1 /* $OpenBSD: ieee80211_input.c,v 1.228 2020/12/10 12:52:49 stsp Exp $ */ 2 3 /*- 4 * Copyright (c) 2001 Atsushi Onoe 5 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 6 * Copyright (c) 2007-2009 Damien Bergamini 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of the author may not be used to endorse or promote products 18 * derived from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include "bpfilter.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 #include <sys/socket.h> 40 #include <sys/sockio.h> 41 #include <sys/endian.h> 42 #include <sys/errno.h> 43 #include <sys/sysctl.h> 44 #include <sys/task.h> 45 46 #include <net/if.h> 47 #include <net/if_dl.h> 48 #include <net/if_media.h> 49 #include <net/if_llc.h> 50 51 #if NBPFILTER > 0 52 #include <net/bpf.h> 53 #endif 54 55 #include <netinet/in.h> 56 #include <netinet/if_ether.h> 57 58 #include <net80211/ieee80211_var.h> 59 #include <net80211/ieee80211_priv.h> 60 61 struct mbuf *ieee80211_input_hwdecrypt(struct ieee80211com *, 62 struct ieee80211_node *, struct mbuf *); 63 struct mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int); 64 void ieee80211_defrag_timeout(void *); 65 void ieee80211_input_ba(struct ieee80211com *, struct mbuf *, 66 struct ieee80211_node *, int, struct ieee80211_rxinfo *, 67 struct mbuf_list *); 68 void ieee80211_input_ba_flush(struct ieee80211com *, struct ieee80211_node *, 69 struct ieee80211_rx_ba *, struct mbuf_list *); 70 int ieee80211_input_ba_gap_skip(struct ieee80211_rx_ba *); 71 void ieee80211_input_ba_gap_timeout(void *arg); 72 void ieee80211_ba_move_window(struct ieee80211com *, 73 struct ieee80211_node *, u_int8_t, u_int16_t, struct mbuf_list *); 74 void ieee80211_input_ba_seq(struct ieee80211com *, 75 struct ieee80211_node *, uint8_t, uint16_t, struct mbuf_list *); 76 struct mbuf *ieee80211_align_mbuf(struct mbuf *); 77 void ieee80211_decap(struct ieee80211com *, struct mbuf *, 78 struct ieee80211_node *, int, struct mbuf_list *); 79 void ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *, 80 struct ieee80211_node *, int, struct mbuf_list *); 81 void ieee80211_enqueue_data(struct ieee80211com *, struct mbuf *, 82 struct ieee80211_node *, int, struct mbuf_list *); 83 int ieee80211_parse_edca_params_body(struct ieee80211com *, 84 const u_int8_t *); 85 int ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *); 86 int ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *); 87 enum ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t[]); 88 enum ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t[]); 89 int ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *, 90 u_int, struct ieee80211_rsnparams *); 91 int ieee80211_save_ie(const u_int8_t *, u_int8_t **); 92 void ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *, 93 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 94 #ifndef IEEE80211_STA_ONLY 95 void ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *, 96 struct ieee80211_node *, struct ieee80211_rxinfo *); 97 #endif 98 void ieee80211_recv_auth(struct ieee80211com *, struct mbuf *, 99 struct ieee80211_node *, struct ieee80211_rxinfo *); 100 #ifndef IEEE80211_STA_ONLY 101 void ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *, 102 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 103 #endif 104 void ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *, 105 struct ieee80211_node *, int); 106 void ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *, 107 struct ieee80211_node *); 108 void ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *, 109 struct ieee80211_node *); 110 void ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *, 111 struct ieee80211_node *); 112 void ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *, 113 struct ieee80211_node *); 114 void ieee80211_recv_delba(struct ieee80211com *, struct mbuf *, 115 struct ieee80211_node *); 116 void ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *, 117 struct ieee80211_node *); 118 #ifndef IEEE80211_STA_ONLY 119 void ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *, 120 struct ieee80211_node *); 121 #endif 122 void ieee80211_recv_action(struct ieee80211com *, struct mbuf *, 123 struct ieee80211_node *); 124 #ifndef IEEE80211_STA_ONLY 125 void ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *, 126 struct ieee80211_node *); 127 #endif 128 void ieee80211_recv_bar(struct ieee80211com *, struct mbuf *, 129 struct ieee80211_node *); 130 void ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *, 131 u_int8_t, u_int16_t); 132 133 /* 134 * Retrieve the length in bytes of an 802.11 header. 135 */ 136 u_int 137 ieee80211_get_hdrlen(const struct ieee80211_frame *wh) 138 { 139 u_int size = sizeof(*wh); 140 141 /* NB: does not work with control frames */ 142 KASSERT(ieee80211_has_seq(wh)); 143 144 if (ieee80211_has_addr4(wh)) 145 size += IEEE80211_ADDR_LEN; /* i_addr4 */ 146 if (ieee80211_has_qos(wh)) 147 size += sizeof(u_int16_t); /* i_qos */ 148 if (ieee80211_has_htc(wh)) 149 size += sizeof(u_int32_t); /* i_ht */ 150 return size; 151 } 152 153 /* Post-processing for drivers which perform decryption in hardware. */ 154 struct mbuf * 155 ieee80211_input_hwdecrypt(struct ieee80211com *ic, struct ieee80211_node *ni, 156 struct mbuf *m) 157 { 158 struct ieee80211_key *k; 159 struct ieee80211_frame *wh; 160 uint64_t pn, *prsc; 161 int hdrlen; 162 163 k = ieee80211_get_rxkey(ic, m, ni); 164 if (k == NULL) 165 return NULL; 166 167 wh = mtod(m, struct ieee80211_frame *); 168 hdrlen = ieee80211_get_hdrlen(wh); 169 170 /* 171 * Update the last-seen packet number (PN) for drivers using hardware 172 * crypto offloading. This cannot be done by drivers because A-MPDU 173 * reordering needs to occur before a valid lower bound can be 174 * determined for the PN. Drivers will read the PN we write here and 175 * are expected to discard replayed frames based on it. 176 * Drivers are expected to leave the IV of decrypted frames intact 177 * so we can update the last-seen PN and strip the IV here. 178 */ 179 switch (k->k_cipher) { 180 case IEEE80211_CIPHER_CCMP: 181 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 182 /* 183 * If the protected bit is clear then hardware has 184 * stripped the IV and we must trust that it handles 185 * replay detection correctly. 186 */ 187 break; 188 } 189 if (ieee80211_ccmp_get_pn(&pn, &prsc, m, k) != 0) 190 return NULL; 191 if (pn <= *prsc) { 192 ic->ic_stats.is_ccmp_replays++; 193 return NULL; 194 } 195 196 /* Update last-seen packet number. */ 197 *prsc = pn; 198 199 /* Clear Protected bit and strip IV. */ 200 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 201 memmove(mtod(m, caddr_t) + IEEE80211_CCMP_HDRLEN, wh, hdrlen); 202 m_adj(m, IEEE80211_CCMP_HDRLEN); 203 /* Drivers are expected to strip the MIC. */ 204 break; 205 case IEEE80211_CIPHER_TKIP: 206 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 207 /* 208 * If the protected bit is clear then hardware has 209 * stripped the IV and we must trust that it handles 210 * replay detection correctly. 211 */ 212 break; 213 } 214 if (ieee80211_tkip_get_tsc(&pn, &prsc, m, k) != 0) 215 return NULL; 216 217 if (pn <= *prsc) { 218 ic->ic_stats.is_tkip_replays++; 219 return NULL; 220 } 221 222 /* Update last-seen packet number. */ 223 *prsc = pn; 224 225 /* Clear Protected bit and strip IV. */ 226 wh = mtod(m, struct ieee80211_frame *); 227 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 228 memmove(mtod(m, caddr_t) + IEEE80211_TKIP_HDRLEN, wh, hdrlen); 229 m_adj(m, IEEE80211_TKIP_HDRLEN); 230 /* Drivers are expected to strip the MIC. */ 231 break; 232 default: 233 break; 234 } 235 236 return m; 237 } 238 239 /* 240 * Process a received frame. The node associated with the sender 241 * should be supplied. If nothing was found in the node table then 242 * the caller is assumed to supply a reference to ic_bss instead. 243 * The RSSI and a timestamp are also supplied. The RSSI data is used 244 * during AP scanning to select a AP to associate with; it can have 245 * any units so long as values have consistent units and higher values 246 * mean ``better signal''. The receive timestamp is currently not used 247 * by the 802.11 layer. 248 * 249 * This function acts on management frames immediately and queues data frames 250 * on the specified mbuf list. Delivery of queued data frames to upper layers 251 * must be triggered with if_input(). Drivers should call if_input() only once 252 * per Rx interrupt to avoid triggering the input ifq pressure drop mechanism 253 * unnecessarily. 254 */ 255 void 256 ieee80211_inputm(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 257 struct ieee80211_rxinfo *rxi, struct mbuf_list *ml) 258 { 259 struct ieee80211com *ic = (void *)ifp; 260 struct ieee80211_frame *wh; 261 u_int16_t *orxseq, nrxseq, qos; 262 u_int8_t dir, type, subtype, tid; 263 int hdrlen, hasqos; 264 265 KASSERT(ni != NULL); 266 267 /* in monitor mode, send everything directly to bpf */ 268 if (ic->ic_opmode == IEEE80211_M_MONITOR) 269 goto out; 270 271 /* 272 * Do not process frames without an Address 2 field any further. 273 * Only CTS and ACK control frames do not have this field. 274 */ 275 if (m->m_len < sizeof(struct ieee80211_frame_min)) { 276 DPRINTF(("frame too short, len %u\n", m->m_len)); 277 ic->ic_stats.is_rx_tooshort++; 278 goto out; 279 } 280 281 wh = mtod(m, struct ieee80211_frame *); 282 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 283 IEEE80211_FC0_VERSION_0) { 284 DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0])); 285 ic->ic_stats.is_rx_badversion++; 286 goto err; 287 } 288 289 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 290 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 291 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 292 293 if (type != IEEE80211_FC0_TYPE_CTL) { 294 hdrlen = ieee80211_get_hdrlen(wh); 295 if (m->m_len < hdrlen) { 296 DPRINTF(("frame too short, len %u\n", m->m_len)); 297 ic->ic_stats.is_rx_tooshort++; 298 goto err; 299 } 300 } else 301 hdrlen = 0; 302 if ((hasqos = ieee80211_has_qos(wh))) { 303 qos = ieee80211_get_qos(wh); 304 tid = qos & IEEE80211_QOS_TID; 305 } else { 306 qos = 0; 307 tid = 0; 308 } 309 310 if (ic->ic_state == IEEE80211_S_RUN && 311 type == IEEE80211_FC0_TYPE_DATA && hasqos && 312 (subtype & IEEE80211_FC0_SUBTYPE_NODATA) == 0 && 313 !(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE) 314 #ifndef IEEE80211_STA_ONLY 315 && (ic->ic_opmode == IEEE80211_M_STA || ni != ic->ic_bss) 316 #endif 317 ) { 318 int ba_state = ni->ni_rx_ba[tid].ba_state; 319 320 #ifndef IEEE80211_STA_ONLY 321 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 322 if (!IEEE80211_ADDR_EQ(wh->i_addr1, 323 ic->ic_bss->ni_bssid)) { 324 ic->ic_stats.is_rx_wrongbss++; 325 goto err; 326 } 327 if (ni->ni_state != IEEE80211_S_ASSOC) { 328 ic->ic_stats.is_rx_notassoc++; 329 goto err; 330 } 331 } 332 #endif 333 /* 334 * If Block Ack was explicitly requested, check 335 * if we have a BA agreement for this RA/TID. 336 */ 337 if ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 338 IEEE80211_QOS_ACK_POLICY_BA && 339 ba_state != IEEE80211_BA_AGREED) { 340 DPRINTF(("no BA agreement for %s, TID %d\n", 341 ether_sprintf(ni->ni_macaddr), tid)); 342 /* send a DELBA with reason code UNKNOWN-BA */ 343 IEEE80211_SEND_ACTION(ic, ni, 344 IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA, 345 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 346 goto err; 347 } 348 349 /* 350 * Check if we have an explicit or implicit 351 * Block Ack Request for a valid BA agreement. 