1 /* $OpenBSD: ieee80211_input.c,v 1.236 2021/05/17 11:44:22 stsp Exp $ */ 2 3 /*- 4 * Copyright (c) 2001 Atsushi Onoe 5 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 6 * Copyright (c) 2007-2009 Damien Bergamini 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of the author may not be used to endorse or promote products 18 * derived from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include "bpfilter.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 #include <sys/socket.h> 40 #include <sys/sockio.h> 41 #include <sys/endian.h> 42 #include <sys/errno.h> 43 #include <sys/sysctl.h> 44 #include <sys/task.h> 45 46 #include <net/if.h> 47 #include <net/if_dl.h> 48 #include <net/if_media.h> 49 #include <net/if_llc.h> 50 51 #if NBPFILTER > 0 52 #include <net/bpf.h> 53 #endif 54 55 #include <netinet/in.h> 56 #include <netinet/if_ether.h> 57 58 #include <net80211/ieee80211_var.h> 59 #include <net80211/ieee80211_priv.h> 60 61 struct mbuf *ieee80211_input_hwdecrypt(struct ieee80211com *, 62 struct ieee80211_node *, struct mbuf *, 63 struct ieee80211_rxinfo *rxi); 64 struct mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int); 65 void ieee80211_defrag_timeout(void *); 66 void ieee80211_input_ba(struct ieee80211com *, struct mbuf *, 67 struct ieee80211_node *, int, struct ieee80211_rxinfo *, 68 struct mbuf_list *); 69 void ieee80211_input_ba_flush(struct ieee80211com *, struct ieee80211_node *, 70 struct ieee80211_rx_ba *, struct mbuf_list *); 71 int ieee80211_input_ba_gap_skip(struct ieee80211_rx_ba *); 72 void ieee80211_input_ba_gap_timeout(void *arg); 73 void ieee80211_ba_move_window(struct ieee80211com *, 74 struct ieee80211_node *, u_int8_t, u_int16_t, struct mbuf_list *); 75 void ieee80211_input_ba_seq(struct ieee80211com *, 76 struct ieee80211_node *, uint8_t, uint16_t, struct mbuf_list *); 77 struct mbuf *ieee80211_align_mbuf(struct mbuf *); 78 void ieee80211_decap(struct ieee80211com *, struct mbuf *, 79 struct ieee80211_node *, int, struct mbuf_list *); 80 int ieee80211_amsdu_decap_validate(struct ieee80211com *, struct mbuf *, 81 struct ieee80211_node *); 82 void ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *, 83 struct ieee80211_node *, int, struct mbuf_list *); 84 void ieee80211_enqueue_data(struct ieee80211com *, struct mbuf *, 85 struct ieee80211_node *, int, struct mbuf_list *); 86 int ieee80211_parse_edca_params_body(struct ieee80211com *, 87 const u_int8_t *); 88 int ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *); 89 int ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *); 90 enum ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t[]); 91 enum ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t[]); 92 int ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *, 93 u_int, struct ieee80211_rsnparams *); 94 int ieee80211_save_ie(const u_int8_t *, u_int8_t **); 95 void ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *, 96 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 97 #ifndef IEEE80211_STA_ONLY 98 void ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *, 99 struct ieee80211_node *, struct ieee80211_rxinfo *); 100 #endif 101 void ieee80211_recv_auth(struct ieee80211com *, struct mbuf *, 102 struct ieee80211_node *, struct ieee80211_rxinfo *); 103 #ifndef IEEE80211_STA_ONLY 104 void ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *, 105 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 106 #endif 107 void ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *, 108 struct ieee80211_node *, int); 109 void ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *, 110 struct ieee80211_node *); 111 void ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *, 112 struct ieee80211_node *); 113 void ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *, 114 struct ieee80211_node *); 115 void ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *, 116 struct ieee80211_node *); 117 void ieee80211_recv_delba(struct ieee80211com *, struct mbuf *, 118 struct ieee80211_node *); 119 void ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *, 120 struct ieee80211_node *); 121 #ifndef IEEE80211_STA_ONLY 122 void ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *, 123 struct ieee80211_node *); 124 #endif 125 void ieee80211_recv_action(struct ieee80211com *, struct mbuf *, 126 struct ieee80211_node *); 127 #ifndef IEEE80211_STA_ONLY 128 void ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *, 129 struct ieee80211_node *); 130 #endif 131 void ieee80211_recv_bar(struct ieee80211com *, struct mbuf *, 132 struct ieee80211_node *); 133 void ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *, 134 u_int8_t, u_int16_t); 135 136 /* 137 * Retrieve the length in bytes of an 802.11 header. 138 */ 139 u_int 140 ieee80211_get_hdrlen(const struct ieee80211_frame *wh) 141 { 142 u_int size = sizeof(*wh); 143 144 /* NB: does not work with control frames */ 145 KASSERT(ieee80211_has_seq(wh)); 146 147 if (ieee80211_has_addr4(wh)) 148 size += IEEE80211_ADDR_LEN; /* i_addr4 */ 149 if (ieee80211_has_qos(wh)) 150 size += sizeof(u_int16_t); /* i_qos */ 151 if (ieee80211_has_htc(wh)) 152 size += sizeof(u_int32_t); /* i_ht */ 153 return size; 154 } 155 156 /* Post-processing for drivers which perform decryption in hardware. */ 157 struct mbuf * 158 ieee80211_input_hwdecrypt(struct ieee80211com *ic, struct ieee80211_node *ni, 159 struct mbuf *m, struct ieee80211_rxinfo *rxi) 160 { 161 struct ieee80211_key *k; 162 struct ieee80211_frame *wh; 163 uint64_t pn, *prsc; 164 int hdrlen; 165 166 k = ieee80211_get_rxkey(ic, m, ni); 167 if (k == NULL) 168 return NULL; 169 170 wh = mtod(m, struct ieee80211_frame *); 171 hdrlen = ieee80211_get_hdrlen(wh); 172 173 /* 174 * Update the last-seen packet number (PN) for drivers using hardware 175 * crypto offloading. This cannot be done by drivers because A-MPDU 176 * reordering needs to occur before a valid lower bound can be 177 * determined for the PN. Drivers will read the PN we write here and 178 * are expected to discard replayed frames based on it. 179 * Drivers are expected to leave the IV of decrypted frames intact 180 * so we can update the last-seen PN and strip the IV here. 181 */ 182 switch (k->k_cipher) { 183 case IEEE80211_CIPHER_CCMP: 184 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 185 /* 186 * If the protected bit is clear then hardware has 187 * stripped the IV and we must trust that it handles 188 * replay detection correctly. 189 */ 190 break; 191 } 192 if (ieee80211_ccmp_get_pn(&pn, &prsc, m, k) != 0) 193 return NULL; 194 if (rxi->rxi_flags & IEEE80211_RXI_HWDEC_SAME_PN) { 195 if (pn < *prsc) { 196 ic->ic_stats.is_ccmp_replays++; 197 return NULL; 198 } 199 } else if (pn <= *prsc) { 200 ic->ic_stats.is_ccmp_replays++; 201 return NULL; 202 } 203 204 /* Update last-seen packet number. */ 205 *prsc = pn; 206 207 /* Clear Protected bit and strip IV. */ 208 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 209 memmove(mtod(m, caddr_t) + IEEE80211_CCMP_HDRLEN, wh, hdrlen); 210 m_adj(m, IEEE80211_CCMP_HDRLEN); 211 /* Drivers are expected to strip the MIC. */ 212 break; 213 case IEEE80211_CIPHER_TKIP: 214 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 215 /* 216 * If the protected bit is clear then hardware has 217 * stripped the IV and we must trust that it handles 218 * replay detection correctly. 219 */ 220 break; 221 } 222 if (ieee80211_tkip_get_tsc(&pn, &prsc, m, k) != 0) 223 return NULL; 224 if (rxi->rxi_flags & IEEE80211_RXI_HWDEC_SAME_PN) { 225 if (pn < *prsc) { 226 ic->ic_stats.is_tkip_replays++; 227 return NULL; 228 } 229 } else if (pn <= *prsc) { 230 ic->ic_stats.is_tkip_replays++; 231 return NULL; 232 } 233 234 /* Update last-seen packet number. */ 235 *prsc = pn; 236 237 /* Clear Protected bit and strip IV. */ 238 wh = mtod(m, struct ieee80211_frame *); 239 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 240 memmove(mtod(m, caddr_t) + IEEE80211_TKIP_HDRLEN, wh, hdrlen); 241 m_adj(m, IEEE80211_TKIP_HDRLEN); 242 /* Drivers are expected to strip the MIC. */ 243 break; 244 default: 245 break; 246 } 247 248 return m; 249 } 250 251 /* 252 * Process a received frame. The node associated with the sender 253 * should be supplied. If nothing was found in the node table then 254 * the caller is assumed to supply a reference to ic_bss instead. 255 * The RSSI and a timestamp are also supplied. The RSSI data is used 256 * during AP scanning to select a AP to associate with; it can have 257 * any units so long as values have consistent units and higher values 258 * mean ``better signal''. The receive timestamp is currently not used 259 * by the 802.11 layer. 260 * 261 * This function acts on management frames immediately and queues data frames 262 * on the specified mbuf list. Delivery of queued data frames to upper layers 263 * must be triggered with if_input(). Drivers should call if_input() only once 264 * per Rx interrupt to avoid triggering the input ifq pressure drop mechanism 265 * unnecessarily. 266 */ 267 void 268 ieee80211_inputm(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 269 struct ieee80211_rxinfo *rxi, struct mbuf_list *ml) 270 { 271 struct ieee80211com *ic = (void *)ifp; 272 struct ieee80211_frame *wh; 273 u_int16_t *orxseq, nrxseq, qos; 274 u_int8_t dir, type, subtype, tid; 275 int hdrlen, hasqos; 276 277 KASSERT(ni != NULL); 278 279 /* in monitor mode, send everything directly to bpf */ 280 if (ic->ic_opmode == IEEE80211_M_MONITOR) 281 goto out; 282 283 /* 284 * Do not process frames without an Address 2 field any further. 285 * Only CTS and ACK control frames do not have this field. 286 */ 287 if (m->m_len < sizeof(struct ieee80211_frame_min)) { 288 DPRINTF(("frame too short, len %u\n", m->m_len)); 289 ic->ic_stats.is_rx_tooshort++; 290 goto out; 291 } 292 293 wh = mtod(m, struct ieee80211_frame *); 294 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 295 IEEE80211_FC0_VERSION_0) { 296 DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0])); 297 ic->ic_stats.is_rx_badversion++; 298 goto err; 299 } 300 301 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 302 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 303 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 304 305 if (type != IEEE80211_FC0_TYPE_CTL) { 306 hdrlen = ieee80211_get_hdrlen(wh); 307 if (m->m_len < hdrlen) { 308 DPRINTF(("frame too short, len %u\n", m->m_len)); 309 ic->ic_stats.is_rx_tooshort++; 310 goto err; 311 } 312 } else 313 hdrlen = 0; 314 if ((hasqos = ieee80211_has_qos(wh))) { 315 qos = ieee80211_get_qos(wh); 316 tid = qos & IEEE80211_QOS_TID; 317 } else { 318 qos = 0; 319 tid = 0; 320 } 321 322 if (ic->ic_state == IEEE80211_S_RUN && 323 type == IEEE80211_FC0_TYPE_DATA && hasqos && 324 (subtype & IEEE80211_FC0_SUBTYPE_NODATA) == 0 && 325 !(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE) 326 #ifndef IEEE80211_STA_ONLY 327 && (ic->ic_opmode == IEEE80211_M_STA || ni != ic->ic_bss) 328 #endif 329 ) { 330 int ba_state = ni->ni_rx_ba[tid].ba_state; 331 332 #ifndef IEEE80211_STA_ONLY 333 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 334 if (!IEEE80211_ADDR_EQ(wh->i_addr1, 335 ic->ic_bss->ni_bssid)) { 336 ic->ic_stats.is_rx_wrongbss++; 337 goto err; 338 } 339 if (ni->ni_state != IEEE80211_S_ASSOC) { 340 ic->ic_stats.is_rx_notassoc++; 341 goto err; 342 } 343 } 344 #endif 345 /* 346 * If Block Ack was explicitly requested, check 347 * if we have a BA agreement for this RA/TID. 348 */ 349 if ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 350 IEEE80211_QOS_ACK_POLICY_BA && 351 ba_state != IEEE80211_BA_AGREED) { 352 DPRINTF(("no BA agreement for %s, TID %d\n", 353 ether_sprintf(ni->ni_macaddr), tid)); 354 /* send a DELBA with reason code UNKNOWN-BA */ 355 IEEE80211_SEND_ACTION(ic, ni, 356 IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA, 357 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 358 goto err; 359 } 360 361 /* 362 * Check if we have an explicit or implicit 363 * Block Ack Request for a valid BA agreement. 