2ba1Sdamienieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen)
0c2a2ba1Sdamien{
0c2a2ba1Sdamien	const struct ieee80211_frame *owh, *wh;
0c2a2ba1Sdamien	struct ieee80211_defrag *df;
0c2a2ba1Sdamien	u_int16_t rxseq, seq;
0c2a2ba1Sdamien	u_int8_t frag;
0c2a2ba1Sdamien	int i;
0c2a2ba1Sdamien
0c2a2ba1Sdamien	wh = mtod(m, struct ieee80211_frame *);
0c2a2ba1Sdamien	rxseq = letoh16(*(const u_int16_t *)wh->i_seq);
0c2a2ba1Sdamien	seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT;
0c2a2ba1Sdamien	frag = rxseq & IEEE80211_SEQ_FRAG_MASK;
0c2a2ba1Sdamien
0c2a2ba1Sdamien	if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG))
0c2a2ba1Sdamien		return m;	/* not fragmented */
0c2a2ba1Sdamien
0c2a2ba1Sdamien	if (frag == 0) {
0c2a2ba1Sdamien		/* first fragment, setup entry in the fragment cache */
0c2a2ba1Sdamien		if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE)
0c2a2ba1Sdamien			ic->ic_defrag_cur = 0;
0c2a2ba1Sdamien		df = &ic->ic_defrag[ic->ic_defrag_cur];
0c2a2ba1Sdamien		m_freem(df->df_m);	/* discard old entry */
0c2a2ba1Sdamien		df->df_seq = seq;
0c2a2ba1Sdamien		df->df_frag = 0;
0c2a2ba1Sdamien		df->df_m = m;
0c2a2ba1Sdamien		/* start receive MSDU timer of aMaxReceiveLifetime */
0c2a2ba1Sdamien		timeout_add_sec(&df->df_to, 1);
0c2a2ba1Sdamien		return NULL;	/* MSDU or MMPDU not yet complete */
0c2a2ba1Sdamien	}
0c2a2ba1Sdamien
0c2a2ba1Sdamien	/* find matching entry in the fragment cache */
0c2a2ba1Sdamien	for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) {
0c2a2ba1Sdamien		df = &ic->ic_defrag[i];
0c2a2ba1Sdamien		if (df->df_m == NULL)
0c2a2ba1Sdamien			continue;
0c2a2ba1Sdamien		if (df->df_seq != seq || df->df_frag + 1 != frag)
0c2a2ba1Sdamien			continue;
0c2a2ba1Sdamien		owh = mtod(df->df_m, struct ieee80211_frame *);
0c2a2ba1Sdamien		/* frame type, source and destination must match */
0c2a2ba1Sdamien		if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) ||
0c2a2ba1Sdamien		    !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) ||
0c2a2ba1Sdamien		    !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2))
0c2a2ba1Sdamien			continue;
0c2a2ba1Sdamien		/* matching entry found */
0c2a2ba1Sdamien		break;
0c2a2ba1Sdamien	}
0c2a2ba1Sdamien	if (i == IEEE80211_DEFRAG_SIZE) {
0c2a2ba1Sdamien		/* no matching entry found, discard fragment */
0c2a2ba1Sdamien		ic->ic_if.if_ierrors++;
0c2a2ba1Sdamien		m_freem(m);
0c2a2ba1Sdamien		return NULL;
0c2a2ba1Sdamien	}
0c2a2ba1Sdamien
0c2a2ba1Sdamien	df->df_frag = frag;
0c2a2ba1Sdamien	/* strip 802.11 header and concatenate fragment */
0c2a2ba1Sdamien	m_adj(m, hdrlen);
0c2a2ba1Sdamien	m_cat(df->df_m, m);
0c2a2ba1Sdamien	df->df_m->m_pkthdr.len += m->m_pkthdr.len;
0c2a2ba1Sdamien
0c2a2ba1Sdamien	if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)
0c2a2ba1Sdamien		return NULL;	/* MSDU or MMPDU not yet complete */
0c2a2ba1Sdamien
0c2a2ba1Sdamien	/* MSDU or MMPDU complete */
0c2a2ba1Sdamien	timeout_del(&df->df_to);
0c2a2ba1Sdamien	m = df->df_m;
0c2a2ba1Sdamien	df->df_m = NULL;
0c2a2ba1Sdamien	return m;
0c2a2ba1Sdamien}
0c2a2ba1Sdamien
0c2a2ba1Sdamien/*
0c2a2ba1Sdamien * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime.
0c2a2ba1Sdamien */
0c2a2ba1Sdamienvoid
0c2a2ba1Sdamienieee80211_defrag_timeout(void *arg)
0c2a2ba1Sdamien{
0c2a2ba1Sdamien	struct ieee80211_defrag *df = arg;
0c2a2ba1Sdamien	int s = splnet();
0c2a2ba1Sdamien
0c2a2ba1Sdamien	/* discard all received fragments */
0c2a2ba1Sdamien	m_freem(df->df_m);
0c2a2ba1Sdamien	df->df_m = NULL;
0c2a2ba1Sdamien
0c2a2ba1Sdamien	splx(s);
0c2a2ba1Sdamien}
4d38a678Sstsp#endif
0c2a2ba1Sdamien
45eec175Sdamien/*
45eec175Sdamien * Process a received data MPDU related to a specific HT-immediate Block Ack
45eec175Sdamien * agreement (see 9.10.7.6).
45eec175Sdamien */
45eec175Sdamienvoid
20fce2ddSstspieee80211_input_ba(struct ieee80211com *ic, struct mbuf *m,
8fbaf8a2Sstsp    struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi,
8fbaf8a2Sstsp    struct mbuf_list *ml)
45eec175Sdamien{
20fce2ddSstsp	struct ifnet *ifp = &ic->ic_if;
ec69e05aSdamien	struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
45eec175Sdamien	struct ieee80211_frame *wh;
45eec175Sdamien	int idx, count;
45eec175Sdamien	u_int16_t sn;
45eec175Sdamien
45eec175Sdamien	wh = mtod(m, struct ieee80211_frame *);
45eec175Sdamien	sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT;
45eec175Sdamien
45eec175Sdamien	/* reset Block Ack inactivity timer */
5c7c7275Sstsp	if (ba->ba_timeout_val != 0)
45eec175Sdamien		timeout_add_usec(&ba->ba_to, ba->ba_timeout_val);
45eec175Sdamien
45eec175Sdamien	if (SEQ_LT(sn, ba->ba_winstart)) {	/* SN < WinStartB */
44fdf27cSstsp		ic->ic_stats.is_ht_rx_frame_below_ba_winstart++;
45eec175Sdamien		m_freem(m);	/* discard the MPDU */
45eec175Sdamien		return;
45eec175Sdamien	}
45eec175Sdamien	if (SEQ_LT(ba->ba_winend, sn)) {	/* WinEndB < SN */
44fdf27cSstsp		ic->ic_stats.is_ht_rx_frame_above_ba_winend++;
2bfbd258Sstsp		count = (sn - ba->ba_winend) & 0xfff;
737c942dSstsp		if (count > ba->ba_winsize) {
2bfbd258Sstsp			/*
2bfbd258Sstsp			 * Check whether we're consistently behind the window,
678831beSjsg			 * and let the window move forward if necessary.
2bfbd258Sstsp			 */
0b126c70Sstsp			if (ba->ba_winmiss < IEEE80211_BA_MAX_WINMISS) {
2f33e90fStb				if (ba->ba_missedsn == ((sn - 1) & 0xfff))
0b126c70Sstsp					ba->ba_winmiss++;
0b126c70Sstsp				else
0b126c70Sstsp					ba->ba_winmiss = 0;
0b126c70Sstsp				ba->ba_missedsn = sn;
0b126c70Sstsp				ifp->if_ierrors++;
0b126c70Sstsp				m_freem(m);	/* discard the MPDU */
0b126c70Sstsp				return;
0b126c70Sstsp			}
0b126c70Sstsp
0b126c70Sstsp			/* It appears the window has moved for real. */
44fdf27cSstsp			ic->ic_stats.is_ht_rx_ba_window_jump++;
0b126c70Sstsp			ba->ba_winmiss = 0;
0b126c70Sstsp			ba->ba_missedsn = 0;
8fbaf8a2Sstsp			ieee80211_ba_move_window(ic, ni, tid, sn, ml);
2bfbd258Sstsp		} else {
2bfbd258Sstsp			ic->ic_stats.is_ht_rx_ba_window_slide++;
2bfbd258Sstsp			ieee80211_input_ba_seq(ic, ni, tid,
8fbaf8a2Sstsp			    (ba->ba_winstart + count) & 0xfff, ml);
8fbaf8a2Sstsp			ieee80211_input_ba_flush(ic, ni, ba, ml);
0b126c70Sstsp		}
45eec175Sdamien	}
45eec175Sdamien	/* WinStartB <= SN <= WinEndB */
45eec175Sdamien
08fd8c90Sstsp	ba->ba_winmiss = 0;
08fd8c90Sstsp	ba->ba_missedsn = 0;
45eec175Sdamien	idx = (sn - ba->ba_winstart) & 0xfff;
45eec175Sdamien	idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ;
45eec175Sdamien	/* store the received MPDU in the buffer */
45eec175Sdamien	if (ba->ba_buf[idx].m != NULL) {
45eec175Sdamien		ifp->if_ierrors++;
44fdf27cSstsp		ic->ic_stats.is_ht_rx_ba_no_buf++;
45eec175Sdamien		m_freem(m);
45eec175Sdamien		return;
45eec175Sdamien	}
45eec175Sdamien	ba->ba_buf[idx].m = m;
45eec175Sdamien	/* store Rx meta-data too */
45eec175Sdamien	rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE;
45eec175Sdamien	ba->ba_buf[idx].rxi = *rxi;
20599cf9Sstsp	ba->ba_gapwait++;
e565f475Stobhe
e565f475Stobhe	if (ba->ba_buf[ba->ba_head].m == NULL && ba->ba_gapwait == 1)
e565f475Stobhe		timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT);
20fce2ddSstsp
8fbaf8a2Sstsp	ieee80211_input_ba_flush(ic, ni, ba, ml);
20fce2ddSstsp}
20fce2ddSstsp
2bfbd258Sstsp/*
2bfbd258Sstsp * Forward buffered frames with sequence number lower than max_seq.
2bfbd258Sstsp * See 802.11-2012 9.21.7.6.2 b.
2bfbd258Sstsp */
2bfbd258Sstspvoid
2bfbd258Sstspieee80211_input_ba_seq(struct ieee80211com *ic, struct ieee80211_node *ni,
8fbaf8a2Sstsp    uint8_t tid, uint16_t max_seq, struct mbuf_list *ml)
2bfbd258Sstsp{
2bfbd258Sstsp	struct ifnet *ifp = &ic->ic_if;
2bfbd258Sstsp	struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
2bfbd258Sstsp	struct ieee80211_frame *wh;
2bfbd258Sstsp	uint16_t seq;
2bfbd258Sstsp	int i = 0;
2bfbd258Sstsp
2bfbd258Sstsp	while (i++ < ba->ba_winsize) {
2bfbd258Sstsp		/* gaps may exist */
2bfbd258Sstsp		if (ba->ba_buf[ba->ba_head].m != NULL) {
2bfbd258Sstsp			wh = mtod(ba->ba_buf[ba->ba_head].m,
2bfbd258Sstsp			    struct ieee80211_frame *);
2bfbd258Sstsp			KASSERT(ieee80211_has_seq(wh));
2bfbd258Sstsp			seq = letoh16(*(u_int16_t *)wh->i_seq) >>
2bfbd258Sstsp			    IEEE80211_SEQ_SEQ_SHIFT;
2bfbd258Sstsp			if (!SEQ_LT(seq, max_seq))
04b94a2bSstsp				break;
8fbaf8a2Sstsp			ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m,
8fbaf8a2Sstsp			    ni, &ba->ba_buf[ba->ba_head].rxi, ml);
2bfbd258Sstsp			ba->ba_buf[ba->ba_head].m = NULL;
e565f475Stobhe			ba->ba_gapwait--;
2bfbd258Sstsp		} else
2bfbd258Sstsp			ic->ic_stats.is_ht_rx_ba_frame_lost++;
2bfbd258Sstsp		ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ;
cda29a62Sstsp		/* move window forward */
cda29a62Sstsp		ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff;
2bfbd258Sstsp	}
cda29a62Sstsp	ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff;
2bfbd258Sstsp}
2bfbd258Sstsp
20fce2ddSstsp/* Flush a consecutive sequence of frames from the reorder buffer. */
20fce2ddSstspvoid
20fce2ddSstspieee80211_input_ba_flush(struct ieee80211com *ic, struct ieee80211_node *ni,
8fbaf8a2Sstsp    struct ieee80211_rx_ba *ba, struct mbuf_list *ml)
20fce2ddSstsp
20fce2ddSstsp{
20fce2ddSstsp	struct ifnet *ifp = &ic->ic_if;
20fce2ddSstsp
8d36f12dSstsp	/* Do not re-arm the gap timeout if we made no progress. */
8d36f12dSstsp	if (ba->ba_buf[ba->ba_head].m == NULL)
8d36f12dSstsp		return;
8d36f12dSstsp
45eec175Sdamien	/* pass reordered MPDUs up to the next MAC process */
45eec175Sdamien	while (ba->ba_buf[ba->ba_head].m != NULL) {
8fbaf8a2Sstsp		ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni,
8fbaf8a2Sstsp		    &ba->ba_buf[ba->ba_head].rxi, ml);
45eec175Sdamien		ba->ba_buf[ba->ba_head].m = NULL;
e565f475Stobhe		ba->ba_gapwait--;
45eec175Sdamien
45eec175Sdamien		ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ;
45eec175Sdamien		/* move window forward */
45eec175Sdamien		ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff;
45eec175Sdamien	}
45eec175Sdamien	ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff;
e565f475Stobhe
e565f475Stobhe	if (timeout_pending(&ba->ba_gap_to))
e565f475Stobhe		timeout_del(&ba->ba_gap_to);
e565f475Stobhe	if (ba->ba_gapwait)
e565f475Stobhe		timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT);
45eec175Sdamien}
45eec175Sdamien
45eec175Sdamien/*
20fce2ddSstsp * Forcibly move the BA window forward to remove a leading gap which has
20fce2ddSstsp * been causing frames to linger in the reordering buffer for too long.
20fce2ddSstsp * A leading gap will occur if a particular A-MPDU subframe never arrives
20fce2ddSstsp * or if a bug in the sender causes sequence numbers to jump forward by > 1.
20fce2ddSstsp */
20599cf9Sstspint
20599cf9Sstspieee80211_input_ba_gap_skip(struct ieee80211_rx_ba *ba)
20599cf9Sstsp{
20599cf9Sstsp	int skipped = 0;
20599cf9Sstsp
20599cf9Sstsp	while (skipped < ba->ba_winsize && ba->ba_buf[ba->ba_head].m == NULL) {
20599cf9Sstsp		/* move window forward */
20599cf9Sstsp		ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ;
20599cf9Sstsp		ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff;
20599cf9Sstsp		skipped++;
20599cf9Sstsp	}
20599cf9Sstsp	if (skipped > 0)
20599cf9Sstsp		ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff;
20599cf9Sstsp
20599cf9Sstsp	return skipped;
20599cf9Sstsp}
20599cf9Sstsp
20fce2ddSstspvoid
20fce2ddSstspieee80211_input_ba_gap_timeout(void *arg)
20fce2ddSstsp{
20fce2ddSstsp	struct ieee80211_rx_ba *ba = arg;
20fce2ddSstsp	struct ieee80211_node *ni = ba->ba_ni;
20fce2ddSstsp	struct ieee80211com *ic = ni->ni_ic;
20fce2ddSstsp	int s, skipped;
20fce2ddSstsp
44fdf27cSstsp	ic->ic_stats.is_ht_rx_ba_window_gap_timeout++;
44fdf27cSstsp
20fce2ddSstsp	s = splnet();
20fce2ddSstsp
20599cf9Sstsp	skipped = ieee80211_input_ba_gap_skip(ba);
20599cf9Sstsp	ic->ic_stats.is_ht_rx_ba_frame_lost += skipped;
86cf434eStobhe	if (skipped) {
86cf434eStobhe		struct mbuf_list ml = MBUF_LIST_INITIALIZER();
86cf434eStobhe		ieee80211_input_ba_flush(ic, ni, ba, &ml);
86cf434eStobhe		if_input(&ic->ic_if, &ml);
86cf434eStobhe	}
20fce2ddSstsp
20fce2ddSstsp	splx(s);
20fce2ddSstsp}
20fce2ddSstsp
20fce2ddSstsp
20fce2ddSstsp/*
45eec175Sdamien * Change the value of WinStartB (move window forward) upon reception of a
ec69e05aSdamien * BlockAckReq frame or an ADDBA Request (PBAC).
45eec175Sdamien */
45eec175Sdamienvoid
45eec175Sdamienieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni,
8fbaf8a2Sstsp    u_int8_t tid, u_int16_t ssn, struct mbuf_list *ml)
45eec175Sdamien{
45eec175Sdamien	struct ifnet *ifp = &ic->ic_if;
ec69e05aSdamien	struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
45eec175Sdamien	int count;
45eec175Sdamien
45eec175Sdamien	/* assert(WinStartB <= SSN) */
45eec175Sdamien
45eec175Sdamien	count = (ssn - ba->ba_winstart) & 0xfff;
45eec175Sdamien	if (count > ba->ba_winsize)	/* no overlap */
45eec175Sdamien		count = ba->ba_winsize;
45eec175Sdamien	while (count-- > 0) {
45eec175Sdamien		/* gaps may exist */
45eec175Sdamien		if (ba->ba_buf[ba->ba_head].m != NULL) {
8fbaf8a2Sstsp			ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni,
8fbaf8a2Sstsp			    &ba->ba_buf[ba->ba_head].rxi, ml);
45eec175Sdamien			ba->ba_buf[ba->ba_head].m = NULL;
e565f475Stobhe			ba->ba_gapwait--;
44fdf27cSstsp		} else
44fdf27cSstsp			ic->ic_stats.is_ht_rx_ba_frame_lost++;
45eec175Sdamien		ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ;
45eec175Sdamien	}
45eec175Sdamien	/* move window forward */
45eec175Sdamien	ba->ba_winstart = ssn;
04b94a2bSstsp	ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff;
45eec175Sdamien
8fbaf8a2Sstsp	ieee80211_input_ba_flush(ic, ni, ba, ml);
45eec175Sdamien}
45eec175Sdamien
aea3374dSdamienvoid
8fbaf8a2Sstspieee80211_enqueue_data(struct ieee80211com *ic, struct mbuf *m,
8fbaf8a2Sstsp    struct ieee80211_node *ni, int mcast, struct mbuf_list *ml)
aea3374dSdamien{
aea3374dSdamien	struct ifnet *ifp = &ic->ic_if;
aea3374dSdamien	struct ether_header *eh;
aea3374dSdamien	struct mbuf *m1;
aea3374dSdamien
aea3374dSdamien	eh = mtod(m, struct ether_header *);
aea3374dSdamien
aea3374dSdamien	if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid &&
83aa0ba6Sdlg	    eh->ether_type != htons(ETHERTYPE_EAPOL)) {
aea3374dSdamien		DPRINTF(("port not valid: %s\n",
aea3374dSdamien		    ether_sprintf(eh->ether_dhost)));
aea3374dSdamien		ic->ic_stats.is_rx_unauth++;
aea3374dSdamien		m_freem(m);
aea3374dSdamien		return;
aea3374dSdamien	}
aea3374dSdamien
aea3374dSdamien	/*
aea3374dSdamien	 * Perform as a bridge within the AP.  Notice that we do not
aea3374dSdamien	 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X.
a97608f4Sstsp	 * And we do not forward unicast frames received on a multicast address.