352 */ 353 if (ba_state == IEEE80211_BA_AGREED && 354 ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 355 IEEE80211_QOS_ACK_POLICY_BA || 356 (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 357 IEEE80211_QOS_ACK_POLICY_NORMAL)) { 358 /* go through A-MPDU reordering */ 359 ieee80211_input_ba(ic, m, ni, tid, rxi, ml); 360 return; /* don't free m! */ 361 } else if (ba_state == IEEE80211_BA_REQUESTED && 362 (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 363 IEEE80211_QOS_ACK_POLICY_NORMAL) { 364 /* 365 * Apparently, qos frames for a tid where a 366 * block ack agreement was requested but not 367 * yet confirmed by us should still contribute 368 * to the sequence number for this tid. 369 */ 370 ieee80211_input_ba(ic, m, ni, tid, rxi, ml); 371 return; /* don't free m! */ 372 } 373 } 374 375 /* duplicate detection (see 9.2.9) */ 376 if (ieee80211_has_seq(wh) && 377 ic->ic_state != IEEE80211_S_SCAN) { 378 nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >> 379 IEEE80211_SEQ_SEQ_SHIFT; 380 if (hasqos) 381 orxseq = &ni->ni_qos_rxseqs[tid]; 382 else 383 orxseq = &ni->ni_rxseq; 384 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 385 nrxseq == *orxseq) { 386 /* duplicate, silently discarded */ 387 ic->ic_stats.is_rx_dup++; 388 goto out; 389 } 390 *orxseq = nrxseq; 391 } 392 if (ic->ic_state > IEEE80211_S_SCAN) { 393 ni->ni_rssi = rxi->rxi_rssi; 394 ni->ni_rstamp = rxi->rxi_tstamp; 395 ni->ni_inact = 0; 396 397 if (ic->ic_state == IEEE80211_S_RUN && ic->ic_bgscan_start) { 398 /* Cancel or start background scan based on RSSI. */ 399 if ((*ic->ic_node_checkrssi)(ic, ni)) 400 timeout_del(&ic->ic_bgscan_timeout); 401 else if (!timeout_pending(&ic->ic_bgscan_timeout) && 402 (ic->ic_flags & IEEE80211_F_BGSCAN) == 0 && 403 (ic->ic_flags & IEEE80211_F_DESBSSID) == 0) 404 timeout_add_msec(&ic->ic_bgscan_timeout, 405 500 * (ic->ic_bgscan_fail + 1)); 406 } 407 } 408 409 #ifndef IEEE80211_STA_ONLY 410 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 411 (ic->ic_caps & IEEE80211_C_APPMGT) && 412 ni->ni_state == IEEE80211_STA_ASSOC) { 413 if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) { 414 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) { 415 /* turn on PS mode */ 416 ni->ni_pwrsave = IEEE80211_PS_DOZE; 417 DPRINTF(("PS mode on for %s\n", 418 ether_sprintf(wh->i_addr2))); 419 } 420 } else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) { 421 struct mbuf *m; 422 423 /* turn off PS mode */ 424 ni->ni_pwrsave = IEEE80211_PS_AWAKE; 425 DPRINTF(("PS mode off for %s\n", 426 ether_sprintf(wh->i_addr2))); 427 428 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 429 430 /* dequeue buffered unicast frames */ 431 while ((m = mq_dequeue(&ni->ni_savedq)) != NULL) { 432 mq_enqueue(&ic->ic_pwrsaveq, m); 433 if_start(ifp); 434 } 435 } 436 } 437 #endif 438 switch (type) { 439 case IEEE80211_FC0_TYPE_DATA: 440 switch (ic->ic_opmode) { 441 case IEEE80211_M_STA: 442 if (dir != IEEE80211_FC1_DIR_FROMDS) { 443 ic->ic_stats.is_rx_wrongdir++; 444 goto out; 445 } 446 if (ic->ic_state != IEEE80211_S_SCAN && 447 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 448 /* Source address is not our BSS. */ 449 DPRINTF(("discard frame from SA %s\n", 450 ether_sprintf(wh->i_addr2))); 451 ic->ic_stats.is_rx_wrongbss++; 452 goto out; 453 } 454 if ((ifp->if_flags & IFF_SIMPLEX) && 455 IEEE80211_IS_MULTICAST(wh->i_addr1) && 456 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 457 /* 458 * In IEEE802.11 network, multicast frame 459 * sent from me is broadcasted from AP. 460 * It should be silently discarded for 461 * SIMPLEX interface. 462 */ 463 ic->ic_stats.is_rx_mcastecho++; 464 goto out; 465 } 466 break; 467 #ifndef IEEE80211_STA_ONLY 468 case IEEE80211_M_IBSS: 469 case IEEE80211_M_AHDEMO: 470 if (dir != IEEE80211_FC1_DIR_NODS) { 471 ic->ic_stats.is_rx_wrongdir++; 472 goto out; 473 } 474 if (ic->ic_state != IEEE80211_S_SCAN && 475 !IEEE80211_ADDR_EQ(wh->i_addr3, 476 ic->ic_bss->ni_bssid) && 477 !IEEE80211_ADDR_EQ(wh->i_addr3, 478 etherbroadcastaddr)) { 479 /* Destination is not our BSS or broadcast. */ 480 DPRINTF(("discard data frame to DA %s\n", 481 ether_sprintf(wh->i_addr3))); 482 ic->ic_stats.is_rx_wrongbss++; 483 goto out; 484 } 485 break; 486 case IEEE80211_M_HOSTAP: 487 if (dir != IEEE80211_FC1_DIR_TODS) { 488 ic->ic_stats.is_rx_wrongdir++; 489 goto out; 490 } 491 if (ic->ic_state != IEEE80211_S_SCAN && 492 !IEEE80211_ADDR_EQ(wh->i_addr1, 493 ic->ic_bss->ni_bssid) && 494 !IEEE80211_ADDR_EQ(wh->i_addr1, 495 etherbroadcastaddr)) { 496 /* BSS is not us or broadcast. */ 497 DPRINTF(("discard data frame to BSS %s\n", 498 ether_sprintf(wh->i_addr1))); 499 ic->ic_stats.is_rx_wrongbss++; 500 goto out; 501 } 502 /* check if source STA is associated */ 503 if (ni == ic->ic_bss) { 504 DPRINTF(("data from unknown src %s\n", 505 ether_sprintf(wh->i_addr2))); 506 /* NB: caller deals with reference */ 507 ni = ieee80211_find_node(ic, wh->i_addr2); 508 if (ni == NULL) 509 ni = ieee80211_dup_bss(ic, wh->i_addr2); 510 if (ni != NULL) { 511 IEEE80211_SEND_MGMT(ic, ni, 512 IEEE80211_FC0_SUBTYPE_DEAUTH, 513 IEEE80211_REASON_NOT_AUTHED); 514 } 515 ic->ic_stats.is_rx_notassoc++; 516 goto err; 517 } 518 if (ni->ni_state != IEEE80211_STA_ASSOC) { 519 DPRINTF(("data from unassoc src %s\n", 520 ether_sprintf(wh->i_addr2))); 521 IEEE80211_SEND_MGMT(ic, ni, 522 IEEE80211_FC0_SUBTYPE_DISASSOC, 523 IEEE80211_REASON_NOT_ASSOCED); 524 ic->ic_stats.is_rx_notassoc++; 525 goto err; 526 } 527 break; 528 #endif /* IEEE80211_STA_ONLY */ 529 default: 530 /* can't get there */ 531 goto out; 532 } 533 534 /* Do not process "no data" frames any further. */ 535 if (subtype & IEEE80211_FC0_SUBTYPE_NODATA) { 536 #if NBPFILTER > 0 537 if (ic->ic_rawbpf) 538 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 539 #endif 540 goto out; 541 } 542 543 if ((ic->ic_flags & IEEE80211_F_WEPON) || 544 ((ic->ic_flags & IEEE80211_F_RSNON) && 545 (ni->ni_flags & IEEE80211_NODE_RXPROT))) { 546 /* protection is on for Rx */ 547 if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 548 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 549 /* drop unencrypted */ 550 ic->ic_stats.is_rx_unencrypted++; 551 goto err; 552 } 553 /* do software decryption */ 554 m = ieee80211_decrypt(ic, m, ni); 555 if (m == NULL) { 556 ic->ic_stats.is_rx_wepfail++; 557 goto err; 558 } 559 } else { 560 m = ieee80211_input_hwdecrypt(ic, ni, m); 561 if (m == NULL) 562 goto err; 563 } 564 wh = mtod(m, struct ieee80211_frame *); 565 } else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) || 566 (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 567 /* frame encrypted but protection off for Rx */ 568 ic->ic_stats.is_rx_nowep++; 569 goto out; 570 } 571 572 #if NBPFILTER > 0 573 /* copy to listener after decrypt */ 574 if (ic->ic_rawbpf) 575 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 576 #endif 577 578 if ((ni->ni_flags & IEEE80211_NODE_HT) && 579 hasqos && (qos & IEEE80211_QOS_AMSDU)) 580 ieee80211_amsdu_decap(ic, m, ni, hdrlen, ml); 581 else 582 ieee80211_decap(ic, m, ni, hdrlen, ml); 583 return; 584 585 case IEEE80211_FC0_TYPE_MGT: 586 if (dir != IEEE80211_FC1_DIR_NODS) { 587 ic->ic_stats.is_rx_wrongdir++; 588 goto err; 589 } 590 #ifndef IEEE80211_STA_ONLY 591 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 592 ic->ic_stats.is_rx_ahdemo_mgt++; 593 goto out; 594 } 595 #endif 596 /* drop frames without interest */ 597 if (ic->ic_state == IEEE80211_S_SCAN) { 598 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 599 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 600 ic->ic_stats.is_rx_mgtdiscard++; 601 goto out; 602 } 603 } 604 605 if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) { 606 /* MMPDU protection is on for Rx */ 607 if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC || 608 subtype == IEEE80211_FC0_SUBTYPE_DEAUTH || 609 subtype == IEEE80211_FC0_SUBTYPE_ACTION) { 610 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) && 611 !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 612 /* unicast mgmt not encrypted */ 613 goto out; 614 } 615 /* do software decryption */ 616 m = ieee80211_decrypt(ic, m, ni); 617 if (m == NULL) { 618 /* XXX stats */ 619 goto out; 620 } 621 wh = mtod(m, struct ieee80211_frame *); 622 } 623 } else if ((ic->ic_flags & IEEE80211_F_RSNON) && 624 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 625 /* encrypted but MMPDU Rx protection off for TA */ 626 goto out; 627 } 628 629 #if NBPFILTER > 0 630 if (bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN) != 0) { 631 /* 632 * Drop mbuf if it was filtered by bpf. Normally, 633 * this is done in ether_input() but IEEE 802.11 634 * management frames are a special case. 635 */ 636 m_freem(m); 637 return; 638 } 639 #endif 640 (*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype); 641 m_freem(m); 642 return; 643 644 case IEEE80211_FC0_TYPE_CTL: 645 switch (subtype) { 646 #ifndef IEEE80211_STA_ONLY 647 case IEEE80211_FC0_SUBTYPE_PS_POLL: 648 ieee80211_recv_pspoll(ic, m, ni); 649 break; 650 #endif 651 case IEEE80211_FC0_SUBTYPE_BAR: 652 ieee80211_recv_bar(ic, m, ni); 653 break; 654 default: 655 ic->ic_stats.is_rx_ctl++; 656 break; 657 } 658 goto out; 659 660 default: 661 DPRINTF(("bad frame type %x\n", type)); 662 /* should not come here */ 663 break; 664 } 665 err: 666 ifp->if_ierrors++; 667 out: 668 if (m != NULL) { 669 #if NBPFILTER > 0 670 if (ic->ic_rawbpf) 671 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 672 #endif 673 m_freem(m); 674 } 675 } 676 677 /* Input handler for drivers which only receive one frame per interrupt. */ 678 void 679 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 680 struct ieee80211_rxinfo *rxi) 681 { 682 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 683 684 ieee80211_inputm(ifp, m, ni, rxi, &ml); 685 if_input(ifp, &ml); 686 } 687 688 /* 689 * Handle defragmentation (see 9.5 and Annex C). We support the concurrent 690 * reception of fragments of three fragmented MSDUs or MMPDUs. 691 */ 692 struct mbuf * 693 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 694 { 695 const struct ieee80211_frame *owh, *wh; 696 struct ieee80211_defrag *df; 697 u_int16_t rxseq, seq; 698 u_int8_t frag; 699 int i; 700 701 wh = mtod(m, struct ieee80211_frame *); 702 rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 703 seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 704 frag = rxseq & IEEE80211_SEQ_FRAG_MASK; 705 706 if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)) 707 return m; /* not fragmented */ 708 709 if (frag == 0) { 710 /* first fragment, setup entry in the fragment cache */ 711 if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE) 712 ic->ic_defrag_cur = 0; 713 df = &ic->ic_defrag[ic->ic_defrag_cur]; 714 m_freem(df->df_m); /* discard old entry */ 715 df->df_seq = seq; 716 df->df_frag = 0; 717 df->df_m = m; 718 /* start receive MSDU timer of aMaxReceiveLifetime */ 719 timeout_add_sec(&df->df_to, 1); 720 return NULL; /* MSDU or MMPDU not yet complete */ 721 } 722 723 /* find matching entry in the fragment cache */ 724 for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) { 725 df = &ic->ic_defrag[i]; 726 if (df->df_m == NULL) 727 continue; 728 if (df->df_seq != seq || df->df_frag + 1 != frag) 729 continue; 730 owh = mtod(df->df_m, struct ieee80211_frame *); 731 /* frame type, source and destination must match */ 732 if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) || 733 !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) || 734 !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2)) 735 continue; 736 /* matching entry found */ 737 break; 738 } 739 if (i == IEEE80211_DEFRAG_SIZE) { 740 /* no matching entry found, discard fragment */ 741 ic->ic_if.if_ierrors++; 742 m_freem(m); 743 return NULL; 744 } 745 746 df->df_frag = frag; 747 /* strip 802.11 header and concatenate fragment */ 748 m_adj(m, hdrlen); 749 m_cat(df->df_m, m); 750 df->df_m->m_pkthdr.len += m->m_pkthdr.len; 751 752 if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) 753 return NULL; /* MSDU or MMPDU not yet complete */ 754 755 /* MSDU or MMPDU complete */ 756 timeout_del(&df->df_to); 757 m = df->df_m; 758 df->df_m = NULL; 759 return m; 760 } 761 762 /* 763 * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime. 764 */ 765 void 766 ieee80211_defrag_timeout(void *arg) 767 { 768 struct ieee80211_defrag *df = arg; 769 int s = splnet(); 770 771 /* discard all received fragments */ 772 m_freem(df->df_m); 773 df->df_m = NULL; 774 775 splx(s); 776 } 777 778 /* 779 * Process a received data MPDU related to a specific HT-immediate Block Ack 780 * agreement (see 9.10.7.6). 781 */ 782 void 783 ieee80211_input_ba(struct ieee80211com *ic, struct mbuf *m, 784 struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi, 785 struct mbuf_list *ml) 786 { 787 struct ifnet *ifp = &ic->ic_if; 788 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 789 struct ieee80211_frame *wh; 790 int idx, count; 791 u_int16_t sn; 792 793 wh = mtod(m, struct ieee80211_frame *); 794 sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 795 796 /* reset Block Ack inactivity timer */ 797 if (ba->ba_timeout_val != 0) 798 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 799 800 if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */ 801 ic->ic_stats.is_ht_rx_frame_below_ba_winstart++; 802 m_freem(m); /* discard the MPDU */ 803 return; 804 } 805 if (SEQ_LT(ba->ba_winend, sn)) { /* WinEndB < SN */ 806 ic->ic_stats.is_ht_rx_frame_above_ba_winend++; 807 count = (sn - ba->ba_winend) & 0xfff; 808 if (count > ba->ba_winsize) { 809 /* 810 * Check whether we're consistently behind the window, 811 * and let the window move forward if neccessary. 