1 /* $OpenBSD: ieee80211_input.c,v 1.179 2016/09/20 13:24:42 stsp Exp $ */ 2 3 /*- 4 * Copyright (c) 2001 Atsushi Onoe 5 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 6 * Copyright (c) 2007-2009 Damien Bergamini 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of the author may not be used to endorse or promote products 18 * derived from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include "bpfilter.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 #include <sys/socket.h> 40 #include <sys/sockio.h> 41 #include <sys/endian.h> 42 #include <sys/errno.h> 43 #include <sys/sysctl.h> 44 #include <sys/task.h> 45 46 #include <net/if.h> 47 #include <net/if_dl.h> 48 #include <net/if_media.h> 49 #include <net/if_llc.h> 50 51 #if NBPFILTER > 0 52 #include <net/bpf.h> 53 #endif 54 55 #include <netinet/in.h> 56 #include <netinet/if_ether.h> 57 58 #include <net80211/ieee80211_var.h> 59 #include <net80211/ieee80211_priv.h> 60 61 struct mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int); 62 void ieee80211_defrag_timeout(void *); 63 void ieee80211_input_ba(struct ieee80211com *, struct mbuf *, 64 struct ieee80211_node *, int, struct ieee80211_rxinfo *); 65 void ieee80211_input_ba_flush(struct ieee80211com *, struct ieee80211_node *, 66 struct ieee80211_rx_ba *); 67 void ieee80211_input_ba_gap_timeout(void *arg); 68 void ieee80211_ba_move_window(struct ieee80211com *, 69 struct ieee80211_node *, u_int8_t, u_int16_t); 70 void ieee80211_input_ba_seq(struct ieee80211com *, 71 struct ieee80211_node *, uint8_t, uint16_t); 72 struct mbuf *ieee80211_align_mbuf(struct mbuf *); 73 void ieee80211_decap(struct ieee80211com *, struct mbuf *, 74 struct ieee80211_node *, int); 75 void ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *, 76 struct ieee80211_node *, int); 77 void ieee80211_deliver_data(struct ieee80211com *, struct mbuf *, 78 struct ieee80211_node *); 79 int ieee80211_parse_edca_params_body(struct ieee80211com *, 80 const u_int8_t *); 81 int ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *); 82 int ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *); 83 enum ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t[]); 84 enum ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t[]); 85 int ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *, 86 u_int, struct ieee80211_rsnparams *); 87 int ieee80211_save_ie(const u_int8_t *, u_int8_t **); 88 void ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *, 89 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 90 #ifndef IEEE80211_STA_ONLY 91 void ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *, 92 struct ieee80211_node *, struct ieee80211_rxinfo *); 93 #endif 94 void ieee80211_recv_auth(struct ieee80211com *, struct mbuf *, 95 struct ieee80211_node *, struct ieee80211_rxinfo *); 96 #ifndef IEEE80211_STA_ONLY 97 void ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *, 98 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 99 #endif 100 void ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *, 101 struct ieee80211_node *, int); 102 void ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *, 103 struct ieee80211_node *); 104 void ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *, 105 struct ieee80211_node *); 106 void ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *, 107 struct ieee80211_node *); 108 void ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *, 109 struct ieee80211_node *); 110 void ieee80211_recv_delba(struct ieee80211com *, struct mbuf *, 111 struct ieee80211_node *); 112 void ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *, 113 struct ieee80211_node *); 114 #ifndef IEEE80211_STA_ONLY 115 void ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *, 116 struct ieee80211_node *); 117 #endif 118 void ieee80211_recv_action(struct ieee80211com *, struct mbuf *, 119 struct ieee80211_node *); 120 #ifndef IEEE80211_STA_ONLY 121 void ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *, 122 struct ieee80211_node *); 123 #endif 124 void ieee80211_recv_bar(struct ieee80211com *, struct mbuf *, 125 struct ieee80211_node *); 126 void ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *, 127 u_int8_t, u_int16_t); 128 void ieee80211_input_print(struct ieee80211com *, struct ifnet *, 129 struct ieee80211_frame *, struct ieee80211_rxinfo *); 130 void ieee80211_input_print_task(void *); 131 132 struct ieee80211printmsg { 133 struct task task; 134 char text[512]; 135 }; 136 137 /* 138 * Retrieve the length in bytes of an 802.11 header. 139 */ 140 u_int 141 ieee80211_get_hdrlen(const struct ieee80211_frame *wh) 142 { 143 u_int size = sizeof(*wh); 144 145 /* NB: does not work with control frames */ 146 KASSERT(ieee80211_has_seq(wh)); 147 148 if (ieee80211_has_addr4(wh)) 149 size += IEEE80211_ADDR_LEN; /* i_addr4 */ 150 if (ieee80211_has_qos(wh)) 151 size += sizeof(u_int16_t); /* i_qos */ 152 if (ieee80211_has_htc(wh)) 153 size += sizeof(u_int32_t); /* i_ht */ 154 return size; 155 } 156 157 /* 158 * Work queue task that prints a received frame. Avoids printf() from 159 * interrupt context at IPL_NET making slow machines unusable when many 160 * frames are received and the interface is put in debug mode. 161 */ 162 void 163 ieee80211_input_print_task(void *arg1) 164 { 165 struct ieee80211printmsg *msg = arg1; 166 167 printf("%s", msg->text); 168 free(msg, M_DEVBUF, 0); 169 } 170 171 void 172 ieee80211_input_print(struct ieee80211com *ic, struct ifnet *ifp, 173 struct ieee80211_frame *wh, struct ieee80211_rxinfo *rxi) 174 { 175 int doprint; 176 struct ieee80211printmsg *msg; 177 u_int8_t subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 178 179 /* avoid printing too many frames */ 180 doprint = 0; 181 switch (subtype) { 182 case IEEE80211_FC0_SUBTYPE_BEACON: 183 if (ic->ic_state == IEEE80211_S_SCAN) 184 doprint = 1; 185 break; 186 #ifndef IEEE80211_STA_ONLY 187 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 188 if (ic->ic_opmode == IEEE80211_M_IBSS) 189 doprint = 1; 190 break; 191 #endif 192 default: 193 doprint = 1; 194 break; 195 } 196 #ifdef IEEE80211_DEBUG 197 doprint += (ieee80211_debug > 1); 198 #endif 199 if (!doprint) 200 return; 201 202 msg = malloc(sizeof(*msg), M_DEVBUF, M_NOWAIT); 203 if (msg == NULL) 204 return; 205 206 snprintf(msg->text, sizeof(msg->text), 207 "%s: received %s from %s rssi %d mode %s\n", ifp->if_xname, 208 ieee80211_mgt_subtype_name[subtype >> IEEE80211_FC0_SUBTYPE_SHIFT], 209 ether_sprintf(wh->i_addr2), rxi->rxi_rssi, 210 ieee80211_phymode_name[ic->ic_curmode]); 211 212 task_set(&msg->task, ieee80211_input_print_task, msg); 213 task_add(systq, &msg->task); 214 } 215 216 /* 217 * Process a received frame. The node associated with the sender 218 * should be supplied. If nothing was found in the node table then 219 * the caller is assumed to supply a reference to ic_bss instead. 