aea3374dSdamien	 */
aea3374dSdamien	m1 = NULL;
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
aea3374dSdamien	if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
534bf8f4Sstsp	    !(ic->ic_userflags & IEEE80211_F_NOBRIDGE) &&
83aa0ba6Sdlg	    eh->ether_type != htons(ETHERTYPE_EAPOL)) {
171ac09aSdamien		struct ieee80211_node *ni1;
171ac09aSdamien
aea3374dSdamien		if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
dca41f6bSdlg			m1 = m_dup_pkt(m, ETHER_ALIGN, M_DONTWAIT);
aea3374dSdamien			if (m1 == NULL)
aea3374dSdamien				ifp->if_oerrors++;
aea3374dSdamien			else
aea3374dSdamien				m1->m_flags |= M_MCAST;
a97608f4Sstsp		} else if (!mcast) {
aea3374dSdamien			ni1 = ieee80211_find_node(ic, eh->ether_dhost);
aea3374dSdamien			if (ni1 != NULL &&
aea3374dSdamien			    ni1->ni_state == IEEE80211_STA_ASSOC) {
aea3374dSdamien				m1 = m;
aea3374dSdamien				m = NULL;
aea3374dSdamien			}
aea3374dSdamien		}
aea3374dSdamien		if (m1 != NULL) {
c38eb4ffSmpi			if (if_enqueue(ifp, m1))
aea3374dSdamien				 ifp->if_oerrors++;
aea3374dSdamien		}
aea3374dSdamien	}
171ac09aSdamien#endif
aea3374dSdamien	if (m != NULL) {
ced35d8fSmpi		if ((ic->ic_flags & IEEE80211_F_RSNON) &&
83aa0ba6Sdlg		    eh->ether_type == htons(ETHERTYPE_EAPOL)) {
db4dc9aaSmpi			ifp->if_ipackets++;
aea3374dSdamien#if NBPFILTER > 0
aea3374dSdamien			/*
aea3374dSdamien			 * If we forward frame into transmitter of the AP,
aea3374dSdamien			 * we don't need to duplicate for DLT_EN10MB.
aea3374dSdamien			 */
aea3374dSdamien			if (ifp->if_bpf && m1 == NULL)
aea3374dSdamien				bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN);
aea3374dSdamien#endif
aea3374dSdamien			ieee80211_eapol_key_input(ic, m, ni);
86666264Sdlg		} else {
8fbaf8a2Sstsp			ml_enqueue(ml, m);
86666264Sdlg		}
aea3374dSdamien	}
aea3374dSdamien}
aea3374dSdamien
45eec175Sdamienvoid
45eec175Sdamienieee80211_decap(struct ieee80211com *ic, struct mbuf *m,
8fbaf8a2Sstsp    struct ieee80211_node *ni, int hdrlen, struct mbuf_list *ml)
45eec175Sdamien{
ef001a37Sdamien	struct ether_header eh;
ef001a37Sdamien	struct ieee80211_frame *wh;
45eec175Sdamien	struct llc *llc;
a97608f4Sstsp	int mcast;
45eec175Sdamien
45eec175Sdamien	if (m->m_len < hdrlen + LLC_SNAPFRAMELEN &&
45eec175Sdamien	    (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) {
45eec175Sdamien		ic->ic_stats.is_rx_decap++;
45eec175Sdamien		return;
45eec175Sdamien	}
ef001a37Sdamien	wh = mtod(m, struct ieee80211_frame *);
a97608f4Sstsp	mcast = IEEE80211_IS_MULTICAST(wh->i_addr1);
ef001a37Sdamien	switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
ef001a37Sdamien	case IEEE80211_FC1_DIR_NODS:
ef001a37Sdamien		IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1);
ef001a37Sdamien		IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2);
ef001a37Sdamien		break;
ef001a37Sdamien	case IEEE80211_FC1_DIR_TODS:
ef001a37Sdamien		IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3);
ef001a37Sdamien		IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2);
ef001a37Sdamien		break;
ef001a37Sdamien	case IEEE80211_FC1_DIR_FROMDS:
ef001a37Sdamien		IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1);
ef001a37Sdamien		IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr3);
ef001a37Sdamien		break;
ef001a37Sdamien	case IEEE80211_FC1_DIR_DSTODS:
ef001a37Sdamien		IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3);
ef001a37Sdamien		IEEE80211_ADDR_COPY(eh.ether_shost,
ef001a37Sdamien		    ((struct ieee80211_frame_addr4 *)wh)->i_addr4);
ef001a37Sdamien		break;
ef001a37Sdamien	}
ef001a37Sdamien	llc = (struct llc *)((caddr_t)wh + hdrlen);
45eec175Sdamien	if (llc->llc_dsap == LLC_SNAP_LSAP &&
45eec175Sdamien	    llc->llc_ssap == LLC_SNAP_LSAP &&
45eec175Sdamien	    llc->llc_control == LLC_UI &&
45eec175Sdamien	    llc->llc_snap.org_code[0] == 0 &&
45eec175Sdamien	    llc->llc_snap.org_code[1] == 0 &&
45eec175Sdamien	    llc->llc_snap.org_code[2] == 0) {
ef001a37Sdamien		eh.ether_type = llc->llc_snap.ether_type;
45eec175Sdamien		m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN);
45eec175Sdamien	} else {
ef001a37Sdamien		eh.ether_type = htons(m->m_pkthdr.len - hdrlen);
45eec175Sdamien		m_adj(m, hdrlen - ETHER_HDR_LEN);
45eec175Sdamien	}
ef001a37Sdamien	memcpy(mtod(m, caddr_t), &eh, ETHER_HDR_LEN);
45eec175Sdamien	if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) {
9d147a27Sdlg		struct mbuf *m0 = m;
9d147a27Sdlg		m = m_dup_pkt(m0, ETHER_ALIGN, M_NOWAIT);
9d147a27Sdlg		m_freem(m0);
9d147a27Sdlg		if (m == NULL) {
45eec175Sdamien			ic->ic_stats.is_rx_decap++;
45eec175Sdamien			return;
45eec175Sdamien		}
91b2158bSmillert	}
8fbaf8a2Sstsp	ieee80211_enqueue_data(ic, m, ni, mcast, ml);
91b2158bSmillert}
91b2158bSmillert
e12e039eSstspint
e12e039eSstspieee80211_amsdu_decap_validate(struct ieee80211com *ic, struct mbuf *m,
e12e039eSstsp    struct ieee80211_node *ni)
e12e039eSstsp{
e12e039eSstsp	struct ether_header *eh = mtod(m, struct ether_header *);
e12e039eSstsp	const uint8_t llc_hdr_mac[ETHER_ADDR_LEN] = {
e12e039eSstsp		/* MAC address matching the 802.2 LLC header. */
e12e039eSstsp		LLC_SNAP_LSAP, LLC_SNAP_LSAP, LLC_UI, 0, 0, 0
e12e039eSstsp	};
e12e039eSstsp
e12e039eSstsp	/*
e12e039eSstsp	 * We are sorry, but this particular MAC address cannot be used.
e12e039eSstsp	 * This mitigates an attack where a single 802.11 frame is interpreted
e12e039eSstsp	 * as an A-MSDU because of a forged AMSDU-present bit in the 802.11
e12e039eSstsp	 * QoS frame header: https://papers.mathyvanhoef.com/usenix2021.pdf
e12e039eSstsp	 * See Section 7.2, 'Countermeasures for the design flaws'
e12e039eSstsp	 */
e12e039eSstsp	if (ETHER_IS_EQ(eh->ether_dhost, llc_hdr_mac))
e12e039eSstsp		return 1;
e12e039eSstsp
e12e039eSstsp	switch (ic->ic_opmode) {
e12e039eSstsp#ifndef IEEE80211_STA_ONLY
e12e039eSstsp	case IEEE80211_M_HOSTAP:
e12e039eSstsp		/*
e12e039eSstsp		 * Subframes must use the source address of the node which
e12e039eSstsp		 * transmitted the A-MSDU. Prevents MAC spoofing.
e12e039eSstsp		 */
e12e039eSstsp		if (!ETHER_IS_EQ(ni->ni_macaddr, eh->ether_shost))
e12e039eSstsp			return 1;
e12e039eSstsp		break;
e12e039eSstsp#endif
e12e039eSstsp	case IEEE80211_M_STA:
e12e039eSstsp		/* Subframes must be addressed to me. */
e12e039eSstsp		if (!ETHER_IS_EQ(ic->ic_myaddr, eh->ether_dhost))
e12e039eSstsp			return 1;
e12e039eSstsp		break;
e12e039eSstsp	default:
e12e039eSstsp		/* Ignore MONITOR/IBSS modes for now. */
e12e039eSstsp		break;
e12e039eSstsp	}
e12e039eSstsp
e12e039eSstsp	return 0;
e12e039eSstsp}
e12e039eSstsp
45eec175Sdamien/*
45eec175Sdamien * Decapsulate an Aggregate MSDU (see 7.2.2.2).
45eec175Sdamien */
45eec175Sdamienvoid
45eec175Sdamienieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m,
8fbaf8a2Sstsp    struct ieee80211_node *ni, int hdrlen, struct mbuf_list *ml)
45eec175Sdamien{
45eec175Sdamien	struct mbuf *n;
45eec175Sdamien	struct ether_header *eh;
45eec175Sdamien	struct llc *llc;
a97608f4Sstsp	int len, pad, mcast;
a97608f4Sstsp	struct ieee80211_frame *wh;
e12e039eSstsp	struct mbuf_list subframes = MBUF_LIST_INITIALIZER();
a97608f4Sstsp
a97608f4Sstsp	wh = mtod(m, struct ieee80211_frame *);
a97608f4Sstsp	mcast = IEEE80211_IS_MULTICAST(wh->i_addr1);
45eec175Sdamien
45eec175Sdamien	/* strip 802.11 header */
45eec175Sdamien	m_adj(m, hdrlen);
45eec175Sdamien
e9230c34Sstsp	while (m->m_pkthdr.len >= ETHER_HDR_LEN + LLC_SNAPFRAMELEN) {
45eec175Sdamien		/* process an A-MSDU subframe */
45eec175Sdamien		m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN);
e12e039eSstsp		if (m == NULL)
e12e039eSstsp			break;
45eec175Sdamien		eh = mtod(m, struct ether_header *);
45eec175Sdamien		/* examine 802.3 header */
45eec175Sdamien		len = ntohs(eh->ether_type);
45eec175Sdamien		if (len < LLC_SNAPFRAMELEN) {
45eec175Sdamien			DPRINTF(("A-MSDU subframe too short (%d)\n", len));
45eec175Sdamien			/* stop processing A-MSDU subframes */
45eec175Sdamien			ic->ic_stats.is_rx_decap++;
e12e039eSstsp			ml_purge(&subframes);
45eec175Sdamien			m_freem(m);
d0faa20eSstsp			return;
45eec175Sdamien		}
45eec175Sdamien		llc = (struct llc *)&eh[1];
e12e039eSstsp		/* Examine the 802.2 LLC header after the A-MSDU header. */
45eec175Sdamien		if (llc->llc_dsap == LLC_SNAP_LSAP &&
45eec175Sdamien		    llc->llc_ssap == LLC_SNAP_LSAP &&
45eec175Sdamien		    llc->llc_control == LLC_UI &&
45eec175Sdamien		    llc->llc_snap.org_code[0] == 0 &&
45eec175Sdamien		    llc->llc_snap.org_code[1] == 0 &&
45eec175Sdamien		    llc->llc_snap.org_code[2] == 0) {
45eec175Sdamien			/* convert to Ethernet II header */
45eec175Sdamien			eh->ether_type = llc->llc_snap.ether_type;
45eec175Sdamien			/* strip LLC+SNAP headers */
8f51fbe3Sderaadt			memmove((u_int8_t *)eh + LLC_SNAPFRAMELEN, eh,
45eec175Sdamien			    ETHER_HDR_LEN);
45eec175Sdamien			m_adj(m, LLC_SNAPFRAMELEN);
45eec175Sdamien			len -= LLC_SNAPFRAMELEN;
45eec175Sdamien		}
45eec175Sdamien		len += ETHER_HDR_LEN;
a2f74cd9Sstsp		if (len > m->m_pkthdr.len) {
a2f74cd9Sstsp			/* stop processing A-MSDU subframes */
a2f74cd9Sstsp			DPRINTF(("A-MSDU subframe too long (%d)\n", len));
a2f74cd9Sstsp			ic->ic_stats.is_rx_decap++;
e12e039eSstsp			ml_purge(&subframes);
a2f74cd9Sstsp			m_freem(m);
d0faa20eSstsp			return;
a2f74cd9Sstsp		}
45eec175Sdamien
45eec175Sdamien		/* "detach" our A-MSDU subframe from the others */
45eec175Sdamien		n = m_split(m, len, M_NOWAIT);
45eec175Sdamien		if (n == NULL) {
45eec175Sdamien			/* stop processing A-MSDU subframes */
45eec175Sdamien			ic->ic_stats.is_rx_decap++;
e12e039eSstsp			ml_purge(&subframes);
45eec175Sdamien			m_freem(m);
d0faa20eSstsp			return;
45eec175Sdamien		}
e12e039eSstsp
e12e039eSstsp		if (ieee80211_amsdu_decap_validate(ic, m, ni)) {
e12e039eSstsp			/* stop processing A-MSDU subframes */
e12e039eSstsp			ic->ic_stats.is_rx_decap++;
e12e039eSstsp			ml_purge(&subframes);
e12e039eSstsp			m_freem(m);
e12e039eSstsp			return;
e12e039eSstsp		}
e12e039eSstsp
e12e039eSstsp		ml_enqueue(&subframes, m);
45eec175Sdamien
45eec175Sdamien		m = n;
45eec175Sdamien		/* remove padding */
45eec175Sdamien		pad = ((len + 3) & ~3) - len;
45eec175Sdamien		m_adj(m, pad);
45eec175Sdamien	}
e9230c34Sstsp
e12e039eSstsp	while ((n = ml_dequeue(&subframes)) != NULL)
e12e039eSstsp		ieee80211_enqueue_data(ic, n, ni, mcast, ml);
e12e039eSstsp
e9230c34Sstsp	m_freem(m);
45eec175Sdamien}
45eec175Sdamien
16b96e48Sdamien/*
16b96e48Sdamien * Parse an EDCA Parameter Set element (see 7.3.2.27).
fdcb679cSdamien */
ab235185Sdamienint
2d5bc21cSdamienieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm)
ab235185Sdamien{
ab235185Sdamien	u_int updtcount;
ab235185Sdamien	int aci;
ab235185Sdamien
ab235185Sdamien	/*
ab235185Sdamien	 * Check if EDCA parameters have changed XXX if we miss more than
ab235185Sdamien	 * 15 consecutive beacons, we might not detect changes to EDCA
ab235185Sdamien	 * parameters due to wraparound of the 4-bit Update Count field.