812 */ 813 if (ba->ba_winmiss < IEEE80211_BA_MAX_WINMISS) { 814 if (ba->ba_missedsn == ((sn - 1) & 0xfff)) 815 ba->ba_winmiss++; 816 else 817 ba->ba_winmiss = 0; 818 ba->ba_missedsn = sn; 819 ifp->if_ierrors++; 820 m_freem(m); /* discard the MPDU */ 821 return; 822 } 823 824 /* It appears the window has moved for real. */ 825 ic->ic_stats.is_ht_rx_ba_window_jump++; 826 ba->ba_winmiss = 0; 827 ba->ba_missedsn = 0; 828 ieee80211_ba_move_window(ic, ni, tid, sn, ml); 829 } else { 830 ic->ic_stats.is_ht_rx_ba_window_slide++; 831 ieee80211_input_ba_seq(ic, ni, tid, 832 (ba->ba_winstart + count) & 0xfff, ml); 833 ieee80211_input_ba_flush(ic, ni, ba, ml); 834 } 835 } 836 /* WinStartB <= SN <= WinEndB */ 837 838 ba->ba_winmiss = 0; 839 ba->ba_missedsn = 0; 840 idx = (sn - ba->ba_winstart) & 0xfff; 841 idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ; 842 /* store the received MPDU in the buffer */ 843 if (ba->ba_buf[idx].m != NULL) { 844 ifp->if_ierrors++; 845 ic->ic_stats.is_ht_rx_ba_no_buf++; 846 m_freem(m); 847 return; 848 } 849 ba->ba_buf[idx].m = m; 850 /* store Rx meta-data too */ 851 rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE; 852 ba->ba_buf[idx].rxi = *rxi; 853 ba->ba_gapwait++; 854 855 if (ba->ba_buf[ba->ba_head].m == NULL && ba->ba_gapwait == 1) 856 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT); 857 858 ieee80211_input_ba_flush(ic, ni, ba, ml); 859 } 860 861 /* 862 * Forward buffered frames with sequence number lower than max_seq. 863 * See 802.11-2012 9.21.7.6.2 b. 864 */ 865 void 866 ieee80211_input_ba_seq(struct ieee80211com *ic, struct ieee80211_node *ni, 867 uint8_t tid, uint16_t max_seq, struct mbuf_list *ml) 868 { 869 struct ifnet *ifp = &ic->ic_if; 870 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 871 struct ieee80211_frame *wh; 872 uint16_t seq; 873 int i = 0; 874 875 while (i++ < ba->ba_winsize) { 876 /* gaps may exist */ 877 if (ba->ba_buf[ba->ba_head].m != NULL) { 878 wh = mtod(ba->ba_buf[ba->ba_head].m, 879 struct ieee80211_frame *); 880 KASSERT(ieee80211_has_seq(wh)); 881 seq = letoh16(*(u_int16_t *)wh->i_seq) >> 882 IEEE80211_SEQ_SEQ_SHIFT; 883 if (!SEQ_LT(seq, max_seq)) 884 return; 885 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, 886 ni, &ba->ba_buf[ba->ba_head].rxi, ml); 887 ba->ba_buf[ba->ba_head].m = NULL; 888 ba->ba_gapwait--; 889 } else 890 ic->ic_stats.is_ht_rx_ba_frame_lost++; 891 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 892 /* move window forward */ 893 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 894 } 895 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 896 } 897 898 /* Flush a consecutive sequence of frames from the reorder buffer. */ 899 void 900 ieee80211_input_ba_flush(struct ieee80211com *ic, struct ieee80211_node *ni, 901 struct ieee80211_rx_ba *ba, struct mbuf_list *ml) 902 903 { 904 struct ifnet *ifp = &ic->ic_if; 905 906 /* pass reordered MPDUs up to the next MAC process */ 907 while (ba->ba_buf[ba->ba_head].m != NULL) { 908 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni, 909 &ba->ba_buf[ba->ba_head].rxi, ml); 910 ba->ba_buf[ba->ba_head].m = NULL; 911 ba->ba_gapwait--; 912 913 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 914 /* move window forward */ 915 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 916 } 917 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 918 919 if (timeout_pending(&ba->ba_gap_to)) 920 timeout_del(&ba->ba_gap_to); 921 if (ba->ba_gapwait) 922 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT); 923 } 924 925 /* 926 * Forcibly move the BA window forward to remove a leading gap which has 927 * been causing frames to linger in the reordering buffer for too long. 928 * A leading gap will occur if a particular A-MPDU subframe never arrives 929 * or if a bug in the sender causes sequence numbers to jump forward by > 1. 930 */ 931 int 932 ieee80211_input_ba_gap_skip(struct ieee80211_rx_ba *ba) 933 { 934 int skipped = 0; 935 936 while (skipped < ba->ba_winsize && ba->ba_buf[ba->ba_head].m == NULL) { 937 /* move window forward */ 938 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 939 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 940 skipped++; 941 } 942 if (skipped > 0) 943 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 944 945 return skipped; 946 } 947 948 void 949 ieee80211_input_ba_gap_timeout(void *arg) 950 { 951 struct ieee80211_rx_ba *ba = arg; 952 struct ieee80211_node *ni = ba->ba_ni; 953 struct ieee80211com *ic = ni->ni_ic; 954 int s, skipped; 955 956 ic->ic_stats.is_ht_rx_ba_window_gap_timeout++; 957 958 s = splnet(); 959 960 skipped = ieee80211_input_ba_gap_skip(ba); 961 ic->ic_stats.is_ht_rx_ba_frame_lost += skipped; 962 if (skipped) { 963 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 964 ieee80211_input_ba_flush(ic, ni, ba, &ml); 965 if_input(&ic->ic_if, &ml); 966 } 967 968 splx(s); 969 } 970 971 972 /* 973 * Change the value of WinStartB (move window forward) upon reception of a 974 * BlockAckReq frame or an ADDBA Request (PBAC). 975 */ 976 void 977 ieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni, 978 u_int8_t tid, u_int16_t ssn, struct mbuf_list *ml) 979 { 980 struct ifnet *ifp = &ic->ic_if; 981 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 982 int count; 983 984 /* assert(WinStartB <= SSN) */ 985 986 count = (ssn - ba->ba_winstart) & 0xfff; 987 if (count > ba->ba_winsize) /* no overlap */ 988 count = ba->ba_winsize; 989 while (count-- > 0) { 990 /* gaps may exist */ 991 if (ba->ba_buf[ba->ba_head].m != NULL) { 992 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni, 993 &ba->ba_buf[ba->ba_head].rxi, ml); 994 ba->ba_buf[ba->ba_head].m = NULL; 995 ba->ba_gapwait--; 996 } else 997 ic->ic_stats.is_ht_rx_ba_frame_lost++; 998 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 999 } 1000 /* move window forward */ 1001 ba->ba_winstart = ssn; 1002 1003 ieee80211_input_ba_flush(ic, ni, ba, ml); 1004 } 1005 1006 void 1007 ieee80211_enqueue_data(struct ieee80211com *ic, struct mbuf *m, 1008 struct ieee80211_node *ni, int mcast, struct mbuf_list *ml) 1009 { 1010 struct ifnet *ifp = &ic->ic_if; 1011 struct ether_header *eh; 1012 struct mbuf *m1; 1013 1014 eh = mtod(m, struct ether_header *); 1015 1016 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid && 1017 eh->ether_type != htons(ETHERTYPE_PAE)) { 1018 DPRINTF(("port not valid: %s\n", 1019 ether_sprintf(eh->ether_dhost))); 1020 ic->ic_stats.is_rx_unauth++; 1021 m_freem(m); 1022 return; 1023 } 1024 1025 /* 1026 * Perform as a bridge within the AP. Notice that we do not 1027 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X. 1028 * And we do not forward unicast frames received on a multicast address. 1029 */ 1030 m1 = NULL; 1031 #ifndef IEEE80211_STA_ONLY 1032 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 1033 !(ic->ic_userflags & IEEE80211_F_NOBRIDGE) && 1034 eh->ether_type != htons(ETHERTYPE_PAE)) { 1035 struct ieee80211_node *ni1; 1036 1037 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 1038 m1 = m_dup_pkt(m, ETHER_ALIGN, M_DONTWAIT); 1039 if (m1 == NULL) 1040 ifp->if_oerrors++; 1041 else 1042 m1->m_flags |= M_MCAST; 1043 } else if (!mcast) { 1044 ni1 = ieee80211_find_node(ic, eh->ether_dhost); 1045 if (ni1 != NULL && 1046 ni1->ni_state == IEEE80211_STA_ASSOC) { 1047 m1 = m; 1048 m = NULL; 1049 } 1050 } 1051 if (m1 != NULL) { 1052 if (if_enqueue(ifp, m1)) 1053 ifp->if_oerrors++; 1054 } 1055 } 1056 #endif 1057 if (m != NULL) { 1058 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1059 eh->ether_type == htons(ETHERTYPE_PAE)) { 1060 ifp->if_ipackets++; 1061 #if NBPFILTER > 0 1062 /* 1063 * If we forward frame into transmitter of the AP, 1064 * we don't need to duplicate for DLT_EN10MB. 1065 */ 1066 if (ifp->if_bpf && m1 == NULL) 1067 bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN); 1068 #endif 1069 ieee80211_eapol_key_input(ic, m, ni); 1070 } else { 1071 ml_enqueue(ml, m); 1072 } 1073 } 1074 } 1075 1076 void 1077 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, 1078 struct ieee80211_node *ni, int hdrlen, struct mbuf_list *ml) 1079 { 1080 struct ether_header eh; 1081 struct ieee80211_frame *wh; 1082 struct llc *llc; 1083 int mcast; 1084 1085 if (m->m_len < hdrlen + LLC_SNAPFRAMELEN && 1086 (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) { 1087 ic->ic_stats.is_rx_decap++; 1088 return; 1089 } 1090 wh = mtod(m, struct ieee80211_frame *); 1091 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 1092 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 1093 case IEEE80211_FC1_DIR_NODS: 1094 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 1095 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 1096 break; 1097 case IEEE80211_FC1_DIR_TODS: 1098 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 1099 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 1100 break; 1101 case IEEE80211_FC1_DIR_FROMDS: 1102 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 1103 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr3); 1104 break; 1105 case IEEE80211_FC1_DIR_DSTODS: 1106 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 1107 IEEE80211_ADDR_COPY(eh.ether_shost, 1108 ((struct ieee80211_frame_addr4 *)wh)->i_addr4); 1109 break; 1110 } 1111 llc = (struct llc *)((caddr_t)wh + hdrlen); 1112 if (llc->llc_dsap == LLC_SNAP_LSAP && 1113 llc->llc_ssap == LLC_SNAP_LSAP && 1114 llc->llc_control == LLC_UI && 1115 llc->llc_snap.org_code[0] == 0 && 1116 llc->llc_snap.org_code[1] == 0 && 1117 llc->llc_snap.org_code[2] == 0) { 1118 eh.ether_type = llc->llc_snap.ether_type; 1119 m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN); 1120 } else { 1121 eh.ether_type = htons(m->m_pkthdr.len - hdrlen); 1122 m_adj(m, hdrlen - ETHER_HDR_LEN); 1123 } 1124 memcpy(mtod(m, caddr_t), &eh, ETHER_HDR_LEN); 1125 if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) { 1126 struct mbuf *m0 = m; 1127 m = m_dup_pkt(m0, ETHER_ALIGN, M_NOWAIT); 1128 m_freem(m0); 1129 if (m == NULL) { 1130 ic->ic_stats.is_rx_decap++; 1131 return; 1132 } 1133 } 1134 ieee80211_enqueue_data(ic, m, ni, mcast, ml); 1135 } 1136 1137 /* 1138 * Decapsulate an Aggregate MSDU (see 7.2.2.2). 1139 */ 1140 void 1141 ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m, 1142 struct ieee80211_node *ni, int hdrlen, struct mbuf_list *ml) 1143 { 1144 struct mbuf *n; 1145 struct ether_header *eh; 1146 struct llc *llc; 1147 int len, pad, mcast; 1148 struct ieee80211_frame *wh; 1149 1150 wh = mtod(m, struct ieee80211_frame *); 1151 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 1152 1153 /* strip 802.11 header */ 1154 m_adj(m, hdrlen); 1155 1156 while (m->m_pkthdr.len >= ETHER_HDR_LEN + LLC_SNAPFRAMELEN) { 1157 /* process an A-MSDU subframe */ 1158 m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN); 1159 if (m == NULL) { 1160 ic->ic_stats.is_rx_decap++; 1161 return; 1162 } 1163 eh = mtod(m, struct ether_header *); 1164 /* examine 802.3 header */ 1165 len = ntohs(eh->ether_type); 1166 if (len < LLC_SNAPFRAMELEN) { 1167 DPRINTF(("A-MSDU subframe too short (%d)\n", len)); 1168 /* stop processing A-MSDU subframes */ 1169 ic->ic_stats.is_rx_decap++; 1170 m_freem(m); 1171 return; 1172 } 1173 llc = (struct llc *)&eh[1]; 1174 /* examine 802.2 LLC header */ 1175 if (llc->llc_dsap == LLC_SNAP_LSAP && 1176 llc->llc_ssap == LLC_SNAP_LSAP && 1177 llc->llc_control == LLC_UI && 1178 llc->llc_snap.org_code[0] == 0 && 1179 llc->llc_snap.org_code[1] == 0 && 1180 llc->llc_snap.org_code[2] == 0) { 1181 /* convert to Ethernet II header */ 1182 eh->ether_type = llc->llc_snap.ether_type; 1183 /* strip LLC+SNAP headers */ 1184 memmove((u_int8_t *)eh + LLC_SNAPFRAMELEN, eh, 1185 ETHER_HDR_LEN); 1186 m_adj(m, LLC_SNAPFRAMELEN); 1187 len -= LLC_SNAPFRAMELEN; 1188 } 1189 len += ETHER_HDR_LEN; 1190 if (len > m->m_pkthdr.len) { 1191 /* stop processing A-MSDU subframes */ 1192 DPRINTF(("A-MSDU subframe too long (%d)\n", len)); 1193 ic->ic_stats.is_rx_decap++; 1194 m_freem(m); 1195 return; 1196 } 1197 1198 /* "detach" our A-MSDU subframe from the others */ 1199 n = m_split(m, len, M_NOWAIT); 1200 if (n == NULL) { 1201 /* stop processing A-MSDU subframes */ 1202 ic->ic_stats.is_rx_decap++; 1203 m_freem(m); 1204 return; 1205 } 1206 ieee80211_enqueue_data(ic, m, ni, mcast, ml); 1207 1208 m = n; 1209 /* remove padding */ 1210 pad = ((len + 3) & ~3) - len; 1211 m_adj(m, pad); 1212 } 1213 1214 m_freem(m); 1215 } 1216 1217 /* 1218 * Parse an EDCA Parameter Set element (see 7.3.2.27). 1219 */ 1220 int 1221 ieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm) 1222 { 1223 u_int updtcount; 1224 int aci; 1225 1226 /* 1227 * Check if EDCA parameters have changed XXX if we miss more than 1228 * 15 consecutive beacons, we might not detect changes to EDCA 1229 * parameters due to wraparound of the 4-bit Update Count field. 