1 /* $OpenBSD: ieee80211_input.c,v 1.238 2021/09/03 12:39:43 stsp Exp $ */ 2 3 /*- 4 * Copyright (c) 2001 Atsushi Onoe 5 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 6 * Copyright (c) 2007-2009 Damien Bergamini 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of the author may not be used to endorse or promote products 18 * derived from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include "bpfilter.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 #include <sys/socket.h> 40 #include <sys/sockio.h> 41 #include <sys/endian.h> 42 #include <sys/errno.h> 43 #include <sys/sysctl.h> 44 #include <sys/task.h> 45 46 #include <net/if.h> 47 #include <net/if_dl.h> 48 #include <net/if_media.h> 49 #include <net/if_llc.h> 50 51 #if NBPFILTER > 0 52 #include <net/bpf.h> 53 #endif 54 55 #include <netinet/in.h> 56 #include <netinet/if_ether.h> 57 58 #include <net80211/ieee80211_var.h> 59 #include <net80211/ieee80211_priv.h> 60 61 struct mbuf *ieee80211_input_hwdecrypt(struct ieee80211com *, 62 struct ieee80211_node *, struct mbuf *, 63 struct ieee80211_rxinfo *rxi); 64 struct mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int); 65 void ieee80211_defrag_timeout(void *); 66 void ieee80211_input_ba(struct ieee80211com *, struct mbuf *, 67 struct ieee80211_node *, int, struct ieee80211_rxinfo *, 68 struct mbuf_list *); 69 void ieee80211_input_ba_flush(struct ieee80211com *, struct ieee80211_node *, 70 struct ieee80211_rx_ba *, struct mbuf_list *); 71 int ieee80211_input_ba_gap_skip(struct ieee80211_rx_ba *); 72 void ieee80211_input_ba_gap_timeout(void *arg); 73 void ieee80211_ba_move_window(struct ieee80211com *, 74 struct ieee80211_node *, u_int8_t, u_int16_t, struct mbuf_list *); 75 void ieee80211_input_ba_seq(struct ieee80211com *, 76 struct ieee80211_node *, uint8_t, uint16_t, struct mbuf_list *); 77 struct mbuf *ieee80211_align_mbuf(struct mbuf *); 78 void ieee80211_decap(struct ieee80211com *, struct mbuf *, 79 struct ieee80211_node *, int, struct mbuf_list *); 80 int ieee80211_amsdu_decap_validate(struct ieee80211com *, struct mbuf *, 81 struct ieee80211_node *); 82 void ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *, 83 struct ieee80211_node *, int, struct mbuf_list *); 84 void ieee80211_enqueue_data(struct ieee80211com *, struct mbuf *, 85 struct ieee80211_node *, int, struct mbuf_list *); 86 int ieee80211_parse_edca_params_body(struct ieee80211com *, 87 const u_int8_t *); 88 int ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *); 89 int ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *); 90 enum ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t[]); 91 enum ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t[]); 92 int ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *, 93 u_int, struct ieee80211_rsnparams *); 94 int ieee80211_save_ie(const u_int8_t *, u_int8_t **); 95 void ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *, 96 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 97 #ifndef IEEE80211_STA_ONLY 98 void ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *, 99 struct ieee80211_node *, struct ieee80211_rxinfo *); 100 #endif 101 void ieee80211_recv_auth(struct ieee80211com *, struct mbuf *, 102 struct ieee80211_node *, struct ieee80211_rxinfo *); 103 #ifndef IEEE80211_STA_ONLY 104 void ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *, 105 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 106 #endif 107 void ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *, 108 struct ieee80211_node *, int); 109 void ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *, 110 struct ieee80211_node *); 111 void ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *, 112 struct ieee80211_node *); 113 void ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *, 114 struct ieee80211_node *); 115 void ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *, 116 struct ieee80211_node *); 117 void ieee80211_recv_delba(struct ieee80211com *, struct mbuf *, 118 struct ieee80211_node *); 119 void ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *, 120 struct ieee80211_node *); 121 #ifndef IEEE80211_STA_ONLY 122 void ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *, 123 struct ieee80211_node *); 124 #endif 125 void ieee80211_recv_action(struct ieee80211com *, struct mbuf *, 126 struct ieee80211_node *); 127 #ifndef IEEE80211_STA_ONLY 128 void ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *, 129 struct ieee80211_node *); 130 #endif 131 void ieee80211_recv_bar(struct ieee80211com *, struct mbuf *, 132 struct ieee80211_node *); 133 void ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *, 134 u_int8_t, u_int16_t); 135 136 /* 137 * Retrieve the length in bytes of an 802.11 header. 138 */ 139 u_int 140 ieee80211_get_hdrlen(const struct ieee80211_frame *wh) 141 { 142 u_int size = sizeof(*wh); 143 144 /* NB: does not work with control frames */ 145 KASSERT(ieee80211_has_seq(wh)); 146 147 if (ieee80211_has_addr4(wh)) 148 size += IEEE80211_ADDR_LEN; /* i_addr4 */ 149 if (ieee80211_has_qos(wh)) 150 size += sizeof(u_int16_t); /* i_qos */ 151 if (ieee80211_has_htc(wh)) 152 size += sizeof(u_int32_t); /* i_ht */ 153 return size; 154 } 155 156 /* Post-processing for drivers which perform decryption in hardware. */ 157 struct mbuf * 158 ieee80211_input_hwdecrypt(struct ieee80211com *ic, struct ieee80211_node *ni, 159 struct mbuf *m, struct ieee80211_rxinfo *rxi) 160 { 161 struct ieee80211_key *k; 162 struct ieee80211_frame *wh; 163 uint64_t pn, *prsc; 164 int hdrlen; 165 166 k = ieee80211_get_rxkey(ic, m, ni); 167 if (k == NULL) 168 return NULL; 169 170 wh = mtod(m, struct ieee80211_frame *); 171 hdrlen = ieee80211_get_hdrlen(wh); 172 173 /* 174 * Update the last-seen packet number (PN) for drivers using hardware 175 * crypto offloading. This cannot be done by drivers because A-MPDU 176 * reordering needs to occur before a valid lower bound can be 177 * determined for the PN. Drivers will read the PN we write here and 178 * are expected to discard replayed frames based on it. 179 * Drivers are expected to leave the IV of decrypted frames intact 180 * so we can update the last-seen PN and strip the IV here. 181 */ 182 switch (k->k_cipher) { 183 case IEEE80211_CIPHER_CCMP: 184 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 185 /* 186 * If the protected bit is clear then hardware has 187 * stripped the IV and we must trust that it handles 188 * replay detection correctly. 189 */ 190 break; 191 } 192 if (ieee80211_ccmp_get_pn(&pn, &prsc, m, k) != 0) 193 return NULL; 194 if (rxi->rxi_flags & IEEE80211_RXI_HWDEC_SAME_PN) { 195 if (pn < *prsc) { 196 ic->ic_stats.is_ccmp_replays++; 197 return NULL; 198 } 199 } else if (pn <= *prsc) { 200 ic->ic_stats.is_ccmp_replays++; 201 return NULL; 202 } 203 204 /* Update last-seen packet number. */ 205 *prsc = pn; 206 207 /* Clear Protected bit and strip IV. */ 208 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 209 memmove(mtod(m, caddr_t) + IEEE80211_CCMP_HDRLEN, wh, hdrlen); 210 m_adj(m, IEEE80211_CCMP_HDRLEN); 211 /* Drivers are expected to strip the MIC. */ 212 break; 213 case IEEE80211_CIPHER_TKIP: 214 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 215 /* 216 * If the protected bit is clear then hardware has 217 * stripped the IV and we must trust that it handles 218 * replay detection correctly. 219 */ 220 break; 221 } 222 if (ieee80211_tkip_get_tsc(&pn, &prsc, m, k) != 0) 223 return NULL; 224 if (rxi->rxi_flags & IEEE80211_RXI_HWDEC_SAME_PN) { 225 if (pn < *prsc) { 226 ic->ic_stats.is_tkip_replays++; 227 return NULL; 228 } 229 } else if (pn <= *prsc) { 230 ic->ic_stats.is_tkip_replays++; 231 return NULL; 232 } 233 234 /* Update last-seen packet number. */ 235 *prsc = pn; 236 237 /* Clear Protected bit and strip IV. */ 238 wh = mtod(m, struct ieee80211_frame *); 239 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 240 memmove(mtod(m, caddr_t) + IEEE80211_TKIP_HDRLEN, wh, hdrlen); 241 m_adj(m, IEEE80211_TKIP_HDRLEN); 242 /* Drivers are expected to strip the MIC. */ 243 break; 244 default: 245 break; 246 } 247 248 return m; 249 } 250 251 /* 252 * Process a received frame. The node associated with the sender 253 * should be supplied. If nothing was found in the node table then 254 * the caller is assumed to supply a reference to ic_bss instead. 255 * The RSSI and a timestamp are also supplied. The RSSI data is used 256 * during AP scanning to select a AP to associate with; it can have 257 * any units so long as values have consistent units and higher values 258 * mean ``better signal''. The receive timestamp is currently not used 259 * by the 802.11 layer. 260 * 261 * This function acts on management frames immediately and queues data frames 262 * on the specified mbuf list. Delivery of queued data frames to upper layers 263 * must be triggered with if_input(). Drivers should call if_input() only once 264 * per Rx interrupt to avoid triggering the input ifq pressure drop mechanism 265 * unnecessarily. 266 */ 267 void 268 ieee80211_inputm(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 269 struct ieee80211_rxinfo *rxi, struct mbuf_list *ml) 270 { 271 struct ieee80211com *ic = (void *)ifp; 272 struct ieee80211_frame *wh; 273 u_int16_t *orxseq, nrxseq, qos; 274 u_int8_t dir, type, subtype, tid; 275 int hdrlen, hasqos; 276 277 KASSERT(ni != NULL); 278 279 /* in monitor mode, send everything directly to bpf */ 280 if (ic->ic_opmode == IEEE80211_M_MONITOR) 281 goto out; 282 283 /* 284 * Do not process frames without an Address 2 field any further. 285 * Only CTS and ACK control frames do not have this field. 286 */ 287 if (m->m_len < sizeof(struct ieee80211_frame_min)) { 288 DPRINTF(("frame too short, len %u\n", m->m_len)); 289 ic->ic_stats.is_rx_tooshort++; 290 goto out; 291 } 292 293 wh = mtod(m, struct ieee80211_frame *); 294 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 295 IEEE80211_FC0_VERSION_0) { 296 DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0])); 297 ic->ic_stats.is_rx_badversion++; 298 goto err; 299 } 300 301 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 302 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 303 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 304 305 if (type != IEEE80211_FC0_TYPE_CTL) { 306 hdrlen = ieee80211_get_hdrlen(wh); 307 if (m->m_len < hdrlen) { 308 DPRINTF(("frame too short, len %u\n", m->m_len)); 309 ic->ic_stats.is_rx_tooshort++; 310 goto err; 311 } 312 } else 313 hdrlen = 0; 314 if ((hasqos = ieee80211_has_qos(wh))) { 315 qos = ieee80211_get_qos(wh); 316 tid = qos & IEEE80211_QOS_TID; 317 } else { 318 qos = 0; 319 tid = 0; 320 } 321 322 if (ic->ic_state == IEEE80211_S_RUN && 323 type == IEEE80211_FC0_TYPE_DATA && hasqos && 324 (subtype & IEEE80211_FC0_SUBTYPE_NODATA) == 0 && 325 !(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE) 326 #ifndef IEEE80211_STA_ONLY 327 && (ic->ic_opmode == IEEE80211_M_STA || ni != ic->ic_bss) 328 #endif 329 ) { 330 int ba_state = ni->ni_rx_ba[tid].ba_state; 331 332 #ifndef IEEE80211_STA_ONLY 333 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 334 if (!IEEE80211_ADDR_EQ(wh->i_addr1, 335 ic->ic_bss->ni_bssid)) { 336 ic->ic_stats.is_rx_wrongbss++; 337 goto err; 338 } 339 if (ni->ni_state != IEEE80211_S_ASSOC) { 340 ic->ic_stats.is_rx_notassoc++; 341 goto err; 342 } 343 } 344 #endif 345 /* 346 * If Block Ack was explicitly requested, check 347 * if we have a BA agreement for this RA/TID. 348 */ 349 if ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 350 IEEE80211_QOS_ACK_POLICY_BA && 351 ba_state != IEEE80211_BA_AGREED) { 352 DPRINTF(("no BA agreement for %s, TID %d\n", 353 ether_sprintf(ni->ni_macaddr), tid)); 354 /* send a DELBA with reason code UNKNOWN-BA */ 355 IEEE80211_SEND_ACTION(ic, ni, 356 IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA, 357 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 358 goto err; 359 } 360 361 /* 362 * Check if we have an explicit or implicit 363 * Block Ack Request for a valid BA agreement. 364 */ 365 if (ba_state == IEEE80211_BA_AGREED && 366 ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 367 IEEE80211_QOS_ACK_POLICY_BA || 368 (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 369 IEEE80211_QOS_ACK_POLICY_NORMAL)) { 370 /* go through A-MPDU reordering */ 371 ieee80211_input_ba(ic, m, ni, tid, rxi, ml); 372 return; /* don't free m! */ 373 } else if (ba_state == IEEE80211_BA_REQUESTED && 374 (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 375 IEEE80211_QOS_ACK_POLICY_NORMAL) { 376 /* 377 * Apparently, qos frames for a tid where a 378 * block ack agreement was requested but not 379 * yet confirmed by us should still contribute 380 * to the sequence number for this tid. 381 */ 382 ieee80211_input_ba(ic, m, ni, tid, rxi, ml); 383 return; /* don't free m! */ 384 } 385 } 386 387 /* 388 * We do not yet support fragments. Drop any fragmented packets. 389 * Counter-measure against attacks where an arbitrary packet is 390 * injected via a fragment with attacker-controlled content. 