ab235185Sdamien	 */
ab235185Sdamien	updtcount = frm[0] & 0xf;
ab235185Sdamien	if (updtcount == ic->ic_edca_updtcount)
ab235185Sdamien		return 0;	/* no changes to EDCA parameters, ignore */
ab235185Sdamien	ic->ic_edca_updtcount = updtcount;
ab235185Sdamien
d813d27eSdamien	frm += 2;	/* skip QoS Info & Reserved fields */
ab235185Sdamien
ab235185Sdamien	/* parse AC Parameter Records */
ab235185Sdamien	for (aci = 0; aci < EDCA_NUM_AC; aci++) {
ab235185Sdamien		struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci];
ab235185Sdamien
ab235185Sdamien		ac->ac_acm       = (frm[0] >> 4) & 0x1;
ab235185Sdamien		ac->ac_aifsn     = frm[0] & 0xf;
ab235185Sdamien		ac->ac_ecwmin    = frm[1] & 0xf;
ab235185Sdamien		ac->ac_ecwmax    = frm[1] >> 4;
ab235185Sdamien		ac->ac_txoplimit = LE_READ_2(frm + 2);
ab235185Sdamien		frm += 4;
ab235185Sdamien	}
ab235185Sdamien	/* give drivers a chance to update their settings */
ab235185Sdamien	if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL)
ab235185Sdamien		(*ic->ic_updateedca)(ic);
ab235185Sdamien
ab235185Sdamien	return 0;
ab235185Sdamien}
ab235185Sdamien
ab235185Sdamienint
ab235185Sdamienieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm)
ab235185Sdamien{
ab235185Sdamien	if (frm[1] < 18) {
ab235185Sdamien		ic->ic_stats.is_rx_elem_toosmall++;
4b3a03eeSdamien		return IEEE80211_REASON_IE_INVALID;
ab235185Sdamien	}
2d5bc21cSdamien	return ieee80211_parse_edca_params_body(ic, frm + 2);
ab235185Sdamien}
ab235185Sdamien
ab235185Sdamienint
ab235185Sdamienieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm)
ab235185Sdamien{
ab235185Sdamien	if (frm[1] < 24) {
ab235185Sdamien		ic->ic_stats.is_rx_elem_toosmall++;
4b3a03eeSdamien		return IEEE80211_REASON_IE_INVALID;
ab235185Sdamien	}
2d5bc21cSdamien	return ieee80211_parse_edca_params_body(ic, frm + 8);
2d5bc21cSdamien}
2d5bc21cSdamien
2d5bc21cSdamienenum ieee80211_cipher
2d5bc21cSdamienieee80211_parse_rsn_cipher(const u_int8_t selector[4])
2d5bc21cSdamien{
db011a80Sdamien	if (memcmp(selector, MICROSOFT_OUI, 3) == 0) {	/* WPA */
2d5bc21cSdamien		switch (selector[3]) {
db011a80Sdamien		case 0:	/* use group data cipher suite */
2d5bc21cSdamien			return IEEE80211_CIPHER_USEGROUP;
2d5bc21cSdamien		case 1:	/* WEP-40 */
2d5bc21cSdamien			return IEEE80211_CIPHER_WEP40;
2d5bc21cSdamien		case 2:	/* TKIP */
2d5bc21cSdamien			return IEEE80211_CIPHER_TKIP;
0e5a82c2Sdamien		case 4:	/* CCMP (RSNA default) */
2d5bc21cSdamien			return IEEE80211_CIPHER_CCMP;
2d5bc21cSdamien		case 5:	/* WEP-104 */
2d5bc21cSdamien			return IEEE80211_CIPHER_WEP104;
2d5bc21cSdamien		}
db011a80Sdamien	} else if (memcmp(selector, IEEE80211_OUI, 3) == 0) {	/* RSN */
90af3bf7Sstsp		/* see 802.11-2012 Table 8-99 */
db011a80Sdamien		switch (selector[3]) {
db011a80Sdamien		case 0:	/* use group data cipher suite */
db011a80Sdamien			return IEEE80211_CIPHER_USEGROUP;
db011a80Sdamien		case 1:	/* WEP-40 */
db011a80Sdamien			return IEEE80211_CIPHER_WEP40;
db011a80Sdamien		case 2:	/* TKIP */
db011a80Sdamien			return IEEE80211_CIPHER_TKIP;
db011a80Sdamien		case 4:	/* CCMP (RSNA default) */
db011a80Sdamien			return IEEE80211_CIPHER_CCMP;
db011a80Sdamien		case 5:	/* WEP-104 */
db011a80Sdamien			return IEEE80211_CIPHER_WEP104;
45eec175Sdamien		case 6:	/* BIP */
45eec175Sdamien			return IEEE80211_CIPHER_BIP;
db011a80Sdamien		}
2d5bc21cSdamien	}
2d5bc21cSdamien	return IEEE80211_CIPHER_NONE;	/* ignore unknown ciphers */
2d5bc21cSdamien}
2d5bc21cSdamien
2d5bc21cSdamienenum ieee80211_akm
2d5bc21cSdamienieee80211_parse_rsn_akm(const u_int8_t selector[4])
2d5bc21cSdamien{
c7c53e5eSdamien	if (memcmp(selector, MICROSOFT_OUI, 3) == 0) {	/* WPA */
2d5bc21cSdamien		switch (selector[3]) {
2d5bc21cSdamien		case 1:	/* IEEE 802.1X (RSNA default) */
c7c53e5eSdamien			return IEEE80211_AKM_8021X;
2d5bc21cSdamien		case 2:	/* PSK */
2d5bc21cSdamien			return IEEE80211_AKM_PSK;
2d5bc21cSdamien		}
c7c53e5eSdamien	} else if (memcmp(selector, IEEE80211_OUI, 3) == 0) {	/* RSN */
c7c53e5eSdamien		/* from IEEE Std 802.11i-2004 - Table 20dc */
c7c53e5eSdamien		switch (selector[3]) {
c7c53e5eSdamien		case 1:	/* IEEE 802.1X (RSNA default) */
c7c53e5eSdamien			return IEEE80211_AKM_8021X;
c7c53e5eSdamien		case 2:	/* PSK */
c7c53e5eSdamien			return IEEE80211_AKM_PSK;
c7c53e5eSdamien		case 5:	/* IEEE 802.1X with SHA256 KDF */
c7c53e5eSdamien			return IEEE80211_AKM_SHA256_8021X;
c7c53e5eSdamien		case 6:	/* PSK with SHA256 KDF */
c7c53e5eSdamien			return IEEE80211_AKM_SHA256_PSK;
c7c53e5eSdamien		}
2d5bc21cSdamien	}
2d5bc21cSdamien	return IEEE80211_AKM_NONE;	/* ignore unknown AKMs */
ab235185Sdamien}
ab235185Sdamien
16b96e48Sdamien/*
90af3bf7Sstsp * Parse an RSN element (see 802.11-2012 8.4.2.27)
fdcb679cSdamien */
fdcb679cSdamienint
e03e709cSdamienieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm,
e03e709cSdamien    u_int len, struct ieee80211_rsnparams *rsn)
fdcb679cSdamien{
fdcb679cSdamien	const u_int8_t *efrm;
fdcb679cSdamien	u_int16_t m, n, s;
fdcb679cSdamien
2d5bc21cSdamien	efrm = frm + len;
fdcb679cSdamien
fdcb679cSdamien	/* check Version field */
fdcb679cSdamien	if (LE_READ_2(frm) != 1)
e03e709cSdamien		return IEEE80211_STATUS_RSN_IE_VER_UNSUP;
fdcb679cSdamien	frm += 2;
fdcb679cSdamien
fdcb679cSdamien	/* all fields after the Version field are optional */
fdcb679cSdamien
fdcb679cSdamien	/* if Cipher Suite missing, default to CCMP */
e03e709cSdamien	rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP;
e03e709cSdamien	rsn->rsn_nciphers = 1;
e03e709cSdamien	rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP;
678831beSjsg	/* if Group Management Cipher Suite missing, default to BIP */
45eec175Sdamien	rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP;
fdcb679cSdamien	/* if AKM Suite missing, default to 802.1X */
e03e709cSdamien	rsn->rsn_nakms = 1;
c7c53e5eSdamien	rsn->rsn_akms = IEEE80211_AKM_8021X;
e03e709cSdamien	/* if RSN capabilities missing, default to 0 */
e03e709cSdamien	rsn->rsn_caps = 0;
f91ff320Sdamien	rsn->rsn_npmkids = 0;
fdcb679cSdamien
db011a80Sdamien	/* read Group Data Cipher Suite field */
fdcb679cSdamien	if (frm + 4 > efrm)
fdcb679cSdamien		return 0;
e03e709cSdamien	rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm);
7fda7cd9Sstsp	if (rsn->rsn_groupcipher == IEEE80211_CIPHER_NONE ||
7fda7cd9Sstsp	    rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP ||
7fda7cd9Sstsp	    rsn->rsn_groupcipher == IEEE80211_CIPHER_BIP)
e03e709cSdamien		return IEEE80211_STATUS_BAD_GROUP_CIPHER;
fdcb679cSdamien	frm += 4;
fdcb679cSdamien
fdcb679cSdamien	/* read Pairwise Cipher Suite Count field */
fdcb679cSdamien	if (frm + 2 > efrm)
fdcb679cSdamien		return 0;
e03e709cSdamien	m = rsn->rsn_nciphers = LE_READ_2(frm);
fdcb679cSdamien	frm += 2;
fdcb679cSdamien
fdcb679cSdamien	/* read Pairwise Cipher Suite List */
fdcb679cSdamien	if (frm + m * 4 > efrm)
e03e709cSdamien		return IEEE80211_STATUS_IE_INVALID;
e03e709cSdamien	rsn->rsn_ciphers = IEEE80211_CIPHER_NONE;
fdcb679cSdamien	while (m-- > 0) {
e03e709cSdamien		rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm);
fdcb679cSdamien		frm += 4;
fdcb679cSdamien	}
e03e709cSdamien	if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) {
e03e709cSdamien		if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP)
e03e709cSdamien			return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER;
e03e709cSdamien		if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP)
e03e709cSdamien			return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER;
fdcb679cSdamien	}
fdcb679cSdamien
fdcb679cSdamien	/* read AKM Suite List Count field */
fdcb679cSdamien	if (frm + 2 > efrm)
fdcb679cSdamien		return 0;
e03e709cSdamien	n = rsn->rsn_nakms = LE_READ_2(frm);
fdcb679cSdamien	frm += 2;
fdcb679cSdamien
fdcb679cSdamien	/* read AKM Suite List */
fdcb679cSdamien	if (frm + n * 4 > efrm)
e03e709cSdamien		return IEEE80211_STATUS_IE_INVALID;
e03e709cSdamien	rsn->rsn_akms = IEEE80211_AKM_NONE;
fdcb679cSdamien	while (n-- > 0) {
e03e709cSdamien		rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm);
fdcb679cSdamien		frm += 4;
fdcb679cSdamien	}
fdcb679cSdamien
fdcb679cSdamien	/* read RSN Capabilities field */
fdcb679cSdamien	if (frm + 2 > efrm)
fdcb679cSdamien		return 0;
e03e709cSdamien	rsn->rsn_caps = LE_READ_2(frm);
fdcb679cSdamien	frm += 2;
fdcb679cSdamien
fdcb679cSdamien	/* read PMKID Count field */
fdcb679cSdamien	if (frm + 2 > efrm)
fdcb679cSdamien		return 0;
f91ff320Sdamien	s = rsn->rsn_npmkids = LE_READ_2(frm);
fdcb679cSdamien	frm += 2;
fdcb679cSdamien
fdcb679cSdamien	/* read PMKID List */
4b3a03eeSdamien	if (frm + s * IEEE80211_PMKID_LEN > efrm)
e03e709cSdamien		return IEEE80211_STATUS_IE_INVALID;
f91ff320Sdamien	if (s != 0) {
f91ff320Sdamien		rsn->rsn_pmkids = frm;
f91ff320Sdamien		frm += s * IEEE80211_PMKID_LEN;
fdcb679cSdamien	}
fdcb679cSdamien
db011a80Sdamien	/* read Group Management Cipher Suite field */
db011a80Sdamien	if (frm + 4 > efrm)
db011a80Sdamien		return 0;
db011a80Sdamien	rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm);
7fda7cd9Sstsp	if (rsn->rsn_groupmgmtcipher != IEEE80211_CIPHER_BIP)
7fda7cd9Sstsp		return IEEE80211_STATUS_BAD_GROUP_CIPHER;
db011a80Sdamien
e03e709cSdamien	return IEEE80211_STATUS_SUCCESS;
fdcb679cSdamien}
fdcb679cSdamien
2d5bc21cSdamienint
e03e709cSdamienieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm,
e03e709cSdamien    struct ieee80211_rsnparams *rsn)
fdcb679cSdamien{
ba53b1fcSdamien	if (frm[1] < 2) {
2d5bc21cSdamien		ic->ic_stats.is_rx_elem_toosmall++;
e03e709cSdamien		return IEEE80211_STATUS_IE_INVALID;
fdcb679cSdamien	}
e03e709cSdamien	return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn);
fdcb679cSdamien}
fdcb679cSdamien
2d5bc21cSdamienint
e03e709cSdamienieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm,
e03e709cSdamien    struct ieee80211_rsnparams *rsn)
fdcb679cSdamien{
ba53b1fcSdamien	if (frm[1] < 6) {
2d5bc21cSdamien		ic->ic_stats.is_rx_elem_toosmall++;
e03e709cSdamien		return IEEE80211_STATUS_IE_INVALID;
fdcb679cSdamien	}
e03e709cSdamien	return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn);
fdcb679cSdamien}
fdcb679cSdamien
b3a42803Sdamien/*
e03e709cSdamien * Create (or update) a copy of an information element.
b3a42803Sdamien */
b3a42803Sdamienint
b3a42803Sdamienieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie)
b3a42803Sdamien{
e93df640Stb	int olen = *ie ? 2 + (*ie)[1] : 0;
e93df640Stb	int len = 2 + frm[1];
e93df640Stb
e93df640Stb	if (*ie == NULL || olen != len) {
b3a42803Sdamien		if (*ie != NULL)
e93df640Stb			free(*ie, M_DEVBUF, olen);
e93df640Stb		*ie = malloc(len, M_DEVBUF, M_NOWAIT);
b3a42803Sdamien		if (*ie == NULL)
b3a42803Sdamien			return ENOMEM;
b3a42803Sdamien	}
e93df640Stb	memcpy(*ie, frm, len);
b3a42803Sdamien	return 0;
b3a42803Sdamien}
b3a42803Sdamien
fdcb679cSdamien/*-
9e9787ffSdamien * Beacon/Probe response frame format:
9e9787ffSdamien * [8]   Timestamp
9e9787ffSdamien * [2]   Beacon interval
5252db7eSdamien * [2]   Capability
5252db7eSdamien * [tlv] Service Set Identifier (SSID)
9e9787ffSdamien * [tlv] Supported rates
45eec175Sdamien * [tlv] DS Parameter Set (802.11g)
9e9787ffSdamien * [tlv] ERP Information (802.11g)
9e9787ffSdamien * [tlv] Extended Supported Rates (802.11g)
fdcb679cSdamien * [tlv] RSN (802.11i)
ab235185Sdamien * [tlv] EDCA Parameter Set (802.11e)
ab235185Sdamien * [tlv] QoS Capability (Beacon only, 802.11e)
45eec175Sdamien * [tlv] HT Capabilities (802.11n)
45eec175Sdamien * [tlv] HT Operation (802.11n)
9e9787ffSdamien */
91b2158bSmillertvoid
ec69e05aSdamienieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m,
b639b680Stobhe    struct ieee80211_node *rni, struct ieee80211_rxinfo *rxi, int isprobe)
91b2158bSmillert{
b639b680Stobhe	struct ieee80211_node *ni;
9e9787ffSdamien	const struct ieee80211_frame *wh;
f22d9adcSdamien	const u_int8_t *frm, *efrm;
7b7ad45cSstsp	const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie, *tim;
50e8fe1cSstsp	const u_int8_t *rsnie, *wpaie, *htcaps, *htop, *vhtcaps, *vhtop;
e63afc57Sdamien	u_int16_t capinfo, bintval;
7b7ad45cSstsp	u_int8_t chan, bchan, erp;
9e9787ffSdamien	int is_new;
91b2158bSmillert
0fd4e251Sreyk	/*
0fd4e251Sreyk	 * We process beacon/probe response frames for:
0fd4e251Sreyk	 *    o station mode: to collect state
0fd4e251Sreyk	 *      updates such as 802.11g slot time and for passive
0fd4e251Sreyk	 *      scanning of APs
0fd4e251Sreyk	 *    o adhoc mode: to discover neighbors
0fd4e251Sreyk	 *    o hostap mode: for passive scanning of neighbor APs
0fd4e251Sreyk	 *    o when scanning
0fd4e251Sreyk	 * In other words, in all modes other than monitor (which
361aed72Sdamien	 * does not process incoming frames) and adhoc-demo (which
0fd4e251Sreyk	 * does not use management frames at all).
0fd4e251Sreyk	 */
0fd4e251Sreyk#ifdef DIAGNOSTIC
0fd4e251Sreyk	if (ic->ic_opmode != IEEE80211_M_STA &&
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
0fd4e251Sreyk	    ic->ic_opmode != IEEE80211_M_IBSS &&
0fd4e251Sreyk	    ic->ic_opmode != IEEE80211_M_HOSTAP &&
171ac09aSdamien#endif
91b2158bSmillert	    ic->ic_state != IEEE80211_S_SCAN) {
0fd4e251Sreyk		panic("%s: impossible operating mode", __func__);
91b2158bSmillert	}
0fd4e251Sreyk#endif
361aed72Sdamien	/* make sure all mandatory fixed fields are present */
ec69e05aSdamien	if (m->m_len < sizeof(*wh) + 12) {
361aed72Sdamien		DPRINTF(("frame too short\n"));
361aed72Sdamien		return;
361aed72Sdamien	}
ec69e05aSdamien	wh = mtod(m, struct ieee80211_frame *);
9e9787ffSdamien	frm = (const u_int8_t *)&wh[1];
ec69e05aSdamien	efrm = mtod(m, u_int8_t *) + m->m_len;
91b2158bSmillert
91b2158bSmillert	tstamp  = frm; frm += 8;
3a65e8c8Sdamien	bintval = LE_READ_2(frm); frm += 2;
3a65e8c8Sdamien	capinfo = LE_READ_2(frm); frm += 2;
fcdd546dSdamien
7b7ad45cSstsp	ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = tim = NULL;
50e8fe1cSstsp	htcaps = htop = vhtcaps = vhtop = NULL;
7307575aSstsp	if (rxi->rxi_chan)
7307575aSstsp		bchan = rxi->rxi_chan;
7307575aSstsp	else
91b2158bSmillert		bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan);
91b2158bSmillert	chan = bchan;
91b2158bSmillert	erp = 0;
df33438bSdamien	while (frm + 2 <= efrm) {
df33438bSdamien		if (frm + 2 + frm[1] > efrm) {
df33438bSdamien			ic->ic_stats.is_rx_elem_toosmall++;
b2985342Sdamien			break;
df33438bSdamien		}
df33438bSdamien		switch (frm[0]) {
91b2158bSmillert		case IEEE80211_ELEMID_SSID:
91b2158bSmillert			ssid = frm;
91b2158bSmillert			break;
91b2158bSmillert		case IEEE80211_ELEMID_RATES:
91b2158bSmillert			rates = frm;
91b2158bSmillert			break;
91b2158bSmillert		case IEEE80211_ELEMID_DSPARMS:
df33438bSdamien			if (frm[1] < 1) {
df33438bSdamien				ic->ic_stats.is_rx_elem_toosmall++;
df33438bSdamien				break;
df33438bSdamien			}
91b2158bSmillert			chan = frm[2];
91b2158bSmillert			break;
91b2158bSmillert		case IEEE80211_ELEMID_XRATES:
91b2158bSmillert			xrates = frm;
91b2158bSmillert			break;
91b2158bSmillert		case IEEE80211_ELEMID_ERP:
df33438bSdamien			if (frm[1] < 1) {
df33438bSdamien				ic->ic_stats.is_rx_elem_toosmall++;
91b2158bSmillert				break;
91b2158bSmillert			}
91b2158bSmillert			erp = frm[2];
91b2158bSmillert			break;
fdcb679cSdamien		case IEEE80211_ELEMID_RSN:
e03e709cSdamien			rsnie = frm;
fdcb679cSdamien			break;
ab235185Sdamien		case IEEE80211_ELEMID_EDCAPARMS:
e03e709cSdamien			edcaie = frm;
ab235185Sdamien			break;
45eec175Sdamien		case IEEE80211_ELEMID_HTCAPS:
45eec175Sdamien			htcaps = frm;
45eec175Sdamien			break;
45eec175Sdamien		case IEEE80211_ELEMID_HTOP:
b5c5cec8Sstsp			if (frm[1] < 22) {
b5c5cec8Sstsp				ic->ic_stats.is_rx_elem_toosmall++;
b5c5cec8Sstsp				break;
b5c5cec8Sstsp			}
45eec175Sdamien			htop = frm;
b5c5cec8Sstsp			chan = frm[2];
45eec175Sdamien			break;
50e8fe1cSstsp		case IEEE80211_ELEMID_VHTCAPS:
50e8fe1cSstsp			vhtcaps = frm;
50e8fe1cSstsp			break;
50e8fe1cSstsp		case IEEE80211_ELEMID_VHTOP:
50e8fe1cSstsp			vhtop = frm;
50e8fe1cSstsp			break;
bacd9707Sstsp		case IEEE80211_ELEMID_TIM:
7b7ad45cSstsp			if (frm[1] < 4) {
7b7ad45cSstsp				ic->ic_stats.is_rx_elem_toosmall++;
7b7ad45cSstsp				break;
bacd9707Sstsp			}
7b7ad45cSstsp			tim = frm;
bacd9707Sstsp			break;
ba56bee9Sdamien		case IEEE80211_ELEMID_VENDOR:
ba56bee9Sdamien			if (frm[1] < 4) {
ba56bee9Sdamien				ic->ic_stats.is_rx_elem_toosmall++;
ba56bee9Sdamien				break;
ba56bee9Sdamien			}
7c7d9786Sdamien			if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) {
4b3a03eeSdamien				if (frm[5] == 1)
e03e709cSdamien					wpaie = frm;
4b3a03eeSdamien				else if (frm[1] >= 5 &&
4b3a03eeSdamien				    frm[5] == 2 && frm[6] == 1)
e03e709cSdamien					wmmie = frm;
ba56bee9Sdamien			}
ba56bee9Sdamien			break;
91b2158bSmillert		}
df33438bSdamien		frm += 2 + frm[1];
91b2158bSmillert	}
fcdd546dSdamien	/* supported rates element is mandatory */
fcdd546dSdamien	if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) {
932b9027Sdamien		DPRINTF(("invalid supported rates element\n"));
fcdd546dSdamien		return;
fcdd546dSdamien	}
fcdd546dSdamien	/* SSID element is mandatory */
fcdd546dSdamien	if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) {
932b9027Sdamien		DPRINTF(("invalid SSID element\n"));
fcdd546dSdamien		return;
fcdd546dSdamien	}
171ac09aSdamien
91b2158bSmillert	if (
91b2158bSmillert#if IEEE80211_CHAN_MAX < 255
91b2158bSmillert	    chan > IEEE80211_CHAN_MAX ||
91b2158bSmillert#endif
ef1d73a0Sstsp	    (isclr(ic->ic_chan_active, chan) &&
ef1d73a0Sstsp	     ((ic->ic_caps & IEEE80211_C_SCANALL) == 0 ||
ef1d73a0Sstsp	     (ic->ic_flags & IEEE80211_F_BGSCAN) == 0))) {
932b9027Sdamien		DPRINTF(("ignore %s with invalid channel %u\n",
932b9027Sdamien		    isprobe ? "probe response" : "beacon", chan));
91b2158bSmillert		ic->ic_stats.is_rx_badchan++;
91b2158bSmillert		return;
91b2158bSmillert	}
7307575aSstsp	if ((rxi->rxi_chan != 0 && chan != rxi->rxi_chan) ||
7307575aSstsp	    ((ic->ic_state != IEEE80211_S_SCAN ||
2c86ad7bSdamien	     !(ic->ic_caps & IEEE80211_C_SCANALL)) &&
7307575aSstsp	    chan != bchan)) {
91b2158bSmillert		/*
91b2158bSmillert		 * Frame was received on a channel different from the
91b2158bSmillert		 * one indicated in the DS params element id;
91b2158bSmillert		 * silently discard it.
91b2158bSmillert		 *
91b2158bSmillert		 * NB: this can happen due to signal leakage.