1230 */ 1231 updtcount = frm[0] & 0xf; 1232 if (updtcount == ic->ic_edca_updtcount) 1233 return 0; /* no changes to EDCA parameters, ignore */ 1234 ic->ic_edca_updtcount = updtcount; 1235 1236 frm += 2; /* skip QoS Info & Reserved fields */ 1237 1238 /* parse AC Parameter Records */ 1239 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 1240 struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci]; 1241 1242 ac->ac_acm = (frm[0] >> 4) & 0x1; 1243 ac->ac_aifsn = frm[0] & 0xf; 1244 ac->ac_ecwmin = frm[1] & 0xf; 1245 ac->ac_ecwmax = frm[1] >> 4; 1246 ac->ac_txoplimit = LE_READ_2(frm + 2); 1247 frm += 4; 1248 } 1249 /* give drivers a chance to update their settings */ 1250 if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL) 1251 (*ic->ic_updateedca)(ic); 1252 1253 return 0; 1254 } 1255 1256 int 1257 ieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm) 1258 { 1259 if (frm[1] < 18) { 1260 ic->ic_stats.is_rx_elem_toosmall++; 1261 return IEEE80211_REASON_IE_INVALID; 1262 } 1263 return ieee80211_parse_edca_params_body(ic, frm + 2); 1264 } 1265 1266 int 1267 ieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm) 1268 { 1269 if (frm[1] < 24) { 1270 ic->ic_stats.is_rx_elem_toosmall++; 1271 return IEEE80211_REASON_IE_INVALID; 1272 } 1273 return ieee80211_parse_edca_params_body(ic, frm + 8); 1274 } 1275 1276 enum ieee80211_cipher 1277 ieee80211_parse_rsn_cipher(const u_int8_t selector[4]) 1278 { 1279 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1280 switch (selector[3]) { 1281 case 0: /* use group data cipher suite */ 1282 return IEEE80211_CIPHER_USEGROUP; 1283 case 1: /* WEP-40 */ 1284 return IEEE80211_CIPHER_WEP40; 1285 case 2: /* TKIP */ 1286 return IEEE80211_CIPHER_TKIP; 1287 case 4: /* CCMP (RSNA default) */ 1288 return IEEE80211_CIPHER_CCMP; 1289 case 5: /* WEP-104 */ 1290 return IEEE80211_CIPHER_WEP104; 1291 } 1292 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1293 /* see 802.11-2012 Table 8-99 */ 1294 switch (selector[3]) { 1295 case 0: /* use group data cipher suite */ 1296 return IEEE80211_CIPHER_USEGROUP; 1297 case 1: /* WEP-40 */ 1298 return IEEE80211_CIPHER_WEP40; 1299 case 2: /* TKIP */ 1300 return IEEE80211_CIPHER_TKIP; 1301 case 4: /* CCMP (RSNA default) */ 1302 return IEEE80211_CIPHER_CCMP; 1303 case 5: /* WEP-104 */ 1304 return IEEE80211_CIPHER_WEP104; 1305 case 6: /* BIP */ 1306 return IEEE80211_CIPHER_BIP; 1307 } 1308 } 1309 return IEEE80211_CIPHER_NONE; /* ignore unknown ciphers */ 1310 } 1311 1312 enum ieee80211_akm 1313 ieee80211_parse_rsn_akm(const u_int8_t selector[4]) 1314 { 1315 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1316 switch (selector[3]) { 1317 case 1: /* IEEE 802.1X (RSNA default) */ 1318 return IEEE80211_AKM_8021X; 1319 case 2: /* PSK */ 1320 return IEEE80211_AKM_PSK; 1321 } 1322 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1323 /* from IEEE Std 802.11i-2004 - Table 20dc */ 1324 switch (selector[3]) { 1325 case 1: /* IEEE 802.1X (RSNA default) */ 1326 return IEEE80211_AKM_8021X; 1327 case 2: /* PSK */ 1328 return IEEE80211_AKM_PSK; 1329 case 5: /* IEEE 802.1X with SHA256 KDF */ 1330 return IEEE80211_AKM_SHA256_8021X; 1331 case 6: /* PSK with SHA256 KDF */ 1332 return IEEE80211_AKM_SHA256_PSK; 1333 } 1334 } 1335 return IEEE80211_AKM_NONE; /* ignore unknown AKMs */ 1336 } 1337 1338 /* 1339 * Parse an RSN element (see 802.11-2012 8.4.2.27) 1340 */ 1341 int 1342 ieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm, 1343 u_int len, struct ieee80211_rsnparams *rsn) 1344 { 1345 const u_int8_t *efrm; 1346 u_int16_t m, n, s; 1347 1348 efrm = frm + len; 1349 1350 /* check Version field */ 1351 if (LE_READ_2(frm) != 1) 1352 return IEEE80211_STATUS_RSN_IE_VER_UNSUP; 1353 frm += 2; 1354 1355 /* all fields after the Version field are optional */ 1356 1357 /* if Cipher Suite missing, default to CCMP */ 1358 rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP; 1359 rsn->rsn_nciphers = 1; 1360 rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP; 1361 /* if Group Management Cipher Suite missing, defaut to BIP */ 1362 rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP; 1363 /* if AKM Suite missing, default to 802.1X */ 1364 rsn->rsn_nakms = 1; 1365 rsn->rsn_akms = IEEE80211_AKM_8021X; 1366 /* if RSN capabilities missing, default to 0 */ 1367 rsn->rsn_caps = 0; 1368 rsn->rsn_npmkids = 0; 1369 1370 /* read Group Data Cipher Suite field */ 1371 if (frm + 4 > efrm) 1372 return 0; 1373 rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm); 1374 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_NONE || 1375 rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP || 1376 rsn->rsn_groupcipher == IEEE80211_CIPHER_BIP) 1377 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1378 frm += 4; 1379 1380 /* read Pairwise Cipher Suite Count field */ 1381 if (frm + 2 > efrm) 1382 return 0; 1383 m = rsn->rsn_nciphers = LE_READ_2(frm); 1384 frm += 2; 1385 1386 /* read Pairwise Cipher Suite List */ 1387 if (frm + m * 4 > efrm) 1388 return IEEE80211_STATUS_IE_INVALID; 1389 rsn->rsn_ciphers = IEEE80211_CIPHER_NONE; 1390 while (m-- > 0) { 1391 rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm); 1392 frm += 4; 1393 } 1394 if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) { 1395 if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP) 1396 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1397 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP) 1398 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1399 } 1400 1401 /* read AKM Suite List Count field */ 1402 if (frm + 2 > efrm) 1403 return 0; 1404 n = rsn->rsn_nakms = LE_READ_2(frm); 1405 frm += 2; 1406 1407 /* read AKM Suite List */ 1408 if (frm + n * 4 > efrm) 1409 return IEEE80211_STATUS_IE_INVALID; 1410 rsn->rsn_akms = IEEE80211_AKM_NONE; 1411 while (n-- > 0) { 1412 rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm); 1413 frm += 4; 1414 } 1415 1416 /* read RSN Capabilities field */ 1417 if (frm + 2 > efrm) 1418 return 0; 1419 rsn->rsn_caps = LE_READ_2(frm); 1420 frm += 2; 1421 1422 /* read PMKID Count field */ 1423 if (frm + 2 > efrm) 1424 return 0; 1425 s = rsn->rsn_npmkids = LE_READ_2(frm); 1426 frm += 2; 1427 1428 /* read PMKID List */ 1429 if (frm + s * IEEE80211_PMKID_LEN > efrm) 1430 return IEEE80211_STATUS_IE_INVALID; 1431 if (s != 0) { 1432 rsn->rsn_pmkids = frm; 1433 frm += s * IEEE80211_PMKID_LEN; 1434 } 1435 1436 /* read Group Management Cipher Suite field */ 1437 if (frm + 4 > efrm) 1438 return 0; 1439 rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm); 1440 if (rsn->rsn_groupmgmtcipher != IEEE80211_CIPHER_BIP) 1441 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1442 1443 return IEEE80211_STATUS_SUCCESS; 1444 } 1445 1446 int 1447 ieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm, 1448 struct ieee80211_rsnparams *rsn) 1449 { 1450 if (frm[1] < 2) { 1451 ic->ic_stats.is_rx_elem_toosmall++; 1452 return IEEE80211_STATUS_IE_INVALID; 1453 } 1454 return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn); 1455 } 1456 1457 int 1458 ieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm, 1459 struct ieee80211_rsnparams *rsn) 1460 { 1461 if (frm[1] < 6) { 1462 ic->ic_stats.is_rx_elem_toosmall++; 1463 return IEEE80211_STATUS_IE_INVALID; 1464 } 1465 return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn); 1466 } 1467 1468 /* 1469 * Create (or update) a copy of an information element. 1470 */ 1471 int 1472 ieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie) 1473 { 1474 int olen = *ie ? 2 + (*ie)[1] : 0; 1475 int len = 2 + frm[1]; 1476 1477 if (*ie == NULL || olen != len) { 1478 if (*ie != NULL) 1479 free(*ie, M_DEVBUF, olen); 1480 *ie = malloc(len, M_DEVBUF, M_NOWAIT); 1481 if (*ie == NULL) 1482 return ENOMEM; 1483 } 1484 memcpy(*ie, frm, len); 1485 return 0; 1486 } 1487 1488 /*- 1489 * Beacon/Probe response frame format: 1490 * [8] Timestamp 1491 * [2] Beacon interval 1492 * [2] Capability 1493 * [tlv] Service Set Identifier (SSID) 1494 * [tlv] Supported rates 1495 * [tlv] DS Parameter Set (802.11g) 1496 * [tlv] ERP Information (802.11g) 1497 * [tlv] Extended Supported Rates (802.11g) 1498 * [tlv] RSN (802.11i) 1499 * [tlv] EDCA Parameter Set (802.11e) 1500 * [tlv] QoS Capability (Beacon only, 802.11e) 1501 * [tlv] HT Capabilities (802.11n) 1502 * [tlv] HT Operation (802.11n) 1503 */ 1504 void 1505 ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m, 1506 struct ieee80211_node *rni, struct ieee80211_rxinfo *rxi, int isprobe) 1507 { 1508 struct ieee80211_node *ni; 1509 const struct ieee80211_frame *wh; 1510 const u_int8_t *frm, *efrm; 1511 const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie; 1512 const u_int8_t *rsnie, *wpaie, *htcaps, *htop; 1513 u_int16_t capinfo, bintval; 1514 u_int8_t chan, bchan, erp, dtim_count, dtim_period; 1515 int is_new; 1516 1517 /* 1518 * We process beacon/probe response frames for: 1519 * o station mode: to collect state 1520 * updates such as 802.11g slot time and for passive 1521 * scanning of APs 1522 * o adhoc mode: to discover neighbors 1523 * o hostap mode: for passive scanning of neighbor APs 1524 * o when scanning 1525 * In other words, in all modes other than monitor (which 1526 * does not process incoming frames) and adhoc-demo (which 1527 * does not use management frames at all). 1528 */ 1529 #ifdef DIAGNOSTIC 1530 if (ic->ic_opmode != IEEE80211_M_STA && 1531 #ifndef IEEE80211_STA_ONLY 1532 ic->ic_opmode != IEEE80211_M_IBSS && 1533 ic->ic_opmode != IEEE80211_M_HOSTAP && 1534 #endif 1535 ic->ic_state != IEEE80211_S_SCAN) { 1536 panic("%s: impossible operating mode", __func__); 1537 } 1538 #endif 1539 /* make sure all mandatory fixed fields are present */ 1540 if (m->m_len < sizeof(*wh) + 12) { 1541 DPRINTF(("frame too short\n")); 1542 return; 1543 } 1544 wh = mtod(m, struct ieee80211_frame *); 1545 frm = (const u_int8_t *)&wh[1]; 1546 efrm = mtod(m, u_int8_t *) + m->m_len; 1547 1548 tstamp = frm; frm += 8; 1549 bintval = LE_READ_2(frm); frm += 2; 1550 capinfo = LE_READ_2(frm); frm += 2; 1551 1552 ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = NULL; 1553 htcaps = htop = NULL; 1554 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1555 chan = bchan; 1556 erp = 0; 1557 dtim_count = dtim_period = 0; 1558 while (frm + 2 <= efrm) { 1559 if (frm + 2 + frm[1] > efrm) { 1560 ic->ic_stats.is_rx_elem_toosmall++; 1561 break; 1562 } 1563 switch (frm[0]) { 1564 case IEEE80211_ELEMID_SSID: 1565 ssid = frm; 1566 break; 1567 case IEEE80211_ELEMID_RATES: 1568 rates = frm; 1569 break; 1570 case IEEE80211_ELEMID_DSPARMS: 1571 if (frm[1] < 1) { 1572 ic->ic_stats.is_rx_elem_toosmall++; 1573 break; 1574 } 1575 chan = frm[2]; 1576 break; 1577 case IEEE80211_ELEMID_XRATES: 1578 xrates = frm; 1579 break; 1580 case IEEE80211_ELEMID_ERP: 1581 if (frm[1] < 1) { 1582 ic->ic_stats.is_rx_elem_toosmall++; 1583 break; 1584 } 1585 erp = frm[2]; 1586 break; 1587 case IEEE80211_ELEMID_RSN: 1588 rsnie = frm; 1589 break; 1590 case IEEE80211_ELEMID_EDCAPARMS: 1591 edcaie = frm; 1592 break; 1593 case IEEE80211_ELEMID_HTCAPS: 1594 htcaps = frm; 1595 break; 1596 case IEEE80211_ELEMID_HTOP: 1597 htop = frm; 1598 break; 1599 case IEEE80211_ELEMID_TIM: 1600 if (frm[1] > 3) { 1601 dtim_count = frm[2]; 1602 dtim_period = frm[3]; 1603 } 1604 break; 1605 case IEEE80211_ELEMID_VENDOR: 1606 if (frm[1] < 4) { 1607 ic->ic_stats.is_rx_elem_toosmall++; 1608 break; 1609 } 1610 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1611 if (frm[5] == 1) 1612 wpaie = frm; 1613 else if (frm[1] >= 5 && 1614 frm[5] == 2 && frm[6] == 1) 1615 wmmie = frm; 1616 } 1617 break; 1618 } 1619 frm += 2 + frm[1]; 1620 } 1621 /* supported rates element is mandatory */ 1622 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1623 DPRINTF(("invalid supported rates element\n")); 1624 return; 1625 } 1626 /* SSID element is mandatory */ 1627 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1628 DPRINTF(("invalid SSID element\n")); 1629 return; 1630 } 1631 1632 if ( 1633 #if IEEE80211_CHAN_MAX < 255 1634 chan > IEEE80211_CHAN_MAX || 1635 #endif 1636 isclr(ic->ic_chan_active, chan)) { 1637 DPRINTF(("ignore %s with invalid channel %u\n", 1638 isprobe ? "probe response" : "beacon", chan)); 1639 ic->ic_stats.is_rx_badchan++; 1640 return; 1641 } 1642 if ((ic->ic_state != IEEE80211_S_SCAN || 1643 !(ic->ic_caps & IEEE80211_C_SCANALL)) && 1644 chan != bchan) { 1645 /* 1646 * Frame was received on a channel different from the 1647 * one indicated in the DS params element id; 1648 * silently discard it. 1649 * 1650 * NB: this can happen due to signal leakage. 1651 */ 1652 DPRINTF(("ignore %s on channel %u marked for channel %u\n", 1653 isprobe ? "probe response" : "beacon", bchan, chan)); 1654 ic->ic_stats.is_rx_chanmismatch++; 1655 return; 1656 } 1657 /* 1658 * Use mac, channel and rssi so we collect only the 1659 * best potential AP with the equal bssid while scanning. 1660 * Collecting all potential APs may result in bloat of 1661 * the node tree. This call will return NULL if the node 1662 * for this APs does not exist or if the new node is the 1663 * potential better one. 1664 */ 1665 ni = ieee80211_find_node_for_beacon(ic, wh->i_addr2, 1666 &ic->ic_channels[chan], ssid, rxi->rxi_rssi); 1667 if (ni != NULL) { 1668 /* 1669 * If we are doing a directed scan for an AP with a hidden SSID 1670 * we must collect the SSID from a probe response to override 1671 * a non-zero-length SSID filled with zeroes that we may have 1672 * received earlier in a beacon. 