1 /* $OpenBSD: ieee80211_input.c,v 1.120 2012/07/13 11:25:04 stsp Exp $ */ 2 3 /*- 4 * Copyright (c) 2001 Atsushi Onoe 5 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 6 * Copyright (c) 2007-2009 Damien Bergamini 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of the author may not be used to endorse or promote products 18 * derived from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include "bpfilter.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 #include <sys/socket.h> 40 #include <sys/sockio.h> 41 #include <sys/endian.h> 42 #include <sys/errno.h> 43 #include <sys/proc.h> 44 #include <sys/sysctl.h> 45 #include <sys/workq.h> 46 47 #include <net/if.h> 48 #include <net/if_dl.h> 49 #include <net/if_media.h> 50 #include <net/if_arp.h> 51 #include <net/if_llc.h> 52 53 #if NBPFILTER > 0 54 #include <net/bpf.h> 55 #endif 56 57 #ifdef INET 58 #include <netinet/in.h> 59 #include <netinet/if_ether.h> 60 #endif 61 62 #include <net80211/ieee80211_var.h> 63 #include <net80211/ieee80211_priv.h> 64 65 struct mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int); 66 void ieee80211_defrag_timeout(void *); 67 #ifndef IEEE80211_NO_HT 68 void ieee80211_input_ba(struct ifnet *, struct mbuf *, 69 struct ieee80211_node *, int, struct ieee80211_rxinfo *); 70 void ieee80211_ba_move_window(struct ieee80211com *, 71 struct ieee80211_node *, u_int8_t, u_int16_t); 72 #endif 73 struct mbuf *ieee80211_align_mbuf(struct mbuf *); 74 void ieee80211_decap(struct ieee80211com *, struct mbuf *, 75 struct ieee80211_node *, int); 76 #ifndef IEEE80211_NO_HT 77 void ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *, 78 struct ieee80211_node *, int); 79 #endif 80 void ieee80211_deliver_data(struct ieee80211com *, struct mbuf *, 81 struct ieee80211_node *); 82 int ieee80211_parse_edca_params_body(struct ieee80211com *, 83 const u_int8_t *); 84 int ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *); 85 int ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *); 86 enum ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t[]); 87 enum ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t[]); 88 int ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *, 89 u_int, struct ieee80211_rsnparams *); 90 int ieee80211_save_ie(const u_int8_t *, u_int8_t **); 91 void ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *, 92 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 93 #ifndef IEEE80211_STA_ONLY 94 void ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *, 95 struct ieee80211_node *, struct ieee80211_rxinfo *); 96 #endif 97 void ieee80211_recv_auth(struct ieee80211com *, struct mbuf *, 98 struct ieee80211_node *, struct ieee80211_rxinfo *); 99 #ifndef IEEE80211_STA_ONLY 100 void ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *, 101 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 102 #endif 103 void ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *, 104 struct ieee80211_node *, int); 105 void ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *, 106 struct ieee80211_node *); 107 void ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *, 108 struct ieee80211_node *); 109 #ifndef IEEE80211_NO_HT 110 void ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *, 111 struct ieee80211_node *); 112 void ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *, 113 struct ieee80211_node *); 114 void ieee80211_recv_delba(struct ieee80211com *, struct mbuf *, 115 struct ieee80211_node *); 116 #endif 117 void ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *, 118 struct ieee80211_node *); 119 #ifndef IEEE80211_STA_ONLY 120 void ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *, 121 struct ieee80211_node *); 122 #endif 123 void ieee80211_recv_action(struct ieee80211com *, struct mbuf *, 124 struct ieee80211_node *); 125 #ifndef IEEE80211_STA_ONLY 126 void ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *, 127 struct ieee80211_node *); 128 #endif 129 #ifndef IEEE80211_NO_HT 130 void ieee80211_recv_bar(struct ieee80211com *, struct mbuf *, 131 struct ieee80211_node *); 132 void ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *, 133 u_int8_t, u_int16_t); 134 #endif 135 void ieee80211_input_print(struct ieee80211com *, struct ifnet *, 136 struct ieee80211_frame *, struct ieee80211_rxinfo *); 137 void ieee80211_input_print_task(void *, void *); 138 139 /* 140 * Retrieve the length in bytes of an 802.11 header. 141 */ 142 u_int 143 ieee80211_get_hdrlen(const struct ieee80211_frame *wh) 144 { 145 u_int size = sizeof(*wh); 146 147 /* NB: does not work with control frames */ 148 KASSERT(ieee80211_has_seq(wh)); 149 150 if (ieee80211_has_addr4(wh)) 151 size += IEEE80211_ADDR_LEN; /* i_addr4 */ 152 if (ieee80211_has_qos(wh)) 153 size += sizeof(u_int16_t); /* i_qos */ 154 if (ieee80211_has_htc(wh)) 155 size += sizeof(u_int32_t); /* i_ht */ 156 return size; 157 } 158 159 /* 160 * Work queue task that prints a received frame. Avoids printf() from 161 * interrupt context at IPL_NET making slow machines unusable when many 162 * frames are received and the interface is put in debug mode. 163 */ 164 void 165 ieee80211_input_print_task(void *arg1, void *arg2) 166 { 167 char *msg = arg1; 168 169 printf("%s", msg); 170 free(msg, M_DEVBUF); 171 172 } 173 174 void 175 ieee80211_input_print(struct ieee80211com *ic, struct ifnet *ifp, 176 struct ieee80211_frame *wh, struct ieee80211_rxinfo *rxi) 177 { 178 int doprint, error; 179 char *msg; 180 u_int8_t subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 181 182 /* avoid printing too many frames */ 183 doprint = 0; 184 switch (subtype) { 185 case IEEE80211_FC0_SUBTYPE_BEACON: 186 if (ic->ic_state == IEEE80211_S_SCAN) 187 doprint = 1; 188 break; 189 #ifndef IEEE80211_STA_ONLY 190 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 191 if (ic->ic_opmode == IEEE80211_M_IBSS) 192 doprint = 1; 193 break; 194 #endif 195 default: 196 doprint = 1; 197 break; 198 } 199 #ifdef IEEE80211_DEBUG 200 doprint += ieee80211_debug; 201 #endif 202 if (!doprint) 203 return; 204 205 msg = malloc(1024, M_DEVBUF, M_NOWAIT); 206 if (msg == NULL) 207 return; 208 209 snprintf(msg, 1024, "%s: received %s from %s rssi %d mode %s\n", 210 ifp->if_xname, 211 ieee80211_mgt_subtype_name[subtype >> IEEE80211_FC0_SUBTYPE_SHIFT], 212 ether_sprintf(wh->i_addr2), rxi->rxi_rssi, 213 ieee80211_phymode_name[ieee80211_chan2mode( 214 ic, ic->ic_bss->ni_chan)]); 215 216 error = workq_add_task(NULL, 0, ieee80211_input_print_task, msg, NULL); 217 if (error) 218 free(msg, M_DEVBUF); 219 } 220 221 /* 222 * Process a received frame. The node associated with the sender 223 * should be supplied. If nothing was found in the node table then 224 * the caller is assumed to supply a reference to ic_bss instead. 225 * The RSSI and a timestamp are also supplied. The RSSI data is used 226 * during AP scanning to select a AP to associate with; it can have 227 * any units so long as values have consistent units and higher values 228 * mean ``better signal''. The receive timestamp is currently not used 229 * by the 802.11 layer. 230 */ 231 void 232 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 233 struct ieee80211_rxinfo *rxi) 234 { 235 struct ieee80211com *ic = (void *)ifp; 236 struct ieee80211_frame *wh; 237 u_int16_t *orxseq, nrxseq, qos; 238 u_int8_t dir, type, subtype, tid; 239 int hdrlen, hasqos; 240 241 KASSERT(ni != NULL); 242 243 /* in monitor mode, send everything directly to bpf */ 244 if (ic->ic_opmode == IEEE80211_M_MONITOR) 245 goto out; 246 247 /* 248 * Do not process frames without an Address 2 field any further. 249 * Only CTS and ACK control frames do not have this field. 250 */ 251 if (m->m_len < sizeof(struct ieee80211_frame_min)) { 252 DPRINTF(("frame too short, len %u\n", m->m_len)); 253 ic->ic_stats.is_rx_tooshort++; 254 goto out; 255 } 256 257 wh = mtod(m, struct ieee80211_frame *); 258 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 259 IEEE80211_FC0_VERSION_0) { 260 DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0])); 261 ic->ic_stats.is_rx_badversion++; 262 goto err; 263 } 264 265 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 266 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 267 268 if (type != IEEE80211_FC0_TYPE_CTL) { 269 hdrlen = ieee80211_get_hdrlen(wh); 270 if (m->m_len < hdrlen) { 271 DPRINTF(("frame too short, len %u\n", m->m_len)); 272 ic->ic_stats.is_rx_tooshort++; 273 goto err; 274 } 275 } 276 if ((hasqos = ieee80211_has_qos(wh))) { 277 qos = ieee80211_get_qos(wh); 278 tid = qos & IEEE80211_QOS_TID; 279 } 280 281 /* duplicate detection (see 9.2.9) */ 282 if (ieee80211_has_seq(wh) && 283 ic->ic_state != IEEE80211_S_SCAN) { 284 nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >> 285 IEEE80211_SEQ_SEQ_SHIFT; 286 if (hasqos) 287 orxseq = &ni->ni_qos_rxseqs[tid]; 288 else 289 orxseq = &ni->ni_rxseq; 290 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 291 nrxseq == *orxseq) { 292 /* duplicate, silently discarded */ 293 ic->ic_stats.is_rx_dup++; 294 goto out; 295 } 296 *orxseq = nrxseq; 297 } 298 if (ic->ic_state != IEEE80211_S_SCAN) { 299 ni->ni_rssi = rxi->rxi_rssi; 300 ni->ni_rstamp = rxi->rxi_tstamp; 301 ni->ni_inact = 0; 302 } 303 304 #ifndef IEEE80211_STA_ONLY 305 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 306 (ic->ic_caps & IEEE80211_C_APPMGT) && 307 ni->ni_state == IEEE80211_STA_ASSOC) { 308 if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) { 309 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) { 310 /* turn on PS mode */ 311 ni->ni_pwrsave = IEEE80211_PS_DOZE; 312 ic->ic_pssta++; 313 DPRINTF(("PS mode on for %s, count %d\n", 314 ether_sprintf(wh->i_addr2), ic->ic_pssta)); 315 } 316 } else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) { 317 /* turn off PS mode */ 318 ni->ni_pwrsave = IEEE80211_PS_AWAKE; 319 ic->ic_pssta--; 320 DPRINTF(("PS mode off for %s, count %d\n", 321 ether_sprintf(wh->i_addr2), ic->ic_pssta)); 322 323 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 324 325 /* dequeue buffered unicast frames */ 326 while (!IF_IS_EMPTY(&ni->ni_savedq)) { 327 struct mbuf *m; 328 IF_DEQUEUE(&ni->ni_savedq, m); 329 IF_ENQUEUE(&ic->ic_pwrsaveq, m); 330 (*ifp->if_start)(ifp); 331 } 332 } 333 } 334 #endif 335 switch (type) { 336 case IEEE80211_FC0_TYPE_DATA: 337 switch (ic->ic_opmode) { 338 case IEEE80211_M_STA: 339 if (dir != IEEE80211_FC1_DIR_FROMDS) { 340 ic->ic_stats.is_rx_wrongdir++; 341 goto out; 342 } 343 if (ic->ic_state != IEEE80211_S_SCAN && 344 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 345 /* Source address is not our BSS. */ 346 DPRINTF(("discard frame from SA %s\n", 347 ether_sprintf(wh->i_addr2))); 348 ic->ic_stats.is_rx_wrongbss++; 349 goto out; 350 } 351 if ((ifp->if_flags & IFF_SIMPLEX) && 352 IEEE80211_IS_MULTICAST(wh->i_addr1) && 353 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 354 /* 355 * In IEEE802.11 network, multicast frame 356 * sent from me is broadcasted from AP. 357 * It should be silently discarded for 358 * SIMPLEX interface. 