91b2158bSmillert		 */
932b9027Sdamien		DPRINTF(("ignore %s on channel %u marked for channel %u\n",
932b9027Sdamien		    isprobe ? "probe response" : "beacon", bchan, chan));
91b2158bSmillert		ic->ic_stats.is_rx_chanmismatch++;
91b2158bSmillert		return;
91b2158bSmillert	}
3ce67372Sreyk
91b2158bSmillert#ifdef IEEE80211_DEBUG
1edcfd58Sstsp	if (ieee80211_debug > 1 &&
06e069b5Sstsp	    (ni == NULL || ic->ic_state == IEEE80211_S_SCAN ||
06e069b5Sstsp	    (ic->ic_flags & IEEE80211_F_BGSCAN))) {
91b2158bSmillert		printf("%s: %s%s on chan %u (bss chan %u) ",
91b2158bSmillert		    __func__, (ni == NULL ? "new " : ""),
e03e709cSdamien		    isprobe ? "probe response" : "beacon",
91b2158bSmillert		    chan, bchan);
91b2158bSmillert		ieee80211_print_essid(ssid + 2, ssid[1]);
d813d27eSdamien		printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2));
91b2158bSmillert		printf("%s: caps 0x%x bintval %u erp 0x%x\n",
3a65e8c8Sdamien			__func__, capinfo, bintval, erp);
91b2158bSmillert	}
91b2158bSmillert#endif
3ce67372Sreyk
3ce67372Sreyk	if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) {
91b2158bSmillert		ni = ieee80211_alloc_node(ic, wh->i_addr2);
91b2158bSmillert		if (ni == NULL)
91b2158bSmillert			return;
0fd4e251Sreyk		is_new = 1;
0fd4e251Sreyk	} else
0fd4e251Sreyk		is_new = 0;
0fd4e251Sreyk
7307575aSstsp	ni->ni_chan = &ic->ic_channels[chan];
7307575aSstsp
cb2109bfSstsp	if (htcaps)
cb2109bfSstsp		ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]);
f9214ef6Sstsp	if (htop && !ieee80211_setup_htop(ni, htop + 2, htop[1], 1))
7a831903Sstsp		htop = NULL; /* invalid HTOP */
7307575aSstsp	if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) {
50e8fe1cSstsp		ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]);
50e8fe1cSstsp		if (vhtop && !ieee80211_setup_vhtop(ni, vhtop + 2, vhtop[1], 1))
50e8fe1cSstsp			vhtop = NULL; /* invalid VHTOP */
50e8fe1cSstsp	}
cb2109bfSstsp
7b7ad45cSstsp	if (tim) {
7b7ad45cSstsp		ni->ni_dtimcount = tim[2];
7b7ad45cSstsp		ni->ni_dtimperiod = tim[3];
7b7ad45cSstsp	}
bacd9707Sstsp
1bb78573Sdamien	/*
1bb78573Sdamien	 * When operating in station mode, check for state updates
cb2109bfSstsp	 * while we're associated.
1bb78573Sdamien	 */
1bb78573Sdamien	if (ic->ic_opmode == IEEE80211_M_STA &&
e03e709cSdamien	    ic->ic_state == IEEE80211_S_RUN &&
7ff1e41dSdamien	    ni->ni_state == IEEE80211_STA_BSS) {
09268e1fSstsp		int updateprot = 0;
1bb78573Sdamien		/*
e03e709cSdamien		 * Check if protection mode has changed since last beacon.
1bb78573Sdamien		 */
1bb78573Sdamien		if (ni->ni_erp != erp) {
932b9027Sdamien			DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n",
d813d27eSdamien			    ether_sprintf((u_int8_t *)wh->i_addr2),
d813d27eSdamien			    ni->ni_erp, erp));
a3e15932Sstsp			if ((ic->ic_curmode == IEEE80211_MODE_11G ||
a3e15932Sstsp			    (ic->ic_curmode == IEEE80211_MODE_11N &&
a3e15932Sstsp			    IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) &&
1bb78573Sdamien			    (erp & IEEE80211_ERP_USE_PROTECTION))
1bb78573Sdamien				ic->ic_flags |= IEEE80211_F_USEPROT;
1bb78573Sdamien			else
1bb78573Sdamien				ic->ic_flags &= ~IEEE80211_F_USEPROT;
7ff1e41dSdamien			ic->ic_bss->ni_erp = erp;
09268e1fSstsp			updateprot = 1;
1bb78573Sdamien		}
7a831903Sstsp		if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT)) {
cb2109bfSstsp			enum ieee80211_htprot htprot_last, htprot;
cb2109bfSstsp			htprot_last =
cb2109bfSstsp			    ((ic->ic_bss->ni_htop1 & IEEE80211_HTOP1_PROT_MASK)
cb2109bfSstsp			    >> IEEE80211_HTOP1_PROT_SHIFT);
cb2109bfSstsp			htprot = ((ni->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) >>
cb2109bfSstsp			    IEEE80211_HTOP1_PROT_SHIFT);
cb2109bfSstsp			if (htprot_last != htprot) {
cb2109bfSstsp				DPRINTF(("[%s] htprot change: was %d, now %d\n",
cb2109bfSstsp				    ether_sprintf((u_int8_t *)wh->i_addr2),
cb2109bfSstsp				    htprot_last, htprot));
44fdf27cSstsp				ic->ic_stats.is_ht_prot_change++;
cb2109bfSstsp				ic->ic_bss->ni_htop1 = ni->ni_htop1;
09268e1fSstsp				updateprot = 1;
cb2109bfSstsp			}
cb2109bfSstsp		}
09268e1fSstsp		if (updateprot && ic->ic_updateprot != NULL)
09268e1fSstsp			ic->ic_updateprot(ic);
cb2109bfSstsp
1bb78573Sdamien		/*
88290e74Sstsp		 * Check if 40MHz channel mode has changed since last beacon.
88290e74Sstsp		 */
88290e74Sstsp		if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT) &&
88290e74Sstsp		    (ic->ic_htcaps & IEEE80211_HTCAP_CBW20_40)) {
88290e74Sstsp			uint8_t chw_last, chw, sco_last, sco;
88290e74Sstsp			chw_last = (ic->ic_bss->ni_htop0 & IEEE80211_HTOP0_CHW);
88290e74Sstsp			chw = (ni->ni_htop0 & IEEE80211_HTOP0_CHW);
88290e74Sstsp			sco_last =
88290e74Sstsp			    ((ic->ic_bss->ni_htop0 & IEEE80211_HTOP0_SCO_MASK)
88290e74Sstsp			    >> IEEE80211_HTOP0_SCO_SHIFT);
88290e74Sstsp			sco = ((ni->ni_htop0 & IEEE80211_HTOP0_SCO_MASK) >>
88290e74Sstsp			    IEEE80211_HTOP0_SCO_SHIFT);
88290e74Sstsp			ic->ic_bss->ni_htop0 = ni->ni_htop0;
88290e74Sstsp			if (chw_last != chw || sco_last != sco) {
88290e74Sstsp				if (ic->ic_updatechan != NULL)
88290e74Sstsp					ic->ic_updatechan(ic);
88290e74Sstsp			}
88290e74Sstsp		} else if (htop)
88290e74Sstsp			ic->ic_bss->ni_htop0 = ni->ni_htop0;
88290e74Sstsp
88290e74Sstsp		/*
1bb78573Sdamien		 * Check if AP short slot time setting has changed
1bb78573Sdamien		 * since last beacon and give the driver a chance to
1bb78573Sdamien		 * update the hardware.
1bb78573Sdamien		 */
3a65e8c8Sdamien		if ((ni->ni_capinfo ^ capinfo) &
1bb78573Sdamien		    IEEE80211_CAPINFO_SHORT_SLOTTIME) {
1bb78573Sdamien			ieee80211_set_shortslottime(ic,
1bb78573Sdamien			    ic->ic_curmode == IEEE80211_MODE_11A ||
3a65e8c8Sdamien			    (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
1bb78573Sdamien		}
69759a96Sstsp
7b7ad45cSstsp		if (tim && ic->ic_bss->ni_dtimperiod != ni->ni_dtimperiod) {
7b7ad45cSstsp			ic->ic_bss->ni_dtimperiod = ni->ni_dtimperiod;
7b7ad45cSstsp			ic->ic_bss->ni_dtimcount = ni->ni_dtimcount;
7b7ad45cSstsp
7b7ad45cSstsp			if (ic->ic_updatedtim != NULL)
7b7ad45cSstsp				ic->ic_updatedtim(ic);
7b7ad45cSstsp		}
7b7ad45cSstsp
69759a96Sstsp		/*
69759a96Sstsp		 * Reset management timer. If it is non-zero in RUN state, the
69759a96Sstsp		 * driver sent a probe request after a missed beacon event.
69759a96Sstsp		 * This probe response indicates the AP is still serving us
69759a96Sstsp		 * so don't allow ieee80211_watchdog() to move us into SCAN.
69759a96Sstsp		 */
06e069b5Sstsp		if ((ic->ic_flags & IEEE80211_F_BGSCAN) == 0)
69759a96Sstsp		 	ic->ic_mgt_timer = 0;
1bb78573Sdamien	}
e03e709cSdamien	/*
e03e709cSdamien	 * We do not try to update EDCA parameters if QoS was not negotiated
e03e709cSdamien	 * with the AP at association time.
e03e709cSdamien	 */
ba56bee9Sdamien	if (ni->ni_flags & IEEE80211_NODE_QOS) {
e03e709cSdamien		/* always prefer EDCA IE over Wi-Fi Alliance WMM IE */
7e37070fSstsp		if ((edcaie != NULL &&
7e37070fSstsp		     ieee80211_parse_edca_params(ic, edcaie) == 0) ||
7e37070fSstsp		    (wmmie != NULL &&
7e37070fSstsp		     ieee80211_parse_wmm_params(ic, wmmie) == 0))
7e37070fSstsp			ni->ni_flags |= IEEE80211_NODE_QOS;
7e37070fSstsp		else
7e37070fSstsp			ni->ni_flags &= ~IEEE80211_NODE_QOS;
ba56bee9Sdamien	}
e03e709cSdamien
06e069b5Sstsp	if (ic->ic_state == IEEE80211_S_SCAN ||
06e069b5Sstsp	    (ic->ic_flags & IEEE80211_F_BGSCAN)) {
b2709672Sstsp		struct ieee80211_rsnparams rsn, wpa;
b2709672Sstsp
b2709672Sstsp		ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
b2709672Sstsp		ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE;
b2709672Sstsp		ni->ni_rsnakms = 0;
b2709672Sstsp		ni->ni_supported_rsnakms = 0;
b2709672Sstsp		ni->ni_rsnciphers = 0;
b2709672Sstsp		ni->ni_rsngroupcipher = 0;
b2709672Sstsp		ni->ni_rsngroupmgmtcipher = 0;
b2709672Sstsp		ni->ni_rsncaps = 0;
b2709672Sstsp
b2709672Sstsp		if (rsnie != NULL &&
b2709672Sstsp		    ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) {
b2709672Sstsp			ni->ni_supported_rsnprotos |= IEEE80211_PROTO_RSN;
b2709672Sstsp			ni->ni_supported_rsnakms |= rsn.rsn_akms;
b2709672Sstsp		}
b2709672Sstsp		if (wpaie != NULL &&
b2709672Sstsp		    ieee80211_parse_wpa(ic, wpaie, &wpa) == 0) {
b2709672Sstsp			ni->ni_supported_rsnprotos |= IEEE80211_PROTO_WPA;
b2709672Sstsp			ni->ni_supported_rsnakms |= wpa.rsn_akms;
b2709672Sstsp		}
b2709672Sstsp
e03e709cSdamien		/*
b2709672Sstsp		 * If the AP advertises both WPA and RSN IEs (WPA1+WPA2),
b2709672Sstsp		 * we only use the highest protocol version we support.
e03e709cSdamien		 */
e03e709cSdamien		if (rsnie != NULL &&
b2709672Sstsp		    (ni->ni_supported_rsnprotos & IEEE80211_PROTO_RSN) &&
0deee38cSstsp		    (ic->ic_caps & IEEE80211_C_RSN)) {
12672b37Sstsp			if (ieee80211_save_ie(rsnie, &ni->ni_rsnie) == 0
12672b37Sstsp#ifndef IEEE80211_STA_ONLY
12672b37Sstsp	    		&& ic->ic_opmode != IEEE80211_M_HOSTAP
12672b37Sstsp#endif
12672b37Sstsp			) {
e03e709cSdamien				ni->ni_rsnprotos = IEEE80211_PROTO_RSN;
e03e709cSdamien				ni->ni_rsnakms = rsn.rsn_akms;
e03e709cSdamien				ni->ni_rsnciphers = rsn.rsn_ciphers;
e03e709cSdamien				ni->ni_rsngroupcipher = rsn.rsn_groupcipher;
b2709672Sstsp				ni->ni_rsngroupmgmtcipher =
b2709672Sstsp				    rsn.rsn_groupmgmtcipher;
e03e709cSdamien				ni->ni_rsncaps = rsn.rsn_caps;
b2709672Sstsp			}
b2709672Sstsp		} else if (wpaie != NULL &&
b2709672Sstsp		    (ni->ni_supported_rsnprotos & IEEE80211_PROTO_WPA) &&
0deee38cSstsp		    (ic->ic_caps & IEEE80211_C_RSN)) {
12672b37Sstsp			if (ieee80211_save_ie(wpaie, &ni->ni_rsnie) == 0
12672b37Sstsp#ifndef IEEE80211_STA_ONLY
12672b37Sstsp	    		&& ic->ic_opmode != IEEE80211_M_HOSTAP
12672b37Sstsp#endif
12672b37Sstsp			) {
b2709672Sstsp				ni->ni_rsnprotos = IEEE80211_PROTO_WPA;
b2709672Sstsp				ni->ni_rsnakms = wpa.rsn_akms;
b2709672Sstsp				ni->ni_rsnciphers = wpa.rsn_ciphers;
b2709672Sstsp				ni->ni_rsngroupcipher = wpa.rsn_groupcipher;
b2709672Sstsp				ni->ni_rsngroupmgmtcipher =
b2709672Sstsp				    wpa.rsn_groupmgmtcipher;
b2709672Sstsp				ni->ni_rsncaps = wpa.rsn_caps;
b2709672Sstsp			}
b2709672Sstsp		}
a3353d28Sstsp	}
e03e709cSdamien
7c94704cSstsp	/*
7c94704cSstsp	 * Set our SSID if we do not know it yet.
7c94704cSstsp	 * If we are doing a directed scan for an AP with a hidden SSID
7c94704cSstsp	 * we must collect the SSID from a probe response to override
7c94704cSstsp	 * a non-zero-length SSID filled with zeroes that we may have
7c94704cSstsp	 * received earlier in a beacon.
7c94704cSstsp	 */
466498d2Sstsp	if (ssid[1] != 0 && ni->ni_essid[0] == '\0') {
91b2158bSmillert		ni->ni_esslen = ssid[1];
91b2158bSmillert		memset(ni->ni_essid, 0, sizeof(ni->ni_essid));
2c86ad7bSdamien		/* we know that ssid[1] <= IEEE80211_NWID_LEN */
2c86ad7bSdamien		memcpy(ni->ni_essid, &ssid[2], ssid[1]);
0fd4e251Sreyk	}
91b2158bSmillert	IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3);
0981e7bcSstsp	if (ic->ic_state == IEEE80211_S_SCAN &&
0981e7bcSstsp	    IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) {
0981e7bcSstsp		/*
0981e7bcSstsp		 * During a scan on 5Ghz, prefer RSSI measured for probe
0981e7bcSstsp		 * response frames. i.e. don't allow beacons to lower the
0981e7bcSstsp		 * measured RSSI. Some 5GHz APs send beacons with much
0981e7bcSstsp		 * less Tx power than they use for probe responses.
0981e7bcSstsp		 */
14e9f9eeSpatrick		if (isprobe || ni->ni_rssi == 0)
0981e7bcSstsp			ni->ni_rssi = rxi->rxi_rssi;
0981e7bcSstsp		else if (ni->ni_rssi < rxi->rxi_rssi)
0981e7bcSstsp			ni->ni_rssi = rxi->rxi_rssi;
0981e7bcSstsp	} else
30d05aacSdamien		ni->ni_rssi = rxi->rxi_rssi;
30d05aacSdamien	ni->ni_rstamp = rxi->rxi_tstamp;
91b2158bSmillert	memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp));
3a65e8c8Sdamien	ni->ni_intval = bintval;
3a65e8c8Sdamien	ni->ni_capinfo = capinfo;
91b2158bSmillert	ni->ni_erp = erp;
91b2158bSmillert	/* NB: must be after ni_chan is setup */
9e9787ffSdamien	ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT);
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
9f0d6530Sstsp	if (ic->ic_opmode == IEEE80211_M_IBSS && is_new && isprobe) {
91b2158bSmillert		/*
a671ffa0Sguenther		 * Fake an association so the driver can setup its
91b2158bSmillert		 * private state.  The rate set has been setup above;
91b2158bSmillert		 * there is no handshake as in ap/station operation.