1673 */ 1674 if (isprobe && ssid[1] != 0 && ni->ni_essid[0] == '\0') { 1675 ni->ni_esslen = ssid[1]; 1676 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1677 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1678 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1679 } 1680 1681 /* Update channel in case AP has switched */ 1682 if (ic->ic_opmode == IEEE80211_M_STA) 1683 ni->ni_chan = rni->ni_chan; 1684 1685 return; 1686 } 1687 1688 #ifdef IEEE80211_DEBUG 1689 if (ieee80211_debug > 1 && 1690 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN || 1691 (ic->ic_flags & IEEE80211_F_BGSCAN))) { 1692 printf("%s: %s%s on chan %u (bss chan %u) ", 1693 __func__, (ni == NULL ? "new " : ""), 1694 isprobe ? "probe response" : "beacon", 1695 chan, bchan); 1696 ieee80211_print_essid(ssid + 2, ssid[1]); 1697 printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2)); 1698 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1699 __func__, capinfo, bintval, erp); 1700 } 1701 #endif 1702 1703 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1704 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1705 if (ni == NULL) 1706 return; 1707 is_new = 1; 1708 } else 1709 is_new = 0; 1710 1711 if (htcaps) 1712 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1713 if (htop && !ieee80211_setup_htop(ni, htop + 2, htop[1], 1)) 1714 htop = NULL; /* invalid HTOP */ 1715 1716 ni->ni_dtimcount = dtim_count; 1717 ni->ni_dtimperiod = dtim_period; 1718 1719 /* 1720 * When operating in station mode, check for state updates 1721 * while we're associated. 1722 */ 1723 if (ic->ic_opmode == IEEE80211_M_STA && 1724 ic->ic_state == IEEE80211_S_RUN && 1725 ni->ni_state == IEEE80211_STA_BSS) { 1726 /* 1727 * Check if protection mode has changed since last beacon. 1728 */ 1729 if (ni->ni_erp != erp) { 1730 DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n", 1731 ether_sprintf((u_int8_t *)wh->i_addr2), 1732 ni->ni_erp, erp)); 1733 if ((ic->ic_curmode == IEEE80211_MODE_11G || 1734 (ic->ic_curmode == IEEE80211_MODE_11N && 1735 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 1736 (erp & IEEE80211_ERP_USE_PROTECTION)) 1737 ic->ic_flags |= IEEE80211_F_USEPROT; 1738 else 1739 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1740 ic->ic_bss->ni_erp = erp; 1741 } 1742 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT)) { 1743 enum ieee80211_htprot htprot_last, htprot; 1744 htprot_last = 1745 ((ic->ic_bss->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) 1746 >> IEEE80211_HTOP1_PROT_SHIFT); 1747 htprot = ((ni->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) >> 1748 IEEE80211_HTOP1_PROT_SHIFT); 1749 if (htprot_last != htprot) { 1750 DPRINTF(("[%s] htprot change: was %d, now %d\n", 1751 ether_sprintf((u_int8_t *)wh->i_addr2), 1752 htprot_last, htprot)); 1753 ic->ic_stats.is_ht_prot_change++; 1754 ic->ic_bss->ni_htop1 = ni->ni_htop1; 1755 if (ic->ic_update_htprot) 1756 ic->ic_update_htprot(ic, ic->ic_bss); 1757 } 1758 } 1759 1760 /* 1761 * Check if AP short slot time setting has changed 1762 * since last beacon and give the driver a chance to 1763 * update the hardware. 1764 */ 1765 if ((ni->ni_capinfo ^ capinfo) & 1766 IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1767 ieee80211_set_shortslottime(ic, 1768 ic->ic_curmode == IEEE80211_MODE_11A || 1769 (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1770 } 1771 1772 /* 1773 * Reset management timer. If it is non-zero in RUN state, the 1774 * driver sent a probe request after a missed beacon event. 1775 * This probe response indicates the AP is still serving us 1776 * so don't allow ieee80211_watchdog() to move us into SCAN. 1777 */ 1778 if ((ic->ic_flags & IEEE80211_F_BGSCAN) == 0) 1779 ic->ic_mgt_timer = 0; 1780 } 1781 /* 1782 * We do not try to update EDCA parameters if QoS was not negotiated 1783 * with the AP at association time. 1784 */ 1785 if (ni->ni_flags & IEEE80211_NODE_QOS) { 1786 /* always prefer EDCA IE over Wi-Fi Alliance WMM IE */ 1787 if ((edcaie != NULL && 1788 ieee80211_parse_edca_params(ic, edcaie) == 0) || 1789 (wmmie != NULL && 1790 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 1791 ni->ni_flags |= IEEE80211_NODE_QOS; 1792 else 1793 ni->ni_flags &= ~IEEE80211_NODE_QOS; 1794 } 1795 1796 if (ic->ic_state == IEEE80211_S_SCAN || 1797 (ic->ic_flags & IEEE80211_F_BGSCAN)) { 1798 struct ieee80211_rsnparams rsn, wpa; 1799 1800 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1801 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 1802 ni->ni_rsnakms = 0; 1803 ni->ni_supported_rsnakms = 0; 1804 ni->ni_rsnciphers = 0; 1805 ni->ni_rsngroupcipher = 0; 1806 ni->ni_rsngroupmgmtcipher = 0; 1807 ni->ni_rsncaps = 0; 1808 1809 if (rsnie != NULL && 1810 ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) { 1811 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_RSN; 1812 ni->ni_supported_rsnakms |= rsn.rsn_akms; 1813 } 1814 if (wpaie != NULL && 1815 ieee80211_parse_wpa(ic, wpaie, &wpa) == 0) { 1816 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_WPA; 1817 ni->ni_supported_rsnakms |= wpa.rsn_akms; 1818 } 1819 1820 /* 1821 * If the AP advertises both WPA and RSN IEs (WPA1+WPA2), 1822 * we only use the highest protocol version we support. 1823 */ 1824 if (rsnie != NULL && 1825 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_RSN) && 1826 (ic->ic_caps & IEEE80211_C_RSN)) { 1827 if (ieee80211_save_ie(rsnie, &ni->ni_rsnie) == 0 1828 #ifndef IEEE80211_STA_ONLY 1829 && ic->ic_opmode != IEEE80211_M_HOSTAP 1830 #endif 1831 ) { 1832 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1833 ni->ni_rsnakms = rsn.rsn_akms; 1834 ni->ni_rsnciphers = rsn.rsn_ciphers; 1835 ni->ni_rsngroupcipher = rsn.rsn_groupcipher; 1836 ni->ni_rsngroupmgmtcipher = 1837 rsn.rsn_groupmgmtcipher; 1838 ni->ni_rsncaps = rsn.rsn_caps; 1839 } 1840 } else if (wpaie != NULL && 1841 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_WPA) && 1842 (ic->ic_caps & IEEE80211_C_RSN)) { 1843 if (ieee80211_save_ie(wpaie, &ni->ni_rsnie) == 0 1844 #ifndef IEEE80211_STA_ONLY 1845 && ic->ic_opmode != IEEE80211_M_HOSTAP 1846 #endif 1847 ) { 1848 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1849 ni->ni_rsnakms = wpa.rsn_akms; 1850 ni->ni_rsnciphers = wpa.rsn_ciphers; 1851 ni->ni_rsngroupcipher = wpa.rsn_groupcipher; 1852 ni->ni_rsngroupmgmtcipher = 1853 wpa.rsn_groupmgmtcipher; 1854 ni->ni_rsncaps = wpa.rsn_caps; 1855 } 1856 } 1857 } 1858 1859 if (ssid[1] != 0 && ni->ni_essid[0] == '\0') { 1860 ni->ni_esslen = ssid[1]; 1861 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1862 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1863 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1864 } 1865 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1866 /* XXX validate channel # */ 1867 ni->ni_chan = &ic->ic_channels[chan]; 1868 if (ic->ic_state == IEEE80211_S_SCAN && 1869 IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) { 1870 /* 1871 * During a scan on 5Ghz, prefer RSSI measured for probe 1872 * response frames. i.e. don't allow beacons to lower the 1873 * measured RSSI. Some 5GHz APs send beacons with much 1874 * less Tx power than they use for probe responses. 1875 */ 1876 if (isprobe || ni->ni_rssi == 0) 1877 ni->ni_rssi = rxi->rxi_rssi; 1878 else if (ni->ni_rssi < rxi->rxi_rssi) 1879 ni->ni_rssi = rxi->rxi_rssi; 1880 } else 1881 ni->ni_rssi = rxi->rxi_rssi; 1882 ni->ni_rstamp = rxi->rxi_tstamp; 1883 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 1884 ni->ni_intval = bintval; 1885 ni->ni_capinfo = capinfo; 1886 ni->ni_erp = erp; 1887 /* NB: must be after ni_chan is setup */ 1888 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 1889 #ifndef IEEE80211_STA_ONLY 1890 if (ic->ic_opmode == IEEE80211_M_IBSS && is_new && isprobe) { 1891 /* 1892 * Fake an association so the driver can setup it's 1893 * private state. The rate set has been setup above; 1894 * there is no handshake as in ap/station operation. 1895 */ 1896 if (ic->ic_newassoc) 1897 (*ic->ic_newassoc)(ic, ni, 1); 1898 } 1899 #endif 1900 } 1901 1902 #ifndef IEEE80211_STA_ONLY 1903 /*- 1904 * Probe request frame format: 1905 * [tlv] SSID 1906 * [tlv] Supported rates 1907 * [tlv] Extended Supported Rates (802.11g) 1908 * [tlv] HT Capabilities (802.11n) 1909 */ 1910 void 1911 ieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m, 1912 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1913 { 1914 const struct ieee80211_frame *wh; 1915 const u_int8_t *frm, *efrm; 1916 const u_int8_t *ssid, *rates, *xrates, *htcaps; 1917 u_int8_t rate; 1918 1919 if (ic->ic_opmode == IEEE80211_M_STA || 1920 ic->ic_state != IEEE80211_S_RUN) 1921 return; 1922 1923 wh = mtod(m, struct ieee80211_frame *); 1924 frm = (const u_int8_t *)&wh[1]; 1925 efrm = mtod(m, u_int8_t *) + m->m_len; 1926 1927 ssid = rates = xrates = htcaps = NULL; 1928 while (frm + 2 <= efrm) { 1929 if (frm + 2 + frm[1] > efrm) { 1930 ic->ic_stats.is_rx_elem_toosmall++; 1931 break; 1932 } 1933 switch (frm[0]) { 1934 case IEEE80211_ELEMID_SSID: 1935 ssid = frm; 1936 break; 1937 case IEEE80211_ELEMID_RATES: 1938 rates = frm; 1939 break; 1940 case IEEE80211_ELEMID_XRATES: 1941 xrates = frm; 1942 break; 1943 case IEEE80211_ELEMID_HTCAPS: 1944 htcaps = frm; 1945 break; 1946 } 1947 frm += 2 + frm[1]; 1948 } 1949 /* supported rates element is mandatory */ 1950 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1951 DPRINTF(("invalid supported rates element\n")); 1952 return; 1953 } 1954 /* SSID element is mandatory */ 1955 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1956 DPRINTF(("invalid SSID element\n")); 1957 return; 1958 } 1959 /* check that the specified SSID (if not wildcard) matches ours */ 1960 if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen || 1961 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) { 1962 DPRINTF(("SSID mismatch\n")); 1963 ic->ic_stats.is_rx_ssidmismatch++; 1964 return; 1965 } 1966 /* refuse wildcard SSID if we're hiding our SSID in beacons */ 1967 if (ssid[1] == 0 && (ic->ic_userflags & IEEE80211_F_HIDENWID)) { 1968 DPRINTF(("wildcard SSID rejected")); 1969 ic->ic_stats.is_rx_ssidmismatch++; 1970 return; 1971 } 1972 1973 if (ni == ic->ic_bss) { 1974 ni = ieee80211_find_node(ic, wh->i_addr2); 1975 if (ni == NULL) 1976 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1977 if (ni == NULL) 1978 return; 1979 DPRINTF(("new probe req from %s\n", 1980 ether_sprintf((u_int8_t *)wh->i_addr2))); 1981 } 1982 ni->ni_rssi = rxi->rxi_rssi; 1983 ni->ni_rstamp = rxi->rxi_tstamp; 1984 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1985 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 1986 IEEE80211_F_DODEL); 1987 if (rate & IEEE80211_RATE_BASIC) { 1988 DPRINTF(("rate mismatch for %s\n", 1989 ether_sprintf((u_int8_t *)wh->i_addr2))); 1990 return; 1991 } 1992 if (htcaps) 1993 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1994 else 1995 ieee80211_clear_htcaps(ni); 1996 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 1997 } 1998 #endif /* IEEE80211_STA_ONLY */ 1999 2000 /*- 2001 * Authentication frame format: 2002 * [2] Authentication algorithm number 2003 * [2] Authentication transaction sequence number 2004 * [2] Status code 2005 */ 2006 void 2007 ieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m, 2008 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 2009 { 2010 const struct ieee80211_frame *wh; 2011 const u_int8_t *frm; 2012 u_int16_t algo, seq, status; 2013 2014 /* make sure all mandatory fixed fields are present */ 2015 if (m->m_len < sizeof(*wh) + 6) { 2016 DPRINTF(("frame too short\n")); 2017 return; 2018 } 2019 wh = mtod(m, struct ieee80211_frame *); 2020 frm = (const u_int8_t *)&wh[1]; 2021 2022 algo = LE_READ_2(frm); frm += 2; 2023 seq = LE_READ_2(frm); frm += 2; 2024 status = LE_READ_2(frm); frm += 2; 2025 DPRINTF(("auth %d seq %d from %s\n", algo, seq, 2026 ether_sprintf((u_int8_t *)wh->i_addr2))); 2027 2028 /* only "open" auth mode is supported */ 2029 if (algo != IEEE80211_AUTH_ALG_OPEN) { 2030 DPRINTF(("unsupported auth algorithm %d from %s\n", 2031 algo, ether_sprintf((u_int8_t *)wh->i_addr2))); 2032 ic->ic_stats.is_rx_auth_unsupported++; 2033 #ifndef IEEE80211_STA_ONLY 2034 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2035 /* XXX hack to workaround calling convention */ 2036 IEEE80211_SEND_MGMT(ic, ni, 2037 IEEE80211_FC0_SUBTYPE_AUTH, 2038 IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xffff)); 2039 } 2040 #endif 2041 return; 2042 } 2043 ieee80211_auth_open(ic, wh, ni, rxi, seq, status); 2044 } 2045 2046 #ifndef IEEE80211_STA_ONLY 2047 /*- 2048 * (Re)Association request frame format: 2049 * [2] Capability information 2050 * [2] Listen interval 2051 * [6*] Current AP address (Reassociation only) 2052 * [tlv] SSID 2053 * [tlv] Supported rates 2054 * [tlv] Extended Supported Rates (802.11g) 2055 * [tlv] RSN (802.11i) 2056 * [tlv] QoS Capability (802.11e) 2057 * [tlv] HT Capabilities (802.11n) 2058 */ 2059 void 2060 ieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m, 2061 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc) 2062 { 2063 const struct ieee80211_frame *wh; 2064 const u_int8_t *frm, *efrm; 2065 const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *wmeie, *htcaps; 2066 u_int16_t capinfo, bintval; 2067 int resp, status = 0; 2068 struct ieee80211_rsnparams rsn; 2069 u_int8_t rate; 2070 const u_int8_t *saveie = NULL; 2071 2072 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2073 ic->ic_state != IEEE80211_S_RUN) 2074 return; 2075 2076 /* make sure all mandatory fixed fields are present */ 2077 if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) { 2078 DPRINTF(("frame too short\n")); 2079 return; 2080 } 2081 wh = mtod(m, struct ieee80211_frame *); 2082 frm = (const u_int8_t *)&wh[1]; 2083 efrm = mtod(m, u_int8_t *) + m->m_len; 2084 2085 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2086 DPRINTF(("ignore other bss from %s\n", 2087 ether_sprintf((u_int8_t *)wh->i_addr2))); 2088 ic->ic_stats.is_rx_assoc_bss++; 2089 return; 2090 } 2091 capinfo = LE_READ_2(frm); frm += 2; 2092 bintval = LE_READ_2(frm); frm += 2; 2093 if (reassoc) { 2094 frm += IEEE80211_ADDR_LEN; /* skip current AP address */ 2095 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2096 } else 2097 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2098 2099 ssid = rates = xrates = rsnie = wpaie = wmeie = htcaps = NULL; 2100 while (frm + 2 <= efrm) { 2101 if (frm + 2 + frm[1] > efrm) { 2102 ic->ic_stats.is_rx_elem_toosmall++; 2103 break; 2104 } 2105 switch (frm[0]) { 2106 case IEEE80211_ELEMID_SSID: 2107 ssid = frm; 2108 break; 2109 case IEEE80211_ELEMID_RATES: 2110 rates = frm; 2111 break; 2112 case IEEE80211_ELEMID_XRATES: 2113 xrates = frm; 2114 break; 2115 case IEEE80211_ELEMID_RSN: 2116 rsnie = frm; 2117 break; 2118 case IEEE80211_ELEMID_QOS_CAP: 2119 break; 2120 case IEEE80211_ELEMID_HTCAPS: 2121 htcaps = frm; 2122 break; 2123 case IEEE80211_ELEMID_VENDOR: 2124 if (frm[1] < 4) { 2125 ic->ic_stats.is_rx_elem_toosmall++; 2126 break; 2127 } 2128 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2129 if (frm[5] == 1) 2130 wpaie = frm; 2131 /* WME info IE: len=7 type=2 subtype=0 */ 2132 if (frm[1] == 7 && frm[5] == 2 && frm[6] == 0) 2133 wmeie = frm; 2134 } 2135 break; 2136 } 2137 frm += 2 + frm[1]; 2138 } 2139 /* supported rates element is mandatory */ 2140 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2141 DPRINTF(("invalid supported rates element\n")); 2142 return; 2143 } 2144 /* SSID element is mandatory */ 2145 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 2146 DPRINTF(("invalid SSID element\n")); 2147 return; 2148 } 2149 /* check that the specified SSID matches ours */ 2150 if (ssid[1] != ic->ic_bss->ni_esslen || 2151 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) { 2152 DPRINTF(("SSID mismatch\n")); 2153 ic->ic_stats.is_rx_ssidmismatch++; 2154 return; 2155 } 2156 2157 if (ni->ni_state != IEEE80211_STA_AUTH && 2158 ni->ni_state != IEEE80211_STA_ASSOC) { 2159 DPRINTF(("deny %sassoc from %s, not authenticated\n", 2160 reassoc ? "re" : "", 2161 ether_sprintf((u_int8_t *)wh->i_addr2))); 2162 ni = ieee80211_find_node(ic, wh->i_addr2); 2163 if (ni == NULL) 2164 ni = ieee80211_dup_bss(ic, wh->i_addr2); 2165 if (ni != NULL) { 2166 IEEE80211_SEND_MGMT(ic, ni, 2167 IEEE80211_FC0_SUBTYPE_DEAUTH, 2168 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2169 } 2170 ic->ic_stats.is_rx_assoc_notauth++; 2171 return; 2172 } 2173 2174 if (ni->ni_state == IEEE80211_STA_ASSOC && 2175 (ni->ni_flags & IEEE80211_NODE_MFP)) { 2176 if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) { 2177 /* send a protected Disassociate frame */ 2178 IEEE80211_SEND_MGMT(ic, ni, 2179 IEEE80211_FC0_SUBTYPE_DISASSOC, 2180 IEEE80211_REASON_AUTH_EXPIRE); 2181 /* terminate the old SA */ 2182 ieee80211_node_leave(ic, ni); 2183 } else { 2184 /* reject the (Re)Association Request temporarily */ 2185 IEEE80211_SEND_MGMT(ic, ni, resp, 2186 IEEE80211_STATUS_TRY_AGAIN_LATER); 2187 /* start SA Query procedure if not already engaged */ 2188 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) 2189 ieee80211_sa_query_request(ic, ni); 2190 /* do not modify association state */ 2191 } 2192 return; 2193 } 2194 2195 if (!(capinfo & IEEE80211_CAPINFO_ESS)) { 2196 ic->ic_stats.is_rx_assoc_capmismatch++; 2197 status = IEEE80211_STATUS_CAPINFO; 2198 goto end; 2199 } 2200 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2201 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2202 IEEE80211_F_DODEL); 2203 if (rate & IEEE80211_RATE_BASIC) { 2204 ic->ic_stats.is_rx_assoc_norate++; 2205 status = IEEE80211_STATUS_BASIC_RATE; 2206 goto end; 2207 } 2208 2209 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2210 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 2211 ni->ni_rsnakms = 0; 2212 ni->ni_supported_rsnakms = 0; 2213 ni->ni_rsnciphers = 0; 2214 ni->ni_rsngroupcipher = 0; 2215 ni->ni_rsngroupmgmtcipher = 0; 2216 ni->ni_rsncaps = 0; 2217 2218 /* 2219 * A station should never include both a WPA and an RSN IE 2220 * in its (Re)Association Requests, but if it does, we only 2221 * consider the IE of the highest version of the protocol 2222 * that is allowed (ie RSN over WPA). 2223 */ 2224 if (rsnie != NULL) { 2225 status = ieee80211_parse_rsn(ic, rsnie, &rsn); 2226 if (status != 0) 2227 goto end; 2228 ni->ni_supported_rsnprotos = IEEE80211_PROTO_RSN; 2229 ni->ni_supported_rsnakms = rsn.rsn_akms; 2230 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2231 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 2232 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 2233 saveie = rsnie; 2234 } 2235 } else if (wpaie != NULL) { 2236 status = ieee80211_parse_wpa(ic, wpaie, &rsn); 2237 if (status != 0) 2238 goto end; 2239 ni->ni_supported_rsnprotos = IEEE80211_PROTO_WPA; 2240 ni->ni_supported_rsnakms = rsn.rsn_akms; 2241 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2242 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 2243 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 2244 saveie = wpaie; 2245 } 2246 } 2247 2248 if (ic->ic_flags & IEEE80211_F_QOS) { 2249 if (wmeie != NULL) 2250 ni->ni_flags |= IEEE80211_NODE_QOS; 2251 else /* for Reassociation */ 2252 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2253 } 2254 2255 if (ic->ic_flags & IEEE80211_F_RSNON) { 2256 if (ni->ni_rsnprotos == IEEE80211_PROTO_NONE) { 2257 /* 2258 * In an RSN, an AP shall not associate with STAs 2259 * that fail to include the RSN IE in the 2260 * (Re)Association Request. 2261 */ 2262 status = IEEE80211_STATUS_IE_INVALID; 2263 goto end; 2264 } 2265 /* 2266 * The initiating STA's RSN IE shall include one authentication 2267 * and pairwise cipher suite among those advertised by the 2268 * targeted AP. It shall also specify the group cipher suite 2269 * specified by the targeted AP. 2270 */ 2271 if (rsn.rsn_nakms != 1 || 2272 !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) { 2273 status = IEEE80211_STATUS_BAD_AKMP; 2274 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2275 goto end; 2276 } 2277 if (rsn.rsn_nciphers != 1 || 2278 !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) { 2279 status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 2280 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2281 goto end; 2282 } 2283 if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) { 2284 status = IEEE80211_STATUS_BAD_GROUP_CIPHER; 2285 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2286 goto end; 2287 } 2288 2289 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) && 2290 !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) { 2291 status = IEEE80211_STATUS_MFP_POLICY; 2292 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2293 goto end; 2294 } 2295 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 2296 (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC | 2297 IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) { 2298 /* STA advertises an invalid setting */ 2299 status = IEEE80211_STATUS_MFP_POLICY; 2300 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2301 goto end; 2302 } 2303 /* 2304 * A STA that has associated with Management Frame Protection 2305 * enabled shall not use cipher suite pairwise selector WEP40, 2306 * WEP104, TKIP, or "Use Group cipher suite". 2307 */ 2308 if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) && 2309 (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP || 2310 rsn.rsn_groupmgmtcipher != 2311 ic->ic_bss->ni_rsngroupmgmtcipher)) { 2312 status = IEEE80211_STATUS_MFP_POLICY; 2313 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2314 goto end; 2315 } 2316 2317 /* 2318 * Disallow new associations using TKIP if countermeasures 2319 * are active. 2320 */ 2321 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 2322 (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP || 2323 rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) { 2324 status = IEEE80211_STATUS_CIPHER_REJ_POLICY; 2325 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2326 goto end; 2327 } 2328 2329 /* everything looks fine, save IE and parameters */ 2330 if (saveie == NULL || 2331 ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) { 2332 status = IEEE80211_STATUS_TOOMANY; 2333 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2334 goto end; 2335 } 2336 ni->ni_rsnakms = rsn.rsn_akms; 2337 ni->ni_rsnciphers = rsn.rsn_ciphers; 2338 ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher; 2339 ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher; 2340 ni->ni_rsncaps = rsn.rsn_caps; 2341 2342 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 2343 struct ieee80211_pmk *pmk = NULL; 2344 const u_int8_t *pmkid = rsn.rsn_pmkids; 2345 /* 2346 * Check if we have a cached PMK entry matching one 2347 * of the PMKIDs specified in the RSN IE. 2348 */ 2349 while (rsn.rsn_npmkids-- > 0) { 2350 pmk = ieee80211_pmksa_find(ic, ni, pmkid); 2351 if (pmk != NULL) 2352 break; 2353 pmkid += IEEE80211_PMKID_LEN; 2354 } 2355 if (pmk != NULL) { 2356 memcpy(ni->ni_pmk, pmk->pmk_key, 2357 IEEE80211_PMK_LEN); 2358 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 2359 IEEE80211_PMKID_LEN); 2360 ni->ni_flags |= IEEE80211_NODE_PMK; 2361 } 2362 } 2363 } 2364 2365 ni->ni_rssi = rxi->rxi_rssi; 2366 ni->ni_rstamp = rxi->rxi_tstamp; 2367 ni->ni_intval = bintval; 2368 ni->ni_capinfo = capinfo; 2369 ni->ni_chan = ic->ic_bss->ni_chan; 2370 if (htcaps) 2371 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2372 else 2373 ieee80211_clear_htcaps(ni); 2374 end: 2375 if (status != 0) { 2376 IEEE80211_SEND_MGMT(ic, ni, resp, status); 2377 ieee80211_node_leave(ic, ni); 2378 } else 2379 ieee80211_node_join(ic, ni, resp); 2380 } 2381 #endif /* IEEE80211_STA_ONLY */ 2382 2383 /*- 2384 * (Re)Association response frame format: 2385 * [2] Capability information 2386 * [2] Status code 2387 * [2] Association ID (AID) 2388 * [tlv] Supported rates 2389 * [tlv] Extended Supported Rates (802.11g) 2390 * [tlv] EDCA Parameter Set (802.11e) 2391 * [tlv] HT Capabilities (802.11n) 2392 * [tlv] HT Operation (802.11n) 2393 */ 2394 void 2395 ieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m, 2396 struct ieee80211_node *ni, int reassoc) 2397 { 2398 struct ifnet *ifp = &ic->ic_if; 2399 const struct ieee80211_frame *wh; 2400 const u_int8_t *frm, *efrm; 2401 const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop; 2402 u_int16_t capinfo, status, associd; 2403 u_int8_t rate; 2404 2405 if (ic->ic_opmode != IEEE80211_M_STA || 2406 ic->ic_state != IEEE80211_S_ASSOC) { 2407 ic->ic_stats.is_rx_mgtdiscard++; 2408 return; 2409 } 2410 2411 /* make sure all mandatory fixed fields are present */ 2412 if (m->m_len < sizeof(*wh) + 6) { 2413 DPRINTF(("frame too short\n")); 2414 return; 2415 } 2416 wh = mtod(m, struct ieee80211_frame *); 2417 frm = (const u_int8_t *)&wh[1]; 2418 efrm = mtod(m, u_int8_t *) + m->m_len; 2419 2420 capinfo = LE_READ_2(frm); frm += 2; 2421 status = LE_READ_2(frm); frm += 2; 2422 if (status != IEEE80211_STATUS_SUCCESS) { 2423 if (ifp->if_flags & IFF_DEBUG) 2424 printf("%s: %sassociation failed (status %d)" 2425 " for %s\n", ifp->if_xname, 2426 reassoc ? "re" : "", 2427 status, ether_sprintf((u_int8_t *)wh->i_addr3)); 2428 if (ni != ic->ic_bss) 2429 ni->ni_fails++; 2430 ic->ic_stats.is_rx_auth_fail++; 2431 return; 2432 } 2433 associd = LE_READ_2(frm); frm += 2; 2434 2435 rates = xrates = edcaie = wmmie = htcaps = htop = NULL; 2436 while (frm + 2 <= efrm) { 2437 if (frm + 2 + frm[1] > efrm) { 2438 ic->ic_stats.is_rx_elem_toosmall++; 2439 break; 2440 } 2441 switch (frm[0]) { 2442 case IEEE80211_ELEMID_RATES: 2443 rates = frm; 2444 break; 2445 case IEEE80211_ELEMID_XRATES: 2446 xrates = frm; 2447 break; 2448 case IEEE80211_ELEMID_EDCAPARMS: 2449 edcaie = frm; 2450 break; 2451 case IEEE80211_ELEMID_HTCAPS: 2452 htcaps = frm; 2453 break; 2454 case IEEE80211_ELEMID_HTOP: 2455 htop = frm; 2456 break; 2457 case IEEE80211_ELEMID_VENDOR: 2458 if (frm[1] < 4) { 2459 ic->ic_stats.is_rx_elem_toosmall++; 2460 break; 2461 } 2462 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2463 if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1) 2464 wmmie = frm; 2465 } 2466 break; 2467 } 2468 frm += 2 + frm[1]; 2469 } 2470 /* supported rates element is mandatory */ 2471 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2472 DPRINTF(("invalid supported rates element\n")); 2473 return; 2474 } 2475 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2476 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2477 IEEE80211_F_DODEL); 2478 if (rate & IEEE80211_RATE_BASIC) { 2479 DPRINTF(("rate mismatch for %s\n", 2480 ether_sprintf((u_int8_t *)wh->i_addr2))); 2481 ic->ic_stats.is_rx_assoc_norate++; 2482 return; 2483 } 2484 ni->ni_capinfo = capinfo; 2485 ni->ni_associd = associd; 2486 if (edcaie != NULL || wmmie != NULL) { 2487 /* force update of EDCA parameters */ 2488 ic->ic_edca_updtcount = -1; 2489 2490 if ((edcaie != NULL && 2491 ieee80211_parse_edca_params(ic, edcaie) == 0) || 2492 (wmmie != NULL && 2493 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 2494 ni->ni_flags |= IEEE80211_NODE_QOS; 2495 else /* for Reassociation */ 2496 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2497 } 2498 if (htcaps) 2499 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2500 if (htop) 2501 ieee80211_setup_htop(ni, htop + 2, htop[1], 0); 2502 ieee80211_ht_negotiate(ic, ni); 2503 2504 /* Hop into 11n mode after associating to an HT AP in a non-11n mode. */ 2505 if (ni->ni_flags & IEEE80211_NODE_HT) 2506 ieee80211_setmode(ic, IEEE80211_MODE_11N); 2507 else 2508 ieee80211_setmode(ic, ieee80211_chan2mode(ic, ni->ni_chan)); 2509 /* 2510 * Reset the erp state (mostly the slot time) now that 2511 * our operating mode has been nailed down. 2512 */ 2513 ieee80211_reset_erp(ic); 2514 2515 /* 2516 * Configure state now that we are associated. 