391 * See https://papers.mathyvanhoef.com/usenix2021.pdf 392 * Section 6.8 "Treating fragments as full frames" 393 */ 394 if (ieee80211_has_seq(wh)) { 395 uint16_t rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 396 if ((wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) || 397 (rxseq & IEEE80211_SEQ_FRAG_MASK)) 398 goto err; 399 } 400 401 /* duplicate detection (see 9.2.9) */ 402 if (ieee80211_has_seq(wh) && 403 ic->ic_state != IEEE80211_S_SCAN) { 404 nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >> 405 IEEE80211_SEQ_SEQ_SHIFT; 406 if (hasqos) 407 orxseq = &ni->ni_qos_rxseqs[tid]; 408 else 409 orxseq = &ni->ni_rxseq; 410 if (rxi->rxi_flags & IEEE80211_RXI_SAME_SEQ) { 411 if (nrxseq != *orxseq) { 412 /* duplicate, silently discarded */ 413 ic->ic_stats.is_rx_dup++; 414 goto out; 415 } 416 } else if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 417 nrxseq == *orxseq) { 418 /* duplicate, silently discarded */ 419 ic->ic_stats.is_rx_dup++; 420 goto out; 421 } 422 *orxseq = nrxseq; 423 } 424 if (ic->ic_state > IEEE80211_S_SCAN) { 425 ni->ni_rssi = rxi->rxi_rssi; 426 ni->ni_rstamp = rxi->rxi_tstamp; 427 ni->ni_inact = 0; 428 429 if (ic->ic_state == IEEE80211_S_RUN && ic->ic_bgscan_start) { 430 /* Cancel or start background scan based on RSSI. */ 431 if ((*ic->ic_node_checkrssi)(ic, ni)) 432 timeout_del(&ic->ic_bgscan_timeout); 433 else if (!timeout_pending(&ic->ic_bgscan_timeout) && 434 (ic->ic_flags & IEEE80211_F_BGSCAN) == 0 && 435 (ic->ic_flags & IEEE80211_F_DESBSSID) == 0) 436 timeout_add_msec(&ic->ic_bgscan_timeout, 437 500 * (ic->ic_bgscan_fail + 1)); 438 } 439 } 440 441 #ifndef IEEE80211_STA_ONLY 442 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 443 (ic->ic_caps & IEEE80211_C_APPMGT) && 444 ni->ni_state == IEEE80211_STA_ASSOC) { 445 if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) { 446 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) { 447 /* turn on PS mode */ 448 ni->ni_pwrsave = IEEE80211_PS_DOZE; 449 DPRINTF(("PS mode on for %s\n", 450 ether_sprintf(wh->i_addr2))); 451 } 452 } else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) { 453 struct mbuf *m; 454 455 /* turn off PS mode */ 456 ni->ni_pwrsave = IEEE80211_PS_AWAKE; 457 DPRINTF(("PS mode off for %s\n", 458 ether_sprintf(wh->i_addr2))); 459 460 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 461 462 /* dequeue buffered unicast frames */ 463 while ((m = mq_dequeue(&ni->ni_savedq)) != NULL) { 464 mq_enqueue(&ic->ic_pwrsaveq, m); 465 if_start(ifp); 466 } 467 } 468 } 469 #endif 470 switch (type) { 471 case IEEE80211_FC0_TYPE_DATA: 472 switch (ic->ic_opmode) { 473 case IEEE80211_M_STA: 474 if (dir != IEEE80211_FC1_DIR_FROMDS) { 475 ic->ic_stats.is_rx_wrongdir++; 476 goto out; 477 } 478 if (ic->ic_state != IEEE80211_S_SCAN && 479 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 480 /* Source address is not our BSS. */ 481 DPRINTF(("discard frame from SA %s\n", 482 ether_sprintf(wh->i_addr2))); 483 ic->ic_stats.is_rx_wrongbss++; 484 goto out; 485 } 486 if ((ifp->if_flags & IFF_SIMPLEX) && 487 IEEE80211_IS_MULTICAST(wh->i_addr1) && 488 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 489 /* 490 * In IEEE802.11 network, multicast frame 491 * sent from me is broadcasted from AP. 492 * It should be silently discarded for 493 * SIMPLEX interface. 494 */ 495 ic->ic_stats.is_rx_mcastecho++; 496 goto out; 497 } 498 break; 499 #ifndef IEEE80211_STA_ONLY 500 case IEEE80211_M_IBSS: 501 case IEEE80211_M_AHDEMO: 502 if (dir != IEEE80211_FC1_DIR_NODS) { 503 ic->ic_stats.is_rx_wrongdir++; 504 goto out; 505 } 506 if (ic->ic_state != IEEE80211_S_SCAN && 507 !IEEE80211_ADDR_EQ(wh->i_addr3, 508 ic->ic_bss->ni_bssid) && 509 !IEEE80211_ADDR_EQ(wh->i_addr3, 510 etherbroadcastaddr)) { 511 /* Destination is not our BSS or broadcast. */ 512 DPRINTF(("discard data frame to DA %s\n", 513 ether_sprintf(wh->i_addr3))); 514 ic->ic_stats.is_rx_wrongbss++; 515 goto out; 516 } 517 break; 518 case IEEE80211_M_HOSTAP: 519 if (dir != IEEE80211_FC1_DIR_TODS) { 520 ic->ic_stats.is_rx_wrongdir++; 521 goto out; 522 } 523 if (ic->ic_state != IEEE80211_S_SCAN && 524 !IEEE80211_ADDR_EQ(wh->i_addr1, 525 ic->ic_bss->ni_bssid) && 526 !IEEE80211_ADDR_EQ(wh->i_addr1, 527 etherbroadcastaddr)) { 528 /* BSS is not us or broadcast. */ 529 DPRINTF(("discard data frame to BSS %s\n", 530 ether_sprintf(wh->i_addr1))); 531 ic->ic_stats.is_rx_wrongbss++; 532 goto out; 533 } 534 /* check if source STA is associated */ 535 if (ni == ic->ic_bss) { 536 DPRINTF(("data from unknown src %s\n", 537 ether_sprintf(wh->i_addr2))); 538 /* NB: caller deals with reference */ 539 ni = ieee80211_find_node(ic, wh->i_addr2); 540 if (ni == NULL) 541 ni = ieee80211_dup_bss(ic, wh->i_addr2); 542 if (ni != NULL) { 543 IEEE80211_SEND_MGMT(ic, ni, 544 IEEE80211_FC0_SUBTYPE_DEAUTH, 545 IEEE80211_REASON_NOT_AUTHED); 546 } 547 ic->ic_stats.is_rx_notassoc++; 548 goto err; 549 } 550 if (ni->ni_state != IEEE80211_STA_ASSOC) { 551 DPRINTF(("data from unassoc src %s\n", 552 ether_sprintf(wh->i_addr2))); 553 IEEE80211_SEND_MGMT(ic, ni, 554 IEEE80211_FC0_SUBTYPE_DISASSOC, 555 IEEE80211_REASON_NOT_ASSOCED); 556 ic->ic_stats.is_rx_notassoc++; 557 goto err; 558 } 559 break; 560 #endif /* IEEE80211_STA_ONLY */ 561 default: 562 /* can't get there */ 563 goto out; 564 } 565 566 /* Do not process "no data" frames any further. */ 567 if (subtype & IEEE80211_FC0_SUBTYPE_NODATA) { 568 #if NBPFILTER > 0 569 if (ic->ic_rawbpf) 570 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 571 #endif 572 goto out; 573 } 574 575 if ((ic->ic_flags & IEEE80211_F_WEPON) || 576 ((ic->ic_flags & IEEE80211_F_RSNON) && 577 (ni->ni_flags & IEEE80211_NODE_RXPROT))) { 578 /* protection is on for Rx */ 579 if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 580 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 581 /* drop unencrypted */ 582 ic->ic_stats.is_rx_unencrypted++; 583 goto err; 584 } 585 /* do software decryption */ 586 m = ieee80211_decrypt(ic, m, ni); 587 if (m == NULL) { 588 ic->ic_stats.is_rx_wepfail++; 589 goto err; 590 } 591 } else { 592 m = ieee80211_input_hwdecrypt(ic, ni, m, rxi); 593 if (m == NULL) 594 goto err; 595 } 596 wh = mtod(m, struct ieee80211_frame *); 597 } else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) || 598 (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 599 /* frame encrypted but protection off for Rx */ 600 ic->ic_stats.is_rx_nowep++; 601 goto out; 602 } 603 604 #if NBPFILTER > 0 605 /* copy to listener after decrypt */ 606 if (ic->ic_rawbpf) 607 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 608 #endif 609 610 if ((ni->ni_flags & IEEE80211_NODE_HT) && 611 hasqos && (qos & IEEE80211_QOS_AMSDU)) 612 ieee80211_amsdu_decap(ic, m, ni, hdrlen, ml); 613 else 614 ieee80211_decap(ic, m, ni, hdrlen, ml); 615 return; 616 617 case IEEE80211_FC0_TYPE_MGT: 618 if (dir != IEEE80211_FC1_DIR_NODS) { 619 ic->ic_stats.is_rx_wrongdir++; 620 goto err; 621 } 622 #ifndef IEEE80211_STA_ONLY 623 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 624 ic->ic_stats.is_rx_ahdemo_mgt++; 625 goto out; 626 } 627 #endif 628 /* drop frames without interest */ 629 if (ic->ic_state == IEEE80211_S_SCAN) { 630 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 631 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 632 ic->ic_stats.is_rx_mgtdiscard++; 633 goto out; 634 } 635 } 636 637 if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) { 638 /* MMPDU protection is on for Rx */ 639 if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC || 640 subtype == IEEE80211_FC0_SUBTYPE_DEAUTH || 641 subtype == IEEE80211_FC0_SUBTYPE_ACTION) { 642 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) && 643 !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 644 /* unicast mgmt not encrypted */ 645 goto out; 646 } 647 /* do software decryption */ 648 m = ieee80211_decrypt(ic, m, ni); 649 if (m == NULL) { 650 /* XXX stats */ 651 goto out; 652 } 653 wh = mtod(m, struct ieee80211_frame *); 654 } 655 } else if ((ic->ic_flags & IEEE80211_F_RSNON) && 656 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 657 /* encrypted but MMPDU Rx protection off for TA */ 658 goto out; 659 } 660 661 #if NBPFILTER > 0 662 if (bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN) != 0) { 663 /* 664 * Drop mbuf if it was filtered by bpf. Normally, 665 * this is done in ether_input() but IEEE 802.11 666 * management frames are a special case. 667 */ 668 m_freem(m); 669 return; 670 } 671 #endif 672 (*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype); 673 m_freem(m); 674 return; 675 676 case IEEE80211_FC0_TYPE_CTL: 677 switch (subtype) { 678 #ifndef IEEE80211_STA_ONLY 679 case IEEE80211_FC0_SUBTYPE_PS_POLL: 680 ieee80211_recv_pspoll(ic, m, ni); 681 break; 682 #endif 683 case IEEE80211_FC0_SUBTYPE_BAR: 684 ieee80211_recv_bar(ic, m, ni); 685 break; 686 default: 687 ic->ic_stats.is_rx_ctl++; 688 break; 689 } 690 goto out; 691 692 default: 693 DPRINTF(("bad frame type %x\n", type)); 694 /* should not come here */ 695 break; 696 } 697 err: 698 ifp->if_ierrors++; 699 out: 700 if (m != NULL) { 701 #if NBPFILTER > 0 702 if (ic->ic_rawbpf) 703 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 704 #endif 705 m_freem(m); 706 } 707 } 708 709 /* Input handler for drivers which only receive one frame per interrupt. */ 710 void 711 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 712 struct ieee80211_rxinfo *rxi) 713 { 714 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 715 716 ieee80211_inputm(ifp, m, ni, rxi, &ml); 717 if_input(ifp, &ml); 718 } 719 720 #ifdef notyet 721 /* 722 * Handle defragmentation (see 9.5 and Annex C). We support the concurrent 723 * reception of fragments of three fragmented MSDUs or MMPDUs. 724 */ 725 struct mbuf * 726 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 727 { 728 const struct ieee80211_frame *owh, *wh; 729 struct ieee80211_defrag *df; 730 u_int16_t rxseq, seq; 731 u_int8_t frag; 732 int i; 733 734 wh = mtod(m, struct ieee80211_frame *); 735 rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 736 seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 737 frag = rxseq & IEEE80211_SEQ_FRAG_MASK; 738 739 if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)) 740 return m; /* not fragmented */ 741 742 if (frag == 0) { 743 /* first fragment, setup entry in the fragment cache */ 744 if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE) 745 ic->ic_defrag_cur = 0; 746 df = &ic->ic_defrag[ic->ic_defrag_cur]; 747 m_freem(df->df_m); /* discard old entry */ 748 df->df_seq = seq; 749 df->df_frag = 0; 750 df->df_m = m; 751 /* start receive MSDU timer of aMaxReceiveLifetime */ 752 timeout_add_sec(&df->df_to, 1); 753 return NULL; /* MSDU or MMPDU not yet complete */ 754 } 755 756 /* find matching entry in the fragment cache */ 757 for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) { 758 df = &ic->ic_defrag[i]; 759 if (df->df_m == NULL) 760 continue; 761 if (df->df_seq != seq || df->df_frag + 1 != frag) 762 continue; 763 owh = mtod(df->df_m, struct ieee80211_frame *); 764 /* frame type, source and destination must match */ 765 if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) || 766 !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) || 767 !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2)) 768 continue; 769 /* matching entry found */ 770 break; 771 } 772 if (i == IEEE80211_DEFRAG_SIZE) { 773 /* no matching entry found, discard fragment */ 774 ic->ic_if.if_ierrors++; 775 m_freem(m); 776 return NULL; 777 } 778 779 df->df_frag = frag; 780 /* strip 802.11 header and concatenate fragment */ 781 m_adj(m, hdrlen); 782 m_cat(df->df_m, m); 783 df->df_m->m_pkthdr.len += m->m_pkthdr.len; 784 785 if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) 786 return NULL; /* MSDU or MMPDU not yet complete */ 787 788 /* MSDU or MMPDU complete */ 789 timeout_del(&df->df_to); 790 m = df->df_m; 791 df->df_m = NULL; 792 return m; 793 } 794 795 /* 796 * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime. 797 */ 798 void 799 ieee80211_defrag_timeout(void *arg) 800 { 801 struct ieee80211_defrag *df = arg; 802 int s = splnet(); 803 804 /* discard all received fragments */ 805 m_freem(df->df_m); 806 df->df_m = NULL; 807 808 splx(s); 809 } 810 #endif 811 812 /* 813 * Process a received data MPDU related to a specific HT-immediate Block Ack 814 * agreement (see 9.10.7.6). 815 */ 816 void 817 ieee80211_input_ba(struct ieee80211com *ic, struct mbuf *m, 818 struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi, 819 struct mbuf_list *ml) 820 { 821 struct ifnet *ifp = &ic->ic_if; 822 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 823 struct ieee80211_frame *wh; 824 int idx, count; 825 u_int16_t sn; 826 827 wh = mtod(m, struct ieee80211_frame *); 828 sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 829 830 /* reset Block Ack inactivity timer */ 831 if (ba->ba_timeout_val != 0) 832 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 833 834 if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */ 835 ic->ic_stats.is_ht_rx_frame_below_ba_winstart++; 836 m_freem(m); /* discard the MPDU */ 837 return; 838 } 839 if (SEQ_LT(ba->ba_winend, sn)) { /* WinEndB < SN */ 840 ic->ic_stats.is_ht_rx_frame_above_ba_winend++; 841 count = (sn - ba->ba_winend) & 0xfff; 842 if (count > ba->ba_winsize) { 843 /* 844 * Check whether we're consistently behind the window, 845 * and let the window move forward if necessary. 