364 */ 365 if (ba_state == IEEE80211_BA_AGREED && 366 ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 367 IEEE80211_QOS_ACK_POLICY_BA || 368 (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 369 IEEE80211_QOS_ACK_POLICY_NORMAL)) { 370 /* go through A-MPDU reordering */ 371 ieee80211_input_ba(ic, m, ni, tid, rxi, ml); 372 return; /* don't free m! */ 373 } else if (ba_state == IEEE80211_BA_REQUESTED && 374 (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 375 IEEE80211_QOS_ACK_POLICY_NORMAL) { 376 /* 377 * Apparently, qos frames for a tid where a 378 * block ack agreement was requested but not 379 * yet confirmed by us should still contribute 380 * to the sequence number for this tid. 381 */ 382 ieee80211_input_ba(ic, m, ni, tid, rxi, ml); 383 return; /* don't free m! */ 384 } 385 } 386 387 /* duplicate detection (see 9.2.9) */ 388 if (ieee80211_has_seq(wh) && 389 ic->ic_state != IEEE80211_S_SCAN) { 390 nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >> 391 IEEE80211_SEQ_SEQ_SHIFT; 392 if (hasqos) 393 orxseq = &ni->ni_qos_rxseqs[tid]; 394 else 395 orxseq = &ni->ni_rxseq; 396 if (rxi->rxi_flags & IEEE80211_RXI_SAME_SEQ) { 397 if (nrxseq != *orxseq) { 398 /* duplicate, silently discarded */ 399 ic->ic_stats.is_rx_dup++; 400 goto out; 401 } 402 } else if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 403 nrxseq == *orxseq) { 404 /* duplicate, silently discarded */ 405 ic->ic_stats.is_rx_dup++; 406 goto out; 407 } 408 *orxseq = nrxseq; 409 } 410 if (ic->ic_state > IEEE80211_S_SCAN) { 411 ni->ni_rssi = rxi->rxi_rssi; 412 ni->ni_rstamp = rxi->rxi_tstamp; 413 ni->ni_inact = 0; 414 415 if (ic->ic_state == IEEE80211_S_RUN && ic->ic_bgscan_start) { 416 /* Cancel or start background scan based on RSSI. */ 417 if ((*ic->ic_node_checkrssi)(ic, ni)) 418 timeout_del(&ic->ic_bgscan_timeout); 419 else if (!timeout_pending(&ic->ic_bgscan_timeout) && 420 (ic->ic_flags & IEEE80211_F_BGSCAN) == 0 && 421 (ic->ic_flags & IEEE80211_F_DESBSSID) == 0) 422 timeout_add_msec(&ic->ic_bgscan_timeout, 423 500 * (ic->ic_bgscan_fail + 1)); 424 } 425 } 426 427 #ifndef IEEE80211_STA_ONLY 428 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 429 (ic->ic_caps & IEEE80211_C_APPMGT) && 430 ni->ni_state == IEEE80211_STA_ASSOC) { 431 if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) { 432 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) { 433 /* turn on PS mode */ 434 ni->ni_pwrsave = IEEE80211_PS_DOZE; 435 DPRINTF(("PS mode on for %s\n", 436 ether_sprintf(wh->i_addr2))); 437 } 438 } else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) { 439 struct mbuf *m; 440 441 /* turn off PS mode */ 442 ni->ni_pwrsave = IEEE80211_PS_AWAKE; 443 DPRINTF(("PS mode off for %s\n", 444 ether_sprintf(wh->i_addr2))); 445 446 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 447 448 /* dequeue buffered unicast frames */ 449 while ((m = mq_dequeue(&ni->ni_savedq)) != NULL) { 450 mq_enqueue(&ic->ic_pwrsaveq, m); 451 if_start(ifp); 452 } 453 } 454 } 455 #endif 456 switch (type) { 457 case IEEE80211_FC0_TYPE_DATA: 458 switch (ic->ic_opmode) { 459 case IEEE80211_M_STA: 460 if (dir != IEEE80211_FC1_DIR_FROMDS) { 461 ic->ic_stats.is_rx_wrongdir++; 462 goto out; 463 } 464 if (ic->ic_state != IEEE80211_S_SCAN && 465 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 466 /* Source address is not our BSS. */ 467 DPRINTF(("discard frame from SA %s\n", 468 ether_sprintf(wh->i_addr2))); 469 ic->ic_stats.is_rx_wrongbss++; 470 goto out; 471 } 472 if ((ifp->if_flags & IFF_SIMPLEX) && 473 IEEE80211_IS_MULTICAST(wh->i_addr1) && 474 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 475 /* 476 * In IEEE802.11 network, multicast frame 477 * sent from me is broadcasted from AP. 478 * It should be silently discarded for 479 * SIMPLEX interface. 480 */ 481 ic->ic_stats.is_rx_mcastecho++; 482 goto out; 483 } 484 break; 485 #ifndef IEEE80211_STA_ONLY 486 case IEEE80211_M_IBSS: 487 case IEEE80211_M_AHDEMO: 488 if (dir != IEEE80211_FC1_DIR_NODS) { 489 ic->ic_stats.is_rx_wrongdir++; 490 goto out; 491 } 492 if (ic->ic_state != IEEE80211_S_SCAN && 493 !IEEE80211_ADDR_EQ(wh->i_addr3, 494 ic->ic_bss->ni_bssid) && 495 !IEEE80211_ADDR_EQ(wh->i_addr3, 496 etherbroadcastaddr)) { 497 /* Destination is not our BSS or broadcast. */ 498 DPRINTF(("discard data frame to DA %s\n", 499 ether_sprintf(wh->i_addr3))); 500 ic->ic_stats.is_rx_wrongbss++; 501 goto out; 502 } 503 break; 504 case IEEE80211_M_HOSTAP: 505 if (dir != IEEE80211_FC1_DIR_TODS) { 506 ic->ic_stats.is_rx_wrongdir++; 507 goto out; 508 } 509 if (ic->ic_state != IEEE80211_S_SCAN && 510 !IEEE80211_ADDR_EQ(wh->i_addr1, 511 ic->ic_bss->ni_bssid) && 512 !IEEE80211_ADDR_EQ(wh->i_addr1, 513 etherbroadcastaddr)) { 514 /* BSS is not us or broadcast. */ 515 DPRINTF(("discard data frame to BSS %s\n", 516 ether_sprintf(wh->i_addr1))); 517 ic->ic_stats.is_rx_wrongbss++; 518 goto out; 519 } 520 /* check if source STA is associated */ 521 if (ni == ic->ic_bss) { 522 DPRINTF(("data from unknown src %s\n", 523 ether_sprintf(wh->i_addr2))); 524 /* NB: caller deals with reference */ 525 ni = ieee80211_find_node(ic, wh->i_addr2); 526 if (ni == NULL) 527 ni = ieee80211_dup_bss(ic, wh->i_addr2); 528 if (ni != NULL) { 529 IEEE80211_SEND_MGMT(ic, ni, 530 IEEE80211_FC0_SUBTYPE_DEAUTH, 531 IEEE80211_REASON_NOT_AUTHED); 532 } 533 ic->ic_stats.is_rx_notassoc++; 534 goto err; 535 } 536 if (ni->ni_state != IEEE80211_STA_ASSOC) { 537 DPRINTF(("data from unassoc src %s\n", 538 ether_sprintf(wh->i_addr2))); 539 IEEE80211_SEND_MGMT(ic, ni, 540 IEEE80211_FC0_SUBTYPE_DISASSOC, 541 IEEE80211_REASON_NOT_ASSOCED); 542 ic->ic_stats.is_rx_notassoc++; 543 goto err; 544 } 545 break; 546 #endif /* IEEE80211_STA_ONLY */ 547 default: 548 /* can't get there */ 549 goto out; 550 } 551 552 /* Do not process "no data" frames any further. */ 553 if (subtype & IEEE80211_FC0_SUBTYPE_NODATA) { 554 #if NBPFILTER > 0 555 if (ic->ic_rawbpf) 556 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 557 #endif 558 goto out; 559 } 560 561 if ((ic->ic_flags & IEEE80211_F_WEPON) || 562 ((ic->ic_flags & IEEE80211_F_RSNON) && 563 (ni->ni_flags & IEEE80211_NODE_RXPROT))) { 564 /* protection is on for Rx */ 565 if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 566 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 567 /* drop unencrypted */ 568 ic->ic_stats.is_rx_unencrypted++; 569 goto err; 570 } 571 /* do software decryption */ 572 m = ieee80211_decrypt(ic, m, ni); 573 if (m == NULL) { 574 ic->ic_stats.is_rx_wepfail++; 575 goto err; 576 } 577 } else { 578 m = ieee80211_input_hwdecrypt(ic, ni, m, rxi); 579 if (m == NULL) 580 goto err; 581 } 582 wh = mtod(m, struct ieee80211_frame *); 583 } else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) || 584 (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 585 /* frame encrypted but protection off for Rx */ 586 ic->ic_stats.is_rx_nowep++; 587 goto out; 588 } 589 590 #if NBPFILTER > 0 591 /* copy to listener after decrypt */ 592 if (ic->ic_rawbpf) 593 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 594 #endif 595 596 if ((ni->ni_flags & IEEE80211_NODE_HT) && 597 hasqos && (qos & IEEE80211_QOS_AMSDU)) 598 ieee80211_amsdu_decap(ic, m, ni, hdrlen, ml); 599 else 600 ieee80211_decap(ic, m, ni, hdrlen, ml); 601 return; 602 603 case IEEE80211_FC0_TYPE_MGT: 604 if (dir != IEEE80211_FC1_DIR_NODS) { 605 ic->ic_stats.is_rx_wrongdir++; 606 goto err; 607 } 608 #ifndef IEEE80211_STA_ONLY 609 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 610 ic->ic_stats.is_rx_ahdemo_mgt++; 611 goto out; 612 } 613 #endif 614 /* drop frames without interest */ 615 if (ic->ic_state == IEEE80211_S_SCAN) { 616 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 617 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 618 ic->ic_stats.is_rx_mgtdiscard++; 619 goto out; 620 } 621 } 622 623 if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) { 624 /* MMPDU protection is on for Rx */ 625 if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC || 626 subtype == IEEE80211_FC0_SUBTYPE_DEAUTH || 627 subtype == IEEE80211_FC0_SUBTYPE_ACTION) { 628 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) && 629 !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 630 /* unicast mgmt not encrypted */ 631 goto out; 632 } 633 /* do software decryption */ 634 m = ieee80211_decrypt(ic, m, ni); 635 if (m == NULL) { 636 /* XXX stats */ 637 goto out; 638 } 639 wh = mtod(m, struct ieee80211_frame *); 640 } 641 } else if ((ic->ic_flags & IEEE80211_F_RSNON) && 642 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 643 /* encrypted but MMPDU Rx protection off for TA */ 644 goto out; 645 } 646 647 #if NBPFILTER > 0 648 if (bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN) != 0) { 649 /* 650 * Drop mbuf if it was filtered by bpf. Normally, 651 * this is done in ether_input() but IEEE 802.11 652 * management frames are a special case. 653 */ 654 m_freem(m); 655 return; 656 } 657 #endif 658 (*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype); 659 m_freem(m); 660 return; 661 662 case IEEE80211_FC0_TYPE_CTL: 663 switch (subtype) { 664 #ifndef IEEE80211_STA_ONLY 665 case IEEE80211_FC0_SUBTYPE_PS_POLL: 666 ieee80211_recv_pspoll(ic, m, ni); 667 break; 668 #endif 669 case IEEE80211_FC0_SUBTYPE_BAR: 670 ieee80211_recv_bar(ic, m, ni); 671 break; 672 default: 673 ic->ic_stats.is_rx_ctl++; 674 break; 675 } 676 goto out; 677 678 default: 679 DPRINTF(("bad frame type %x\n", type)); 680 /* should not come here */ 681 break; 682 } 683 err: 684 ifp->if_ierrors++; 685 out: 686 if (m != NULL) { 687 #if NBPFILTER > 0 688 if (ic->ic_rawbpf) 689 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 690 #endif 691 m_freem(m); 692 } 693 } 694 695 /* Input handler for drivers which only receive one frame per interrupt. */ 696 void 697 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 698 struct ieee80211_rxinfo *rxi) 699 { 700 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 701 702 ieee80211_inputm(ifp, m, ni, rxi, &ml); 703 if_input(ifp, &ml); 704 } 705 706 #ifdef notyet 707 /* 708 * Handle defragmentation (see 9.5 and Annex C). We support the concurrent 709 * reception of fragments of three fragmented MSDUs or MMPDUs. 710 */ 711 struct mbuf * 712 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 713 { 714 const struct ieee80211_frame *owh, *wh; 715 struct ieee80211_defrag *df; 716 u_int16_t rxseq, seq; 717 u_int8_t frag; 718 int i; 719 720 wh = mtod(m, struct ieee80211_frame *); 721 rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 722 seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 723 frag = rxseq & IEEE80211_SEQ_FRAG_MASK; 724 725 if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)) 726 return m; /* not fragmented */ 727 728 if (frag == 0) { 729 /* first fragment, setup entry in the fragment cache */ 730 if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE) 731 ic->ic_defrag_cur = 0; 732 df = &ic->ic_defrag[ic->ic_defrag_cur]; 733 m_freem(df->df_m); /* discard old entry */ 734 df->df_seq = seq; 735 df->df_frag = 0; 736 df->df_m = m; 737 /* start receive MSDU timer of aMaxReceiveLifetime */ 738 timeout_add_sec(&df->df_to, 1); 739 return NULL; /* MSDU or MMPDU not yet complete */ 740 } 741 742 /* find matching entry in the fragment cache */ 743 for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) { 744 df = &ic->ic_defrag[i]; 745 if (df->df_m == NULL) 746 continue; 747 if (df->df_seq != seq || df->df_frag + 1 != frag) 748 continue; 749 owh = mtod(df->df_m, struct ieee80211_frame *); 750 /* frame type, source and destination must match */ 751 if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) || 752 !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) || 753 !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2)) 754 continue; 755 /* matching entry found */ 756 break; 757 } 758 if (i == IEEE80211_DEFRAG_SIZE) { 759 /* no matching entry found, discard fragment */ 760 ic->ic_if.if_ierrors++; 761 m_freem(m); 762 return NULL; 763 } 764 765 df->df_frag = frag; 766 /* strip 802.11 header and concatenate fragment */ 767 m_adj(m, hdrlen); 768 m_cat(df->df_m, m); 769 df->df_m->m_pkthdr.len += m->m_pkthdr.len; 770 771 if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) 772 return NULL; /* MSDU or MMPDU not yet complete */ 773 774 /* MSDU or MMPDU complete */ 775 timeout_del(&df->df_to); 776 m = df->df_m; 777 df->df_m = NULL; 778 return m; 779 } 780 781 /* 782 * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime. 783 */ 784 void 785 ieee80211_defrag_timeout(void *arg) 786 { 787 struct ieee80211_defrag *df = arg; 788 int s = splnet(); 789 790 /* discard all received fragments */ 791 m_freem(df->df_m); 792 df->df_m = NULL; 793 794 splx(s); 795 } 796 #endif 797 798 /* 799 * Process a received data MPDU related to a specific HT-immediate Block Ack 800 * agreement (see 9.10.7.6). 801 */ 802 void 803 ieee80211_input_ba(struct ieee80211com *ic, struct mbuf *m, 804 struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi, 805 struct mbuf_list *ml) 806 { 807 struct ifnet *ifp = &ic->ic_if; 808 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 809 struct ieee80211_frame *wh; 810 int idx, count; 811 u_int16_t sn; 812 813 wh = mtod(m, struct ieee80211_frame *); 814 sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 815 816 /* reset Block Ack inactivity timer */ 817 if (ba->ba_timeout_val != 0) 818 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 819 820 if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */ 821 ic->ic_stats.is_ht_rx_frame_below_ba_winstart++; 822 m_freem(m); /* discard the MPDU */ 823 return; 824 } 825 if (SEQ_LT(ba->ba_winend, sn)) { /* WinEndB < SN */ 826 ic->ic_stats.is_ht_rx_frame_above_ba_winend++; 827 count = (sn - ba->ba_winend) & 0xfff; 828 if (count > ba->ba_winsize) { 829 /* 830 * Check whether we're consistently behind the window, 831 * and let the window move forward if necessary. 