91b2158bSmillert		 */
91b2158bSmillert		if (ic->ic_newassoc)
91b2158bSmillert			(*ic->ic_newassoc)(ic, ni, 1);
91b2158bSmillert	}
9f0d6530Sstsp#endif
91b2158bSmillert}
91b2158bSmillert
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
9e9787ffSdamien/*-
9e9787ffSdamien * Probe request frame format:
9e9787ffSdamien * [tlv] SSID
9e9787ffSdamien * [tlv] Supported rates
9e9787ffSdamien * [tlv] Extended Supported Rates (802.11g)
45eec175Sdamien * [tlv] HT Capabilities (802.11n)
9e9787ffSdamien */
9e9787ffSdamienvoid
ec69e05aSdamienieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m,
30d05aacSdamien    struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi)
9e9787ffSdamien{
9e9787ffSdamien	const struct ieee80211_frame *wh;
9e9787ffSdamien	const u_int8_t *frm, *efrm;
50e8fe1cSstsp	const u_int8_t *ssid, *rates, *xrates, *htcaps, *vhtcaps;
91b2158bSmillert	u_int8_t rate;
91b2158bSmillert
1bb78573Sdamien	if (ic->ic_opmode == IEEE80211_M_STA ||
1bb78573Sdamien	    ic->ic_state != IEEE80211_S_RUN)
91b2158bSmillert		return;
91b2158bSmillert
ec69e05aSdamien	wh = mtod(m, struct ieee80211_frame *);
9e9787ffSdamien	frm = (const u_int8_t *)&wh[1];
ec69e05aSdamien	efrm = mtod(m, u_int8_t *) + m->m_len;
9e9787ffSdamien
50e8fe1cSstsp	ssid = rates = xrates = htcaps = vhtcaps = NULL;
df33438bSdamien	while (frm + 2 <= efrm) {
df33438bSdamien		if (frm + 2 + frm[1] > efrm) {
df33438bSdamien			ic->ic_stats.is_rx_elem_toosmall++;
b2985342Sdamien			break;
df33438bSdamien		}
df33438bSdamien		switch (frm[0]) {
91b2158bSmillert		case IEEE80211_ELEMID_SSID:
91b2158bSmillert			ssid = frm;
91b2158bSmillert			break;
91b2158bSmillert		case IEEE80211_ELEMID_RATES:
91b2158bSmillert			rates = frm;
91b2158bSmillert			break;
91b2158bSmillert		case IEEE80211_ELEMID_XRATES:
91b2158bSmillert			xrates = frm;
91b2158bSmillert			break;
45eec175Sdamien		case IEEE80211_ELEMID_HTCAPS:
45eec175Sdamien			htcaps = frm;
45eec175Sdamien			break;
50e8fe1cSstsp		case IEEE80211_ELEMID_VHTCAPS:
50e8fe1cSstsp			vhtcaps = frm;
50e8fe1cSstsp			break;
91b2158bSmillert		}
df33438bSdamien		frm += 2 + frm[1];
91b2158bSmillert	}
fcdd546dSdamien	/* supported rates element is mandatory */
fcdd546dSdamien	if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) {
932b9027Sdamien		DPRINTF(("invalid supported rates element\n"));
fcdd546dSdamien		return;
fcdd546dSdamien	}
fcdd546dSdamien	/* SSID element is mandatory */
fcdd546dSdamien	if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) {
932b9027Sdamien		DPRINTF(("invalid SSID element\n"));
fcdd546dSdamien		return;
fcdd546dSdamien	}
fcdd546dSdamien	/* check that the specified SSID (if not wildcard) matches ours */
2c86ad7bSdamien	if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen ||
2c86ad7bSdamien	    memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) {
932b9027Sdamien		DPRINTF(("SSID mismatch\n"));
fcdd546dSdamien		ic->ic_stats.is_rx_ssidmismatch++;
fcdd546dSdamien		return;
fcdd546dSdamien	}
fcdd546dSdamien	/* refuse wildcard SSID if we're hiding our SSID in beacons */
eb9f82c0Sstsp	if (ssid[1] == 0 && (ic->ic_userflags & IEEE80211_F_HIDENWID)) {
932b9027Sdamien		DPRINTF(("wildcard SSID rejected"));
75175d43Sreyk		ic->ic_stats.is_rx_ssidmismatch++;
75175d43Sreyk		return;
75175d43Sreyk	}
91b2158bSmillert
91b2158bSmillert	if (ni == ic->ic_bss) {
d4dcdec6Sstsp		ni = ieee80211_find_node(ic, wh->i_addr2);
d4dcdec6Sstsp		if (ni == NULL)
91b2158bSmillert			ni = ieee80211_dup_bss(ic, wh->i_addr2);
91b2158bSmillert		if (ni == NULL)
91b2158bSmillert			return;
932b9027Sdamien		DPRINTF(("new probe req from %s\n",
932b9027Sdamien		    ether_sprintf((u_int8_t *)wh->i_addr2)));
0fd4e251Sreyk	}
30d05aacSdamien	ni->ni_rssi = rxi->rxi_rssi;
30d05aacSdamien	ni->ni_rstamp = rxi->rxi_tstamp;
91b2158bSmillert	rate = ieee80211_setup_rates(ic, ni, rates, xrates,
16b96e48Sdamien	    IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO |
16b96e48Sdamien	    IEEE80211_F_DODEL);
91b2158bSmillert	if (rate & IEEE80211_RATE_BASIC) {
932b9027Sdamien		DPRINTF(("rate mismatch for %s\n",
932b9027Sdamien		    ether_sprintf((u_int8_t *)wh->i_addr2)));
e03e709cSdamien		return;
91b2158bSmillert	}
fe8f5243Sstsp	if (htcaps)
fe8f5243Sstsp		ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]);
2040b0e1Sstsp	else
2040b0e1Sstsp		ieee80211_clear_htcaps(ni);
50e8fe1cSstsp	if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ic->ic_bss->ni_chan))
50e8fe1cSstsp		ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]);
50e8fe1cSstsp	else
50e8fe1cSstsp		ieee80211_clear_vhtcaps(ni);
e03e709cSdamien	IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0);
91b2158bSmillert}
171ac09aSdamien#endif	/* IEEE80211_STA_ONLY */
91b2158bSmillert
9e9787ffSdamien/*-
9e9787ffSdamien * Authentication frame format:
9e9787ffSdamien * [2] Authentication algorithm number
9e9787ffSdamien * [2] Authentication transaction sequence number
9e9787ffSdamien * [2] Status code
91b2158bSmillert */
9e9787ffSdamienvoid
ec69e05aSdamienieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m,
30d05aacSdamien    struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi)
9e9787ffSdamien{
9e9787ffSdamien	const struct ieee80211_frame *wh;
361aed72Sdamien	const u_int8_t *frm;
9e9787ffSdamien	u_int16_t algo, seq, status;
9e9787ffSdamien
fcdd546dSdamien	/* make sure all mandatory fixed fields are present */
ec69e05aSdamien	if (m->m_len < sizeof(*wh) + 6) {
932b9027Sdamien		DPRINTF(("frame too short\n"));
fcdd546dSdamien		return;
fcdd546dSdamien	}
ec69e05aSdamien	wh = mtod(m, struct ieee80211_frame *);
361aed72Sdamien	frm = (const u_int8_t *)&wh[1];
361aed72Sdamien
5252db7eSdamien	algo   = LE_READ_2(frm); frm += 2;
5252db7eSdamien	seq    = LE_READ_2(frm); frm += 2;
5252db7eSdamien	status = LE_READ_2(frm); frm += 2;
932b9027Sdamien	DPRINTF(("auth %d seq %d from %s\n", algo, seq,
932b9027Sdamien	    ether_sprintf((u_int8_t *)wh->i_addr2)));
91b2158bSmillert
fcdd546dSdamien	/* only "open" auth mode is supported */
fcdd546dSdamien	if (algo != IEEE80211_AUTH_ALG_OPEN) {
932b9027Sdamien		DPRINTF(("unsupported auth algorithm %d from %s\n",
932b9027Sdamien		    algo, ether_sprintf((u_int8_t *)wh->i_addr2)));
91b2158bSmillert		ic->ic_stats.is_rx_auth_unsupported++;
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
8490403bSmillert		if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
8490403bSmillert			/* XXX hack to workaround calling convention */
8490403bSmillert			IEEE80211_SEND_MGMT(ic, ni,
8490403bSmillert			    IEEE80211_FC0_SUBTYPE_AUTH,
01c40890Sstsp			    IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xfff));
8490403bSmillert		}
171ac09aSdamien#endif
fcdd546dSdamien		return;
91b2158bSmillert	}
30d05aacSdamien	ieee80211_auth_open(ic, wh, ni, rxi, seq, status);
91b2158bSmillert}
91b2158bSmillert
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
9e9787ffSdamien/*-
9e9787ffSdamien * (Re)Association request frame format:
9e9787ffSdamien * [2]   Capability information
9e9787ffSdamien * [2]   Listen interval
9e9787ffSdamien * [6*]  Current AP address (Reassociation only)
9e9787ffSdamien * [tlv] SSID
9e9787ffSdamien * [tlv] Supported rates
9e9787ffSdamien * [tlv] Extended Supported Rates (802.11g)
fdcb679cSdamien * [tlv] RSN (802.11i)
ab235185Sdamien * [tlv] QoS Capability (802.11e)
45eec175Sdamien * [tlv] HT Capabilities (802.11n)
9e9787ffSdamien */
9e9787ffSdamienvoid
ec69e05aSdamienieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m,
30d05aacSdamien    struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc)
9e9787ffSdamien{
9e9787ffSdamien	const struct ieee80211_frame *wh;
9e9787ffSdamien	const u_int8_t *frm, *efrm;
50e8fe1cSstsp	const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *wmeie;
50e8fe1cSstsp	const u_int8_t *htcaps, *vhtcaps;
91b2158bSmillert	u_int16_t capinfo, bintval;
e03e709cSdamien	int resp, status = 0;
e03e709cSdamien	struct ieee80211_rsnparams rsn;
16b96e48Sdamien	u_int8_t rate;
12672b37Sstsp	const u_int8_t *saveie = NULL;
91b2158bSmillert
91b2158bSmillert	if (ic->ic_opmode != IEEE80211_M_HOSTAP ||
1bb78573Sdamien	    ic->ic_state != IEEE80211_S_RUN)
91b2158bSmillert		return;
91b2158bSmillert
361aed72Sdamien	/* make sure all mandatory fixed fields are present */
ec69e05aSdamien	if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) {
361aed72Sdamien		DPRINTF(("frame too short\n"));
361aed72Sdamien		return;
361aed72Sdamien	}
ec69e05aSdamien	wh = mtod(m, struct ieee80211_frame *);
9e9787ffSdamien	frm = (const u_int8_t *)&wh[1];
ec69e05aSdamien	efrm = mtod(m, u_int8_t *) + m->m_len;
9e9787ffSdamien
91b2158bSmillert	if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) {
932b9027Sdamien		DPRINTF(("ignore other bss from %s\n",
932b9027Sdamien		    ether_sprintf((u_int8_t *)wh->i_addr2)));
91b2158bSmillert		ic->ic_stats.is_rx_assoc_bss++;
91b2158bSmillert		return;
91b2158bSmillert	}
5252db7eSdamien	capinfo = LE_READ_2(frm); frm += 2;
5252db7eSdamien	bintval = LE_READ_2(frm); frm += 2;
45eec175Sdamien	if (reassoc) {
5252db7eSdamien		frm += IEEE80211_ADDR_LEN;	/* skip current AP address */
45eec175Sdamien		resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
45eec175Sdamien	} else
45eec175Sdamien		resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
fcdd546dSdamien
50e8fe1cSstsp	ssid = rates = xrates = rsnie = wpaie = wmeie = htcaps = vhtcaps = NULL;
df33438bSdamien	while (frm + 2 <= efrm) {
df33438bSdamien		if (frm + 2 + frm[1] > efrm) {
df33438bSdamien			ic->ic_stats.is_rx_elem_toosmall++;
b2985342Sdamien			break;
df33438bSdamien		}
df33438bSdamien		switch (frm[0]) {
91b2158bSmillert		case IEEE80211_ELEMID_SSID:
91b2158bSmillert			ssid = frm;
91b2158bSmillert			break;
91b2158bSmillert		case IEEE80211_ELEMID_RATES:
91b2158bSmillert			rates = frm;
91b2158bSmillert			break;
91b2158bSmillert		case IEEE80211_ELEMID_XRATES:
91b2158bSmillert			xrates = frm;
91b2158bSmillert			break;
fdcb679cSdamien		case IEEE80211_ELEMID_RSN:
e03e709cSdamien			rsnie = frm;
fdcb679cSdamien			break;
ab235185Sdamien		case IEEE80211_ELEMID_QOS_CAP:
ab235185Sdamien			break;
45eec175Sdamien		case IEEE80211_ELEMID_HTCAPS:
45eec175Sdamien			htcaps = frm;
45eec175Sdamien			break;
50e8fe1cSstsp		case IEEE80211_ELEMID_VHTCAPS:
50e8fe1cSstsp			vhtcaps = frm;
50e8fe1cSstsp			break;
4b3a03eeSdamien		case IEEE80211_ELEMID_VENDOR:
4b3a03eeSdamien			if (frm[1] < 4) {
4b3a03eeSdamien				ic->ic_stats.is_rx_elem_toosmall++;
4b3a03eeSdamien				break;
4b3a03eeSdamien			}
4b3a03eeSdamien			if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) {
4b3a03eeSdamien				if (frm[5] == 1)
e03e709cSdamien					wpaie = frm;
aefc44daSstsp				/* WME info IE: len=7 type=2 subtype=0 */
aefc44daSstsp				if (frm[1] == 7 && frm[5] == 2 && frm[6] == 0)
aefc44daSstsp					wmeie = frm;
4b3a03eeSdamien			}
4b3a03eeSdamien			break;
91b2158bSmillert		}
df33438bSdamien		frm += 2 + frm[1];
91b2158bSmillert	}
fcdd546dSdamien	/* supported rates element is mandatory */
fcdd546dSdamien	if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) {
932b9027Sdamien		DPRINTF(("invalid supported rates element\n"));
fcdd546dSdamien		return;
fcdd546dSdamien	}
fcdd546dSdamien	/* SSID element is mandatory */
fcdd546dSdamien	if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) {
932b9027Sdamien		DPRINTF(("invalid SSID element\n"));
fcdd546dSdamien		return;
fcdd546dSdamien	}
e26cab71Sdamien	/* check that the specified SSID matches ours */
2c86ad7bSdamien	if (ssid[1] != ic->ic_bss->ni_esslen ||
2c86ad7bSdamien	    memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) {
932b9027Sdamien		DPRINTF(("SSID mismatch\n"));
fcdd546dSdamien		ic->ic_stats.is_rx_ssidmismatch++;
fcdd546dSdamien		return;
fcdd546dSdamien	}
fcdd546dSdamien
0fd4e251Sreyk	if (ni->ni_state != IEEE80211_STA_AUTH &&
0fd4e251Sreyk	    ni->ni_state != IEEE80211_STA_ASSOC) {
932b9027Sdamien		DPRINTF(("deny %sassoc from %s, not authenticated\n",
932b9027Sdamien		    reassoc ? "re" : "",
d813d27eSdamien		    ether_sprintf((u_int8_t *)wh->i_addr2)));
d4dcdec6Sstsp		ni = ieee80211_find_node(ic, wh->i_addr2);
d4dcdec6Sstsp		if (ni == NULL)
91b2158bSmillert			ni = ieee80211_dup_bss(ic, wh->i_addr2);
91b2158bSmillert		if (ni != NULL) {
91b2158bSmillert			IEEE80211_SEND_MGMT(ic, ni,
91b2158bSmillert			    IEEE80211_FC0_SUBTYPE_DEAUTH,
91b2158bSmillert			    IEEE80211_REASON_ASSOC_NOT_AUTHED);
91b2158bSmillert		}
91b2158bSmillert		ic->ic_stats.is_rx_assoc_notauth++;
91b2158bSmillert		return;
91b2158bSmillert	}
e03e709cSdamien
45eec175Sdamien	if (ni->ni_state == IEEE80211_STA_ASSOC &&
45eec175Sdamien	    (ni->ni_flags & IEEE80211_NODE_MFP)) {
45eec175Sdamien		if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) {
45eec175Sdamien			/* send a protected Disassociate frame */
45eec175Sdamien			IEEE80211_SEND_MGMT(ic, ni,
45eec175Sdamien			    IEEE80211_FC0_SUBTYPE_DISASSOC,
45eec175Sdamien			    IEEE80211_REASON_AUTH_EXPIRE);
45eec175Sdamien			/* terminate the old SA */
45eec175Sdamien			ieee80211_node_leave(ic, ni);
45eec175Sdamien		} else {
45eec175Sdamien			/* reject the (Re)Association Request temporarily */
45eec175Sdamien			IEEE80211_SEND_MGMT(ic, ni, resp,
45eec175Sdamien			    IEEE80211_STATUS_TRY_AGAIN_LATER);
45eec175Sdamien			/* start SA Query procedure if not already engaged */
45eec175Sdamien			if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY))
45eec175Sdamien				ieee80211_sa_query_request(ic, ni);
45eec175Sdamien			/* do not modify association state */
45eec175Sdamien		}
45eec175Sdamien		return;
45eec175Sdamien	}
45eec175Sdamien
9ff893c9Sdamien	if (!(capinfo & IEEE80211_CAPINFO_ESS)) {
91b2158bSmillert		ic->ic_stats.is_rx_assoc_capmismatch++;
e03e709cSdamien		status = IEEE80211_STATUS_CAPINFO;
e03e709cSdamien		goto end;
91b2158bSmillert	}
16b96e48Sdamien	rate = ieee80211_setup_rates(ic, ni, rates, xrates,
16b96e48Sdamien	    IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO |
16b96e48Sdamien	    IEEE80211_F_DODEL);
16b96e48Sdamien	if (rate & IEEE80211_RATE_BASIC) {
91b2158bSmillert		ic->ic_stats.is_rx_assoc_norate++;
e03e709cSdamien		status = IEEE80211_STATUS_BASIC_RATE;
e03e709cSdamien		goto end;
91b2158bSmillert	}
e03e709cSdamien
b2709672Sstsp	ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
b2709672Sstsp	ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE;
b2709672Sstsp	ni->ni_rsnakms = 0;
b2709672Sstsp	ni->ni_supported_rsnakms = 0;
b2709672Sstsp	ni->ni_rsnciphers = 0;
b2709672Sstsp	ni->ni_rsngroupcipher = 0;
b2709672Sstsp	ni->ni_rsngroupmgmtcipher = 0;
b2709672Sstsp	ni->ni_rsncaps = 0;
b2709672Sstsp
e03e709cSdamien	/*
e03e709cSdamien	 * A station should never include both a WPA and an RSN IE
e03e709cSdamien	 * in its (Re)Association Requests, but if it does, we only
e03e709cSdamien	 * consider the IE of the highest version of the protocol
e03e709cSdamien	 * that is allowed (ie RSN over WPA).
e03e709cSdamien	 */
12672b37Sstsp	if (rsnie != NULL) {
e03e709cSdamien		status = ieee80211_parse_rsn(ic, rsnie, &rsn);
e03e709cSdamien		if (status != 0)
e03e709cSdamien			goto end;
b2709672Sstsp		ni->ni_supported_rsnprotos = IEEE80211_PROTO_RSN;
12672b37Sstsp		ni->ni_supported_rsnakms = rsn.rsn_akms;
12672b37Sstsp		if ((ic->ic_flags & IEEE80211_F_RSNON) &&
12672b37Sstsp		    (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) {
12672b37Sstsp			ni->ni_rsnprotos = IEEE80211_PROTO_RSN;
e03e709cSdamien			saveie = rsnie;
12672b37Sstsp		}
12672b37Sstsp	} else if (wpaie != NULL) {
e03e709cSdamien		status = ieee80211_parse_wpa(ic, wpaie, &rsn);
e03e709cSdamien		if (status != 0)
e03e709cSdamien			goto end;
b2709672Sstsp		ni->ni_supported_rsnprotos = IEEE80211_PROTO_WPA;
12672b37Sstsp		ni->ni_supported_rsnakms = rsn.rsn_akms;
12672b37Sstsp		if ((ic->ic_flags & IEEE80211_F_RSNON) &&
12672b37Sstsp		    (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) {
12672b37Sstsp			ni->ni_rsnprotos = IEEE80211_PROTO_WPA;
e03e709cSdamien			saveie = wpaie;
12672b37Sstsp		}
12672b37Sstsp	}
12672b37Sstsp
aefc44daSstsp	if (ic->ic_flags & IEEE80211_F_QOS) {
aefc44daSstsp		if (wmeie != NULL)
aefc44daSstsp			ni->ni_flags |= IEEE80211_NODE_QOS;
aefc44daSstsp		else	/* for Reassociation */
aefc44daSstsp			ni->ni_flags &= ~IEEE80211_NODE_QOS;
aefc44daSstsp	}
aefc44daSstsp
12672b37Sstsp	if (ic->ic_flags & IEEE80211_F_RSNON) {
12672b37Sstsp		if (ni->ni_rsnprotos == IEEE80211_PROTO_NONE) {
e03e709cSdamien			/*
e03e709cSdamien			 * In an RSN, an AP shall not associate with STAs
e03e709cSdamien			 * that fail to include the RSN IE in the
e03e709cSdamien			 * (Re)Association Request.
e03e709cSdamien			 */
e03e709cSdamien			status = IEEE80211_STATUS_IE_INVALID;
e03e709cSdamien			goto end;
e03e709cSdamien		}
e03e709cSdamien		/*
e03e709cSdamien		 * The initiating STA's RSN IE shall include one authentication
e03e709cSdamien		 * and pairwise cipher suite among those advertised by the
e03e709cSdamien		 * targeted AP.  It shall also specify the group cipher suite
e03e709cSdamien		 * specified by the targeted AP.
e03e709cSdamien		 */
e03e709cSdamien		if (rsn.rsn_nakms != 1 ||
e03e709cSdamien		    !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) {
e03e709cSdamien			status = IEEE80211_STATUS_BAD_AKMP;
12672b37Sstsp			ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
e03e709cSdamien			goto end;
e03e709cSdamien		}
e03e709cSdamien		if (rsn.rsn_nciphers != 1 ||
e03e709cSdamien		    !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) {
e03e709cSdamien			status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER;
12672b37Sstsp			ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
e03e709cSdamien			goto end;
e03e709cSdamien		}
e03e709cSdamien		if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) {
e03e709cSdamien			status = IEEE80211_STATUS_BAD_GROUP_CIPHER;
12672b37Sstsp			ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
e03e709cSdamien			goto end;
e03e709cSdamien		}
db011a80Sdamien
45eec175Sdamien		if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) &&
45eec175Sdamien		    !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) {
45eec175Sdamien			status = IEEE80211_STATUS_MFP_POLICY;
12672b37Sstsp			ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
db011a80Sdamien			goto end;
db011a80Sdamien		}
db011a80Sdamien		if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) &&
db011a80Sdamien		    (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC |
db011a80Sdamien		     IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) {
db011a80Sdamien			/* STA advertises an invalid setting */
45eec175Sdamien			status = IEEE80211_STATUS_MFP_POLICY;
12672b37Sstsp			ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
db011a80Sdamien			goto end;
db011a80Sdamien		}
45eec175Sdamien		/*
45eec175Sdamien		 * A STA that has associated with Management Frame Protection
45eec175Sdamien		 * enabled shall not use cipher suite pairwise selector WEP40,
45eec175Sdamien		 * WEP104, TKIP, or "Use Group cipher suite".