359 */ 360 ic->ic_stats.is_rx_mcastecho++; 361 goto out; 362 } 363 break; 364 #ifndef IEEE80211_STA_ONLY 365 case IEEE80211_M_IBSS: 366 case IEEE80211_M_AHDEMO: 367 if (dir != IEEE80211_FC1_DIR_NODS) { 368 ic->ic_stats.is_rx_wrongdir++; 369 goto out; 370 } 371 if (ic->ic_state != IEEE80211_S_SCAN && 372 !IEEE80211_ADDR_EQ(wh->i_addr3, 373 ic->ic_bss->ni_bssid) && 374 !IEEE80211_ADDR_EQ(wh->i_addr3, 375 etherbroadcastaddr)) { 376 /* Destination is not our BSS or broadcast. */ 377 DPRINTF(("discard data frame to DA %s\n", 378 ether_sprintf(wh->i_addr3))); 379 ic->ic_stats.is_rx_wrongbss++; 380 goto out; 381 } 382 break; 383 case IEEE80211_M_HOSTAP: 384 if (dir != IEEE80211_FC1_DIR_TODS) { 385 ic->ic_stats.is_rx_wrongdir++; 386 goto out; 387 } 388 if (ic->ic_state != IEEE80211_S_SCAN && 389 !IEEE80211_ADDR_EQ(wh->i_addr1, 390 ic->ic_bss->ni_bssid) && 391 !IEEE80211_ADDR_EQ(wh->i_addr1, 392 etherbroadcastaddr)) { 393 /* BSS is not us or broadcast. */ 394 DPRINTF(("discard data frame to BSS %s\n", 395 ether_sprintf(wh->i_addr1))); 396 ic->ic_stats.is_rx_wrongbss++; 397 goto out; 398 } 399 /* check if source STA is associated */ 400 if (ni == ic->ic_bss) { 401 DPRINTF(("data from unknown src %s\n", 402 ether_sprintf(wh->i_addr2))); 403 /* NB: caller deals with reference */ 404 ni = ieee80211_dup_bss(ic, wh->i_addr2); 405 if (ni != NULL) { 406 IEEE80211_SEND_MGMT(ic, ni, 407 IEEE80211_FC0_SUBTYPE_DEAUTH, 408 IEEE80211_REASON_NOT_AUTHED); 409 } 410 ic->ic_stats.is_rx_notassoc++; 411 goto err; 412 } 413 if (ni->ni_associd == 0) { 414 DPRINTF(("data from unassoc src %s\n", 415 ether_sprintf(wh->i_addr2))); 416 IEEE80211_SEND_MGMT(ic, ni, 417 IEEE80211_FC0_SUBTYPE_DISASSOC, 418 IEEE80211_REASON_NOT_ASSOCED); 419 ic->ic_stats.is_rx_notassoc++; 420 goto err; 421 } 422 break; 423 #endif /* IEEE80211_STA_ONLY */ 424 default: 425 /* can't get there */ 426 goto out; 427 } 428 429 #ifndef IEEE80211_NO_HT 430 if (!(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE) && 431 hasqos && (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 432 IEEE80211_QOS_ACK_POLICY_BA) { 433 /* check if we have a BA agreement for this RA/TID */ 434 if (ni->ni_rx_ba[tid].ba_state != 435 IEEE80211_BA_AGREED) { 436 DPRINTF(("no BA agreement for %s, TID %d\n", 437 ether_sprintf(ni->ni_macaddr), tid)); 438 /* send a DELBA with reason code UNKNOWN-BA */ 439 IEEE80211_SEND_ACTION(ic, ni, 440 IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA, 441 IEEE80211_REASON_SETUP_REQUIRED << 16 | 442 tid); 443 goto err; 444 } 445 /* go through A-MPDU reordering */ 446 ieee80211_input_ba(ifp, m, ni, tid, rxi); 447 return; /* don't free m! */ 448 } 449 #endif 450 if ((ic->ic_flags & IEEE80211_F_WEPON) || 451 ((ic->ic_flags & IEEE80211_F_RSNON) && 452 (ni->ni_flags & IEEE80211_NODE_RXPROT))) { 453 /* protection is on for Rx */ 454 if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 455 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 456 /* drop unencrypted */ 457 ic->ic_stats.is_rx_unencrypted++; 458 goto err; 459 } 460 /* do software decryption */ 461 m = ieee80211_decrypt(ic, m, ni); 462 if (m == NULL) { 463 ic->ic_stats.is_rx_wepfail++; 464 goto err; 465 } 466 wh = mtod(m, struct ieee80211_frame *); 467 } 468 } else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) || 469 (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 470 /* frame encrypted but protection off for Rx */ 471 ic->ic_stats.is_rx_nowep++; 472 goto out; 473 } 474 475 #if NBPFILTER > 0 476 /* copy to listener after decrypt */ 477 if (ic->ic_rawbpf) 478 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 479 #endif 480 481 #ifndef IEEE80211_NO_HT 482 if ((ni->ni_flags & IEEE80211_NODE_HT) && 483 hasqos && (qos & IEEE80211_QOS_AMSDU)) 484 ieee80211_amsdu_decap(ic, m, ni, hdrlen); 485 else 486 #endif 487 ieee80211_decap(ic, m, ni, hdrlen); 488 return; 489 490 case IEEE80211_FC0_TYPE_MGT: 491 if (dir != IEEE80211_FC1_DIR_NODS) { 492 ic->ic_stats.is_rx_wrongdir++; 493 goto err; 494 } 495 #ifndef IEEE80211_STA_ONLY 496 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 497 ic->ic_stats.is_rx_ahdemo_mgt++; 498 goto out; 499 } 500 #endif 501 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 502 503 /* drop frames without interest */ 504 if (ic->ic_state == IEEE80211_S_SCAN) { 505 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 506 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 507 ic->ic_stats.is_rx_mgtdiscard++; 508 goto out; 509 } 510 } 511 512 if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) { 513 /* MMPDU protection is on for Rx */ 514 if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC || 515 subtype == IEEE80211_FC0_SUBTYPE_DEAUTH || 516 subtype == IEEE80211_FC0_SUBTYPE_ACTION) { 517 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) && 518 !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 519 /* unicast mgmt not encrypted */ 520 goto out; 521 } 522 /* do software decryption */ 523 m = ieee80211_decrypt(ic, m, ni); 524 if (m == NULL) { 525 /* XXX stats */ 526 goto out; 527 } 528 wh = mtod(m, struct ieee80211_frame *); 529 } 530 } else if ((ic->ic_flags & IEEE80211_F_RSNON) && 531 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 532 /* encrypted but MMPDU Rx protection off for TA */ 533 goto out; 534 } 535 536 if (ifp->if_flags & IFF_DEBUG) 537 ieee80211_input_print(ic, ifp, wh, rxi); 538 #if NBPFILTER > 0 539 if (ic->ic_rawbpf) 540 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 541 /* 542 * Drop mbuf if it was filtered by bpf. Normally, this is 543 * done in ether_input() but IEEE 802.11 management frames 544 * are a special case. 545 */ 546 if (m->m_flags & M_FILDROP) { 547 m_freem(m); 548 return; 549 } 550 #endif 551 (*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype); 552 m_freem(m); 553 return; 554 555 case IEEE80211_FC0_TYPE_CTL: 556 ic->ic_stats.is_rx_ctl++; 557 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 558 switch (subtype) { 559 #ifndef IEEE80211_STA_ONLY 560 case IEEE80211_FC0_SUBTYPE_PS_POLL: 561 ieee80211_recv_pspoll(ic, m, ni); 562 break; 563 #endif 564 #ifndef IEEE80211_NO_HT 565 case IEEE80211_FC0_SUBTYPE_BAR: 566 ieee80211_recv_bar(ic, m, ni); 567 break; 568 #endif 569 default: 570 break; 571 } 572 goto out; 573 574 default: 575 DPRINTF(("bad frame type %x\n", type)); 576 /* should not come here */ 577 break; 578 } 579 err: 580 ifp->if_ierrors++; 581 out: 582 if (m != NULL) { 583 #if NBPFILTER > 0 584 if (ic->ic_rawbpf) 585 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 586 #endif 587 m_freem(m); 588 } 589 } 590 591 /* 592 * Handle defragmentation (see 9.5 and Annex C). We support the concurrent 593 * reception of fragments of three fragmented MSDUs or MMPDUs. 594 */ 595 struct mbuf * 596 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 597 { 598 const struct ieee80211_frame *owh, *wh; 599 struct ieee80211_defrag *df; 600 u_int16_t rxseq, seq; 601 u_int8_t frag; 602 int i; 603 604 wh = mtod(m, struct ieee80211_frame *); 605 rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 606 seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 607 frag = rxseq & IEEE80211_SEQ_FRAG_MASK; 608 609 if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)) 610 return m; /* not fragmented */ 611 612 if (frag == 0) { 613 /* first fragment, setup entry in the fragment cache */ 614 if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE) 615 ic->ic_defrag_cur = 0; 616 df = &ic->ic_defrag[ic->ic_defrag_cur]; 617 if (df->df_m != NULL) 618 m_freem(df->df_m); /* discard old entry */ 619 df->df_seq = seq; 620 df->df_frag = 0; 621 df->df_m = m; 622 /* start receive MSDU timer of aMaxReceiveLifetime */ 623 timeout_add_sec(&df->df_to, 1); 624 return NULL; /* MSDU or MMPDU not yet complete */ 625 } 626 627 /* find matching entry in the fragment cache */ 628 for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) { 629 df = &ic->ic_defrag[i]; 630 if (df->df_m == NULL) 631 continue; 632 if (df->df_seq != seq || df->df_frag + 1 != frag) 633 continue; 634 owh = mtod(df->df_m, struct ieee80211_frame *); 635 /* frame type, source and destination must match */ 636 if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) || 637 !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) || 638 !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2)) 639 continue; 640 /* matching entry found */ 641 break; 642 } 643 if (i == IEEE80211_DEFRAG_SIZE) { 644 /* no matching entry found, discard fragment */ 645 ic->ic_if.if_ierrors++; 646 m_freem(m); 647 return NULL; 648 } 649 650 df->df_frag = frag; 651 /* strip 802.11 header and concatenate fragment */ 652 m_adj(m, hdrlen); 653 m_cat(df->df_m, m); 654 df->df_m->m_pkthdr.len += m->m_pkthdr.len; 655 656 if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) 657 return NULL; /* MSDU or MMPDU not yet complete */ 658 659 /* MSDU or MMPDU complete */ 660 timeout_del(&df->df_to); 661 m = df->df_m; 662 df->df_m = NULL; 663 return m; 664 } 665 666 /* 667 * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime. 668 */ 669 void 670 ieee80211_defrag_timeout(void *arg) 671 { 672 struct ieee80211_defrag *df = arg; 673 int s = splnet(); 674 675 /* discard all received fragments */ 676 m_freem(df->df_m); 677 df->df_m = NULL; 678 679 splx(s); 680 } 681 682 #ifndef IEEE80211_NO_HT 683 /* 684 * Process a received data MPDU related to a specific HT-immediate Block Ack 685 * agreement (see 9.10.7.6). 686 */ 687 void 688 ieee80211_input_ba(struct ifnet *ifp, struct mbuf *m, 689 struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi) 690 { 691 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 692 struct ieee80211_frame *wh; 693 int idx, count; 694 u_int16_t sn; 695 696 wh = mtod(m, struct ieee80211_frame *); 697 sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 698 699 /* reset Block Ack inactivity timer */ 700 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 701 702 if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */ 703 ifp->if_ierrors++; 704 m_freem(m); /* discard the MPDU */ 705 return; 706 } 707 if (SEQ_LT(ba->ba_winend, sn)) { /* WinEndB < SN */ 708 count = (sn - ba->ba_winend) & 0xfff; 709 if (count > ba->ba_winsize) /* no overlap */ 710 count = ba->ba_winsize; 711 while (count-- > 0) { 712 /* gaps may exist */ 713 if (ba->ba_buf[ba->ba_head].m != NULL) { 714 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, 715 ni, &ba->ba_buf[ba->ba_head].rxi); 716 ba->ba_buf[ba->ba_head].m = NULL; 717 } 718 ba->ba_head = (ba->ba_head + 1) % 719 IEEE80211_BA_MAX_WINSZ; 720 } 721 /* move window forward */ 722 ba->ba_winend = sn; 723 ba->ba_winstart = (sn - ba->ba_winsize + 1) & 0xfff; 724 } 725 /* WinStartB <= SN <= WinEndB */ 726 727 idx = (sn - ba->ba_winstart) & 0xfff; 728 idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ; 729 /* store the received MPDU in the buffer */ 730 if (ba->ba_buf[idx].m != NULL) { 731 ifp->if_ierrors++; 732 m_freem(m); 733 return; 734 } 735 ba->ba_buf[idx].m = m; 736 /* store Rx meta-data too */ 737 rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE; 738 ba->ba_buf[idx].rxi = *rxi; 739 740 /* pass reordered MPDUs up to the next MAC process */ 741 while (ba->ba_buf[ba->ba_head].m != NULL) { 742 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 743 &ba->ba_buf[ba->ba_head].rxi); 744 ba->ba_buf[ba->ba_head].m = NULL; 745 746 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 747 /* move window forward */ 748 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 749 } 750 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 751 } 752 753 /* 754 * Change the value of WinStartB (move window forward) upon reception of a 755 * BlockAckReq frame or an ADDBA Request (PBAC). 