846 */ 847 if (ba->ba_winmiss < IEEE80211_BA_MAX_WINMISS) { 848 if (ba->ba_missedsn == ((sn - 1) & 0xfff)) 849 ba->ba_winmiss++; 850 else 851 ba->ba_winmiss = 0; 852 ba->ba_missedsn = sn; 853 ifp->if_ierrors++; 854 m_freem(m); /* discard the MPDU */ 855 return; 856 } 857 858 /* It appears the window has moved for real. */ 859 ic->ic_stats.is_ht_rx_ba_window_jump++; 860 ba->ba_winmiss = 0; 861 ba->ba_missedsn = 0; 862 ieee80211_ba_move_window(ic, ni, tid, sn, ml); 863 } else { 864 ic->ic_stats.is_ht_rx_ba_window_slide++; 865 ieee80211_input_ba_seq(ic, ni, tid, 866 (ba->ba_winstart + count) & 0xfff, ml); 867 ieee80211_input_ba_flush(ic, ni, ba, ml); 868 } 869 } 870 /* WinStartB <= SN <= WinEndB */ 871 872 ba->ba_winmiss = 0; 873 ba->ba_missedsn = 0; 874 idx = (sn - ba->ba_winstart) & 0xfff; 875 idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ; 876 /* store the received MPDU in the buffer */ 877 if (ba->ba_buf[idx].m != NULL) { 878 ifp->if_ierrors++; 879 ic->ic_stats.is_ht_rx_ba_no_buf++; 880 m_freem(m); 881 return; 882 } 883 ba->ba_buf[idx].m = m; 884 /* store Rx meta-data too */ 885 rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE; 886 ba->ba_buf[idx].rxi = *rxi; 887 ba->ba_gapwait++; 888 889 if (ba->ba_buf[ba->ba_head].m == NULL && ba->ba_gapwait == 1) 890 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT); 891 892 ieee80211_input_ba_flush(ic, ni, ba, ml); 893 } 894 895 /* 896 * Forward buffered frames with sequence number lower than max_seq. 897 * See 802.11-2012 9.21.7.6.2 b. 898 */ 899 void 900 ieee80211_input_ba_seq(struct ieee80211com *ic, struct ieee80211_node *ni, 901 uint8_t tid, uint16_t max_seq, struct mbuf_list *ml) 902 { 903 struct ifnet *ifp = &ic->ic_if; 904 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 905 struct ieee80211_frame *wh; 906 uint16_t seq; 907 int i = 0; 908 909 while (i++ < ba->ba_winsize) { 910 /* gaps may exist */ 911 if (ba->ba_buf[ba->ba_head].m != NULL) { 912 wh = mtod(ba->ba_buf[ba->ba_head].m, 913 struct ieee80211_frame *); 914 KASSERT(ieee80211_has_seq(wh)); 915 seq = letoh16(*(u_int16_t *)wh->i_seq) >> 916 IEEE80211_SEQ_SEQ_SHIFT; 917 if (!SEQ_LT(seq, max_seq)) 918 break; 919 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, 920 ni, &ba->ba_buf[ba->ba_head].rxi, ml); 921 ba->ba_buf[ba->ba_head].m = NULL; 922 ba->ba_gapwait--; 923 } else 924 ic->ic_stats.is_ht_rx_ba_frame_lost++; 925 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 926 /* move window forward */ 927 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 928 } 929 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 930 } 931 932 /* Flush a consecutive sequence of frames from the reorder buffer. */ 933 void 934 ieee80211_input_ba_flush(struct ieee80211com *ic, struct ieee80211_node *ni, 935 struct ieee80211_rx_ba *ba, struct mbuf_list *ml) 936 937 { 938 struct ifnet *ifp = &ic->ic_if; 939 940 /* Do not re-arm the gap timeout if we made no progress. */ 941 if (ba->ba_buf[ba->ba_head].m == NULL) 942 return; 943 944 /* pass reordered MPDUs up to the next MAC process */ 945 while (ba->ba_buf[ba->ba_head].m != NULL) { 946 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni, 947 &ba->ba_buf[ba->ba_head].rxi, ml); 948 ba->ba_buf[ba->ba_head].m = NULL; 949 ba->ba_gapwait--; 950 951 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 952 /* move window forward */ 953 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 954 } 955 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 956 957 if (timeout_pending(&ba->ba_gap_to)) 958 timeout_del(&ba->ba_gap_to); 959 if (ba->ba_gapwait) 960 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT); 961 } 962 963 /* 964 * Forcibly move the BA window forward to remove a leading gap which has 965 * been causing frames to linger in the reordering buffer for too long. 966 * A leading gap will occur if a particular A-MPDU subframe never arrives 967 * or if a bug in the sender causes sequence numbers to jump forward by > 1. 968 */ 969 int 970 ieee80211_input_ba_gap_skip(struct ieee80211_rx_ba *ba) 971 { 972 int skipped = 0; 973 974 while (skipped < ba->ba_winsize && ba->ba_buf[ba->ba_head].m == NULL) { 975 /* move window forward */ 976 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 977 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 978 skipped++; 979 } 980 if (skipped > 0) 981 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 982 983 return skipped; 984 } 985 986 void 987 ieee80211_input_ba_gap_timeout(void *arg) 988 { 989 struct ieee80211_rx_ba *ba = arg; 990 struct ieee80211_node *ni = ba->ba_ni; 991 struct ieee80211com *ic = ni->ni_ic; 992 int s, skipped; 993 994 ic->ic_stats.is_ht_rx_ba_window_gap_timeout++; 995 996 s = splnet(); 997 998 skipped = ieee80211_input_ba_gap_skip(ba); 999 ic->ic_stats.is_ht_rx_ba_frame_lost += skipped; 1000 if (skipped) { 1001 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 1002 ieee80211_input_ba_flush(ic, ni, ba, &ml); 1003 if_input(&ic->ic_if, &ml); 1004 } 1005 1006 splx(s); 1007 } 1008 1009 1010 /* 1011 * Change the value of WinStartB (move window forward) upon reception of a 1012 * BlockAckReq frame or an ADDBA Request (PBAC). 1013 */ 1014 void 1015 ieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni, 1016 u_int8_t tid, u_int16_t ssn, struct mbuf_list *ml) 1017 { 1018 struct ifnet *ifp = &ic->ic_if; 1019 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 1020 int count; 1021 1022 /* assert(WinStartB <= SSN) */ 1023 1024 count = (ssn - ba->ba_winstart) & 0xfff; 1025 if (count > ba->ba_winsize) /* no overlap */ 1026 count = ba->ba_winsize; 1027 while (count-- > 0) { 1028 /* gaps may exist */ 1029 if (ba->ba_buf[ba->ba_head].m != NULL) { 1030 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni, 1031 &ba->ba_buf[ba->ba_head].rxi, ml); 1032 ba->ba_buf[ba->ba_head].m = NULL; 1033 ba->ba_gapwait--; 1034 } else 1035 ic->ic_stats.is_ht_rx_ba_frame_lost++; 1036 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 1037 } 1038 /* move window forward */ 1039 ba->ba_winstart = ssn; 1040 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 1041 1042 ieee80211_input_ba_flush(ic, ni, ba, ml); 1043 } 1044 1045 void 1046 ieee80211_enqueue_data(struct ieee80211com *ic, struct mbuf *m, 1047 struct ieee80211_node *ni, int mcast, struct mbuf_list *ml) 1048 { 1049 struct ifnet *ifp = &ic->ic_if; 1050 struct ether_header *eh; 1051 struct mbuf *m1; 1052 1053 eh = mtod(m, struct ether_header *); 1054 1055 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid && 1056 eh->ether_type != htons(ETHERTYPE_PAE)) { 1057 DPRINTF(("port not valid: %s\n", 1058 ether_sprintf(eh->ether_dhost))); 1059 ic->ic_stats.is_rx_unauth++; 1060 m_freem(m); 1061 return; 1062 } 1063 1064 /* 1065 * Perform as a bridge within the AP. Notice that we do not 1066 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X. 1067 * And we do not forward unicast frames received on a multicast address. 1068 */ 1069 m1 = NULL; 1070 #ifndef IEEE80211_STA_ONLY 1071 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 1072 !(ic->ic_userflags & IEEE80211_F_NOBRIDGE) && 1073 eh->ether_type != htons(ETHERTYPE_PAE)) { 1074 struct ieee80211_node *ni1; 1075 1076 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 1077 m1 = m_dup_pkt(m, ETHER_ALIGN, M_DONTWAIT); 1078 if (m1 == NULL) 1079 ifp->if_oerrors++; 1080 else 1081 m1->m_flags |= M_MCAST; 1082 } else if (!mcast) { 1083 ni1 = ieee80211_find_node(ic, eh->ether_dhost); 1084 if (ni1 != NULL && 1085 ni1->ni_state == IEEE80211_STA_ASSOC) { 1086 m1 = m; 1087 m = NULL; 1088 } 1089 } 1090 if (m1 != NULL) { 1091 if (if_enqueue(ifp, m1)) 1092 ifp->if_oerrors++; 1093 } 1094 } 1095 #endif 1096 if (m != NULL) { 1097 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1098 eh->ether_type == htons(ETHERTYPE_PAE)) { 1099 ifp->if_ipackets++; 1100 #if NBPFILTER > 0 1101 /* 1102 * If we forward frame into transmitter of the AP, 1103 * we don't need to duplicate for DLT_EN10MB. 1104 */ 1105 if (ifp->if_bpf && m1 == NULL) 1106 bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN); 1107 #endif 1108 ieee80211_eapol_key_input(ic, m, ni); 1109 } else { 1110 ml_enqueue(ml, m); 1111 } 1112 } 1113 } 1114 1115 void 1116 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, 1117 struct ieee80211_node *ni, int hdrlen, struct mbuf_list *ml) 1118 { 1119 struct ether_header eh; 1120 struct ieee80211_frame *wh; 1121 struct llc *llc; 1122 int mcast; 1123 1124 if (m->m_len < hdrlen + LLC_SNAPFRAMELEN && 1125 (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) { 1126 ic->ic_stats.is_rx_decap++; 1127 return; 1128 } 1129 wh = mtod(m, struct ieee80211_frame *); 1130 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 1131 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 1132 case IEEE80211_FC1_DIR_NODS: 1133 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 1134 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 1135 break; 1136 case IEEE80211_FC1_DIR_TODS: 1137 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 1138 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 1139 break; 1140 case IEEE80211_FC1_DIR_FROMDS: 1141 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 1142 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr3); 1143 break; 1144 case IEEE80211_FC1_DIR_DSTODS: 1145 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 1146 IEEE80211_ADDR_COPY(eh.ether_shost, 1147 ((struct ieee80211_frame_addr4 *)wh)->i_addr4); 1148 break; 1149 } 1150 llc = (struct llc *)((caddr_t)wh + hdrlen); 1151 if (llc->llc_dsap == LLC_SNAP_LSAP && 1152 llc->llc_ssap == LLC_SNAP_LSAP && 1153 llc->llc_control == LLC_UI && 1154 llc->llc_snap.org_code[0] == 0 && 1155 llc->llc_snap.org_code[1] == 0 && 1156 llc->llc_snap.org_code[2] == 0) { 1157 eh.ether_type = llc->llc_snap.ether_type; 1158 m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN); 1159 } else { 1160 eh.ether_type = htons(m->m_pkthdr.len - hdrlen); 1161 m_adj(m, hdrlen - ETHER_HDR_LEN); 1162 } 1163 memcpy(mtod(m, caddr_t), &eh, ETHER_HDR_LEN); 1164 if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) { 1165 struct mbuf *m0 = m; 1166 m = m_dup_pkt(m0, ETHER_ALIGN, M_NOWAIT); 1167 m_freem(m0); 1168 if (m == NULL) { 1169 ic->ic_stats.is_rx_decap++; 1170 return; 1171 } 1172 } 1173 ieee80211_enqueue_data(ic, m, ni, mcast, ml); 1174 } 1175 1176 int 1177 ieee80211_amsdu_decap_validate(struct ieee80211com *ic, struct mbuf *m, 1178 struct ieee80211_node *ni) 1179 { 1180 struct ether_header *eh = mtod(m, struct ether_header *); 1181 const uint8_t llc_hdr_mac[ETHER_ADDR_LEN] = { 1182 /* MAC address matching the 802.2 LLC header. */ 1183 LLC_SNAP_LSAP, LLC_SNAP_LSAP, LLC_UI, 0, 0, 0 1184 }; 1185 1186 /* 1187 * We are sorry, but this particular MAC address cannot be used. 1188 * This mitigates an attack where a single 802.11 frame is interpreted 1189 * as an A-MSDU because of a forged AMSDU-present bit in the 802.11 1190 * QoS frame header: https://papers.mathyvanhoef.com/usenix2021.pdf 1191 * See Section 7.2, 'Countermeasures for the design flaws' 1192 */ 1193 if (ETHER_IS_EQ(eh->ether_dhost, llc_hdr_mac)) 1194 return 1; 1195 1196 switch (ic->ic_opmode) { 1197 #ifndef IEEE80211_STA_ONLY 1198 case IEEE80211_M_HOSTAP: 1199 /* 1200 * Subframes must use the source address of the node which 1201 * transmitted the A-MSDU. Prevents MAC spoofing. 1202 */ 1203 if (!ETHER_IS_EQ(ni->ni_macaddr, eh->ether_shost)) 1204 return 1; 1205 break; 1206 #endif 1207 case IEEE80211_M_STA: 1208 /* Subframes must be addressed to me. */ 1209 if (!ETHER_IS_EQ(ic->ic_myaddr, eh->ether_dhost)) 1210 return 1; 1211 break; 1212 default: 1213 /* Ignore MONITOR/IBSS modes for now. */ 1214 break; 1215 } 1216 1217 return 0; 1218 } 1219 1220 /* 1221 * Decapsulate an Aggregate MSDU (see 7.2.2.2). 1222 */ 1223 void 1224 ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m, 1225 struct ieee80211_node *ni, int hdrlen, struct mbuf_list *ml) 1226 { 1227 struct mbuf *n; 1228 struct ether_header *eh; 1229 struct llc *llc; 1230 int len, pad, mcast; 1231 struct ieee80211_frame *wh; 1232 struct mbuf_list subframes = MBUF_LIST_INITIALIZER(); 1233 1234 wh = mtod(m, struct ieee80211_frame *); 1235 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 1236 1237 /* strip 802.11 header */ 1238 m_adj(m, hdrlen); 1239 1240 while (m->m_pkthdr.len >= ETHER_HDR_LEN + LLC_SNAPFRAMELEN) { 1241 /* process an A-MSDU subframe */ 1242 m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN); 1243 if (m == NULL) 1244 break; 1245 eh = mtod(m, struct ether_header *); 1246 /* examine 802.3 header */ 1247 len = ntohs(eh->ether_type); 1248 if (len < LLC_SNAPFRAMELEN) { 1249 DPRINTF(("A-MSDU subframe too short (%d)\n", len)); 1250 /* stop processing A-MSDU subframes */ 1251 ic->ic_stats.is_rx_decap++; 1252 ml_purge(&subframes); 1253 m_freem(m); 1254 return; 1255 } 1256 llc = (struct llc *)&eh[1]; 1257 /* Examine the 802.2 LLC header after the A-MSDU header. */ 1258 if (llc->llc_dsap == LLC_SNAP_LSAP && 1259 llc->llc_ssap == LLC_SNAP_LSAP && 1260 llc->llc_control == LLC_UI && 1261 llc->llc_snap.org_code[0] == 0 && 1262 llc->llc_snap.org_code[1] == 0 && 1263 llc->llc_snap.org_code[2] == 0) { 1264 /* convert to Ethernet II header */ 1265 eh->ether_type = llc->llc_snap.ether_type; 1266 /* strip LLC+SNAP headers */ 1267 memmove((u_int8_t *)eh + LLC_SNAPFRAMELEN, eh, 1268 ETHER_HDR_LEN); 1269 m_adj(m, LLC_SNAPFRAMELEN); 1270 len -= LLC_SNAPFRAMELEN; 1271 } 1272 len += ETHER_HDR_LEN; 1273 if (len > m->m_pkthdr.len) { 1274 /* stop processing A-MSDU subframes */ 1275 DPRINTF(("A-MSDU subframe too long (%d)\n", len)); 1276 ic->ic_stats.is_rx_decap++; 1277 ml_purge(&subframes); 1278 m_freem(m); 1279 return; 1280 } 1281 1282 /* "detach" our A-MSDU subframe from the others */ 1283 n = m_split(m, len, M_NOWAIT); 1284 if (n == NULL) { 1285 /* stop processing A-MSDU subframes */ 1286 ic->ic_stats.is_rx_decap++; 1287 ml_purge(&subframes); 1288 m_freem(m); 1289 return; 1290 } 1291 1292 if (ieee80211_amsdu_decap_validate(ic, m, ni)) { 1293 /* stop processing A-MSDU subframes */ 1294 ic->ic_stats.is_rx_decap++; 1295 ml_purge(&subframes); 1296 m_freem(m); 1297 return; 1298 } 1299 1300 ml_enqueue(&subframes, m); 1301 1302 m = n; 1303 /* remove padding */ 1304 pad = ((len + 3) & ~3) - len; 1305 m_adj(m, pad); 1306 } 1307 1308 while ((n = ml_dequeue(&subframes)) != NULL) 1309 ieee80211_enqueue_data(ic, n, ni, mcast, ml); 1310 1311 m_freem(m); 1312 } 1313 1314 /* 1315 * Parse an EDCA Parameter Set element (see 7.3.2.27). 