45eec175Sdamien		 */
db011a80Sdamien		if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) &&
45eec175Sdamien		    (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP ||
db011a80Sdamien		     rsn.rsn_groupmgmtcipher !=
45eec175Sdamien		     ic->ic_bss->ni_rsngroupmgmtcipher)) {
45eec175Sdamien			status = IEEE80211_STATUS_MFP_POLICY;
12672b37Sstsp			ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
db011a80Sdamien			goto end;
db011a80Sdamien		}
db011a80Sdamien
e03e709cSdamien		/*
e03e709cSdamien		 * Disallow new associations using TKIP if countermeasures
e03e709cSdamien		 * are active.
e03e709cSdamien		 */
e03e709cSdamien		if ((ic->ic_flags & IEEE80211_F_COUNTERM) &&
e03e709cSdamien		    (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP ||
e03e709cSdamien		     rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) {
e03e709cSdamien			status = IEEE80211_STATUS_CIPHER_REJ_POLICY;
12672b37Sstsp			ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
e03e709cSdamien			goto end;
e03e709cSdamien		}
e03e709cSdamien
e03e709cSdamien		/* everything looks fine, save IE and parameters */
12672b37Sstsp		if (saveie == NULL ||
12672b37Sstsp		    ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) {
e03e709cSdamien			status = IEEE80211_STATUS_TOOMANY;
12672b37Sstsp			ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
e03e709cSdamien			goto end;
e03e709cSdamien		}
e03e709cSdamien		ni->ni_rsnakms = rsn.rsn_akms;
e03e709cSdamien		ni->ni_rsnciphers = rsn.rsn_ciphers;
e03e709cSdamien		ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher;
7afadc6eSdamien		ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher;
e03e709cSdamien		ni->ni_rsncaps = rsn.rsn_caps;
f91ff320Sdamien
f91ff320Sdamien		if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) {
f91ff320Sdamien			struct ieee80211_pmk *pmk = NULL;
f91ff320Sdamien			const u_int8_t *pmkid = rsn.rsn_pmkids;
f91ff320Sdamien			/*
f91ff320Sdamien			 * Check if we have a cached PMK entry matching one
f91ff320Sdamien			 * of the PMKIDs specified in the RSN IE.
f91ff320Sdamien			 */
f91ff320Sdamien			while (rsn.rsn_npmkids-- > 0) {
f91ff320Sdamien				pmk = ieee80211_pmksa_find(ic, ni, pmkid);
f91ff320Sdamien				if (pmk != NULL)
f91ff320Sdamien					break;
f91ff320Sdamien				pmkid += IEEE80211_PMKID_LEN;
f91ff320Sdamien			}
f91ff320Sdamien			if (pmk != NULL) {
f91ff320Sdamien				memcpy(ni->ni_pmk, pmk->pmk_key,
f91ff320Sdamien				    IEEE80211_PMK_LEN);
f91ff320Sdamien				memcpy(ni->ni_pmkid, pmk->pmk_pmkid,
f91ff320Sdamien				    IEEE80211_PMKID_LEN);
f91ff320Sdamien				ni->ni_flags |= IEEE80211_NODE_PMK;
f91ff320Sdamien			}
f91ff320Sdamien		}
b2709672Sstsp	}
e03e709cSdamien
30d05aacSdamien	ni->ni_rssi = rxi->rxi_rssi;
30d05aacSdamien	ni->ni_rstamp = rxi->rxi_tstamp;
91b2158bSmillert	ni->ni_intval = bintval;
91b2158bSmillert	ni->ni_capinfo = capinfo;
91b2158bSmillert	ni->ni_chan = ic->ic_bss->ni_chan;
fe8f5243Sstsp	if (htcaps)
fe8f5243Sstsp		ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]);
2040b0e1Sstsp	else
2040b0e1Sstsp		ieee80211_clear_htcaps(ni);
50e8fe1cSstsp	if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ic->ic_bss->ni_chan))
50e8fe1cSstsp		ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]);
50e8fe1cSstsp	else
50e8fe1cSstsp		ieee80211_clear_vhtcaps(ni);
e03e709cSdamien end:
962c982dSdamien	if (status != 0) {
e03e709cSdamien		IEEE80211_SEND_MGMT(ic, ni, resp, status);
e03e709cSdamien		ieee80211_node_leave(ic, ni);
e03e709cSdamien	} else
0fd4e251Sreyk		ieee80211_node_join(ic, ni, resp);
91b2158bSmillert}
171ac09aSdamien#endif	/* IEEE80211_STA_ONLY */
91b2158bSmillert
9e9787ffSdamien/*-
9e9787ffSdamien * (Re)Association response frame format:
9e9787ffSdamien * [2]   Capability information
9e9787ffSdamien * [2]   Status code
9e9787ffSdamien * [2]   Association ID (AID)
9e9787ffSdamien * [tlv] Supported rates
9e9787ffSdamien * [tlv] Extended Supported Rates (802.11g)
ab235185Sdamien * [tlv] EDCA Parameter Set (802.11e)
45eec175Sdamien * [tlv] HT Capabilities (802.11n)
45eec175Sdamien * [tlv] HT Operation (802.11n)
9e9787ffSdamien */
9e9787ffSdamienvoid
ec69e05aSdamienieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m,
e03e709cSdamien    struct ieee80211_node *ni, int reassoc)
9e9787ffSdamien{
9e9787ffSdamien	struct ifnet *ifp = &ic->ic_if;
9e9787ffSdamien	const struct ieee80211_frame *wh;
9e9787ffSdamien	const u_int8_t *frm, *efrm;
45eec175Sdamien	const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop;
50e8fe1cSstsp	const u_int8_t *vhtcaps, *vhtop;
c890af98Sdamien	u_int16_t capinfo, status, associd;
16b96e48Sdamien	u_int8_t rate;
91b2158bSmillert
91b2158bSmillert	if (ic->ic_opmode != IEEE80211_M_STA ||
0fd4e251Sreyk	    ic->ic_state != IEEE80211_S_ASSOC) {
0fd4e251Sreyk		ic->ic_stats.is_rx_mgtdiscard++;
91b2158bSmillert		return;
0fd4e251Sreyk	}
91b2158bSmillert
361aed72Sdamien	/* make sure all mandatory fixed fields are present */
ec69e05aSdamien	if (m->m_len < sizeof(*wh) + 6) {
962c982dSdamien		DPRINTF(("frame too short\n"));
361aed72Sdamien		return;
361aed72Sdamien	}
ec69e05aSdamien	wh = mtod(m, struct ieee80211_frame *);
9e9787ffSdamien	frm = (const u_int8_t *)&wh[1];
ec69e05aSdamien	efrm = mtod(m, u_int8_t *) + m->m_len;
9e9787ffSdamien
c890af98Sdamien	capinfo = LE_READ_2(frm); frm += 2;
c890af98Sdamien	status =  LE_READ_2(frm); frm += 2;
fcdd546dSdamien	if (status != IEEE80211_STATUS_SUCCESS) {
91b2158bSmillert		if (ifp->if_flags & IFF_DEBUG)
a0981291Sdamien			printf("%s: %sassociation failed (status %d)"
a0068c42Sjsg			    " for %s\n", ifp->if_xname,
e03e709cSdamien			    reassoc ?  "re" : "",
9e9787ffSdamien			    status, ether_sprintf((u_int8_t *)wh->i_addr3));
91b2158bSmillert		if (ni != ic->ic_bss)
91b2158bSmillert			ni->ni_fails++;
91b2158bSmillert		ic->ic_stats.is_rx_auth_fail++;
91b2158bSmillert		return;
91b2158bSmillert	}
c890af98Sdamien	associd = LE_READ_2(frm); frm += 2;
91b2158bSmillert
45eec175Sdamien	rates = xrates = edcaie = wmmie = htcaps = htop = NULL;
50e8fe1cSstsp	vhtcaps = vhtop = NULL;
df33438bSdamien	while (frm + 2 <= efrm) {
df33438bSdamien		if (frm + 2 + frm[1] > efrm) {
df33438bSdamien			ic->ic_stats.is_rx_elem_toosmall++;
b2985342Sdamien			break;
df33438bSdamien		}
df33438bSdamien		switch (frm[0]) {
91b2158bSmillert		case IEEE80211_ELEMID_RATES:
91b2158bSmillert			rates = frm;
91b2158bSmillert			break;
91b2158bSmillert		case IEEE80211_ELEMID_XRATES:
91b2158bSmillert			xrates = frm;
91b2158bSmillert			break;
ab235185Sdamien		case IEEE80211_ELEMID_EDCAPARMS:
e03e709cSdamien			edcaie = frm;
ab235185Sdamien			break;
45eec175Sdamien		case IEEE80211_ELEMID_HTCAPS:
45eec175Sdamien			htcaps = frm;
45eec175Sdamien			break;
45eec175Sdamien		case IEEE80211_ELEMID_HTOP:
45eec175Sdamien			htop = frm;
45eec175Sdamien			break;
50e8fe1cSstsp		case IEEE80211_ELEMID_VHTCAPS:
50e8fe1cSstsp			vhtcaps = frm;
50e8fe1cSstsp			break;
50e8fe1cSstsp		case IEEE80211_ELEMID_VHTOP:
50e8fe1cSstsp			vhtop = frm;
50e8fe1cSstsp			break;
ba56bee9Sdamien		case IEEE80211_ELEMID_VENDOR:
ba56bee9Sdamien			if (frm[1] < 4) {
ba56bee9Sdamien				ic->ic_stats.is_rx_elem_toosmall++;
ba56bee9Sdamien				break;
ba56bee9Sdamien			}
7c7d9786Sdamien			if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) {
4b3a03eeSdamien				if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1)
e03e709cSdamien					wmmie = frm;
ba56bee9Sdamien			}
ba56bee9Sdamien			break;
91b2158bSmillert		}
df33438bSdamien		frm += 2 + frm[1];
91b2158bSmillert	}
fcdd546dSdamien	/* supported rates element is mandatory */
fcdd546dSdamien	if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) {
932b9027Sdamien		DPRINTF(("invalid supported rates element\n"));
fcdd546dSdamien		return;
fcdd546dSdamien	}
16b96e48Sdamien	rate = ieee80211_setup_rates(ic, ni, rates, xrates,
16b96e48Sdamien	    IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO |
16b96e48Sdamien	    IEEE80211_F_DODEL);
16b96e48Sdamien	if (rate & IEEE80211_RATE_BASIC) {
932b9027Sdamien		DPRINTF(("rate mismatch for %s\n",
932b9027Sdamien		    ether_sprintf((u_int8_t *)wh->i_addr2)));
16b96e48Sdamien		ic->ic_stats.is_rx_assoc_norate++;
9e9787ffSdamien		return;
16b96e48Sdamien	}
c890af98Sdamien	ni->ni_capinfo = capinfo;
c890af98Sdamien	ni->ni_associd = associd;
e03e709cSdamien	if (edcaie != NULL || wmmie != NULL) {
ab235185Sdamien		/* force update of EDCA parameters */
ab235185Sdamien		ic->ic_edca_updtcount = -1;
ab235185Sdamien
e03e709cSdamien		if ((edcaie != NULL &&
e03e709cSdamien		     ieee80211_parse_edca_params(ic, edcaie) == 0) ||
e03e709cSdamien		    (wmmie != NULL &&
e03e709cSdamien		     ieee80211_parse_wmm_params(ic, wmmie) == 0))
ab235185Sdamien			ni->ni_flags |= IEEE80211_NODE_QOS;
ab235185Sdamien		else	/* for Reassociation */
ab235185Sdamien			ni->ni_flags &= ~IEEE80211_NODE_QOS;
ab235185Sdamien	}
e52a7d1aSstsp	if (htcaps)
e52a7d1aSstsp		ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]);
e52a7d1aSstsp	if (htop)
f9214ef6Sstsp		ieee80211_setup_htop(ni, htop + 2, htop[1], 0);
e52a7d1aSstsp	ieee80211_ht_negotiate(ic, ni);
e52a7d1aSstsp
7307575aSstsp	if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) {
50e8fe1cSstsp		ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]);
50e8fe1cSstsp		if (vhtop && !ieee80211_setup_vhtop(ni, vhtop + 2, vhtop[1], 1))
50e8fe1cSstsp			vhtop = NULL; /* invalid VHTOP */
50e8fe1cSstsp	}
50e8fe1cSstsp	ieee80211_vht_negotiate(ic, ni);
50e8fe1cSstsp
50e8fe1cSstsp	/* Hop into 11n/11ac modes after associating to a HT/VHT AP. */
50e8fe1cSstsp	if (ni->ni_flags & IEEE80211_NODE_VHT)
50e8fe1cSstsp		ieee80211_setmode(ic, IEEE80211_MODE_11AC);
50e8fe1cSstsp	else if (ni->ni_flags & IEEE80211_NODE_HT)
e52a7d1aSstsp		ieee80211_setmode(ic, IEEE80211_MODE_11N);
e52a7d1aSstsp	else
7b907937Sstsp		ieee80211_setmode(ic, ieee80211_chan2mode(ic, ni->ni_chan));
7b907937Sstsp	/*
7b907937Sstsp	 * Reset the erp state (mostly the slot time) now that
7b907937Sstsp	 * our operating mode has been nailed down.
7b907937Sstsp	 */
7b907937Sstsp	ieee80211_reset_erp(ic);
7b907937Sstsp
1bb78573Sdamien	/*
1bb78573Sdamien	 * Configure state now that we are associated.
1bb78573Sdamien	 */
1bb78573Sdamien	if (ic->ic_curmode == IEEE80211_MODE_11A ||
1bb78573Sdamien	    (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE))
1bb78573Sdamien		ic->ic_flags |= IEEE80211_F_SHPREAMBLE;
1bb78573Sdamien	else
1bb78573Sdamien		ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE;
1bb78573Sdamien
1bb78573Sdamien	ieee80211_set_shortslottime(ic,
1bb78573Sdamien	    ic->ic_curmode == IEEE80211_MODE_11A ||
1bb78573Sdamien	    (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
1bb78573Sdamien	/*
1bb78573Sdamien	 * Honor ERP protection.
1bb78573Sdamien	 */
0126ded1Sstsp	if ((ic->ic_curmode == IEEE80211_MODE_11G ||
0126ded1Sstsp	    (ic->ic_curmode == IEEE80211_MODE_11N &&
0126ded1Sstsp	    IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) &&
1bb78573Sdamien	    (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
1bb78573Sdamien		ic->ic_flags |= IEEE80211_F_USEPROT;
1bb78573Sdamien	else
1bb78573Sdamien		ic->ic_flags &= ~IEEE80211_F_USEPROT;
e03e709cSdamien	/*
e03e709cSdamien	 * If not an RSNA, mark the port as valid, otherwise wait for
e03e709cSdamien	 * 802.1X authentication and 4-way handshake to complete..
