1 /* $OpenBSD: ieee80211_input.c,v 1.187 2017/03/01 19:28:48 stsp Exp $ */ 2 3 /*- 4 * Copyright (c) 2001 Atsushi Onoe 5 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 6 * Copyright (c) 2007-2009 Damien Bergamini 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of the author may not be used to endorse or promote products 18 * derived from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include "bpfilter.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 #include <sys/socket.h> 40 #include <sys/sockio.h> 41 #include <sys/endian.h> 42 #include <sys/errno.h> 43 #include <sys/sysctl.h> 44 #include <sys/task.h> 45 46 #include <net/if.h> 47 #include <net/if_dl.h> 48 #include <net/if_media.h> 49 #include <net/if_llc.h> 50 51 #if NBPFILTER > 0 52 #include <net/bpf.h> 53 #endif 54 55 #include <netinet/in.h> 56 #include <netinet/if_ether.h> 57 58 #include <net80211/ieee80211_var.h> 59 #include <net80211/ieee80211_priv.h> 60 61 struct mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int); 62 void ieee80211_defrag_timeout(void *); 63 void ieee80211_input_ba(struct ieee80211com *, struct mbuf *, 64 struct ieee80211_node *, int, struct ieee80211_rxinfo *); 65 void ieee80211_input_ba_flush(struct ieee80211com *, struct ieee80211_node *, 66 struct ieee80211_rx_ba *); 67 void ieee80211_input_ba_gap_timeout(void *arg); 68 void ieee80211_ba_move_window(struct ieee80211com *, 69 struct ieee80211_node *, u_int8_t, u_int16_t); 70 void ieee80211_input_ba_seq(struct ieee80211com *, 71 struct ieee80211_node *, uint8_t, uint16_t); 72 struct mbuf *ieee80211_align_mbuf(struct mbuf *); 73 void ieee80211_decap(struct ieee80211com *, struct mbuf *, 74 struct ieee80211_node *, int); 75 void ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *, 76 struct ieee80211_node *, int); 77 void ieee80211_deliver_data(struct ieee80211com *, struct mbuf *, 78 struct ieee80211_node *, int); 79 int ieee80211_parse_edca_params_body(struct ieee80211com *, 80 const u_int8_t *); 81 int ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *); 82 int ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *); 83 enum ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t[]); 84 enum ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t[]); 85 int ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *, 86 u_int, struct ieee80211_rsnparams *); 87 int ieee80211_save_ie(const u_int8_t *, u_int8_t **); 88 void ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *, 89 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 90 #ifndef IEEE80211_STA_ONLY 91 void ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *, 92 struct ieee80211_node *, struct ieee80211_rxinfo *); 93 #endif 94 void ieee80211_recv_auth(struct ieee80211com *, struct mbuf *, 95 struct ieee80211_node *, struct ieee80211_rxinfo *); 96 #ifndef IEEE80211_STA_ONLY 97 void ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *, 98 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 99 #endif 100 void ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *, 101 struct ieee80211_node *, int); 102 void ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *, 103 struct ieee80211_node *); 104 void ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *, 105 struct ieee80211_node *); 106 void ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *, 107 struct ieee80211_node *); 108 void ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *, 109 struct ieee80211_node *); 110 void ieee80211_recv_delba(struct ieee80211com *, struct mbuf *, 111 struct ieee80211_node *); 112 void ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *, 113 struct ieee80211_node *); 114 #ifndef IEEE80211_STA_ONLY 115 void ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *, 116 struct ieee80211_node *); 117 #endif 118 void ieee80211_recv_action(struct ieee80211com *, struct mbuf *, 119 struct ieee80211_node *); 120 #ifndef IEEE80211_STA_ONLY 121 void ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *, 122 struct ieee80211_node *); 123 #endif 124 void ieee80211_recv_bar(struct ieee80211com *, struct mbuf *, 125 struct ieee80211_node *); 126 void ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *, 127 u_int8_t, u_int16_t); 128 void ieee80211_input_print(struct ieee80211com *, struct ifnet *, 129 struct ieee80211_frame *, struct ieee80211_rxinfo *); 130 void ieee80211_input_print_task(void *); 131 132 struct ieee80211printmsg { 133 struct task task; 134 char text[512]; 135 }; 136 137 /* 138 * Retrieve the length in bytes of an 802.11 header. 139 */ 140 u_int 141 ieee80211_get_hdrlen(const struct ieee80211_frame *wh) 142 { 143 u_int size = sizeof(*wh); 144 145 /* NB: does not work with control frames */ 146 KASSERT(ieee80211_has_seq(wh)); 147 148 if (ieee80211_has_addr4(wh)) 149 size += IEEE80211_ADDR_LEN; /* i_addr4 */ 150 if (ieee80211_has_qos(wh)) 151 size += sizeof(u_int16_t); /* i_qos */ 152 if (ieee80211_has_htc(wh)) 153 size += sizeof(u_int32_t); /* i_ht */ 154 return size; 155 } 156 157 /* 158 * Work queue task that prints a received frame. Avoids printf() from 159 * interrupt context at IPL_NET making slow machines unusable when many 160 * frames are received and the interface is put in debug mode. 161 */ 162 void 163 ieee80211_input_print_task(void *arg1) 164 { 165 struct ieee80211printmsg *msg = arg1; 166 167 printf("%s", msg->text); 168 free(msg, M_DEVBUF, 0); 169 } 170 171 void 172 ieee80211_input_print(struct ieee80211com *ic, struct ifnet *ifp, 173 struct ieee80211_frame *wh, struct ieee80211_rxinfo *rxi) 174 { 175 int doprint; 176 struct ieee80211printmsg *msg; 177 u_int8_t subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 178 179 /* avoid printing too many frames */ 180 doprint = 0; 181 switch (subtype) { 182 case IEEE80211_FC0_SUBTYPE_BEACON: 183 if (ic->ic_state == IEEE80211_S_SCAN) 184 doprint = 1; 185 break; 186 #ifndef IEEE80211_STA_ONLY 187 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 188 if (ic->ic_opmode == IEEE80211_M_IBSS) 189 doprint = 1; 190 break; 191 #endif 192 default: 193 doprint = 1; 194 break; 195 } 196 #ifdef IEEE80211_DEBUG 197 doprint += (ieee80211_debug > 1); 198 #endif 199 if (!doprint) 200 return; 201 202 msg = malloc(sizeof(*msg), M_DEVBUF, M_NOWAIT); 203 if (msg == NULL) 204 return; 205 206 snprintf(msg->text, sizeof(msg->text), 207 "%s: received %s from %s rssi %d mode %s\n", ifp->if_xname, 208 ieee80211_mgt_subtype_name[subtype >> IEEE80211_FC0_SUBTYPE_SHIFT], 209 ether_sprintf(wh->i_addr2), rxi->rxi_rssi, 210 ieee80211_phymode_name[ic->ic_curmode]); 211 212 task_set(&msg->task, ieee80211_input_print_task, msg); 213 task_add(systq, &msg->task); 214 } 215 216 /* 217 * Process a received frame. The node associated with the sender 218 * should be supplied. If nothing was found in the node table then 219 * the caller is assumed to supply a reference to ic_bss instead. 220 * The RSSI and a timestamp are also supplied. The RSSI data is used 221 * during AP scanning to select a AP to associate with; it can have 222 * any units so long as values have consistent units and higher values 223 * mean ``better signal''. The receive timestamp is currently not used 224 * by the 802.11 layer. 225 */ 226 void 227 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 228 struct ieee80211_rxinfo *rxi) 229 { 230 struct ieee80211com *ic = (void *)ifp; 231 struct ieee80211_frame *wh; 232 u_int16_t *orxseq, nrxseq, qos; 233 u_int8_t dir, type, subtype, tid; 234 int hdrlen, hasqos; 235 236 KASSERT(ni != NULL); 237 238 /* in monitor mode, send everything directly to bpf */ 239 if (ic->ic_opmode == IEEE80211_M_MONITOR) 240 goto out; 241 242 /* 243 * Do not process frames without an Address 2 field any further. 244 * Only CTS and ACK control frames do not have this field. 245 */ 246 if (m->m_len < sizeof(struct ieee80211_frame_min)) { 247 DPRINTF(("frame too short, len %u\n", m->m_len)); 248 ic->ic_stats.is_rx_tooshort++; 249 goto out; 250 } 251 252 wh = mtod(m, struct ieee80211_frame *); 253 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 254 IEEE80211_FC0_VERSION_0) { 255 DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0])); 256 ic->ic_stats.is_rx_badversion++; 257 goto err; 258 } 259 260 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 261 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 262 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 263 264 if (type != IEEE80211_FC0_TYPE_CTL) { 265 hdrlen = ieee80211_get_hdrlen(wh); 266 if (m->m_len < hdrlen) { 267 DPRINTF(("frame too short, len %u\n", m->m_len)); 268 ic->ic_stats.is_rx_tooshort++; 269 goto err; 270 } 271 } 272 if ((hasqos = ieee80211_has_qos(wh))) { 273 qos = ieee80211_get_qos(wh); 274 tid = qos & IEEE80211_QOS_TID; 275 } else { 276 qos = 0; 277 tid = 0; 278 } 279 280 if (type == IEEE80211_FC0_TYPE_DATA && hasqos && 281 (subtype & IEEE80211_FC0_SUBTYPE_NODATA) == 0 && 282 !(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE)) { 283 int ba_state = ni->ni_rx_ba[tid].ba_state; 284 285 /* 286 * If Block Ack was explicitly requested, check 287 * if we have a BA agreement for this RA/TID. 288 */ 289 if ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 290 IEEE80211_QOS_ACK_POLICY_BA && 291 ba_state != IEEE80211_BA_AGREED) { 292 DPRINTF(("no BA agreement for %s, TID %d\n", 293 ether_sprintf(ni->ni_macaddr), tid)); 294 /* send a DELBA with reason code UNKNOWN-BA */ 295 IEEE80211_SEND_ACTION(ic, ni, 296 IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA, 297 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 298 goto err; 299 } 300 301 /* 302 * Check if we have an explicit or implicit 303 * Block Ack Request for a valid BA agreement. 304 */ 305 if (ba_state == IEEE80211_BA_AGREED && 306 ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 307 IEEE80211_QOS_ACK_POLICY_BA || 308 (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 309 IEEE80211_QOS_ACK_POLICY_NORMAL)) { 310 /* go through A-MPDU reordering */ 311 ieee80211_input_ba(ic, m, ni, tid, rxi); 312 return; /* don't free m! */ 313 } 314 } 315 316 /* duplicate detection (see 9.2.9) */ 317 if (ieee80211_has_seq(wh) && 318 ic->ic_state != IEEE80211_S_SCAN) { 319 nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >> 320 IEEE80211_SEQ_SEQ_SHIFT; 321 if (hasqos) 322 orxseq = &ni->ni_qos_rxseqs[tid]; 323 else 324 orxseq = &ni->ni_rxseq; 325 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 326 nrxseq == *orxseq) { 327 /* duplicate, silently discarded */ 328 ic->ic_stats.is_rx_dup++; 329 goto out; 330 } 331 *orxseq = nrxseq; 332 } 333 if (ic->ic_state != IEEE80211_S_SCAN) { 334 ni->ni_rssi = rxi->rxi_rssi; 335 ni->ni_rstamp = rxi->rxi_tstamp; 336 ni->ni_inact = 0; 337 } 338 339 #ifndef IEEE80211_STA_ONLY 340 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 341 (ic->ic_caps & IEEE80211_C_APPMGT) && 342 ni->ni_state == IEEE80211_STA_ASSOC) { 343 if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) { 344 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) { 345 /* turn on PS mode */ 346 ni->ni_pwrsave = IEEE80211_PS_DOZE; 347 DPRINTF(("PS mode on for %s\n", 348 ether_sprintf(wh->i_addr2))); 349 } 350 } else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) { 351 struct mbuf *m; 352 353 /* turn off PS mode */ 354 ni->ni_pwrsave = IEEE80211_PS_AWAKE; 355 DPRINTF(("PS mode off for %s\n", 356 ether_sprintf(wh->i_addr2))); 357 358 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 359 360 /* dequeue buffered unicast frames */ 361 while ((m = mq_dequeue(&ni->ni_savedq)) != NULL) { 362 mq_enqueue(&ic->ic_pwrsaveq, m); 363 if_start(ifp); 364 } 365 } 366 } 367 #endif 368 switch (type) { 369 case IEEE80211_FC0_TYPE_DATA: 370 switch (ic->ic_opmode) { 371 case IEEE80211_M_STA: 372 if (dir != IEEE80211_FC1_DIR_FROMDS) { 373 ic->ic_stats.is_rx_wrongdir++; 374 goto out; 375 } 376 if (ic->ic_state != IEEE80211_S_SCAN && 377 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 378 /* Source address is not our BSS. */ 379 DPRINTF(("discard frame from SA %s\n", 380 ether_sprintf(wh->i_addr2))); 381 ic->ic_stats.is_rx_wrongbss++; 382 goto out; 383 } 384 if ((ifp->if_flags & IFF_SIMPLEX) && 385 IEEE80211_IS_MULTICAST(wh->i_addr1) && 386 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 387 /* 388 * In IEEE802.11 network, multicast frame 389 * sent from me is broadcasted from AP. 390 * It should be silently discarded for 391 * SIMPLEX interface. 