1316 */ 1317 int 1318 ieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm) 1319 { 1320 u_int updtcount; 1321 int aci; 1322 1323 /* 1324 * Check if EDCA parameters have changed XXX if we miss more than 1325 * 15 consecutive beacons, we might not detect changes to EDCA 1326 * parameters due to wraparound of the 4-bit Update Count field. 1327 */ 1328 updtcount = frm[0] & 0xf; 1329 if (updtcount == ic->ic_edca_updtcount) 1330 return 0; /* no changes to EDCA parameters, ignore */ 1331 ic->ic_edca_updtcount = updtcount; 1332 1333 frm += 2; /* skip QoS Info & Reserved fields */ 1334 1335 /* parse AC Parameter Records */ 1336 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 1337 struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci]; 1338 1339 ac->ac_acm = (frm[0] >> 4) & 0x1; 1340 ac->ac_aifsn = frm[0] & 0xf; 1341 ac->ac_ecwmin = frm[1] & 0xf; 1342 ac->ac_ecwmax = frm[1] >> 4; 1343 ac->ac_txoplimit = LE_READ_2(frm + 2); 1344 frm += 4; 1345 } 1346 /* give drivers a chance to update their settings */ 1347 if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL) 1348 (*ic->ic_updateedca)(ic); 1349 1350 return 0; 1351 } 1352 1353 int 1354 ieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm) 1355 { 1356 if (frm[1] < 18) { 1357 ic->ic_stats.is_rx_elem_toosmall++; 1358 return IEEE80211_REASON_IE_INVALID; 1359 } 1360 return ieee80211_parse_edca_params_body(ic, frm + 2); 1361 } 1362 1363 int 1364 ieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm) 1365 { 1366 if (frm[1] < 24) { 1367 ic->ic_stats.is_rx_elem_toosmall++; 1368 return IEEE80211_REASON_IE_INVALID; 1369 } 1370 return ieee80211_parse_edca_params_body(ic, frm + 8); 1371 } 1372 1373 enum ieee80211_cipher 1374 ieee80211_parse_rsn_cipher(const u_int8_t selector[4]) 1375 { 1376 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1377 switch (selector[3]) { 1378 case 0: /* use group data cipher suite */ 1379 return IEEE80211_CIPHER_USEGROUP; 1380 case 1: /* WEP-40 */ 1381 return IEEE80211_CIPHER_WEP40; 1382 case 2: /* TKIP */ 1383 return IEEE80211_CIPHER_TKIP; 1384 case 4: /* CCMP (RSNA default) */ 1385 return IEEE80211_CIPHER_CCMP; 1386 case 5: /* WEP-104 */ 1387 return IEEE80211_CIPHER_WEP104; 1388 } 1389 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1390 /* see 802.11-2012 Table 8-99 */ 1391 switch (selector[3]) { 1392 case 0: /* use group data cipher suite */ 1393 return IEEE80211_CIPHER_USEGROUP; 1394 case 1: /* WEP-40 */ 1395 return IEEE80211_CIPHER_WEP40; 1396 case 2: /* TKIP */ 1397 return IEEE80211_CIPHER_TKIP; 1398 case 4: /* CCMP (RSNA default) */ 1399 return IEEE80211_CIPHER_CCMP; 1400 case 5: /* WEP-104 */ 1401 return IEEE80211_CIPHER_WEP104; 1402 case 6: /* BIP */ 1403 return IEEE80211_CIPHER_BIP; 1404 } 1405 } 1406 return IEEE80211_CIPHER_NONE; /* ignore unknown ciphers */ 1407 } 1408 1409 enum ieee80211_akm 1410 ieee80211_parse_rsn_akm(const u_int8_t selector[4]) 1411 { 1412 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1413 switch (selector[3]) { 1414 case 1: /* IEEE 802.1X (RSNA default) */ 1415 return IEEE80211_AKM_8021X; 1416 case 2: /* PSK */ 1417 return IEEE80211_AKM_PSK; 1418 } 1419 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1420 /* from IEEE Std 802.11i-2004 - Table 20dc */ 1421 switch (selector[3]) { 1422 case 1: /* IEEE 802.1X (RSNA default) */ 1423 return IEEE80211_AKM_8021X; 1424 case 2: /* PSK */ 1425 return IEEE80211_AKM_PSK; 1426 case 5: /* IEEE 802.1X with SHA256 KDF */ 1427 return IEEE80211_AKM_SHA256_8021X; 1428 case 6: /* PSK with SHA256 KDF */ 1429 return IEEE80211_AKM_SHA256_PSK; 1430 } 1431 } 1432 return IEEE80211_AKM_NONE; /* ignore unknown AKMs */ 1433 } 1434 1435 /* 1436 * Parse an RSN element (see 802.11-2012 8.4.2.27) 1437 */ 1438 int 1439 ieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm, 1440 u_int len, struct ieee80211_rsnparams *rsn) 1441 { 1442 const u_int8_t *efrm; 1443 u_int16_t m, n, s; 1444 1445 efrm = frm + len; 1446 1447 /* check Version field */ 1448 if (LE_READ_2(frm) != 1) 1449 return IEEE80211_STATUS_RSN_IE_VER_UNSUP; 1450 frm += 2; 1451 1452 /* all fields after the Version field are optional */ 1453 1454 /* if Cipher Suite missing, default to CCMP */ 1455 rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP; 1456 rsn->rsn_nciphers = 1; 1457 rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP; 1458 /* if Group Management Cipher Suite missing, default to BIP */ 1459 rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP; 1460 /* if AKM Suite missing, default to 802.1X */ 1461 rsn->rsn_nakms = 1; 1462 rsn->rsn_akms = IEEE80211_AKM_8021X; 1463 /* if RSN capabilities missing, default to 0 */ 1464 rsn->rsn_caps = 0; 1465 rsn->rsn_npmkids = 0; 1466 1467 /* read Group Data Cipher Suite field */ 1468 if (frm + 4 > efrm) 1469 return 0; 1470 rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm); 1471 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_NONE || 1472 rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP || 1473 rsn->rsn_groupcipher == IEEE80211_CIPHER_BIP) 1474 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1475 frm += 4; 1476 1477 /* read Pairwise Cipher Suite Count field */ 1478 if (frm + 2 > efrm) 1479 return 0; 1480 m = rsn->rsn_nciphers = LE_READ_2(frm); 1481 frm += 2; 1482 1483 /* read Pairwise Cipher Suite List */ 1484 if (frm + m * 4 > efrm) 1485 return IEEE80211_STATUS_IE_INVALID; 1486 rsn->rsn_ciphers = IEEE80211_CIPHER_NONE; 1487 while (m-- > 0) { 1488 rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm); 1489 frm += 4; 1490 } 1491 if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) { 1492 if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP) 1493 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1494 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP) 1495 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1496 } 1497 1498 /* read AKM Suite List Count field */ 1499 if (frm + 2 > efrm) 1500 return 0; 1501 n = rsn->rsn_nakms = LE_READ_2(frm); 1502 frm += 2; 1503 1504 /* read AKM Suite List */ 1505 if (frm + n * 4 > efrm) 1506 return IEEE80211_STATUS_IE_INVALID; 1507 rsn->rsn_akms = IEEE80211_AKM_NONE; 1508 while (n-- > 0) { 1509 rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm); 1510 frm += 4; 1511 } 1512 1513 /* read RSN Capabilities field */ 1514 if (frm + 2 > efrm) 1515 return 0; 1516 rsn->rsn_caps = LE_READ_2(frm); 1517 frm += 2; 1518 1519 /* read PMKID Count field */ 1520 if (frm + 2 > efrm) 1521 return 0; 1522 s = rsn->rsn_npmkids = LE_READ_2(frm); 1523 frm += 2; 1524 1525 /* read PMKID List */ 1526 if (frm + s * IEEE80211_PMKID_LEN > efrm) 1527 return IEEE80211_STATUS_IE_INVALID; 1528 if (s != 0) { 1529 rsn->rsn_pmkids = frm; 1530 frm += s * IEEE80211_PMKID_LEN; 1531 } 1532 1533 /* read Group Management Cipher Suite field */ 1534 if (frm + 4 > efrm) 1535 return 0; 1536 rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm); 1537 if (rsn->rsn_groupmgmtcipher != IEEE80211_CIPHER_BIP) 1538 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1539 1540 return IEEE80211_STATUS_SUCCESS; 1541 } 1542 1543 int 1544 ieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm, 1545 struct ieee80211_rsnparams *rsn) 1546 { 1547 if (frm[1] < 2) { 1548 ic->ic_stats.is_rx_elem_toosmall++; 1549 return IEEE80211_STATUS_IE_INVALID; 1550 } 1551 return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn); 1552 } 1553 1554 int 1555 ieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm, 1556 struct ieee80211_rsnparams *rsn) 1557 { 1558 if (frm[1] < 6) { 1559 ic->ic_stats.is_rx_elem_toosmall++; 1560 return IEEE80211_STATUS_IE_INVALID; 1561 } 1562 return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn); 1563 } 1564 1565 /* 1566 * Create (or update) a copy of an information element. 1567 */ 1568 int 1569 ieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie) 1570 { 1571 int olen = *ie ? 2 + (*ie)[1] : 0; 1572 int len = 2 + frm[1]; 1573 1574 if (*ie == NULL || olen != len) { 1575 if (*ie != NULL) 1576 free(*ie, M_DEVBUF, olen); 1577 *ie = malloc(len, M_DEVBUF, M_NOWAIT); 1578 if (*ie == NULL) 1579 return ENOMEM; 1580 } 1581 memcpy(*ie, frm, len); 1582 return 0; 1583 } 1584 1585 /*- 1586 * Beacon/Probe response frame format: 1587 * [8] Timestamp 1588 * [2] Beacon interval 1589 * [2] Capability 1590 * [tlv] Service Set Identifier (SSID) 1591 * [tlv] Supported rates 1592 * [tlv] DS Parameter Set (802.11g) 1593 * [tlv] ERP Information (802.11g) 1594 * [tlv] Extended Supported Rates (802.11g) 1595 * [tlv] RSN (802.11i) 1596 * [tlv] EDCA Parameter Set (802.11e) 1597 * [tlv] QoS Capability (Beacon only, 802.11e) 1598 * [tlv] HT Capabilities (802.11n) 1599 * [tlv] HT Operation (802.11n) 1600 */ 1601 void 1602 ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m, 1603 struct ieee80211_node *rni, struct ieee80211_rxinfo *rxi, int isprobe) 1604 { 1605 struct ieee80211_node *ni; 1606 const struct ieee80211_frame *wh; 1607 const u_int8_t *frm, *efrm; 1608 const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie; 1609 const u_int8_t *rsnie, *wpaie, *htcaps, *htop; 1610 u_int16_t capinfo, bintval; 1611 u_int8_t chan, bchan, erp, dtim_count, dtim_period; 1612 int is_new; 1613 1614 /* 1615 * We process beacon/probe response frames for: 1616 * o station mode: to collect state 1617 * updates such as 802.11g slot time and for passive 1618 * scanning of APs 1619 * o adhoc mode: to discover neighbors 1620 * o hostap mode: for passive scanning of neighbor APs 1621 * o when scanning 1622 * In other words, in all modes other than monitor (which 1623 * does not process incoming frames) and adhoc-demo (which 1624 * does not use management frames at all). 1625 */ 1626 #ifdef DIAGNOSTIC 1627 if (ic->ic_opmode != IEEE80211_M_STA && 1628 #ifndef IEEE80211_STA_ONLY 1629 ic->ic_opmode != IEEE80211_M_IBSS && 1630 ic->ic_opmode != IEEE80211_M_HOSTAP && 1631 #endif 1632 ic->ic_state != IEEE80211_S_SCAN) { 1633 panic("%s: impossible operating mode", __func__); 1634 } 1635 #endif 1636 /* make sure all mandatory fixed fields are present */ 1637 if (m->m_len < sizeof(*wh) + 12) { 1638 DPRINTF(("frame too short\n")); 1639 return; 1640 } 1641 wh = mtod(m, struct ieee80211_frame *); 1642 frm = (const u_int8_t *)&wh[1]; 1643 efrm = mtod(m, u_int8_t *) + m->m_len; 1644 1645 tstamp = frm; frm += 8; 1646 bintval = LE_READ_2(frm); frm += 2; 1647 capinfo = LE_READ_2(frm); frm += 2; 1648 1649 ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = NULL; 1650 htcaps = htop = NULL; 1651 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1652 chan = bchan; 1653 erp = 0; 1654 dtim_count = dtim_period = 0; 1655 while (frm + 2 <= efrm) { 1656 if (frm + 2 + frm[1] > efrm) { 1657 ic->ic_stats.is_rx_elem_toosmall++; 1658 break; 1659 } 1660 switch (frm[0]) { 1661 case IEEE80211_ELEMID_SSID: 1662 ssid = frm; 1663 break; 1664 case IEEE80211_ELEMID_RATES: 1665 rates = frm; 1666 break; 1667 case IEEE80211_ELEMID_DSPARMS: 1668 if (frm[1] < 1) { 1669 ic->ic_stats.is_rx_elem_toosmall++; 1670 break; 1671 } 1672 chan = frm[2]; 1673 break; 1674 case IEEE80211_ELEMID_XRATES: 1675 xrates = frm; 1676 break; 1677 case IEEE80211_ELEMID_ERP: 1678 if (frm[1] < 1) { 1679 ic->ic_stats.is_rx_elem_toosmall++; 1680 break; 1681 } 1682 erp = frm[2]; 1683 break; 1684 case IEEE80211_ELEMID_RSN: 1685 rsnie = frm; 1686 break; 1687 case IEEE80211_ELEMID_EDCAPARMS: 1688 edcaie = frm; 1689 break; 1690 case IEEE80211_ELEMID_HTCAPS: 1691 htcaps = frm; 1692 break; 1693 case IEEE80211_ELEMID_HTOP: 1694 htop = frm; 1695 break; 1696 case IEEE80211_ELEMID_TIM: 1697 if (frm[1] > 3) { 1698 dtim_count = frm[2]; 1699 dtim_period = frm[3]; 1700 } 1701 break; 1702 case IEEE80211_ELEMID_VENDOR: 1703 if (frm[1] < 4) { 1704 ic->ic_stats.is_rx_elem_toosmall++; 1705 break; 1706 } 1707 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1708 if (frm[5] == 1) 1709 wpaie = frm; 1710 else if (frm[1] >= 5 && 1711 frm[5] == 2 && frm[6] == 1) 1712 wmmie = frm; 1713 } 1714 break; 1715 } 1716 frm += 2 + frm[1]; 1717 } 1718 /* supported rates element is mandatory */ 1719 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1720 DPRINTF(("invalid supported rates element\n")); 1721 return; 1722 } 1723 /* SSID element is mandatory */ 1724 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1725 DPRINTF(("invalid SSID element\n")); 1726 return; 1727 } 1728 1729 if ( 1730 #if IEEE80211_CHAN_MAX < 255 1731 chan > IEEE80211_CHAN_MAX || 1732 #endif 1733 isclr(ic->ic_chan_active, chan)) { 1734 DPRINTF(("ignore %s with invalid channel %u\n", 1735 isprobe ? "probe response" : "beacon", chan)); 1736 ic->ic_stats.is_rx_badchan++; 1737 return; 1738 } 1739 if ((ic->ic_state != IEEE80211_S_SCAN || 1740 !(ic->ic_caps & IEEE80211_C_SCANALL)) && 1741 chan != bchan) { 1742 /* 1743 * Frame was received on a channel different from the 1744 * one indicated in the DS params element id; 1745 * silently discard it. 1746 * 1747 * NB: this can happen due to signal leakage. 