756 */ 757 void 758 ieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni, 759 u_int8_t tid, u_int16_t ssn) 760 { 761 struct ifnet *ifp = &ic->ic_if; 762 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 763 int count; 764 765 /* assert(WinStartB <= SSN) */ 766 767 count = (ssn - ba->ba_winstart) & 0xfff; 768 if (count > ba->ba_winsize) /* no overlap */ 769 count = ba->ba_winsize; 770 while (count-- > 0) { 771 /* gaps may exist */ 772 if (ba->ba_buf[ba->ba_head].m != NULL) { 773 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 774 &ba->ba_buf[ba->ba_head].rxi); 775 ba->ba_buf[ba->ba_head].m = NULL; 776 } 777 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 778 } 779 /* move window forward */ 780 ba->ba_winstart = ssn; 781 782 /* pass reordered MPDUs up to the next MAC process */ 783 while (ba->ba_buf[ba->ba_head].m != NULL) { 784 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 785 &ba->ba_buf[ba->ba_head].rxi); 786 ba->ba_buf[ba->ba_head].m = NULL; 787 788 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 789 /* move window forward */ 790 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 791 } 792 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 793 } 794 #endif /* !IEEE80211_NO_HT */ 795 796 void 797 ieee80211_deliver_data(struct ieee80211com *ic, struct mbuf *m, 798 struct ieee80211_node *ni) 799 { 800 struct ifnet *ifp = &ic->ic_if; 801 struct ether_header *eh; 802 struct mbuf *m1; 803 804 eh = mtod(m, struct ether_header *); 805 806 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid && 807 eh->ether_type != htons(ETHERTYPE_PAE)) { 808 DPRINTF(("port not valid: %s\n", 809 ether_sprintf(eh->ether_dhost))); 810 ic->ic_stats.is_rx_unauth++; 811 m_freem(m); 812 return; 813 } 814 ifp->if_ipackets++; 815 816 /* 817 * Perform as a bridge within the AP. Notice that we do not 818 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X. 819 */ 820 m1 = NULL; 821 #ifndef IEEE80211_STA_ONLY 822 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 823 !(ic->ic_flags & IEEE80211_F_NOBRIDGE) && 824 eh->ether_type != htons(ETHERTYPE_PAE)) { 825 struct ieee80211_node *ni1; 826 int error, len; 827 828 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 829 m1 = m_copym2(m, 0, M_COPYALL, M_DONTWAIT); 830 if (m1 == NULL) 831 ifp->if_oerrors++; 832 else 833 m1->m_flags |= M_MCAST; 834 } else { 835 ni1 = ieee80211_find_node(ic, eh->ether_dhost); 836 if (ni1 != NULL && 837 ni1->ni_state == IEEE80211_STA_ASSOC) { 838 m1 = m; 839 m = NULL; 840 } 841 } 842 if (m1 != NULL) { 843 len = m1->m_pkthdr.len; 844 IFQ_ENQUEUE(&ifp->if_snd, m1, NULL, error); 845 if (error) 846 ifp->if_oerrors++; 847 else { 848 if (m != NULL) 849 ifp->if_omcasts++; 850 ifp->if_obytes += len; 851 if_start(ifp); 852 } 853 } 854 } 855 #endif 856 if (m != NULL) { 857 #if NBPFILTER > 0 858 /* 859 * If we forward frame into transmitter of the AP, 860 * we don't need to duplicate for DLT_EN10MB. 861 */ 862 if (ifp->if_bpf && m1 == NULL) 863 bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN); 864 #endif 865 if ((ic->ic_flags & IEEE80211_F_RSNON) && 866 eh->ether_type == htons(ETHERTYPE_PAE)) 867 ieee80211_eapol_key_input(ic, m, ni); 868 else 869 ether_input_mbuf(ifp, m); 870 } 871 } 872 873 #ifdef __STRICT_ALIGNMENT 874 /* 875 * Make sure protocol header (e.g. IP) is aligned on a 32-bit boundary. 876 * This is achieved by copying mbufs so drivers should try to map their 877 * buffers such that this copying is not necessary. It is however not 878 * always possible because 802.11 header length may vary (non-QoS+LLC 879 * is 32 bytes while QoS+LLC is 34 bytes). Some devices are smart and 880 * add 2 padding bytes after the 802.11 header in the QoS case so this 881 * function is there for stupid drivers/devices only. 882 * 883 * XXX -- this is horrible 884 */ 885 struct mbuf * 886 ieee80211_align_mbuf(struct mbuf *m) 887 { 888 struct mbuf *n, *n0, **np; 889 caddr_t newdata; 890 int off, pktlen; 891 892 n0 = NULL; 893 np = &n0; 894 off = 0; 895 pktlen = m->m_pkthdr.len; 896 while (pktlen > off) { 897 if (n0 == NULL) { 898 MGETHDR(n, M_DONTWAIT, MT_DATA); 899 if (n == NULL) { 900 m_freem(m); 901 return NULL; 902 } 903 if (m_dup_pkthdr(n, m, M_DONTWAIT)) { 904 m_free(n); 905 m_freem(m); 906 return (NULL); 907 } 908 n->m_len = MHLEN; 909 } else { 910 MGET(n, M_DONTWAIT, MT_DATA); 911 if (n == NULL) { 912 m_freem(m); 913 m_freem(n0); 914 return NULL; 915 } 916 n->m_len = MLEN; 917 } 918 if (pktlen - off >= MINCLSIZE) { 919 MCLGET(n, M_DONTWAIT); 920 if (n->m_flags & M_EXT) 921 n->m_len = n->m_ext.ext_size; 922 } 923 if (n0 == NULL) { 924 newdata = (caddr_t)ALIGN(n->m_data + ETHER_HDR_LEN) - 925 ETHER_HDR_LEN; 926 n->m_len -= newdata - n->m_data; 927 n->m_data = newdata; 928 } 929 if (n->m_len > pktlen - off) 930 n->m_len = pktlen - off; 931 m_copydata(m, off, n->m_len, mtod(n, caddr_t)); 932 off += n->m_len; 933 *np = n; 934 np = &n->m_next; 935 } 936 m_freem(m); 937 return n0; 938 } 939 #endif /* __STRICT_ALIGNMENT */ 940 941 void 942 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, 943 struct ieee80211_node *ni, int hdrlen) 944 { 945 struct ether_header eh; 946 struct ieee80211_frame *wh; 947 struct llc *llc; 948 949 if (m->m_len < hdrlen + LLC_SNAPFRAMELEN && 950 (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) { 951 ic->ic_stats.is_rx_decap++; 952 return; 953 } 954 wh = mtod(m, struct ieee80211_frame *); 955 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 956 case IEEE80211_FC1_DIR_NODS: 957 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 958 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 959 break; 960 case IEEE80211_FC1_DIR_TODS: 961 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 962 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 963 break; 964 case IEEE80211_FC1_DIR_FROMDS: 965 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 966 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr3); 967 break; 968 case IEEE80211_FC1_DIR_DSTODS: 969 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 970 IEEE80211_ADDR_COPY(eh.ether_shost, 971 ((struct ieee80211_frame_addr4 *)wh)->i_addr4); 972 break; 973 } 974 llc = (struct llc *)((caddr_t)wh + hdrlen); 975 if (llc->llc_dsap == LLC_SNAP_LSAP && 976 llc->llc_ssap == LLC_SNAP_LSAP && 977 llc->llc_control == LLC_UI && 978 llc->llc_snap.org_code[0] == 0 && 979 llc->llc_snap.org_code[1] == 0 && 980 llc->llc_snap.org_code[2] == 0) { 981 eh.ether_type = llc->llc_snap.ether_type; 982 m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN); 983 } else { 984 eh.ether_type = htons(m->m_pkthdr.len - hdrlen); 985 m_adj(m, hdrlen - ETHER_HDR_LEN); 986 } 987 memcpy(mtod(m, caddr_t), &eh, ETHER_HDR_LEN); 988 #ifdef __STRICT_ALIGNMENT 989 if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) { 990 if ((m = ieee80211_align_mbuf(m)) == NULL) { 991 ic->ic_stats.is_rx_decap++; 992 return; 993 } 994 } 995 #endif 996 ieee80211_deliver_data(ic, m, ni); 997 } 998 999 #ifndef IEEE80211_NO_HT 1000 /* 1001 * Decapsulate an Aggregate MSDU (see 7.2.2.2). 1002 */ 1003 void 1004 ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m, 1005 struct ieee80211_node *ni, int hdrlen) 1006 { 1007 struct mbuf *n; 1008 struct ether_header *eh; 1009 struct llc *llc; 1010 int len, pad; 1011 1012 /* strip 802.11 header */ 1013 m_adj(m, hdrlen); 1014 1015 for (;;) { 1016 /* process an A-MSDU subframe */ 1017 if (m->m_len < ETHER_HDR_LEN + LLC_SNAPFRAMELEN) { 1018 m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN); 1019 if (m == NULL) { 1020 ic->ic_stats.is_rx_decap++; 1021 break; 1022 } 1023 } 1024 eh = mtod(m, struct ether_header *); 1025 /* examine 802.3 header */ 1026 len = ntohs(eh->ether_type); 1027 if (len < LLC_SNAPFRAMELEN) { 1028 DPRINTF(("A-MSDU subframe too short (%d)\n", len)); 1029 /* stop processing A-MSDU subframes */ 1030 ic->ic_stats.is_rx_decap++; 1031 m_freem(m); 1032 break; 1033 } 1034 llc = (struct llc *)&eh[1]; 1035 /* examine 802.2 LLC header */ 1036 if (llc->llc_dsap == LLC_SNAP_LSAP && 1037 llc->llc_ssap == LLC_SNAP_LSAP && 1038 llc->llc_control == LLC_UI && 1039 llc->llc_snap.org_code[0] == 0 && 1040 llc->llc_snap.org_code[1] == 0 && 1041 llc->llc_snap.org_code[2] == 0) { 1042 /* convert to Ethernet II header */ 1043 eh->ether_type = llc->llc_snap.ether_type; 1044 /* strip LLC+SNAP headers */ 1045 ovbcopy(eh, (u_int8_t *)eh + LLC_SNAPFRAMELEN, 1046 ETHER_HDR_LEN); 1047 m_adj(m, LLC_SNAPFRAMELEN); 1048 len -= LLC_SNAPFRAMELEN; 1049 } 1050 len += ETHER_HDR_LEN; 1051 1052 /* "detach" our A-MSDU subframe from the others */ 1053 n = m_split(m, len, M_NOWAIT); 1054 if (n == NULL) { 1055 /* stop processing A-MSDU subframes */ 1056 ic->ic_stats.is_rx_decap++; 1057 m_freem(m); 1058 break; 1059 } 1060 ieee80211_deliver_data(ic, m, ni); 1061 1062 m = n; 1063 /* remove padding */ 1064 pad = ((len + 3) & ~3) - len; 1065 m_adj(m, pad); 1066 } 1067 } 1068 #endif /* !IEEE80211_NO_HT */ 1069 1070 /* 1071 * Parse an EDCA Parameter Set element (see 7.3.2.27). 1072 */ 1073 int 1074 ieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm) 1075 { 1076 u_int updtcount; 1077 int aci; 1078 1079 /* 1080 * Check if EDCA parameters have changed XXX if we miss more than 1081 * 15 consecutive beacons, we might not detect changes to EDCA 1082 * parameters due to wraparound of the 4-bit Update Count field. 