832 */ 833 if (ba->ba_winmiss < IEEE80211_BA_MAX_WINMISS) { 834 if (ba->ba_missedsn == ((sn - 1) & 0xfff)) 835 ba->ba_winmiss++; 836 else 837 ba->ba_winmiss = 0; 838 ba->ba_missedsn = sn; 839 ifp->if_ierrors++; 840 m_freem(m); /* discard the MPDU */ 841 return; 842 } 843 844 /* It appears the window has moved for real. */ 845 ic->ic_stats.is_ht_rx_ba_window_jump++; 846 ba->ba_winmiss = 0; 847 ba->ba_missedsn = 0; 848 ieee80211_ba_move_window(ic, ni, tid, sn, ml); 849 } else { 850 ic->ic_stats.is_ht_rx_ba_window_slide++; 851 ieee80211_input_ba_seq(ic, ni, tid, 852 (ba->ba_winstart + count) & 0xfff, ml); 853 ieee80211_input_ba_flush(ic, ni, ba, ml); 854 } 855 } 856 /* WinStartB <= SN <= WinEndB */ 857 858 ba->ba_winmiss = 0; 859 ba->ba_missedsn = 0; 860 idx = (sn - ba->ba_winstart) & 0xfff; 861 idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ; 862 /* store the received MPDU in the buffer */ 863 if (ba->ba_buf[idx].m != NULL) { 864 ifp->if_ierrors++; 865 ic->ic_stats.is_ht_rx_ba_no_buf++; 866 m_freem(m); 867 return; 868 } 869 ba->ba_buf[idx].m = m; 870 /* store Rx meta-data too */ 871 rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE; 872 ba->ba_buf[idx].rxi = *rxi; 873 ba->ba_gapwait++; 874 875 if (ba->ba_buf[ba->ba_head].m == NULL && ba->ba_gapwait == 1) 876 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT); 877 878 ieee80211_input_ba_flush(ic, ni, ba, ml); 879 } 880 881 /* 882 * Forward buffered frames with sequence number lower than max_seq. 883 * See 802.11-2012 9.21.7.6.2 b. 884 */ 885 void 886 ieee80211_input_ba_seq(struct ieee80211com *ic, struct ieee80211_node *ni, 887 uint8_t tid, uint16_t max_seq, struct mbuf_list *ml) 888 { 889 struct ifnet *ifp = &ic->ic_if; 890 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 891 struct ieee80211_frame *wh; 892 uint16_t seq; 893 int i = 0; 894 895 while (i++ < ba->ba_winsize) { 896 /* gaps may exist */ 897 if (ba->ba_buf[ba->ba_head].m != NULL) { 898 wh = mtod(ba->ba_buf[ba->ba_head].m, 899 struct ieee80211_frame *); 900 KASSERT(ieee80211_has_seq(wh)); 901 seq = letoh16(*(u_int16_t *)wh->i_seq) >> 902 IEEE80211_SEQ_SEQ_SHIFT; 903 if (!SEQ_LT(seq, max_seq)) 904 break; 905 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, 906 ni, &ba->ba_buf[ba->ba_head].rxi, ml); 907 ba->ba_buf[ba->ba_head].m = NULL; 908 ba->ba_gapwait--; 909 } else 910 ic->ic_stats.is_ht_rx_ba_frame_lost++; 911 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 912 /* move window forward */ 913 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 914 } 915 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 916 } 917 918 /* Flush a consecutive sequence of frames from the reorder buffer. */ 919 void 920 ieee80211_input_ba_flush(struct ieee80211com *ic, struct ieee80211_node *ni, 921 struct ieee80211_rx_ba *ba, struct mbuf_list *ml) 922 923 { 924 struct ifnet *ifp = &ic->ic_if; 925 926 /* Do not re-arm the gap timeout if we made no progress. */ 927 if (ba->ba_buf[ba->ba_head].m == NULL) 928 return; 929 930 /* pass reordered MPDUs up to the next MAC process */ 931 while (ba->ba_buf[ba->ba_head].m != NULL) { 932 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni, 933 &ba->ba_buf[ba->ba_head].rxi, ml); 934 ba->ba_buf[ba->ba_head].m = NULL; 935 ba->ba_gapwait--; 936 937 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 938 /* move window forward */ 939 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 940 } 941 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 942 943 if (timeout_pending(&ba->ba_gap_to)) 944 timeout_del(&ba->ba_gap_to); 945 if (ba->ba_gapwait) 946 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT); 947 } 948 949 /* 950 * Forcibly move the BA window forward to remove a leading gap which has 951 * been causing frames to linger in the reordering buffer for too long. 952 * A leading gap will occur if a particular A-MPDU subframe never arrives 953 * or if a bug in the sender causes sequence numbers to jump forward by > 1. 954 */ 955 int 956 ieee80211_input_ba_gap_skip(struct ieee80211_rx_ba *ba) 957 { 958 int skipped = 0; 959 960 while (skipped < ba->ba_winsize && ba->ba_buf[ba->ba_head].m == NULL) { 961 /* move window forward */ 962 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 963 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 964 skipped++; 965 } 966 if (skipped > 0) 967 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 968 969 return skipped; 970 } 971 972 void 973 ieee80211_input_ba_gap_timeout(void *arg) 974 { 975 struct ieee80211_rx_ba *ba = arg; 976 struct ieee80211_node *ni = ba->ba_ni; 977 struct ieee80211com *ic = ni->ni_ic; 978 int s, skipped; 979 980 ic->ic_stats.is_ht_rx_ba_window_gap_timeout++; 981 982 s = splnet(); 983 984 skipped = ieee80211_input_ba_gap_skip(ba); 985 ic->ic_stats.is_ht_rx_ba_frame_lost += skipped; 986 if (skipped) { 987 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 988 ieee80211_input_ba_flush(ic, ni, ba, &ml); 989 if_input(&ic->ic_if, &ml); 990 } 991 992 splx(s); 993 } 994 995 996 /* 997 * Change the value of WinStartB (move window forward) upon reception of a 998 * BlockAckReq frame or an ADDBA Request (PBAC). 999 */ 1000 void 1001 ieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni, 1002 u_int8_t tid, u_int16_t ssn, struct mbuf_list *ml) 1003 { 1004 struct ifnet *ifp = &ic->ic_if; 1005 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 1006 int count; 1007 1008 /* assert(WinStartB <= SSN) */ 1009 1010 count = (ssn - ba->ba_winstart) & 0xfff; 1011 if (count > ba->ba_winsize) /* no overlap */ 1012 count = ba->ba_winsize; 1013 while (count-- > 0) { 1014 /* gaps may exist */ 1015 if (ba->ba_buf[ba->ba_head].m != NULL) { 1016 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni, 1017 &ba->ba_buf[ba->ba_head].rxi, ml); 1018 ba->ba_buf[ba->ba_head].m = NULL; 1019 ba->ba_gapwait--; 1020 } else 1021 ic->ic_stats.is_ht_rx_ba_frame_lost++; 1022 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 1023 } 1024 /* move window forward */ 1025 ba->ba_winstart = ssn; 1026 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 1027 1028 ieee80211_input_ba_flush(ic, ni, ba, ml); 1029 } 1030 1031 void 1032 ieee80211_enqueue_data(struct ieee80211com *ic, struct mbuf *m, 1033 struct ieee80211_node *ni, int mcast, struct mbuf_list *ml) 1034 { 1035 struct ifnet *ifp = &ic->ic_if; 1036 struct ether_header *eh; 1037 struct mbuf *m1; 1038 1039 eh = mtod(m, struct ether_header *); 1040 1041 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid && 1042 eh->ether_type != htons(ETHERTYPE_PAE)) { 1043 DPRINTF(("port not valid: %s\n", 1044 ether_sprintf(eh->ether_dhost))); 1045 ic->ic_stats.is_rx_unauth++; 1046 m_freem(m); 1047 return; 1048 } 1049 1050 /* 1051 * Perform as a bridge within the AP. Notice that we do not 1052 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X. 1053 * And we do not forward unicast frames received on a multicast address. 1054 */ 1055 m1 = NULL; 1056 #ifndef IEEE80211_STA_ONLY 1057 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 1058 !(ic->ic_userflags & IEEE80211_F_NOBRIDGE) && 1059 eh->ether_type != htons(ETHERTYPE_PAE)) { 1060 struct ieee80211_node *ni1; 1061 1062 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 1063 m1 = m_dup_pkt(m, ETHER_ALIGN, M_DONTWAIT); 1064 if (m1 == NULL) 1065 ifp->if_oerrors++; 1066 else 1067 m1->m_flags |= M_MCAST; 1068 } else if (!mcast) { 1069 ni1 = ieee80211_find_node(ic, eh->ether_dhost); 1070 if (ni1 != NULL && 1071 ni1->ni_state == IEEE80211_STA_ASSOC) { 1072 m1 = m; 1073 m = NULL; 1074 } 1075 } 1076 if (m1 != NULL) { 1077 if (if_enqueue(ifp, m1)) 1078 ifp->if_oerrors++; 1079 } 1080 } 1081 #endif 1082 if (m != NULL) { 1083 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1084 eh->ether_type == htons(ETHERTYPE_PAE)) { 1085 ifp->if_ipackets++; 1086 #if NBPFILTER > 0 1087 /* 1088 * If we forward frame into transmitter of the AP, 1089 * we don't need to duplicate for DLT_EN10MB. 1090 */ 1091 if (ifp->if_bpf && m1 == NULL) 1092 bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN); 1093 #endif 1094 ieee80211_eapol_key_input(ic, m, ni); 1095 } else { 1096 ml_enqueue(ml, m); 1097 } 1098 } 1099 } 1100 1101 void 1102 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, 1103 struct ieee80211_node *ni, int hdrlen, struct mbuf_list *ml) 1104 { 1105 struct ether_header eh; 1106 struct ieee80211_frame *wh; 1107 struct llc *llc; 1108 int mcast; 1109 1110 if (m->m_len < hdrlen + LLC_SNAPFRAMELEN && 1111 (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) { 1112 ic->ic_stats.is_rx_decap++; 1113 return; 1114 } 1115 wh = mtod(m, struct ieee80211_frame *); 1116 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 1117 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 1118 case IEEE80211_FC1_DIR_NODS: 1119 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 1120 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 1121 break; 1122 case IEEE80211_FC1_DIR_TODS: 1123 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 1124 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 1125 break; 1126 case IEEE80211_FC1_DIR_FROMDS: 1127 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 1128 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr3); 1129 break; 1130 case IEEE80211_FC1_DIR_DSTODS: 1131 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 1132 IEEE80211_ADDR_COPY(eh.ether_shost, 1133 ((struct ieee80211_frame_addr4 *)wh)->i_addr4); 1134 break; 1135 } 1136 llc = (struct llc *)((caddr_t)wh + hdrlen); 1137 if (llc->llc_dsap == LLC_SNAP_LSAP && 1138 llc->llc_ssap == LLC_SNAP_LSAP && 1139 llc->llc_control == LLC_UI && 1140 llc->llc_snap.org_code[0] == 0 && 1141 llc->llc_snap.org_code[1] == 0 && 1142 llc->llc_snap.org_code[2] == 0) { 1143 eh.ether_type = llc->llc_snap.ether_type; 1144 m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN); 1145 } else { 1146 eh.ether_type = htons(m->m_pkthdr.len - hdrlen); 1147 m_adj(m, hdrlen - ETHER_HDR_LEN); 1148 } 1149 memcpy(mtod(m, caddr_t), &eh, ETHER_HDR_LEN); 1150 if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) { 1151 struct mbuf *m0 = m; 1152 m = m_dup_pkt(m0, ETHER_ALIGN, M_NOWAIT); 1153 m_freem(m0); 1154 if (m == NULL) { 1155 ic->ic_stats.is_rx_decap++; 1156 return; 1157 } 1158 } 1159 ieee80211_enqueue_data(ic, m, ni, mcast, ml); 1160 } 1161 1162 int 1163 ieee80211_amsdu_decap_validate(struct ieee80211com *ic, struct mbuf *m, 1164 struct ieee80211_node *ni) 1165 { 1166 struct ether_header *eh = mtod(m, struct ether_header *); 1167 const uint8_t llc_hdr_mac[ETHER_ADDR_LEN] = { 1168 /* MAC address matching the 802.2 LLC header. */ 1169 LLC_SNAP_LSAP, LLC_SNAP_LSAP, LLC_UI, 0, 0, 0 1170 }; 1171 1172 /* 1173 * We are sorry, but this particular MAC address cannot be used. 1174 * This mitigates an attack where a single 802.11 frame is interpreted 1175 * as an A-MSDU because of a forged AMSDU-present bit in the 802.11 1176 * QoS frame header: https://papers.mathyvanhoef.com/usenix2021.pdf 1177 * See Section 7.2, 'Countermeasures for the design flaws' 1178 */ 1179 if (ETHER_IS_EQ(eh->ether_dhost, llc_hdr_mac)) 1180 return 1; 1181 1182 switch (ic->ic_opmode) { 1183 #ifndef IEEE80211_STA_ONLY 1184 case IEEE80211_M_HOSTAP: 1185 /* 1186 * Subframes must use the source address of the node which 1187 * transmitted the A-MSDU. Prevents MAC spoofing. 1188 */ 1189 if (!ETHER_IS_EQ(ni->ni_macaddr, eh->ether_shost)) 1190 return 1; 1191 break; 1192 #endif 1193 case IEEE80211_M_STA: 1194 /* Subframes must be addressed to me. */ 1195 if (!ETHER_IS_EQ(ic->ic_myaddr, eh->ether_dhost)) 1196 return 1; 1197 break; 1198 default: 1199 /* Ignore MONITOR/IBSS modes for now. */ 1200 break; 1201 } 1202 1203 return 0; 1204 } 1205 1206 /* 1207 * Decapsulate an Aggregate MSDU (see 7.2.2.2). 1208 */ 1209 void 1210 ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m, 1211 struct ieee80211_node *ni, int hdrlen, struct mbuf_list *ml) 1212 { 1213 struct mbuf *n; 1214 struct ether_header *eh; 1215 struct llc *llc; 1216 int len, pad, mcast; 1217 struct ieee80211_frame *wh; 1218 struct mbuf_list subframes = MBUF_LIST_INITIALIZER(); 1219 1220 wh = mtod(m, struct ieee80211_frame *); 1221 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 1222 1223 /* strip 802.11 header */ 1224 m_adj(m, hdrlen); 1225 1226 while (m->m_pkthdr.len >= ETHER_HDR_LEN + LLC_SNAPFRAMELEN) { 1227 /* process an A-MSDU subframe */ 1228 m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN); 1229 if (m == NULL) 1230 break; 1231 eh = mtod(m, struct ether_header *); 1232 /* examine 802.3 header */ 1233 len = ntohs(eh->ether_type); 1234 if (len < LLC_SNAPFRAMELEN) { 1235 DPRINTF(("A-MSDU subframe too short (%d)\n", len)); 1236 /* stop processing A-MSDU subframes */ 1237 ic->ic_stats.is_rx_decap++; 1238 ml_purge(&subframes); 1239 m_freem(m); 1240 return; 1241 } 1242 llc = (struct llc *)&eh[1]; 1243 /* Examine the 802.2 LLC header after the A-MSDU header. */ 1244 if (llc->llc_dsap == LLC_SNAP_LSAP && 1245 llc->llc_ssap == LLC_SNAP_LSAP && 1246 llc->llc_control == LLC_UI && 1247 llc->llc_snap.org_code[0] == 0 && 1248 llc->llc_snap.org_code[1] == 0 && 1249 llc->llc_snap.org_code[2] == 0) { 1250 /* convert to Ethernet II header */ 1251 eh->ether_type = llc->llc_snap.ether_type; 1252 /* strip LLC+SNAP headers */ 1253 memmove((u_int8_t *)eh + LLC_SNAPFRAMELEN, eh, 1254 ETHER_HDR_LEN); 1255 m_adj(m, LLC_SNAPFRAMELEN); 1256 len -= LLC_SNAPFRAMELEN; 1257 } 1258 len += ETHER_HDR_LEN; 1259 if (len > m->m_pkthdr.len) { 1260 /* stop processing A-MSDU subframes */ 1261 DPRINTF(("A-MSDU subframe too long (%d)\n", len)); 1262 ic->ic_stats.is_rx_decap++; 1263 ml_purge(&subframes); 1264 m_freem(m); 1265 return; 1266 } 1267 1268 /* "detach" our A-MSDU subframe from the others */ 1269 n = m_split(m, len, M_NOWAIT); 1270 if (n == NULL) { 1271 /* stop processing A-MSDU subframes */ 1272 ic->ic_stats.is_rx_decap++; 1273 ml_purge(&subframes); 1274 m_freem(m); 1275 return; 1276 } 1277 1278 if (ieee80211_amsdu_decap_validate(ic, m, ni)) { 1279 /* stop processing A-MSDU subframes */ 1280 ic->ic_stats.is_rx_decap++; 1281 ml_purge(&subframes); 1282 m_freem(m); 1283 return; 1284 } 1285 1286 ml_enqueue(&subframes, m); 1287 1288 m = n; 1289 /* remove padding */ 1290 pad = ((len + 3) & ~3) - len; 1291 m_adj(m, pad); 1292 } 1293 1294 while ((n = ml_dequeue(&subframes)) != NULL) 1295 ieee80211_enqueue_data(ic, n, ni, mcast, ml); 1296 1297 m_freem(m); 1298 } 1299 1300 /* 1301 * Parse an EDCA Parameter Set element (see 7.3.2.27). 