1748 */ 1749 DPRINTF(("ignore %s on channel %u marked for channel %u\n", 1750 isprobe ? "probe response" : "beacon", bchan, chan)); 1751 ic->ic_stats.is_rx_chanmismatch++; 1752 return; 1753 } 1754 /* 1755 * Use mac, channel and rssi so we collect only the 1756 * best potential AP with the equal bssid while scanning. 1757 * Collecting all potential APs may result in bloat of 1758 * the node tree. This call will return NULL if the node 1759 * for this APs does not exist or if the new node is the 1760 * potential better one. 1761 */ 1762 ni = ieee80211_find_node_for_beacon(ic, wh->i_addr2, 1763 &ic->ic_channels[chan], ssid, rxi->rxi_rssi); 1764 if (ni != NULL) { 1765 /* 1766 * If we are doing a directed scan for an AP with a hidden SSID 1767 * we must collect the SSID from a probe response to override 1768 * a non-zero-length SSID filled with zeroes that we may have 1769 * received earlier in a beacon. 1770 */ 1771 if (isprobe && ssid[1] != 0 && ni->ni_essid[0] == '\0') { 1772 ni->ni_esslen = ssid[1]; 1773 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1774 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1775 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1776 } 1777 1778 /* Update channel in case AP has switched */ 1779 if (ic->ic_opmode == IEEE80211_M_STA) 1780 ni->ni_chan = rni->ni_chan; 1781 1782 return; 1783 } 1784 1785 #ifdef IEEE80211_DEBUG 1786 if (ieee80211_debug > 1 && 1787 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN || 1788 (ic->ic_flags & IEEE80211_F_BGSCAN))) { 1789 printf("%s: %s%s on chan %u (bss chan %u) ", 1790 __func__, (ni == NULL ? "new " : ""), 1791 isprobe ? "probe response" : "beacon", 1792 chan, bchan); 1793 ieee80211_print_essid(ssid + 2, ssid[1]); 1794 printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2)); 1795 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1796 __func__, capinfo, bintval, erp); 1797 } 1798 #endif 1799 1800 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1801 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1802 if (ni == NULL) 1803 return; 1804 is_new = 1; 1805 } else 1806 is_new = 0; 1807 1808 if (htcaps) 1809 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1810 if (htop && !ieee80211_setup_htop(ni, htop + 2, htop[1], 1)) 1811 htop = NULL; /* invalid HTOP */ 1812 1813 ni->ni_dtimcount = dtim_count; 1814 ni->ni_dtimperiod = dtim_period; 1815 1816 /* 1817 * When operating in station mode, check for state updates 1818 * while we're associated. 1819 */ 1820 if (ic->ic_opmode == IEEE80211_M_STA && 1821 ic->ic_state == IEEE80211_S_RUN && 1822 ni->ni_state == IEEE80211_STA_BSS) { 1823 int updateprot = 0; 1824 /* 1825 * Check if protection mode has changed since last beacon. 1826 */ 1827 if (ni->ni_erp != erp) { 1828 DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n", 1829 ether_sprintf((u_int8_t *)wh->i_addr2), 1830 ni->ni_erp, erp)); 1831 if ((ic->ic_curmode == IEEE80211_MODE_11G || 1832 (ic->ic_curmode == IEEE80211_MODE_11N && 1833 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 1834 (erp & IEEE80211_ERP_USE_PROTECTION)) 1835 ic->ic_flags |= IEEE80211_F_USEPROT; 1836 else 1837 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1838 ic->ic_bss->ni_erp = erp; 1839 updateprot = 1; 1840 } 1841 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT)) { 1842 enum ieee80211_htprot htprot_last, htprot; 1843 htprot_last = 1844 ((ic->ic_bss->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) 1845 >> IEEE80211_HTOP1_PROT_SHIFT); 1846 htprot = ((ni->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) >> 1847 IEEE80211_HTOP1_PROT_SHIFT); 1848 if (htprot_last != htprot) { 1849 DPRINTF(("[%s] htprot change: was %d, now %d\n", 1850 ether_sprintf((u_int8_t *)wh->i_addr2), 1851 htprot_last, htprot)); 1852 ic->ic_stats.is_ht_prot_change++; 1853 ic->ic_bss->ni_htop1 = ni->ni_htop1; 1854 updateprot = 1; 1855 } 1856 } 1857 if (updateprot && ic->ic_updateprot != NULL) 1858 ic->ic_updateprot(ic); 1859 1860 /* 1861 * Check if AP short slot time setting has changed 1862 * since last beacon and give the driver a chance to 1863 * update the hardware. 1864 */ 1865 if ((ni->ni_capinfo ^ capinfo) & 1866 IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1867 ieee80211_set_shortslottime(ic, 1868 ic->ic_curmode == IEEE80211_MODE_11A || 1869 (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1870 } 1871 1872 /* 1873 * Reset management timer. If it is non-zero in RUN state, the 1874 * driver sent a probe request after a missed beacon event. 1875 * This probe response indicates the AP is still serving us 1876 * so don't allow ieee80211_watchdog() to move us into SCAN. 1877 */ 1878 if ((ic->ic_flags & IEEE80211_F_BGSCAN) == 0) 1879 ic->ic_mgt_timer = 0; 1880 } 1881 /* 1882 * We do not try to update EDCA parameters if QoS was not negotiated 1883 * with the AP at association time. 1884 */ 1885 if (ni->ni_flags & IEEE80211_NODE_QOS) { 1886 /* always prefer EDCA IE over Wi-Fi Alliance WMM IE */ 1887 if ((edcaie != NULL && 1888 ieee80211_parse_edca_params(ic, edcaie) == 0) || 1889 (wmmie != NULL && 1890 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 1891 ni->ni_flags |= IEEE80211_NODE_QOS; 1892 else 1893 ni->ni_flags &= ~IEEE80211_NODE_QOS; 1894 } 1895 1896 if (ic->ic_state == IEEE80211_S_SCAN || 1897 (ic->ic_flags & IEEE80211_F_BGSCAN)) { 1898 struct ieee80211_rsnparams rsn, wpa; 1899 1900 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1901 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 1902 ni->ni_rsnakms = 0; 1903 ni->ni_supported_rsnakms = 0; 1904 ni->ni_rsnciphers = 0; 1905 ni->ni_rsngroupcipher = 0; 1906 ni->ni_rsngroupmgmtcipher = 0; 1907 ni->ni_rsncaps = 0; 1908 1909 if (rsnie != NULL && 1910 ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) { 1911 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_RSN; 1912 ni->ni_supported_rsnakms |= rsn.rsn_akms; 1913 } 1914 if (wpaie != NULL && 1915 ieee80211_parse_wpa(ic, wpaie, &wpa) == 0) { 1916 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_WPA; 1917 ni->ni_supported_rsnakms |= wpa.rsn_akms; 1918 } 1919 1920 /* 1921 * If the AP advertises both WPA and RSN IEs (WPA1+WPA2), 1922 * we only use the highest protocol version we support. 1923 */ 1924 if (rsnie != NULL && 1925 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_RSN) && 1926 (ic->ic_caps & IEEE80211_C_RSN)) { 1927 if (ieee80211_save_ie(rsnie, &ni->ni_rsnie) == 0 1928 #ifndef IEEE80211_STA_ONLY 1929 && ic->ic_opmode != IEEE80211_M_HOSTAP 1930 #endif 1931 ) { 1932 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1933 ni->ni_rsnakms = rsn.rsn_akms; 1934 ni->ni_rsnciphers = rsn.rsn_ciphers; 1935 ni->ni_rsngroupcipher = rsn.rsn_groupcipher; 1936 ni->ni_rsngroupmgmtcipher = 1937 rsn.rsn_groupmgmtcipher; 1938 ni->ni_rsncaps = rsn.rsn_caps; 1939 } 1940 } else if (wpaie != NULL && 1941 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_WPA) && 1942 (ic->ic_caps & IEEE80211_C_RSN)) { 1943 if (ieee80211_save_ie(wpaie, &ni->ni_rsnie) == 0 1944 #ifndef IEEE80211_STA_ONLY 1945 && ic->ic_opmode != IEEE80211_M_HOSTAP 1946 #endif 1947 ) { 1948 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1949 ni->ni_rsnakms = wpa.rsn_akms; 1950 ni->ni_rsnciphers = wpa.rsn_ciphers; 1951 ni->ni_rsngroupcipher = wpa.rsn_groupcipher; 1952 ni->ni_rsngroupmgmtcipher = 1953 wpa.rsn_groupmgmtcipher; 1954 ni->ni_rsncaps = wpa.rsn_caps; 1955 } 1956 } 1957 } 1958 1959 if (ssid[1] != 0 && ni->ni_essid[0] == '\0') { 1960 ni->ni_esslen = ssid[1]; 1961 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1962 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1963 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1964 } 1965 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1966 /* XXX validate channel # */ 1967 ni->ni_chan = &ic->ic_channels[chan]; 1968 if (ic->ic_state == IEEE80211_S_SCAN && 1969 IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) { 1970 /* 1971 * During a scan on 5Ghz, prefer RSSI measured for probe 1972 * response frames. i.e. don't allow beacons to lower the 1973 * measured RSSI. Some 5GHz APs send beacons with much 1974 * less Tx power than they use for probe responses. 1975 */ 1976 if (isprobe || ni->ni_rssi == 0) 1977 ni->ni_rssi = rxi->rxi_rssi; 1978 else if (ni->ni_rssi < rxi->rxi_rssi) 1979 ni->ni_rssi = rxi->rxi_rssi; 1980 } else 1981 ni->ni_rssi = rxi->rxi_rssi; 1982 ni->ni_rstamp = rxi->rxi_tstamp; 1983 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 1984 ni->ni_intval = bintval; 1985 ni->ni_capinfo = capinfo; 1986 ni->ni_erp = erp; 1987 /* NB: must be after ni_chan is setup */ 1988 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 1989 #ifndef IEEE80211_STA_ONLY 1990 if (ic->ic_opmode == IEEE80211_M_IBSS && is_new && isprobe) { 1991 /* 1992 * Fake an association so the driver can setup it's 1993 * private state. The rate set has been setup above; 1994 * there is no handshake as in ap/station operation. 1995 */ 1996 if (ic->ic_newassoc) 1997 (*ic->ic_newassoc)(ic, ni, 1); 1998 } 1999 #endif 2000 } 2001 2002 #ifndef IEEE80211_STA_ONLY 2003 /*- 2004 * Probe request frame format: 2005 * [tlv] SSID 2006 * [tlv] Supported rates 2007 * [tlv] Extended Supported Rates (802.11g) 2008 * [tlv] HT Capabilities (802.11n) 2009 */ 2010 void 2011 ieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m, 2012 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 2013 { 2014 const struct ieee80211_frame *wh; 2015 const u_int8_t *frm, *efrm; 2016 const u_int8_t *ssid, *rates, *xrates, *htcaps; 2017 u_int8_t rate; 2018 2019 if (ic->ic_opmode == IEEE80211_M_STA || 2020 ic->ic_state != IEEE80211_S_RUN) 2021 return; 2022 2023 wh = mtod(m, struct ieee80211_frame *); 2024 frm = (const u_int8_t *)&wh[1]; 2025 efrm = mtod(m, u_int8_t *) + m->m_len; 2026 2027 ssid = rates = xrates = htcaps = NULL; 2028 while (frm + 2 <= efrm) { 2029 if (frm + 2 + frm[1] > efrm) { 2030 ic->ic_stats.is_rx_elem_toosmall++; 2031 break; 2032 } 2033 switch (frm[0]) { 2034 case IEEE80211_ELEMID_SSID: 2035 ssid = frm; 2036 break; 2037 case IEEE80211_ELEMID_RATES: 2038 rates = frm; 2039 break; 2040 case IEEE80211_ELEMID_XRATES: 2041 xrates = frm; 2042 break; 2043 case IEEE80211_ELEMID_HTCAPS: 2044 htcaps = frm; 2045 break; 2046 } 2047 frm += 2 + frm[1]; 2048 } 2049 /* supported rates element is mandatory */ 2050 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2051 DPRINTF(("invalid supported rates element\n")); 2052 return; 2053 } 2054 /* SSID element is mandatory */ 2055 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 2056 DPRINTF(("invalid SSID element\n")); 2057 return; 2058 } 2059 /* check that the specified SSID (if not wildcard) matches ours */ 2060 if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen || 2061 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) { 2062 DPRINTF(("SSID mismatch\n")); 2063 ic->ic_stats.is_rx_ssidmismatch++; 2064 return; 2065 } 2066 /* refuse wildcard SSID if we're hiding our SSID in beacons */ 2067 if (ssid[1] == 0 && (ic->ic_userflags & IEEE80211_F_HIDENWID)) { 2068 DPRINTF(("wildcard SSID rejected")); 2069 ic->ic_stats.is_rx_ssidmismatch++; 2070 return; 2071 } 2072 2073 if (ni == ic->ic_bss) { 2074 ni = ieee80211_find_node(ic, wh->i_addr2); 2075 if (ni == NULL) 2076 ni = ieee80211_dup_bss(ic, wh->i_addr2); 2077 if (ni == NULL) 2078 return; 2079 DPRINTF(("new probe req from %s\n", 2080 ether_sprintf((u_int8_t *)wh->i_addr2))); 2081 } 2082 ni->ni_rssi = rxi->rxi_rssi; 2083 ni->ni_rstamp = rxi->rxi_tstamp; 2084 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2085 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2086 IEEE80211_F_DODEL); 2087 if (rate & IEEE80211_RATE_BASIC) { 2088 DPRINTF(("rate mismatch for %s\n", 2089 ether_sprintf((u_int8_t *)wh->i_addr2))); 2090 return; 2091 } 2092 if (htcaps) 2093 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2094 else 2095 ieee80211_clear_htcaps(ni); 2096 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 2097 } 2098 #endif /* IEEE80211_STA_ONLY */ 2099 2100 /*- 2101 * Authentication frame format: 2102 * [2] Authentication algorithm number 2103 * [2] Authentication transaction sequence number 2104 * [2] Status code 2105 */ 2106 void 2107 ieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m, 2108 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 2109 { 2110 const struct ieee80211_frame *wh; 2111 const u_int8_t *frm; 2112 u_int16_t algo, seq, status; 2113 2114 /* make sure all mandatory fixed fields are present */ 2115 if (m->m_len < sizeof(*wh) + 6) { 2116 DPRINTF(("frame too short\n")); 2117 return; 2118 } 2119 wh = mtod(m, struct ieee80211_frame *); 2120 frm = (const u_int8_t *)&wh[1]; 2121 2122 algo = LE_READ_2(frm); frm += 2; 2123 seq = LE_READ_2(frm); frm += 2; 2124 status = LE_READ_2(frm); frm += 2; 2125 DPRINTF(("auth %d seq %d from %s\n", algo, seq, 2126 ether_sprintf((u_int8_t *)wh->i_addr2))); 2127 2128 /* only "open" auth mode is supported */ 2129 if (algo != IEEE80211_AUTH_ALG_OPEN) { 2130 DPRINTF(("unsupported auth algorithm %d from %s\n", 2131 algo, ether_sprintf((u_int8_t *)wh->i_addr2))); 2132 ic->ic_stats.is_rx_auth_unsupported++; 2133 #ifndef IEEE80211_STA_ONLY 2134 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2135 /* XXX hack to workaround calling convention */ 2136 IEEE80211_SEND_MGMT(ic, ni, 2137 IEEE80211_FC0_SUBTYPE_AUTH, 2138 IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xfff)); 2139 } 2140 #endif 2141 return; 2142 } 2143 ieee80211_auth_open(ic, wh, ni, rxi, seq, status); 2144 } 