392 */ 393 ic->ic_stats.is_rx_mcastecho++; 394 goto out; 395 } 396 break; 397 #ifndef IEEE80211_STA_ONLY 398 case IEEE80211_M_IBSS: 399 case IEEE80211_M_AHDEMO: 400 if (dir != IEEE80211_FC1_DIR_NODS) { 401 ic->ic_stats.is_rx_wrongdir++; 402 goto out; 403 } 404 if (ic->ic_state != IEEE80211_S_SCAN && 405 !IEEE80211_ADDR_EQ(wh->i_addr3, 406 ic->ic_bss->ni_bssid) && 407 !IEEE80211_ADDR_EQ(wh->i_addr3, 408 etherbroadcastaddr)) { 409 /* Destination is not our BSS or broadcast. */ 410 DPRINTF(("discard data frame to DA %s\n", 411 ether_sprintf(wh->i_addr3))); 412 ic->ic_stats.is_rx_wrongbss++; 413 goto out; 414 } 415 break; 416 case IEEE80211_M_HOSTAP: 417 if (dir != IEEE80211_FC1_DIR_TODS) { 418 ic->ic_stats.is_rx_wrongdir++; 419 goto out; 420 } 421 if (ic->ic_state != IEEE80211_S_SCAN && 422 !IEEE80211_ADDR_EQ(wh->i_addr1, 423 ic->ic_bss->ni_bssid) && 424 !IEEE80211_ADDR_EQ(wh->i_addr1, 425 etherbroadcastaddr)) { 426 /* BSS is not us or broadcast. */ 427 DPRINTF(("discard data frame to BSS %s\n", 428 ether_sprintf(wh->i_addr1))); 429 ic->ic_stats.is_rx_wrongbss++; 430 goto out; 431 } 432 /* check if source STA is associated */ 433 if (ni == ic->ic_bss) { 434 DPRINTF(("data from unknown src %s\n", 435 ether_sprintf(wh->i_addr2))); 436 /* NB: caller deals with reference */ 437 ni = ieee80211_find_node(ic, wh->i_addr2); 438 if (ni == NULL) 439 ni = ieee80211_dup_bss(ic, wh->i_addr2); 440 if (ni != NULL) { 441 IEEE80211_SEND_MGMT(ic, ni, 442 IEEE80211_FC0_SUBTYPE_DEAUTH, 443 IEEE80211_REASON_NOT_AUTHED); 444 } 445 ic->ic_stats.is_rx_notassoc++; 446 goto err; 447 } 448 if (ni->ni_state != IEEE80211_STA_ASSOC) { 449 DPRINTF(("data from unassoc src %s\n", 450 ether_sprintf(wh->i_addr2))); 451 IEEE80211_SEND_MGMT(ic, ni, 452 IEEE80211_FC0_SUBTYPE_DISASSOC, 453 IEEE80211_REASON_NOT_ASSOCED); 454 ic->ic_stats.is_rx_notassoc++; 455 goto err; 456 } 457 break; 458 #endif /* IEEE80211_STA_ONLY */ 459 default: 460 /* can't get there */ 461 goto out; 462 } 463 464 if ((ic->ic_flags & IEEE80211_F_WEPON) || 465 ((ic->ic_flags & IEEE80211_F_RSNON) && 466 (ni->ni_flags & IEEE80211_NODE_RXPROT))) { 467 /* protection is on for Rx */ 468 if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 469 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 470 /* drop unencrypted */ 471 ic->ic_stats.is_rx_unencrypted++; 472 goto err; 473 } 474 /* do software decryption */ 475 m = ieee80211_decrypt(ic, m, ni); 476 if (m == NULL) { 477 ic->ic_stats.is_rx_wepfail++; 478 goto err; 479 } 480 wh = mtod(m, struct ieee80211_frame *); 481 } 482 } else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) || 483 (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 484 /* frame encrypted but protection off for Rx */ 485 ic->ic_stats.is_rx_nowep++; 486 goto out; 487 } 488 489 #if NBPFILTER > 0 490 /* copy to listener after decrypt */ 491 if (ic->ic_rawbpf) 492 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 493 #endif 494 495 if ((ni->ni_flags & IEEE80211_NODE_HT) && 496 hasqos && (qos & IEEE80211_QOS_AMSDU)) 497 ieee80211_amsdu_decap(ic, m, ni, hdrlen); 498 else 499 ieee80211_decap(ic, m, ni, hdrlen); 500 return; 501 502 case IEEE80211_FC0_TYPE_MGT: 503 if (dir != IEEE80211_FC1_DIR_NODS) { 504 ic->ic_stats.is_rx_wrongdir++; 505 goto err; 506 } 507 #ifndef IEEE80211_STA_ONLY 508 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 509 ic->ic_stats.is_rx_ahdemo_mgt++; 510 goto out; 511 } 512 #endif 513 /* drop frames without interest */ 514 if (ic->ic_state == IEEE80211_S_SCAN) { 515 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 516 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 517 ic->ic_stats.is_rx_mgtdiscard++; 518 goto out; 519 } 520 } 521 522 if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) { 523 /* MMPDU protection is on for Rx */ 524 if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC || 525 subtype == IEEE80211_FC0_SUBTYPE_DEAUTH || 526 subtype == IEEE80211_FC0_SUBTYPE_ACTION) { 527 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) && 528 !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 529 /* unicast mgmt not encrypted */ 530 goto out; 531 } 532 /* do software decryption */ 533 m = ieee80211_decrypt(ic, m, ni); 534 if (m == NULL) { 535 /* XXX stats */ 536 goto out; 537 } 538 wh = mtod(m, struct ieee80211_frame *); 539 } 540 } else if ((ic->ic_flags & IEEE80211_F_RSNON) && 541 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 542 /* encrypted but MMPDU Rx protection off for TA */ 543 goto out; 544 } 545 546 if (ifp->if_flags & IFF_DEBUG) 547 ieee80211_input_print(ic, ifp, wh, rxi); 548 #if NBPFILTER > 0 549 if (bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN) != 0) { 550 /* 551 * Drop mbuf if it was filtered by bpf. Normally, 552 * this is done in ether_input() but IEEE 802.11 553 * management frames are a special case. 554 */ 555 m_freem(m); 556 return; 557 } 558 #endif 559 (*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype); 560 m_freem(m); 561 return; 562 563 case IEEE80211_FC0_TYPE_CTL: 564 ic->ic_stats.is_rx_ctl++; 565 switch (subtype) { 566 #ifndef IEEE80211_STA_ONLY 567 case IEEE80211_FC0_SUBTYPE_PS_POLL: 568 ieee80211_recv_pspoll(ic, m, ni); 569 break; 570 #endif 571 case IEEE80211_FC0_SUBTYPE_BAR: 572 ieee80211_recv_bar(ic, m, ni); 573 break; 574 default: 575 break; 576 } 577 goto out; 578 579 default: 580 DPRINTF(("bad frame type %x\n", type)); 581 /* should not come here */ 582 break; 583 } 584 err: 585 ifp->if_ierrors++; 586 out: 587 if (m != NULL) { 588 #if NBPFILTER > 0 589 if (ic->ic_rawbpf) 590 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 591 #endif 592 m_freem(m); 593 } 594 } 595 596 /* 597 * Handle defragmentation (see 9.5 and Annex C). We support the concurrent 598 * reception of fragments of three fragmented MSDUs or MMPDUs. 599 */ 600 struct mbuf * 601 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 602 { 603 const struct ieee80211_frame *owh, *wh; 604 struct ieee80211_defrag *df; 605 u_int16_t rxseq, seq; 606 u_int8_t frag; 607 int i; 608 609 wh = mtod(m, struct ieee80211_frame *); 610 rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 611 seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 612 frag = rxseq & IEEE80211_SEQ_FRAG_MASK; 613 614 if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)) 615 return m; /* not fragmented */ 616 617 if (frag == 0) { 618 /* first fragment, setup entry in the fragment cache */ 619 if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE) 620 ic->ic_defrag_cur = 0; 621 df = &ic->ic_defrag[ic->ic_defrag_cur]; 622 m_freem(df->df_m); /* discard old entry */ 623 df->df_seq = seq; 624 df->df_frag = 0; 625 df->df_m = m; 626 /* start receive MSDU timer of aMaxReceiveLifetime */ 627 timeout_add_sec(&df->df_to, 1); 628 return NULL; /* MSDU or MMPDU not yet complete */ 629 } 630 631 /* find matching entry in the fragment cache */ 632 for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) { 633 df = &ic->ic_defrag[i]; 634 if (df->df_m == NULL) 635 continue; 636 if (df->df_seq != seq || df->df_frag + 1 != frag) 637 continue; 638 owh = mtod(df->df_m, struct ieee80211_frame *); 639 /* frame type, source and destination must match */ 640 if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) || 641 !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) || 642 !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2)) 643 continue; 644 /* matching entry found */ 645 break; 646 } 647 if (i == IEEE80211_DEFRAG_SIZE) { 648 /* no matching entry found, discard fragment */ 649 ic->ic_if.if_ierrors++; 650 m_freem(m); 651 return NULL; 652 } 653 654 df->df_frag = frag; 655 /* strip 802.11 header and concatenate fragment */ 656 m_adj(m, hdrlen); 657 m_cat(df->df_m, m); 658 df->df_m->m_pkthdr.len += m->m_pkthdr.len; 659 660 if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) 661 return NULL; /* MSDU or MMPDU not yet complete */ 662 663 /* MSDU or MMPDU complete */ 664 timeout_del(&df->df_to); 665 m = df->df_m; 666 df->df_m = NULL; 667 return m; 668 } 669 670 /* 671 * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime. 672 */ 673 void 674 ieee80211_defrag_timeout(void *arg) 675 { 676 struct ieee80211_defrag *df = arg; 677 int s = splnet(); 678 679 /* discard all received fragments */ 680 m_freem(df->df_m); 681 df->df_m = NULL; 682 683 splx(s); 684 } 685 686 /* 687 * Process a received data MPDU related to a specific HT-immediate Block Ack 688 * agreement (see 9.10.7.6). 689 */ 690 void 691 ieee80211_input_ba(struct ieee80211com *ic, struct mbuf *m, 692 struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi) 693 { 694 struct ifnet *ifp = &ic->ic_if; 695 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 696 struct ieee80211_frame *wh; 697 int idx, count; 698 u_int16_t sn; 699 700 wh = mtod(m, struct ieee80211_frame *); 701 sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 702 703 /* reset Block Ack inactivity timer */ 704 if (ba->ba_timeout_val != 0) 705 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 706 707 if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */ 708 ic->ic_stats.is_ht_rx_frame_below_ba_winstart++; 709 m_freem(m); /* discard the MPDU */ 710 return; 711 } 712 if (SEQ_LT(ba->ba_winend, sn)) { /* WinEndB < SN */ 713 ic->ic_stats.is_ht_rx_frame_above_ba_winend++; 714 count = (sn - ba->ba_winend) & 0xfff; 715 if (count > ba->ba_winsize) { 716 /* 717 * Check whether we're consistently behind the window, 718 * and let the window move forward if neccessary. 