220 * The RSSI and a timestamp are also supplied. The RSSI data is used 221 * during AP scanning to select a AP to associate with; it can have 222 * any units so long as values have consistent units and higher values 223 * mean ``better signal''. The receive timestamp is currently not used 224 * by the 802.11 layer. 225 */ 226 void 227 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 228 struct ieee80211_rxinfo *rxi) 229 { 230 struct ieee80211com *ic = (void *)ifp; 231 struct ieee80211_frame *wh; 232 u_int16_t *orxseq, nrxseq, qos; 233 u_int8_t dir, type, subtype, tid; 234 int hdrlen, hasqos; 235 236 KASSERT(ni != NULL); 237 238 /* in monitor mode, send everything directly to bpf */ 239 if (ic->ic_opmode == IEEE80211_M_MONITOR) 240 goto out; 241 242 /* 243 * Do not process frames without an Address 2 field any further. 244 * Only CTS and ACK control frames do not have this field. 245 */ 246 if (m->m_len < sizeof(struct ieee80211_frame_min)) { 247 DPRINTF(("frame too short, len %u\n", m->m_len)); 248 ic->ic_stats.is_rx_tooshort++; 249 goto out; 250 } 251 252 wh = mtod(m, struct ieee80211_frame *); 253 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 254 IEEE80211_FC0_VERSION_0) { 255 DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0])); 256 ic->ic_stats.is_rx_badversion++; 257 goto err; 258 } 259 260 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 261 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 262 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 263 264 if (type != IEEE80211_FC0_TYPE_CTL) { 265 hdrlen = ieee80211_get_hdrlen(wh); 266 if (m->m_len < hdrlen) { 267 DPRINTF(("frame too short, len %u\n", m->m_len)); 268 ic->ic_stats.is_rx_tooshort++; 269 goto err; 270 } 271 } 272 if ((hasqos = ieee80211_has_qos(wh))) { 273 qos = ieee80211_get_qos(wh); 274 tid = qos & IEEE80211_QOS_TID; 275 } else { 276 qos = 0; 277 tid = 0; 278 } 279 280 if (type == IEEE80211_FC0_TYPE_DATA && hasqos && 281 (subtype & IEEE80211_FC0_SUBTYPE_NODATA) == 0 && 282 !(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE)) { 283 int ba_state = ni->ni_rx_ba[tid].ba_state; 284 285 /* 286 * If Block Ack was explicitly requested, check 287 * if we have a BA agreement for this RA/TID. 288 */ 289 if ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 290 IEEE80211_QOS_ACK_POLICY_BA && 291 ba_state != IEEE80211_BA_AGREED) { 292 DPRINTF(("no BA agreement for %s, TID %d\n", 293 ether_sprintf(ni->ni_macaddr), tid)); 294 /* send a DELBA with reason code UNKNOWN-BA */ 295 IEEE80211_SEND_ACTION(ic, ni, 296 IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA, 297 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 298 goto err; 299 } 300 301 /* 302 * Check if we have an explicit or implicit 303 * Block Ack Request for a valid BA agreement. 304 */ 305 if (ba_state == IEEE80211_BA_AGREED && 306 ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 307 IEEE80211_QOS_ACK_POLICY_BA || 308 (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 309 IEEE80211_QOS_ACK_POLICY_NORMAL)) { 310 /* go through A-MPDU reordering */ 311 ieee80211_input_ba(ic, m, ni, tid, rxi); 312 return; /* don't free m! */ 313 } 314 } 315 316 /* duplicate detection (see 9.2.9) */ 317 if (ieee80211_has_seq(wh) && 318 ic->ic_state != IEEE80211_S_SCAN) { 319 nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >> 320 IEEE80211_SEQ_SEQ_SHIFT; 321 if (hasqos) 322 orxseq = &ni->ni_qos_rxseqs[tid]; 323 else 324 orxseq = &ni->ni_rxseq; 325 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 326 nrxseq == *orxseq) { 327 /* duplicate, silently discarded */ 328 ic->ic_stats.is_rx_dup++; 329 goto out; 330 } 331 *orxseq = nrxseq; 332 } 333 if (ic->ic_state != IEEE80211_S_SCAN) { 334 ni->ni_rssi = rxi->rxi_rssi; 335 ni->ni_rstamp = rxi->rxi_tstamp; 336 ni->ni_inact = 0; 337 } 338 339 #ifndef IEEE80211_STA_ONLY 340 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 341 (ic->ic_caps & IEEE80211_C_APPMGT) && 342 ni->ni_state == IEEE80211_STA_ASSOC) { 343 if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) { 344 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) { 345 /* turn on PS mode */ 346 ni->ni_pwrsave = IEEE80211_PS_DOZE; 347 ic->ic_pssta++; 348 DPRINTF(("PS mode on for %s, count %d\n", 349 ether_sprintf(wh->i_addr2), ic->ic_pssta)); 350 } 351 } else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) { 352 struct mbuf *m; 353 354 /* turn off PS mode */ 355 ni->ni_pwrsave = IEEE80211_PS_AWAKE; 356 ic->ic_pssta--; 357 DPRINTF(("PS mode off for %s, count %d\n", 358 ether_sprintf(wh->i_addr2), ic->ic_pssta)); 359 360 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 361 362 /* dequeue buffered unicast frames */ 363 while ((m = mq_dequeue(&ni->ni_savedq)) != NULL) { 364 mq_enqueue(&ic->ic_pwrsaveq, m); 365 if_start(ifp); 366 } 367 } 368 } 369 #endif 370 switch (type) { 371 case IEEE80211_FC0_TYPE_DATA: 372 switch (ic->ic_opmode) { 373 case IEEE80211_M_STA: 374 if (dir != IEEE80211_FC1_DIR_FROMDS) { 375 ic->ic_stats.is_rx_wrongdir++; 376 goto out; 377 } 378 if (ic->ic_state != IEEE80211_S_SCAN && 379 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 380 /* Source address is not our BSS. */ 381 DPRINTF(("discard frame from SA %s\n", 382 ether_sprintf(wh->i_addr2))); 383 ic->ic_stats.is_rx_wrongbss++; 384 goto out; 385 } 386 if ((ifp->if_flags & IFF_SIMPLEX) && 387 IEEE80211_IS_MULTICAST(wh->i_addr1) && 388 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 389 /* 390 * In IEEE802.11 network, multicast frame 391 * sent from me is broadcasted from AP. 392 * It should be silently discarded for 393 * SIMPLEX interface. 