2145 2146 #ifndef IEEE80211_STA_ONLY 2147 /*- 2148 * (Re)Association request frame format: 2149 * [2] Capability information 2150 * [2] Listen interval 2151 * [6*] Current AP address (Reassociation only) 2152 * [tlv] SSID 2153 * [tlv] Supported rates 2154 * [tlv] Extended Supported Rates (802.11g) 2155 * [tlv] RSN (802.11i) 2156 * [tlv] QoS Capability (802.11e) 2157 * [tlv] HT Capabilities (802.11n) 2158 */ 2159 void 2160 ieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m, 2161 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc) 2162 { 2163 const struct ieee80211_frame *wh; 2164 const u_int8_t *frm, *efrm; 2165 const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *wmeie, *htcaps; 2166 u_int16_t capinfo, bintval; 2167 int resp, status = 0; 2168 struct ieee80211_rsnparams rsn; 2169 u_int8_t rate; 2170 const u_int8_t *saveie = NULL; 2171 2172 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2173 ic->ic_state != IEEE80211_S_RUN) 2174 return; 2175 2176 /* make sure all mandatory fixed fields are present */ 2177 if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) { 2178 DPRINTF(("frame too short\n")); 2179 return; 2180 } 2181 wh = mtod(m, struct ieee80211_frame *); 2182 frm = (const u_int8_t *)&wh[1]; 2183 efrm = mtod(m, u_int8_t *) + m->m_len; 2184 2185 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2186 DPRINTF(("ignore other bss from %s\n", 2187 ether_sprintf((u_int8_t *)wh->i_addr2))); 2188 ic->ic_stats.is_rx_assoc_bss++; 2189 return; 2190 } 2191 capinfo = LE_READ_2(frm); frm += 2; 2192 bintval = LE_READ_2(frm); frm += 2; 2193 if (reassoc) { 2194 frm += IEEE80211_ADDR_LEN; /* skip current AP address */ 2195 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2196 } else 2197 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2198 2199 ssid = rates = xrates = rsnie = wpaie = wmeie = htcaps = NULL; 2200 while (frm + 2 <= efrm) { 2201 if (frm + 2 + frm[1] > efrm) { 2202 ic->ic_stats.is_rx_elem_toosmall++; 2203 break; 2204 } 2205 switch (frm[0]) { 2206 case IEEE80211_ELEMID_SSID: 2207 ssid = frm; 2208 break; 2209 case IEEE80211_ELEMID_RATES: 2210 rates = frm; 2211 break; 2212 case IEEE80211_ELEMID_XRATES: 2213 xrates = frm; 2214 break; 2215 case IEEE80211_ELEMID_RSN: 2216 rsnie = frm; 2217 break; 2218 case IEEE80211_ELEMID_QOS_CAP: 2219 break; 2220 case IEEE80211_ELEMID_HTCAPS: 2221 htcaps = frm; 2222 break; 2223 case IEEE80211_ELEMID_VENDOR: 2224 if (frm[1] < 4) { 2225 ic->ic_stats.is_rx_elem_toosmall++; 2226 break; 2227 } 2228 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2229 if (frm[5] == 1) 2230 wpaie = frm; 2231 /* WME info IE: len=7 type=2 subtype=0 */ 2232 if (frm[1] == 7 && frm[5] == 2 && frm[6] == 0) 2233 wmeie = frm; 2234 } 2235 break; 2236 } 2237 frm += 2 + frm[1]; 2238 } 2239 /* supported rates element is mandatory */ 2240 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2241 DPRINTF(("invalid supported rates element\n")); 2242 return; 2243 } 2244 /* SSID element is mandatory */ 2245 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 2246 DPRINTF(("invalid SSID element\n")); 2247 return; 2248 } 2249 /* check that the specified SSID matches ours */ 2250 if (ssid[1] != ic->ic_bss->ni_esslen || 2251 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) { 2252 DPRINTF(("SSID mismatch\n")); 2253 ic->ic_stats.is_rx_ssidmismatch++; 2254 return; 2255 } 2256 2257 if (ni->ni_state != IEEE80211_STA_AUTH && 2258 ni->ni_state != IEEE80211_STA_ASSOC) { 2259 DPRINTF(("deny %sassoc from %s, not authenticated\n", 2260 reassoc ? "re" : "", 2261 ether_sprintf((u_int8_t *)wh->i_addr2))); 2262 ni = ieee80211_find_node(ic, wh->i_addr2); 2263 if (ni == NULL) 2264 ni = ieee80211_dup_bss(ic, wh->i_addr2); 2265 if (ni != NULL) { 2266 IEEE80211_SEND_MGMT(ic, ni, 2267 IEEE80211_FC0_SUBTYPE_DEAUTH, 2268 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2269 } 2270 ic->ic_stats.is_rx_assoc_notauth++; 2271 return; 2272 } 2273 2274 if (ni->ni_state == IEEE80211_STA_ASSOC && 2275 (ni->ni_flags & IEEE80211_NODE_MFP)) { 2276 if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) { 2277 /* send a protected Disassociate frame */ 2278 IEEE80211_SEND_MGMT(ic, ni, 2279 IEEE80211_FC0_SUBTYPE_DISASSOC, 2280 IEEE80211_REASON_AUTH_EXPIRE); 2281 /* terminate the old SA */ 2282 ieee80211_node_leave(ic, ni); 2283 } else { 2284 /* reject the (Re)Association Request temporarily */ 2285 IEEE80211_SEND_MGMT(ic, ni, resp, 2286 IEEE80211_STATUS_TRY_AGAIN_LATER); 2287 /* start SA Query procedure if not already engaged */ 2288 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) 2289 ieee80211_sa_query_request(ic, ni); 2290 /* do not modify association state */ 2291 } 2292 return; 2293 } 2294 2295 if (!(capinfo & IEEE80211_CAPINFO_ESS)) { 2296 ic->ic_stats.is_rx_assoc_capmismatch++; 2297 status = IEEE80211_STATUS_CAPINFO; 2298 goto end; 2299 } 2300 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2301 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2302 IEEE80211_F_DODEL); 2303 if (rate & IEEE80211_RATE_BASIC) { 2304 ic->ic_stats.is_rx_assoc_norate++; 2305 status = IEEE80211_STATUS_BASIC_RATE; 2306 goto end; 2307 } 2308 2309 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2310 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 2311 ni->ni_rsnakms = 0; 2312 ni->ni_supported_rsnakms = 0; 2313 ni->ni_rsnciphers = 0; 2314 ni->ni_rsngroupcipher = 0; 2315 ni->ni_rsngroupmgmtcipher = 0; 2316 ni->ni_rsncaps = 0; 2317 2318 /* 2319 * A station should never include both a WPA and an RSN IE 2320 * in its (Re)Association Requests, but if it does, we only 2321 * consider the IE of the highest version of the protocol 2322 * that is allowed (ie RSN over WPA). 2323 */ 2324 if (rsnie != NULL) { 2325 status = ieee80211_parse_rsn(ic, rsnie, &rsn); 2326 if (status != 0) 2327 goto end; 2328 ni->ni_supported_rsnprotos = IEEE80211_PROTO_RSN; 2329 ni->ni_supported_rsnakms = rsn.rsn_akms; 2330 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2331 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 2332 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 2333 saveie = rsnie; 2334 } 2335 } else if (wpaie != NULL) { 2336 status = ieee80211_parse_wpa(ic, wpaie, &rsn); 2337 if (status != 0) 2338 goto end; 2339 ni->ni_supported_rsnprotos = IEEE80211_PROTO_WPA; 2340 ni->ni_supported_rsnakms = rsn.rsn_akms; 2341 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2342 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 2343 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 2344 saveie = wpaie; 2345 } 2346 } 2347 2348 if (ic->ic_flags & IEEE80211_F_QOS) { 2349 if (wmeie != NULL) 2350 ni->ni_flags |= IEEE80211_NODE_QOS; 2351 else /* for Reassociation */ 2352 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2353 } 2354 2355 if (ic->ic_flags & IEEE80211_F_RSNON) { 2356 if (ni->ni_rsnprotos == IEEE80211_PROTO_NONE) { 2357 /* 2358 * In an RSN, an AP shall not associate with STAs 2359 * that fail to include the RSN IE in the 2360 * (Re)Association Request. 2361 */ 2362 status = IEEE80211_STATUS_IE_INVALID; 2363 goto end; 2364 } 2365 /* 2366 * The initiating STA's RSN IE shall include one authentication 2367 * and pairwise cipher suite among those advertised by the 2368 * targeted AP. It shall also specify the group cipher suite 2369 * specified by the targeted AP. 2370 */ 2371 if (rsn.rsn_nakms != 1 || 2372 !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) { 2373 status = IEEE80211_STATUS_BAD_AKMP; 2374 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2375 goto end; 2376 } 2377 if (rsn.rsn_nciphers != 1 || 2378 !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) { 2379 status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 2380 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2381 goto end; 2382 } 2383 if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) { 2384 status = IEEE80211_STATUS_BAD_GROUP_CIPHER; 2385 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2386 goto end; 2387 } 2388 2389 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) && 2390 !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) { 2391 status = IEEE80211_STATUS_MFP_POLICY; 2392 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2393 goto end; 2394 } 2395 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 2396 (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC | 2397 IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) { 2398 /* STA advertises an invalid setting */ 2399 status = IEEE80211_STATUS_MFP_POLICY; 2400 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2401 goto end; 2402 } 2403 /* 2404 * A STA that has associated with Management Frame Protection 2405 * enabled shall not use cipher suite pairwise selector WEP40, 2406 * WEP104, TKIP, or "Use Group cipher suite". 2407 */ 2408 if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) && 2409 (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP || 2410 rsn.rsn_groupmgmtcipher != 2411 ic->ic_bss->ni_rsngroupmgmtcipher)) { 2412 status = IEEE80211_STATUS_MFP_POLICY; 2413 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2414 goto end; 2415 } 2416 2417 /* 2418 * Disallow new associations using TKIP if countermeasures 2419 * are active. 2420 */ 2421 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 2422 (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP || 2423 rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) { 2424 status = IEEE80211_STATUS_CIPHER_REJ_POLICY; 2425 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2426 goto end; 2427 } 2428 2429 /* everything looks fine, save IE and parameters */ 2430 if (saveie == NULL || 2431 ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) { 2432 status = IEEE80211_STATUS_TOOMANY; 2433 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2434 goto end; 2435 } 2436 ni->ni_rsnakms = rsn.rsn_akms; 2437 ni->ni_rsnciphers = rsn.rsn_ciphers; 2438 ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher; 2439 ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher; 2440 ni->ni_rsncaps = rsn.rsn_caps; 2441 2442 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 2443 struct ieee80211_pmk *pmk = NULL; 2444 const u_int8_t *pmkid = rsn.rsn_pmkids; 2445 /* 2446 * Check if we have a cached PMK entry matching one 2447 * of the PMKIDs specified in the RSN IE. 2448 */ 2449 while (rsn.rsn_npmkids-- > 0) { 2450 pmk = ieee80211_pmksa_find(ic, ni, pmkid); 2451 if (pmk != NULL) 2452 break; 2453 pmkid += IEEE80211_PMKID_LEN; 2454 } 2455 if (pmk != NULL) { 2456 memcpy(ni->ni_pmk, pmk->pmk_key, 2457 IEEE80211_PMK_LEN); 2458 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 2459 IEEE80211_PMKID_LEN); 2460 ni->ni_flags |= IEEE80211_NODE_PMK; 2461 } 2462 } 2463 } 2464 2465 ni->ni_rssi = rxi->rxi_rssi; 2466 ni->ni_rstamp = rxi->rxi_tstamp; 2467 ni->ni_intval = bintval; 2468 ni->ni_capinfo = capinfo; 2469 ni->ni_chan = ic->ic_bss->ni_chan; 2470 if (htcaps) 2471 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2472 else 2473 ieee80211_clear_htcaps(ni); 2474 end: 2475 if (status != 0) { 2476 IEEE80211_SEND_MGMT(ic, ni, resp, status); 2477 ieee80211_node_leave(ic, ni); 2478 } else 2479 ieee80211_node_join(ic, ni, resp); 2480 } 2481 #endif /* IEEE80211_STA_ONLY */ 2482 2483 /*- 2484 * (Re)Association response frame format: 2485 * [2] Capability information 2486 * [2] Status code 2487 * [2] Association ID (AID) 2488 * [tlv] Supported rates 2489 * [tlv] Extended Supported Rates (802.11g) 2490 * [tlv] EDCA Parameter Set (802.11e) 2491 * [tlv] HT Capabilities (802.11n) 2492 * [tlv] HT Operation (802.11n) 2493 */ 2494 void 2495 ieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m, 2496 struct ieee80211_node *ni, int reassoc) 2497 { 2498 struct ifnet *ifp = &ic->ic_if; 2499 const struct ieee80211_frame *wh; 2500 const u_int8_t *frm, *efrm; 2501 const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop; 2502 u_int16_t capinfo, status, associd; 2503 u_int8_t rate; 2504 2505 if (ic->ic_opmode != IEEE80211_M_STA || 2506 ic->ic_state != IEEE80211_S_ASSOC) { 2507 ic->ic_stats.is_rx_mgtdiscard++; 2508 return; 2509 } 2510 2511 /* make sure all mandatory fixed fields are present */ 2512 if (m->m_len < sizeof(*wh) + 6) { 2513 DPRINTF(("frame too short\n")); 2514 return; 2515 } 2516 wh = mtod(m, struct ieee80211_frame *); 2517 frm = (const u_int8_t *)&wh[1]; 2518 efrm = mtod(m, u_int8_t *) + m->m_len; 2519 2520 capinfo = LE_READ_2(frm); frm += 2; 2521 status = LE_READ_2(frm); frm += 2; 2522 if (status != IEEE80211_STATUS_SUCCESS) { 2523 if (ifp->if_flags & IFF_DEBUG) 2524 printf("%s: %sassociation failed (status %d)" 2525 " for %s\n", ifp->if_xname, 2526 reassoc ? "re" : "", 2527 status, ether_sprintf((u_int8_t *)wh->i_addr3)); 2528 if (ni != ic->ic_bss) 2529 ni->ni_fails++; 2530 ic->ic_stats.is_rx_auth_fail++; 2531 return; 2532 } 2533 associd = LE_READ_2(frm); frm += 2; 2534 2535 rates = xrates = edcaie = wmmie = htcaps = htop = NULL; 2536 while (frm + 2 <= efrm) { 2537 if (frm + 2 + frm[1] > efrm) { 2538 ic->ic_stats.is_rx_elem_toosmall++; 2539 break; 2540 } 2541 switch (frm[0]) { 2542 case IEEE80211_ELEMID_RATES: 2543 rates = frm; 2544 break; 2545 case IEEE80211_ELEMID_XRATES: 2546 xrates = frm; 2547 break; 2548 case IEEE80211_ELEMID_EDCAPARMS: 2549 edcaie = frm; 2550 break; 2551 case IEEE80211_ELEMID_HTCAPS: 2552 htcaps = frm; 2553 break; 2554 case IEEE80211_ELEMID_HTOP: 2555 htop = frm; 2556 break; 2557 case IEEE80211_ELEMID_VENDOR: 2558 if (frm[1] < 4) { 2559 ic->ic_stats.is_rx_elem_toosmall++; 2560 break; 2561 } 2562 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2563 if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1) 2564 wmmie = frm; 2565 } 2566 break; 2567 } 2568 frm += 2 + frm[1]; 2569 } 2570 /* supported rates element is mandatory */ 2571 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2572 DPRINTF(("invalid supported rates element\n")); 2573 return; 2574 } 2575 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2576 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2577 IEEE80211_F_DODEL); 2578 if (rate & IEEE80211_RATE_BASIC) { 2579 DPRINTF(("rate mismatch for %s\n", 2580 ether_sprintf((u_int8_t *)wh->i_addr2))); 2581 ic->ic_stats.is_rx_assoc_norate++; 2582 return; 2583 } 2584 ni->ni_capinfo = capinfo; 2585 ni->ni_associd = associd; 2586 if (edcaie != NULL || wmmie != NULL) { 2587 /* force update of EDCA parameters */ 2588 ic->ic_edca_updtcount = -1; 2589 2590 if ((edcaie != NULL && 2591 ieee80211_parse_edca_params(ic, edcaie) == 0) || 2592 (wmmie != NULL && 2593 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 2594 ni->ni_flags |= IEEE80211_NODE_QOS; 2595 else /* for Reassociation */ 2596 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2597 } 2598 if (htcaps) 2599 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2600 if (htop) 2601 ieee80211_setup_htop(ni, htop + 2, htop[1], 0); 2602 ieee80211_ht_negotiate(ic, ni); 2603 2604 /* Hop into 11n mode after associating to an HT AP in a non-11n mode. */ 2605 if (ni->ni_flags & IEEE80211_NODE_HT) 2606 ieee80211_setmode(ic, IEEE80211_MODE_11N); 2607 else 2608 ieee80211_setmode(ic, ieee80211_chan2mode(ic, ni->ni_chan)); 2609 /* 2610 * Reset the erp state (mostly the slot time) now that 2611 * our operating mode has been nailed down. 2612 */ 2613 ieee80211_reset_erp(ic); 2614 2615 /* 2616 * Configure state now that we are associated. 