1302 */ 1303 int 1304 ieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm) 1305 { 1306 u_int updtcount; 1307 int aci; 1308 1309 /* 1310 * Check if EDCA parameters have changed XXX if we miss more than 1311 * 15 consecutive beacons, we might not detect changes to EDCA 1312 * parameters due to wraparound of the 4-bit Update Count field. 1313 */ 1314 updtcount = frm[0] & 0xf; 1315 if (updtcount == ic->ic_edca_updtcount) 1316 return 0; /* no changes to EDCA parameters, ignore */ 1317 ic->ic_edca_updtcount = updtcount; 1318 1319 frm += 2; /* skip QoS Info & Reserved fields */ 1320 1321 /* parse AC Parameter Records */ 1322 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 1323 struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci]; 1324 1325 ac->ac_acm = (frm[0] >> 4) & 0x1; 1326 ac->ac_aifsn = frm[0] & 0xf; 1327 ac->ac_ecwmin = frm[1] & 0xf; 1328 ac->ac_ecwmax = frm[1] >> 4; 1329 ac->ac_txoplimit = LE_READ_2(frm + 2); 1330 frm += 4; 1331 } 1332 /* give drivers a chance to update their settings */ 1333 if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL) 1334 (*ic->ic_updateedca)(ic); 1335 1336 return 0; 1337 } 1338 1339 int 1340 ieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm) 1341 { 1342 if (frm[1] < 18) { 1343 ic->ic_stats.is_rx_elem_toosmall++; 1344 return IEEE80211_REASON_IE_INVALID; 1345 } 1346 return ieee80211_parse_edca_params_body(ic, frm + 2); 1347 } 1348 1349 int 1350 ieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm) 1351 { 1352 if (frm[1] < 24) { 1353 ic->ic_stats.is_rx_elem_toosmall++; 1354 return IEEE80211_REASON_IE_INVALID; 1355 } 1356 return ieee80211_parse_edca_params_body(ic, frm + 8); 1357 } 1358 1359 enum ieee80211_cipher 1360 ieee80211_parse_rsn_cipher(const u_int8_t selector[4]) 1361 { 1362 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1363 switch (selector[3]) { 1364 case 0: /* use group data cipher suite */ 1365 return IEEE80211_CIPHER_USEGROUP; 1366 case 1: /* WEP-40 */ 1367 return IEEE80211_CIPHER_WEP40; 1368 case 2: /* TKIP */ 1369 return IEEE80211_CIPHER_TKIP; 1370 case 4: /* CCMP (RSNA default) */ 1371 return IEEE80211_CIPHER_CCMP; 1372 case 5: /* WEP-104 */ 1373 return IEEE80211_CIPHER_WEP104; 1374 } 1375 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1376 /* see 802.11-2012 Table 8-99 */ 1377 switch (selector[3]) { 1378 case 0: /* use group data cipher suite */ 1379 return IEEE80211_CIPHER_USEGROUP; 1380 case 1: /* WEP-40 */ 1381 return IEEE80211_CIPHER_WEP40; 1382 case 2: /* TKIP */ 1383 return IEEE80211_CIPHER_TKIP; 1384 case 4: /* CCMP (RSNA default) */ 1385 return IEEE80211_CIPHER_CCMP; 1386 case 5: /* WEP-104 */ 1387 return IEEE80211_CIPHER_WEP104; 1388 case 6: /* BIP */ 1389 return IEEE80211_CIPHER_BIP; 1390 } 1391 } 1392 return IEEE80211_CIPHER_NONE; /* ignore unknown ciphers */ 1393 } 1394 1395 enum ieee80211_akm 1396 ieee80211_parse_rsn_akm(const u_int8_t selector[4]) 1397 { 1398 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1399 switch (selector[3]) { 1400 case 1: /* IEEE 802.1X (RSNA default) */ 1401 return IEEE80211_AKM_8021X; 1402 case 2: /* PSK */ 1403 return IEEE80211_AKM_PSK; 1404 } 1405 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1406 /* from IEEE Std 802.11i-2004 - Table 20dc */ 1407 switch (selector[3]) { 1408 case 1: /* IEEE 802.1X (RSNA default) */ 1409 return IEEE80211_AKM_8021X; 1410 case 2: /* PSK */ 1411 return IEEE80211_AKM_PSK; 1412 case 5: /* IEEE 802.1X with SHA256 KDF */ 1413 return IEEE80211_AKM_SHA256_8021X; 1414 case 6: /* PSK with SHA256 KDF */ 1415 return IEEE80211_AKM_SHA256_PSK; 1416 } 1417 } 1418 return IEEE80211_AKM_NONE; /* ignore unknown AKMs */ 1419 } 1420 1421 /* 1422 * Parse an RSN element (see 802.11-2012 8.4.2.27) 1423 */ 1424 int 1425 ieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm, 1426 u_int len, struct ieee80211_rsnparams *rsn) 1427 { 1428 const u_int8_t *efrm; 1429 u_int16_t m, n, s; 1430 1431 efrm = frm + len; 1432 1433 /* check Version field */ 1434 if (LE_READ_2(frm) != 1) 1435 return IEEE80211_STATUS_RSN_IE_VER_UNSUP; 1436 frm += 2; 1437 1438 /* all fields after the Version field are optional */ 1439 1440 /* if Cipher Suite missing, default to CCMP */ 1441 rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP; 1442 rsn->rsn_nciphers = 1; 1443 rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP; 1444 /* if Group Management Cipher Suite missing, default to BIP */ 1445 rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP; 1446 /* if AKM Suite missing, default to 802.1X */ 1447 rsn->rsn_nakms = 1; 1448 rsn->rsn_akms = IEEE80211_AKM_8021X; 1449 /* if RSN capabilities missing, default to 0 */ 1450 rsn->rsn_caps = 0; 1451 rsn->rsn_npmkids = 0; 1452 1453 /* read Group Data Cipher Suite field */ 1454 if (frm + 4 > efrm) 1455 return 0; 1456 rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm); 1457 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_NONE || 1458 rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP || 1459 rsn->rsn_groupcipher == IEEE80211_CIPHER_BIP) 1460 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1461 frm += 4; 1462 1463 /* read Pairwise Cipher Suite Count field */ 1464 if (frm + 2 > efrm) 1465 return 0; 1466 m = rsn->rsn_nciphers = LE_READ_2(frm); 1467 frm += 2; 1468 1469 /* read Pairwise Cipher Suite List */ 1470 if (frm + m * 4 > efrm) 1471 return IEEE80211_STATUS_IE_INVALID; 1472 rsn->rsn_ciphers = IEEE80211_CIPHER_NONE; 1473 while (m-- > 0) { 1474 rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm); 1475 frm += 4; 1476 } 1477 if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) { 1478 if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP) 1479 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1480 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP) 1481 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1482 } 1483 1484 /* read AKM Suite List Count field */ 1485 if (frm + 2 > efrm) 1486 return 0; 1487 n = rsn->rsn_nakms = LE_READ_2(frm); 1488 frm += 2; 1489 1490 /* read AKM Suite List */ 1491 if (frm + n * 4 > efrm) 1492 return IEEE80211_STATUS_IE_INVALID; 1493 rsn->rsn_akms = IEEE80211_AKM_NONE; 1494 while (n-- > 0) { 1495 rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm); 1496 frm += 4; 1497 } 1498 1499 /* read RSN Capabilities field */ 1500 if (frm + 2 > efrm) 1501 return 0; 1502 rsn->rsn_caps = LE_READ_2(frm); 1503 frm += 2; 1504 1505 /* read PMKID Count field */ 1506 if (frm + 2 > efrm) 1507 return 0; 1508 s = rsn->rsn_npmkids = LE_READ_2(frm); 1509 frm += 2; 1510 1511 /* read PMKID List */ 1512 if (frm + s * IEEE80211_PMKID_LEN > efrm) 1513 return IEEE80211_STATUS_IE_INVALID; 1514 if (s != 0) { 1515 rsn->rsn_pmkids = frm; 1516 frm += s * IEEE80211_PMKID_LEN; 1517 } 1518 1519 /* read Group Management Cipher Suite field */ 1520 if (frm + 4 > efrm) 1521 return 0; 1522 rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm); 1523 if (rsn->rsn_groupmgmtcipher != IEEE80211_CIPHER_BIP) 1524 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1525 1526 return IEEE80211_STATUS_SUCCESS; 1527 } 1528 1529 int 1530 ieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm, 1531 struct ieee80211_rsnparams *rsn) 1532 { 1533 if (frm[1] < 2) { 1534 ic->ic_stats.is_rx_elem_toosmall++; 1535 return IEEE80211_STATUS_IE_INVALID; 1536 } 1537 return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn); 1538 } 1539 1540 int 1541 ieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm, 1542 struct ieee80211_rsnparams *rsn) 1543 { 1544 if (frm[1] < 6) { 1545 ic->ic_stats.is_rx_elem_toosmall++; 1546 return IEEE80211_STATUS_IE_INVALID; 1547 } 1548 return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn); 1549 } 1550 1551 /* 1552 * Create (or update) a copy of an information element. 1553 */ 1554 int 1555 ieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie) 1556 { 1557 int olen = *ie ? 2 + (*ie)[1] : 0; 1558 int len = 2 + frm[1]; 1559 1560 if (*ie == NULL || olen != len) { 1561 if (*ie != NULL) 1562 free(*ie, M_DEVBUF, olen); 1563 *ie = malloc(len, M_DEVBUF, M_NOWAIT); 1564 if (*ie == NULL) 1565 return ENOMEM; 1566 } 1567 memcpy(*ie, frm, len); 1568 return 0; 1569 } 1570 1571 /*- 1572 * Beacon/Probe response frame format: 1573 * [8] Timestamp 1574 * [2] Beacon interval 1575 * [2] Capability 1576 * [tlv] Service Set Identifier (SSID) 1577 * [tlv] Supported rates 1578 * [tlv] DS Parameter Set (802.11g) 1579 * [tlv] ERP Information (802.11g) 1580 * [tlv] Extended Supported Rates (802.11g) 1581 * [tlv] RSN (802.11i) 1582 * [tlv] EDCA Parameter Set (802.11e) 1583 * [tlv] QoS Capability (Beacon only, 802.11e) 1584 * [tlv] HT Capabilities (802.11n) 1585 * [tlv] HT Operation (802.11n) 1586 */ 1587 void 1588 ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m, 1589 struct ieee80211_node *rni, struct ieee80211_rxinfo *rxi, int isprobe) 1590 { 1591 struct ieee80211_node *ni; 1592 const struct ieee80211_frame *wh; 1593 const u_int8_t *frm, *efrm; 1594 const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie; 1595 const u_int8_t *rsnie, *wpaie, *htcaps, *htop; 1596 u_int16_t capinfo, bintval; 1597 u_int8_t chan, bchan, erp, dtim_count, dtim_period; 1598 int is_new; 1599 1600 /* 1601 * We process beacon/probe response frames for: 1602 * o station mode: to collect state 1603 * updates such as 802.11g slot time and for passive 1604 * scanning of APs 1605 * o adhoc mode: to discover neighbors 1606 * o hostap mode: for passive scanning of neighbor APs 1607 * o when scanning 1608 * In other words, in all modes other than monitor (which 1609 * does not process incoming frames) and adhoc-demo (which 1610 * does not use management frames at all). 1611 */ 1612 #ifdef DIAGNOSTIC 1613 if (ic->ic_opmode != IEEE80211_M_STA && 1614 #ifndef IEEE80211_STA_ONLY 1615 ic->ic_opmode != IEEE80211_M_IBSS && 1616 ic->ic_opmode != IEEE80211_M_HOSTAP && 1617 #endif 1618 ic->ic_state != IEEE80211_S_SCAN) { 1619 panic("%s: impossible operating mode", __func__); 1620 } 1621 #endif 1622 /* make sure all mandatory fixed fields are present */ 1623 if (m->m_len < sizeof(*wh) + 12) { 1624 DPRINTF(("frame too short\n")); 1625 return; 1626 } 1627 wh = mtod(m, struct ieee80211_frame *); 1628 frm = (const u_int8_t *)&wh[1]; 1629 efrm = mtod(m, u_int8_t *) + m->m_len; 1630 1631 tstamp = frm; frm += 8; 1632 bintval = LE_READ_2(frm); frm += 2; 1633 capinfo = LE_READ_2(frm); frm += 2; 1634 1635 ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = NULL; 1636 htcaps = htop = NULL; 1637 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1638 chan = bchan; 1639 erp = 0; 1640 dtim_count = dtim_period = 0; 1641 while (frm + 2 <= efrm) { 1642 if (frm + 2 + frm[1] > efrm) { 1643 ic->ic_stats.is_rx_elem_toosmall++; 1644 break; 1645 } 1646 switch (frm[0]) { 1647 case IEEE80211_ELEMID_SSID: 1648 ssid = frm; 1649 break; 1650 case IEEE80211_ELEMID_RATES: 1651 rates = frm; 1652 break; 1653 case IEEE80211_ELEMID_DSPARMS: 1654 if (frm[1] < 1) { 1655 ic->ic_stats.is_rx_elem_toosmall++; 1656 break; 1657 } 1658 chan = frm[2]; 1659 break; 1660 case IEEE80211_ELEMID_XRATES: 1661 xrates = frm; 1662 break; 1663 case IEEE80211_ELEMID_ERP: 1664 if (frm[1] < 1) { 1665 ic->ic_stats.is_rx_elem_toosmall++; 1666 break; 1667 } 1668 erp = frm[2]; 1669 break; 1670 case IEEE80211_ELEMID_RSN: 1671 rsnie = frm; 1672 break; 1673 case IEEE80211_ELEMID_EDCAPARMS: 1674 edcaie = frm; 1675 break; 1676 case IEEE80211_ELEMID_HTCAPS: 1677 htcaps = frm; 1678 break; 1679 case IEEE80211_ELEMID_HTOP: 1680 htop = frm; 1681 break; 1682 case IEEE80211_ELEMID_TIM: 1683 if (frm[1] > 3) { 1684 dtim_count = frm[2]; 1685 dtim_period = frm[3]; 1686 } 1687 break; 1688 case IEEE80211_ELEMID_VENDOR: 1689 if (frm[1] < 4) { 1690 ic->ic_stats.is_rx_elem_toosmall++; 1691 break; 1692 } 1693 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1694 if (frm[5] == 1) 1695 wpaie = frm; 1696 else if (frm[1] >= 5 && 1697 frm[5] == 2 && frm[6] == 1) 1698 wmmie = frm; 1699 } 1700 break; 1701 } 1702 frm += 2 + frm[1]; 1703 } 1704 /* supported rates element is mandatory */ 1705 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1706 DPRINTF(("invalid supported rates element\n")); 1707 return; 1708 } 1709 /* SSID element is mandatory */ 1710 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1711 DPRINTF(("invalid SSID element\n")); 1712 return; 1713 } 1714 1715 if ( 1716 #if IEEE80211_CHAN_MAX < 255 1717 chan > IEEE80211_CHAN_MAX || 1718 #endif 1719 isclr(ic->ic_chan_active, chan)) { 1720 DPRINTF(("ignore %s with invalid channel %u\n", 1721 isprobe ? "probe response" : "beacon", chan)); 1722 ic->ic_stats.is_rx_badchan++; 1723 return; 1724 } 1725 if ((ic->ic_state != IEEE80211_S_SCAN || 1726 !(ic->ic_caps & IEEE80211_C_SCANALL)) && 1727 chan != bchan) { 1728 /* 1729 * Frame was received on a channel different from the 1730 * one indicated in the DS params element id; 1731 * silently discard it. 1732 * 1733 * NB: this can happen due to signal leakage. 1734 */ 1735 DPRINTF(("ignore %s on channel %u marked for channel %u\n", 1736 isprobe ? "probe response" : "beacon", bchan, chan)); 1737 ic->ic_stats.is_rx_chanmismatch++; 1738 return; 1739 } 1740 /* 1741 * Use mac, channel and rssi so we collect only the 1742 * best potential AP with the equal bssid while scanning. 