2517 */ 2518 if (ic->ic_curmode == IEEE80211_MODE_11A || 2519 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 2520 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2521 else 2522 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2523 2524 ieee80211_set_shortslottime(ic, 2525 ic->ic_curmode == IEEE80211_MODE_11A || 2526 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2527 /* 2528 * Honor ERP protection. 2529 */ 2530 if ((ic->ic_curmode == IEEE80211_MODE_11G || 2531 (ic->ic_curmode == IEEE80211_MODE_11N && 2532 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 2533 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2534 ic->ic_flags |= IEEE80211_F_USEPROT; 2535 else 2536 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2537 /* 2538 * If not an RSNA, mark the port as valid, otherwise wait for 2539 * 802.1X authentication and 4-way handshake to complete.. 2540 */ 2541 if (ic->ic_flags & IEEE80211_F_RSNON) { 2542 /* XXX ic->ic_mgt_timer = 5; */ 2543 ni->ni_rsn_supp_state = RSNA_SUPP_PTKSTART; 2544 } else if (ic->ic_flags & IEEE80211_F_WEPON) 2545 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 2546 2547 ieee80211_new_state(ic, IEEE80211_S_RUN, 2548 IEEE80211_FC0_SUBTYPE_ASSOC_RESP); 2549 } 2550 2551 /*- 2552 * Deauthentication frame format: 2553 * [2] Reason code 2554 */ 2555 void 2556 ieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m, 2557 struct ieee80211_node *ni) 2558 { 2559 const struct ieee80211_frame *wh; 2560 const u_int8_t *frm; 2561 u_int16_t reason; 2562 2563 /* make sure all mandatory fixed fields are present */ 2564 if (m->m_len < sizeof(*wh) + 2) { 2565 DPRINTF(("frame too short\n")); 2566 return; 2567 } 2568 wh = mtod(m, struct ieee80211_frame *); 2569 frm = (const u_int8_t *)&wh[1]; 2570 2571 reason = LE_READ_2(frm); 2572 2573 ic->ic_stats.is_rx_deauth++; 2574 switch (ic->ic_opmode) { 2575 case IEEE80211_M_STA: { 2576 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2577 ic->ic_state == IEEE80211_S_RUN); 2578 int stay_auth = ((ic->ic_userflags & IEEE80211_F_STAYAUTH) && 2579 ic->ic_state >= IEEE80211_S_AUTH); 2580 if (!(bgscan || stay_auth)) 2581 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2582 IEEE80211_FC0_SUBTYPE_DEAUTH); 2583 } 2584 break; 2585 #ifndef IEEE80211_STA_ONLY 2586 case IEEE80211_M_HOSTAP: 2587 if (ni != ic->ic_bss) { 2588 int stay_auth = 2589 ((ic->ic_userflags & IEEE80211_F_STAYAUTH) && 2590 (ni->ni_state == IEEE80211_STA_AUTH || 2591 ni->ni_state == IEEE80211_STA_ASSOC)); 2592 if (ic->ic_if.if_flags & IFF_DEBUG) 2593 printf("%s: station %s deauthenticated " 2594 "by peer (reason %d)\n", 2595 ic->ic_if.if_xname, 2596 ether_sprintf(ni->ni_macaddr), 2597 reason); 2598 if (!stay_auth) 2599 ieee80211_node_leave(ic, ni); 2600 } 2601 break; 2602 #endif 2603 default: 2604 break; 2605 } 2606 } 2607 2608 /*- 2609 * Disassociation frame format: 2610 * [2] Reason code 2611 */ 2612 void 2613 ieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m, 2614 struct ieee80211_node *ni) 2615 { 2616 const struct ieee80211_frame *wh; 2617 const u_int8_t *frm; 2618 u_int16_t reason; 2619 2620 /* make sure all mandatory fixed fields are present */ 2621 if (m->m_len < sizeof(*wh) + 2) { 2622 DPRINTF(("frame too short\n")); 2623 return; 2624 } 2625 wh = mtod(m, struct ieee80211_frame *); 2626 frm = (const u_int8_t *)&wh[1]; 2627 2628 reason = LE_READ_2(frm); 2629 2630 ic->ic_stats.is_rx_disassoc++; 2631 switch (ic->ic_opmode) { 2632 case IEEE80211_M_STA: { 2633 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2634 ic->ic_state == IEEE80211_S_RUN); 2635 if (!bgscan) /* ignore disassoc during bgscan */ 2636 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2637 IEEE80211_FC0_SUBTYPE_DISASSOC); 2638 } 2639 break; 2640 #ifndef IEEE80211_STA_ONLY 2641 case IEEE80211_M_HOSTAP: 2642 if (ni != ic->ic_bss) { 2643 if (ic->ic_if.if_flags & IFF_DEBUG) 2644 printf("%s: station %s disassociated " 2645 "by peer (reason %d)\n", 2646 ic->ic_if.if_xname, 2647 ether_sprintf(ni->ni_macaddr), 2648 reason); 2649 ieee80211_node_leave(ic, ni); 2650 } 2651 break; 2652 #endif 2653 default: 2654 break; 2655 } 2656 } 2657 2658 /*- 2659 * ADDBA Request frame format: 2660 * [1] Category 2661 * [1] Action 2662 * [1] Dialog Token 2663 * [2] Block Ack Parameter Set 2664 * [2] Block Ack Timeout Value 2665 * [2] Block Ack Starting Sequence Control 2666 */ 2667 void 2668 ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m, 2669 struct ieee80211_node *ni) 2670 { 2671 const struct ieee80211_frame *wh; 2672 const u_int8_t *frm; 2673 struct ieee80211_rx_ba *ba; 2674 u_int16_t params, ssn, bufsz, timeout; 2675 u_int8_t token, tid; 2676 int err = 0; 2677 2678 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2679 DPRINTF(("received ADDBA req from non-HT STA %s\n", 2680 ether_sprintf(ni->ni_macaddr))); 2681 return; 2682 } 2683 if (m->m_len < sizeof(*wh) + 9) { 2684 DPRINTF(("frame too short\n")); 2685 return; 2686 } 2687 /* MLME-ADDBA.indication */ 2688 wh = mtod(m, struct ieee80211_frame *); 2689 frm = (const u_int8_t *)&wh[1]; 2690 2691 token = frm[2]; 2692 params = LE_READ_2(&frm[3]); 2693 tid = ((params & IEEE80211_ADDBA_TID_MASK) >> 2694 IEEE80211_ADDBA_TID_SHIFT); 2695 bufsz = (params & IEEE80211_ADDBA_BUFSZ_MASK) >> 2696 IEEE80211_ADDBA_BUFSZ_SHIFT; 2697 timeout = LE_READ_2(&frm[5]); 2698 ssn = LE_READ_2(&frm[7]) >> 4; 2699 2700 ba = &ni->ni_rx_ba[tid]; 2701 /* The driver is still processing an ADDBA request for this tid. */ 2702 if (ba->ba_state == IEEE80211_BA_REQUESTED) 2703 return; 2704 /* check if we already have a Block Ack agreement for this RA/TID */ 2705 if (ba->ba_state == IEEE80211_BA_AGREED) { 2706 /* XXX should we update the timeout value? */ 2707 /* reset Block Ack inactivity timer */ 2708 if (ba->ba_timeout_val != 0) 2709 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2710 2711 /* check if it's a Protected Block Ack agreement */ 2712 if (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2713 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) 2714 return; /* not a PBAC, ignore */ 2715 2716 /* PBAC: treat the ADDBA Request like a BlockAckReq */ 2717 if (SEQ_LT(ba->ba_winstart, ssn)) { 2718 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 2719 ieee80211_ba_move_window(ic, ni, tid, ssn, &ml); 2720 if_input(&ic->ic_if, &ml); 2721 } 2722 return; 2723 } 2724 2725 /* if PBAC required but RA does not support it, refuse request */ 2726 if ((ic->ic_flags & IEEE80211_F_PBAR) && 2727 (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2728 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))) 2729 goto refuse; 2730 /* 2731 * If the TID for which the Block Ack agreement is requested is 2732 * configured with a no-ACK policy, refuse the agreement. 2733 */ 2734 if (ic->ic_tid_noack & (1 << tid)) 2735 goto refuse; 2736 2737 /* check that we support the requested Block Ack Policy */ 2738 if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) && 2739 !(params & IEEE80211_ADDBA_BA_POLICY)) 2740 goto refuse; 2741 2742 /* setup Block Ack agreement */ 2743 ba->ba_state = IEEE80211_BA_REQUESTED; 2744 ba->ba_timeout_val = timeout * IEEE80211_DUR_TU; 2745 ba->ba_ni = ni; 2746 ba->ba_token = token; 2747 timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba); 2748 timeout_set(&ba->ba_gap_to, ieee80211_input_ba_gap_timeout, ba); 2749 ba->ba_gapwait = 0; 2750 ba->ba_winsize = bufsz; 2751 if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ) 2752 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 2753 ba->ba_params = (params & IEEE80211_ADDBA_BA_POLICY); 2754 ba->ba_params |= ((ba->ba_winsize << IEEE80211_ADDBA_BUFSZ_SHIFT) | 2755 (tid << IEEE80211_ADDBA_TID_SHIFT)); 2756 #if 0 2757 /* iwm(4) 9k and iwx(4) need more work before AMSDU can be enabled. */ 2758 ba->ba_params |= IEEE80211_ADDBA_AMSDU; 2759 #endif 2760 ba->ba_winstart = ssn; 2761 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 2762 /* allocate and setup our reordering buffer */ 2763 ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf), 2764 M_DEVBUF, M_NOWAIT | M_ZERO); 2765 if (ba->ba_buf == NULL) 2766 goto refuse; 2767 2768 ba->ba_head = 0; 2769 2770 /* notify drivers of this new Block Ack agreement */ 2771 if (ic->ic_ampdu_rx_start != NULL) 2772 err = ic->ic_ampdu_rx_start(ic, ni, tid); 2773 if (err == EBUSY) { 2774 /* driver will accept or refuse agreement when done */ 2775 return; 2776 } else if (err) { 2777 /* driver failed to setup, rollback */ 2778 ieee80211_addba_req_refuse(ic, ni, tid); 2779 } else 2780 ieee80211_addba_req_accept(ic, ni, tid); 2781 return; 2782 2783 refuse: 2784 /* MLME-ADDBA.response */ 2785 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2786 IEEE80211_ACTION_ADDBA_RESP, 2787 IEEE80211_STATUS_REFUSED << 16 | token << 8 | tid); 2788 } 2789 2790 void 2791 ieee80211_addba_req_accept(struct ieee80211com *ic, struct ieee80211_node *ni, 2792 uint8_t tid) 2793 { 2794 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2795 2796 ba->ba_state = IEEE80211_BA_AGREED; 2797 ic->ic_stats.is_ht_rx_ba_agreements++; 2798 /* start Block Ack inactivity timer */ 2799 if (ba->ba_timeout_val != 0) 2800 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2801 2802 /* MLME-ADDBA.response */ 2803 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2804 IEEE80211_ACTION_ADDBA_RESP, 2805 IEEE80211_STATUS_SUCCESS << 16 | ba->ba_token << 8 | tid); 2806 } 2807 2808 void 2809 ieee80211_addba_req_refuse(struct ieee80211com *ic, struct ieee80211_node *ni, 2810 uint8_t tid) 2811 { 2812 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2813 2814 free(ba->ba_buf, M_DEVBUF, 2815 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 2816 ba->ba_buf = NULL; 2817 ba->ba_state = IEEE80211_BA_INIT; 2818 2819 /* MLME-ADDBA.response */ 2820 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2821 IEEE80211_ACTION_ADDBA_RESP, 2822 IEEE80211_STATUS_REFUSED << 16 | ba->ba_token << 8 | tid); 2823 } 2824 2825 /*- 2826 * ADDBA Response frame format: 2827 * [1] Category 2828 * [1] Action 2829 * [1] Dialog Token 2830 * [2] Status Code 2831 * [2] Block Ack Parameter Set 2832 * [2] Block Ack Timeout Value 2833 */ 2834 void 2835 ieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m, 2836 struct ieee80211_node *ni) 2837 { 2838 const struct ieee80211_frame *wh; 2839 const u_int8_t *frm; 2840 struct ieee80211_tx_ba *ba; 2841 u_int16_t status, params, bufsz, timeout; 2842 u_int8_t token, tid; 2843 int err = 0; 2844 2845 if (m->m_len < sizeof(*wh) + 9) { 2846 DPRINTF(("frame too short\n")); 2847 return; 2848 } 2849 wh = mtod(m, struct ieee80211_frame *); 2850 frm = (const u_int8_t *)&wh[1]; 2851 2852 token = frm[2]; 2853 status = LE_READ_2(&frm[3]); 2854 params = LE_READ_2(&frm[5]); 2855 tid = (params >> 2) & 0xf; 2856 bufsz = (params >> 6) & 0x3ff; 2857 timeout = LE_READ_2(&frm[7]); 2858 2859 DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n", 2860 ether_sprintf(ni->ni_macaddr), tid, status)); 2861 2862 /* 2863 * Ignore if no ADDBA request has been sent for this RA/TID or 2864 * if we already have a Block Ack agreement. 