e03e709cSdamien	 */
e03e709cSdamien	if (ic->ic_flags & IEEE80211_F_RSNON) {
e03e709cSdamien		/* XXX ic->ic_mgt_timer = 5; */
98998980Sstsp		ni->ni_rsn_supp_state = RSNA_SUPP_PTKSTART;
8fc1098aSdamien	} else if (ic->ic_flags & IEEE80211_F_WEPON)
8fc1098aSdamien		ni->ni_flags |= IEEE80211_NODE_TXRXPROT;
8fc1098aSdamien
91b2158bSmillert	ieee80211_new_state(ic, IEEE80211_S_RUN,
e03e709cSdamien	    IEEE80211_FC0_SUBTYPE_ASSOC_RESP);
91b2158bSmillert}
91b2158bSmillert
9e9787ffSdamien/*-
9e9787ffSdamien * Deauthentication frame format:
9e9787ffSdamien * [2] Reason code
91b2158bSmillert */
9e9787ffSdamienvoid
ec69e05aSdamienieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m,
e03e709cSdamien    struct ieee80211_node *ni)
9e9787ffSdamien{
9e9787ffSdamien	const struct ieee80211_frame *wh;
361aed72Sdamien	const u_int8_t *frm;
9e9787ffSdamien	u_int16_t reason;
9e9787ffSdamien
fcdd546dSdamien	/* make sure all mandatory fixed fields are present */
ec69e05aSdamien	if (m->m_len < sizeof(*wh) + 2) {
932b9027Sdamien		DPRINTF(("frame too short\n"));
fcdd546dSdamien		return;
fcdd546dSdamien	}
ec69e05aSdamien	wh = mtod(m, struct ieee80211_frame *);
361aed72Sdamien	frm = (const u_int8_t *)&wh[1];
361aed72Sdamien
5252db7eSdamien	reason = LE_READ_2(frm);
fcdd546dSdamien
91b2158bSmillert	ic->ic_stats.is_rx_deauth++;
91b2158bSmillert	switch (ic->ic_opmode) {
06e069b5Sstsp	case IEEE80211_M_STA: {
06e069b5Sstsp		int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) &&
06e069b5Sstsp		    ic->ic_state == IEEE80211_S_RUN);
534bf8f4Sstsp		int stay_auth = ((ic->ic_userflags & IEEE80211_F_STAYAUTH) &&
534bf8f4Sstsp		    ic->ic_state >= IEEE80211_S_AUTH);
534bf8f4Sstsp		if (!(bgscan || stay_auth))
91b2158bSmillert			ieee80211_new_state(ic, IEEE80211_S_AUTH,
e03e709cSdamien			    IEEE80211_FC0_SUBTYPE_DEAUTH);
06e069b5Sstsp		}
91b2158bSmillert		break;
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
91b2158bSmillert	case IEEE80211_M_HOSTAP:
91b2158bSmillert		if (ni != ic->ic_bss) {
534bf8f4Sstsp			int stay_auth =
534bf8f4Sstsp			    ((ic->ic_userflags & IEEE80211_F_STAYAUTH) &&
534bf8f4Sstsp			    (ni->ni_state == IEEE80211_STA_AUTH ||
534bf8f4Sstsp			    ni->ni_state == IEEE80211_STA_ASSOC));
171ac09aSdamien			if (ic->ic_if.if_flags & IFF_DEBUG)
a0068c42Sjsg				printf("%s: station %s deauthenticated "
91b2158bSmillert				    "by peer (reason %d)\n",
171ac09aSdamien				    ic->ic_if.if_xname,
0fd4e251Sreyk				    ether_sprintf(ni->ni_macaddr),
0fd4e251Sreyk				    reason);
534bf8f4Sstsp			if (!stay_auth)
0fd4e251Sreyk				ieee80211_node_leave(ic, ni);
91b2158bSmillert		}
91b2158bSmillert		break;
171ac09aSdamien#endif
91b2158bSmillert	default:
91b2158bSmillert		break;
91b2158bSmillert	}
91b2158bSmillert}
91b2158bSmillert
9e9787ffSdamien/*-
9e9787ffSdamien * Disassociation frame format:
9e9787ffSdamien * [2] Reason code
91b2158bSmillert */
9e9787ffSdamienvoid
ec69e05aSdamienieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m,
e03e709cSdamien    struct ieee80211_node *ni)
9e9787ffSdamien{
9e9787ffSdamien	const struct ieee80211_frame *wh;
361aed72Sdamien	const u_int8_t *frm;
9e9787ffSdamien	u_int16_t reason;
9e9787ffSdamien
fcdd546dSdamien	/* make sure all mandatory fixed fields are present */
ec69e05aSdamien	if (m->m_len < sizeof(*wh) + 2) {
932b9027Sdamien		DPRINTF(("frame too short\n"));
fcdd546dSdamien		return;
fcdd546dSdamien	}
ec69e05aSdamien	wh = mtod(m, struct ieee80211_frame *);
361aed72Sdamien	frm = (const u_int8_t *)&wh[1];
361aed72Sdamien
5252db7eSdamien	reason = LE_READ_2(frm);
fcdd546dSdamien
91b2158bSmillert	ic->ic_stats.is_rx_disassoc++;
91b2158bSmillert	switch (ic->ic_opmode) {
06e069b5Sstsp	case IEEE80211_M_STA: {
06e069b5Sstsp		int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) &&
06e069b5Sstsp		    ic->ic_state == IEEE80211_S_RUN);
06e069b5Sstsp		if (!bgscan) /* ignore disassoc during bgscan */
91b2158bSmillert			ieee80211_new_state(ic, IEEE80211_S_ASSOC,
e03e709cSdamien			    IEEE80211_FC0_SUBTYPE_DISASSOC);
06e069b5Sstsp		}
91b2158bSmillert		break;
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
91b2158bSmillert	case IEEE80211_M_HOSTAP:
91b2158bSmillert		if (ni != ic->ic_bss) {
171ac09aSdamien			if (ic->ic_if.if_flags & IFF_DEBUG)
a0068c42Sjsg				printf("%s: station %s disassociated "
91b2158bSmillert				    "by peer (reason %d)\n",
171ac09aSdamien				    ic->ic_if.if_xname,
0fd4e251Sreyk				    ether_sprintf(ni->ni_macaddr),
0fd4e251Sreyk				    reason);
0fd4e251Sreyk			ieee80211_node_leave(ic, ni);
91b2158bSmillert		}
91b2158bSmillert		break;
171ac09aSdamien#endif
91b2158bSmillert	default:
91b2158bSmillert		break;
91b2158bSmillert	}
91b2158bSmillert}
9e9787ffSdamien
45eec175Sdamien/*-
45eec175Sdamien * ADDBA Request frame format:
45eec175Sdamien * [1] Category
45eec175Sdamien * [1] Action
45eec175Sdamien * [1] Dialog Token
45eec175Sdamien * [2] Block Ack Parameter Set
45eec175Sdamien * [2] Block Ack Timeout Value
45eec175Sdamien * [2] Block Ack Starting Sequence Control
45eec175Sdamien */
45eec175Sdamienvoid
45eec175Sdamienieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m,
45eec175Sdamien    struct ieee80211_node *ni)
45eec175Sdamien{
45eec175Sdamien	const struct ieee80211_frame *wh;
45eec175Sdamien	const u_int8_t *frm;
ec69e05aSdamien	struct ieee80211_rx_ba *ba;
71c11c14Sstsp	u_int16_t params, ssn, bufsz, timeout;
45eec175Sdamien	u_int8_t token, tid;
935facd7Sstsp	int err = 0;
45eec175Sdamien
4c1980a1Sstsp	/* Ignore if we are not ready to receive data frames. */
4c1980a1Sstsp	if (ic->ic_state != IEEE80211_S_RUN ||
4c1980a1Sstsp	    ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid))
4c1980a1Sstsp		return;
4c1980a1Sstsp
45eec175Sdamien	if (!(ni->ni_flags & IEEE80211_NODE_HT)) {
45eec175Sdamien		DPRINTF(("received ADDBA req from non-HT STA %s\n",
45eec175Sdamien		    ether_sprintf(ni->ni_macaddr)));
45eec175Sdamien		return;
45eec175Sdamien	}
45eec175Sdamien	if (m->m_len < sizeof(*wh) + 9) {
45eec175Sdamien		DPRINTF(("frame too short\n"));
45eec175Sdamien		return;
45eec175Sdamien	}
45eec175Sdamien	/* MLME-ADDBA.indication */
45eec175Sdamien	wh = mtod(m, struct ieee80211_frame *);
45eec175Sdamien	frm = (const u_int8_t *)&wh[1];
45eec175Sdamien
45eec175Sdamien	token = frm[2];
45eec175Sdamien	params = LE_READ_2(&frm[3]);
e8518fa6Sstsp	tid = ((params & IEEE80211_ADDBA_TID_MASK) >>
e8518fa6Sstsp	    IEEE80211_ADDBA_TID_SHIFT);
e8518fa6Sstsp	bufsz = (params & IEEE80211_ADDBA_BUFSZ_MASK) >>
e8518fa6Sstsp	    IEEE80211_ADDBA_BUFSZ_SHIFT;
45eec175Sdamien	timeout = LE_READ_2(&frm[5]);
45eec175Sdamien	ssn = LE_READ_2(&frm[7]) >> 4;
45eec175Sdamien
ec69e05aSdamien	ba = &ni->ni_rx_ba[tid];
19817d19Stobhe	/* The driver is still processing an ADDBA request for this tid. */
19817d19Stobhe	if (ba->ba_state == IEEE80211_BA_REQUESTED)
19817d19Stobhe		return;
66df67e6Sstsp	/* If we are in the process of roaming between APs, ignore. */
66df67e6Sstsp	if ((ic->ic_flags & IEEE80211_F_BGSCAN) &&
66df67e6Sstsp	    (ic->ic_xflags & IEEE80211_F_TX_MGMT_ONLY))
66df67e6Sstsp		return;
ec69e05aSdamien	/* check if we already have a Block Ack agreement for this RA/TID */
45eec175Sdamien	if (ba->ba_state == IEEE80211_BA_AGREED) {
45eec175Sdamien		/* XXX should we update the timeout value? */
ec69e05aSdamien		/* reset Block Ack inactivity timer */
5c7c7275Sstsp		if (ba->ba_timeout_val != 0)
45eec175Sdamien			timeout_add_usec(&ba->ba_to, ba->ba_timeout_val);
45eec175Sdamien
45eec175Sdamien		/* check if it's a Protected Block Ack agreement */
45eec175Sdamien		if (!(ni->ni_flags & IEEE80211_NODE_MFP) ||
45eec175Sdamien		    !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))
45eec175Sdamien			return;	/* not a PBAC, ignore */
45eec175Sdamien
ec69e05aSdamien		/* PBAC: treat the ADDBA Request like a BlockAckReq */
8fbaf8a2Sstsp		if (SEQ_LT(ba->ba_winstart, ssn)) {
8fbaf8a2Sstsp			struct mbuf_list ml = MBUF_LIST_INITIALIZER();
8fbaf8a2Sstsp			ieee80211_ba_move_window(ic, ni, tid, ssn, &ml);
8fbaf8a2Sstsp			if_input(&ic->ic_if, &ml);
8fbaf8a2Sstsp		}
45eec175Sdamien		return;
45eec175Sdamien	}
71c11c14Sstsp
45eec175Sdamien	/* if PBAC required but RA does not support it, refuse request */
45eec175Sdamien	if ((ic->ic_flags & IEEE80211_F_PBAR) &&
45eec175Sdamien	    (!(ni->ni_flags & IEEE80211_NODE_MFP) ||
71c11c14Sstsp	     !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)))
71c11c14Sstsp		goto refuse;
45eec175Sdamien	/*
45eec175Sdamien	 * If the TID for which the Block Ack agreement is requested is
45eec175Sdamien	 * configured with a no-ACK policy, refuse the agreement.
45eec175Sdamien	 */
71c11c14Sstsp	if (ic->ic_tid_noack & (1 << tid))
71c11c14Sstsp		goto refuse;
71c11c14Sstsp
45eec175Sdamien	/* check that we support the requested Block Ack Policy */
45eec175Sdamien	if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) &&
71c11c14Sstsp	    !(params & IEEE80211_ADDBA_BA_POLICY))
71c11c14Sstsp		goto refuse;
45eec175Sdamien
45eec175Sdamien	/* setup Block Ack agreement */
19817d19Stobhe	ba->ba_state = IEEE80211_BA_REQUESTED;
45eec175Sdamien	ba->ba_timeout_val = timeout * IEEE80211_DUR_TU;
633cd82cSstsp	ba->ba_ni = ni;
71c11c14Sstsp	ba->ba_token = token;
ec69e05aSdamien	timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba);
20fce2ddSstsp	timeout_set(&ba->ba_gap_to, ieee80211_input_ba_gap_timeout, ba);
20599cf9Sstsp	ba->ba_gapwait = 0;
45eec175Sdamien	ba->ba_winsize = bufsz;
45eec175Sdamien	if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ)
45eec175Sdamien		ba->ba_winsize = IEEE80211_BA_MAX_WINSZ;
3367136cSstsp	ba->ba_params = (params & IEEE80211_ADDBA_BA_POLICY);
3367136cSstsp	ba->ba_params |= ((ba->ba_winsize << IEEE80211_ADDBA_BUFSZ_SHIFT) |
aefc44daSstsp	    (tid << IEEE80211_ADDBA_TID_SHIFT));
aefc44daSstsp	ba->ba_params |= IEEE80211_ADDBA_AMSDU;
45eec175Sdamien	ba->ba_winstart = ssn;
45eec175Sdamien	ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff;
45eec175Sdamien	/* allocate and setup our reordering buffer */
265a1ec5Sdhill	ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf),
45eec175Sdamien	    M_DEVBUF, M_NOWAIT | M_ZERO);
71c11c14Sstsp	if (ba->ba_buf == NULL)
71c11c14Sstsp		goto refuse;
71c11c14Sstsp
45eec175Sdamien	ba->ba_head = 0;
45eec175Sdamien
45eec175Sdamien	/* notify drivers of this new Block Ack agreement */
935facd7Sstsp	if (ic->ic_ampdu_rx_start != NULL)
71c11c14Sstsp		err = ic->ic_ampdu_rx_start(ic, ni, tid);
71c11c14Sstsp	if (err == EBUSY) {
71c11c14Sstsp		/* driver will accept or refuse agreement when done */
71c11c14Sstsp		return;
71c11c14Sstsp	} else if (err) {
45eec175Sdamien		/* driver failed to setup, rollback */
71c11c14Sstsp		ieee80211_addba_req_refuse(ic, ni, tid);
71c11c14Sstsp	} else
71c11c14Sstsp		ieee80211_addba_req_accept(ic, ni, tid);
71c11c14Sstsp	return;
71c11c14Sstsp
71c11c14Sstsp refuse:
71c11c14Sstsp	/* MLME-ADDBA.response */
71c11c14Sstsp	IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA,
71c11c14Sstsp	    IEEE80211_ACTION_ADDBA_RESP,
71c11c14Sstsp	    IEEE80211_STATUS_REFUSED << 16 | token << 8 | tid);
45eec175Sdamien}
71c11c14Sstsp
71c11c14Sstspvoid
71c11c14Sstspieee80211_addba_req_accept(struct ieee80211com *ic, struct ieee80211_node *ni,
71c11c14Sstsp    uint8_t tid)
71c11c14Sstsp{
71c11c14Sstsp	struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
71c11c14Sstsp
45eec175Sdamien	ba->ba_state = IEEE80211_BA_AGREED;
44fdf27cSstsp	ic->ic_stats.is_ht_rx_ba_agreements++;
45eec175Sdamien	/* start Block Ack inactivity timer */
5c7c7275Sstsp	if (ba->ba_timeout_val != 0)
45eec175Sdamien		timeout_add_usec(&ba->ba_to, ba->ba_timeout_val);
71c11c14Sstsp
45eec175Sdamien	/* MLME-ADDBA.response */
45eec175Sdamien	IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA,
71c11c14Sstsp	    IEEE80211_ACTION_ADDBA_RESP,
71c11c14Sstsp	    IEEE80211_STATUS_SUCCESS << 16 | ba->ba_token << 8 | tid);
71c11c14Sstsp}
71c11c14Sstsp
71c11c14Sstspvoid
71c11c14Sstspieee80211_addba_req_refuse(struct ieee80211com *ic, struct ieee80211_node *ni,
71c11c14Sstsp    uint8_t tid)
71c11c14Sstsp{
71c11c14Sstsp	struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
71c11c14Sstsp
4adcc1c9Stb	free(ba->ba_buf, M_DEVBUF,
4adcc1c9Stb	    IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf));
71c11c14Sstsp	ba->ba_buf = NULL;
19817d19Stobhe	ba->ba_state = IEEE80211_BA_INIT;
71c11c14Sstsp
71c11c14Sstsp	/* MLME-ADDBA.response */
71c11c14Sstsp	IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA,
71c11c14Sstsp	    IEEE80211_ACTION_ADDBA_RESP,
71c11c14Sstsp	    IEEE80211_STATUS_REFUSED << 16 | ba->ba_token << 8 | tid);
45eec175Sdamien}
45eec175Sdamien
45eec175Sdamien/*-
45eec175Sdamien * ADDBA Response frame format:
45eec175Sdamien * [1] Category
45eec175Sdamien * [1] Action
45eec175Sdamien * [1] Dialog Token
45eec175Sdamien * [2] Status Code
45eec175Sdamien * [2] Block Ack Parameter Set
45eec175Sdamien * [2] Block Ack Timeout Value
45eec175Sdamien */
45eec175Sdamienvoid
45eec175Sdamienieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m,
45eec175Sdamien    struct ieee80211_node *ni)
45eec175Sdamien{
45eec175Sdamien	const struct ieee80211_frame *wh;
45eec175Sdamien	const u_int8_t *frm;
ec69e05aSdamien	struct ieee80211_tx_ba *ba;
45eec175Sdamien	u_int16_t status, params, bufsz, timeout;
45eec175Sdamien	u_int8_t token, tid;
aefc44daSstsp	int err = 0;
45eec175Sdamien
45eec175Sdamien	if (m->m_len < sizeof(*wh) + 9) {
45eec175Sdamien		DPRINTF(("frame too short\n"));
45eec175Sdamien		return;
45eec175Sdamien	}
45eec175Sdamien	wh = mtod(m, struct ieee80211_frame *);
45eec175Sdamien	frm = (const u_int8_t *)&wh[1];
45eec175Sdamien
45eec175Sdamien	token = frm[2];
45eec175Sdamien	status = LE_READ_2(&frm[3]);
45eec175Sdamien	params = LE_READ_2(&frm[5]);
45eec175Sdamien	tid = (params >> 2) & 0xf;
45eec175Sdamien	bufsz = (params >> 6) & 0x3ff;
45eec175Sdamien	timeout = LE_READ_2(&frm[7]);
45eec175Sdamien
45eec175Sdamien	DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n",
45eec175Sdamien	    ether_sprintf(ni->ni_macaddr), tid, status));
45eec175Sdamien
45eec175Sdamien	/*
45eec175Sdamien	 * Ignore if no ADDBA request has been sent for this RA/TID or
45eec175Sdamien	 * if we already have a Block Ack agreement.
45eec175Sdamien	 */
ec69e05aSdamien	ba = &ni->ni_tx_ba[tid];
45eec175Sdamien	if (ba->ba_state != IEEE80211_BA_REQUESTED) {
45eec175Sdamien		DPRINTF(("no matching ADDBA req found\n"));
45eec175Sdamien		return;
45eec175Sdamien	}
45eec175Sdamien	if (token != ba->ba_token) {
45eec175Sdamien		DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n",
45eec175Sdamien		    ether_sprintf(ni->ni_macaddr), token, ba->ba_token));
45eec175Sdamien		return;
45eec175Sdamien	}
45eec175Sdamien	/* we got an ADDBA Response matching our request, stop timeout */
45eec175Sdamien	timeout_del(&ba->ba_to);
45eec175Sdamien
45eec175Sdamien	if (status != IEEE80211_STATUS_SUCCESS) {
aefc44daSstsp		if (ni->ni_addba_req_intval[tid] <
aefc44daSstsp		    IEEE80211_ADDBA_REQ_INTVAL_MAX)
aefc44daSstsp			ni->ni_addba_req_intval[tid]++;
aefc44daSstsp
aefc44daSstsp		ieee80211_addba_resp_refuse(ic, ni, tid, status);
aefc44daSstsp
aefc44daSstsp		/*
aefc44daSstsp		 * In case the peer believes there is an existing
aefc44daSstsp		 * block ack agreement with us, try to delete it.