1743 * Collecting all potential APs may result in bloat of 1744 * the node tree. This call will return NULL if the node 1745 * for this APs does not exist or if the new node is the 1746 * potential better one. 1747 */ 1748 ni = ieee80211_find_node_for_beacon(ic, wh->i_addr2, 1749 &ic->ic_channels[chan], ssid, rxi->rxi_rssi); 1750 if (ni != NULL) { 1751 /* 1752 * If we are doing a directed scan for an AP with a hidden SSID 1753 * we must collect the SSID from a probe response to override 1754 * a non-zero-length SSID filled with zeroes that we may have 1755 * received earlier in a beacon. 1756 */ 1757 if (isprobe && ssid[1] != 0 && ni->ni_essid[0] == '\0') { 1758 ni->ni_esslen = ssid[1]; 1759 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1760 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1761 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1762 } 1763 1764 /* Update channel in case AP has switched */ 1765 if (ic->ic_opmode == IEEE80211_M_STA) 1766 ni->ni_chan = rni->ni_chan; 1767 1768 return; 1769 } 1770 1771 #ifdef IEEE80211_DEBUG 1772 if (ieee80211_debug > 1 && 1773 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN || 1774 (ic->ic_flags & IEEE80211_F_BGSCAN))) { 1775 printf("%s: %s%s on chan %u (bss chan %u) ", 1776 __func__, (ni == NULL ? "new " : ""), 1777 isprobe ? "probe response" : "beacon", 1778 chan, bchan); 1779 ieee80211_print_essid(ssid + 2, ssid[1]); 1780 printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2)); 1781 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1782 __func__, capinfo, bintval, erp); 1783 } 1784 #endif 1785 1786 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1787 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1788 if (ni == NULL) 1789 return; 1790 is_new = 1; 1791 } else 1792 is_new = 0; 1793 1794 if (htcaps) 1795 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1796 if (htop && !ieee80211_setup_htop(ni, htop + 2, htop[1], 1)) 1797 htop = NULL; /* invalid HTOP */ 1798 1799 ni->ni_dtimcount = dtim_count; 1800 ni->ni_dtimperiod = dtim_period; 1801 1802 /* 1803 * When operating in station mode, check for state updates 1804 * while we're associated. 1805 */ 1806 if (ic->ic_opmode == IEEE80211_M_STA && 1807 ic->ic_state == IEEE80211_S_RUN && 1808 ni->ni_state == IEEE80211_STA_BSS) { 1809 int updateprot = 0; 1810 /* 1811 * Check if protection mode has changed since last beacon. 1812 */ 1813 if (ni->ni_erp != erp) { 1814 DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n", 1815 ether_sprintf((u_int8_t *)wh->i_addr2), 1816 ni->ni_erp, erp)); 1817 if ((ic->ic_curmode == IEEE80211_MODE_11G || 1818 (ic->ic_curmode == IEEE80211_MODE_11N && 1819 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 1820 (erp & IEEE80211_ERP_USE_PROTECTION)) 1821 ic->ic_flags |= IEEE80211_F_USEPROT; 1822 else 1823 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1824 ic->ic_bss->ni_erp = erp; 1825 updateprot = 1; 1826 } 1827 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT)) { 1828 enum ieee80211_htprot htprot_last, htprot; 1829 htprot_last = 1830 ((ic->ic_bss->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) 1831 >> IEEE80211_HTOP1_PROT_SHIFT); 1832 htprot = ((ni->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) >> 1833 IEEE80211_HTOP1_PROT_SHIFT); 1834 if (htprot_last != htprot) { 1835 DPRINTF(("[%s] htprot change: was %d, now %d\n", 1836 ether_sprintf((u_int8_t *)wh->i_addr2), 1837 htprot_last, htprot)); 1838 ic->ic_stats.is_ht_prot_change++; 1839 ic->ic_bss->ni_htop1 = ni->ni_htop1; 1840 updateprot = 1; 1841 } 1842 } 1843 if (updateprot && ic->ic_updateprot != NULL) 1844 ic->ic_updateprot(ic); 1845 1846 /* 1847 * Check if AP short slot time setting has changed 1848 * since last beacon and give the driver a chance to 1849 * update the hardware. 1850 */ 1851 if ((ni->ni_capinfo ^ capinfo) & 1852 IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1853 ieee80211_set_shortslottime(ic, 1854 ic->ic_curmode == IEEE80211_MODE_11A || 1855 (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1856 } 1857 1858 /* 1859 * Reset management timer. If it is non-zero in RUN state, the 1860 * driver sent a probe request after a missed beacon event. 1861 * This probe response indicates the AP is still serving us 1862 * so don't allow ieee80211_watchdog() to move us into SCAN. 1863 */ 1864 if ((ic->ic_flags & IEEE80211_F_BGSCAN) == 0) 1865 ic->ic_mgt_timer = 0; 1866 } 1867 /* 1868 * We do not try to update EDCA parameters if QoS was not negotiated 1869 * with the AP at association time. 1870 */ 1871 if (ni->ni_flags & IEEE80211_NODE_QOS) { 1872 /* always prefer EDCA IE over Wi-Fi Alliance WMM IE */ 1873 if ((edcaie != NULL && 1874 ieee80211_parse_edca_params(ic, edcaie) == 0) || 1875 (wmmie != NULL && 1876 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 1877 ni->ni_flags |= IEEE80211_NODE_QOS; 1878 else 1879 ni->ni_flags &= ~IEEE80211_NODE_QOS; 1880 } 1881 1882 if (ic->ic_state == IEEE80211_S_SCAN || 1883 (ic->ic_flags & IEEE80211_F_BGSCAN)) { 1884 struct ieee80211_rsnparams rsn, wpa; 1885 1886 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1887 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 1888 ni->ni_rsnakms = 0; 1889 ni->ni_supported_rsnakms = 0; 1890 ni->ni_rsnciphers = 0; 1891 ni->ni_rsngroupcipher = 0; 1892 ni->ni_rsngroupmgmtcipher = 0; 1893 ni->ni_rsncaps = 0; 1894 1895 if (rsnie != NULL && 1896 ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) { 1897 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_RSN; 1898 ni->ni_supported_rsnakms |= rsn.rsn_akms; 1899 } 1900 if (wpaie != NULL && 1901 ieee80211_parse_wpa(ic, wpaie, &wpa) == 0) { 1902 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_WPA; 1903 ni->ni_supported_rsnakms |= wpa.rsn_akms; 1904 } 1905 1906 /* 1907 * If the AP advertises both WPA and RSN IEs (WPA1+WPA2), 1908 * we only use the highest protocol version we support. 1909 */ 1910 if (rsnie != NULL && 1911 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_RSN) && 1912 (ic->ic_caps & IEEE80211_C_RSN)) { 1913 if (ieee80211_save_ie(rsnie, &ni->ni_rsnie) == 0 1914 #ifndef IEEE80211_STA_ONLY 1915 && ic->ic_opmode != IEEE80211_M_HOSTAP 1916 #endif 1917 ) { 1918 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1919 ni->ni_rsnakms = rsn.rsn_akms; 1920 ni->ni_rsnciphers = rsn.rsn_ciphers; 1921 ni->ni_rsngroupcipher = rsn.rsn_groupcipher; 1922 ni->ni_rsngroupmgmtcipher = 1923 rsn.rsn_groupmgmtcipher; 1924 ni->ni_rsncaps = rsn.rsn_caps; 1925 } 1926 } else if (wpaie != NULL && 1927 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_WPA) && 1928 (ic->ic_caps & IEEE80211_C_RSN)) { 1929 if (ieee80211_save_ie(wpaie, &ni->ni_rsnie) == 0 1930 #ifndef IEEE80211_STA_ONLY 1931 && ic->ic_opmode != IEEE80211_M_HOSTAP 1932 #endif 1933 ) { 1934 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1935 ni->ni_rsnakms = wpa.rsn_akms; 1936 ni->ni_rsnciphers = wpa.rsn_ciphers; 1937 ni->ni_rsngroupcipher = wpa.rsn_groupcipher; 1938 ni->ni_rsngroupmgmtcipher = 1939 wpa.rsn_groupmgmtcipher; 1940 ni->ni_rsncaps = wpa.rsn_caps; 1941 } 1942 } 1943 } 1944 1945 if (ssid[1] != 0 && ni->ni_essid[0] == '\0') { 1946 ni->ni_esslen = ssid[1]; 1947 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1948 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1949 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1950 } 1951 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1952 /* XXX validate channel # */ 1953 ni->ni_chan = &ic->ic_channels[chan]; 1954 if (ic->ic_state == IEEE80211_S_SCAN && 1955 IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) { 1956 /* 1957 * During a scan on 5Ghz, prefer RSSI measured for probe 1958 * response frames. i.e. don't allow beacons to lower the 1959 * measured RSSI. Some 5GHz APs send beacons with much 1960 * less Tx power than they use for probe responses. 1961 */ 1962 if (isprobe || ni->ni_rssi == 0) 1963 ni->ni_rssi = rxi->rxi_rssi; 1964 else if (ni->ni_rssi < rxi->rxi_rssi) 1965 ni->ni_rssi = rxi->rxi_rssi; 1966 } else 1967 ni->ni_rssi = rxi->rxi_rssi; 1968 ni->ni_rstamp = rxi->rxi_tstamp; 1969 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 1970 ni->ni_intval = bintval; 1971 ni->ni_capinfo = capinfo; 1972 ni->ni_erp = erp; 1973 /* NB: must be after ni_chan is setup */ 1974 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 1975 #ifndef IEEE80211_STA_ONLY 1976 if (ic->ic_opmode == IEEE80211_M_IBSS && is_new && isprobe) { 1977 /* 1978 * Fake an association so the driver can setup it's 1979 * private state. The rate set has been setup above; 1980 * there is no handshake as in ap/station operation. 1981 */ 1982 if (ic->ic_newassoc) 1983 (*ic->ic_newassoc)(ic, ni, 1); 1984 } 1985 #endif 1986 } 1987 1988 #ifndef IEEE80211_STA_ONLY 1989 /*- 1990 * Probe request frame format: 1991 * [tlv] SSID 1992 * [tlv] Supported rates 1993 * [tlv] Extended Supported Rates (802.11g) 1994 * [tlv] HT Capabilities (802.11n) 1995 */ 1996 void 1997 ieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m, 1998 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1999 { 2000 const struct ieee80211_frame *wh; 2001 const u_int8_t *frm, *efrm; 2002 const u_int8_t *ssid, *rates, *xrates, *htcaps; 2003 u_int8_t rate; 2004 2005 if (ic->ic_opmode == IEEE80211_M_STA || 2006 ic->ic_state != IEEE80211_S_RUN) 2007 return; 2008 2009 wh = mtod(m, struct ieee80211_frame *); 2010 frm = (const u_int8_t *)&wh[1]; 2011 efrm = mtod(m, u_int8_t *) + m->m_len; 2012 2013 ssid = rates = xrates = htcaps = NULL; 2014 while (frm + 2 <= efrm) { 2015 if (frm + 2 + frm[1] > efrm) { 2016 ic->ic_stats.is_rx_elem_toosmall++; 2017 break; 2018 } 2019 switch (frm[0]) { 2020 case IEEE80211_ELEMID_SSID: 2021 ssid = frm; 2022 break; 2023 case IEEE80211_ELEMID_RATES: 2024 rates = frm; 2025 break; 2026 case IEEE80211_ELEMID_XRATES: 2027 xrates = frm; 2028 break; 2029 case IEEE80211_ELEMID_HTCAPS: 2030 htcaps = frm; 2031 break; 2032 } 2033 frm += 2 + frm[1]; 2034 } 2035 /* supported rates element is mandatory */ 2036 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2037 DPRINTF(("invalid supported rates element\n")); 2038 return; 2039 } 2040 /* SSID element is mandatory */ 2041 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 2042 DPRINTF(("invalid SSID element\n")); 2043 return; 2044 } 2045 /* check that the specified SSID (if not wildcard) matches ours */ 2046 if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen || 2047 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) { 2048 DPRINTF(("SSID mismatch\n")); 2049 ic->ic_stats.is_rx_ssidmismatch++; 2050 return; 2051 } 2052 /* refuse wildcard SSID if we're hiding our SSID in beacons */ 2053 if (ssid[1] == 0 && (ic->ic_userflags & IEEE80211_F_HIDENWID)) { 2054 DPRINTF(("wildcard SSID rejected")); 2055 ic->ic_stats.is_rx_ssidmismatch++; 2056 return; 2057 } 2058 2059 if (ni == ic->ic_bss) { 2060 ni = ieee80211_find_node(ic, wh->i_addr2); 2061 if (ni == NULL) 2062 ni = ieee80211_dup_bss(ic, wh->i_addr2); 2063 if (ni == NULL) 2064 return; 2065 DPRINTF(("new probe req from %s\n", 2066 ether_sprintf((u_int8_t *)wh->i_addr2))); 2067 } 2068 ni->ni_rssi = rxi->rxi_rssi; 2069 ni->ni_rstamp = rxi->rxi_tstamp; 2070 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2071 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2072 IEEE80211_F_DODEL); 2073 if (rate & IEEE80211_RATE_BASIC) { 2074 DPRINTF(("rate mismatch for %s\n", 2075 ether_sprintf((u_int8_t *)wh->i_addr2))); 2076 return; 2077 } 2078 if (htcaps) 2079 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2080 else 2081 ieee80211_clear_htcaps(ni); 2082 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 2083 } 2084 #endif /* IEEE80211_STA_ONLY */ 2085 2086 /*- 2087 * Authentication frame format: 2088 * [2] Authentication algorithm number 2089 * [2] Authentication transaction sequence number 2090 * [2] Status code 2091 */ 2092 void 2093 ieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m, 2094 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 2095 { 2096 const struct ieee80211_frame *wh; 2097 const u_int8_t *frm; 2098 u_int16_t algo, seq, status; 2099 2100 /* make sure all mandatory fixed fields are present */ 2101 if (m->m_len < sizeof(*wh) + 6) { 2102 DPRINTF(("frame too short\n")); 2103 return; 2104 } 2105 wh = mtod(m, struct ieee80211_frame *); 2106 frm = (const u_int8_t *)&wh[1]; 2107 2108 algo = LE_READ_2(frm); frm += 2; 2109 seq = LE_READ_2(frm); frm += 2; 2110 status = LE_READ_2(frm); frm += 2; 2111 DPRINTF(("auth %d seq %d from %s\n", algo, seq, 2112 ether_sprintf((u_int8_t *)wh->i_addr2))); 2113 2114 /* only "open" auth mode is supported */ 2115 if (algo != IEEE80211_AUTH_ALG_OPEN) { 2116 DPRINTF(("unsupported auth algorithm %d from %s\n", 2117 algo, ether_sprintf((u_int8_t *)wh->i_addr2))); 2118 ic->ic_stats.is_rx_auth_unsupported++; 2119 #ifndef IEEE80211_STA_ONLY 2120 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2121 /* XXX hack to workaround calling convention */ 2122 IEEE80211_SEND_MGMT(ic, ni, 2123 IEEE80211_FC0_SUBTYPE_AUTH, 2124 IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xfff)); 2125 } 2126 #endif 2127 return; 2128 } 2129 ieee80211_auth_open(ic, wh, ni, rxi, seq, status); 2130 } 2131 2132 #ifndef IEEE80211_STA_ONLY 2133 /*- 2134 * (Re)Association request frame format: 2135 * [2] Capability information 2136 * [2] Listen interval 2137 * [6*] Current AP address (Reassociation only) 2138 * [tlv] SSID 2139 * [tlv] Supported rates 2140 * [tlv] Extended Supported Rates (802.11g) 2141 * [tlv] RSN (802.11i) 2142 * [tlv] QoS Capability (802.11e) 2143 * [tlv] HT Capabilities (802.11n) 2144 */ 2145 void 2146 ieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m, 2147 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc) 2148 { 2149 const struct ieee80211_frame *wh; 2150 const u_int8_t *frm, *efrm; 2151 const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *wmeie, *htcaps; 2152 u_int16_t capinfo, bintval; 2153 int resp, status = 0; 2154 struct ieee80211_rsnparams rsn; 2155 u_int8_t rate; 2156 const u_int8_t *saveie = NULL; 2157 2158 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2159 ic->ic_state != IEEE80211_S_RUN) 2160 return; 2161 2162 /* make sure all mandatory fixed fields are present */ 2163 if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) { 2164 DPRINTF(("frame too short\n")); 2165 return; 2166 } 2167 wh = mtod(m, struct ieee80211_frame *); 2168 frm = (const u_int8_t *)&wh[1]; 2169 efrm = mtod(m, u_int8_t *) + m->m_len; 2170 2171 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2172 DPRINTF(("ignore other bss from %s\n", 2173 ether_sprintf((u_int8_t *)wh->i_addr2))); 2174 ic->ic_stats.is_rx_assoc_bss++; 2175 return; 2176 } 2177 capinfo = LE_READ_2(frm); frm += 2; 2178 bintval = LE_READ_2(frm); frm += 2; 2179 if (reassoc) { 2180 frm += IEEE80211_ADDR_LEN; /* skip current AP address */ 2181 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2182 } else 2183 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2184 2185 ssid = rates = xrates = rsnie = wpaie = wmeie = htcaps = NULL; 2186 while (frm + 2 <= efrm) { 2187 if (frm + 2 + frm[1] > efrm) { 2188 ic->ic_stats.is_rx_elem_toosmall++; 2189 break; 2190 } 2191 switch (frm[0]) { 2192 case IEEE80211_ELEMID_SSID: 2193 ssid = frm; 2194 break; 2195 case IEEE80211_ELEMID_RATES: 2196 rates = frm; 2197 break; 2198 case IEEE80211_ELEMID_XRATES: 2199 xrates = frm; 2200 break; 2201 case IEEE80211_ELEMID_RSN: 2202 rsnie = frm; 2203 break; 2204 case IEEE80211_ELEMID_QOS_CAP: 2205 break; 2206 case IEEE80211_ELEMID_HTCAPS: 2207 htcaps = frm; 2208 break; 2209 case IEEE80211_ELEMID_VENDOR: 2210 if (frm[1] < 4) { 2211 ic->ic_stats.is_rx_elem_toosmall++; 2212 break; 2213 } 2214 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2215 if (frm[5] == 1) 2216 wpaie = frm; 2217 /* WME info IE: len=7 type=2 subtype=0 */ 2218 if (frm[1] == 7 && frm[5] == 2 && frm[6] == 0) 2219 wmeie = frm; 2220 } 2221 break; 2222 } 2223 frm += 2 + frm[1]; 2224 } 2225 /* supported rates element is mandatory */ 2226 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2227 DPRINTF(("invalid supported rates element\n")); 2228 return; 2229 } 2230 /* SSID element is mandatory */ 2231 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 2232 DPRINTF(("invalid SSID element\n")); 2233 return; 2234 } 2235 /* check that the specified SSID matches ours */ 2236 if (ssid[1] != ic->ic_bss->ni_esslen || 2237 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) { 2238 DPRINTF(("SSID mismatch\n")); 2239 ic->ic_stats.is_rx_ssidmismatch++; 2240 return; 2241 } 2242 2243 if (ni->ni_state != IEEE80211_STA_AUTH && 2244 ni->ni_state != IEEE80211_STA_ASSOC) { 2245 DPRINTF(("deny %sassoc from %s, not authenticated\n", 2246 reassoc ? "re" : "", 2247 ether_sprintf((u_int8_t *)wh->i_addr2))); 2248 ni = ieee80211_find_node(ic, wh->i_addr2); 2249 if (ni == NULL) 2250 ni = ieee80211_dup_bss(ic, wh->i_addr2); 2251 if (ni != NULL) { 2252 IEEE80211_SEND_MGMT(ic, ni, 2253 IEEE80211_FC0_SUBTYPE_DEAUTH, 2254 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2255 } 2256 ic->ic_stats.is_rx_assoc_notauth++; 2257 return; 2258 } 2259 2260 if (ni->ni_state == IEEE80211_STA_ASSOC && 2261 (ni->ni_flags & IEEE80211_NODE_MFP)) { 2262 if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) { 2263 /* send a protected Disassociate frame */ 2264 IEEE80211_SEND_MGMT(ic, ni, 2265 IEEE80211_FC0_SUBTYPE_DISASSOC, 2266 IEEE80211_REASON_AUTH_EXPIRE); 2267 /* terminate the old SA */ 2268 ieee80211_node_leave(ic, ni); 2269 } else { 2270 /* reject the (Re)Association Request temporarily */ 2271 IEEE80211_SEND_MGMT(ic, ni, resp, 2272 IEEE80211_STATUS_TRY_AGAIN_LATER); 2273 /* start SA Query procedure if not already engaged */ 2274 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) 2275 ieee80211_sa_query_request(ic, ni); 2276 /* do not modify association state */ 2277 } 2278 return; 2279 } 2280 2281 if (!(capinfo & IEEE80211_CAPINFO_ESS)) { 2282 ic->ic_stats.is_rx_assoc_capmismatch++; 2283 status = IEEE80211_STATUS_CAPINFO; 2284 goto end; 2285 } 2286 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2287 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2288 IEEE80211_F_DODEL); 2289 if (rate & IEEE80211_RATE_BASIC) { 2290 ic->ic_stats.is_rx_assoc_norate++; 2291 status = IEEE80211_STATUS_BASIC_RATE; 2292 goto end; 2293 } 2294 2295 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2296 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 2297 ni->ni_rsnakms = 0; 2298 ni->ni_supported_rsnakms = 0; 2299 ni->ni_rsnciphers = 0; 2300 ni->ni_rsngroupcipher = 0; 2301 ni->ni_rsngroupmgmtcipher = 0; 2302 ni->ni_rsncaps = 0; 2303 2304 /* 2305 * A station should never include both a WPA and an RSN IE 2306 * in its (Re)Association Requests, but if it does, we only 2307 * consider the IE of the highest version of the protocol 2308 * that is allowed (ie RSN over WPA). 2309 */ 2310 if (rsnie != NULL) { 2311 status = ieee80211_parse_rsn(ic, rsnie, &rsn); 2312 if (status != 0) 2313 goto end; 2314 ni->ni_supported_rsnprotos = IEEE80211_PROTO_RSN; 2315 ni->ni_supported_rsnakms = rsn.rsn_akms; 2316 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2317 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 2318 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 2319 saveie = rsnie; 2320 } 2321 } else if (wpaie != NULL) { 2322 status = ieee80211_parse_wpa(ic, wpaie, &rsn); 2323 if (status != 0) 2324 goto end; 2325 ni->ni_supported_rsnprotos = IEEE80211_PROTO_WPA; 2326 ni->ni_supported_rsnakms = rsn.rsn_akms; 2327 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2328 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 2329 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 2330 saveie = wpaie; 2331 } 2332 } 2333 2334 if (ic->ic_flags & IEEE80211_F_QOS) { 2335 if (wmeie != NULL) 2336 ni->ni_flags |= IEEE80211_NODE_QOS; 2337 else /* for Reassociation */ 2338 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2339 } 2340 2341 if (ic->ic_flags & IEEE80211_F_RSNON) { 2342 if (ni->ni_rsnprotos == IEEE80211_PROTO_NONE) { 2343 /* 2344 * In an RSN, an AP shall not associate with STAs 2345 * that fail to include the RSN IE in the 2346 * (Re)Association Request. 2347 */ 2348 status = IEEE80211_STATUS_IE_INVALID; 2349 goto end; 2350 } 2351 /* 2352 * The initiating STA's RSN IE shall include one authentication 2353 * and pairwise cipher suite among those advertised by the 2354 * targeted AP. It shall also specify the group cipher suite 2355 * specified by the targeted AP. 2356 */ 2357 if (rsn.rsn_nakms != 1 || 2358 !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) { 2359 status = IEEE80211_STATUS_BAD_AKMP; 2360 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2361 goto end; 2362 } 2363 if (rsn.rsn_nciphers != 1 || 2364 !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) { 2365 status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 2366 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2367 goto end; 2368 } 2369 if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) { 2370 status = IEEE80211_STATUS_BAD_GROUP_CIPHER; 2371 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2372 goto end; 2373 } 2374 2375 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) && 2376 !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) { 2377 status = IEEE80211_STATUS_MFP_POLICY; 2378 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2379 goto end; 2380 } 2381 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 2382 (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC | 2383 IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) { 2384 /* STA advertises an invalid setting */ 2385 status = IEEE80211_STATUS_MFP_POLICY; 2386 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2387 goto end; 2388 } 2389 /* 2390 * A STA that has associated with Management Frame Protection 2391 * enabled shall not use cipher suite pairwise selector WEP40, 2392 * WEP104, TKIP, or "Use Group cipher suite". 2393 */ 2394 if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) && 2395 (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP || 2396 rsn.rsn_groupmgmtcipher != 2397 ic->ic_bss->ni_rsngroupmgmtcipher)) { 2398 status = IEEE80211_STATUS_MFP_POLICY; 2399 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2400 goto end; 2401 } 2402 2403 /* 2404 * Disallow new associations using TKIP if countermeasures 2405 * are active. 2406 */ 2407 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 2408 (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP || 2409 rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) { 2410 status = IEEE80211_STATUS_CIPHER_REJ_POLICY; 2411 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2412 goto end; 2413 } 2414 2415 /* everything looks fine, save IE and parameters */ 2416 if (saveie == NULL || 2417 ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) { 2418 status = IEEE80211_STATUS_TOOMANY; 2419 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2420 goto end; 2421 } 2422 ni->ni_rsnakms = rsn.rsn_akms; 2423 ni->ni_rsnciphers = rsn.rsn_ciphers; 2424 ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher; 2425 ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher; 2426 ni->ni_rsncaps = rsn.rsn_caps; 2427 2428 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 2429 struct ieee80211_pmk *pmk = NULL; 2430 const u_int8_t *pmkid = rsn.rsn_pmkids; 2431 /* 2432 * Check if we have a cached PMK entry matching one 2433 * of the PMKIDs specified in the RSN IE. 2434 */ 2435 while (rsn.rsn_npmkids-- > 0) { 2436 pmk = ieee80211_pmksa_find(ic, ni, pmkid); 2437 if (pmk != NULL) 2438 break; 2439 pmkid += IEEE80211_PMKID_LEN; 2440 } 2441 if (pmk != NULL) { 2442 memcpy(ni->ni_pmk, pmk->pmk_key, 2443 IEEE80211_PMK_LEN); 2444 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 2445 IEEE80211_PMKID_LEN); 2446 ni->ni_flags |= IEEE80211_NODE_PMK; 2447 } 2448 } 2449 } 2450 2451 ni->ni_rssi = rxi->rxi_rssi; 2452 ni->ni_rstamp = rxi->rxi_tstamp; 2453 ni->ni_intval = bintval; 2454 ni->ni_capinfo = capinfo; 2455 ni->ni_chan = ic->ic_bss->ni_chan; 2456 if (htcaps) 2457 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2458 else 2459 ieee80211_clear_htcaps(ni); 2460 end: 2461 if (status != 0) { 2462 IEEE80211_SEND_MGMT(ic, ni, resp, status); 2463 ieee80211_node_leave(ic, ni); 2464 } else 2465 ieee80211_node_join(ic, ni, resp); 2466 } 2467 #endif /* IEEE80211_STA_ONLY */ 2468 2469 /*- 2470 * (Re)Association response frame format: 2471 * [2] Capability information 2472 * [2] Status code 2473 * [2] Association ID (AID) 2474 * [tlv] Supported rates 2475 * [tlv] Extended Supported Rates (802.11g) 2476 * [tlv] EDCA Parameter Set (802.11e) 2477 * [tlv] HT Capabilities (802.11n) 2478 * [tlv] HT Operation (802.11n) 2479 */ 2480 void 2481 ieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m, 2482 struct ieee80211_node *ni, int reassoc) 2483 { 2484 struct ifnet *ifp = &ic->ic_if; 2485 const struct ieee80211_frame *wh; 2486 const u_int8_t *frm, *efrm; 2487 const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop; 2488 u_int16_t capinfo, status, associd; 2489 u_int8_t rate; 2490 2491 if (ic->ic_opmode != IEEE80211_M_STA || 2492 ic->ic_state != IEEE80211_S_ASSOC) { 2493 ic->ic_stats.is_rx_mgtdiscard++; 2494 return; 2495 } 2496 2497 /* make sure all mandatory fixed fields are present */ 2498 if (m->m_len < sizeof(*wh) + 6) { 2499 DPRINTF(("frame too short\n")); 2500 return; 2501 } 2502 wh = mtod(m, struct ieee80211_frame *); 2503 frm = (const u_int8_t *)&wh[1]; 2504 efrm = mtod(m, u_int8_t *) + m->m_len; 2505 2506 capinfo = LE_READ_2(frm); frm += 2; 2507 status = LE_READ_2(frm); frm += 2; 2508 if (status != IEEE80211_STATUS_SUCCESS) { 2509 if (ifp->if_flags & IFF_DEBUG) 2510 printf("%s: %sassociation failed (status %d)" 2511 " for %s\n", ifp->if_xname, 2512 reassoc ? "re" : "", 2513 status, ether_sprintf((u_int8_t *)wh->i_addr3)); 2514 if (ni != ic->ic_bss) 2515 ni->ni_fails++; 2516 ic->ic_stats.is_rx_auth_fail++; 2517 return; 2518 } 2519 associd = LE_READ_2(frm); frm += 2; 2520 2521 rates = xrates = edcaie = wmmie = htcaps = htop = NULL; 2522 while (frm + 2 <= efrm) { 2523 if (frm + 2 + frm[1] > efrm) { 2524 ic->ic_stats.is_rx_elem_toosmall++; 2525 break; 2526 } 2527 switch (frm[0]) { 2528 case IEEE80211_ELEMID_RATES: 2529 rates = frm; 2530 break; 2531 case IEEE80211_ELEMID_XRATES: 2532 xrates = frm; 2533 break; 2534 case IEEE80211_ELEMID_EDCAPARMS: 2535 edcaie = frm; 2536 break; 2537 case IEEE80211_ELEMID_HTCAPS: 2538 htcaps = frm; 2539 break; 2540 case IEEE80211_ELEMID_HTOP: 2541 htop = frm; 2542 break; 2543 case IEEE80211_ELEMID_VENDOR: 2544 if (frm[1] < 4) { 2545 ic->ic_stats.is_rx_elem_toosmall++; 2546 break; 2547 } 2548 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2549 if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1) 2550 wmmie = frm; 2551 } 2552 break; 2553 } 2554 frm += 2 + frm[1]; 2555 } 2556 /* supported rates element is mandatory */ 2557 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2558 DPRINTF(("invalid supported rates element\n")); 2559 return; 2560 } 2561 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2562 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2563 IEEE80211_F_DODEL); 2564 if (rate & IEEE80211_RATE_BASIC) { 2565 DPRINTF(("rate mismatch for %s\n", 2566 ether_sprintf((u_int8_t *)wh->i_addr2))); 2567 ic->ic_stats.is_rx_assoc_norate++; 2568 return; 2569 } 2570 ni->ni_capinfo = capinfo; 2571 ni->ni_associd = associd; 2572 if (edcaie != NULL || wmmie != NULL) { 2573 /* force update of EDCA parameters */ 2574 ic->ic_edca_updtcount = -1; 2575 2576 if ((edcaie != NULL && 2577 ieee80211_parse_edca_params(ic, edcaie) == 0) || 2578 (wmmie != NULL && 2579 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 2580 ni->ni_flags |= IEEE80211_NODE_QOS; 2581 else /* for Reassociation */ 2582 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2583 } 2584 if (htcaps) 2585 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2586 if (htop) 2587 ieee80211_setup_htop(ni, htop + 2, htop[1], 0); 2588 ieee80211_ht_negotiate(ic, ni); 2589 2590 /* Hop into 11n mode after associating to an HT AP in a non-11n mode. */ 2591 if (ni->ni_flags & IEEE80211_NODE_HT) 2592 ieee80211_setmode(ic, IEEE80211_MODE_11N); 2593 else 2594 ieee80211_setmode(ic, ieee80211_chan2mode(ic, ni->ni_chan)); 2595 /* 2596 * Reset the erp state (mostly the slot time) now that 2597 * our operating mode has been nailed down. 2598 */ 2599 ieee80211_reset_erp(ic); 2600 2601 /* 2602 * Configure state now that we are associated. 