719 */ 720 if (ba->ba_winmiss < IEEE80211_BA_MAX_WINMISS) { 721 if (ba->ba_missedsn == ((sn - 1) & 0xfff)) 722 ba->ba_winmiss++; 723 else 724 ba->ba_winmiss = 0; 725 ba->ba_missedsn = sn; 726 ifp->if_ierrors++; 727 m_freem(m); /* discard the MPDU */ 728 return; 729 } 730 731 /* It appears the window has moved for real. */ 732 ic->ic_stats.is_ht_rx_ba_window_jump++; 733 ba->ba_winmiss = 0; 734 ba->ba_missedsn = 0; 735 ieee80211_ba_move_window(ic, ni, tid, sn); 736 } else { 737 ic->ic_stats.is_ht_rx_ba_window_slide++; 738 ieee80211_input_ba_seq(ic, ni, tid, 739 (ba->ba_winstart + count) & 0xfff); 740 ieee80211_input_ba_flush(ic, ni, ba); 741 } 742 } 743 /* WinStartB <= SN <= WinEndB */ 744 745 ba->ba_winmiss = 0; 746 ba->ba_missedsn = 0; 747 idx = (sn - ba->ba_winstart) & 0xfff; 748 idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ; 749 /* store the received MPDU in the buffer */ 750 if (ba->ba_buf[idx].m != NULL) { 751 ifp->if_ierrors++; 752 ic->ic_stats.is_ht_rx_ba_no_buf++; 753 m_freem(m); 754 return; 755 } 756 ba->ba_buf[idx].m = m; 757 /* store Rx meta-data too */ 758 rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE; 759 ba->ba_buf[idx].rxi = *rxi; 760 761 if (ba->ba_buf[ba->ba_head].m == NULL) 762 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT); 763 else if (timeout_pending(&ba->ba_gap_to)) 764 timeout_del(&ba->ba_gap_to); 765 766 ieee80211_input_ba_flush(ic, ni, ba); 767 } 768 769 /* 770 * Forward buffered frames with sequence number lower than max_seq. 771 * See 802.11-2012 9.21.7.6.2 b. 772 */ 773 void 774 ieee80211_input_ba_seq(struct ieee80211com *ic, struct ieee80211_node *ni, 775 uint8_t tid, uint16_t max_seq) 776 { 777 struct ifnet *ifp = &ic->ic_if; 778 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 779 struct ieee80211_frame *wh; 780 uint16_t seq; 781 int i = 0; 782 783 while (i++ < ba->ba_winsize) { 784 /* gaps may exist */ 785 if (ba->ba_buf[ba->ba_head].m != NULL) { 786 wh = mtod(ba->ba_buf[ba->ba_head].m, 787 struct ieee80211_frame *); 788 KASSERT(ieee80211_has_seq(wh)); 789 seq = letoh16(*(u_int16_t *)wh->i_seq) >> 790 IEEE80211_SEQ_SEQ_SHIFT; 791 if (!SEQ_LT(seq, max_seq)) 792 return; 793 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, 794 ni, &ba->ba_buf[ba->ba_head].rxi); 795 ba->ba_buf[ba->ba_head].m = NULL; 796 } else 797 ic->ic_stats.is_ht_rx_ba_frame_lost++; 798 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 799 } 800 } 801 802 /* Flush a consecutive sequence of frames from the reorder buffer. */ 803 void 804 ieee80211_input_ba_flush(struct ieee80211com *ic, struct ieee80211_node *ni, 805 struct ieee80211_rx_ba *ba) 806 807 { 808 struct ifnet *ifp = &ic->ic_if; 809 810 /* pass reordered MPDUs up to the next MAC process */ 811 while (ba->ba_buf[ba->ba_head].m != NULL) { 812 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 813 &ba->ba_buf[ba->ba_head].rxi); 814 ba->ba_buf[ba->ba_head].m = NULL; 815 816 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 817 /* move window forward */ 818 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 819 } 820 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 821 } 822 823 /* 824 * Forcibly move the BA window forward to remove a leading gap which has 825 * been causing frames to linger in the reordering buffer for too long. 826 * A leading gap will occur if a particular A-MPDU subframe never arrives 827 * or if a bug in the sender causes sequence numbers to jump forward by > 1. 828 */ 829 void 830 ieee80211_input_ba_gap_timeout(void *arg) 831 { 832 struct ieee80211_rx_ba *ba = arg; 833 struct ieee80211_node *ni = ba->ba_ni; 834 struct ieee80211com *ic = ni->ni_ic; 835 int s, skipped; 836 837 ic->ic_stats.is_ht_rx_ba_window_gap_timeout++; 838 839 s = splnet(); 840 841 skipped = 0; 842 while (skipped < ba->ba_winsize && ba->ba_buf[ba->ba_head].m == NULL) { 843 /* move window forward */ 844 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 845 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 846 skipped++; 847 ic->ic_stats.is_ht_rx_ba_frame_lost++; 848 } 849 if (skipped > 0) 850 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 851 852 ieee80211_input_ba_flush(ic, ni, ba); 853 854 splx(s); 855 } 856 857 858 /* 859 * Change the value of WinStartB (move window forward) upon reception of a 860 * BlockAckReq frame or an ADDBA Request (PBAC). 861 */ 862 void 863 ieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni, 864 u_int8_t tid, u_int16_t ssn) 865 { 866 struct ifnet *ifp = &ic->ic_if; 867 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 868 int count; 869 870 /* assert(WinStartB <= SSN) */ 871 872 count = (ssn - ba->ba_winstart) & 0xfff; 873 if (count > ba->ba_winsize) /* no overlap */ 874 count = ba->ba_winsize; 875 while (count-- > 0) { 876 /* gaps may exist */ 877 if (ba->ba_buf[ba->ba_head].m != NULL) { 878 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 879 &ba->ba_buf[ba->ba_head].rxi); 880 ba->ba_buf[ba->ba_head].m = NULL; 881 } else 882 ic->ic_stats.is_ht_rx_ba_frame_lost++; 883 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 884 } 885 /* move window forward */ 886 ba->ba_winstart = ssn; 887 888 ieee80211_input_ba_flush(ic, ni, ba); 889 } 890 891 void 892 ieee80211_deliver_data(struct ieee80211com *ic, struct mbuf *m, 893 struct ieee80211_node *ni, int mcast) 894 { 895 struct ifnet *ifp = &ic->ic_if; 896 struct ether_header *eh; 897 struct mbuf *m1; 898 899 eh = mtod(m, struct ether_header *); 900 901 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid && 902 eh->ether_type != htons(ETHERTYPE_PAE)) { 903 DPRINTF(("port not valid: %s\n", 904 ether_sprintf(eh->ether_dhost))); 905 ic->ic_stats.is_rx_unauth++; 906 m_freem(m); 907 return; 908 } 909 910 /* 911 * Perform as a bridge within the AP. Notice that we do not 912 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X. 913 * And we do not forward unicast frames received on a multicast address. 914 */ 915 m1 = NULL; 916 #ifndef IEEE80211_STA_ONLY 917 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 918 !(ic->ic_flags & IEEE80211_F_NOBRIDGE) && 919 eh->ether_type != htons(ETHERTYPE_PAE)) { 920 struct ieee80211_node *ni1; 921 922 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 923 m1 = m_dup_pkt(m, ETHER_ALIGN, M_DONTWAIT); 924 if (m1 == NULL) 925 ifp->if_oerrors++; 926 else 927 m1->m_flags |= M_MCAST; 928 } else if (!mcast) { 929 ni1 = ieee80211_find_node(ic, eh->ether_dhost); 930 if (ni1 != NULL && 931 ni1->ni_state == IEEE80211_STA_ASSOC) { 932 m1 = m; 933 m = NULL; 934 } 935 } 936 if (m1 != NULL) { 937 if (if_enqueue(ifp, m1)) 938 ifp->if_oerrors++; 939 } 940 } 941 #endif 942 if (m != NULL) { 943 if ((ic->ic_flags & IEEE80211_F_RSNON) && 944 eh->ether_type == htons(ETHERTYPE_PAE)) { 945 ifp->if_ipackets++; 946 #if NBPFILTER > 0 947 /* 948 * If we forward frame into transmitter of the AP, 949 * we don't need to duplicate for DLT_EN10MB. 950 */ 951 if (ifp->if_bpf && m1 == NULL) 952 bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN); 953 #endif 954 ieee80211_eapol_key_input(ic, m, ni); 955 } else { 956 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 957 ml_enqueue(&ml, m); 958 if_input(ifp, &ml); 959 } 960 } 961 } 962 963 void 964 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, 965 struct ieee80211_node *ni, int hdrlen) 966 { 967 struct ether_header eh; 968 struct ieee80211_frame *wh; 969 struct llc *llc; 970 int mcast; 971 972 if (m->m_len < hdrlen + LLC_SNAPFRAMELEN && 973 (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) { 974 ic->ic_stats.is_rx_decap++; 975 return; 976 } 977 wh = mtod(m, struct ieee80211_frame *); 978 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 979 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 980 case IEEE80211_FC1_DIR_NODS: 981 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 982 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 983 break; 984 case IEEE80211_FC1_DIR_TODS: 985 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 986 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 987 break; 988 case IEEE80211_FC1_DIR_FROMDS: 989 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 990 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr3); 991 break; 992 case IEEE80211_FC1_DIR_DSTODS: 993 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 994 IEEE80211_ADDR_COPY(eh.ether_shost, 995 ((struct ieee80211_frame_addr4 *)wh)->i_addr4); 996 break; 997 } 998 llc = (struct llc *)((caddr_t)wh + hdrlen); 999 if (llc->llc_dsap == LLC_SNAP_LSAP && 1000 llc->llc_ssap == LLC_SNAP_LSAP && 1001 llc->llc_control == LLC_UI && 1002 llc->llc_snap.org_code[0] == 0 && 1003 llc->llc_snap.org_code[1] == 0 && 1004 llc->llc_snap.org_code[2] == 0) { 1005 eh.ether_type = llc->llc_snap.ether_type; 1006 m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN); 1007 } else { 1008 eh.ether_type = htons(m->m_pkthdr.len - hdrlen); 1009 m_adj(m, hdrlen - ETHER_HDR_LEN); 1010 } 1011 memcpy(mtod(m, caddr_t), &eh, ETHER_HDR_LEN); 1012 if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) { 1013 struct mbuf *m0 = m; 1014 m = m_dup_pkt(m0, ETHER_ALIGN, M_NOWAIT); 1015 m_freem(m0); 1016 if (m == NULL) { 1017 ic->ic_stats.is_rx_decap++; 1018 return; 1019 } 1020 } 1021 ieee80211_deliver_data(ic, m, ni, mcast); 1022 } 1023 1024 /* 1025 * Decapsulate an Aggregate MSDU (see 7.2.2.2). 1026 */ 1027 void 1028 ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m, 1029 struct ieee80211_node *ni, int hdrlen) 1030 { 1031 struct mbuf *n; 1032 struct ether_header *eh; 1033 struct llc *llc; 1034 int len, pad, mcast; 1035 struct ieee80211_frame *wh; 1036 1037 wh = mtod(m, struct ieee80211_frame *); 1038 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 1039 1040 /* strip 802.11 header */ 1041 m_adj(m, hdrlen); 1042 1043 for (;;) { 1044 /* process an A-MSDU subframe */ 1045 if (m->m_len < ETHER_HDR_LEN + LLC_SNAPFRAMELEN) { 1046 m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN); 1047 if (m == NULL) { 1048 ic->ic_stats.is_rx_decap++; 1049 break; 1050 } 1051 } 1052 eh = mtod(m, struct ether_header *); 1053 /* examine 802.3 header */ 1054 len = ntohs(eh->ether_type); 1055 if (len < LLC_SNAPFRAMELEN) { 1056 DPRINTF(("A-MSDU subframe too short (%d)\n", len)); 1057 /* stop processing A-MSDU subframes */ 1058 ic->ic_stats.is_rx_decap++; 1059 m_freem(m); 1060 break; 1061 } 1062 llc = (struct llc *)&eh[1]; 1063 /* examine 802.2 LLC header */ 1064 if (llc->llc_dsap == LLC_SNAP_LSAP && 1065 llc->llc_ssap == LLC_SNAP_LSAP && 1066 llc->llc_control == LLC_UI && 1067 llc->llc_snap.org_code[0] == 0 && 1068 llc->llc_snap.org_code[1] == 0 && 1069 llc->llc_snap.org_code[2] == 0) { 1070 /* convert to Ethernet II header */ 1071 eh->ether_type = llc->llc_snap.ether_type; 1072 /* strip LLC+SNAP headers */ 1073 memmove((u_int8_t *)eh + LLC_SNAPFRAMELEN, eh, 1074 ETHER_HDR_LEN); 1075 m_adj(m, LLC_SNAPFRAMELEN); 1076 len -= LLC_SNAPFRAMELEN; 1077 } 1078 len += ETHER_HDR_LEN; 1079 if (len > m->m_pkthdr.len) { 1080 /* stop processing A-MSDU subframes */ 1081 DPRINTF(("A-MSDU subframe too long (%d)\n", len)); 1082 ic->ic_stats.is_rx_decap++; 1083 m_freem(m); 1084 break; 1085 } 1086 1087 /* "detach" our A-MSDU subframe from the others */ 1088 n = m_split(m, len, M_NOWAIT); 1089 if (n == NULL) { 1090 /* stop processing A-MSDU subframes */ 1091 ic->ic_stats.is_rx_decap++; 1092 m_freem(m); 1093 break; 1094 } 1095 ieee80211_deliver_data(ic, m, ni, mcast); 1096 1097 if (n->m_pkthdr.len == 0) { 1098 m_freem(n); 1099 break; 1100 } 1101 m = n; 1102 /* remove padding */ 1103 pad = ((len + 3) & ~3) - len; 1104 m_adj(m, pad); 1105 } 1106 } 1107 1108 /* 1109 * Parse an EDCA Parameter Set element (see 7.3.2.27). 1110 */ 1111 int 1112 ieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm) 1113 { 1114 u_int updtcount; 1115 int aci; 1116 1117 /* 1118 * Check if EDCA parameters have changed XXX if we miss more than 1119 * 15 consecutive beacons, we might not detect changes to EDCA 1120 * parameters due to wraparound of the 4-bit Update Count field. 