aefc44daSstsp		 */
aefc44daSstsp		IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA,
aefc44daSstsp		    IEEE80211_ACTION_DELBA,
aefc44daSstsp		    IEEE80211_REASON_SETUP_REQUIRED << 16 | 1 << 8 | tid);
45eec175Sdamien		return;
45eec175Sdamien	}
aefc44daSstsp
aefc44daSstsp	/* notify drivers of this new Block Ack agreement */
aefc44daSstsp	if (ic->ic_ampdu_tx_start != NULL)
aefc44daSstsp		err = ic->ic_ampdu_tx_start(ic, ni, tid);
aefc44daSstsp
aefc44daSstsp	if (err == EBUSY) {
aefc44daSstsp		/* driver will accept or refuse agreement when done */
aefc44daSstsp		return;
aefc44daSstsp	} else if (err) {
aefc44daSstsp		/* driver failed to setup, rollback */
aefc44daSstsp		ieee80211_addba_resp_refuse(ic, ni, tid,
aefc44daSstsp		    IEEE80211_STATUS_UNSPECIFIED);
aefc44daSstsp	} else
aefc44daSstsp		ieee80211_addba_resp_accept(ic, ni, tid);
aefc44daSstsp}
aefc44daSstsp
aefc44daSstspvoid
aefc44daSstspieee80211_addba_resp_accept(struct ieee80211com *ic,
aefc44daSstsp    struct ieee80211_node *ni, uint8_t tid)
aefc44daSstsp{
aefc44daSstsp	struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
aefc44daSstsp
45eec175Sdamien	/* MLME-ADDBA.confirm(Success) */
45eec175Sdamien	ba->ba_state = IEEE80211_BA_AGREED;
44fdf27cSstsp	ic->ic_stats.is_ht_tx_ba_agreements++;
45eec175Sdamien
aefc44daSstsp	/* Reset ADDBA request interval. */
aefc44daSstsp	ni->ni_addba_req_intval[tid] = 1;
45eec175Sdamien
bc7d1191Sstsp	ni->ni_qos_txseqs[tid] = ba->ba_winstart;
bc7d1191Sstsp
45eec175Sdamien	/* start Block Ack inactivity timeout */
ec69e05aSdamien	if (ba->ba_timeout_val != 0)
45eec175Sdamien		timeout_add_usec(&ba->ba_to, ba->ba_timeout_val);
45eec175Sdamien}
45eec175Sdamien
aefc44daSstspvoid
aefc44daSstspieee80211_addba_resp_refuse(struct ieee80211com *ic,
aefc44daSstsp    struct ieee80211_node *ni, uint8_t tid, uint16_t status)
aefc44daSstsp{
aefc44daSstsp	struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
aefc44daSstsp
aefc44daSstsp	/* MLME-ADDBA.confirm(Failure) */
aefc44daSstsp	ba->ba_state = IEEE80211_BA_INIT;
aefc44daSstsp}
aefc44daSstsp
45eec175Sdamien/*-
45eec175Sdamien * DELBA frame format:
45eec175Sdamien * [1] Category
45eec175Sdamien * [1] Action
45eec175Sdamien * [2] DELBA Parameter Set
45eec175Sdamien * [2] Reason Code
45eec175Sdamien */
45eec175Sdamienvoid
45eec175Sdamienieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m,
45eec175Sdamien    struct ieee80211_node *ni)
45eec175Sdamien{
45eec175Sdamien	const struct ieee80211_frame *wh;
45eec175Sdamien	const u_int8_t *frm;
45eec175Sdamien	u_int16_t params, reason;
45eec175Sdamien	u_int8_t tid;
45eec175Sdamien	int i;
45eec175Sdamien
45eec175Sdamien	if (m->m_len < sizeof(*wh) + 6) {
45eec175Sdamien		DPRINTF(("frame too short\n"));
45eec175Sdamien		return;
45eec175Sdamien	}
45eec175Sdamien	wh = mtod(m, struct ieee80211_frame *);
45eec175Sdamien	frm = (const u_int8_t *)&wh[1];
45eec175Sdamien
45eec175Sdamien	params = LE_READ_2(&frm[2]);
45eec175Sdamien	reason = LE_READ_2(&frm[4]);
45eec175Sdamien	tid = params >> 12;
45eec175Sdamien
45eec175Sdamien	DPRINTF(("received DELBA from %s, TID %d, reason %d\n",
45eec175Sdamien	    ether_sprintf(ni->ni_macaddr), tid, reason));
45eec175Sdamien
ec69e05aSdamien	if (params & IEEE80211_DELBA_INITIATOR) {
ec69e05aSdamien		/* MLME-DELBA.indication(Originator) */
ec69e05aSdamien		struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
ec69e05aSdamien
ec69e05aSdamien		if (ba->ba_state != IEEE80211_BA_AGREED) {
ec69e05aSdamien			DPRINTF(("no matching Block Ack agreement\n"));
45eec175Sdamien			return;
45eec175Sdamien		}
45eec175Sdamien		/* notify drivers of the end of the Block Ack agreement */
ec69e05aSdamien		if (ic->ic_ampdu_rx_stop != NULL)
ec69e05aSdamien			ic->ic_ampdu_rx_stop(ic, ni, tid);
45eec175Sdamien
45eec175Sdamien		ba->ba_state = IEEE80211_BA_INIT;
45eec175Sdamien		/* stop Block Ack inactivity timer */
45eec175Sdamien		timeout_del(&ba->ba_to);
20fce2ddSstsp		timeout_del(&ba->ba_gap_to);
20599cf9Sstsp		ba->ba_gapwait = 0;
ec69e05aSdamien
45eec175Sdamien		if (ba->ba_buf != NULL) {
45eec175Sdamien			/* free all MSDUs stored in reordering buffer */
45eec175Sdamien			for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++)
45eec175Sdamien				m_freem(ba->ba_buf[i].m);
45eec175Sdamien			/* free reordering buffer */
4adcc1c9Stb			free(ba->ba_buf, M_DEVBUF,
4adcc1c9Stb			    IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf));
45eec175Sdamien			ba->ba_buf = NULL;
45eec175Sdamien		}
ec69e05aSdamien	} else {
ec69e05aSdamien		/* MLME-DELBA.indication(Recipient) */
ec69e05aSdamien		struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
ec69e05aSdamien
ec69e05aSdamien		if (ba->ba_state != IEEE80211_BA_AGREED) {
ec69e05aSdamien			DPRINTF(("no matching Block Ack agreement\n"));
ec69e05aSdamien			return;
ec69e05aSdamien		}
ec69e05aSdamien		/* notify drivers of the end of the Block Ack agreement */
ec69e05aSdamien		if (ic->ic_ampdu_tx_stop != NULL)
ec69e05aSdamien			ic->ic_ampdu_tx_stop(ic, ni, tid);
ec69e05aSdamien
ec69e05aSdamien		ba->ba_state = IEEE80211_BA_INIT;
ec69e05aSdamien		/* stop Block Ack inactivity timer */
ec69e05aSdamien		timeout_del(&ba->ba_to);
ec69e05aSdamien	}
45eec175Sdamien}
45eec175Sdamien
45eec175Sdamien/*-
45eec175Sdamien * SA Query Request frame format:
45eec175Sdamien * [1] Category
45eec175Sdamien * [1] Action
643bf791Sdamien * [2] Transaction Identifier
45eec175Sdamien */
45eec175Sdamienvoid
45eec175Sdamienieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m,
45eec175Sdamien    struct ieee80211_node *ni)
45eec175Sdamien{
45eec175Sdamien	const struct ieee80211_frame *wh;
45eec175Sdamien	const u_int8_t *frm;
45eec175Sdamien
45eec175Sdamien	if (ic->ic_opmode != IEEE80211_M_STA ||
45eec175Sdamien	    !(ni->ni_flags & IEEE80211_NODE_MFP)) {
45eec175Sdamien		DPRINTF(("unexpected SA Query req from %s\n",
45eec175Sdamien		    ether_sprintf(ni->ni_macaddr)));
45eec175Sdamien		return;
45eec175Sdamien	}
199d5af3Sdamien	if (m->m_len < sizeof(*wh) + 4) {
45eec175Sdamien		DPRINTF(("frame too short\n"));
45eec175Sdamien		return;
45eec175Sdamien	}
45eec175Sdamien	wh = mtod(m, struct ieee80211_frame *);
45eec175Sdamien	frm = (const u_int8_t *)&wh[1];
45eec175Sdamien
45eec175Sdamien	/* MLME-SAQuery.indication */
45eec175Sdamien
45eec175Sdamien	/* save Transaction Identifier for SA Query Response */
199d5af3Sdamien	ni->ni_sa_query_trid = LE_READ_2(&frm[2]);
45eec175Sdamien
45eec175Sdamien	/* MLME-SAQuery.response */
45eec175Sdamien	IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY,
45eec175Sdamien	    IEEE80211_ACTION_SA_QUERY_RESP, 0);
45eec175Sdamien}
45eec175Sdamien
45eec175Sdamien#ifndef IEEE80211_STA_ONLY
45eec175Sdamien/*-
45eec175Sdamien * SA Query Response frame format:
45eec175Sdamien * [1] Category
45eec175Sdamien * [1] Action
643bf791Sdamien * [2] Transaction Identifier
45eec175Sdamien */
45eec175Sdamienvoid
45eec175Sdamienieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m,
45eec175Sdamien    struct ieee80211_node *ni)
45eec175Sdamien{
45eec175Sdamien	const struct ieee80211_frame *wh;
45eec175Sdamien	const u_int8_t *frm;
45eec175Sdamien
45eec175Sdamien	/* ignore if we're not engaged in an SA Query with that STA */
45eec175Sdamien	if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) {
45eec175Sdamien		DPRINTF(("unexpected SA Query resp from %s\n",
45eec175Sdamien		    ether_sprintf(ni->ni_macaddr)));
45eec175Sdamien		return;
45eec175Sdamien	}
199d5af3Sdamien	if (m->m_len < sizeof(*wh) + 4) {
45eec175Sdamien		DPRINTF(("frame too short\n"));
45eec175Sdamien		return;
45eec175Sdamien	}
45eec175Sdamien	wh = mtod(m, struct ieee80211_frame *);
45eec175Sdamien	frm = (const u_int8_t *)&wh[1];
45eec175Sdamien
45eec175Sdamien	/* check that Transaction Identifier matches */
199d5af3Sdamien	if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) {
45eec175Sdamien		DPRINTF(("transaction identifier does not match\n"));
45eec175Sdamien		return;
45eec175Sdamien	}
45eec175Sdamien	/* MLME-SAQuery.confirm */
45eec175Sdamien	timeout_del(&ni->ni_sa_query_to);
45eec175Sdamien	ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY;
45eec175Sdamien}
45eec175Sdamien#endif
45eec175Sdamien
fcdd546dSdamien/*-
fcdd546dSdamien * Action frame format:
f2b57c48Sdamien * [1] Category
fcdd546dSdamien * [1] Action
fcdd546dSdamien */
fcdd546dSdamienvoid
45eec175Sdamienieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m,
fcdd546dSdamien    struct ieee80211_node *ni)
fcdd546dSdamien{
f2b57c48Sdamien	const struct ieee80211_frame *wh;
f2b57c48Sdamien	const u_int8_t *frm;
f2b57c48Sdamien
45eec175Sdamien	if (m->m_len < sizeof(*wh) + 2) {
f2b57c48Sdamien		DPRINTF(("frame too short\n"));
f2b57c48Sdamien		return;
f2b57c48Sdamien	}
45eec175Sdamien	wh = mtod(m, struct ieee80211_frame *);
f2b57c48Sdamien	frm = (const u_int8_t *)&wh[1];
f2b57c48Sdamien
f2b57c48Sdamien	switch (frm[0]) {
f2b57c48Sdamien	case IEEE80211_CATEG_BA:
f2b57c48Sdamien		switch (frm[1]) {
f2b57c48Sdamien		case IEEE80211_ACTION_ADDBA_REQ:
45eec175Sdamien			ieee80211_recv_addba_req(ic, m, ni);
f2b57c48Sdamien			break;
f2b57c48Sdamien		case IEEE80211_ACTION_ADDBA_RESP:
45eec175Sdamien			ieee80211_recv_addba_resp(ic, m, ni);
f2b57c48Sdamien			break;
f2b57c48Sdamien		case IEEE80211_ACTION_DELBA:
45eec175Sdamien			ieee80211_recv_delba(ic, m, ni);
f2b57c48Sdamien			break;
f2b57c48Sdamien		}
f2b57c48Sdamien		break;
45eec175Sdamien	case IEEE80211_CATEG_SA_QUERY:
f2b57c48Sdamien		switch (frm[1]) {
45eec175Sdamien		case IEEE80211_ACTION_SA_QUERY_REQ:
45eec175Sdamien			ieee80211_recv_sa_query_req(ic, m, ni);
f2b57c48Sdamien			break;
45eec175Sdamien#ifndef IEEE80211_STA_ONLY
45eec175Sdamien		case IEEE80211_ACTION_SA_QUERY_RESP:
45eec175Sdamien			ieee80211_recv_sa_query_resp(ic, m, ni);
f2b57c48Sdamien			break;
45eec175Sdamien#endif
f2b57c48Sdamien		}
f2b57c48Sdamien		break;
f2b57c48Sdamien	default:
acbef1c8Sdamien		DPRINTF(("action frame category %d not handled\n", frm[0]));
f2b57c48Sdamien		break;
f2b57c48Sdamien	}
fcdd546dSdamien}
fcdd546dSdamien
9e9787ffSdamienvoid
45eec175Sdamienieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m,
30d05aacSdamien    struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype)
9e9787ffSdamien{
9e9787ffSdamien	switch (subtype) {
9e9787ffSdamien	case IEEE80211_FC0_SUBTYPE_BEACON:
45eec175Sdamien		ieee80211_recv_probe_resp(ic, m, ni, rxi, 0);
e03e709cSdamien		break;
e03e709cSdamien	case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
45eec175Sdamien		ieee80211_recv_probe_resp(ic, m, ni, rxi, 1);
9e9787ffSdamien		break;
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
9e9787ffSdamien	case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
45eec175Sdamien		ieee80211_recv_probe_req(ic, m, ni, rxi);
9e9787ffSdamien		break;
171ac09aSdamien#endif
9e9787ffSdamien	case IEEE80211_FC0_SUBTYPE_AUTH:
45eec175Sdamien		ieee80211_recv_auth(ic, m, ni, rxi);
9e9787ffSdamien		break;
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
9e9787ffSdamien	case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
45eec175Sdamien		ieee80211_recv_assoc_req(ic, m, ni, rxi, 0);
e03e709cSdamien		break;
9e9787ffSdamien	case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
45eec175Sdamien		ieee80211_recv_assoc_req(ic, m, ni, rxi, 1);
9e9787ffSdamien		break;
171ac09aSdamien#endif
9e9787ffSdamien	case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
45eec175Sdamien		ieee80211_recv_assoc_resp(ic, m, ni, 0);
e03e709cSdamien		break;
9e9787ffSdamien	case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
45eec175Sdamien		ieee80211_recv_assoc_resp(ic, m, ni, 1);
9e9787ffSdamien		break;
9e9787ffSdamien	case IEEE80211_FC0_SUBTYPE_DEAUTH:
45eec175Sdamien		ieee80211_recv_deauth(ic, m, ni);
9e9787ffSdamien		break;
9e9787ffSdamien	case IEEE80211_FC0_SUBTYPE_DISASSOC:
45eec175Sdamien		ieee80211_recv_disassoc(ic, m, ni);
9e9787ffSdamien		break;
fcdd546dSdamien	case IEEE80211_FC0_SUBTYPE_ACTION:
45eec175Sdamien		ieee80211_recv_action(ic, m, ni);
fcdd546dSdamien		break;
91b2158bSmillert	default:
932b9027Sdamien		DPRINTF(("mgmt frame with subtype 0x%x not handled\n",
932b9027Sdamien		    subtype));
91b2158bSmillert		ic->ic_stats.is_rx_badsubtype++;
91b2158bSmillert		break;
91b2158bSmillert	}
91b2158bSmillert}
91b2158bSmillert
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
7afadc6eSdamien/*
7afadc6eSdamien * Process an incoming PS-Poll control frame (see 11.2).
7afadc6eSdamien */
250085e6Sdamienvoid
3945a2e1Sdamienieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m,
3945a2e1Sdamien    struct ieee80211_node *ni)
91b2158bSmillert{
91b2158bSmillert	struct ifnet *ifp = &ic->ic_if;
361aed72Sdamien	struct ieee80211_frame_pspoll *psp;
91b2158bSmillert	struct ieee80211_frame *wh;
91b2158bSmillert	u_int16_t aid;
91b2158bSmillert
93d01030Sdamien	if (ic->ic_opmode != IEEE80211_M_HOSTAP ||
93d01030Sdamien	    !(ic->ic_caps & IEEE80211_C_APPMGT) ||
3945a2e1Sdamien	    ni->ni_state != IEEE80211_STA_ASSOC)
91b2158bSmillert		return;
91b2158bSmillert
361aed72Sdamien	if (m->m_len < sizeof(*psp)) {
361aed72Sdamien		DPRINTF(("frame too short, len %u\n", m->m_len));
361aed72Sdamien		ic->ic_stats.is_rx_tooshort++;
91b2158bSmillert		return;
91b2158bSmillert	}
361aed72Sdamien	psp = mtod(m, struct ieee80211_frame_pspoll *);
361aed72Sdamien	if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) {
361aed72Sdamien		DPRINTF(("discard pspoll frame to BSS %s\n",
361aed72Sdamien		    ether_sprintf(psp->i_bssid)));
361aed72Sdamien		ic->ic_stats.is_rx_wrongbss++;
91b2158bSmillert		return;
91b2158bSmillert	}
361aed72Sdamien	aid = letoh16(*(u_int16_t *)psp->i_aid);
91b2158bSmillert	if (aid != ni->ni_associd) {
361aed72Sdamien		DPRINTF(("invalid pspoll aid %x from %s\n", aid,
962c982dSdamien		    ether_sprintf(psp->i_ta)));
91b2158bSmillert		return;
91b2158bSmillert	}
91b2158bSmillert
361aed72Sdamien	/* take the first queued frame and put it out.. */
351e1934Sdlg	m = mq_dequeue(&ni->ni_savedq);
361aed72Sdamien	if (m == NULL)
91b2158bSmillert		return;
351e1934Sdlg	if (mq_empty(&ni->ni_savedq)) {
361aed72Sdamien		/* last queued frame, turn off the TIM bit */
158c4605Sdamien		(*ic->ic_set_tim)(ic, ni->ni_associd, 0);
361aed72Sdamien	} else {
361aed72Sdamien		/* more queued frames, set the more data bit */
361aed72Sdamien		wh = mtod(m, struct ieee80211_frame *);
91b2158bSmillert		wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA;
361aed72Sdamien	}
351e1934Sdlg	mq_enqueue(&ic->ic_pwrsaveq, m);
67de757dSmpi	if_start(ifp);
91b2158bSmillert}
171ac09aSdamien#endif	/* IEEE80211_STA_ONLY */
45eec175Sdamien
45eec175Sdamien/*
ec69e05aSdamien * Process an incoming BlockAckReq control frame (see 7.2.1.7).
45eec175Sdamien */
45eec175Sdamienvoid
45eec175Sdamienieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m,
45eec175Sdamien    struct ieee80211_node *ni)
45eec175Sdamien{
45eec175Sdamien	const struct ieee80211_frame_min *wh;
45eec175Sdamien	const u_int8_t *frm;
45eec175Sdamien	u_int16_t ctl, ssn;
45eec175Sdamien	u_int8_t tid, ntids;
45eec175Sdamien
45eec175Sdamien	if (!(ni->ni_flags & IEEE80211_NODE_HT)) {
ec69e05aSdamien		DPRINTF(("received BlockAckReq from non-HT STA %s\n",
45eec175Sdamien		    ether_sprintf(ni->ni_macaddr)));
45eec175Sdamien		return;
45eec175Sdamien	}
45eec175Sdamien	if (m->m_len < sizeof(*wh) + 4) {
45eec175Sdamien		DPRINTF(("frame too short\n"));
45eec175Sdamien		return;
45eec175Sdamien	}
45eec175Sdamien	wh = mtod(m, struct ieee80211_frame_min *);
45eec175Sdamien	frm = (const u_int8_t *)&wh[1];
45eec175Sdamien
ec69e05aSdamien	/* read BlockAckReq Control field */
45eec175Sdamien	ctl = LE_READ_2(&frm[0]);
45eec175Sdamien	tid = ctl >> 12;
45eec175Sdamien
45eec175Sdamien	/* determine BlockAckReq frame variant */
45eec175Sdamien	if (ctl & IEEE80211_BA_MULTI_TID) {
45eec175Sdamien		/* Multi-TID BlockAckReq variant (PSMP only) */
45eec175Sdamien		ntids = tid + 1;
45eec175Sdamien
45eec175Sdamien		if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) {
45eec175Sdamien			DPRINTF(("MTBAR frame too short\n"));
45eec175Sdamien			return;
45eec175Sdamien		}
ec69e05aSdamien		frm += 2;	/* skip BlockAckReq Control field */
45eec175Sdamien		while (ntids-- > 0) {
45eec175Sdamien			/* read MTBAR Information field */
45eec175Sdamien			tid = LE_READ_2(&frm[0]) >> 12;
45eec175Sdamien			ssn = LE_READ_2(&frm[2]) >> 4;
45eec175Sdamien			ieee80211_bar_tid(ic, ni, tid, ssn);
45eec175Sdamien			frm += 4;
45eec175Sdamien		}
45eec175Sdamien	} else {
45eec175Sdamien		/* Basic or Compressed BlockAckReq variants */
45eec175Sdamien		ssn = LE_READ_2(&frm[2]) >> 4;
45eec175Sdamien		ieee80211_bar_tid(ic, ni, tid, ssn);
45eec175Sdamien	}
45eec175Sdamien}
45eec175Sdamien
45eec175Sdamien/*
ec69e05aSdamien * Process a BlockAckReq for a specific TID (see 9.10.7.6.3).
45eec175Sdamien * This is the common back-end for all BlockAckReq frame variants.
45eec175Sdamien */
45eec175Sdamienvoid
45eec175Sdamienieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni,
45eec175Sdamien    u_int8_t tid, u_int16_t ssn)
45eec175Sdamien{
ec69e05aSdamien	struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
45eec175Sdamien
45eec175Sdamien	/* check if we have a Block Ack agreement for RA/TID */
45eec175Sdamien	if (ba->ba_state != IEEE80211_BA_AGREED) {
45eec175Sdamien		/* XXX not sure in PBAC case */
45eec175Sdamien		/* send a DELBA with reason code UNKNOWN-BA */
45eec175Sdamien		IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA,
45eec175Sdamien		    IEEE80211_ACTION_DELBA,
45eec175Sdamien		    IEEE80211_REASON_SETUP_REQUIRED << 16 | tid);
45eec175Sdamien		return;
45eec175Sdamien	}
45eec175Sdamien	/* check if it is a Protected Block Ack agreement */
45eec175Sdamien	if ((ni->ni_flags & IEEE80211_NODE_MFP) &&
45eec175Sdamien	    (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) {
45eec175Sdamien		/* ADDBA Requests must be used in PBAC case */
45eec175Sdamien		if (SEQ_LT(ssn, ba->ba_winstart) ||
45eec175Sdamien		    SEQ_LT(ba->ba_winend, ssn))
45eec175Sdamien			ic->ic_stats.is_pbac_errs++;
45eec175Sdamien		return;	/* PBAC, do not move window */
45eec175Sdamien	}
45eec175Sdamien	/* reset Block Ack inactivity timer */
5c7c7275Sstsp	if (ba->ba_timeout_val != 0)
45eec175Sdamien		timeout_add_usec(&ba->ba_to, ba->ba_timeout_val);
45eec175Sdamien
8fbaf8a2Sstsp	if (SEQ_LT(ba->ba_winstart, ssn)) {
8fbaf8a2Sstsp		struct mbuf_list ml = MBUF_LIST_INITIALIZER();
8fbaf8a2Sstsp		ieee80211_ba_move_window(ic, ni, tid, ssn, &ml);
8fbaf8a2Sstsp		if_input(&ic->ic_if, &ml);
8fbaf8a2Sstsp	}
45eec175Sdamien}