2617 */ 2618 if (ic->ic_curmode == IEEE80211_MODE_11A || 2619 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 2620 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2621 else 2622 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2623 2624 ieee80211_set_shortslottime(ic, 2625 ic->ic_curmode == IEEE80211_MODE_11A || 2626 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2627 /* 2628 * Honor ERP protection. 2629 */ 2630 if ((ic->ic_curmode == IEEE80211_MODE_11G || 2631 (ic->ic_curmode == IEEE80211_MODE_11N && 2632 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 2633 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2634 ic->ic_flags |= IEEE80211_F_USEPROT; 2635 else 2636 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2637 /* 2638 * If not an RSNA, mark the port as valid, otherwise wait for 2639 * 802.1X authentication and 4-way handshake to complete.. 2640 */ 2641 if (ic->ic_flags & IEEE80211_F_RSNON) { 2642 /* XXX ic->ic_mgt_timer = 5; */ 2643 ni->ni_rsn_supp_state = RSNA_SUPP_PTKSTART; 2644 } else if (ic->ic_flags & IEEE80211_F_WEPON) 2645 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 2646 2647 ieee80211_new_state(ic, IEEE80211_S_RUN, 2648 IEEE80211_FC0_SUBTYPE_ASSOC_RESP); 2649 } 2650 2651 /*- 2652 * Deauthentication frame format: 2653 * [2] Reason code 2654 */ 2655 void 2656 ieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m, 2657 struct ieee80211_node *ni) 2658 { 2659 const struct ieee80211_frame *wh; 2660 const u_int8_t *frm; 2661 u_int16_t reason; 2662 2663 /* make sure all mandatory fixed fields are present */ 2664 if (m->m_len < sizeof(*wh) + 2) { 2665 DPRINTF(("frame too short\n")); 2666 return; 2667 } 2668 wh = mtod(m, struct ieee80211_frame *); 2669 frm = (const u_int8_t *)&wh[1]; 2670 2671 reason = LE_READ_2(frm); 2672 2673 ic->ic_stats.is_rx_deauth++; 2674 switch (ic->ic_opmode) { 2675 case IEEE80211_M_STA: { 2676 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2677 ic->ic_state == IEEE80211_S_RUN); 2678 int stay_auth = ((ic->ic_userflags & IEEE80211_F_STAYAUTH) && 2679 ic->ic_state >= IEEE80211_S_AUTH); 2680 if (!(bgscan || stay_auth)) 2681 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2682 IEEE80211_FC0_SUBTYPE_DEAUTH); 2683 } 2684 break; 2685 #ifndef IEEE80211_STA_ONLY 2686 case IEEE80211_M_HOSTAP: 2687 if (ni != ic->ic_bss) { 2688 int stay_auth = 2689 ((ic->ic_userflags & IEEE80211_F_STAYAUTH) && 2690 (ni->ni_state == IEEE80211_STA_AUTH || 2691 ni->ni_state == IEEE80211_STA_ASSOC)); 2692 if (ic->ic_if.if_flags & IFF_DEBUG) 2693 printf("%s: station %s deauthenticated " 2694 "by peer (reason %d)\n", 2695 ic->ic_if.if_xname, 2696 ether_sprintf(ni->ni_macaddr), 2697 reason); 2698 if (!stay_auth) 2699 ieee80211_node_leave(ic, ni); 2700 } 2701 break; 2702 #endif 2703 default: 2704 break; 2705 } 2706 } 2707 2708 /*- 2709 * Disassociation frame format: 2710 * [2] Reason code 2711 */ 2712 void 2713 ieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m, 2714 struct ieee80211_node *ni) 2715 { 2716 const struct ieee80211_frame *wh; 2717 const u_int8_t *frm; 2718 u_int16_t reason; 2719 2720 /* make sure all mandatory fixed fields are present */ 2721 if (m->m_len < sizeof(*wh) + 2) { 2722 DPRINTF(("frame too short\n")); 2723 return; 2724 } 2725 wh = mtod(m, struct ieee80211_frame *); 2726 frm = (const u_int8_t *)&wh[1]; 2727 2728 reason = LE_READ_2(frm); 2729 2730 ic->ic_stats.is_rx_disassoc++; 2731 switch (ic->ic_opmode) { 2732 case IEEE80211_M_STA: { 2733 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2734 ic->ic_state == IEEE80211_S_RUN); 2735 if (!bgscan) /* ignore disassoc during bgscan */ 2736 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2737 IEEE80211_FC0_SUBTYPE_DISASSOC); 2738 } 2739 break; 2740 #ifndef IEEE80211_STA_ONLY 2741 case IEEE80211_M_HOSTAP: 2742 if (ni != ic->ic_bss) { 2743 if (ic->ic_if.if_flags & IFF_DEBUG) 2744 printf("%s: station %s disassociated " 2745 "by peer (reason %d)\n", 2746 ic->ic_if.if_xname, 2747 ether_sprintf(ni->ni_macaddr), 2748 reason); 2749 ieee80211_node_leave(ic, ni); 2750 } 2751 break; 2752 #endif 2753 default: 2754 break; 2755 } 2756 } 2757 2758 /*- 2759 * ADDBA Request frame format: 2760 * [1] Category 2761 * [1] Action 2762 * [1] Dialog Token 2763 * [2] Block Ack Parameter Set 2764 * [2] Block Ack Timeout Value 2765 * [2] Block Ack Starting Sequence Control 2766 */ 2767 void 2768 ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m, 2769 struct ieee80211_node *ni) 2770 { 2771 const struct ieee80211_frame *wh; 2772 const u_int8_t *frm; 2773 struct ieee80211_rx_ba *ba; 2774 u_int16_t params, ssn, bufsz, timeout; 2775 u_int8_t token, tid; 2776 int err = 0; 2777 2778 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2779 DPRINTF(("received ADDBA req from non-HT STA %s\n", 2780 ether_sprintf(ni->ni_macaddr))); 2781 return; 2782 } 2783 if (m->m_len < sizeof(*wh) + 9) { 2784 DPRINTF(("frame too short\n")); 2785 return; 2786 } 2787 /* MLME-ADDBA.indication */ 2788 wh = mtod(m, struct ieee80211_frame *); 2789 frm = (const u_int8_t *)&wh[1]; 2790 2791 token = frm[2]; 2792 params = LE_READ_2(&frm[3]); 2793 tid = ((params & IEEE80211_ADDBA_TID_MASK) >> 2794 IEEE80211_ADDBA_TID_SHIFT); 2795 bufsz = (params & IEEE80211_ADDBA_BUFSZ_MASK) >> 2796 IEEE80211_ADDBA_BUFSZ_SHIFT; 2797 timeout = LE_READ_2(&frm[5]); 2798 ssn = LE_READ_2(&frm[7]) >> 4; 2799 2800 ba = &ni->ni_rx_ba[tid]; 2801 /* The driver is still processing an ADDBA request for this tid. */ 2802 if (ba->ba_state == IEEE80211_BA_REQUESTED) 2803 return; 2804 /* check if we already have a Block Ack agreement for this RA/TID */ 2805 if (ba->ba_state == IEEE80211_BA_AGREED) { 2806 /* XXX should we update the timeout value? */ 2807 /* reset Block Ack inactivity timer */ 2808 if (ba->ba_timeout_val != 0) 2809 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2810 2811 /* check if it's a Protected Block Ack agreement */ 2812 if (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2813 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) 2814 return; /* not a PBAC, ignore */ 2815 2816 /* PBAC: treat the ADDBA Request like a BlockAckReq */ 2817 if (SEQ_LT(ba->ba_winstart, ssn)) { 2818 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 2819 ieee80211_ba_move_window(ic, ni, tid, ssn, &ml); 2820 if_input(&ic->ic_if, &ml); 2821 } 2822 return; 2823 } 2824 2825 /* if PBAC required but RA does not support it, refuse request */ 2826 if ((ic->ic_flags & IEEE80211_F_PBAR) && 2827 (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2828 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))) 2829 goto refuse; 2830 /* 2831 * If the TID for which the Block Ack agreement is requested is 2832 * configured with a no-ACK policy, refuse the agreement. 2833 */ 2834 if (ic->ic_tid_noack & (1 << tid)) 2835 goto refuse; 2836 2837 /* check that we support the requested Block Ack Policy */ 2838 if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) && 2839 !(params & IEEE80211_ADDBA_BA_POLICY)) 2840 goto refuse; 2841 2842 /* setup Block Ack agreement */ 2843 ba->ba_state = IEEE80211_BA_REQUESTED; 2844 ba->ba_timeout_val = timeout * IEEE80211_DUR_TU; 2845 ba->ba_ni = ni; 2846 ba->ba_token = token; 2847 timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba); 2848 timeout_set(&ba->ba_gap_to, ieee80211_input_ba_gap_timeout, ba); 2849 ba->ba_gapwait = 0; 2850 ba->ba_winsize = bufsz; 2851 if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ) 2852 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 2853 ba->ba_params = (params & IEEE80211_ADDBA_BA_POLICY); 2854 ba->ba_params |= ((ba->ba_winsize << IEEE80211_ADDBA_BUFSZ_SHIFT) | 2855 (tid << IEEE80211_ADDBA_TID_SHIFT)); 2856 ba->ba_params |= IEEE80211_ADDBA_AMSDU; 2857 ba->ba_winstart = ssn; 2858 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 2859 /* allocate and setup our reordering buffer */ 2860 ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf), 2861 M_DEVBUF, M_NOWAIT | M_ZERO); 2862 if (ba->ba_buf == NULL) 2863 goto refuse; 2864 2865 ba->ba_head = 0; 2866 2867 /* notify drivers of this new Block Ack agreement */ 2868 if (ic->ic_ampdu_rx_start != NULL) 2869 err = ic->ic_ampdu_rx_start(ic, ni, tid); 2870 if (err == EBUSY) { 2871 /* driver will accept or refuse agreement when done */ 2872 return; 2873 } else if (err) { 2874 /* driver failed to setup, rollback */ 2875 ieee80211_addba_req_refuse(ic, ni, tid); 2876 } else 2877 ieee80211_addba_req_accept(ic, ni, tid); 2878 return; 2879 2880 refuse: 2881 /* MLME-ADDBA.response */ 2882 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2883 IEEE80211_ACTION_ADDBA_RESP, 2884 IEEE80211_STATUS_REFUSED << 16 | token << 8 | tid); 2885 } 2886 2887 void 2888 ieee80211_addba_req_accept(struct ieee80211com *ic, struct ieee80211_node *ni, 2889 uint8_t tid) 2890 { 2891 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2892 2893 ba->ba_state = IEEE80211_BA_AGREED; 2894 ic->ic_stats.is_ht_rx_ba_agreements++; 2895 /* start Block Ack inactivity timer */ 2896 if (ba->ba_timeout_val != 0) 2897 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2898 2899 /* MLME-ADDBA.response */ 2900 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2901 IEEE80211_ACTION_ADDBA_RESP, 2902 IEEE80211_STATUS_SUCCESS << 16 | ba->ba_token << 8 | tid); 2903 } 2904 2905 void 2906 ieee80211_addba_req_refuse(struct ieee80211com *ic, struct ieee80211_node *ni, 2907 uint8_t tid) 2908 { 2909 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2910 2911 free(ba->ba_buf, M_DEVBUF, 2912 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 2913 ba->ba_buf = NULL; 2914 ba->ba_state = IEEE80211_BA_INIT; 2915 2916 /* MLME-ADDBA.response */ 2917 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2918 IEEE80211_ACTION_ADDBA_RESP, 2919 IEEE80211_STATUS_REFUSED << 16 | ba->ba_token << 8 | tid); 2920 } 2921 2922 /*- 2923 * ADDBA Response frame format: 2924 * [1] Category 2925 * [1] Action 2926 * [1] Dialog Token 2927 * [2] Status Code 2928 * [2] Block Ack Parameter Set 2929 * [2] Block Ack Timeout Value 2930 */ 2931 void 2932 ieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m, 2933 struct ieee80211_node *ni) 2934 { 2935 const struct ieee80211_frame *wh; 2936 const u_int8_t *frm; 2937 struct ieee80211_tx_ba *ba; 2938 u_int16_t status, params, bufsz, timeout; 2939 u_int8_t token, tid; 2940 int err = 0; 2941 2942 if (m->m_len < sizeof(*wh) + 9) { 2943 DPRINTF(("frame too short\n")); 2944 return; 2945 } 2946 wh = mtod(m, struct ieee80211_frame *); 2947 frm = (const u_int8_t *)&wh[1]; 2948 2949 token = frm[2]; 2950 status = LE_READ_2(&frm[3]); 2951 params = LE_READ_2(&frm[5]); 2952 tid = (params >> 2) & 0xf; 2953 bufsz = (params >> 6) & 0x3ff; 2954 timeout = LE_READ_2(&frm[7]); 2955 2956 DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n", 2957 ether_sprintf(ni->ni_macaddr), tid, status)); 2958 2959 /* 2960 * Ignore if no ADDBA request has been sent for this RA/TID or 2961 * if we already have a Block Ack agreement. 