394 */ 395 ic->ic_stats.is_rx_mcastecho++; 396 goto out; 397 } 398 break; 399 #ifndef IEEE80211_STA_ONLY 400 case IEEE80211_M_IBSS: 401 case IEEE80211_M_AHDEMO: 402 if (dir != IEEE80211_FC1_DIR_NODS) { 403 ic->ic_stats.is_rx_wrongdir++; 404 goto out; 405 } 406 if (ic->ic_state != IEEE80211_S_SCAN && 407 !IEEE80211_ADDR_EQ(wh->i_addr3, 408 ic->ic_bss->ni_bssid) && 409 !IEEE80211_ADDR_EQ(wh->i_addr3, 410 etherbroadcastaddr)) { 411 /* Destination is not our BSS or broadcast. */ 412 DPRINTF(("discard data frame to DA %s\n", 413 ether_sprintf(wh->i_addr3))); 414 ic->ic_stats.is_rx_wrongbss++; 415 goto out; 416 } 417 break; 418 case IEEE80211_M_HOSTAP: 419 if (dir != IEEE80211_FC1_DIR_TODS) { 420 ic->ic_stats.is_rx_wrongdir++; 421 goto out; 422 } 423 if (ic->ic_state != IEEE80211_S_SCAN && 424 !IEEE80211_ADDR_EQ(wh->i_addr1, 425 ic->ic_bss->ni_bssid) && 426 !IEEE80211_ADDR_EQ(wh->i_addr1, 427 etherbroadcastaddr)) { 428 /* BSS is not us or broadcast. */ 429 DPRINTF(("discard data frame to BSS %s\n", 430 ether_sprintf(wh->i_addr1))); 431 ic->ic_stats.is_rx_wrongbss++; 432 goto out; 433 } 434 /* check if source STA is associated */ 435 if (ni == ic->ic_bss) { 436 DPRINTF(("data from unknown src %s\n", 437 ether_sprintf(wh->i_addr2))); 438 /* NB: caller deals with reference */ 439 ni = ieee80211_find_node(ic, wh->i_addr2); 440 if (ni == NULL) 441 ni = ieee80211_dup_bss(ic, wh->i_addr2); 442 if (ni != NULL) { 443 IEEE80211_SEND_MGMT(ic, ni, 444 IEEE80211_FC0_SUBTYPE_DEAUTH, 445 IEEE80211_REASON_NOT_AUTHED); 446 } 447 ic->ic_stats.is_rx_notassoc++; 448 goto err; 449 } 450 if (ni->ni_state != IEEE80211_STA_ASSOC) { 451 DPRINTF(("data from unassoc src %s\n", 452 ether_sprintf(wh->i_addr2))); 453 IEEE80211_SEND_MGMT(ic, ni, 454 IEEE80211_FC0_SUBTYPE_DISASSOC, 455 IEEE80211_REASON_NOT_ASSOCED); 456 ic->ic_stats.is_rx_notassoc++; 457 goto err; 458 } 459 break; 460 #endif /* IEEE80211_STA_ONLY */ 461 default: 462 /* can't get there */ 463 goto out; 464 } 465 466 if ((ic->ic_flags & IEEE80211_F_WEPON) || 467 ((ic->ic_flags & IEEE80211_F_RSNON) && 468 (ni->ni_flags & IEEE80211_NODE_RXPROT))) { 469 /* protection is on for Rx */ 470 if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 471 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 472 /* drop unencrypted */ 473 ic->ic_stats.is_rx_unencrypted++; 474 goto err; 475 } 476 /* do software decryption */ 477 m = ieee80211_decrypt(ic, m, ni); 478 if (m == NULL) { 479 ic->ic_stats.is_rx_wepfail++; 480 goto err; 481 } 482 wh = mtod(m, struct ieee80211_frame *); 483 } 484 } else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) || 485 (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 486 /* frame encrypted but protection off for Rx */ 487 ic->ic_stats.is_rx_nowep++; 488 goto out; 489 } 490 491 #if NBPFILTER > 0 492 /* copy to listener after decrypt */ 493 if (ic->ic_rawbpf) 494 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 495 #endif 496 497 if ((ni->ni_flags & IEEE80211_NODE_HT) && 498 hasqos && (qos & IEEE80211_QOS_AMSDU)) 499 ieee80211_amsdu_decap(ic, m, ni, hdrlen); 500 else 501 ieee80211_decap(ic, m, ni, hdrlen); 502 return; 503 504 case IEEE80211_FC0_TYPE_MGT: 505 if (dir != IEEE80211_FC1_DIR_NODS) { 506 ic->ic_stats.is_rx_wrongdir++; 507 goto err; 508 } 509 #ifndef IEEE80211_STA_ONLY 510 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 511 ic->ic_stats.is_rx_ahdemo_mgt++; 512 goto out; 513 } 514 #endif 515 /* drop frames without interest */ 516 if (ic->ic_state == IEEE80211_S_SCAN) { 517 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 518 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 519 ic->ic_stats.is_rx_mgtdiscard++; 520 goto out; 521 } 522 } 523 524 if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) { 525 /* MMPDU protection is on for Rx */ 526 if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC || 527 subtype == IEEE80211_FC0_SUBTYPE_DEAUTH || 528 subtype == IEEE80211_FC0_SUBTYPE_ACTION) { 529 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) && 530 !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 531 /* unicast mgmt not encrypted */ 532 goto out; 533 } 534 /* do software decryption */ 535 m = ieee80211_decrypt(ic, m, ni); 536 if (m == NULL) { 537 /* XXX stats */ 538 goto out; 539 } 540 wh = mtod(m, struct ieee80211_frame *); 541 } 542 } else if ((ic->ic_flags & IEEE80211_F_RSNON) && 543 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 544 /* encrypted but MMPDU Rx protection off for TA */ 545 goto out; 546 } 547 548 if (ifp->if_flags & IFF_DEBUG) 549 ieee80211_input_print(ic, ifp, wh, rxi); 550 #if NBPFILTER > 0 551 if (bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN) != 0) { 552 /* 553 * Drop mbuf if it was filtered by bpf. Normally, 554 * this is done in ether_input() but IEEE 802.11 555 * management frames are a special case. 556 */ 557 m_freem(m); 558 return; 559 } 560 #endif 561 (*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype); 562 m_freem(m); 563 return; 564 565 case IEEE80211_FC0_TYPE_CTL: 566 ic->ic_stats.is_rx_ctl++; 567 switch (subtype) { 568 #ifndef IEEE80211_STA_ONLY 569 case IEEE80211_FC0_SUBTYPE_PS_POLL: 570 ieee80211_recv_pspoll(ic, m, ni); 571 break; 572 #endif 573 case IEEE80211_FC0_SUBTYPE_BAR: 574 ieee80211_recv_bar(ic, m, ni); 575 break; 576 default: 577 break; 578 } 579 goto out; 580 581 default: 582 DPRINTF(("bad frame type %x\n", type)); 583 /* should not come here */ 584 break; 585 } 586 err: 587 ifp->if_ierrors++; 588 out: 589 if (m != NULL) { 590 #if NBPFILTER > 0 591 if (ic->ic_rawbpf) 592 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 593 #endif 594 m_freem(m); 595 } 596 } 597 598 /* 599 * Handle defragmentation (see 9.5 and Annex C). We support the concurrent 600 * reception of fragments of three fragmented MSDUs or MMPDUs. 