1121 */ 1122 updtcount = frm[0] & 0xf; 1123 if (updtcount == ic->ic_edca_updtcount) 1124 return 0; /* no changes to EDCA parameters, ignore */ 1125 ic->ic_edca_updtcount = updtcount; 1126 1127 frm += 2; /* skip QoS Info & Reserved fields */ 1128 1129 /* parse AC Parameter Records */ 1130 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 1131 struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci]; 1132 1133 ac->ac_acm = (frm[0] >> 4) & 0x1; 1134 ac->ac_aifsn = frm[0] & 0xf; 1135 ac->ac_ecwmin = frm[1] & 0xf; 1136 ac->ac_ecwmax = frm[1] >> 4; 1137 ac->ac_txoplimit = LE_READ_2(frm + 2); 1138 frm += 4; 1139 } 1140 /* give drivers a chance to update their settings */ 1141 if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL) 1142 (*ic->ic_updateedca)(ic); 1143 1144 return 0; 1145 } 1146 1147 int 1148 ieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm) 1149 { 1150 if (frm[1] < 18) { 1151 ic->ic_stats.is_rx_elem_toosmall++; 1152 return IEEE80211_REASON_IE_INVALID; 1153 } 1154 return ieee80211_parse_edca_params_body(ic, frm + 2); 1155 } 1156 1157 int 1158 ieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm) 1159 { 1160 if (frm[1] < 24) { 1161 ic->ic_stats.is_rx_elem_toosmall++; 1162 return IEEE80211_REASON_IE_INVALID; 1163 } 1164 return ieee80211_parse_edca_params_body(ic, frm + 8); 1165 } 1166 1167 enum ieee80211_cipher 1168 ieee80211_parse_rsn_cipher(const u_int8_t selector[4]) 1169 { 1170 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1171 switch (selector[3]) { 1172 case 0: /* use group data cipher suite */ 1173 return IEEE80211_CIPHER_USEGROUP; 1174 case 1: /* WEP-40 */ 1175 return IEEE80211_CIPHER_WEP40; 1176 case 2: /* TKIP */ 1177 return IEEE80211_CIPHER_TKIP; 1178 case 4: /* CCMP (RSNA default) */ 1179 return IEEE80211_CIPHER_CCMP; 1180 case 5: /* WEP-104 */ 1181 return IEEE80211_CIPHER_WEP104; 1182 } 1183 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1184 /* see 802.11-2012 Table 8-99 */ 1185 switch (selector[3]) { 1186 case 0: /* use group data cipher suite */ 1187 return IEEE80211_CIPHER_USEGROUP; 1188 case 1: /* WEP-40 */ 1189 return IEEE80211_CIPHER_WEP40; 1190 case 2: /* TKIP */ 1191 return IEEE80211_CIPHER_TKIP; 1192 case 4: /* CCMP (RSNA default) */ 1193 return IEEE80211_CIPHER_CCMP; 1194 case 5: /* WEP-104 */ 1195 return IEEE80211_CIPHER_WEP104; 1196 case 6: /* BIP */ 1197 return IEEE80211_CIPHER_BIP; 1198 } 1199 } 1200 return IEEE80211_CIPHER_NONE; /* ignore unknown ciphers */ 1201 } 1202 1203 enum ieee80211_akm 1204 ieee80211_parse_rsn_akm(const u_int8_t selector[4]) 1205 { 1206 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1207 switch (selector[3]) { 1208 case 1: /* IEEE 802.1X (RSNA default) */ 1209 return IEEE80211_AKM_8021X; 1210 case 2: /* PSK */ 1211 return IEEE80211_AKM_PSK; 1212 } 1213 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1214 /* from IEEE Std 802.11i-2004 - Table 20dc */ 1215 switch (selector[3]) { 1216 case 1: /* IEEE 802.1X (RSNA default) */ 1217 return IEEE80211_AKM_8021X; 1218 case 2: /* PSK */ 1219 return IEEE80211_AKM_PSK; 1220 case 5: /* IEEE 802.1X with SHA256 KDF */ 1221 return IEEE80211_AKM_SHA256_8021X; 1222 case 6: /* PSK with SHA256 KDF */ 1223 return IEEE80211_AKM_SHA256_PSK; 1224 } 1225 } 1226 return IEEE80211_AKM_NONE; /* ignore unknown AKMs */ 1227 } 1228 1229 /* 1230 * Parse an RSN element (see 802.11-2012 8.4.2.27) 1231 */ 1232 int 1233 ieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm, 1234 u_int len, struct ieee80211_rsnparams *rsn) 1235 { 1236 const u_int8_t *efrm; 1237 u_int16_t m, n, s; 1238 1239 efrm = frm + len; 1240 1241 /* check Version field */ 1242 if (LE_READ_2(frm) != 1) 1243 return IEEE80211_STATUS_RSN_IE_VER_UNSUP; 1244 frm += 2; 1245 1246 /* all fields after the Version field are optional */ 1247 1248 /* if Cipher Suite missing, default to CCMP */ 1249 rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP; 1250 rsn->rsn_nciphers = 1; 1251 rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP; 1252 /* if Group Management Cipher Suite missing, defaut to BIP */ 1253 rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP; 1254 /* if AKM Suite missing, default to 802.1X */ 1255 rsn->rsn_nakms = 1; 1256 rsn->rsn_akms = IEEE80211_AKM_8021X; 1257 /* if RSN capabilities missing, default to 0 */ 1258 rsn->rsn_caps = 0; 1259 rsn->rsn_npmkids = 0; 1260 1261 /* read Group Data Cipher Suite field */ 1262 if (frm + 4 > efrm) 1263 return 0; 1264 rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm); 1265 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_NONE || 1266 rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP || 1267 rsn->rsn_groupcipher == IEEE80211_CIPHER_BIP) 1268 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1269 frm += 4; 1270 1271 /* read Pairwise Cipher Suite Count field */ 1272 if (frm + 2 > efrm) 1273 return 0; 1274 m = rsn->rsn_nciphers = LE_READ_2(frm); 1275 frm += 2; 1276 1277 /* read Pairwise Cipher Suite List */ 1278 if (frm + m * 4 > efrm) 1279 return IEEE80211_STATUS_IE_INVALID; 1280 rsn->rsn_ciphers = IEEE80211_CIPHER_NONE; 1281 while (m-- > 0) { 1282 rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm); 1283 frm += 4; 1284 } 1285 if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) { 1286 if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP) 1287 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1288 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP) 1289 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1290 } 1291 1292 /* read AKM Suite List Count field */ 1293 if (frm + 2 > efrm) 1294 return 0; 1295 n = rsn->rsn_nakms = LE_READ_2(frm); 1296 frm += 2; 1297 1298 /* read AKM Suite List */ 1299 if (frm + n * 4 > efrm) 1300 return IEEE80211_STATUS_IE_INVALID; 1301 rsn->rsn_akms = IEEE80211_AKM_NONE; 1302 while (n-- > 0) { 1303 rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm); 1304 frm += 4; 1305 } 1306 1307 /* read RSN Capabilities field */ 1308 if (frm + 2 > efrm) 1309 return 0; 1310 rsn->rsn_caps = LE_READ_2(frm); 1311 frm += 2; 1312 1313 /* read PMKID Count field */ 1314 if (frm + 2 > efrm) 1315 return 0; 1316 s = rsn->rsn_npmkids = LE_READ_2(frm); 1317 frm += 2; 1318 1319 /* read PMKID List */ 1320 if (frm + s * IEEE80211_PMKID_LEN > efrm) 1321 return IEEE80211_STATUS_IE_INVALID; 1322 if (s != 0) { 1323 rsn->rsn_pmkids = frm; 1324 frm += s * IEEE80211_PMKID_LEN; 1325 } 1326 1327 /* read Group Management Cipher Suite field */ 1328 if (frm + 4 > efrm) 1329 return 0; 1330 rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm); 1331 if (rsn->rsn_groupmgmtcipher != IEEE80211_CIPHER_BIP) 1332 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1333 1334 return IEEE80211_STATUS_SUCCESS; 1335 } 1336 1337 int 1338 ieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm, 1339 struct ieee80211_rsnparams *rsn) 1340 { 1341 if (frm[1] < 2) { 1342 ic->ic_stats.is_rx_elem_toosmall++; 1343 return IEEE80211_STATUS_IE_INVALID; 1344 } 1345 return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn); 1346 } 1347 1348 int 1349 ieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm, 1350 struct ieee80211_rsnparams *rsn) 1351 { 1352 if (frm[1] < 6) { 1353 ic->ic_stats.is_rx_elem_toosmall++; 1354 return IEEE80211_STATUS_IE_INVALID; 1355 } 1356 return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn); 1357 } 1358 1359 /* 1360 * Create (or update) a copy of an information element. 1361 */ 1362 int 1363 ieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie) 1364 { 1365 if (*ie == NULL || (*ie)[1] != frm[1]) { 1366 if (*ie != NULL) 1367 free(*ie, M_DEVBUF, 0); 1368 *ie = malloc(2 + frm[1], M_DEVBUF, M_NOWAIT); 1369 if (*ie == NULL) 1370 return ENOMEM; 1371 } 1372 memcpy(*ie, frm, 2 + frm[1]); 1373 return 0; 1374 } 1375 1376 /*- 1377 * Beacon/Probe response frame format: 1378 * [8] Timestamp 1379 * [2] Beacon interval 1380 * [2] Capability 1381 * [tlv] Service Set Identifier (SSID) 1382 * [tlv] Supported rates 1383 * [tlv] DS Parameter Set (802.11g) 1384 * [tlv] ERP Information (802.11g) 1385 * [tlv] Extended Supported Rates (802.11g) 1386 * [tlv] RSN (802.11i) 1387 * [tlv] EDCA Parameter Set (802.11e) 1388 * [tlv] QoS Capability (Beacon only, 802.11e) 1389 * [tlv] HT Capabilities (802.11n) 1390 * [tlv] HT Operation (802.11n) 1391 */ 1392 void 1393 ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m, 1394 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int isprobe) 1395 { 1396 const struct ieee80211_frame *wh; 1397 const u_int8_t *frm, *efrm; 1398 const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie; 1399 const u_int8_t *rsnie, *wpaie, *htcaps, *htop; 1400 u_int16_t capinfo, bintval; 1401 u_int8_t chan, bchan, erp, dtim_count, dtim_period; 1402 int is_new; 1403 1404 /* 1405 * We process beacon/probe response frames for: 1406 * o station mode: to collect state 1407 * updates such as 802.11g slot time and for passive 1408 * scanning of APs 1409 * o adhoc mode: to discover neighbors 1410 * o hostap mode: for passive scanning of neighbor APs 1411 * o when scanning 1412 * In other words, in all modes other than monitor (which 1413 * does not process incoming frames) and adhoc-demo (which 1414 * does not use management frames at all). 1415 */ 1416 #ifdef DIAGNOSTIC 1417 if (ic->ic_opmode != IEEE80211_M_STA && 1418 #ifndef IEEE80211_STA_ONLY 1419 ic->ic_opmode != IEEE80211_M_IBSS && 1420 ic->ic_opmode != IEEE80211_M_HOSTAP && 1421 #endif 1422 ic->ic_state != IEEE80211_S_SCAN) { 1423 panic("%s: impossible operating mode", __func__); 1424 } 1425 #endif 1426 /* make sure all mandatory fixed fields are present */ 1427 if (m->m_len < sizeof(*wh) + 12) { 1428 DPRINTF(("frame too short\n")); 1429 return; 1430 } 1431 wh = mtod(m, struct ieee80211_frame *); 1432 frm = (const u_int8_t *)&wh[1]; 1433 efrm = mtod(m, u_int8_t *) + m->m_len; 1434 1435 tstamp = frm; frm += 8; 1436 bintval = LE_READ_2(frm); frm += 2; 1437 capinfo = LE_READ_2(frm); frm += 2; 1438 1439 ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = NULL; 1440 htcaps = htop = NULL; 1441 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1442 chan = bchan; 1443 erp = 0; 1444 dtim_count = dtim_period = 0; 1445 while (frm + 2 <= efrm) { 1446 if (frm + 2 + frm[1] > efrm) { 1447 ic->ic_stats.is_rx_elem_toosmall++; 1448 break; 1449 } 1450 switch (frm[0]) { 1451 case IEEE80211_ELEMID_SSID: 1452 ssid = frm; 1453 break; 1454 case IEEE80211_ELEMID_RATES: 1455 rates = frm; 1456 break; 1457 case IEEE80211_ELEMID_DSPARMS: 1458 if (frm[1] < 1) { 1459 ic->ic_stats.is_rx_elem_toosmall++; 1460 break; 1461 } 1462 chan = frm[2]; 1463 break; 1464 case IEEE80211_ELEMID_XRATES: 1465 xrates = frm; 1466 break; 1467 case IEEE80211_ELEMID_ERP: 1468 if (frm[1] < 1) { 1469 ic->ic_stats.is_rx_elem_toosmall++; 1470 break; 1471 } 1472 erp = frm[2]; 1473 break; 1474 case IEEE80211_ELEMID_RSN: 1475 rsnie = frm; 1476 break; 1477 case IEEE80211_ELEMID_EDCAPARMS: 1478 edcaie = frm; 1479 break; 1480 case IEEE80211_ELEMID_HTCAPS: 1481 htcaps = frm; 1482 break; 1483 case IEEE80211_ELEMID_HTOP: 1484 htop = frm; 1485 break; 1486 case IEEE80211_ELEMID_TIM: 1487 if (frm[1] > 3) { 1488 dtim_count = frm[2]; 1489 dtim_period = frm[3]; 1490 } 1491 break; 1492 case IEEE80211_ELEMID_VENDOR: 1493 if (frm[1] < 4) { 1494 ic->ic_stats.is_rx_elem_toosmall++; 1495 break; 1496 } 1497 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1498 if (frm[5] == 1) 1499 wpaie = frm; 1500 else if (frm[1] >= 5 && 1501 frm[5] == 2 && frm[6] == 1) 1502 wmmie = frm; 1503 } 1504 break; 1505 } 1506 frm += 2 + frm[1]; 1507 } 1508 /* supported rates element is mandatory */ 1509 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1510 DPRINTF(("invalid supported rates element\n")); 1511 return; 1512 } 1513 /* SSID element is mandatory */ 1514 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1515 DPRINTF(("invalid SSID element\n")); 1516 return; 1517 } 1518 1519 if ( 1520 #if IEEE80211_CHAN_MAX < 255 1521 chan > IEEE80211_CHAN_MAX || 1522 #endif 1523 isclr(ic->ic_chan_active, chan)) { 1524 DPRINTF(("ignore %s with invalid channel %u\n", 1525 isprobe ? "probe response" : "beacon", chan)); 1526 ic->ic_stats.is_rx_badchan++; 1527 return; 1528 } 1529 if ((ic->ic_state != IEEE80211_S_SCAN || 1530 !(ic->ic_caps & IEEE80211_C_SCANALL)) && 1531 chan != bchan) { 1532 /* 1533 * Frame was received on a channel different from the 1534 * one indicated in the DS params element id; 1535 * silently discard it. 1536 * 1537 * NB: this can happen due to signal leakage. 1538 */ 1539 DPRINTF(("ignore %s on channel %u marked for channel %u\n", 1540 isprobe ? "probe response" : "beacon", bchan, chan)); 1541 ic->ic_stats.is_rx_chanmismatch++; 1542 return; 1543 } 1544 /* 1545 * Use mac, channel and rssi so we collect only the 1546 * best potential AP with the equal bssid while scanning. 