2962 */ 2963 ba = &ni->ni_tx_ba[tid]; 2964 if (ba->ba_state != IEEE80211_BA_REQUESTED) { 2965 DPRINTF(("no matching ADDBA req found\n")); 2966 return; 2967 } 2968 if (token != ba->ba_token) { 2969 DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n", 2970 ether_sprintf(ni->ni_macaddr), token, ba->ba_token)); 2971 return; 2972 } 2973 /* we got an ADDBA Response matching our request, stop timeout */ 2974 timeout_del(&ba->ba_to); 2975 2976 if (status != IEEE80211_STATUS_SUCCESS) { 2977 if (ni->ni_addba_req_intval[tid] < 2978 IEEE80211_ADDBA_REQ_INTVAL_MAX) 2979 ni->ni_addba_req_intval[tid]++; 2980 2981 ieee80211_addba_resp_refuse(ic, ni, tid, status); 2982 2983 /* 2984 * In case the peer believes there is an existing 2985 * block ack agreement with us, try to delete it. 2986 */ 2987 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2988 IEEE80211_ACTION_DELBA, 2989 IEEE80211_REASON_SETUP_REQUIRED << 16 | 1 << 8 | tid); 2990 return; 2991 } 2992 2993 /* notify drivers of this new Block Ack agreement */ 2994 if (ic->ic_ampdu_tx_start != NULL) 2995 err = ic->ic_ampdu_tx_start(ic, ni, tid); 2996 2997 if (err == EBUSY) { 2998 /* driver will accept or refuse agreement when done */ 2999 return; 3000 } else if (err) { 3001 /* driver failed to setup, rollback */ 3002 ieee80211_addba_resp_refuse(ic, ni, tid, 3003 IEEE80211_STATUS_UNSPECIFIED); 3004 } else 3005 ieee80211_addba_resp_accept(ic, ni, tid); 3006 } 3007 3008 void 3009 ieee80211_addba_resp_accept(struct ieee80211com *ic, 3010 struct ieee80211_node *ni, uint8_t tid) 3011 { 3012 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 3013 3014 /* MLME-ADDBA.confirm(Success) */ 3015 ba->ba_state = IEEE80211_BA_AGREED; 3016 ic->ic_stats.is_ht_tx_ba_agreements++; 3017 3018 /* Reset ADDBA request interval. */ 3019 ni->ni_addba_req_intval[tid] = 1; 3020 3021 ni->ni_qos_txseqs[tid] = ba->ba_winstart; 3022 3023 /* start Block Ack inactivity timeout */ 3024 if (ba->ba_timeout_val != 0) 3025 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 3026 } 3027 3028 void 3029 ieee80211_addba_resp_refuse(struct ieee80211com *ic, 3030 struct ieee80211_node *ni, uint8_t tid, uint16_t status) 3031 { 3032 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 3033 3034 /* MLME-ADDBA.confirm(Failure) */ 3035 ba->ba_state = IEEE80211_BA_INIT; 3036 } 3037 3038 /*- 3039 * DELBA frame format: 3040 * [1] Category 3041 * [1] Action 3042 * [2] DELBA Parameter Set 3043 * [2] Reason Code 3044 */ 3045 void 3046 ieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m, 3047 struct ieee80211_node *ni) 3048 { 3049 const struct ieee80211_frame *wh; 3050 const u_int8_t *frm; 3051 u_int16_t params, reason; 3052 u_int8_t tid; 3053 int i; 3054 3055 if (m->m_len < sizeof(*wh) + 6) { 3056 DPRINTF(("frame too short\n")); 3057 return; 3058 } 3059 wh = mtod(m, struct ieee80211_frame *); 3060 frm = (const u_int8_t *)&wh[1]; 3061 3062 params = LE_READ_2(&frm[2]); 3063 reason = LE_READ_2(&frm[4]); 3064 tid = params >> 12; 3065 3066 DPRINTF(("received DELBA from %s, TID %d, reason %d\n", 3067 ether_sprintf(ni->ni_macaddr), tid, reason)); 3068 3069 if (params & IEEE80211_DELBA_INITIATOR) { 3070 /* MLME-DELBA.indication(Originator) */ 3071 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 3072 3073 if (ba->ba_state != IEEE80211_BA_AGREED) { 3074 DPRINTF(("no matching Block Ack agreement\n")); 3075 return; 3076 } 3077 /* notify drivers of the end of the Block Ack agreement */ 3078 if (ic->ic_ampdu_rx_stop != NULL) 3079 ic->ic_ampdu_rx_stop(ic, ni, tid); 3080 3081 ba->ba_state = IEEE80211_BA_INIT; 3082 /* stop Block Ack inactivity timer */ 3083 timeout_del(&ba->ba_to); 3084 timeout_del(&ba->ba_gap_to); 3085 ba->ba_gapwait = 0; 3086 3087 if (ba->ba_buf != NULL) { 3088 /* free all MSDUs stored in reordering buffer */ 3089 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 3090 m_freem(ba->ba_buf[i].m); 3091 /* free reordering buffer */ 3092 free(ba->ba_buf, M_DEVBUF, 3093 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 3094 ba->ba_buf = NULL; 3095 } 3096 } else { 3097 /* MLME-DELBA.indication(Recipient) */ 3098 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 3099 3100 if (ba->ba_state != IEEE80211_BA_AGREED) { 3101 DPRINTF(("no matching Block Ack agreement\n")); 3102 return; 3103 } 3104 /* notify drivers of the end of the Block Ack agreement */ 3105 if (ic->ic_ampdu_tx_stop != NULL) 3106 ic->ic_ampdu_tx_stop(ic, ni, tid); 3107 3108 ba->ba_state = IEEE80211_BA_INIT; 3109 /* stop Block Ack inactivity timer */ 3110 timeout_del(&ba->ba_to); 3111 } 3112 } 3113 3114 /*- 3115 * SA Query Request frame format: 3116 * [1] Category 3117 * [1] Action 3118 * [2] Transaction Identifier 3119 */ 3120 void 3121 ieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m, 3122 struct ieee80211_node *ni) 3123 { 3124 const struct ieee80211_frame *wh; 3125 const u_int8_t *frm; 3126 3127 if (ic->ic_opmode != IEEE80211_M_STA || 3128 !(ni->ni_flags & IEEE80211_NODE_MFP)) { 3129 DPRINTF(("unexpected SA Query req from %s\n", 3130 ether_sprintf(ni->ni_macaddr))); 3131 return; 3132 } 3133 if (m->m_len < sizeof(*wh) + 4) { 3134 DPRINTF(("frame too short\n")); 3135 return; 3136 } 3137 wh = mtod(m, struct ieee80211_frame *); 3138 frm = (const u_int8_t *)&wh[1]; 3139 3140 /* MLME-SAQuery.indication */ 3141 3142 /* save Transaction Identifier for SA Query Response */ 3143 ni->ni_sa_query_trid = LE_READ_2(&frm[2]); 3144 3145 /* MLME-SAQuery.response */ 3146 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 3147 IEEE80211_ACTION_SA_QUERY_RESP, 0); 3148 } 3149 3150 #ifndef IEEE80211_STA_ONLY 3151 /*- 3152 * SA Query Response frame format: 3153 * [1] Category 3154 * [1] Action 3155 * [2] Transaction Identifier 3156 */ 3157 void 3158 ieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m, 3159 struct ieee80211_node *ni) 3160 { 3161 const struct ieee80211_frame *wh; 3162 const u_int8_t *frm; 3163 3164 /* ignore if we're not engaged in an SA Query with that STA */ 3165 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 3166 DPRINTF(("unexpected SA Query resp from %s\n", 3167 ether_sprintf(ni->ni_macaddr))); 3168 return; 3169 } 3170 if (m->m_len < sizeof(*wh) + 4) { 3171 DPRINTF(("frame too short\n")); 3172 return; 3173 } 3174 wh = mtod(m, struct ieee80211_frame *); 3175 frm = (const u_int8_t *)&wh[1]; 3176 3177 /* check that Transaction Identifier matches */ 3178 if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) { 3179 DPRINTF(("transaction identifier does not match\n")); 3180 return; 3181 } 3182 /* MLME-SAQuery.confirm */ 3183 timeout_del(&ni->ni_sa_query_to); 3184 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 3185 } 3186 #endif 3187 3188 /*- 3189 * Action frame format: 3190 * [1] Category 3191 * [1] Action 3192 */ 3193 void 3194 ieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m, 3195 struct ieee80211_node *ni) 3196 { 3197 const struct ieee80211_frame *wh; 3198 const u_int8_t *frm; 3199 3200 if (m->m_len < sizeof(*wh) + 2) { 3201 DPRINTF(("frame too short\n")); 3202 return; 3203 } 3204 wh = mtod(m, struct ieee80211_frame *); 3205 frm = (const u_int8_t *)&wh[1]; 3206 3207 switch (frm[0]) { 3208 case IEEE80211_CATEG_BA: 3209 switch (frm[1]) { 3210 case IEEE80211_ACTION_ADDBA_REQ: 3211 ieee80211_recv_addba_req(ic, m, ni); 3212 break; 3213 case IEEE80211_ACTION_ADDBA_RESP: 3214 ieee80211_recv_addba_resp(ic, m, ni); 3215 break; 3216 case IEEE80211_ACTION_DELBA: 3217 ieee80211_recv_delba(ic, m, ni); 3218 break; 3219 } 3220 break; 3221 case IEEE80211_CATEG_SA_QUERY: 3222 switch (frm[1]) { 3223 case IEEE80211_ACTION_SA_QUERY_REQ: 3224 ieee80211_recv_sa_query_req(ic, m, ni); 3225 break; 3226 #ifndef IEEE80211_STA_ONLY 3227 case IEEE80211_ACTION_SA_QUERY_RESP: 3228 ieee80211_recv_sa_query_resp(ic, m, ni); 3229 break; 3230 #endif 3231 } 3232 break; 3233 default: 3234 DPRINTF(("action frame category %d not handled\n", frm[0])); 3235 break; 3236 } 3237 } 3238 3239 void 3240 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m, 3241 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype) 3242 { 3243 switch (subtype) { 3244 case IEEE80211_FC0_SUBTYPE_BEACON: 3245 ieee80211_recv_probe_resp(ic, m, ni, rxi, 0); 3246 break; 3247 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 3248 ieee80211_recv_probe_resp(ic, m, ni, rxi, 1); 3249 break; 3250 #ifndef IEEE80211_STA_ONLY 3251 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 3252 ieee80211_recv_probe_req(ic, m, ni, rxi); 3253 break; 3254 #endif 3255 case IEEE80211_FC0_SUBTYPE_AUTH: 3256 ieee80211_recv_auth(ic, m, ni, rxi); 3257 break; 3258 #ifndef IEEE80211_STA_ONLY 3259 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 3260 ieee80211_recv_assoc_req(ic, m, ni, rxi, 0); 3261 break; 3262 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 3263 ieee80211_recv_assoc_req(ic, m, ni, rxi, 1); 3264 break; 3265 #endif 3266 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 3267 ieee80211_recv_assoc_resp(ic, m, ni, 0); 3268 break; 3269 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 3270 ieee80211_recv_assoc_resp(ic, m, ni, 1); 3271 break; 3272 case IEEE80211_FC0_SUBTYPE_DEAUTH: 3273 ieee80211_recv_deauth(ic, m, ni); 3274 break; 3275 case IEEE80211_FC0_SUBTYPE_DISASSOC: 3276 ieee80211_recv_disassoc(ic, m, ni); 3277 break; 3278 case IEEE80211_FC0_SUBTYPE_ACTION: 3279 ieee80211_recv_action(ic, m, ni); 3280 break; 3281 default: 3282 DPRINTF(("mgmt frame with subtype 0x%x not handled\n", 3283 subtype)); 3284 ic->ic_stats.is_rx_badsubtype++; 3285 break; 3286 } 3287 } 3288 3289 #ifndef IEEE80211_STA_ONLY 3290 /* 3291 * Process an incoming PS-Poll control frame (see 11.2). 3292 */ 3293 void 3294 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m, 3295 struct ieee80211_node *ni) 3296 { 3297 struct ifnet *ifp = &ic->ic_if; 3298 struct ieee80211_frame_pspoll *psp; 3299 struct ieee80211_frame *wh; 3300 u_int16_t aid; 3301 3302 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 3303 !(ic->ic_caps & IEEE80211_C_APPMGT) || 3304 ni->ni_state != IEEE80211_STA_ASSOC) 3305 return; 3306 3307 if (m->m_len < sizeof(*psp)) { 3308 DPRINTF(("frame too short, len %u\n", m->m_len)); 3309 ic->ic_stats.is_rx_tooshort++; 3310 return; 3311 } 3312 psp = mtod(m, struct ieee80211_frame_pspoll *); 3313 if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) { 3314 DPRINTF(("discard pspoll frame to BSS %s\n", 3315 ether_sprintf(psp->i_bssid))); 3316 ic->ic_stats.is_rx_wrongbss++; 3317 return; 3318 } 3319 aid = letoh16(*(u_int16_t *)psp->i_aid); 3320 if (aid != ni->ni_associd) { 3321 DPRINTF(("invalid pspoll aid %x from %s\n", aid, 3322 ether_sprintf(psp->i_ta))); 3323 return; 3324 } 3325 3326 /* take the first queued frame and put it out.. */ 3327 m = mq_dequeue(&ni->ni_savedq); 3328 if (m == NULL) 3329 return; 3330 if (mq_empty(&ni->ni_savedq)) { 3331 /* last queued frame, turn off the TIM bit */ 3332 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 3333 } else { 3334 /* more queued frames, set the more data bit */ 3335 wh = mtod(m, struct ieee80211_frame *); 3336 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 3337 } 3338 mq_enqueue(&ic->ic_pwrsaveq, m); 3339 if_start(ifp); 3340 } 3341 #endif /* IEEE80211_STA_ONLY */ 3342 3343 /* 3344 * Process an incoming BlockAckReq control frame (see 7.2.1.7). 3345 */ 3346 void 3347 ieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m, 3348 struct ieee80211_node *ni) 3349 { 3350 const struct ieee80211_frame_min *wh; 3351 const u_int8_t *frm; 3352 u_int16_t ctl, ssn; 3353 u_int8_t tid, ntids; 3354 3355 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 3356 DPRINTF(("received BlockAckReq from non-HT STA %s\n", 3357 ether_sprintf(ni->ni_macaddr))); 3358 return; 3359 } 3360 if (m->m_len < sizeof(*wh) + 4) { 3361 DPRINTF(("frame too short\n")); 3362 return; 3363 } 3364 wh = mtod(m, struct ieee80211_frame_min *); 3365 frm = (const u_int8_t *)&wh[1]; 3366 3367 /* read BlockAckReq Control field */ 3368 ctl = LE_READ_2(&frm[0]); 3369 tid = ctl >> 12; 3370 3371 /* determine BlockAckReq frame variant */ 3372 if (ctl & IEEE80211_BA_MULTI_TID) { 3373 /* Multi-TID BlockAckReq variant (PSMP only) */ 3374 ntids = tid + 1; 3375 3376 if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) { 3377 DPRINTF(("MTBAR frame too short\n")); 3378 return; 3379 } 3380 frm += 2; /* skip BlockAckReq Control field */ 3381 while (ntids-- > 0) { 3382 /* read MTBAR Information field */ 3383 tid = LE_READ_2(&frm[0]) >> 12; 3384 ssn = LE_READ_2(&frm[2]) >> 4; 3385 ieee80211_bar_tid(ic, ni, tid, ssn); 3386 frm += 4; 3387 } 3388 } else { 3389 /* Basic or Compressed BlockAckReq variants */ 3390 ssn = LE_READ_2(&frm[2]) >> 4; 3391 ieee80211_bar_tid(ic, ni, tid, ssn); 3392 } 3393 } 3394 3395 /* 3396 * Process a BlockAckReq for a specific TID (see 9.10.7.6.3). 3397 * This is the common back-end for all BlockAckReq frame variants. 3398 */ 3399 void 3400 ieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni, 3401 u_int8_t tid, u_int16_t ssn) 3402 { 3403 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 3404 3405 /* check if we have a Block Ack agreement for RA/TID */ 3406 if (ba->ba_state != IEEE80211_BA_AGREED) { 3407 /* XXX not sure in PBAC case */ 3408 /* send a DELBA with reason code UNKNOWN-BA */ 3409 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 3410 IEEE80211_ACTION_DELBA, 3411 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 3412 return; 3413 } 3414 /* check if it is a Protected Block Ack agreement */ 3415 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 3416 (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) { 3417 /* ADDBA Requests must be used in PBAC case */ 3418 if (SEQ_LT(ssn, ba->ba_winstart) || 3419 SEQ_LT(ba->ba_winend, ssn)) 3420 ic->ic_stats.is_pbac_errs++; 3421 return; /* PBAC, do not move window */ 3422 } 3423 /* reset Block Ack inactivity timer */ 3424 if (ba->ba_timeout_val != 0) 3425 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 3426 3427 if (SEQ_LT(ba->ba_winstart, ssn)) { 3428 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 3429 ieee80211_ba_move_window(ic, ni, tid, ssn, &ml); 3430 if_input(&ic->ic_if, &ml); 3431 } 3432 } 3433