2865 */ 2866 ba = &ni->ni_tx_ba[tid]; 2867 if (ba->ba_state != IEEE80211_BA_REQUESTED) { 2868 DPRINTF(("no matching ADDBA req found\n")); 2869 return; 2870 } 2871 if (token != ba->ba_token) { 2872 DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n", 2873 ether_sprintf(ni->ni_macaddr), token, ba->ba_token)); 2874 return; 2875 } 2876 /* we got an ADDBA Response matching our request, stop timeout */ 2877 timeout_del(&ba->ba_to); 2878 2879 if (status != IEEE80211_STATUS_SUCCESS) { 2880 if (ni->ni_addba_req_intval[tid] < 2881 IEEE80211_ADDBA_REQ_INTVAL_MAX) 2882 ni->ni_addba_req_intval[tid]++; 2883 2884 ieee80211_addba_resp_refuse(ic, ni, tid, status); 2885 2886 /* 2887 * In case the peer believes there is an existing 2888 * block ack agreement with us, try to delete it. 2889 */ 2890 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2891 IEEE80211_ACTION_DELBA, 2892 IEEE80211_REASON_SETUP_REQUIRED << 16 | 1 << 8 | tid); 2893 return; 2894 } 2895 2896 /* notify drivers of this new Block Ack agreement */ 2897 if (ic->ic_ampdu_tx_start != NULL) 2898 err = ic->ic_ampdu_tx_start(ic, ni, tid); 2899 2900 if (err == EBUSY) { 2901 /* driver will accept or refuse agreement when done */ 2902 return; 2903 } else if (err) { 2904 /* driver failed to setup, rollback */ 2905 ieee80211_addba_resp_refuse(ic, ni, tid, 2906 IEEE80211_STATUS_UNSPECIFIED); 2907 } else 2908 ieee80211_addba_resp_accept(ic, ni, tid); 2909 } 2910 2911 void 2912 ieee80211_addba_resp_accept(struct ieee80211com *ic, 2913 struct ieee80211_node *ni, uint8_t tid) 2914 { 2915 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 2916 2917 /* MLME-ADDBA.confirm(Success) */ 2918 ba->ba_state = IEEE80211_BA_AGREED; 2919 ic->ic_stats.is_ht_tx_ba_agreements++; 2920 2921 /* Reset ADDBA request interval. */ 2922 ni->ni_addba_req_intval[tid] = 1; 2923 2924 /* start Block Ack inactivity timeout */ 2925 if (ba->ba_timeout_val != 0) 2926 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2927 } 2928 2929 void 2930 ieee80211_addba_resp_refuse(struct ieee80211com *ic, 2931 struct ieee80211_node *ni, uint8_t tid, uint16_t status) 2932 { 2933 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 2934 2935 /* MLME-ADDBA.confirm(Failure) */ 2936 ba->ba_state = IEEE80211_BA_INIT; 2937 } 2938 2939 /*- 2940 * DELBA frame format: 2941 * [1] Category 2942 * [1] Action 2943 * [2] DELBA Parameter Set 2944 * [2] Reason Code 2945 */ 2946 void 2947 ieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m, 2948 struct ieee80211_node *ni) 2949 { 2950 const struct ieee80211_frame *wh; 2951 const u_int8_t *frm; 2952 u_int16_t params, reason; 2953 u_int8_t tid; 2954 int i; 2955 2956 if (m->m_len < sizeof(*wh) + 6) { 2957 DPRINTF(("frame too short\n")); 2958 return; 2959 } 2960 wh = mtod(m, struct ieee80211_frame *); 2961 frm = (const u_int8_t *)&wh[1]; 2962 2963 params = LE_READ_2(&frm[2]); 2964 reason = LE_READ_2(&frm[4]); 2965 tid = params >> 12; 2966 2967 DPRINTF(("received DELBA from %s, TID %d, reason %d\n", 2968 ether_sprintf(ni->ni_macaddr), tid, reason)); 2969 2970 if (params & IEEE80211_DELBA_INITIATOR) { 2971 /* MLME-DELBA.indication(Originator) */ 2972 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2973 2974 if (ba->ba_state != IEEE80211_BA_AGREED) { 2975 DPRINTF(("no matching Block Ack agreement\n")); 2976 return; 2977 } 2978 /* notify drivers of the end of the Block Ack agreement */ 2979 if (ic->ic_ampdu_rx_stop != NULL) 2980 ic->ic_ampdu_rx_stop(ic, ni, tid); 2981 2982 ba->ba_state = IEEE80211_BA_INIT; 2983 /* stop Block Ack inactivity timer */ 2984 timeout_del(&ba->ba_to); 2985 timeout_del(&ba->ba_gap_to); 2986 ba->ba_gapwait = 0; 2987 2988 if (ba->ba_buf != NULL) { 2989 /* free all MSDUs stored in reordering buffer */ 2990 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 2991 m_freem(ba->ba_buf[i].m); 2992 /* free reordering buffer */ 2993 free(ba->ba_buf, M_DEVBUF, 2994 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 2995 ba->ba_buf = NULL; 2996 } 2997 } else { 2998 /* MLME-DELBA.indication(Recipient) */ 2999 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 3000 3001 if (ba->ba_state != IEEE80211_BA_AGREED) { 3002 DPRINTF(("no matching Block Ack agreement\n")); 3003 return; 3004 } 3005 /* notify drivers of the end of the Block Ack agreement */ 3006 if (ic->ic_ampdu_tx_stop != NULL) 3007 ic->ic_ampdu_tx_stop(ic, ni, tid); 3008 3009 ba->ba_state = IEEE80211_BA_INIT; 3010 /* stop Block Ack inactivity timer */ 3011 timeout_del(&ba->ba_to); 3012 } 3013 } 3014 3015 /*- 3016 * SA Query Request frame format: 3017 * [1] Category 3018 * [1] Action 3019 * [2] Transaction Identifier 3020 */ 3021 void 3022 ieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m, 3023 struct ieee80211_node *ni) 3024 { 3025 const struct ieee80211_frame *wh; 3026 const u_int8_t *frm; 3027 3028 if (ic->ic_opmode != IEEE80211_M_STA || 3029 !(ni->ni_flags & IEEE80211_NODE_MFP)) { 3030 DPRINTF(("unexpected SA Query req from %s\n", 3031 ether_sprintf(ni->ni_macaddr))); 3032 return; 3033 } 3034 if (m->m_len < sizeof(*wh) + 4) { 3035 DPRINTF(("frame too short\n")); 3036 return; 3037 } 3038 wh = mtod(m, struct ieee80211_frame *); 3039 frm = (const u_int8_t *)&wh[1]; 3040 3041 /* MLME-SAQuery.indication */ 3042 3043 /* save Transaction Identifier for SA Query Response */ 3044 ni->ni_sa_query_trid = LE_READ_2(&frm[2]); 3045 3046 /* MLME-SAQuery.response */ 3047 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 3048 IEEE80211_ACTION_SA_QUERY_RESP, 0); 3049 } 3050 3051 #ifndef IEEE80211_STA_ONLY 3052 /*- 3053 * SA Query Response frame format: 3054 * [1] Category 3055 * [1] Action 3056 * [2] Transaction Identifier 3057 */ 3058 void 3059 ieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m, 3060 struct ieee80211_node *ni) 3061 { 3062 const struct ieee80211_frame *wh; 3063 const u_int8_t *frm; 3064 3065 /* ignore if we're not engaged in an SA Query with that STA */ 3066 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 3067 DPRINTF(("unexpected SA Query resp from %s\n", 3068 ether_sprintf(ni->ni_macaddr))); 3069 return; 3070 } 3071 if (m->m_len < sizeof(*wh) + 4) { 3072 DPRINTF(("frame too short\n")); 3073 return; 3074 } 3075 wh = mtod(m, struct ieee80211_frame *); 3076 frm = (const u_int8_t *)&wh[1]; 3077 3078 /* check that Transaction Identifier matches */ 3079 if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) { 3080 DPRINTF(("transaction identifier does not match\n")); 3081 return; 3082 } 3083 /* MLME-SAQuery.confirm */ 3084 timeout_del(&ni->ni_sa_query_to); 3085 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 3086 } 3087 #endif 3088 3089 /*- 3090 * Action frame format: 3091 * [1] Category 3092 * [1] Action 3093 */ 3094 void 3095 ieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m, 3096 struct ieee80211_node *ni) 3097 { 3098 const struct ieee80211_frame *wh; 3099 const u_int8_t *frm; 3100 3101 if (m->m_len < sizeof(*wh) + 2) { 3102 DPRINTF(("frame too short\n")); 3103 return; 3104 } 3105 wh = mtod(m, struct ieee80211_frame *); 3106 frm = (const u_int8_t *)&wh[1]; 3107 3108 switch (frm[0]) { 3109 case IEEE80211_CATEG_BA: 3110 switch (frm[1]) { 3111 case IEEE80211_ACTION_ADDBA_REQ: 3112 ieee80211_recv_addba_req(ic, m, ni); 3113 break; 3114 case IEEE80211_ACTION_ADDBA_RESP: 3115 ieee80211_recv_addba_resp(ic, m, ni); 3116 break; 3117 case IEEE80211_ACTION_DELBA: 3118 ieee80211_recv_delba(ic, m, ni); 3119 break; 3120 } 3121 break; 3122 case IEEE80211_CATEG_SA_QUERY: 3123 switch (frm[1]) { 3124 case IEEE80211_ACTION_SA_QUERY_REQ: 3125 ieee80211_recv_sa_query_req(ic, m, ni); 3126 break; 3127 #ifndef IEEE80211_STA_ONLY 3128 case IEEE80211_ACTION_SA_QUERY_RESP: 3129 ieee80211_recv_sa_query_resp(ic, m, ni); 3130 break; 3131 #endif 3132 } 3133 break; 3134 default: 3135 DPRINTF(("action frame category %d not handled\n", frm[0])); 3136 break; 3137 } 3138 } 3139 3140 void 3141 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m, 3142 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype) 3143 { 3144 switch (subtype) { 3145 case IEEE80211_FC0_SUBTYPE_BEACON: 3146 ieee80211_recv_probe_resp(ic, m, ni, rxi, 0); 3147 break; 3148 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 3149 ieee80211_recv_probe_resp(ic, m, ni, rxi, 1); 3150 break; 3151 #ifndef IEEE80211_STA_ONLY 3152 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 3153 ieee80211_recv_probe_req(ic, m, ni, rxi); 3154 break; 3155 #endif 3156 case IEEE80211_FC0_SUBTYPE_AUTH: 3157 ieee80211_recv_auth(ic, m, ni, rxi); 3158 break; 3159 #ifndef IEEE80211_STA_ONLY 3160 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 3161 ieee80211_recv_assoc_req(ic, m, ni, rxi, 0); 3162 break; 3163 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 3164 ieee80211_recv_assoc_req(ic, m, ni, rxi, 1); 3165 break; 3166 #endif 3167 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 3168 ieee80211_recv_assoc_resp(ic, m, ni, 0); 3169 break; 3170 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 3171 ieee80211_recv_assoc_resp(ic, m, ni, 1); 3172 break; 3173 case IEEE80211_FC0_SUBTYPE_DEAUTH: 3174 ieee80211_recv_deauth(ic, m, ni); 3175 break; 3176 case IEEE80211_FC0_SUBTYPE_DISASSOC: 3177 ieee80211_recv_disassoc(ic, m, ni); 3178 break; 3179 case IEEE80211_FC0_SUBTYPE_ACTION: 3180 ieee80211_recv_action(ic, m, ni); 3181 break; 3182 default: 3183 DPRINTF(("mgmt frame with subtype 0x%x not handled\n", 3184 subtype)); 3185 ic->ic_stats.is_rx_badsubtype++; 3186 break; 3187 } 3188 } 3189 3190 #ifndef IEEE80211_STA_ONLY 3191 /* 3192 * Process an incoming PS-Poll control frame (see 11.2). 3193 */ 3194 void 3195 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m, 3196 struct ieee80211_node *ni) 3197 { 3198 struct ifnet *ifp = &ic->ic_if; 3199 struct ieee80211_frame_pspoll *psp; 3200 struct ieee80211_frame *wh; 3201 u_int16_t aid; 3202 3203 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 3204 !(ic->ic_caps & IEEE80211_C_APPMGT) || 3205 ni->ni_state != IEEE80211_STA_ASSOC) 3206 return; 3207 3208 if (m->m_len < sizeof(*psp)) { 3209 DPRINTF(("frame too short, len %u\n", m->m_len)); 3210 ic->ic_stats.is_rx_tooshort++; 3211 return; 3212 } 3213 psp = mtod(m, struct ieee80211_frame_pspoll *); 3214 if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) { 3215 DPRINTF(("discard pspoll frame to BSS %s\n", 3216 ether_sprintf(psp->i_bssid))); 3217 ic->ic_stats.is_rx_wrongbss++; 3218 return; 3219 } 3220 aid = letoh16(*(u_int16_t *)psp->i_aid); 3221 if (aid != ni->ni_associd) { 3222 DPRINTF(("invalid pspoll aid %x from %s\n", aid, 3223 ether_sprintf(psp->i_ta))); 3224 return; 3225 } 3226 3227 /* take the first queued frame and put it out.. */ 3228 m = mq_dequeue(&ni->ni_savedq); 3229 if (m == NULL) 3230 return; 3231 if (mq_empty(&ni->ni_savedq)) { 3232 /* last queued frame, turn off the TIM bit */ 3233 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 3234 } else { 3235 /* more queued frames, set the more data bit */ 3236 wh = mtod(m, struct ieee80211_frame *); 3237 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 3238 } 3239 mq_enqueue(&ic->ic_pwrsaveq, m); 3240 if_start(ifp); 3241 } 3242 #endif /* IEEE80211_STA_ONLY */ 3243 3244 /* 3245 * Process an incoming BlockAckReq control frame (see 7.2.1.7). 3246 */ 3247 void 3248 ieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m, 3249 struct ieee80211_node *ni) 3250 { 3251 const struct ieee80211_frame_min *wh; 3252 const u_int8_t *frm; 3253 u_int16_t ctl, ssn; 3254 u_int8_t tid, ntids; 3255 3256 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 3257 DPRINTF(("received BlockAckReq from non-HT STA %s\n", 3258 ether_sprintf(ni->ni_macaddr))); 3259 return; 3260 } 3261 if (m->m_len < sizeof(*wh) + 4) { 3262 DPRINTF(("frame too short\n")); 3263 return; 3264 } 3265 wh = mtod(m, struct ieee80211_frame_min *); 3266 frm = (const u_int8_t *)&wh[1]; 3267 3268 /* read BlockAckReq Control field */ 3269 ctl = LE_READ_2(&frm[0]); 3270 tid = ctl >> 12; 3271 3272 /* determine BlockAckReq frame variant */ 3273 if (ctl & IEEE80211_BA_MULTI_TID) { 3274 /* Multi-TID BlockAckReq variant (PSMP only) */ 3275 ntids = tid + 1; 3276 3277 if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) { 3278 DPRINTF(("MTBAR frame too short\n")); 3279 return; 3280 } 3281 frm += 2; /* skip BlockAckReq Control field */ 3282 while (ntids-- > 0) { 3283 /* read MTBAR Information field */ 3284 tid = LE_READ_2(&frm[0]) >> 12; 3285 ssn = LE_READ_2(&frm[2]) >> 4; 3286 ieee80211_bar_tid(ic, ni, tid, ssn); 3287 frm += 4; 3288 } 3289 } else { 3290 /* Basic or Compressed BlockAckReq variants */ 3291 ssn = LE_READ_2(&frm[2]) >> 4; 3292 ieee80211_bar_tid(ic, ni, tid, ssn); 3293 } 3294 } 3295 3296 /* 3297 * Process a BlockAckReq for a specific TID (see 9.10.7.6.3). 3298 * This is the common back-end for all BlockAckReq frame variants. 3299 */ 3300 void 3301 ieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni, 3302 u_int8_t tid, u_int16_t ssn) 3303 { 3304 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 3305 3306 /* check if we have a Block Ack agreement for RA/TID */ 3307 if (ba->ba_state != IEEE80211_BA_AGREED) { 3308 /* XXX not sure in PBAC case */ 3309 /* send a DELBA with reason code UNKNOWN-BA */ 3310 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 3311 IEEE80211_ACTION_DELBA, 3312 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 3313 return; 3314 } 3315 /* check if it is a Protected Block Ack agreement */ 3316 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 3317 (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) { 3318 /* ADDBA Requests must be used in PBAC case */ 3319 if (SEQ_LT(ssn, ba->ba_winstart) || 3320 SEQ_LT(ba->ba_winend, ssn)) 3321 ic->ic_stats.is_pbac_errs++; 3322 return; /* PBAC, do not move window */ 3323 } 3324 /* reset Block Ack inactivity timer */ 3325 if (ba->ba_timeout_val != 0) 3326 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 3327 3328 if (SEQ_LT(ba->ba_winstart, ssn)) { 3329 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 3330 ieee80211_ba_move_window(ic, ni, tid, ssn, &ml); 3331 if_input(&ic->ic_if, &ml); 3332 } 3333 } 3334