1547 * Collecting all potential APs may result in bloat of 1548 * the node tree. This call will return NULL if the node 1549 * for this APs does not exist or if the new node is the 1550 * potential better one. 1551 */ 1552 if ((ni = ieee80211_find_node_for_beacon(ic, wh->i_addr2, 1553 &ic->ic_channels[chan], ssid, rxi->rxi_rssi)) != NULL) 1554 return; 1555 1556 #ifdef IEEE80211_DEBUG 1557 if (ieee80211_debug > 1 && 1558 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN)) { 1559 printf("%s: %s%s on chan %u (bss chan %u) ", 1560 __func__, (ni == NULL ? "new " : ""), 1561 isprobe ? "probe response" : "beacon", 1562 chan, bchan); 1563 ieee80211_print_essid(ssid + 2, ssid[1]); 1564 printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2)); 1565 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1566 __func__, capinfo, bintval, erp); 1567 } 1568 #endif 1569 1570 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1571 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1572 if (ni == NULL) 1573 return; 1574 is_new = 1; 1575 } else 1576 is_new = 0; 1577 1578 if (htcaps) 1579 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1580 if (htop && !ieee80211_setup_htop(ni, htop + 2, htop[1])) 1581 htop = NULL; /* invalid HTOP */ 1582 1583 ni->ni_dtimcount = dtim_count; 1584 ni->ni_dtimperiod = dtim_period; 1585 1586 /* 1587 * When operating in station mode, check for state updates 1588 * while we're associated. 1589 */ 1590 if (ic->ic_opmode == IEEE80211_M_STA && 1591 ic->ic_state == IEEE80211_S_RUN && 1592 ni->ni_state == IEEE80211_STA_BSS) { 1593 /* 1594 * Check if protection mode has changed since last beacon. 1595 */ 1596 if (ni->ni_erp != erp) { 1597 DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n", 1598 ether_sprintf((u_int8_t *)wh->i_addr2), 1599 ni->ni_erp, erp)); 1600 if (ic->ic_curmode == IEEE80211_MODE_11G && 1601 (erp & IEEE80211_ERP_USE_PROTECTION)) 1602 ic->ic_flags |= IEEE80211_F_USEPROT; 1603 else 1604 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1605 ic->ic_bss->ni_erp = erp; 1606 } 1607 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT)) { 1608 enum ieee80211_htprot htprot_last, htprot; 1609 htprot_last = 1610 ((ic->ic_bss->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) 1611 >> IEEE80211_HTOP1_PROT_SHIFT); 1612 htprot = ((ni->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) >> 1613 IEEE80211_HTOP1_PROT_SHIFT); 1614 if (htprot_last != htprot) { 1615 DPRINTF(("[%s] htprot change: was %d, now %d\n", 1616 ether_sprintf((u_int8_t *)wh->i_addr2), 1617 htprot_last, htprot)); 1618 ic->ic_stats.is_ht_prot_change++; 1619 ic->ic_bss->ni_htop1 = ni->ni_htop1; 1620 if (ic->ic_update_htprot) 1621 ic->ic_update_htprot(ic, ic->ic_bss); 1622 } 1623 } 1624 1625 /* 1626 * Check if AP short slot time setting has changed 1627 * since last beacon and give the driver a chance to 1628 * update the hardware. 1629 */ 1630 if ((ni->ni_capinfo ^ capinfo) & 1631 IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1632 ieee80211_set_shortslottime(ic, 1633 ic->ic_curmode == IEEE80211_MODE_11A || 1634 (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1635 } 1636 } 1637 /* 1638 * We do not try to update EDCA parameters if QoS was not negotiated 1639 * with the AP at association time. 1640 */ 1641 if (ni->ni_flags & IEEE80211_NODE_QOS) { 1642 /* always prefer EDCA IE over Wi-Fi Alliance WMM IE */ 1643 if ((edcaie != NULL && 1644 ieee80211_parse_edca_params(ic, edcaie) == 0) || 1645 (wmmie != NULL && 1646 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 1647 ni->ni_flags |= IEEE80211_NODE_QOS; 1648 else 1649 ni->ni_flags &= ~IEEE80211_NODE_QOS; 1650 } 1651 1652 if (ic->ic_state == IEEE80211_S_SCAN 1653 #ifndef IEEE80211_STA_ONLY 1654 && ic->ic_opmode != IEEE80211_M_HOSTAP 1655 #endif 1656 ) { 1657 struct ieee80211_rsnparams rsn; 1658 const u_int8_t *saveie = NULL; 1659 /* 1660 * If the AP advertises both RSN and WPA IEs (WPA1+WPA2), 1661 * we only store the parameters of the highest protocol 1662 * version we support. 1663 */ 1664 if (rsnie != NULL && 1665 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 1666 if (ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) { 1667 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1668 saveie = rsnie; 1669 } 1670 } else if (wpaie != NULL && 1671 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 1672 if (ieee80211_parse_wpa(ic, wpaie, &rsn) == 0) { 1673 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1674 saveie = wpaie; 1675 } 1676 } 1677 if (saveie != NULL && 1678 ieee80211_save_ie(saveie, &ni->ni_rsnie) == 0) { 1679 ni->ni_rsnakms = rsn.rsn_akms; 1680 ni->ni_rsnciphers = rsn.rsn_ciphers; 1681 ni->ni_rsngroupcipher = rsn.rsn_groupcipher; 1682 ni->ni_rsngroupmgmtcipher = rsn.rsn_groupmgmtcipher; 1683 ni->ni_rsncaps = rsn.rsn_caps; 1684 } else 1685 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1686 } 1687 1688 if (ssid[1] != 0 && ni->ni_esslen == 0) { 1689 ni->ni_esslen = ssid[1]; 1690 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1691 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1692 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1693 } 1694 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1695 ni->ni_rssi = rxi->rxi_rssi; 1696 ni->ni_rstamp = rxi->rxi_tstamp; 1697 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 1698 ni->ni_intval = bintval; 1699 ni->ni_capinfo = capinfo; 1700 /* XXX validate channel # */ 1701 ni->ni_chan = &ic->ic_channels[chan]; 1702 ni->ni_erp = erp; 1703 /* NB: must be after ni_chan is setup */ 1704 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 1705 #ifndef IEEE80211_STA_ONLY 1706 if (ic->ic_opmode == IEEE80211_M_IBSS && is_new && isprobe) { 1707 /* 1708 * Fake an association so the driver can setup it's 1709 * private state. The rate set has been setup above; 1710 * there is no handshake as in ap/station operation. 1711 */ 1712 if (ic->ic_newassoc) 1713 (*ic->ic_newassoc)(ic, ni, 1); 1714 } 1715 #endif 1716 } 1717 1718 #ifndef IEEE80211_STA_ONLY 1719 /*- 1720 * Probe request frame format: 1721 * [tlv] SSID 1722 * [tlv] Supported rates 1723 * [tlv] Extended Supported Rates (802.11g) 1724 * [tlv] HT Capabilities (802.11n) 1725 */ 1726 void 1727 ieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m, 1728 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1729 { 1730 const struct ieee80211_frame *wh; 1731 const u_int8_t *frm, *efrm; 1732 const u_int8_t *ssid, *rates, *xrates, *htcaps; 1733 u_int8_t rate; 1734 1735 if (ic->ic_opmode == IEEE80211_M_STA || 1736 ic->ic_state != IEEE80211_S_RUN) 1737 return; 1738 1739 wh = mtod(m, struct ieee80211_frame *); 1740 frm = (const u_int8_t *)&wh[1]; 1741 efrm = mtod(m, u_int8_t *) + m->m_len; 1742 1743 ssid = rates = xrates = htcaps = NULL; 1744 while (frm + 2 <= efrm) { 1745 if (frm + 2 + frm[1] > efrm) { 1746 ic->ic_stats.is_rx_elem_toosmall++; 1747 break; 1748 } 1749 switch (frm[0]) { 1750 case IEEE80211_ELEMID_SSID: 1751 ssid = frm; 1752 break; 1753 case IEEE80211_ELEMID_RATES: 1754 rates = frm; 1755 break; 1756 case IEEE80211_ELEMID_XRATES: 1757 xrates = frm; 1758 break; 1759 case IEEE80211_ELEMID_HTCAPS: 1760 htcaps = frm; 1761 break; 1762 } 1763 frm += 2 + frm[1]; 1764 } 1765 /* supported rates element is mandatory */ 1766 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1767 DPRINTF(("invalid supported rates element\n")); 1768 return; 1769 } 1770 /* SSID element is mandatory */ 1771 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1772 DPRINTF(("invalid SSID element\n")); 1773 return; 1774 } 1775 /* check that the specified SSID (if not wildcard) matches ours */ 1776 if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen || 1777 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) { 1778 DPRINTF(("SSID mismatch\n")); 1779 ic->ic_stats.is_rx_ssidmismatch++; 1780 return; 1781 } 1782 /* refuse wildcard SSID if we're hiding our SSID in beacons */ 1783 if (ssid[1] == 0 && (ic->ic_flags & IEEE80211_F_HIDENWID)) { 1784 DPRINTF(("wildcard SSID rejected")); 1785 ic->ic_stats.is_rx_ssidmismatch++; 1786 return; 1787 } 1788 1789 if (ni == ic->ic_bss) { 1790 ni = ieee80211_find_node(ic, wh->i_addr2); 1791 if (ni == NULL) 1792 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1793 if (ni == NULL) 1794 return; 1795 DPRINTF(("new probe req from %s\n", 1796 ether_sprintf((u_int8_t *)wh->i_addr2))); 1797 } 1798 ni->ni_rssi = rxi->rxi_rssi; 1799 ni->ni_rstamp = rxi->rxi_tstamp; 1800 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1801 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 1802 IEEE80211_F_DODEL); 1803 if (rate & IEEE80211_RATE_BASIC) { 1804 DPRINTF(("rate mismatch for %s\n", 1805 ether_sprintf((u_int8_t *)wh->i_addr2))); 1806 return; 1807 } 1808 if (htcaps) 1809 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1810 else 1811 ieee80211_clear_htcaps(ni); 1812 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 1813 } 1814 #endif /* IEEE80211_STA_ONLY */ 1815 1816 /*- 1817 * Authentication frame format: 1818 * [2] Authentication algorithm number 1819 * [2] Authentication transaction sequence number 1820 * [2] Status code 1821 */ 1822 void 1823 ieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m, 1824 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1825 { 1826 const struct ieee80211_frame *wh; 1827 const u_int8_t *frm; 1828 u_int16_t algo, seq, status; 1829 1830 /* make sure all mandatory fixed fields are present */ 1831 if (m->m_len < sizeof(*wh) + 6) { 1832 DPRINTF(("frame too short\n")); 1833 return; 1834 } 1835 wh = mtod(m, struct ieee80211_frame *); 1836 frm = (const u_int8_t *)&wh[1]; 1837 1838 algo = LE_READ_2(frm); frm += 2; 1839 seq = LE_READ_2(frm); frm += 2; 1840 status = LE_READ_2(frm); frm += 2; 1841 DPRINTF(("auth %d seq %d from %s\n", algo, seq, 1842 ether_sprintf((u_int8_t *)wh->i_addr2))); 1843 1844 /* only "open" auth mode is supported */ 1845 if (algo != IEEE80211_AUTH_ALG_OPEN) { 1846 DPRINTF(("unsupported auth algorithm %d from %s\n", 1847 algo, ether_sprintf((u_int8_t *)wh->i_addr2))); 1848 ic->ic_stats.is_rx_auth_unsupported++; 1849 #ifndef IEEE80211_STA_ONLY 1850 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1851 /* XXX hack to workaround calling convention */ 1852 IEEE80211_SEND_MGMT(ic, ni, 1853 IEEE80211_FC0_SUBTYPE_AUTH, 1854 IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xffff)); 1855 } 1856 #endif 1857 return; 1858 } 1859 ieee80211_auth_open(ic, wh, ni, rxi, seq, status); 1860 } 1861 1862 #ifndef IEEE80211_STA_ONLY 1863 /*- 1864 * (Re)Association request frame format: 1865 * [2] Capability information 1866 * [2] Listen interval 1867 * [6*] Current AP address (Reassociation only) 1868 * [tlv] SSID 1869 * [tlv] Supported rates 1870 * [tlv] Extended Supported Rates (802.11g) 1871 * [tlv] RSN (802.11i) 1872 * [tlv] QoS Capability (802.11e) 1873 * [tlv] HT Capabilities (802.11n) 1874 */ 1875 void 1876 ieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m, 1877 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc) 1878 { 1879 const struct ieee80211_frame *wh; 1880 const u_int8_t *frm, *efrm; 1881 const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *htcaps; 1882 u_int16_t capinfo, bintval; 1883 int resp, status = 0; 1884 struct ieee80211_rsnparams rsn; 1885 u_int8_t rate; 1886 1887 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 1888 ic->ic_state != IEEE80211_S_RUN) 1889 return; 1890 1891 /* make sure all mandatory fixed fields are present */ 1892 if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) { 1893 DPRINTF(("frame too short\n")); 1894 return; 1895 } 1896 wh = mtod(m, struct ieee80211_frame *); 1897 frm = (const u_int8_t *)&wh[1]; 1898 efrm = mtod(m, u_int8_t *) + m->m_len; 1899 1900 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 1901 DPRINTF(("ignore other bss from %s\n", 1902 ether_sprintf((u_int8_t *)wh->i_addr2))); 1903 ic->ic_stats.is_rx_assoc_bss++; 1904 return; 1905 } 1906 capinfo = LE_READ_2(frm); frm += 2; 1907 bintval = LE_READ_2(frm); frm += 2; 1908 if (reassoc) { 1909 frm += IEEE80211_ADDR_LEN; /* skip current AP address */ 1910 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1911 } else 1912 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1913 1914 ssid = rates = xrates = rsnie = wpaie = htcaps = NULL; 1915 while (frm + 2 <= efrm) { 1916 if (frm + 2 + frm[1] > efrm) { 1917 ic->ic_stats.is_rx_elem_toosmall++; 1918 break; 1919 } 1920 switch (frm[0]) { 1921 case IEEE80211_ELEMID_SSID: 1922 ssid = frm; 1923 break; 1924 case IEEE80211_ELEMID_RATES: 1925 rates = frm; 1926 break; 1927 case IEEE80211_ELEMID_XRATES: 1928 xrates = frm; 1929 break; 1930 case IEEE80211_ELEMID_RSN: 1931 rsnie = frm; 1932 break; 1933 case IEEE80211_ELEMID_QOS_CAP: 1934 break; 1935 case IEEE80211_ELEMID_HTCAPS: 1936 htcaps = frm; 1937 break; 1938 case IEEE80211_ELEMID_VENDOR: 1939 if (frm[1] < 4) { 1940 ic->ic_stats.is_rx_elem_toosmall++; 1941 break; 1942 } 1943 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1944 if (frm[5] == 1) 1945 wpaie = frm; 1946 } 1947 break; 1948 } 1949 frm += 2 + frm[1]; 1950 } 1951 /* supported rates element is mandatory */ 1952 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1953 DPRINTF(("invalid supported rates element\n")); 1954 return; 1955 } 1956 /* SSID element is mandatory */ 1957 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1958 DPRINTF(("invalid SSID element\n")); 1959 return; 1960 } 1961 /* check that the specified SSID matches ours */ 1962 if (ssid[1] != ic->ic_bss->ni_esslen || 1963 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) { 1964 DPRINTF(("SSID mismatch\n")); 1965 ic->ic_stats.is_rx_ssidmismatch++; 1966 return; 1967 } 1968 1969 if (ni->ni_state != IEEE80211_STA_AUTH && 1970 ni->ni_state != IEEE80211_STA_ASSOC) { 1971 DPRINTF(("deny %sassoc from %s, not authenticated\n", 1972 reassoc ? "re" : "", 1973 ether_sprintf((u_int8_t *)wh->i_addr2))); 1974 ni = ieee80211_find_node(ic, wh->i_addr2); 1975 if (ni == NULL) 1976 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1977 if (ni != NULL) { 1978 IEEE80211_SEND_MGMT(ic, ni, 1979 IEEE80211_FC0_SUBTYPE_DEAUTH, 1980 IEEE80211_REASON_ASSOC_NOT_AUTHED); 1981 } 1982 ic->ic_stats.is_rx_assoc_notauth++; 1983 return; 1984 } 1985 1986 if (ni->ni_state == IEEE80211_STA_ASSOC && 1987 (ni->ni_flags & IEEE80211_NODE_MFP)) { 1988 if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) { 1989 /* send a protected Disassociate frame */ 1990 IEEE80211_SEND_MGMT(ic, ni, 1991 IEEE80211_FC0_SUBTYPE_DISASSOC, 1992 IEEE80211_REASON_AUTH_EXPIRE); 1993 /* terminate the old SA */ 1994 ieee80211_node_leave(ic, ni); 1995 } else { 1996 /* reject the (Re)Association Request temporarily */ 1997 IEEE80211_SEND_MGMT(ic, ni, resp, 1998 IEEE80211_STATUS_TRY_AGAIN_LATER); 1999 /* start SA Query procedure if not already engaged */ 2000 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) 2001 ieee80211_sa_query_request(ic, ni); 2002 /* do not modify association state */ 2003 } 2004 return; 2005 } 2006 2007 if (!(capinfo & IEEE80211_CAPINFO_ESS)) { 2008 ic->ic_stats.is_rx_assoc_capmismatch++; 2009 status = IEEE80211_STATUS_CAPINFO; 2010 goto end; 2011 } 2012 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2013 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2014 IEEE80211_F_DODEL); 2015 if (rate & IEEE80211_RATE_BASIC) { 2016 ic->ic_stats.is_rx_assoc_norate++; 2017 status = IEEE80211_STATUS_BASIC_RATE; 2018 goto end; 2019 } 2020 2021 if (ic->ic_flags & IEEE80211_F_RSNON) { 2022 const u_int8_t *saveie; 2023 /* 2024 * A station should never include both a WPA and an RSN IE 2025 * in its (Re)Association Requests, but if it does, we only 2026 * consider the IE of the highest version of the protocol 2027 * that is allowed (ie RSN over WPA). 2028 */ 2029 if (rsnie != NULL && 2030 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 2031 status = ieee80211_parse_rsn(ic, rsnie, &rsn); 2032 if (status != 0) 2033 goto end; 2034 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 2035 saveie = rsnie; 2036 } else if (wpaie != NULL && 2037 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 2038 status = ieee80211_parse_wpa(ic, wpaie, &rsn); 2039 if (status != 0) 2040 goto end; 2041 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 2042 saveie = wpaie; 2043 } else { 2044 /* 2045 * In an RSN, an AP shall not associate with STAs 2046 * that fail to include the RSN IE in the 2047 * (Re)Association Request. 2048 */ 2049 status = IEEE80211_STATUS_IE_INVALID; 2050 goto end; 2051 } 2052 /* 2053 * The initiating STA's RSN IE shall include one authentication 2054 * and pairwise cipher suite among those advertised by the 2055 * targeted AP. It shall also specify the group cipher suite 2056 * specified by the targeted AP. 2057 */ 2058 if (rsn.rsn_nakms != 1 || 2059 !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) { 2060 status = IEEE80211_STATUS_BAD_AKMP; 2061 goto end; 2062 } 2063 if (rsn.rsn_nciphers != 1 || 2064 !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) { 2065 status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 2066 goto end; 2067 } 2068 if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) { 2069 status = IEEE80211_STATUS_BAD_GROUP_CIPHER; 2070 goto end; 2071 } 2072 2073 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) && 2074 !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) { 2075 status = IEEE80211_STATUS_MFP_POLICY; 2076 goto end; 2077 } 2078 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 2079 (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC | 2080 IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) { 2081 /* STA advertises an invalid setting */ 2082 status = IEEE80211_STATUS_MFP_POLICY; 2083 goto end; 2084 } 2085 /* 2086 * A STA that has associated with Management Frame Protection 2087 * enabled shall not use cipher suite pairwise selector WEP40, 2088 * WEP104, TKIP, or "Use Group cipher suite". 2089 */ 2090 if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) && 2091 (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP || 2092 rsn.rsn_groupmgmtcipher != 2093 ic->ic_bss->ni_rsngroupmgmtcipher)) { 2094 status = IEEE80211_STATUS_MFP_POLICY; 2095 goto end; 2096 } 2097 2098 /* 2099 * Disallow new associations using TKIP if countermeasures 2100 * are active. 2101 */ 2102 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 2103 (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP || 2104 rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) { 2105 status = IEEE80211_STATUS_CIPHER_REJ_POLICY; 2106 goto end; 2107 } 2108 2109 /* everything looks fine, save IE and parameters */ 2110 if (ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) { 2111 status = IEEE80211_STATUS_TOOMANY; 2112 goto end; 2113 } 2114 ni->ni_rsnakms = rsn.rsn_akms; 2115 ni->ni_rsnciphers = rsn.rsn_ciphers; 2116 ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher; 2117 ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher; 2118 ni->ni_rsncaps = rsn.rsn_caps; 2119 2120 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 2121 struct ieee80211_pmk *pmk = NULL; 2122 const u_int8_t *pmkid = rsn.rsn_pmkids; 2123 /* 2124 * Check if we have a cached PMK entry matching one 2125 * of the PMKIDs specified in the RSN IE. 2126 */ 2127 while (rsn.rsn_npmkids-- > 0) { 2128 pmk = ieee80211_pmksa_find(ic, ni, pmkid); 2129 if (pmk != NULL) 2130 break; 2131 pmkid += IEEE80211_PMKID_LEN; 2132 } 2133 if (pmk != NULL) { 2134 memcpy(ni->ni_pmk, pmk->pmk_key, 2135 IEEE80211_PMK_LEN); 2136 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 2137 IEEE80211_PMKID_LEN); 2138 ni->ni_flags |= IEEE80211_NODE_PMK; 2139 } 2140 } 2141 } else 2142 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2143 2144 ni->ni_rssi = rxi->rxi_rssi; 2145 ni->ni_rstamp = rxi->rxi_tstamp; 2146 ni->ni_intval = bintval; 2147 ni->ni_capinfo = capinfo; 2148 ni->ni_chan = ic->ic_bss->ni_chan; 2149 if (htcaps) 2150 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2151 else 2152 ieee80211_clear_htcaps(ni); 2153 end: 2154 if (status != 0) { 2155 IEEE80211_SEND_MGMT(ic, ni, resp, status); 2156 ieee80211_node_leave(ic, ni); 2157 } else 2158 ieee80211_node_join(ic, ni, resp); 2159 } 2160 #endif /* IEEE80211_STA_ONLY */ 2161 2162 /*- 2163 * (Re)Association response frame format: 2164 * [2] Capability information 2165 * [2] Status code 2166 * [2] Association ID (AID) 2167 * [tlv] Supported rates 2168 * [tlv] Extended Supported Rates (802.11g) 2169 * [tlv] EDCA Parameter Set (802.11e) 2170 * [tlv] HT Capabilities (802.11n) 2171 * [tlv] HT Operation (802.11n) 2172 */ 2173 void 2174 ieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m, 2175 struct ieee80211_node *ni, int reassoc) 2176 { 2177 struct ifnet *ifp = &ic->ic_if; 2178 const struct ieee80211_frame *wh; 2179 const u_int8_t *frm, *efrm; 2180 const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop; 2181 u_int16_t capinfo, status, associd; 2182 u_int8_t rate; 2183 2184 if (ic->ic_opmode != IEEE80211_M_STA || 2185 ic->ic_state != IEEE80211_S_ASSOC) { 2186 ic->ic_stats.is_rx_mgtdiscard++; 2187 return; 2188 } 2189 2190 /* make sure all mandatory fixed fields are present */ 2191 if (m->m_len < sizeof(*wh) + 6) { 2192 DPRINTF(("frame too short\n")); 2193 return; 2194 } 2195 wh = mtod(m, struct ieee80211_frame *); 2196 frm = (const u_int8_t *)&wh[1]; 2197 efrm = mtod(m, u_int8_t *) + m->m_len; 2198 2199 capinfo = LE_READ_2(frm); frm += 2; 2200 status = LE_READ_2(frm); frm += 2; 2201 if (status != IEEE80211_STATUS_SUCCESS) { 2202 if (ifp->if_flags & IFF_DEBUG) 2203 printf("%s: %sassociation failed (status %d)" 2204 " for %s\n", ifp->if_xname, 2205 reassoc ? "re" : "", 2206 status, ether_sprintf((u_int8_t *)wh->i_addr3)); 2207 if (ni != ic->ic_bss) 2208 ni->ni_fails++; 2209 ic->ic_stats.is_rx_auth_fail++; 2210 return; 2211 } 2212 associd = LE_READ_2(frm); frm += 2; 2213 2214 rates = xrates = edcaie = wmmie = htcaps = htop = NULL; 2215 while (frm + 2 <= efrm) { 2216 if (frm + 2 + frm[1] > efrm) { 2217 ic->ic_stats.is_rx_elem_toosmall++; 2218 break; 2219 } 2220 switch (frm[0]) { 2221 case IEEE80211_ELEMID_RATES: 2222 rates = frm; 2223 break; 2224 case IEEE80211_ELEMID_XRATES: 2225 xrates = frm; 2226 break; 2227 case IEEE80211_ELEMID_EDCAPARMS: 2228 edcaie = frm; 2229 break; 2230 case IEEE80211_ELEMID_HTCAPS: 2231 htcaps = frm; 2232 break; 2233 case IEEE80211_ELEMID_HTOP: 2234 htop = frm; 2235 break; 2236 case IEEE80211_ELEMID_VENDOR: 2237 if (frm[1] < 4) { 2238 ic->ic_stats.is_rx_elem_toosmall++; 2239 break; 2240 } 2241 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2242 if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1) 2243 wmmie = frm; 2244 } 2245 break; 2246 } 2247 frm += 2 + frm[1]; 2248 } 2249 /* supported rates element is mandatory */ 2250 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2251 DPRINTF(("invalid supported rates element\n")); 2252 return; 2253 } 2254 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2255 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2256 IEEE80211_F_DODEL); 2257 if (rate & IEEE80211_RATE_BASIC) { 2258 DPRINTF(("rate mismatch for %s\n", 2259 ether_sprintf((u_int8_t *)wh->i_addr2))); 2260 ic->ic_stats.is_rx_assoc_norate++; 2261 return; 2262 } 2263 ni->ni_capinfo = capinfo; 2264 ni->ni_associd = associd; 2265 if (edcaie != NULL || wmmie != NULL) { 2266 /* force update of EDCA parameters */ 2267 ic->ic_edca_updtcount = -1; 2268 2269 if ((edcaie != NULL && 2270 ieee80211_parse_edca_params(ic, edcaie) == 0) || 2271 (wmmie != NULL && 2272 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 2273 ni->ni_flags |= IEEE80211_NODE_QOS; 2274 else /* for Reassociation */ 2275 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2276 } 2277 if (htcaps) 2278 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2279 if (htop) 2280 ieee80211_setup_htop(ni, htop + 2, htop[1]); 2281 ieee80211_ht_negotiate(ic, ni); 2282 2283 /* Hop into 11n mode after associating to an HT AP in a non-11n mode. */ 2284 if (ni->ni_flags & IEEE80211_NODE_HT) 2285 ieee80211_setmode(ic, IEEE80211_MODE_11N); 2286 else 2287 ieee80211_setmode(ic, ieee80211_chan2mode(ic, ni->ni_chan)); 2288 /* 2289 * Reset the erp state (mostly the slot time) now that 2290 * our operating mode has been nailed down. 2291 */ 2292 ieee80211_reset_erp(ic); 2293 2294 /* 2295 * Configure state now that we are associated. 