1083 */ 1084 updtcount = frm[0] & 0xf; 1085 if (updtcount == ic->ic_edca_updtcount) 1086 return 0; /* no changes to EDCA parameters, ignore */ 1087 ic->ic_edca_updtcount = updtcount; 1088 1089 frm += 2; /* skip QoS Info & Reserved fields */ 1090 1091 /* parse AC Parameter Records */ 1092 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 1093 struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci]; 1094 1095 ac->ac_acm = (frm[0] >> 4) & 0x1; 1096 ac->ac_aifsn = frm[0] & 0xf; 1097 ac->ac_ecwmin = frm[1] & 0xf; 1098 ac->ac_ecwmax = frm[1] >> 4; 1099 ac->ac_txoplimit = LE_READ_2(frm + 2); 1100 frm += 4; 1101 } 1102 /* give drivers a chance to update their settings */ 1103 if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL) 1104 (*ic->ic_updateedca)(ic); 1105 1106 return 0; 1107 } 1108 1109 int 1110 ieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm) 1111 { 1112 if (frm[1] < 18) { 1113 ic->ic_stats.is_rx_elem_toosmall++; 1114 return IEEE80211_REASON_IE_INVALID; 1115 } 1116 return ieee80211_parse_edca_params_body(ic, frm + 2); 1117 } 1118 1119 int 1120 ieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm) 1121 { 1122 if (frm[1] < 24) { 1123 ic->ic_stats.is_rx_elem_toosmall++; 1124 return IEEE80211_REASON_IE_INVALID; 1125 } 1126 return ieee80211_parse_edca_params_body(ic, frm + 8); 1127 } 1128 1129 enum ieee80211_cipher 1130 ieee80211_parse_rsn_cipher(const u_int8_t selector[4]) 1131 { 1132 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1133 switch (selector[3]) { 1134 case 0: /* use group data cipher suite */ 1135 return IEEE80211_CIPHER_USEGROUP; 1136 case 1: /* WEP-40 */ 1137 return IEEE80211_CIPHER_WEP40; 1138 case 2: /* TKIP */ 1139 return IEEE80211_CIPHER_TKIP; 1140 case 4: /* CCMP (RSNA default) */ 1141 return IEEE80211_CIPHER_CCMP; 1142 case 5: /* WEP-104 */ 1143 return IEEE80211_CIPHER_WEP104; 1144 } 1145 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1146 /* from IEEE Std 802.11 - Table 20da */ 1147 switch (selector[3]) { 1148 case 0: /* use group data cipher suite */ 1149 return IEEE80211_CIPHER_USEGROUP; 1150 case 1: /* WEP-40 */ 1151 return IEEE80211_CIPHER_WEP40; 1152 case 2: /* TKIP */ 1153 return IEEE80211_CIPHER_TKIP; 1154 case 4: /* CCMP (RSNA default) */ 1155 return IEEE80211_CIPHER_CCMP; 1156 case 5: /* WEP-104 */ 1157 return IEEE80211_CIPHER_WEP104; 1158 case 6: /* BIP */ 1159 return IEEE80211_CIPHER_BIP; 1160 } 1161 } 1162 return IEEE80211_CIPHER_NONE; /* ignore unknown ciphers */ 1163 } 1164 1165 enum ieee80211_akm 1166 ieee80211_parse_rsn_akm(const u_int8_t selector[4]) 1167 { 1168 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1169 switch (selector[3]) { 1170 case 1: /* IEEE 802.1X (RSNA default) */ 1171 return IEEE80211_AKM_8021X; 1172 case 2: /* PSK */ 1173 return IEEE80211_AKM_PSK; 1174 } 1175 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1176 /* from IEEE Std 802.11i-2004 - Table 20dc */ 1177 switch (selector[3]) { 1178 case 1: /* IEEE 802.1X (RSNA default) */ 1179 return IEEE80211_AKM_8021X; 1180 case 2: /* PSK */ 1181 return IEEE80211_AKM_PSK; 1182 case 5: /* IEEE 802.1X with SHA256 KDF */ 1183 return IEEE80211_AKM_SHA256_8021X; 1184 case 6: /* PSK with SHA256 KDF */ 1185 return IEEE80211_AKM_SHA256_PSK; 1186 } 1187 } 1188 return IEEE80211_AKM_NONE; /* ignore unknown AKMs */ 1189 } 1190 1191 /* 1192 * Parse an RSN element (see 7.3.2.25). 1193 */ 1194 int 1195 ieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm, 1196 u_int len, struct ieee80211_rsnparams *rsn) 1197 { 1198 const u_int8_t *efrm; 1199 u_int16_t m, n, s; 1200 1201 efrm = frm + len; 1202 1203 /* check Version field */ 1204 if (LE_READ_2(frm) != 1) 1205 return IEEE80211_STATUS_RSN_IE_VER_UNSUP; 1206 frm += 2; 1207 1208 /* all fields after the Version field are optional */ 1209 1210 /* if Cipher Suite missing, default to CCMP */ 1211 rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP; 1212 rsn->rsn_nciphers = 1; 1213 rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP; 1214 /* if Group Management Cipher Suite missing, defaut to BIP */ 1215 rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP; 1216 /* if AKM Suite missing, default to 802.1X */ 1217 rsn->rsn_nakms = 1; 1218 rsn->rsn_akms = IEEE80211_AKM_8021X; 1219 /* if RSN capabilities missing, default to 0 */ 1220 rsn->rsn_caps = 0; 1221 rsn->rsn_npmkids = 0; 1222 1223 /* read Group Data Cipher Suite field */ 1224 if (frm + 4 > efrm) 1225 return 0; 1226 rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm); 1227 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP) 1228 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1229 frm += 4; 1230 1231 /* read Pairwise Cipher Suite Count field */ 1232 if (frm + 2 > efrm) 1233 return 0; 1234 m = rsn->rsn_nciphers = LE_READ_2(frm); 1235 frm += 2; 1236 1237 /* read Pairwise Cipher Suite List */ 1238 if (frm + m * 4 > efrm) 1239 return IEEE80211_STATUS_IE_INVALID; 1240 rsn->rsn_ciphers = IEEE80211_CIPHER_NONE; 1241 while (m-- > 0) { 1242 rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm); 1243 frm += 4; 1244 } 1245 if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) { 1246 if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP) 1247 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1248 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP) 1249 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1250 } 1251 1252 /* read AKM Suite List Count field */ 1253 if (frm + 2 > efrm) 1254 return 0; 1255 n = rsn->rsn_nakms = LE_READ_2(frm); 1256 frm += 2; 1257 1258 /* read AKM Suite List */ 1259 if (frm + n * 4 > efrm) 1260 return IEEE80211_STATUS_IE_INVALID; 1261 rsn->rsn_akms = IEEE80211_AKM_NONE; 1262 while (n-- > 0) { 1263 rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm); 1264 frm += 4; 1265 } 1266 1267 /* read RSN Capabilities field */ 1268 if (frm + 2 > efrm) 1269 return 0; 1270 rsn->rsn_caps = LE_READ_2(frm); 1271 frm += 2; 1272 1273 /* read PMKID Count field */ 1274 if (frm + 2 > efrm) 1275 return 0; 1276 s = rsn->rsn_npmkids = LE_READ_2(frm); 1277 frm += 2; 1278 1279 /* read PMKID List */ 1280 if (frm + s * IEEE80211_PMKID_LEN > efrm) 1281 return IEEE80211_STATUS_IE_INVALID; 1282 if (s != 0) { 1283 rsn->rsn_pmkids = frm; 1284 frm += s * IEEE80211_PMKID_LEN; 1285 } 1286 1287 /* read Group Management Cipher Suite field */ 1288 if (frm + 4 > efrm) 1289 return 0; 1290 rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm); 1291 1292 return IEEE80211_STATUS_SUCCESS; 1293 } 1294 1295 int 1296 ieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm, 1297 struct ieee80211_rsnparams *rsn) 1298 { 1299 if (frm[1] < 2) { 1300 ic->ic_stats.is_rx_elem_toosmall++; 1301 return IEEE80211_STATUS_IE_INVALID; 1302 } 1303 return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn); 1304 } 1305 1306 int 1307 ieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm, 1308 struct ieee80211_rsnparams *rsn) 1309 { 1310 if (frm[1] < 6) { 1311 ic->ic_stats.is_rx_elem_toosmall++; 1312 return IEEE80211_STATUS_IE_INVALID; 1313 } 1314 return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn); 1315 } 1316 1317 /* 1318 * Create (or update) a copy of an information element. 1319 */ 1320 int 1321 ieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie) 1322 { 1323 if (*ie == NULL || (*ie)[1] != frm[1]) { 1324 if (*ie != NULL) 1325 free(*ie, M_DEVBUF); 1326 *ie = malloc(2 + frm[1], M_DEVBUF, M_NOWAIT); 1327 if (*ie == NULL) 1328 return ENOMEM; 1329 } 1330 memcpy(*ie, frm, 2 + frm[1]); 1331 return 0; 1332 } 1333 1334 /*- 1335 * Beacon/Probe response frame format: 1336 * [8] Timestamp 1337 * [2] Beacon interval 1338 * [2] Capability 1339 * [tlv] Service Set Identifier (SSID) 1340 * [tlv] Supported rates 1341 * [tlv] DS Parameter Set (802.11g) 1342 * [tlv] ERP Information (802.11g) 1343 * [tlv] Extended Supported Rates (802.11g) 1344 * [tlv] RSN (802.11i) 1345 * [tlv] EDCA Parameter Set (802.11e) 1346 * [tlv] QoS Capability (Beacon only, 802.11e) 1347 * [tlv] HT Capabilities (802.11n) 1348 * [tlv] HT Operation (802.11n) 1349 */ 1350 void 1351 ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m, 1352 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int isprobe) 1353 { 1354 const struct ieee80211_frame *wh; 1355 const u_int8_t *frm, *efrm; 1356 const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie; 1357 const u_int8_t *rsnie, *wpaie, *htcaps, *htop; 1358 u_int16_t capinfo, bintval; 1359 u_int8_t chan, bchan, erp; 1360 int is_new; 1361 1362 /* 1363 * We process beacon/probe response frames for: 1364 * o station mode: to collect state 1365 * updates such as 802.11g slot time and for passive 1366 * scanning of APs 1367 * o adhoc mode: to discover neighbors 1368 * o hostap mode: for passive scanning of neighbor APs 1369 * o when scanning 1370 * In other words, in all modes other than monitor (which 1371 * does not process incoming frames) and adhoc-demo (which 1372 * does not use management frames at all). 1373 */ 1374 #ifdef DIAGNOSTIC 1375 if (ic->ic_opmode != IEEE80211_M_STA && 1376 #ifndef IEEE80211_STA_ONLY 1377 ic->ic_opmode != IEEE80211_M_IBSS && 1378 ic->ic_opmode != IEEE80211_M_HOSTAP && 1379 #endif 1380 ic->ic_state != IEEE80211_S_SCAN) { 1381 panic("%s: impossible operating mode", __func__); 1382 } 1383 #endif 1384 /* make sure all mandatory fixed fields are present */ 1385 if (m->m_len < sizeof(*wh) + 12) { 1386 DPRINTF(("frame too short\n")); 1387 return; 1388 } 1389 wh = mtod(m, struct ieee80211_frame *); 1390 frm = (const u_int8_t *)&wh[1]; 1391 efrm = mtod(m, u_int8_t *) + m->m_len; 1392 1393 tstamp = frm; frm += 8; 1394 bintval = LE_READ_2(frm); frm += 2; 1395 capinfo = LE_READ_2(frm); frm += 2; 1396 1397 ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = NULL; 1398 htcaps = htop = NULL; 1399 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1400 chan = bchan; 1401 erp = 0; 1402 while (frm + 2 <= efrm) { 1403 if (frm + 2 + frm[1] > efrm) { 1404 ic->ic_stats.is_rx_elem_toosmall++; 1405 break; 1406 } 1407 switch (frm[0]) { 1408 case IEEE80211_ELEMID_SSID: 1409 ssid = frm; 1410 break; 1411 case IEEE80211_ELEMID_RATES: 1412 rates = frm; 1413 break; 1414 case IEEE80211_ELEMID_DSPARMS: 1415 if (frm[1] < 1) { 1416 ic->ic_stats.is_rx_elem_toosmall++; 1417 break; 1418 } 1419 chan = frm[2]; 1420 break; 1421 case IEEE80211_ELEMID_XRATES: 1422 xrates = frm; 1423 break; 1424 case IEEE80211_ELEMID_ERP: 1425 if (frm[1] < 1) { 1426 ic->ic_stats.is_rx_elem_toosmall++; 1427 break; 1428 } 1429 erp = frm[2]; 1430 break; 1431 case IEEE80211_ELEMID_RSN: 1432 rsnie = frm; 1433 break; 1434 case IEEE80211_ELEMID_EDCAPARMS: 1435 edcaie = frm; 1436 break; 1437 #ifndef IEEE80211_NO_HT 1438 case IEEE80211_ELEMID_HTCAPS: 1439 htcaps = frm; 1440 break; 1441 case IEEE80211_ELEMID_HTOP: 1442 htop = frm; 1443 break; 1444 #endif 1445 case IEEE80211_ELEMID_VENDOR: 1446 if (frm[1] < 4) { 1447 ic->ic_stats.is_rx_elem_toosmall++; 1448 break; 1449 } 1450 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1451 if (frm[5] == 1) 1452 wpaie = frm; 1453 else if (frm[1] >= 5 && 1454 frm[5] == 2 && frm[6] == 1) 1455 wmmie = frm; 1456 } 1457 break; 1458 } 1459 frm += 2 + frm[1]; 1460 } 1461 /* supported rates element is mandatory */ 1462 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1463 DPRINTF(("invalid supported rates element\n")); 1464 return; 1465 } 1466 /* SSID element is mandatory */ 1467 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1468 DPRINTF(("invalid SSID element\n")); 1469 return; 1470 } 1471 1472 if ( 1473 #if IEEE80211_CHAN_MAX < 255 1474 chan > IEEE80211_CHAN_MAX || 1475 #endif 1476 isclr(ic->ic_chan_active, chan)) { 1477 DPRINTF(("ignore %s with invalid channel %u\n", 1478 isprobe ? "probe response" : "beacon", chan)); 1479 ic->ic_stats.is_rx_badchan++; 1480 return; 1481 } 1482 if ((ic->ic_state != IEEE80211_S_SCAN || 1483 !(ic->ic_caps & IEEE80211_C_SCANALL)) && 1484 chan != bchan) { 1485 /* 1486 * Frame was received on a channel different from the 1487 * one indicated in the DS params element id; 1488 * silently discard it. 1489 * 1490 * NB: this can happen due to signal leakage. 1491 */ 1492 DPRINTF(("ignore %s on channel %u marked for channel %u\n", 1493 isprobe ? "probe response" : "beacon", bchan, chan)); 1494 ic->ic_stats.is_rx_chanmismatch++; 1495 return; 1496 } 1497 /* 1498 * Use mac, channel and rssi so we collect only the 1499 * best potential AP with the equal bssid while scanning. 