601 */ 602 struct mbuf * 603 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 604 { 605 const struct ieee80211_frame *owh, *wh; 606 struct ieee80211_defrag *df; 607 u_int16_t rxseq, seq; 608 u_int8_t frag; 609 int i; 610 611 wh = mtod(m, struct ieee80211_frame *); 612 rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 613 seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 614 frag = rxseq & IEEE80211_SEQ_FRAG_MASK; 615 616 if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)) 617 return m; /* not fragmented */ 618 619 if (frag == 0) { 620 /* first fragment, setup entry in the fragment cache */ 621 if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE) 622 ic->ic_defrag_cur = 0; 623 df = &ic->ic_defrag[ic->ic_defrag_cur]; 624 m_freem(df->df_m); /* discard old entry */ 625 df->df_seq = seq; 626 df->df_frag = 0; 627 df->df_m = m; 628 /* start receive MSDU timer of aMaxReceiveLifetime */ 629 timeout_add_sec(&df->df_to, 1); 630 return NULL; /* MSDU or MMPDU not yet complete */ 631 } 632 633 /* find matching entry in the fragment cache */ 634 for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) { 635 df = &ic->ic_defrag[i]; 636 if (df->df_m == NULL) 637 continue; 638 if (df->df_seq != seq || df->df_frag + 1 != frag) 639 continue; 640 owh = mtod(df->df_m, struct ieee80211_frame *); 641 /* frame type, source and destination must match */ 642 if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) || 643 !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) || 644 !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2)) 645 continue; 646 /* matching entry found */ 647 break; 648 } 649 if (i == IEEE80211_DEFRAG_SIZE) { 650 /* no matching entry found, discard fragment */ 651 ic->ic_if.if_ierrors++; 652 m_freem(m); 653 return NULL; 654 } 655 656 df->df_frag = frag; 657 /* strip 802.11 header and concatenate fragment */ 658 m_adj(m, hdrlen); 659 m_cat(df->df_m, m); 660 df->df_m->m_pkthdr.len += m->m_pkthdr.len; 661 662 if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) 663 return NULL; /* MSDU or MMPDU not yet complete */ 664 665 /* MSDU or MMPDU complete */ 666 timeout_del(&df->df_to); 667 m = df->df_m; 668 df->df_m = NULL; 669 return m; 670 } 671 672 /* 673 * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime. 674 */ 675 void 676 ieee80211_defrag_timeout(void *arg) 677 { 678 struct ieee80211_defrag *df = arg; 679 int s = splnet(); 680 681 /* discard all received fragments */ 682 m_freem(df->df_m); 683 df->df_m = NULL; 684 685 splx(s); 686 } 687 688 /* 689 * Process a received data MPDU related to a specific HT-immediate Block Ack 690 * agreement (see 9.10.7.6). 691 */ 692 void 693 ieee80211_input_ba(struct ieee80211com *ic, struct mbuf *m, 694 struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi) 695 { 696 struct ifnet *ifp = &ic->ic_if; 697 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 698 struct ieee80211_frame *wh; 699 int idx, count; 700 u_int16_t sn; 701 702 wh = mtod(m, struct ieee80211_frame *); 703 sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 704 705 /* reset Block Ack inactivity timer */ 706 if (ba->ba_timeout_val != 0) 707 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 708 709 if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */ 710 ic->ic_stats.is_ht_rx_frame_below_ba_winstart++; 711 m_freem(m); /* discard the MPDU */ 712 return; 713 } 714 if (SEQ_LT(ba->ba_winend, sn)) { /* WinEndB < SN */ 715 ic->ic_stats.is_ht_rx_frame_above_ba_winend++; 716 count = (sn - ba->ba_winend) & 0xfff; 717 if (count > ba->ba_winsize) { 718 /* 719 * Check whether we're consistently behind the window, 720 * and let the window move forward if neccessary. 721 */ 722 if (ba->ba_winmiss < IEEE80211_BA_MAX_WINMISS) { 723 if (ba->ba_missedsn == ((sn - 1) & 0xfff)) 724 ba->ba_winmiss++; 725 else 726 ba->ba_winmiss = 0; 727 ba->ba_missedsn = sn; 728 ifp->if_ierrors++; 729 m_freem(m); /* discard the MPDU */ 730 return; 731 } 732 733 /* It appears the window has moved for real. */ 734 ic->ic_stats.is_ht_rx_ba_window_jump++; 735 ba->ba_winmiss = 0; 736 ba->ba_missedsn = 0; 737 ieee80211_ba_move_window(ic, ni, tid, sn); 738 } else { 739 ic->ic_stats.is_ht_rx_ba_window_slide++; 740 ieee80211_input_ba_seq(ic, ni, tid, 741 (ba->ba_winstart + count) & 0xfff); 742 ieee80211_input_ba_flush(ic, ni, ba); 743 } 744 } 745 /* WinStartB <= SN <= WinEndB */ 746 747 ba->ba_winmiss = 0; 748 ba->ba_missedsn = 0; 749 idx = (sn - ba->ba_winstart) & 0xfff; 750 idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ; 751 /* store the received MPDU in the buffer */ 752 if (ba->ba_buf[idx].m != NULL) { 753 ifp->if_ierrors++; 754 ic->ic_stats.is_ht_rx_ba_no_buf++; 755 m_freem(m); 756 return; 757 } 758 ba->ba_buf[idx].m = m; 759 /* store Rx meta-data too */ 760 rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE; 761 ba->ba_buf[idx].rxi = *rxi; 762 763 if (ba->ba_buf[ba->ba_head].m == NULL) 764 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT); 765 else if (timeout_pending(&ba->ba_gap_to)) 766 timeout_del(&ba->ba_gap_to); 767 768 ieee80211_input_ba_flush(ic, ni, ba); 769 } 770 771 /* 772 * Forward buffered frames with sequence number lower than max_seq. 773 * See 802.11-2012 9.21.7.6.2 b. 774 */ 775 void 776 ieee80211_input_ba_seq(struct ieee80211com *ic, struct ieee80211_node *ni, 777 uint8_t tid, uint16_t max_seq) 778 { 779 struct ifnet *ifp = &ic->ic_if; 780 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 781 struct ieee80211_frame *wh; 782 uint16_t seq; 783 int i = 0; 784 785 while (i++ < ba->ba_winsize) { 786 /* gaps may exist */ 787 if (ba->ba_buf[ba->ba_head].m != NULL) { 788 wh = mtod(ba->ba_buf[ba->ba_head].m, 789 struct ieee80211_frame *); 790 KASSERT(ieee80211_has_seq(wh)); 791 seq = letoh16(*(u_int16_t *)wh->i_seq) >> 792 IEEE80211_SEQ_SEQ_SHIFT; 793 if (!SEQ_LT(seq, max_seq)) 794 return; 795 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, 796 ni, &ba->ba_buf[ba->ba_head].rxi); 797 ba->ba_buf[ba->ba_head].m = NULL; 798 } else 799 ic->ic_stats.is_ht_rx_ba_frame_lost++; 800 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 801 } 802 } 803 804 /* Flush a consecutive sequence of frames from the reorder buffer. */ 805 void 806 ieee80211_input_ba_flush(struct ieee80211com *ic, struct ieee80211_node *ni, 807 struct ieee80211_rx_ba *ba) 808 809 { 810 struct ifnet *ifp = &ic->ic_if; 811 812 /* pass reordered MPDUs up to the next MAC process */ 813 while (ba->ba_buf[ba->ba_head].m != NULL) { 814 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 815 &ba->ba_buf[ba->ba_head].rxi); 816 ba->ba_buf[ba->ba_head].m = NULL; 817 818 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 819 /* move window forward */ 820 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 821 } 822 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 823 } 824 825 /* 826 * Forcibly move the BA window forward to remove a leading gap which has 827 * been causing frames to linger in the reordering buffer for too long. 828 * A leading gap will occur if a particular A-MPDU subframe never arrives 829 * or if a bug in the sender causes sequence numbers to jump forward by > 1. 830 */ 831 void 832 ieee80211_input_ba_gap_timeout(void *arg) 833 { 834 struct ieee80211_rx_ba *ba = arg; 835 struct ieee80211_node *ni = ba->ba_ni; 836 struct ieee80211com *ic = ni->ni_ic; 837 int s, skipped; 838 839 ic->ic_stats.is_ht_rx_ba_window_gap_timeout++; 840 841 s = splnet(); 842 843 skipped = 0; 844 while (skipped < ba->ba_winsize && ba->ba_buf[ba->ba_head].m == NULL) { 845 /* move window forward */ 846 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 847 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 848 skipped++; 849 ic->ic_stats.is_ht_rx_ba_frame_lost++; 850 } 851 if (skipped > 0) 852 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 853 854 ieee80211_input_ba_flush(ic, ni, ba); 855 856 splx(s); 857 } 858 859 860 /* 861 * Change the value of WinStartB (move window forward) upon reception of a 862 * BlockAckReq frame or an ADDBA Request (PBAC). 863 */ 864 void 865 ieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni, 866 u_int8_t tid, u_int16_t ssn) 867 { 868 struct ifnet *ifp = &ic->ic_if; 869 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 870 int count; 871 872 /* assert(WinStartB <= SSN) */ 873 874 count = (ssn - ba->ba_winstart) & 0xfff; 875 if (count > ba->ba_winsize) /* no overlap */ 876 count = ba->ba_winsize; 877 while (count-- > 0) { 878 /* gaps may exist */ 879 if (ba->ba_buf[ba->ba_head].m != NULL) { 880 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 881 &ba->ba_buf[ba->ba_head].rxi); 882 ba->ba_buf[ba->ba_head].m = NULL; 883 } else 884 ic->ic_stats.is_ht_rx_ba_frame_lost++; 885 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 886 } 887 /* move window forward */ 888 ba->ba_winstart = ssn; 889 890 ieee80211_input_ba_flush(ic, ni, ba); 891 } 892 893 void 894 ieee80211_deliver_data(struct ieee80211com *ic, struct mbuf *m, 895 struct ieee80211_node *ni) 896 { 897 struct ifnet *ifp = &ic->ic_if; 898 struct ether_header *eh; 899 struct mbuf *m1; 900 901 eh = mtod(m, struct ether_header *); 902 903 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid && 904 eh->ether_type != htons(ETHERTYPE_PAE)) { 905 DPRINTF(("port not valid: %s\n", 906 ether_sprintf(eh->ether_dhost))); 907 ic->ic_stats.is_rx_unauth++; 908 m_freem(m); 909 return; 910 } 911 912 /* 913 * Perform as a bridge within the AP. Notice that we do not 914 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X. 915 */ 916 m1 = NULL; 917 #ifndef IEEE80211_STA_ONLY 918 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 919 !(ic->ic_flags & IEEE80211_F_NOBRIDGE) && 920 eh->ether_type != htons(ETHERTYPE_PAE)) { 921 struct ieee80211_node *ni1; 922 923 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 924 m1 = m_dup_pkt(m, ETHER_ALIGN, M_DONTWAIT); 925 if (m1 == NULL) 926 ifp->if_oerrors++; 927 else 928 m1->m_flags |= M_MCAST; 929 } else { 930 ni1 = ieee80211_find_node(ic, eh->ether_dhost); 931 if (ni1 != NULL && 932 ni1->ni_state == IEEE80211_STA_ASSOC) { 933 m1 = m; 934 m = NULL; 935 } 936 } 937 if (m1 != NULL) { 938 if (if_enqueue(ifp, m1)) 939 ifp->if_oerrors++; 940 } 941 } 942 #endif 943 if (m != NULL) { 944 if ((ic->ic_flags & IEEE80211_F_RSNON) && 945 eh->ether_type == htons(ETHERTYPE_PAE)) { 946 ifp->if_ipackets++; 947 #if NBPFILTER > 0 948 /* 949 * If we forward frame into transmitter of the AP, 950 * we don't need to duplicate for DLT_EN10MB. 951 */ 952 if (ifp->if_bpf && m1 == NULL) 953 bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN); 954 #endif 955 ieee80211_eapol_key_input(ic, m, ni); 956 } else { 957 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 958 ml_enqueue(&ml, m); 959 if_input(ifp, &ml); 960 } 961 } 962 } 963 964 void 965 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, 966 struct ieee80211_node *ni, int hdrlen) 967 { 968 struct ether_header eh; 969 struct ieee80211_frame *wh; 970 struct llc *llc; 971 972 if (m->m_len < hdrlen + LLC_SNAPFRAMELEN && 973 (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) { 974 ic->ic_stats.is_rx_decap++; 975 return; 976 } 977 wh = mtod(m, struct ieee80211_frame *); 978 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 979 case IEEE80211_FC1_DIR_NODS: 980 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 981 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 982 break; 983 case IEEE80211_FC1_DIR_TODS: 984 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 985 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 986 break; 987 case IEEE80211_FC1_DIR_FROMDS: 988 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 989 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr3); 990 break; 991 case IEEE80211_FC1_DIR_DSTODS: 992 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 993 IEEE80211_ADDR_COPY(eh.ether_shost, 