2603 */ 2604 if (ic->ic_curmode == IEEE80211_MODE_11A || 2605 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 2606 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2607 else 2608 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2609 2610 ieee80211_set_shortslottime(ic, 2611 ic->ic_curmode == IEEE80211_MODE_11A || 2612 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2613 /* 2614 * Honor ERP protection. 2615 */ 2616 if ((ic->ic_curmode == IEEE80211_MODE_11G || 2617 (ic->ic_curmode == IEEE80211_MODE_11N && 2618 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 2619 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2620 ic->ic_flags |= IEEE80211_F_USEPROT; 2621 else 2622 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2623 /* 2624 * If not an RSNA, mark the port as valid, otherwise wait for 2625 * 802.1X authentication and 4-way handshake to complete.. 2626 */ 2627 if (ic->ic_flags & IEEE80211_F_RSNON) { 2628 /* XXX ic->ic_mgt_timer = 5; */ 2629 ni->ni_rsn_supp_state = RSNA_SUPP_PTKSTART; 2630 } else if (ic->ic_flags & IEEE80211_F_WEPON) 2631 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 2632 2633 ieee80211_new_state(ic, IEEE80211_S_RUN, 2634 IEEE80211_FC0_SUBTYPE_ASSOC_RESP); 2635 } 2636 2637 /*- 2638 * Deauthentication frame format: 2639 * [2] Reason code 2640 */ 2641 void 2642 ieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m, 2643 struct ieee80211_node *ni) 2644 { 2645 const struct ieee80211_frame *wh; 2646 const u_int8_t *frm; 2647 u_int16_t reason; 2648 2649 /* make sure all mandatory fixed fields are present */ 2650 if (m->m_len < sizeof(*wh) + 2) { 2651 DPRINTF(("frame too short\n")); 2652 return; 2653 } 2654 wh = mtod(m, struct ieee80211_frame *); 2655 frm = (const u_int8_t *)&wh[1]; 2656 2657 reason = LE_READ_2(frm); 2658 2659 ic->ic_stats.is_rx_deauth++; 2660 switch (ic->ic_opmode) { 2661 case IEEE80211_M_STA: { 2662 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2663 ic->ic_state == IEEE80211_S_RUN); 2664 int stay_auth = ((ic->ic_userflags & IEEE80211_F_STAYAUTH) && 2665 ic->ic_state >= IEEE80211_S_AUTH); 2666 if (!(bgscan || stay_auth)) 2667 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2668 IEEE80211_FC0_SUBTYPE_DEAUTH); 2669 } 2670 break; 2671 #ifndef IEEE80211_STA_ONLY 2672 case IEEE80211_M_HOSTAP: 2673 if (ni != ic->ic_bss) { 2674 int stay_auth = 2675 ((ic->ic_userflags & IEEE80211_F_STAYAUTH) && 2676 (ni->ni_state == IEEE80211_STA_AUTH || 2677 ni->ni_state == IEEE80211_STA_ASSOC)); 2678 if (ic->ic_if.if_flags & IFF_DEBUG) 2679 printf("%s: station %s deauthenticated " 2680 "by peer (reason %d)\n", 2681 ic->ic_if.if_xname, 2682 ether_sprintf(ni->ni_macaddr), 2683 reason); 2684 if (!stay_auth) 2685 ieee80211_node_leave(ic, ni); 2686 } 2687 break; 2688 #endif 2689 default: 2690 break; 2691 } 2692 } 2693 2694 /*- 2695 * Disassociation frame format: 2696 * [2] Reason code 2697 */ 2698 void 2699 ieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m, 2700 struct ieee80211_node *ni) 2701 { 2702 const struct ieee80211_frame *wh; 2703 const u_int8_t *frm; 2704 u_int16_t reason; 2705 2706 /* make sure all mandatory fixed fields are present */ 2707 if (m->m_len < sizeof(*wh) + 2) { 2708 DPRINTF(("frame too short\n")); 2709 return; 2710 } 2711 wh = mtod(m, struct ieee80211_frame *); 2712 frm = (const u_int8_t *)&wh[1]; 2713 2714 reason = LE_READ_2(frm); 2715 2716 ic->ic_stats.is_rx_disassoc++; 2717 switch (ic->ic_opmode) { 2718 case IEEE80211_M_STA: { 2719 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2720 ic->ic_state == IEEE80211_S_RUN); 2721 if (!bgscan) /* ignore disassoc during bgscan */ 2722 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2723 IEEE80211_FC0_SUBTYPE_DISASSOC); 2724 } 2725 break; 2726 #ifndef IEEE80211_STA_ONLY 2727 case IEEE80211_M_HOSTAP: 2728 if (ni != ic->ic_bss) { 2729 if (ic->ic_if.if_flags & IFF_DEBUG) 2730 printf("%s: station %s disassociated " 2731 "by peer (reason %d)\n", 2732 ic->ic_if.if_xname, 2733 ether_sprintf(ni->ni_macaddr), 2734 reason); 2735 ieee80211_node_leave(ic, ni); 2736 } 2737 break; 2738 #endif 2739 default: 2740 break; 2741 } 2742 } 2743 2744 /*- 2745 * ADDBA Request frame format: 2746 * [1] Category 2747 * [1] Action 2748 * [1] Dialog Token 2749 * [2] Block Ack Parameter Set 2750 * [2] Block Ack Timeout Value 2751 * [2] Block Ack Starting Sequence Control 2752 */ 2753 void 2754 ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m, 2755 struct ieee80211_node *ni) 2756 { 2757 const struct ieee80211_frame *wh; 2758 const u_int8_t *frm; 2759 struct ieee80211_rx_ba *ba; 2760 u_int16_t params, ssn, bufsz, timeout; 2761 u_int8_t token, tid; 2762 int err = 0; 2763 2764 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2765 DPRINTF(("received ADDBA req from non-HT STA %s\n", 2766 ether_sprintf(ni->ni_macaddr))); 2767 return; 2768 } 2769 if (m->m_len < sizeof(*wh) + 9) { 2770 DPRINTF(("frame too short\n")); 2771 return; 2772 } 2773 /* MLME-ADDBA.indication */ 2774 wh = mtod(m, struct ieee80211_frame *); 2775 frm = (const u_int8_t *)&wh[1]; 2776 2777 token = frm[2]; 2778 params = LE_READ_2(&frm[3]); 2779 tid = ((params & IEEE80211_ADDBA_TID_MASK) >> 2780 IEEE80211_ADDBA_TID_SHIFT); 2781 bufsz = (params & IEEE80211_ADDBA_BUFSZ_MASK) >> 2782 IEEE80211_ADDBA_BUFSZ_SHIFT; 2783 timeout = LE_READ_2(&frm[5]); 2784 ssn = LE_READ_2(&frm[7]) >> 4; 2785 2786 ba = &ni->ni_rx_ba[tid]; 2787 /* The driver is still processing an ADDBA request for this tid. */ 2788 if (ba->ba_state == IEEE80211_BA_REQUESTED) 2789 return; 2790 /* check if we already have a Block Ack agreement for this RA/TID */ 2791 if (ba->ba_state == IEEE80211_BA_AGREED) { 2792 /* XXX should we update the timeout value? */ 2793 /* reset Block Ack inactivity timer */ 2794 if (ba->ba_timeout_val != 0) 2795 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2796 2797 /* check if it's a Protected Block Ack agreement */ 2798 if (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2799 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) 2800 return; /* not a PBAC, ignore */ 2801 2802 /* PBAC: treat the ADDBA Request like a BlockAckReq */ 2803 if (SEQ_LT(ba->ba_winstart, ssn)) { 2804 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 2805 ieee80211_ba_move_window(ic, ni, tid, ssn, &ml); 2806 if_input(&ic->ic_if, &ml); 2807 } 2808 return; 2809 } 2810 2811 /* if PBAC required but RA does not support it, refuse request */ 2812 if ((ic->ic_flags & IEEE80211_F_PBAR) && 2813 (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2814 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))) 2815 goto refuse; 2816 /* 2817 * If the TID for which the Block Ack agreement is requested is 2818 * configured with a no-ACK policy, refuse the agreement. 2819 */ 2820 if (ic->ic_tid_noack & (1 << tid)) 2821 goto refuse; 2822 2823 /* check that we support the requested Block Ack Policy */ 2824 if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) && 2825 !(params & IEEE80211_ADDBA_BA_POLICY)) 2826 goto refuse; 2827 2828 /* setup Block Ack agreement */ 2829 ba->ba_state = IEEE80211_BA_REQUESTED; 2830 ba->ba_timeout_val = timeout * IEEE80211_DUR_TU; 2831 ba->ba_ni = ni; 2832 ba->ba_token = token; 2833 timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba); 2834 timeout_set(&ba->ba_gap_to, ieee80211_input_ba_gap_timeout, ba); 2835 ba->ba_gapwait = 0; 2836 ba->ba_winsize = bufsz; 2837 if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ) 2838 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 2839 ba->ba_params = (params & IEEE80211_ADDBA_BA_POLICY); 2840 ba->ba_params |= ((ba->ba_winsize << IEEE80211_ADDBA_BUFSZ_SHIFT) | 2841 (tid << IEEE80211_ADDBA_TID_SHIFT)); 2842 ba->ba_params |= IEEE80211_ADDBA_AMSDU; 2843 ba->ba_winstart = ssn; 2844 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 2845 /* allocate and setup our reordering buffer */ 2846 ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf), 2847 M_DEVBUF, M_NOWAIT | M_ZERO); 2848 if (ba->ba_buf == NULL) 2849 goto refuse; 2850 2851 ba->ba_head = 0; 2852 2853 /* notify drivers of this new Block Ack agreement */ 2854 if (ic->ic_ampdu_rx_start != NULL) 2855 err = ic->ic_ampdu_rx_start(ic, ni, tid); 2856 if (err == EBUSY) { 2857 /* driver will accept or refuse agreement when done */ 2858 return; 2859 } else if (err) { 2860 /* driver failed to setup, rollback */ 2861 ieee80211_addba_req_refuse(ic, ni, tid); 2862 } else 2863 ieee80211_addba_req_accept(ic, ni, tid); 2864 return; 2865 2866 refuse: 2867 /* MLME-ADDBA.response */ 2868 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2869 IEEE80211_ACTION_ADDBA_RESP, 2870 IEEE80211_STATUS_REFUSED << 16 | token << 8 | tid); 2871 } 2872 2873 void 2874 ieee80211_addba_req_accept(struct ieee80211com *ic, struct ieee80211_node *ni, 2875 uint8_t tid) 2876 { 2877 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2878 2879 ba->ba_state = IEEE80211_BA_AGREED; 2880 ic->ic_stats.is_ht_rx_ba_agreements++; 2881 /* start Block Ack inactivity timer */ 2882 if (ba->ba_timeout_val != 0) 2883 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2884 2885 /* MLME-ADDBA.response */ 2886 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2887 IEEE80211_ACTION_ADDBA_RESP, 2888 IEEE80211_STATUS_SUCCESS << 16 | ba->ba_token << 8 | tid); 2889 } 2890 2891 void 2892 ieee80211_addba_req_refuse(struct ieee80211com *ic, struct ieee80211_node *ni, 2893 uint8_t tid) 2894 { 2895 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2896 2897 free(ba->ba_buf, M_DEVBUF, 2898 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 2899 ba->ba_buf = NULL; 2900 ba->ba_state = IEEE80211_BA_INIT; 2901 2902 /* MLME-ADDBA.response */ 2903 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2904 IEEE80211_ACTION_ADDBA_RESP, 2905 IEEE80211_STATUS_REFUSED << 16 | ba->ba_token << 8 | tid); 2906 } 2907 2908 /*- 2909 * ADDBA Response frame format: 2910 * [1] Category 2911 * [1] Action 2912 * [1] Dialog Token 2913 * [2] Status Code 2914 * [2] Block Ack Parameter Set 2915 * [2] Block Ack Timeout Value 2916 */ 2917 void 2918 ieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m, 2919 struct ieee80211_node *ni) 2920 { 2921 const struct ieee80211_frame *wh; 2922 const u_int8_t *frm; 2923 struct ieee80211_tx_ba *ba; 2924 u_int16_t status, params, bufsz, timeout; 2925 u_int8_t token, tid; 2926 int err = 0; 2927 2928 if (m->m_len < sizeof(*wh) + 9) { 2929 DPRINTF(("frame too short\n")); 2930 return; 2931 } 2932 wh = mtod(m, struct ieee80211_frame *); 2933 frm = (const u_int8_t *)&wh[1]; 2934 2935 token = frm[2]; 2936 status = LE_READ_2(&frm[3]); 2937 params = LE_READ_2(&frm[5]); 2938 tid = (params >> 2) & 0xf; 2939 bufsz = (params >> 6) & 0x3ff; 2940 timeout = LE_READ_2(&frm[7]); 2941 2942 DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n", 2943 ether_sprintf(ni->ni_macaddr), tid, status)); 2944 2945 /* 2946 * Ignore if no ADDBA request has been sent for this RA/TID or 2947 * if we already have a Block Ack agreement. 