1500 * Collecting all potential APs may result in bloat of 1501 * the node tree. This call will return NULL if the node 1502 * for this APs does not exist or if the new node is the 1503 * potential better one. 1504 */ 1505 if ((ni = ieee80211_find_node_for_beacon(ic, wh->i_addr2, 1506 &ic->ic_channels[chan], ssid, rxi->rxi_rssi)) != NULL) 1507 return; 1508 1509 #ifdef IEEE80211_DEBUG 1510 if (ieee80211_debug && 1511 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN)) { 1512 printf("%s: %s%s on chan %u (bss chan %u) ", 1513 __func__, (ni == NULL ? "new " : ""), 1514 isprobe ? "probe response" : "beacon", 1515 chan, bchan); 1516 ieee80211_print_essid(ssid + 2, ssid[1]); 1517 printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2)); 1518 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1519 __func__, capinfo, bintval, erp); 1520 } 1521 #endif 1522 1523 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1524 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1525 if (ni == NULL) 1526 return; 1527 is_new = 1; 1528 } else 1529 is_new = 0; 1530 1531 /* 1532 * When operating in station mode, check for state updates 1533 * while we're associated. We consider only 11g stuff right 1534 * now. 1535 */ 1536 if (ic->ic_opmode == IEEE80211_M_STA && 1537 ic->ic_state == IEEE80211_S_RUN && 1538 ni->ni_state == IEEE80211_STA_BSS) { 1539 /* 1540 * Check if protection mode has changed since last beacon. 1541 */ 1542 if (ni->ni_erp != erp) { 1543 DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n", 1544 ether_sprintf((u_int8_t *)wh->i_addr2), 1545 ni->ni_erp, erp)); 1546 if (ic->ic_curmode == IEEE80211_MODE_11G && 1547 (erp & IEEE80211_ERP_USE_PROTECTION)) 1548 ic->ic_flags |= IEEE80211_F_USEPROT; 1549 else 1550 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1551 ic->ic_bss->ni_erp = erp; 1552 } 1553 /* 1554 * Check if AP short slot time setting has changed 1555 * since last beacon and give the driver a chance to 1556 * update the hardware. 1557 */ 1558 if ((ni->ni_capinfo ^ capinfo) & 1559 IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1560 ieee80211_set_shortslottime(ic, 1561 ic->ic_curmode == IEEE80211_MODE_11A || 1562 (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1563 } 1564 } 1565 /* 1566 * We do not try to update EDCA parameters if QoS was not negotiated 1567 * with the AP at association time. 1568 */ 1569 if (ni->ni_flags & IEEE80211_NODE_QOS) { 1570 /* always prefer EDCA IE over Wi-Fi Alliance WMM IE */ 1571 if (edcaie != NULL) 1572 ieee80211_parse_edca_params(ic, edcaie); 1573 else if (wmmie != NULL) 1574 ieee80211_parse_wmm_params(ic, wmmie); 1575 } 1576 1577 if (ic->ic_state == IEEE80211_S_SCAN && 1578 #ifndef IEEE80211_STA_ONLY 1579 ic->ic_opmode != IEEE80211_M_HOSTAP && 1580 #endif 1581 (ic->ic_flags & IEEE80211_F_RSNON)) { 1582 struct ieee80211_rsnparams rsn; 1583 const u_int8_t *saveie = NULL; 1584 /* 1585 * If the AP advertises both RSN and WPA IEs (WPA1+WPA2), 1586 * we only store the parameters of the highest protocol 1587 * version we support. 1588 */ 1589 if (rsnie != NULL && 1590 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 1591 if (ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) { 1592 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1593 saveie = rsnie; 1594 } 1595 } else if (wpaie != NULL && 1596 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 1597 if (ieee80211_parse_wpa(ic, wpaie, &rsn) == 0) { 1598 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1599 saveie = wpaie; 1600 } 1601 } 1602 if (saveie != NULL && 1603 ieee80211_save_ie(saveie, &ni->ni_rsnie) == 0) { 1604 ni->ni_rsnakms = rsn.rsn_akms; 1605 ni->ni_rsnciphers = rsn.rsn_ciphers; 1606 ni->ni_rsngroupcipher = rsn.rsn_groupcipher; 1607 ni->ni_rsngroupmgmtcipher = rsn.rsn_groupmgmtcipher; 1608 ni->ni_rsncaps = rsn.rsn_caps; 1609 } else 1610 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1611 } else if (ic->ic_state == IEEE80211_S_SCAN) 1612 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1613 1614 if (ssid[1] != 0 && ni->ni_esslen == 0) { 1615 ni->ni_esslen = ssid[1]; 1616 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1617 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1618 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1619 } 1620 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1621 ni->ni_rssi = rxi->rxi_rssi; 1622 ni->ni_rstamp = rxi->rxi_tstamp; 1623 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 1624 ni->ni_intval = bintval; 1625 ni->ni_capinfo = capinfo; 1626 /* XXX validate channel # */ 1627 ni->ni_chan = &ic->ic_channels[chan]; 1628 ni->ni_erp = erp; 1629 /* NB: must be after ni_chan is setup */ 1630 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 1631 1632 /* 1633 * When scanning we record results (nodes) with a zero 1634 * refcnt. Otherwise we want to hold the reference for 1635 * ibss neighbors so the nodes don't get released prematurely. 1636 * Anything else can be discarded (XXX and should be handled 1637 * above so we don't do so much work). 1638 */ 1639 if ( 1640 #ifndef IEEE80211_STA_ONLY 1641 ic->ic_opmode == IEEE80211_M_IBSS || 1642 #endif 1643 (is_new && isprobe)) { 1644 /* 1645 * Fake an association so the driver can setup it's 1646 * private state. The rate set has been setup above; 1647 * there is no handshake as in ap/station operation. 1648 */ 1649 if (ic->ic_newassoc) 1650 (*ic->ic_newassoc)(ic, ni, 1); 1651 } 1652 } 1653 1654 #ifndef IEEE80211_STA_ONLY 1655 /*- 1656 * Probe request frame format: 1657 * [tlv] SSID 1658 * [tlv] Supported rates 1659 * [tlv] Extended Supported Rates (802.11g) 1660 * [tlv] HT Capabilities (802.11n) 1661 */ 1662 void 1663 ieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m, 1664 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1665 { 1666 const struct ieee80211_frame *wh; 1667 const u_int8_t *frm, *efrm; 1668 const u_int8_t *ssid, *rates, *xrates, *htcaps; 1669 u_int8_t rate; 1670 1671 if (ic->ic_opmode == IEEE80211_M_STA || 1672 ic->ic_state != IEEE80211_S_RUN) 1673 return; 1674 1675 wh = mtod(m, struct ieee80211_frame *); 1676 frm = (const u_int8_t *)&wh[1]; 1677 efrm = mtod(m, u_int8_t *) + m->m_len; 1678 1679 ssid = rates = xrates = htcaps = NULL; 1680 while (frm + 2 <= efrm) { 1681 if (frm + 2 + frm[1] > efrm) { 1682 ic->ic_stats.is_rx_elem_toosmall++; 1683 break; 1684 } 1685 switch (frm[0]) { 1686 case IEEE80211_ELEMID_SSID: 1687 ssid = frm; 1688 break; 1689 case IEEE80211_ELEMID_RATES: 1690 rates = frm; 1691 break; 1692 case IEEE80211_ELEMID_XRATES: 1693 xrates = frm; 1694 break; 1695 #ifndef IEEE80211_NO_HT 1696 case IEEE80211_ELEMID_HTCAPS: 1697 htcaps = frm; 1698 break; 1699 #endif 1700 } 1701 frm += 2 + frm[1]; 1702 } 1703 /* supported rates element is mandatory */ 1704 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1705 DPRINTF(("invalid supported rates element\n")); 1706 return; 1707 } 1708 /* SSID element is mandatory */ 1709 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1710 DPRINTF(("invalid SSID element\n")); 1711 return; 1712 } 1713 /* check that the specified SSID (if not wildcard) matches ours */ 1714 if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen || 1715 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) { 1716 DPRINTF(("SSID mismatch\n")); 1717 ic->ic_stats.is_rx_ssidmismatch++; 1718 return; 1719 } 1720 /* refuse wildcard SSID if we're hiding our SSID in beacons */ 1721 if (ssid[1] == 0 && (ic->ic_flags & IEEE80211_F_HIDENWID)) { 1722 DPRINTF(("wildcard SSID rejected")); 1723 ic->ic_stats.is_rx_ssidmismatch++; 1724 return; 1725 } 1726 1727 if (ni == ic->ic_bss) { 1728 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1729 if (ni == NULL) 1730 return; 1731 DPRINTF(("new probe req from %s\n", 1732 ether_sprintf((u_int8_t *)wh->i_addr2))); 1733 } 1734 ni->ni_rssi = rxi->rxi_rssi; 1735 ni->ni_rstamp = rxi->rxi_tstamp; 1736 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1737 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 1738 IEEE80211_F_DODEL); 1739 if (rate & IEEE80211_RATE_BASIC) { 1740 DPRINTF(("rate mismatch for %s\n", 1741 ether_sprintf((u_int8_t *)wh->i_addr2))); 1742 return; 1743 } 1744 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 1745 } 1746 #endif /* IEEE80211_STA_ONLY */ 1747 1748 /*- 1749 * Authentication frame format: 1750 * [2] Authentication algorithm number 1751 * [2] Authentication transaction sequence number 1752 * [2] Status code 1753 */ 1754 void 1755 ieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m, 1756 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1757 { 1758 const struct ieee80211_frame *wh; 1759 const u_int8_t *frm; 1760 u_int16_t algo, seq, status; 1761 1762 /* make sure all mandatory fixed fields are present */ 1763 if (m->m_len < sizeof(*wh) + 6) { 1764 DPRINTF(("frame too short\n")); 1765 return; 1766 } 1767 wh = mtod(m, struct ieee80211_frame *); 1768 frm = (const u_int8_t *)&wh[1]; 1769 1770 algo = LE_READ_2(frm); frm += 2; 1771 seq = LE_READ_2(frm); frm += 2; 1772 status = LE_READ_2(frm); frm += 2; 1773 DPRINTF(("auth %d seq %d from %s\n", algo, seq, 1774 ether_sprintf((u_int8_t *)wh->i_addr2))); 1775 1776 /* only "open" auth mode is supported */ 1777 if (algo != IEEE80211_AUTH_ALG_OPEN) { 1778 DPRINTF(("unsupported auth algorithm %d from %s\n", 1779 algo, ether_sprintf((u_int8_t *)wh->i_addr2))); 1780 ic->ic_stats.is_rx_auth_unsupported++; 1781 #ifndef IEEE80211_STA_ONLY 1782 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1783 /* XXX hack to workaround calling convention */ 1784 IEEE80211_SEND_MGMT(ic, ni, 1785 IEEE80211_FC0_SUBTYPE_AUTH, 1786 IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xffff)); 1787 } 1788 #endif 1789 return; 1790 } 1791 ieee80211_auth_open(ic, wh, ni, rxi, seq, status); 1792 } 1793 1794 #ifndef IEEE80211_STA_ONLY 1795 /*- 1796 * (Re)Association request frame format: 1797 * [2] Capability information 1798 * [2] Listen interval 1799 * [6*] Current AP address (Reassociation only) 1800 * [tlv] SSID 1801 * [tlv] Supported rates 1802 * [tlv] Extended Supported Rates (802.11g) 1803 * [tlv] RSN (802.11i) 1804 * [tlv] QoS Capability (802.11e) 1805 * [tlv] HT Capabilities (802.11n) 1806 */ 1807 void 1808 ieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m, 1809 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc) 1810 { 1811 const struct ieee80211_frame *wh; 1812 const u_int8_t *frm, *efrm; 1813 const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *htcaps; 1814 u_int16_t capinfo, bintval; 1815 int resp, status = 0; 1816 struct ieee80211_rsnparams rsn; 1817 u_int8_t rate; 1818 1819 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 1820 ic->ic_state != IEEE80211_S_RUN) 1821 return; 1822 1823 /* make sure all mandatory fixed fields are present */ 1824 if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) { 1825 DPRINTF(("frame too short\n")); 1826 return; 1827 } 1828 wh = mtod(m, struct ieee80211_frame *); 1829 frm = (const u_int8_t *)&wh[1]; 1830 efrm = mtod(m, u_int8_t *) + m->m_len; 1831 1832 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 1833 DPRINTF(("ignore