994 ((struct ieee80211_frame_addr4 *)wh)->i_addr4); 995 break; 996 } 997 llc = (struct llc *)((caddr_t)wh + hdrlen); 998 if (llc->llc_dsap == LLC_SNAP_LSAP && 999 llc->llc_ssap == LLC_SNAP_LSAP && 1000 llc->llc_control == LLC_UI && 1001 llc->llc_snap.org_code[0] == 0 && 1002 llc->llc_snap.org_code[1] == 0 && 1003 llc->llc_snap.org_code[2] == 0) { 1004 eh.ether_type = llc->llc_snap.ether_type; 1005 m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN); 1006 } else { 1007 eh.ether_type = htons(m->m_pkthdr.len - hdrlen); 1008 m_adj(m, hdrlen - ETHER_HDR_LEN); 1009 } 1010 memcpy(mtod(m, caddr_t), &eh, ETHER_HDR_LEN); 1011 if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) { 1012 struct mbuf *m0 = m; 1013 m = m_dup_pkt(m0, ETHER_ALIGN, M_NOWAIT); 1014 m_freem(m0); 1015 if (m == NULL) { 1016 ic->ic_stats.is_rx_decap++; 1017 return; 1018 } 1019 } 1020 ieee80211_deliver_data(ic, m, ni); 1021 } 1022 1023 /* 1024 * Decapsulate an Aggregate MSDU (see 7.2.2.2). 1025 */ 1026 void 1027 ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m, 1028 struct ieee80211_node *ni, int hdrlen) 1029 { 1030 struct mbuf *n; 1031 struct ether_header *eh; 1032 struct llc *llc; 1033 int len, pad; 1034 1035 /* strip 802.11 header */ 1036 m_adj(m, hdrlen); 1037 1038 for (;;) { 1039 /* process an A-MSDU subframe */ 1040 if (m->m_len < ETHER_HDR_LEN + LLC_SNAPFRAMELEN) { 1041 m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN); 1042 if (m == NULL) { 1043 ic->ic_stats.is_rx_decap++; 1044 break; 1045 } 1046 } 1047 eh = mtod(m, struct ether_header *); 1048 /* examine 802.3 header */ 1049 len = ntohs(eh->ether_type); 1050 if (len < LLC_SNAPFRAMELEN) { 1051 DPRINTF(("A-MSDU subframe too short (%d)\n", len)); 1052 /* stop processing A-MSDU subframes */ 1053 ic->ic_stats.is_rx_decap++; 1054 m_freem(m); 1055 break; 1056 } 1057 llc = (struct llc *)&eh[1]; 1058 /* examine 802.2 LLC header */ 1059 if (llc->llc_dsap == LLC_SNAP_LSAP && 1060 llc->llc_ssap == LLC_SNAP_LSAP && 1061 llc->llc_control == LLC_UI && 1062 llc->llc_snap.org_code[0] == 0 && 1063 llc->llc_snap.org_code[1] == 0 && 1064 llc->llc_snap.org_code[2] == 0) { 1065 /* convert to Ethernet II header */ 1066 eh->ether_type = llc->llc_snap.ether_type; 1067 /* strip LLC+SNAP headers */ 1068 memmove((u_int8_t *)eh + LLC_SNAPFRAMELEN, eh, 1069 ETHER_HDR_LEN); 1070 m_adj(m, LLC_SNAPFRAMELEN); 1071 len -= LLC_SNAPFRAMELEN; 1072 } 1073 len += ETHER_HDR_LEN; 1074 if (len > m->m_pkthdr.len) { 1075 /* stop processing A-MSDU subframes */ 1076 DPRINTF(("A-MSDU subframe too long (%d)\n", len)); 1077 ic->ic_stats.is_rx_decap++; 1078 m_freem(m); 1079 break; 1080 } 1081 1082 /* "detach" our A-MSDU subframe from the others */ 1083 n = m_split(m, len, M_NOWAIT); 1084 if (n == NULL) { 1085 /* stop processing A-MSDU subframes */ 1086 ic->ic_stats.is_rx_decap++; 1087 m_freem(m); 1088 break; 1089 } 1090 ieee80211_deliver_data(ic, m, ni); 1091 1092 if (n->m_len == 0) { 1093 m_freem(n); 1094 break; 1095 } 1096 m = n; 1097 /* remove padding */ 1098 pad = ((len + 3) & ~3) - len; 1099 m_adj(m, pad); 1100 } 1101 } 1102 1103 /* 1104 * Parse an EDCA Parameter Set element (see 7.3.2.27). 1105 */ 1106 int 1107 ieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm) 1108 { 1109 u_int updtcount; 1110 int aci; 1111 1112 /* 1113 * Check if EDCA parameters have changed XXX if we miss more than 1114 * 15 consecutive beacons, we might not detect changes to EDCA 1115 * parameters due to wraparound of the 4-bit Update Count field. 1116 */ 1117 updtcount = frm[0] & 0xf; 1118 if (updtcount == ic->ic_edca_updtcount) 1119 return 0; /* no changes to EDCA parameters, ignore */ 1120 ic->ic_edca_updtcount = updtcount; 1121 1122 frm += 2; /* skip QoS Info & Reserved fields */ 1123 1124 /* parse AC Parameter Records */ 1125 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 1126 struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci]; 1127 1128 ac->ac_acm = (frm[0] >> 4) & 0x1; 1129 ac->ac_aifsn = frm[0] & 0xf; 1130 ac->ac_ecwmin = frm[1] & 0xf; 1131 ac->ac_ecwmax = frm[1] >> 4; 1132 ac->ac_txoplimit = LE_READ_2(frm + 2); 1133 frm += 4; 1134 } 1135 /* give drivers a chance to update their settings */ 1136 if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL) 1137 (*ic->ic_updateedca)(ic); 1138 1139 return 0; 1140 } 1141 1142 int 1143 ieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm) 1144 { 1145 if (frm[1] < 18) { 1146 ic->ic_stats.is_rx_elem_toosmall++; 1147 return IEEE80211_REASON_IE_INVALID; 1148 } 1149 return ieee80211_parse_edca_params_body(ic, frm + 2); 1150 } 1151 1152 int 1153 ieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm) 1154 { 1155 if (frm[1] < 24) { 1156 ic->ic_stats.is_rx_elem_toosmall++; 1157 return IEEE80211_REASON_IE_INVALID; 1158 } 1159 return ieee80211_parse_edca_params_body(ic, frm + 8); 1160 } 1161 1162 enum ieee80211_cipher 1163 ieee80211_parse_rsn_cipher(const u_int8_t selector[4]) 1164 { 1165 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1166 switch (selector[3]) { 1167 case 0: /* use group data cipher suite */ 1168 return IEEE80211_CIPHER_USEGROUP; 1169 case 1: /* WEP-40 */ 1170 return IEEE80211_CIPHER_WEP40; 1171 case 2: /* TKIP */ 1172 return IEEE80211_CIPHER_TKIP; 1173 case 4: /* CCMP (RSNA default) */ 1174 return IEEE80211_CIPHER_CCMP; 1175 case 5: /* WEP-104 */ 1176 return IEEE80211_CIPHER_WEP104; 1177 } 1178 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1179 /* see 802.11-2012 Table 8-99 */ 1180 switch (selector[3]) { 1181 case 0: /* use group data cipher suite */ 1182 return IEEE80211_CIPHER_USEGROUP; 1183 case 1: /* WEP-40 */ 1184 return IEEE80211_CIPHER_WEP40; 1185 case 2: /* TKIP */ 1186 return IEEE80211_CIPHER_TKIP; 1187 case 4: /* CCMP (RSNA default) */ 1188 return IEEE80211_CIPHER_CCMP; 1189 case 5: /* WEP-104 */ 1190 return IEEE80211_CIPHER_WEP104; 1191 case 6: /* BIP */ 1192 return IEEE80211_CIPHER_BIP; 1193 } 1194 } 1195 return IEEE80211_CIPHER_NONE; /* ignore unknown ciphers */ 1196 } 1197 1198 enum ieee80211_akm 1199 