2296 */ 2297 if (ic->ic_curmode == IEEE80211_MODE_11A || 2298 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 2299 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2300 else 2301 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2302 2303 ieee80211_set_shortslottime(ic, 2304 ic->ic_curmode == IEEE80211_MODE_11A || 2305 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2306 /* 2307 * Honor ERP protection. 2308 */ 2309 if ((ic->ic_curmode == IEEE80211_MODE_11G || 2310 (ic->ic_curmode == IEEE80211_MODE_11N && 2311 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 2312 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2313 ic->ic_flags |= IEEE80211_F_USEPROT; 2314 else 2315 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2316 /* 2317 * If not an RSNA, mark the port as valid, otherwise wait for 2318 * 802.1X authentication and 4-way handshake to complete.. 2319 */ 2320 if (ic->ic_flags & IEEE80211_F_RSNON) { 2321 /* XXX ic->ic_mgt_timer = 5; */ 2322 ni->ni_rsn_supp_state = RSNA_SUPP_PTKSTART; 2323 } else if (ic->ic_flags & IEEE80211_F_WEPON) 2324 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 2325 2326 ieee80211_new_state(ic, IEEE80211_S_RUN, 2327 IEEE80211_FC0_SUBTYPE_ASSOC_RESP); 2328 } 2329 2330 /*- 2331 * Deauthentication frame format: 2332 * [2] Reason code 2333 */ 2334 void 2335 ieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m, 2336 struct ieee80211_node *ni) 2337 { 2338 const struct ieee80211_frame *wh; 2339 const u_int8_t *frm; 2340 u_int16_t reason; 2341 2342 /* make sure all mandatory fixed fields are present */ 2343 if (m->m_len < sizeof(*wh) + 2) { 2344 DPRINTF(("frame too short\n")); 2345 return; 2346 } 2347 wh = mtod(m, struct ieee80211_frame *); 2348 frm = (const u_int8_t *)&wh[1]; 2349 2350 reason = LE_READ_2(frm); 2351 2352 ic->ic_stats.is_rx_deauth++; 2353 switch (ic->ic_opmode) { 2354 case IEEE80211_M_STA: 2355 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2356 IEEE80211_FC0_SUBTYPE_DEAUTH); 2357 break; 2358 #ifndef IEEE80211_STA_ONLY 2359 case IEEE80211_M_HOSTAP: 2360 if (ni != ic->ic_bss) { 2361 if (ic->ic_if.if_flags & IFF_DEBUG) 2362 printf("%s: station %s deauthenticated " 2363 "by peer (reason %d)\n", 2364 ic->ic_if.if_xname, 2365 ether_sprintf(ni->ni_macaddr), 2366 reason); 2367 ieee80211_node_leave(ic, ni); 2368 } 2369 break; 2370 #endif 2371 default: 2372 break; 2373 } 2374 } 2375 2376 /*- 2377 * Disassociation frame format: 2378 * [2] Reason code 2379 */ 2380 void 2381 ieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m, 2382 struct ieee80211_node *ni) 2383 { 2384 const struct ieee80211_frame *wh; 2385 const u_int8_t *frm; 2386 u_int16_t reason; 2387 2388 /* make sure all mandatory fixed fields are present */ 2389 if (m->m_len < sizeof(*wh) + 2) { 2390 DPRINTF(("frame too short\n")); 2391 return; 2392 } 2393 wh = mtod(m, struct ieee80211_frame *); 2394 frm = (const u_int8_t *)&wh[1]; 2395 2396 reason = LE_READ_2(frm); 2397 2398 ic->ic_stats.is_rx_disassoc++; 2399 switch (ic->ic_opmode) { 2400 case IEEE80211_M_STA: 2401 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2402 IEEE80211_FC0_SUBTYPE_DISASSOC); 2403 break; 2404 #ifndef IEEE80211_STA_ONLY 2405 case IEEE80211_M_HOSTAP: 2406 if (ni != ic->ic_bss) { 2407 if (ic->ic_if.if_flags & IFF_DEBUG) 2408 printf("%s: station %s disassociated " 2409 "by peer (reason %d)\n", 2410 ic->ic_if.if_xname, 2411 ether_sprintf(ni->ni_macaddr), 2412 reason); 2413 ieee80211_node_leave(ic, ni); 2414 } 2415 break; 2416 #endif 2417 default: 2418 break; 2419 } 2420 } 2421 2422 /*- 2423 * ADDBA Request frame format: 2424 * [1] Category 2425 * [1] Action 2426 * [1] Dialog Token 2427 * [2] Block Ack Parameter Set 2428 * [2] Block Ack Timeout Value 2429 * [2] Block Ack Starting Sequence Control 2430 */ 2431 void 2432 ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m, 2433 struct ieee80211_node *ni) 2434 { 2435 const struct ieee80211_frame *wh; 2436 const u_int8_t *frm; 2437 struct ieee80211_rx_ba *ba; 2438 u_int16_t params, ssn, bufsz, timeout; 2439 u_int8_t token, tid; 2440 int err = 0; 2441 2442 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2443 DPRINTF(("received ADDBA req from non-HT STA %s\n", 2444 ether_sprintf(ni->ni_macaddr))); 2445 return; 2446 } 2447 if (m->m_len < sizeof(*wh) + 9) { 2448 DPRINTF(("frame too short\n")); 2449 return; 2450 } 2451 /* MLME-ADDBA.indication */ 2452 wh = mtod(m, struct ieee80211_frame *); 2453 frm = (const u_int8_t *)&wh[1]; 2454 2455 token = frm[2]; 2456 params = LE_READ_2(&frm[3]); 2457 tid = ((params & IEEE80211_ADDBA_TID_MASK) >> 2458 IEEE80211_ADDBA_TID_SHIFT); 2459 bufsz = (params & IEEE80211_ADDBA_BUFSZ_MASK) >> 2460 IEEE80211_ADDBA_BUFSZ_SHIFT; 2461 timeout = LE_READ_2(&frm[5]); 2462 ssn = LE_READ_2(&frm[7]) >> 4; 2463 2464 ba = &ni->ni_rx_ba[tid]; 2465 /* check if we already have a Block Ack agreement for this RA/TID */ 2466 if (ba->ba_state == IEEE80211_BA_AGREED) { 2467 /* XXX should we update the timeout value? */ 2468 /* reset Block Ack inactivity timer */ 2469 if (ba->ba_timeout_val != 0) 2470 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2471 2472 /* check if it's a Protected Block Ack agreement */ 2473 if (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2474 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) 2475 return; /* not a PBAC, ignore */ 2476 2477 /* PBAC: treat the ADDBA Request like a BlockAckReq */ 2478 if (SEQ_LT(ba->ba_winstart, ssn)) 2479 ieee80211_ba_move_window(ic, ni, tid, ssn); 2480 return; 2481 } 2482 2483 /* if PBAC required but RA does not support it, refuse request */ 2484 if ((ic->ic_flags & IEEE80211_F_PBAR) && 2485 (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2486 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))) 2487 goto refuse; 2488 /* 2489 * If the TID for which the Block Ack agreement is requested is 2490 * configured with a no-ACK policy, refuse the agreement. 2491 */ 2492 if (ic->ic_tid_noack & (1 << tid)) 2493 goto refuse; 2494 2495 /* check that we support the requested Block Ack Policy */ 2496 if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) && 2497 !(params & IEEE80211_ADDBA_BA_POLICY)) 2498 goto refuse; 2499 2500 /* setup Block Ack agreement */ 2501 ba->ba_state = IEEE80211_BA_INIT; 2502 ba->ba_timeout_val = timeout * IEEE80211_DUR_TU; 2503 ba->ba_ni = ni; 2504 ba->ba_token = token; 2505 timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba); 2506 timeout_set(&ba->ba_gap_to, ieee80211_input_ba_gap_timeout, ba); 2507 ba->ba_winsize = bufsz; 2508 if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ) 2509 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 2510 ba->ba_params = (params & IEEE80211_ADDBA_BA_POLICY); 2511 ba->ba_params |= ((ba->ba_winsize << IEEE80211_ADDBA_BUFSZ_SHIFT) | 2512 (tid << IEEE80211_ADDBA_TID_SHIFT) | IEEE80211_ADDBA_AMSDU); 2513 ba->ba_winstart = ssn; 2514 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 2515 /* allocate and setup our reordering buffer */ 2516 ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf), 2517 M_DEVBUF, M_NOWAIT | M_ZERO); 2518 if (ba->ba_buf == NULL) 2519 goto refuse; 2520 2521 ba->ba_head = 0; 2522 2523 /* notify drivers of this new Block Ack agreement */ 2524 if (ic->ic_ampdu_rx_start != NULL) 2525 err = ic->ic_ampdu_rx_start(ic, ni, tid); 2526 if (err == EBUSY) { 2527 /* driver will accept or refuse agreement when done */ 2528 return; 2529 } else if (err) { 2530 /* driver failed to setup, rollback */ 2531 ieee80211_addba_req_refuse(ic, ni, tid); 2532 } else 2533 ieee80211_addba_req_accept(ic, ni, tid); 2534 return; 2535 2536 refuse: 2537 /* MLME-ADDBA.response */ 2538 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2539 IEEE80211_ACTION_ADDBA_RESP, 2540 IEEE80211_STATUS_REFUSED << 16 | token << 8 | tid); 2541 } 2542 2543 void 2544 ieee80211_addba_req_accept(struct ieee80211com *ic, struct ieee80211_node *ni, 2545 uint8_t tid) 2546 { 2547 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2548 2549 ba->ba_state = IEEE80211_BA_AGREED; 2550 ic->ic_stats.is_ht_rx_ba_agreements++; 2551 /* start Block Ack inactivity timer */ 2552 if (ba->ba_timeout_val != 0) 2553 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2554 2555 /* MLME-ADDBA.response */ 2556 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2557 IEEE80211_ACTION_ADDBA_RESP, 2558 IEEE80211_STATUS_SUCCESS << 16 | ba->ba_token << 8 | tid); 2559 } 2560 2561 void 2562 ieee80211_addba_req_refuse(struct ieee80211com *ic, struct ieee80211_node *ni, 2563 uint8_t tid) 2564 { 2565 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2566 2567 free(ba->ba_buf, M_DEVBUF, 0); 2568 ba->ba_buf = NULL; 2569 2570 /* MLME-ADDBA.response */ 2571 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2572 IEEE80211_ACTION_ADDBA_RESP, 2573 IEEE80211_STATUS_REFUSED << 16 | ba->ba_token << 8 | tid); 2574 } 2575 2576 /*- 2577 * ADDBA Response frame format: 2578 * [1] Category 2579 * [1] Action 2580 * [1] Dialog Token 2581 * [2] Status Code 2582 * [2] Block Ack Parameter Set 2583 * [2] Block Ack Timeout Value 2584 */ 2585 void 2586 ieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m, 2587 struct ieee80211_node *ni) 2588 { 2589 const struct ieee80211_frame *wh; 2590 const u_int8_t *frm; 2591 struct ieee80211_tx_ba *ba; 2592 u_int16_t status, params, bufsz, timeout; 2593 u_int8_t token, tid; 2594 2595 if (m->m_len < sizeof(*wh) + 9) { 2596 DPRINTF(("frame too short\n")); 2597 return; 2598 } 2599 wh = mtod(m, struct ieee80211_frame *); 2600 frm = (const u_int8_t *)&wh[1]; 2601 2602 token = frm[2]; 2603 status = LE_READ_2(&frm[3]); 2604 params = LE_READ_2(&frm[5]); 2605 tid = (params >> 2) & 0xf; 2606 bufsz = (params >> 6) & 0x3ff; 2607 timeout = LE_READ_2(&frm[7]); 2608 2609 DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n", 2610 ether_sprintf(ni->ni_macaddr), tid, status)); 2611 2612 /* 2613 * Ignore if no ADDBA request has been sent for this RA/TID or 2614 * if we already have a Block Ack agreement. 