other bss from %s\n", 1834 ether_sprintf((u_int8_t *)wh->i_addr2))); 1835 ic->ic_stats.is_rx_assoc_bss++; 1836 return; 1837 } 1838 capinfo = LE_READ_2(frm); frm += 2; 1839 bintval = LE_READ_2(frm); frm += 2; 1840 if (reassoc) { 1841 frm += IEEE80211_ADDR_LEN; /* skip current AP address */ 1842 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1843 } else 1844 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1845 1846 ssid = rates = xrates = rsnie = wpaie = htcaps = NULL; 1847 while (frm + 2 <= efrm) { 1848 if (frm + 2 + frm[1] > efrm) { 1849 ic->ic_stats.is_rx_elem_toosmall++; 1850 break; 1851 } 1852 switch (frm[0]) { 1853 case IEEE80211_ELEMID_SSID: 1854 ssid = frm; 1855 break; 1856 case IEEE80211_ELEMID_RATES: 1857 rates = frm; 1858 break; 1859 case IEEE80211_ELEMID_XRATES: 1860 xrates = frm; 1861 break; 1862 case IEEE80211_ELEMID_RSN: 1863 rsnie = frm; 1864 break; 1865 case IEEE80211_ELEMID_QOS_CAP: 1866 break; 1867 #ifndef IEEE80211_NO_HT 1868 case IEEE80211_ELEMID_HTCAPS: 1869 htcaps = frm; 1870 break; 1871 #endif 1872 case IEEE80211_ELEMID_VENDOR: 1873 if (frm[1] < 4) { 1874 ic->ic_stats.is_rx_elem_toosmall++; 1875 break; 1876 } 1877 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1878 if (frm[5] == 1) 1879 wpaie = frm; 1880 } 1881 break; 1882 } 1883 frm += 2 + frm[1]; 1884 } 1885 /* supported rates element is mandatory */ 1886 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1887 DPRINTF(("invalid supported rates element\n")); 1888 return; 1889 } 1890 /* SSID element is mandatory */ 1891 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1892 DPRINTF(("invalid SSID element\n")); 1893 return; 1894 } 1895 /* check that the specified SSID matches ours */ 1896 if (ssid[1] != ic->ic_bss->ni_esslen || 1897 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) { 1898 DPRINTF(("SSID mismatch\n")); 1899 ic->ic_stats.is_rx_ssidmismatch++; 1900 return; 1901 } 1902 1903 if (ni->ni_state != IEEE80211_STA_AUTH && 1904 ni->ni_state != IEEE80211_STA_ASSOC) { 1905 DPRINTF(("deny %sassoc from %s, not authenticated\n", 1906 reassoc ? "re" : "", 1907 ether_sprintf((u_int8_t *)wh->i_addr2))); 1908 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1909 if (ni != NULL) { 1910 IEEE80211_SEND_MGMT(ic, ni, 1911 IEEE80211_FC0_SUBTYPE_DEAUTH, 1912 IEEE80211_REASON_ASSOC_NOT_AUTHED); 1913 } 1914 ic->ic_stats.is_rx_assoc_notauth++; 1915 return; 1916 } 1917 1918 if (ni->ni_state == IEEE80211_STA_ASSOC && 1919 (ni->ni_flags & IEEE80211_NODE_MFP)) { 1920 if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) { 1921 /* send a protected Disassociate frame */ 1922 IEEE80211_SEND_MGMT(ic, ni, 1923 IEEE80211_FC0_SUBTYPE_DISASSOC, 1924 IEEE80211_REASON_AUTH_EXPIRE); 1925 /* terminate the old SA */ 1926 ieee80211_node_leave(ic, ni); 1927 } else { 1928 /* reject the (Re)Association Request temporarily */ 1929 IEEE80211_SEND_MGMT(ic, ni, resp, 1930 IEEE80211_STATUS_TRY_AGAIN_LATER); 1931 /* start SA Query procedure if not already engaged */ 1932 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) 1933 ieee80211_sa_query_request(ic, ni); 1934 /* do not modify association state */ 1935 } 1936 return; 1937 } 1938 1939 if (!(capinfo & IEEE80211_CAPINFO_ESS)) { 1940 ic->ic_stats.is_rx_assoc_capmismatch++; 1941 status = IEEE80211_STATUS_CAPINFO; 1942 goto end; 1943 } 1944 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1945 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 1946 IEEE80211_F_DODEL); 1947 if (rate & IEEE80211_RATE_BASIC) { 1948 ic->ic_stats.is_rx_assoc_norate++; 1949 status = IEEE80211_STATUS_BASIC_RATE; 1950 goto end; 1951 } 1952 1953 if (ic->ic_flags & IEEE80211_F_RSNON) { 1954 const u_int8_t *saveie; 1955 /* 1956 * A station should never include both a WPA and an RSN IE 1957 * in its (Re)Association Requests, but if it does, we only 1958 * consider the IE of the highest version of the protocol 1959 * that is allowed (ie RSN over WPA). 1960 */ 1961 if (rsnie != NULL && 1962 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 1963 status = ieee80211_parse_rsn(ic, rsnie, &rsn); 1964 if (status != 0) 1965 goto end; 1966 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1967 saveie = rsnie; 1968 } else if (wpaie != NULL && 1969 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 1970 status = ieee80211_parse_wpa(ic, wpaie, &rsn); 1971 if (status != 0) 1972 goto end; 1973 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1974 saveie = wpaie; 1975 } else { 1976 /* 1977 * In an RSN, an AP shall not associate with STAs 1978 * that fail to include the RSN IE in the 1979 * (Re)Association Request. 1980 */ 1981 status = IEEE80211_STATUS_IE_INVALID; 1982 goto end; 1983 } 1984 /* 1985 * The initiating STA's RSN IE shall include one authentication 1986 * and pairwise cipher suite among those advertised by the 1987 * targeted AP. It shall also specify the group cipher suite 1988 * specified by the targeted AP. 1989 */ 1990 if (rsn.rsn_nakms != 1 || 1991 !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) { 1992 status = IEEE80211_STATUS_BAD_AKMP; 1993 goto end; 1994 } 1995 if (rsn.rsn_nciphers != 1 || 1996 !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) { 1997 status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1998 goto end; 1999 } 2000 if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) { 2001 status = IEEE80211_STATUS_BAD_GROUP_CIPHER; 2002 goto end; 2003 } 2004 2005 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) && 2006 !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) { 2007 status = IEEE80211_STATUS_MFP_POLICY; 2008 goto end; 2009 } 2010 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 2011 (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC | 2012 IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) { 2013 /* STA advertises an invalid setting */ 2014 status = IEEE80211_STATUS_MFP_POLICY; 2015 goto end; 2016 } 2017 /* 2018 * A STA that has associated with Management Frame Protection 2019 * enabled shall not use cipher suite pairwise selector WEP40, 2020 * WEP104, TKIP, or "Use Group cipher suite". 2021 */ 2022 if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) && 2023 (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP || 2024 rsn.rsn_groupmgmtcipher != 2025 ic->ic_bss->ni_rsngroupmgmtcipher)) { 2026 status = IEEE80211_STATUS_MFP_POLICY; 2027 goto end; 2028 } 2029 2030 /* 2031 * Disallow new associations using TKIP if countermeasures 2032 * are active. 2033 */ 2034 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 2035 (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP || 2036 rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) { 2037 status = IEEE80211_STATUS_CIPHER_REJ_POLICY; 2038 goto end; 2039 } 2040 2041 /* everything looks fine, save IE and parameters */ 2042 if (ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) { 2043 status = IEEE80211_STATUS_TOOMANY; 2044 goto end; 2045 } 2046 ni->ni_rsnakms = rsn.rsn_akms; 2047 ni->ni_rsnciphers = rsn.rsn_ciphers; 2048 ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher; 2049 ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher; 2050 ni->ni_rsncaps = rsn.rsn_caps; 2051 2052 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 2053 struct ieee80211_pmk *pmk = NULL; 2054 const u_int8_t *pmkid = rsn.rsn_pmkids; 2055 /* 2056 * Check if we have a cached PMK entry matching one 2057 * of the PMKIDs specified in the RSN IE. 2058 */ 2059 while (rsn.rsn_npmkids-- > 0) { 2060 pmk = ieee80211_pmksa_find(ic, ni, pmkid); 2061 if (pmk != NULL) 2062 break; 2063 pmkid += IEEE80211_PMKID_LEN; 2064 } 2065 if (pmk != NULL) { 2066 memcpy(ni->ni_pmk, pmk->pmk_key, 2067 IEEE80211_PMK_LEN); 2068 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 2069 IEEE80211_PMKID_LEN); 2070 ni->ni_flags |= IEEE80211_NODE_PMK; 2071 } 2072 } 2073 } else 2074 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2075 2076 ni->ni_rssi = rxi->rxi_rssi; 2077 ni->ni_rstamp = rxi->rxi_tstamp; 2078 ni->ni_intval = bintval; 2079 ni->ni_capinfo = capinfo; 2080 ni->ni_chan = ic->ic_bss->ni_chan; 2081 end: 2082 if (status != 0) { 2083 IEEE80211_SEND_MGMT(ic, ni, resp, status); 2084 ieee80211_node_leave(ic, ni); 2085 } else 2086 ieee80211_node_join(ic, ni, resp); 2087 } 2088 #endif /* IEEE80211_STA_ONLY */ 2089 2090 /*- 2091 * (Re)Association response frame format: 2092 * [2] Capability information 2093 * [2] Status code 2094 * [2] Association ID (AID) 2095 * [tlv] Supported rates 2096 * [tlv] Extended Supported Rates (802.11g) 2097 * [tlv] EDCA Parameter Set (802.11e) 2098 * [tlv] HT Capabilities (802.11n) 2099 * [tlv] HT Operation (802.11n) 2100 */ 2101 void 2102 ieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m, 2103 struct ieee80211_node *ni, int reassoc) 2104 { 2105 struct ifnet *ifp = &ic->ic_if; 2106 const struct ieee80211_frame *wh; 2107 const u_int8_t *frm, *efrm; 2108 const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop; 2109 u_int16_t capinfo, status, associd; 2110 u_int8_t rate; 2111 2112 if (ic->ic_opmode != IEEE80211_M_STA || 2113 ic->ic_state != IEEE80211_S_ASSOC) { 2114 ic->ic_stats.is_rx_mgtdiscard++; 2115 return; 2116 } 2117 2118 /* make sure all mandatory fixed fields are present */ 2119 if (m->m_len < sizeof(*wh) + 6) { 2120 DPRINTF(("frame too short\n")); 2121 return; 2122 } 2123 wh = mtod(m, struct ieee80211_frame *); 2124 frm = (const u_int8_t *)&wh[1]; 2125 efrm = mtod(m, u_int8_t *) + m->m_len; 2126 2127 capinfo = LE_READ_2(frm); frm += 2; 2128 status = LE_READ_2(frm); frm += 2; 2129 if (status != IEEE80211_STATUS_SUCCESS) { 2130 if (ifp->if_flags & IFF_DEBUG) 2131 printf("%s: %sassociation failed (status %d)" 2132 " for %s\n", ifp->if_xname, 2133 reassoc ? "re" : "", 2134 status, ether_sprintf((u_int8_t *)wh->i_addr3)); 2135 if (ni != ic->ic_bss) 2136 ni->ni_fails++; 2137 ic->ic_stats.is_rx_auth_fail++; 2138 return; 2139 } 2140 associd = LE_READ_2(frm); frm += 2; 2141 2142 rates = xrates = edcaie = wmmie = htcaps = htop = NULL; 2143 while (frm + 2 <= efrm) { 2144 if (frm + 2 + frm[1] > efrm) { 2145 ic->ic_stats.is_rx_elem_toosmall++; 2146 break; 2147 } 2148 switch (frm[0]) { 2149 case IEEE80211_ELEMID_RATES: 2150 rates = frm; 2151 break; 2152 case IEEE80211_ELEMID_XRATES: 2153 xrates = frm; 2154 break; 2155 case IEEE80211_ELEMID_EDCAPARMS: 2156 edcaie = frm; 2157 break; 2158 #ifndef IEEE80211_NO_HT 2159 case IEEE80211_ELEMID_HTCAPS: 2160 htcaps = frm; 2161 break; 2162 case IEEE80211_ELEMID_HTOP: 2163 htop = frm; 2164 break; 2165 #endif 2166 case IEEE80211_ELEMID_VENDOR: 2167 if (frm[1] < 4) { 2168 ic->ic_stats.is_rx_elem_toosmall++; 2169 break; 2170 } 2171 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2172 if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1) 2173 wmmie = frm; 2174 } 2175 break; 2176 } 2177 frm += 2 + frm[1]; 2178 } 2179 /* supported rates element is mandatory */ 2180 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2181 DPRINTF(("invalid supported rates element\n")); 2182 return; 2183 } 2184 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2185 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2186 IEEE80211_F_DODEL); 2187 if (rate & IEEE80211_RATE_BASIC) { 2188 DPRINTF(("rate mismatch for %s\n", 2189 ether_sprintf((u_int8_t *)wh->i_addr2))); 2190 ic->ic_stats.is_rx_assoc_norate++; 2191 return; 2192 } 2193 ni->ni_capinfo = capinfo; 2194 ni->ni_associd = associd; 2195 if (edcaie != NULL || wmmie != NULL) { 2196 /* force update of EDCA parameters */ 2197 ic->ic_edca_updtcount = -1; 2198 2199 if ((edcaie != NULL && 2200 ieee80211_parse_edca_params(ic, edcaie) == 0) || 2201 (wmmie != NULL && 2202 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 2203 ni->ni_flags |= IEEE80211_NODE_QOS; 2204 else /* for Reassociation */ 2205 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2206 } 2207 /* 2208 * Configure state now that we are associated. 