ieee80211_parse_rsn_akm(const u_int8_t selector[4]) 1200 { 1201 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1202 switch (selector[3]) { 1203 case 1: /* IEEE 802.1X (RSNA default) */ 1204 return IEEE80211_AKM_8021X; 1205 case 2: /* PSK */ 1206 return IEEE80211_AKM_PSK; 1207 } 1208 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1209 /* from IEEE Std 802.11i-2004 - Table 20dc */ 1210 switch (selector[3]) { 1211 case 1: /* IEEE 802.1X (RSNA default) */ 1212 return IEEE80211_AKM_8021X; 1213 case 2: /* PSK */ 1214 return IEEE80211_AKM_PSK; 1215 case 5: /* IEEE 802.1X with SHA256 KDF */ 1216 return IEEE80211_AKM_SHA256_8021X; 1217 case 6: /* PSK with SHA256 KDF */ 1218 return IEEE80211_AKM_SHA256_PSK; 1219 } 1220 } 1221 return IEEE80211_AKM_NONE; /* ignore unknown AKMs */ 1222 } 1223 1224 /* 1225 * Parse an RSN element (see 802.11-2012 8.4.2.27) 1226 */ 1227 int 1228 ieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm, 1229 u_int len, struct ieee80211_rsnparams *rsn) 1230 { 1231 const u_int8_t *efrm; 1232 u_int16_t m, n, s; 1233 1234 efrm = frm + len; 1235 1236 /* check Version field */ 1237 if (LE_READ_2(frm) != 1) 1238 return IEEE80211_STATUS_RSN_IE_VER_UNSUP; 1239 frm += 2; 1240 1241 /* all fields after the Version field are optional */ 1242 1243 /* if Cipher Suite missing, default to CCMP */ 1244 rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP; 1245 rsn->rsn_nciphers = 1; 1246 rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP; 1247 /* if Group Management Cipher Suite missing, defaut to BIP */ 1248 rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP; 1249 /* if AKM Suite missing, default to 802.1X */ 1250 rsn->rsn_nakms = 1; 1251 rsn->rsn_akms = IEEE80211_AKM_8021X; 1252 /* if RSN capabilities missing, default to 0 */ 1253 rsn->rsn_caps = 0; 1254 rsn->rsn_npmkids = 0; 1255 1256 /* read Group Data Cipher Suite field */ 1257 if (frm + 4 > efrm) 1258 return 0; 1259 rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm); 1260 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_NONE || 1261 rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP || 1262 rsn->rsn_groupcipher == IEEE80211_CIPHER_BIP) 1263 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1264 frm += 4; 1265 1266 /* read Pairwise Cipher Suite Count field */ 1267 if (frm + 2 > efrm) 1268 return 0; 1269 m = rsn->rsn_nciphers = LE_READ_2(frm); 1270 frm += 2; 1271 1272 /* read Pairwise Cipher Suite List */ 1273 if (frm + m * 4 > efrm) 1274 return IEEE80211_STATUS_IE_INVALID; 1275 rsn->rsn_ciphers = IEEE80211_CIPHER_NONE; 1276 while (m-- > 0) { 1277 rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm); 1278 frm += 4; 1279 } 1280 if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) { 1281 if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP) 1282 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1283 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP) 1284 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1285 } 1286 1287 /* read AKM Suite List Count field */ 1288 if (frm + 2 > efrm) 1289 return 0; 1290 n = rsn->rsn_nakms = LE_READ_2(frm); 1291 frm += 2; 1292 1293 /* read AKM Suite List */ 1294 if (frm + n * 4 > efrm) 1295 return IEEE80211_STATUS_IE_INVALID; 1296 rsn->rsn_akms = IEEE80211_AKM_NONE; 1297 while (n-- > 0) { 1298 rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm); 1299 frm += 4; 1300 } 1301 1302 /* read RSN Capabilities field */ 1303 if (frm + 2 > efrm) 1304 return 0; 1305 rsn->rsn_caps = LE_READ_2(frm); 1306 frm += 2; 1307 1308 /* read PMKID Count field */ 1309 if (frm + 2 > efrm) 1310 return 0; 1311 s = rsn->rsn_npmkids = LE_READ_2(frm); 1312 frm += 2; 1313 1314 /* read PMKID List */ 1315 if (frm + s * IEEE80211_PMKID_LEN > efrm) 1316 return IEEE80211_STATUS_IE_INVALID; 1317 if (s != 0) { 1318 rsn->rsn_pmkids = frm; 1319 frm += s * IEEE80211_PMKID_LEN; 1320 } 1321 1322 /* read Group Management Cipher Suite field */ 1323 if (frm + 4 > efrm) 1324 return 0; 1325 rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm); 1326 if (rsn->rsn_groupmgmtcipher != IEEE80211_CIPHER_BIP) 1327 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1328 1329 return IEEE80211_STATUS_SUCCESS; 1330 } 1331 1332 int 1333 ieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm, 1334 struct ieee80211_rsnparams *rsn) 1335 { 1336 if (frm[1] < 2) { 1337 ic->ic_stats.is_rx_elem_toosmall++; 1338 return IEEE80211_STATUS_IE_INVALID; 1339 } 1340 return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn); 1341 } 1342 1343 int 1344 ieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm, 1345 struct ieee80211_rsnparams *rsn) 1346 { 1347 if (frm[1] < 6) { 1348 ic->ic_stats.is_rx_elem_toosmall++; 1349 return IEEE80211_STATUS_IE_INVALID; 1350 } 1351 return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn); 1352 } 1353 1354 /* 1355 * Create (or update) a copy of an information element. 1356 */ 1357 int 1358 ieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie) 1359 { 1360 if (*ie == NULL || (*ie)[1] != frm[1]) { 1361 if (*ie != NULL) 1362 free(*ie, M_DEVBUF, 0); 1363 *ie = malloc(2 + frm[1], M_DEVBUF, M_NOWAIT); 1364 if (*ie == NULL) 1365 return ENOMEM; 1366 } 1367 memcpy(*ie, frm, 2 + frm[1]); 1368 return 0; 1369 } 1370 1371 /*- 1372 * Beacon/Probe response frame format: 1373 * [8] Timestamp 1374 * [2] Beacon interval 1375 * [2] Capability 1376 * [tlv] Service Set Identifier (SSID) 1377 * [tlv] Supported rates 1378 * [tlv] DS Parameter Set (802.11g) 1379 * [tlv] ERP Information (802.11g) 1380 * [tlv] Extended Supported Rates (802.11g) 1381 * [tlv] RSN (802.11i) 1382 * [tlv] EDCA Parameter Set (802.11e) 1383 * [tlv] QoS Capability (Beacon only, 802.11e) 1384 * [tlv] HT Capabilities (802.11n) 1385 * [tlv] HT Operation (802.11n) 1386 */ 1387 void 1388 ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m, 1389 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int isprobe) 1390 { 1391 const struct ieee80211_frame *wh; 1392 const u_int8_t *frm, *efrm; 1393 const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie; 1394 const u_int8_t *rsnie, *wpaie, *htcaps, *htop; 1395 u_int16_t capinfo, bintval; 1396 u_int8_t chan, bchan, erp, dtim_count, dtim_period; 1397 int is_new; 1398 1399 /* 1400 * We process beacon/probe response frames for: 1401 * o station mode: to collect state 1402 * updates such as 802.11g slot time and for passive 1403 * scanning of APs 1404 * o adhoc mode: to discover neighbors 1405 * o hostap mode: for passive scanning of neighbor APs 1406 * o when scanning 1407 * In other words, in all modes other than monitor (which 1408 * does not process incoming frames) and adhoc-demo (which 1409 * does not use management frames at all). 