2615 */ 2616 ba = &ni->ni_tx_ba[tid]; 2617 if (ba->ba_state != IEEE80211_BA_REQUESTED) { 2618 DPRINTF(("no matching ADDBA req found\n")); 2619 return; 2620 } 2621 if (token != ba->ba_token) { 2622 DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n", 2623 ether_sprintf(ni->ni_macaddr), token, ba->ba_token)); 2624 return; 2625 } 2626 /* we got an ADDBA Response matching our request, stop timeout */ 2627 timeout_del(&ba->ba_to); 2628 2629 if (status != IEEE80211_STATUS_SUCCESS) { 2630 /* MLME-ADDBA.confirm(Failure) */ 2631 ba->ba_state = IEEE80211_BA_INIT; 2632 return; 2633 } 2634 /* MLME-ADDBA.confirm(Success) */ 2635 ba->ba_state = IEEE80211_BA_AGREED; 2636 ic->ic_stats.is_ht_tx_ba_agreements++; 2637 2638 /* notify drivers of this new Block Ack agreement */ 2639 if (ic->ic_ampdu_tx_start != NULL) 2640 (void)ic->ic_ampdu_tx_start(ic, ni, tid); 2641 2642 /* start Block Ack inactivity timeout */ 2643 if (ba->ba_timeout_val != 0) 2644 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2645 } 2646 2647 /*- 2648 * DELBA frame format: 2649 * [1] Category 2650 * [1] Action 2651 * [2] DELBA Parameter Set 2652 * [2] Reason Code 2653 */ 2654 void 2655 ieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m, 2656 struct ieee80211_node *ni) 2657 { 2658 const struct ieee80211_frame *wh; 2659 const u_int8_t *frm; 2660 u_int16_t params, reason; 2661 u_int8_t tid; 2662 int i; 2663 2664 if (m->m_len < sizeof(*wh) + 6) { 2665 DPRINTF(("frame too short\n")); 2666 return; 2667 } 2668 wh = mtod(m, struct ieee80211_frame *); 2669 frm = (const u_int8_t *)&wh[1]; 2670 2671 params = LE_READ_2(&frm[2]); 2672 reason = LE_READ_2(&frm[4]); 2673 tid = params >> 12; 2674 2675 DPRINTF(("received DELBA from %s, TID %d, reason %d\n", 2676 ether_sprintf(ni->ni_macaddr), tid, reason)); 2677 2678 if (params & IEEE80211_DELBA_INITIATOR) { 2679 /* MLME-DELBA.indication(Originator) */ 2680 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2681 2682 if (ba->ba_state != IEEE80211_BA_AGREED) { 2683 DPRINTF(("no matching Block Ack agreement\n")); 2684 return; 2685 } 2686 /* notify drivers of the end of the Block Ack agreement */ 2687 if (ic->ic_ampdu_rx_stop != NULL) 2688 ic->ic_ampdu_rx_stop(ic, ni, tid); 2689 2690 ba->ba_state = IEEE80211_BA_INIT; 2691 /* stop Block Ack inactivity timer */ 2692 timeout_del(&ba->ba_to); 2693 timeout_del(&ba->ba_gap_to); 2694 2695 if (ba->ba_buf != NULL) { 2696 /* free all MSDUs stored in reordering buffer */ 2697 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 2698 m_freem(ba->ba_buf[i].m); 2699 /* free reordering buffer */ 2700 free(ba->ba_buf, M_DEVBUF, 0); 2701 ba->ba_buf = NULL; 2702 } 2703 } else { 2704 /* MLME-DELBA.indication(Recipient) */ 2705 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 2706 2707 if (ba->ba_state != IEEE80211_BA_AGREED) { 2708 DPRINTF(("no matching Block Ack agreement\n")); 2709 return; 2710 } 2711 /* notify drivers of the end of the Block Ack agreement */ 2712 if (ic->ic_ampdu_tx_stop != NULL) 2713 ic->ic_ampdu_tx_stop(ic, ni, tid); 2714 2715 ba->ba_state = IEEE80211_BA_INIT; 2716 /* stop Block Ack inactivity timer */ 2717 timeout_del(&ba->ba_to); 2718 } 2719 } 2720 2721 /*- 2722 * SA Query Request frame format: 2723 * [1] Category 2724 * [1] Action 2725 * [2] Transaction Identifier 2726 */ 2727 void 2728 ieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m, 2729 struct ieee80211_node *ni) 2730 { 2731 const struct ieee80211_frame *wh; 2732 const u_int8_t *frm; 2733 2734 if (ic->ic_opmode != IEEE80211_M_STA || 2735 !(ni->ni_flags & IEEE80211_NODE_MFP)) { 2736 DPRINTF(("unexpected SA Query req from %s\n", 2737 ether_sprintf(ni->ni_macaddr))); 2738 return; 2739 } 2740 if (m->m_len < sizeof(*wh) + 4) { 2741 DPRINTF(("frame too short\n")); 2742 return; 2743 } 2744 wh = mtod(m, struct ieee80211_frame *); 2745 frm = (const u_int8_t *)&wh[1]; 2746 2747 /* MLME-SAQuery.indication */ 2748 2749 /* save Transaction Identifier for SA Query Response */ 2750 ni->ni_sa_query_trid = LE_READ_2(&frm[2]); 2751 2752 /* MLME-SAQuery.response */ 2753 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 2754 IEEE80211_ACTION_SA_QUERY_RESP, 0); 2755 } 2756 2757 #ifndef IEEE80211_STA_ONLY 2758 /*- 2759 * SA Query Response frame format: 2760 * [1] Category 2761 * [1] Action 2762 * [2] Transaction Identifier 2763 */ 2764 void 2765 ieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m, 2766 struct ieee80211_node *ni) 2767 { 2768 const struct ieee80211_frame *wh; 2769 const u_int8_t *frm; 2770 2771 /* ignore if we're not engaged in an SA Query with that STA */ 2772 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 2773 DPRINTF(("unexpected SA Query resp from %s\n", 2774 ether_sprintf(ni->ni_macaddr))); 2775 return; 2776 } 2777 if (m->m_len < sizeof(*wh) + 4) { 2778 DPRINTF(("frame too short\n")); 2779 return; 2780 } 2781 wh = mtod(m, struct ieee80211_frame *); 2782 frm = (const u_int8_t *)&wh[1]; 2783 2784 /* check that Transaction Identifier matches */ 2785 if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) { 2786 DPRINTF(("transaction identifier does not match\n")); 2787 return; 2788 } 2789 /* MLME-SAQuery.confirm */ 2790 timeout_del(&ni->ni_sa_query_to); 2791 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 2792 } 2793 #endif 2794 2795 /*- 2796 * Action frame format: 2797 * [1] Category 2798 * [1] Action 2799 */ 2800 void 2801 ieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m, 2802 struct ieee80211_node *ni) 2803 { 2804 const struct ieee80211_frame *wh; 2805 const u_int8_t *frm; 2806 2807 if (m->m_len < sizeof(*wh) + 2) { 2808 DPRINTF(("frame too short\n")); 2809 return; 2810 } 2811 wh = mtod(m, struct ieee80211_frame *); 2812 frm = (const u_int8_t *)&wh[1]; 2813 2814 switch (frm[0]) { 2815 case IEEE80211_CATEG_BA: 2816 switch (frm[1]) { 2817 case IEEE80211_ACTION_ADDBA_REQ: 2818 ieee80211_recv_addba_req(ic, m, ni); 2819 break; 2820 case IEEE80211_ACTION_ADDBA_RESP: 2821 ieee80211_recv_addba_resp(ic, m, ni); 2822 break; 2823 case IEEE80211_ACTION_DELBA: 2824 ieee80211_recv_delba(ic, m, ni); 2825 break; 2826 } 2827 break; 2828 case IEEE80211_CATEG_SA_QUERY: 2829 switch (frm[1]) { 2830 case IEEE80211_ACTION_SA_QUERY_REQ: 2831 ieee80211_recv_sa_query_req(ic, m, ni); 2832 break; 2833 #ifndef IEEE80211_STA_ONLY 2834 case IEEE80211_ACTION_SA_QUERY_RESP: 2835 ieee80211_recv_sa_query_resp(ic, m, ni); 2836 break; 2837 #endif 2838 } 2839 break; 2840 default: 2841 DPRINTF(("action frame category %d not handled\n", frm[0])); 2842 break; 2843 } 2844 } 2845 2846 void 2847 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m, 2848 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype) 2849 { 2850 switch (subtype) { 2851 case IEEE80211_FC0_SUBTYPE_BEACON: 2852 ieee80211_recv_probe_resp(ic, m, ni, rxi, 0); 2853 break; 2854 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 2855 ieee80211_recv_probe_resp(ic, m, ni, rxi, 1); 2856 break; 2857 #ifndef IEEE80211_STA_ONLY 2858 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2859 ieee80211_recv_probe_req(ic, m, ni, rxi); 2860 break; 2861 #endif 2862 case IEEE80211_FC0_SUBTYPE_AUTH: 2863 ieee80211_recv_auth(ic, m, ni, rxi); 2864 break; 2865 #ifndef IEEE80211_STA_ONLY 2866 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2867 ieee80211_recv_assoc_req(ic, m, ni, rxi, 0); 2868 break; 2869 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 2870 ieee80211_recv_assoc_req(ic, m, ni, rxi, 1); 2871 break; 2872 #endif 2873 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2874 ieee80211_recv_assoc_resp(ic, m, ni, 0); 2875 break; 2876 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2877 ieee80211_recv_assoc_resp(ic, m, ni, 1); 2878 break; 2879 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2880 ieee80211_recv_deauth(ic, m, ni); 2881 break; 2882 case IEEE80211_FC0_SUBTYPE_DISASSOC: 2883 ieee80211_recv_disassoc(ic, m, ni); 2884 break; 2885 case IEEE80211_FC0_SUBTYPE_ACTION: 2886 ieee80211_recv_action(ic, m, ni); 2887 break; 2888 default: 2889 DPRINTF(("mgmt frame with subtype 0x%x not handled\n", 2890 subtype)); 2891 ic->ic_stats.is_rx_badsubtype++; 2892 break; 2893 } 2894 } 2895 2896 #ifndef IEEE80211_STA_ONLY 2897 /* 2898 * Process an incoming PS-Poll control frame (see 11.2). 2899 */ 2900 void 2901 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m, 2902 struct ieee80211_node *ni) 2903 { 2904 struct ifnet *ifp = &ic->ic_if; 2905 struct ieee80211_frame_pspoll *psp; 2906 struct ieee80211_frame *wh; 2907 u_int16_t aid; 2908 2909 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2910 !(ic->ic_caps & IEEE80211_C_APPMGT) || 2911 ni->ni_state != IEEE80211_STA_ASSOC) 2912 return; 2913 2914 if (m->m_len < sizeof(*psp)) { 2915 DPRINTF(("frame too short, len %u\n", m->m_len)); 2916 ic->ic_stats.is_rx_tooshort++; 2917 return; 2918 } 2919 psp = mtod(m, struct ieee80211_frame_pspoll *); 2920 if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) { 2921 DPRINTF(("discard pspoll frame to BSS %s\n", 2922 ether_sprintf(psp->i_bssid))); 2923 ic->ic_stats.is_rx_wrongbss++; 2924 return; 2925 } 2926 aid = letoh16(*(u_int16_t *)psp->i_aid); 2927 if (aid != ni->ni_associd) { 2928 DPRINTF(("invalid pspoll aid %x from %s\n", aid, 2929 ether_sprintf(psp->i_ta))); 2930 return; 2931 } 2932 2933 /* take the first queued frame and put it out.. */ 2934 m = mq_dequeue(&ni->ni_savedq); 2935 if (m == NULL) 2936 return; 2937 if (mq_empty(&ni->ni_savedq)) { 2938 /* last queued frame, turn off the TIM bit */ 2939 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 2940 } else { 2941 /* more queued frames, set the more data bit */ 2942 wh = mtod(m, struct ieee80211_frame *); 2943 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 2944 } 2945 mq_enqueue(&ic->ic_pwrsaveq, m); 2946 if_start(ifp); 2947 } 2948 #endif /* IEEE80211_STA_ONLY */ 2949 2950 /* 2951 * Process an incoming BlockAckReq control frame (see 7.2.1.7). 2952 */ 2953 void 2954 ieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m, 2955 struct ieee80211_node *ni) 2956 { 2957 const struct ieee80211_frame_min *wh; 2958 const u_int8_t *frm; 2959 u_int16_t ctl, ssn; 2960 u_int8_t tid, ntids; 2961 2962 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2963 DPRINTF(("received BlockAckReq from non-HT STA %s\n", 2964 ether_sprintf(ni->ni_macaddr))); 2965 return; 2966 } 2967 if (m->m_len < sizeof(*wh) + 4) { 2968 DPRINTF(("frame too short\n")); 2969 return; 2970 } 2971 wh = mtod(m, struct ieee80211_frame_min *); 2972 frm = (const u_int8_t *)&wh[1]; 2973 2974 /* read BlockAckReq Control field */ 2975 ctl = LE_READ_2(&frm[0]); 2976 tid = ctl >> 12; 2977 2978 /* determine BlockAckReq frame variant */ 2979 if (ctl & IEEE80211_BA_MULTI_TID) { 2980 /* Multi-TID BlockAckReq variant (PSMP only) */ 2981 ntids = tid + 1; 2982 2983 if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) { 2984 DPRINTF(("MTBAR frame too short\n")); 2985 return; 2986 } 2987 frm += 2; /* skip BlockAckReq Control field */ 2988 while (ntids-- > 0) { 2989 /* read MTBAR Information field */ 2990 tid = LE_READ_2(&frm[0]) >> 12; 2991 ssn = LE_READ_2(&frm[2]) >> 4; 2992 ieee80211_bar_tid(ic, ni, tid, ssn); 2993 frm += 4; 2994 } 2995 } else { 2996 /* Basic or Compressed BlockAckReq variants */ 2997 ssn = LE_READ_2(&frm[2]) >> 4; 2998 ieee80211_bar_tid(ic, ni, tid, ssn); 2999 } 3000 } 3001 3002 /* 3003 * Process a BlockAckReq for a specific TID (see 9.10.7.6.3). 3004 * This is the common back-end for all BlockAckReq frame variants. 3005 */ 3006 void 3007 ieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni, 3008 u_int8_t tid, u_int16_t ssn) 3009 { 3010 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 3011 3012 /* check if we have a Block Ack agreement for RA/TID */ 3013 if (ba->ba_state != IEEE80211_BA_AGREED) { 3014 /* XXX not sure in PBAC case */ 3015 /* send a DELBA with reason code UNKNOWN-BA */ 3016 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 3017 IEEE80211_ACTION_DELBA, 3018 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 3019 return; 3020 } 3021 /* check if it is a Protected Block Ack agreement */ 3022 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 3023 (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) { 3024 /* ADDBA Requests must be used in PBAC case */ 3025 if (SEQ_LT(ssn, ba->ba_winstart) || 3026 SEQ_LT(ba->ba_winend, ssn)) 3027 ic->ic_stats.is_pbac_errs++; 3028 return; /* PBAC, do not move window */ 3029 } 3030 /* reset Block Ack inactivity timer */ 3031 if (ba->ba_timeout_val != 0) 3032 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 3033 3034 if (SEQ_LT(ba->ba_winstart, ssn)) 3035 ieee80211_ba_move_window(ic, ni, tid, ssn); 3036 } 3037