2209 */ 2210 if (ic->ic_curmode == IEEE80211_MODE_11A || 2211 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 2212 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2213 else 2214 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2215 2216 ieee80211_set_shortslottime(ic, 2217 ic->ic_curmode == IEEE80211_MODE_11A || 2218 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2219 /* 2220 * Honor ERP protection. 2221 */ 2222 if (ic->ic_curmode == IEEE80211_MODE_11G && 2223 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2224 ic->ic_flags |= IEEE80211_F_USEPROT; 2225 else 2226 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2227 /* 2228 * If not an RSNA, mark the port as valid, otherwise wait for 2229 * 802.1X authentication and 4-way handshake to complete.. 2230 */ 2231 if (ic->ic_flags & IEEE80211_F_RSNON) { 2232 /* XXX ic->ic_mgt_timer = 5; */ 2233 } else if (ic->ic_flags & IEEE80211_F_WEPON) 2234 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 2235 2236 ieee80211_new_state(ic, IEEE80211_S_RUN, 2237 IEEE80211_FC0_SUBTYPE_ASSOC_RESP); 2238 } 2239 2240 /*- 2241 * Deauthentication frame format: 2242 * [2] Reason code 2243 */ 2244 void 2245 ieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m, 2246 struct ieee80211_node *ni) 2247 { 2248 const struct ieee80211_frame *wh; 2249 const u_int8_t *frm; 2250 u_int16_t reason; 2251 2252 /* make sure all mandatory fixed fields are present */ 2253 if (m->m_len < sizeof(*wh) + 2) { 2254 DPRINTF(("frame too short\n")); 2255 return; 2256 } 2257 wh = mtod(m, struct ieee80211_frame *); 2258 frm = (const u_int8_t *)&wh[1]; 2259 2260 reason = LE_READ_2(frm); 2261 2262 ic->ic_stats.is_rx_deauth++; 2263 switch (ic->ic_opmode) { 2264 case IEEE80211_M_STA: 2265 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2266 IEEE80211_FC0_SUBTYPE_DEAUTH); 2267 break; 2268 #ifndef IEEE80211_STA_ONLY 2269 case IEEE80211_M_HOSTAP: 2270 if (ni != ic->ic_bss) { 2271 if (ic->ic_if.if_flags & IFF_DEBUG) 2272 printf("%s: station %s deauthenticated " 2273 "by peer (reason %d)\n", 2274 ic->ic_if.if_xname, 2275 ether_sprintf(ni->ni_macaddr), 2276 reason); 2277 ieee80211_node_leave(ic, ni); 2278 } 2279 break; 2280 #endif 2281 default: 2282 break; 2283 } 2284 } 2285 2286 /*- 2287 * Disassociation frame format: 2288 * [2] Reason code 2289 */ 2290 void 2291 ieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m, 2292 struct ieee80211_node *ni) 2293 { 2294 const struct ieee80211_frame *wh; 2295 const u_int8_t *frm; 2296 u_int16_t reason; 2297 2298 /* make sure all mandatory fixed fields are present */ 2299 if (m->m_len < sizeof(*wh) + 2) { 2300 DPRINTF(("frame too short\n")); 2301 return; 2302 } 2303 wh = mtod(m, struct ieee80211_frame *); 2304 frm = (const u_int8_t *)&wh[1]; 2305 2306 reason = LE_READ_2(frm); 2307 2308 ic->ic_stats.is_rx_disassoc++; 2309 switch (ic->ic_opmode) { 2310 case IEEE80211_M_STA: 2311 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2312 IEEE80211_FC0_SUBTYPE_DISASSOC); 2313 break; 2314 #ifndef IEEE80211_STA_ONLY 2315 case IEEE80211_M_HOSTAP: 2316 if (ni != ic->ic_bss) { 2317 if (ic->ic_if.if_flags & IFF_DEBUG) 2318 printf("%s: station %s disassociated " 2319 "by peer (reason %d)\n", 2320 ic->ic_if.if_xname, 2321 ether_sprintf(ni->ni_macaddr), 2322 reason); 2323 ieee80211_node_leave(ic, ni); 2324 } 2325 break; 2326 #endif 2327 default: 2328 break; 2329 } 2330 } 2331 2332 #ifndef IEEE80211_NO_HT 2333 /*- 2334 * ADDBA Request frame format: 2335 * [1] Category 2336 * [1] Action 2337 * [1] Dialog Token 2338 * [2] Block Ack Parameter Set 2339 * [2] Block Ack Timeout Value 2340 * [2] Block Ack Starting Sequence Control 2341 */ 2342 void 2343 ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m, 2344 struct ieee80211_node *ni) 2345 { 2346 const struct ieee80211_frame *wh; 2347 const u_int8_t *frm; 2348 struct ieee80211_rx_ba *ba; 2349 u_int16_t params, ssn, bufsz, timeout, status; 2350 u_int8_t token, tid; 2351 2352 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2353 DPRINTF(("received ADDBA req from non-HT STA %s\n", 2354 ether_sprintf(ni->ni_macaddr))); 2355 return; 2356 } 2357 if (m->m_len < sizeof(*wh) + 9) { 2358 DPRINTF(("frame too short\n")); 2359 return; 2360 } 2361 /* MLME-ADDBA.indication */ 2362 wh = mtod(m, struct ieee80211_frame *); 2363 frm = (const u_int8_t *)&wh[1]; 2364 2365 token = frm[2]; 2366 params = LE_READ_2(&frm[3]); 2367 tid = (params >> 2) & 0xf; 2368 bufsz = (params >> 6) & 0x3ff; 2369 timeout = LE_READ_2(&frm[5]); 2370 ssn = LE_READ_2(&frm[7]) >> 4; 2371 2372 ba = &ni->ni_rx_ba[tid]; 2373 /* check if we already have a Block Ack agreement for this RA/TID */ 2374 if (ba->ba_state == IEEE80211_BA_AGREED) { 2375 /* XXX should we update the timeout value? */ 2376 /* reset Block Ack inactivity timer */ 2377 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2378 2379 /* check if it's a Protected Block Ack agreement */ 2380 if (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2381 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) 2382 return; /* not a PBAC, ignore */ 2383 2384 /* PBAC: treat the ADDBA Request like a BlockAckReq */ 2385 if (SEQ_LT(ba->ba_winstart, ssn)) 2386 ieee80211_ba_move_window(ic, ni, tid, ssn); 2387 return; 2388 } 2389 /* if PBAC required but RA does not support it, refuse request */ 2390 if ((ic->ic_flags & IEEE80211_F_PBAR) && 2391 (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2392 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))) { 2393 status = IEEE80211_STATUS_REFUSED; 2394 goto resp; 2395 } 2396 /* 2397 * If the TID for which the Block Ack agreement is requested is 2398 * configured with a no-ACK policy, refuse the agreement. 2399 */ 2400 if (ic->ic_tid_noack & (1 << tid)) { 2401 status = IEEE80211_STATUS_REFUSED; 2402 goto resp; 2403 } 2404 /* check that we support the requested Block Ack Policy */ 2405 if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) && 2406 !(params & IEEE80211_BA_ACK_POLICY)) { 2407 status = IEEE80211_STATUS_INVALID_PARAM; 2408 goto resp; 2409 } 2410 2411 /* setup Block Ack agreement */ 2412 ba->ba_state = IEEE80211_BA_INIT; 2413 ba->ba_timeout_val = timeout * IEEE80211_DUR_TU; 2414 if (ba->ba_timeout_val < IEEE80211_BA_MIN_TIMEOUT) 2415 ba->ba_timeout_val = IEEE80211_BA_MIN_TIMEOUT; 2416 else if (ba->ba_timeout_val > IEEE80211_BA_MAX_TIMEOUT) 2417 ba->ba_timeout_val = IEEE80211_BA_MAX_TIMEOUT; 2418 timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba); 2419 ba->ba_winsize = bufsz; 2420 if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ) 2421 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 2422 ba->ba_winstart = ssn; 2423 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 2424 /* allocate and setup our reordering buffer */ 2425 ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf), 2426 M_DEVBUF, M_NOWAIT | M_ZERO); 2427 if (ba->ba_buf == NULL) { 2428 status = IEEE80211_STATUS_REFUSED; 2429 goto resp; 2430 } 2431 ba->ba_head = 0; 2432 2433 /* notify drivers of this new Block Ack agreement */ 2434 if (ic->ic_ampdu_rx_start != NULL && 2435 ic->ic_ampdu_rx_start(ic, ni, tid) != 0) { 2436 /* driver failed to setup, rollback */ 2437 free(ba->ba_buf, M_DEVBUF); 2438 ba->ba_buf = NULL; 2439 status = IEEE80211_STATUS_REFUSED; 2440 goto resp; 2441 } 2442 ba->ba_state = IEEE80211_BA_AGREED; 2443 /* start Block Ack inactivity timer */ 2444 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2445 status = IEEE80211_STATUS_SUCCESS; 2446 resp: 2447 /* MLME-ADDBA.response */ 2448 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2449 IEEE80211_ACTION_ADDBA_RESP, status << 16 | token << 8 | tid); 2450 } 2451 2452 /*- 2453 * ADDBA Response frame format: 2454 * [1] Category 2455 * [1] Action 2456 * [1] Dialog Token 2457 * [2] Status Code 2458 * [2] Block Ack Parameter Set 2459 * [2] Block Ack Timeout Value 2460 */ 2461 void 2462 ieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m, 2463 struct ieee80211_node *ni) 2464 { 2465 const struct ieee80211_frame *wh; 2466 const u_int8_t *frm; 2467 struct ieee80211_tx_ba *ba; 2468 u_int16_t status, params, bufsz, timeout; 2469 u_int8_t token, tid; 2470 2471 if (m->m_len < sizeof(*wh) + 9) { 2472 DPRINTF(("frame too short\n")); 2473 return; 2474 } 2475 wh = mtod(m, struct ieee80211_frame *); 2476 frm = (const u_int8_t *)&wh[1]; 2477 2478 token = frm[2]; 2479 status = LE_READ_2(&frm[3]); 2480 params = LE_READ_2(&frm[5]); 2481 tid = (params >> 2) & 0xf; 2482 bufsz = (params >> 6) & 0x3ff; 2483 timeout = LE_READ_2(&frm[7]); 2484 2485 DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n", 2486 ether_sprintf(ni->ni_macaddr), tid, status)); 2487 2488 /* 2489 * Ignore if no ADDBA request has been sent for this RA/TID or 2490 * if we already have a Block Ack agreement. 