2948 */ 2949 ba = &ni->ni_tx_ba[tid]; 2950 if (ba->ba_state != IEEE80211_BA_REQUESTED) { 2951 DPRINTF(("no matching ADDBA req found\n")); 2952 return; 2953 } 2954 if (token != ba->ba_token) { 2955 DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n", 2956 ether_sprintf(ni->ni_macaddr), token, ba->ba_token)); 2957 return; 2958 } 2959 /* we got an ADDBA Response matching our request, stop timeout */ 2960 timeout_del(&ba->ba_to); 2961 2962 if (status != IEEE80211_STATUS_SUCCESS) { 2963 if (ni->ni_addba_req_intval[tid] < 2964 IEEE80211_ADDBA_REQ_INTVAL_MAX) 2965 ni->ni_addba_req_intval[tid]++; 2966 2967 ieee80211_addba_resp_refuse(ic, ni, tid, status); 2968 2969 /* 2970 * In case the peer believes there is an existing 2971 * block ack agreement with us, try to delete it. 2972 */ 2973 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2974 IEEE80211_ACTION_DELBA, 2975 IEEE80211_REASON_SETUP_REQUIRED << 16 | 1 << 8 | tid); 2976 return; 2977 } 2978 2979 /* notify drivers of this new Block Ack agreement */ 2980 if (ic->ic_ampdu_tx_start != NULL) 2981 err = ic->ic_ampdu_tx_start(ic, ni, tid); 2982 2983 if (err == EBUSY) { 2984 /* driver will accept or refuse agreement when done */ 2985 return; 2986 } else if (err) { 2987 /* driver failed to setup, rollback */ 2988 ieee80211_addba_resp_refuse(ic, ni, tid, 2989 IEEE80211_STATUS_UNSPECIFIED); 2990 } else 2991 ieee80211_addba_resp_accept(ic, ni, tid); 2992 } 2993 2994 void 2995 ieee80211_addba_resp_accept(struct ieee80211com *ic, 2996 struct ieee80211_node *ni, uint8_t tid) 2997 { 2998 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 2999 3000 /* MLME-ADDBA.confirm(Success) */ 3001 ba->ba_state = IEEE80211_BA_AGREED; 3002 ic->ic_stats.is_ht_tx_ba_agreements++; 3003 3004 /* Reset ADDBA request interval. */ 3005 ni->ni_addba_req_intval[tid] = 1; 3006 3007 /* start Block Ack inactivity timeout */ 3008 if (ba->ba_timeout_val != 0) 3009 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 3010 } 3011 3012 void 3013 ieee80211_addba_resp_refuse(struct ieee80211com *ic, 3014 struct ieee80211_node *ni, uint8_t tid, uint16_t status) 3015 { 3016 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 3017 3018 /* MLME-ADDBA.confirm(Failure) */ 3019 ba->ba_state = IEEE80211_BA_INIT; 3020 } 3021 3022 /*- 3023 * DELBA frame format: 3024 * [1] Category 3025 * [1] Action 3026 * [2] DELBA Parameter Set 3027 * [2] Reason Code 3028 */ 3029 void 3030 ieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m, 3031 struct ieee80211_node *ni) 3032 { 3033 const struct ieee80211_frame *wh; 3034 const u_int8_t *frm; 3035 u_int16_t params, reason; 3036 u_int8_t tid; 3037 int i; 3038 3039 if (m->m_len < sizeof(*wh) + 6) { 3040 DPRINTF(("frame too short\n")); 3041 return; 3042 } 3043 wh = mtod(m, struct ieee80211_frame *); 3044 frm = (const u_int8_t *)&wh[1]; 3045 3046 params = LE_READ_2(&frm[2]); 3047 reason = LE_READ_2(&frm[4]); 3048 tid = params >> 12; 3049 3050 DPRINTF(("received DELBA from %s, TID %d, reason %d\n", 3051 ether_sprintf(ni->ni_macaddr), tid, reason)); 3052 3053 if (params & IEEE80211_DELBA_INITIATOR) { 3054 /* MLME-DELBA.indication(Originator) */ 3055 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 3056 3057 if (ba->ba_state != IEEE80211_BA_AGREED) { 3058 DPRINTF(("no matching Block Ack agreement\n")); 3059 return; 3060 } 3061 /* notify drivers of the end of the Block Ack agreement */ 3062 if (ic->ic_ampdu_rx_stop != NULL) 3063 ic->ic_ampdu_rx_stop(ic, ni, tid); 3064 3065 ba->ba_state = IEEE80211_BA_INIT; 3066 /* stop Block Ack inactivity timer */ 3067 timeout_del(&ba->ba_to); 3068 timeout_del(&ba->ba_gap_to); 3069 ba->ba_gapwait = 0; 3070 3071 if (ba->ba_buf != NULL) { 3072 /* free all MSDUs stored in reordering buffer */ 3073 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 3074 m_freem(ba->ba_buf[i].m); 3075 /* free reordering buffer */ 3076 free(ba->ba_buf, M_DEVBUF, 3077 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 3078 ba->ba_buf = NULL; 3079 } 3080 } else { 3081 /* MLME-DELBA.indication(Recipient) */ 3082 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 3083 3084 if (ba->ba_state != IEEE80211_BA_AGREED) { 3085 DPRINTF(("no matching Block Ack agreement\n")); 3086 return; 3087 } 3088 /* notify drivers of the end of the Block Ack agreement */ 3089 if (ic->ic_ampdu_tx_stop != NULL) 3090 ic->ic_ampdu_tx_stop(ic, ni, tid); 3091 3092 ba->ba_state = IEEE80211_BA_INIT; 3093 /* stop Block Ack inactivity timer */ 3094 timeout_del(&ba->ba_to); 3095 } 3096 } 3097 3098 /*- 3099 * SA Query Request frame format: 3100 * [1] Category 3101 * [1] Action 3102 * [2] Transaction Identifier 3103 */ 3104 void 3105 ieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m, 3106 struct ieee80211_node *ni) 3107 { 3108 const struct ieee80211_frame *wh; 3109 const u_int8_t *frm; 3110 3111 if (ic->ic_opmode != IEEE80211_M_STA || 3112 !(ni->ni_flags & IEEE80211_NODE_MFP)) { 3113 DPRINTF(("unexpected SA Query req from %s\n", 3114 ether_sprintf(ni->ni_macaddr))); 3115 return; 3116 } 3117 if (m->m_len < sizeof(*wh) + 4) { 3118 DPRINTF(("frame too short\n")); 3119 return; 3120 } 3121 wh = mtod(m, struct ieee80211_frame *); 3122 frm = (const u_int8_t *)&wh[1]; 3123 3124 /* MLME-SAQuery.indication */ 3125 3126 /* save Transaction Identifier for SA Query Response */ 3127 ni->ni_sa_query_trid = LE_READ_2(&frm[2]); 3128 3129 /* MLME-SAQuery.response */ 3130 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 3131 IEEE80211_ACTION_SA_QUERY_RESP, 0); 3132 } 3133 3134 #ifndef IEEE80211_STA_ONLY 3135 /*- 3136 * SA Query Response frame format: 3137 * [1] Category 3138 * [1] Action 3139 * [2] Transaction Identifier 3140 */ 3141 void 3142 ieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m, 3143 struct ieee80211_node *ni) 3144 { 3145 const struct ieee80211_frame *wh; 3146 const u_int8_t *frm; 3147 3148 /* ignore if we're not engaged in an SA Query with that STA */ 3149 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 3150 DPRINTF(("unexpected SA Query resp from %s\n", 3151 ether_sprintf(ni->ni_macaddr))); 3152 return; 3153 } 3154 if (m->m_len < sizeof(*wh) + 4) { 3155 DPRINTF(("frame too short\n")); 3156 return; 3157 } 3158 wh = mtod(m, struct ieee80211_frame *); 3159 frm = (const u_int8_t *)&wh[1]; 3160 3161 /* check that Transaction Identifier matches */ 3162 if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) { 3163 DPRINTF(("transaction identifier does not match\n")); 3164 return; 3165 } 3166 /* MLME-SAQuery.confirm */ 3167 timeout_del(&ni->ni_sa_query_to); 3168 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 3169 } 3170 #endif 3171 3172 /*- 3173 * Action frame format: 3174 * [1] Category 3175 * [1] Action 3176 */ 3177 void 3178 ieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m, 3179 struct ieee80211_node *ni) 3180 { 3181 const struct ieee80211_frame *wh; 3182 const u_int8_t *frm; 3183 3184 if (m->m_len < sizeof(*wh) + 2) { 3185 DPRINTF(("frame too short\n")); 3186 return; 3187 } 3188 wh = mtod(m, struct ieee80211_frame *); 3189 frm = (const u_int8_t *)&wh[1]; 3190 3191 switch (frm[0]) { 3192 case IEEE80211_CATEG_BA: 3193 switch (frm[1]) { 3194 case IEEE80211_ACTION_ADDBA_REQ: 3195 ieee80211_recv_addba_req(ic, m, ni); 3196 break; 3197 case IEEE80211_ACTION_ADDBA_RESP: 3198 ieee80211_recv_addba_resp(ic, m, ni); 3199 break; 3200 case IEEE80211_ACTION_DELBA: 3201 ieee80211_recv_delba(ic, m, ni); 3202 break; 3203 } 3204 break; 3205 case IEEE80211_CATEG_SA_QUERY: 3206 switch (frm[1]) { 3207 case IEEE80211_ACTION_SA_QUERY_REQ: 3208 ieee80211_recv_sa_query_req(ic, m, ni); 3209 break; 3210 #ifndef IEEE80211_STA_ONLY 3211 case IEEE80211_ACTION_SA_QUERY_RESP: 3212 ieee80211_recv_sa_query_resp(ic, m, ni); 3213 break; 3214 #endif 3215 } 3216 break; 3217 default: 3218 DPRINTF(("action frame category %d not handled\n", frm[0])); 3219 break; 3220 } 3221 } 3222 3223 void 3224 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m, 3225 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype) 3226 { 3227 switch (subtype) { 3228 case IEEE80211_FC0_SUBTYPE_BEACON: 3229 ieee80211_recv_probe_resp(ic, m, ni, rxi, 0); 3230 break; 3231 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 3232 ieee80211_recv_probe_resp(ic, m, ni, rxi, 1); 3233 break; 3234 #ifndef IEEE80211_STA_ONLY 3235 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 3236 ieee80211_recv_probe_req(ic, m, ni, rxi); 3237 break; 3238 #endif 3239 case IEEE80211_FC0_SUBTYPE_AUTH: 3240 ieee80211_recv_auth(ic, m, ni, rxi); 3241 break; 3242 #ifndef IEEE80211_STA_ONLY 3243 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 3244 ieee80211_recv_assoc_req(ic, m, ni, rxi, 0); 3245 break; 3246 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 3247 ieee80211_recv_assoc_req(ic, m, ni, rxi, 1); 3248 break; 3249 #endif 3250 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 3251 ieee80211_recv_assoc_resp(ic, m, ni, 0); 3252 break; 3253 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 3254 ieee80211_recv_assoc_resp(ic, m, ni, 1); 3255 break; 3256 case IEEE80211_FC0_SUBTYPE_DEAUTH: 3257 ieee80211_recv_deauth(ic, m, ni); 3258 break; 3259 case IEEE80211_FC0_SUBTYPE_DISASSOC: 3260 ieee80211_recv_disassoc(ic, m, ni); 3261 break; 3262 case IEEE80211_FC0_SUBTYPE_ACTION: 3263 ieee80211_recv_action(ic, m, ni); 3264 break; 3265 default: 3266 DPRINTF(("mgmt frame with subtype 0x%x not handled\n", 3267 subtype)); 3268 ic->ic_stats.is_rx_badsubtype++; 3269 break; 3270 } 3271 } 3272 3273 #ifndef IEEE80211_STA_ONLY 3274 /* 3275 * Process an incoming PS-Poll control frame (see 11.2). 3276 */ 3277 void 3278 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m, 3279 struct ieee80211_node *ni) 3280 { 3281 struct ifnet *ifp = &ic->ic_if; 3282 struct ieee80211_frame_pspoll *psp; 3283 struct ieee80211_frame *wh; 3284 u_int16_t aid; 3285 3286 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 3287 !(ic->ic_caps & IEEE80211_C_APPMGT) || 3288 ni->ni_state != IEEE80211_STA_ASSOC) 3289 return; 3290 3291 if (m->m_len < sizeof(*psp)) { 3292 DPRINTF(("frame too short, len %u\n", m->m_len)); 3293 ic->ic_stats.is_rx_tooshort++; 3294 return; 3295 } 3296 psp = mtod(m, struct ieee80211_frame_pspoll *); 3297 if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) { 3298 DPRINTF(("discard pspoll frame to BSS %s\n", 3299 ether_sprintf(psp->i_bssid))); 3300 ic->ic_stats.is_rx_wrongbss++; 3301 return; 3302 } 3303 aid = letoh16(*(u_int16_t *)psp->i_aid); 3304 if (aid != ni->ni_associd) { 3305 DPRINTF(("invalid pspoll aid %x from %s\n", aid, 3306 ether_sprintf(psp->i_ta))); 3307 return; 3308 } 3309 3310 /* take the first queued frame and put it out.. */ 3311 m = mq_dequeue(&ni->ni_savedq); 3312 if (m == NULL) 3313 return; 3314 if (mq_empty(&ni->ni_savedq)) { 3315 /* last queued frame, turn off the TIM bit */ 3316 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 3317 } else { 3318 /* more queued frames, set the more data bit */ 3319 wh = mtod(m, struct ieee80211_frame *); 3320 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 3321 } 3322 mq_enqueue(&ic->ic_pwrsaveq, m); 3323 if_start(ifp); 3324 } 3325 #endif /* IEEE80211_STA_ONLY */ 3326 3327 /* 3328 * Process an incoming BlockAckReq control frame (see 7.2.1.7). 3329 */ 3330 void 3331 ieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m, 3332 struct ieee80211_node *ni) 3333 { 3334 const struct ieee80211_frame_min *wh; 3335 const u_int8_t *frm; 3336 u_int16_t ctl, ssn; 3337 u_int8_t tid, ntids; 3338 3339 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 3340 DPRINTF(("received BlockAckReq from non-HT STA %s\n", 3341 ether_sprintf(ni->ni_macaddr))); 3342 return; 3343 } 3344 if (m->m_len < sizeof(*wh) + 4) { 3345 DPRINTF(("frame too short\n")); 3346 return; 3347 } 3348 wh = mtod(m, struct ieee80211_frame_min *); 3349 frm = (const u_int8_t *)&wh[1]; 3350 3351 /* read BlockAckReq Control field */ 3352 ctl = LE_READ_2(&frm[0]); 3353 tid = ctl >> 12; 3354 3355 /* determine BlockAckReq frame variant */ 3356 if (ctl & IEEE80211_BA_MULTI_TID) { 3357 /* Multi-TID BlockAckReq variant (PSMP only) */ 3358 ntids = tid + 1; 3359 3360 if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) { 3361 DPRINTF(("MTBAR frame too short\n")); 3362 return; 3363 } 3364 frm += 2; /* skip BlockAckReq Control field */ 3365 while (ntids-- > 0) { 3366 /* read MTBAR Information field */ 3367 tid = LE_READ_2(&frm[0]) >> 12; 3368 ssn = LE_READ_2(&frm[2]) >> 4; 3369 ieee80211_bar_tid(ic, ni, tid, ssn); 3370 frm += 4; 3371 } 3372 } else { 3373 /* Basic or Compressed BlockAckReq variants */ 3374 ssn = LE_READ_2(&frm[2]) >> 4; 3375 ieee80211_bar_tid(ic, ni, tid, ssn); 3376 } 3377 } 3378 3379 /* 3380 * Process a BlockAckReq for a specific TID (see 9.10.7.6.3). 3381 * This is the common back-end for all BlockAckReq frame variants. 3382 */ 3383 void 3384 ieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni, 3385 u_int8_t tid, u_int16_t ssn) 3386 { 3387 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 3388 3389 /* check if we have a Block Ack agreement for RA/TID */ 3390 if (ba->ba_state != IEEE80211_BA_AGREED) { 3391 /* XXX not sure in PBAC case */ 3392 /* send a DELBA with reason code UNKNOWN-BA */ 3393 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 3394 IEEE80211_ACTION_DELBA, 3395 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 3396 return; 3397 } 3398 /* check if it is a Protected Block Ack agreement */ 3399 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 3400 (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) { 3401 /* ADDBA Requests must be used in PBAC case */ 3402 if (SEQ_LT(ssn, ba->ba_winstart) || 3403 SEQ_LT(ba->ba_winend, ssn)) 3404 ic->ic_stats.is_pbac_errs++; 3405 return; /* PBAC, do not move window */ 3406 } 3407 /* reset Block Ack inactivity timer */ 3408 if (ba->ba_timeout_val != 0) 3409 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 3410 3411 if (SEQ_LT(ba->ba_winstart, ssn)) { 3412 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 3413 ieee80211_ba_move_window(ic, ni, tid, ssn, &ml); 3414 if_input(&ic->ic_if, &ml); 3415 } 3416 } 3417