2491 */ 2492 ba = &ni->ni_tx_ba[tid]; 2493 if (ba->ba_state != IEEE80211_BA_REQUESTED) { 2494 DPRINTF(("no matching ADDBA req found\n")); 2495 return; 2496 } 2497 if (token != ba->ba_token) { 2498 DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n", 2499 ether_sprintf(ni->ni_macaddr), token, ba->ba_token)); 2500 return; 2501 } 2502 /* we got an ADDBA Response matching our request, stop timeout */ 2503 timeout_del(&ba->ba_to); 2504 2505 if (status != IEEE80211_STATUS_SUCCESS) { 2506 /* MLME-ADDBA.confirm(Failure) */ 2507 ba->ba_state = IEEE80211_BA_INIT; 2508 return; 2509 } 2510 /* MLME-ADDBA.confirm(Success) */ 2511 ba->ba_state = IEEE80211_BA_AGREED; 2512 2513 /* notify drivers of this new Block Ack agreement */ 2514 if (ic->ic_ampdu_tx_start != NULL) 2515 (void)ic->ic_ampdu_tx_start(ic, ni, tid); 2516 2517 /* start Block Ack inactivity timeout */ 2518 if (ba->ba_timeout_val != 0) 2519 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2520 } 2521 2522 /*- 2523 * DELBA frame format: 2524 * [1] Category 2525 * [1] Action 2526 * [2] DELBA Parameter Set 2527 * [2] Reason Code 2528 */ 2529 void 2530 ieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m, 2531 struct ieee80211_node *ni) 2532 { 2533 const struct ieee80211_frame *wh; 2534 const u_int8_t *frm; 2535 u_int16_t params, reason; 2536 u_int8_t tid; 2537 int i; 2538 2539 if (m->m_len < sizeof(*wh) + 6) { 2540 DPRINTF(("frame too short\n")); 2541 return; 2542 } 2543 wh = mtod(m, struct ieee80211_frame *); 2544 frm = (const u_int8_t *)&wh[1]; 2545 2546 params = LE_READ_2(&frm[2]); 2547 reason = LE_READ_2(&frm[4]); 2548 tid = params >> 12; 2549 2550 DPRINTF(("received DELBA from %s, TID %d, reason %d\n", 2551 ether_sprintf(ni->ni_macaddr), tid, reason)); 2552 2553 if (params & IEEE80211_DELBA_INITIATOR) { 2554 /* MLME-DELBA.indication(Originator) */ 2555 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2556 2557 if (ba->ba_state != IEEE80211_BA_AGREED) { 2558 DPRINTF(("no matching Block Ack agreement\n")); 2559 return; 2560 } 2561 /* notify drivers of the end of the Block Ack agreement */ 2562 if (ic->ic_ampdu_rx_stop != NULL) 2563 ic->ic_ampdu_rx_stop(ic, ni, tid); 2564 2565 ba->ba_state = IEEE80211_BA_INIT; 2566 /* stop Block Ack inactivity timer */ 2567 timeout_del(&ba->ba_to); 2568 2569 if (ba->ba_buf != NULL) { 2570 /* free all MSDUs stored in reordering buffer */ 2571 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 2572 if (ba->ba_buf[i].m != NULL) 2573 m_freem(ba->ba_buf[i].m); 2574 /* free reordering buffer */ 2575 free(ba->ba_buf, M_DEVBUF); 2576 ba->ba_buf = NULL; 2577 } 2578 } else { 2579 /* MLME-DELBA.indication(Recipient) */ 2580 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 2581 2582 if (ba->ba_state != IEEE80211_BA_AGREED) { 2583 DPRINTF(("no matching Block Ack agreement\n")); 2584 return; 2585 } 2586 /* notify drivers of the end of the Block Ack agreement */ 2587 if (ic->ic_ampdu_tx_stop != NULL) 2588 ic->ic_ampdu_tx_stop(ic, ni, tid); 2589 2590 ba->ba_state = IEEE80211_BA_INIT; 2591 /* stop Block Ack inactivity timer */ 2592 timeout_del(&ba->ba_to); 2593 } 2594 } 2595 #endif /* !IEEE80211_NO_HT */ 2596 2597 /*- 2598 * SA Query Request frame format: 2599 * [1] Category 2600 * [1] Action 2601 * [2] Transaction Identifier 2602 */ 2603 void 2604 ieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m, 2605 struct ieee80211_node *ni) 2606 { 2607 const struct ieee80211_frame *wh; 2608 const u_int8_t *frm; 2609 2610 if (ic->ic_opmode != IEEE80211_M_STA || 2611 !(ni->ni_flags & IEEE80211_NODE_MFP)) { 2612 DPRINTF(("unexpected SA Query req from %s\n", 2613 ether_sprintf(ni->ni_macaddr))); 2614 return; 2615 } 2616 if (m->m_len < sizeof(*wh) + 4) { 2617 DPRINTF(("frame too short\n")); 2618 return; 2619 } 2620 wh = mtod(m, struct ieee80211_frame *); 2621 frm = (const u_int8_t *)&wh[1]; 2622 2623 /* MLME-SAQuery.indication */ 2624 2625 /* save Transaction Identifier for SA Query Response */ 2626 ni->ni_sa_query_trid = LE_READ_2(&frm[2]); 2627 2628 /* MLME-SAQuery.response */ 2629 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 2630 IEEE80211_ACTION_SA_QUERY_RESP, 0); 2631 } 2632 2633 #ifndef IEEE80211_STA_ONLY 2634 /*- 2635 * SA Query Response frame format: 2636 * [1] Category 2637 * [1] Action 2638 * [2] Transaction Identifier 2639 */ 2640 void 2641 ieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m, 2642 struct ieee80211_node *ni) 2643 { 2644 const struct ieee80211_frame *wh; 2645 const u_int8_t *frm; 2646 2647 /* ignore if we're not engaged in an SA Query with that STA */ 2648 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 2649 DPRINTF(("unexpected SA Query resp from %s\n", 2650 ether_sprintf(ni->ni_macaddr))); 2651 return; 2652 } 2653 if (m->m_len < sizeof(*wh) + 4) { 2654 DPRINTF(("frame too short\n")); 2655 return; 2656 } 2657 wh = mtod(m, struct ieee80211_frame *); 2658 frm = (const u_int8_t *)&wh[1]; 2659 2660 /* check that Transaction Identifier matches */ 2661 if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) { 2662 DPRINTF(("transaction identifier does not match\n")); 2663 return; 2664 } 2665 /* MLME-SAQuery.confirm */ 2666 timeout_del(&ni->ni_sa_query_to); 2667 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 2668 } 2669 #endif 2670 2671 /*- 2672 * Action frame format: 2673 * [1] Category 2674 * [1] Action 2675 */ 2676 void 2677 ieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m, 2678 struct ieee80211_node *ni) 2679 { 2680 const struct ieee80211_frame *wh; 2681 const u_int8_t *frm; 2682 2683 if (m->m_len < sizeof(*wh) + 2) { 2684 DPRINTF(("frame too short\n")); 2685 return; 2686 } 2687 wh = mtod(m, struct ieee80211_frame *); 2688 frm = (const u_int8_t *)&wh[1]; 2689 2690 switch (frm[0]) { 2691 #ifndef IEEE80211_NO_HT 2692 case IEEE80211_CATEG_BA: 2693 switch (frm[1]) { 2694 case IEEE80211_ACTION_ADDBA_REQ: 2695 ieee80211_recv_addba_req(ic, m, ni); 2696 break; 2697 case IEEE80211_ACTION_ADDBA_RESP: 2698 ieee80211_recv_addba_resp(ic, m, ni); 2699 break; 2700 case IEEE80211_ACTION_DELBA: 2701 ieee80211_recv_delba(ic, m, ni); 2702 break; 2703 } 2704 break; 2705 #endif 2706 case IEEE80211_CATEG_SA_QUERY: 2707 switch (frm[1]) { 2708 case IEEE80211_ACTION_SA_QUERY_REQ: 2709 ieee80211_recv_sa_query_req(ic, m, ni); 2710 break; 2711 #ifndef IEEE80211_STA_ONLY 2712 case IEEE80211_ACTION_SA_QUERY_RESP: 2713 ieee80211_recv_sa_query_resp(ic, m, ni); 2714 break; 2715 #endif 2716 } 2717 break; 2718 default: 2719 DPRINTF(("action frame category %d not handled\n", frm[0])); 2720 break; 2721 } 2722 } 2723 2724 void 2725 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m, 2726 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype) 2727 { 2728 switch (subtype) { 2729 case IEEE80211_FC0_SUBTYPE_BEACON: 2730 ieee80211_recv_probe_resp(ic, m, ni, rxi, 0); 2731 break; 2732 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 2733 ieee80211_recv_probe_resp(ic, m, ni, rxi, 1); 2734 break; 2735 #ifndef IEEE80211_STA_ONLY 2736 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2737 ieee80211_recv_probe_req(ic, m, ni, rxi); 2738 break; 2739 #endif 2740 case IEEE80211_FC0_SUBTYPE_AUTH: 2741 ieee80211_recv_auth(ic, m, ni, rxi); 2742 break; 2743 #ifndef IEEE80211_STA_ONLY 2744 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2745 ieee80211_recv_assoc_req(ic, m, ni, rxi, 0); 2746 break; 2747 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 2748 ieee80211_recv_assoc_req(ic, m, ni, rxi, 1); 2749 break; 2750 #endif 2751 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2752 ieee80211_recv_assoc_resp(ic, m, ni, 0); 2753 break; 2754 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2755 ieee80211_recv_assoc_resp(ic, m, ni, 1); 2756 break; 2757 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2758 ieee80211_recv_deauth(ic, m, ni); 2759 break; 2760 case IEEE80211_FC0_SUBTYPE_DISASSOC: 2761 ieee80211_recv_disassoc(ic, m, ni); 2762 break; 2763 case IEEE80211_FC0_SUBTYPE_ACTION: 2764 ieee80211_recv_action(ic, m, ni); 2765 break; 2766 default: 2767 DPRINTF(("mgmt frame with subtype 0x%x not handled\n", 2768 subtype)); 2769 ic->ic_stats.is_rx_badsubtype++; 2770 break; 2771 } 2772 } 2773 2774 #ifndef IEEE80211_STA_ONLY 2775 /* 2776 * Process an incoming PS-Poll control frame (see 11.2). 2777 */ 2778 void 2779 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m, 2780 struct ieee80211_node *ni) 2781 { 2782 struct ifnet *ifp = &ic->ic_if; 2783 struct ieee80211_frame_pspoll *psp; 2784 struct ieee80211_frame *wh; 2785 u_int16_t aid; 2786 2787 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2788 !(ic->ic_caps & IEEE80211_C_APPMGT) || 2789 ni->ni_state != IEEE80211_STA_ASSOC) 2790 return; 2791 2792 if (m->m_len < sizeof(*psp)) { 2793 DPRINTF(("frame too short, len %u\n", m->m_len)); 2794 ic->ic_stats.is_rx_tooshort++; 2795 return; 2796 } 2797 psp = mtod(m, struct ieee80211_frame_pspoll *); 2798 if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) { 2799 DPRINTF(("discard pspoll frame to BSS %s\n", 2800 ether_sprintf(psp->i_bssid))); 2801 ic->ic_stats.is_rx_wrongbss++; 2802 return; 2803 } 2804 aid = letoh16(*(u_int16_t *)psp->i_aid); 2805 if (aid != ni->ni_associd) { 2806 DPRINTF(("invalid pspoll aid %x from %s\n", aid, 2807 ether_sprintf(psp->i_ta))); 2808 return; 2809 } 2810 2811 /* take the first queued frame and put it out.. */ 2812 IF_DEQUEUE(&ni->ni_savedq, m); 2813 if (m == NULL) 2814 return; 2815 if (IF_IS_EMPTY(&ni->ni_savedq)) { 2816 /* last queued frame, turn off the TIM bit */ 2817 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 2818 } else { 2819 /* more queued frames, set the more data bit */ 2820 wh = mtod(m, struct ieee80211_frame *); 2821 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 2822 } 2823 IF_ENQUEUE(&ic->ic_pwrsaveq, m); 2824 (*ifp->if_start)(ifp); 2825 } 2826 #endif /* IEEE80211_STA_ONLY */ 2827 2828 #ifndef IEEE80211_NO_HT 2829 /* 2830 * Process an incoming BlockAckReq control frame (see 7.2.1.7). 2831 */ 2832 void 2833 ieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m, 2834 struct ieee80211_node *ni) 2835 { 2836 const struct ieee80211_frame_min *wh; 2837 const u_int8_t *frm; 2838 u_int16_t ctl, ssn; 2839 u_int8_t tid, ntids; 2840 2841 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2842 DPRINTF(("received BlockAckReq from non-HT STA %s\n", 2843 ether_sprintf(ni->ni_macaddr))); 2844 return; 2845 } 2846 if (m->m_len < sizeof(*wh) + 4) { 2847 DPRINTF(("frame too short\n")); 2848 return; 2849 } 2850 wh = mtod(m, struct ieee80211_frame_min *); 2851 frm = (const u_int8_t *)&wh[1]; 2852 2853 /* read BlockAckReq Control field */ 2854 ctl = LE_READ_2(&frm[0]); 2855 tid = ctl >> 12; 2856 2857 /* determine BlockAckReq frame variant */ 2858 if (ctl & IEEE80211_BA_MULTI_TID) { 2859 /* Multi-TID BlockAckReq variant (PSMP only) */ 2860 ntids = tid + 1; 2861 2862 if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) { 2863 DPRINTF(("MTBAR frame too short\n")); 2864 return; 2865 } 2866 frm += 2; /* skip BlockAckReq Control field */ 2867 while (ntids-- > 0) { 2868 /* read MTBAR Information field */ 2869 tid = LE_READ_2(&frm[0]) >> 12; 2870 ssn = LE_READ_2(&frm[2]) >> 4; 2871 ieee80211_bar_tid(ic, ni, tid, ssn); 2872 frm += 4; 2873 } 2874 } else { 2875 /* Basic or Compressed BlockAckReq variants */ 2876 ssn = LE_READ_2(&frm[2]) >> 4; 2877 ieee80211_bar_tid(ic, ni, tid, ssn); 2878 } 2879 } 2880 2881 /* 2882 * Process a BlockAckReq for a specific TID (see 9.10.7.6.3). 2883 * This is the common back-end for all BlockAckReq frame variants. 2884 */ 2885 void 2886 ieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni, 2887 u_int8_t tid, u_int16_t ssn) 2888 { 2889 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2890 2891 /* check if we have a Block Ack agreement for RA/TID */ 2892 if (ba->ba_state != IEEE80211_BA_AGREED) { 2893 /* XXX not sure in PBAC case */ 2894 /* send a DELBA with reason code UNKNOWN-BA */ 2895 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2896 IEEE80211_ACTION_DELBA, 2897 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 2898 return; 2899 } 2900 /* check if it is a Protected Block Ack agreement */ 2901 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 2902 (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) { 2903 /* ADDBA Requests must be used in PBAC case */ 2904 if (SEQ_LT(ssn, ba->ba_winstart) || 2905 SEQ_LT(ba->ba_winend, ssn)) 2906 ic->ic_stats.is_pbac_errs++; 2907 return; /* PBAC, do not move window */ 2908 } 2909 /* reset Block Ack inactivity timer */ 2910 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2911 2912 if (SEQ_LT(ba->ba_winstart, ssn)) 2913 ieee80211_ba_move_window(ic, ni, tid, ssn); 2914 } 2915 #endif /* !IEEE80211_NO_HT */ 2916