1410 */ 1411 #ifdef DIAGNOSTIC 1412 if (ic->ic_opmode != IEEE80211_M_STA && 1413 #ifndef IEEE80211_STA_ONLY 1414 ic->ic_opmode != IEEE80211_M_IBSS && 1415 ic->ic_opmode != IEEE80211_M_HOSTAP && 1416 #endif 1417 ic->ic_state != IEEE80211_S_SCAN) { 1418 panic("%s: impossible operating mode", __func__); 1419 } 1420 #endif 1421 /* make sure all mandatory fixed fields are present */ 1422 if (m->m_len < sizeof(*wh) + 12) { 1423 DPRINTF(("frame too short\n")); 1424 return; 1425 } 1426 wh = mtod(m, struct ieee80211_frame *); 1427 frm = (const u_int8_t *)&wh[1]; 1428 efrm = mtod(m, u_int8_t *) + m->m_len; 1429 1430 tstamp = frm; frm += 8; 1431 bintval = LE_READ_2(frm); frm += 2; 1432 capinfo = LE_READ_2(frm); frm += 2; 1433 1434 ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = NULL; 1435 htcaps = htop = NULL; 1436 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1437 chan = bchan; 1438 erp = 0; 1439 dtim_count = dtim_period = 0; 1440 while (frm + 2 <= efrm) { 1441 if (frm + 2 + frm[1] > efrm) { 1442 ic->ic_stats.is_rx_elem_toosmall++; 1443 break; 1444 } 1445 switch (frm[0]) { 1446 case IEEE80211_ELEMID_SSID: 1447 ssid = frm; 1448 break; 1449 case IEEE80211_ELEMID_RATES: 1450 rates = frm; 1451 break; 1452 case IEEE80211_ELEMID_DSPARMS: 1453 if (frm[1] < 1) { 1454 ic->ic_stats.is_rx_elem_toosmall++; 1455 break; 1456 } 1457 chan = frm[2]; 1458 break; 1459 case IEEE80211_ELEMID_XRATES: 1460 xrates = frm; 1461 break; 1462 case IEEE80211_ELEMID_ERP: 1463 if (frm[1] < 1) { 1464 ic->ic_stats.is_rx_elem_toosmall++; 1465 break; 1466 } 1467 erp = frm[2]; 1468 break; 1469 case IEEE80211_ELEMID_RSN: 1470 rsnie = frm; 1471 break; 1472 case IEEE80211_ELEMID_EDCAPARMS: 1473 edcaie = frm; 1474 break; 1475 case IEEE80211_ELEMID_HTCAPS: 1476 htcaps = frm; 1477 break; 1478 case IEEE80211_ELEMID_HTOP: 1479 htop = frm; 1480 break; 1481 case IEEE80211_ELEMID_TIM: 1482 if (frm[1] > 3) { 1483 dtim_count = frm[2]; 1484 dtim_period = frm[3]; 1485 } 1486 break; 1487 case IEEE80211_ELEMID_VENDOR: 1488 if (frm[1] < 4) { 1489 ic->ic_stats.is_rx_elem_toosmall++; 1490 break; 1491 } 1492 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1493 if (frm[5] == 1) 1494 wpaie = frm; 1495 else if (frm[1] >= 5 && 1496 frm[5] == 2 && frm[6] == 1) 1497 wmmie = frm; 1498 } 1499 break; 1500 } 1501 frm += 2 + frm[1]; 1502 } 1503 /* supported rates element is mandatory */ 1504 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1505 DPRINTF(("invalid supported rates element\n")); 1506 return; 1507 } 1508 /* SSID element is mandatory */ 1509 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1510 DPRINTF(("invalid SSID element\n")); 1511 return; 1512 } 1513 1514 if ( 1515 #if IEEE80211_CHAN_MAX < 255 1516 chan > IEEE80211_CHAN_MAX || 1517 #endif 1518 isclr(ic->ic_chan_active, chan)) { 1519 DPRINTF(("ignore %s with invalid channel %u\n", 1520 isprobe ? "probe response" : "beacon", chan)); 1521 ic->ic_stats.is_rx_badchan++; 1522 return; 1523 } 1524 if ((ic->ic_state != IEEE80211_S_SCAN || 1525 !(ic->ic_caps & IEEE80211_C_SCANALL)) && 1526 chan != bchan) { 1527 /* 1528 * Frame was received on a channel different from the 1529 * one indicated in the DS params element id; 1530 * silently discard it. 1531 * 1532 * NB: this can happen due to signal leakage. 1533 */ 1534 DPRINTF(("ignore %s on channel %u marked for channel %u\n", 1535 isprobe ? "probe response" : "beacon", bchan, chan)); 1536 ic->ic_stats.is_rx_chanmismatch++; 1537 return; 1538 } 1539 /* 1540 * Use mac, channel and rssi so we collect only the 1541 * best potential AP with the equal bssid while scanning. 1542 * Collecting all potential APs may result in bloat of 1543 * the node tree. This call will return NULL if the node 1544 * for this APs does not exist or if the new node is the 1545 * potential better one. 1546 */ 1547 if ((ni = ieee80211_find_node_for_beacon(ic, wh->i_addr2, 1548 &ic->ic_channels[chan], ssid, rxi->rxi_rssi)) != NULL) 1549 return; 1550 1551 #ifdef IEEE80211_DEBUG 1552 if (ieee80211_debug > 1 && 1553 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN)) { 1554 printf("%s: %s%s on chan %u (bss chan %u) ", 1555 __func__, (ni == NULL ? "new " : ""), 1556 isprobe ? "probe response" : "beacon", 1557 chan, bchan); 1558 ieee80211_print_essid(ssid + 2, ssid[1]); 1559 printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2)); 1560 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1561 __func__, capinfo, bintval, erp); 1562 } 1563 #endif 1564 1565 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1566 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1567 if (ni == NULL) 1568 return; 1569 is_new = 1; 1570 } else 1571 is_new = 0; 1572 1573 if (htcaps) 1574 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1575 if (htop && !ieee80211_setup_htop(ni, htop + 2, htop[1])) 1576 htop = NULL; /* invalid HTOP */ 1577 1578 ni->ni_dtimcount = dtim_count; 1579 ni->ni_dtimperiod = dtim_period; 1580 1581 /* 1582 * When operating in station mode, check for state updates 1583 * while we're associated. 1584 */ 1585 if (ic->ic_opmode == IEEE80211_M_STA && 1586 ic->ic_state == IEEE80211_S_RUN && 1587 ni->ni_state == IEEE80211_STA_BSS) { 1588 /* 1589 * Check if protection mode has changed since last beacon. 1590 */ 1591 if (ni->ni_erp != erp) { 1592 DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n", 1593 ether_sprintf((u_int8_t *)wh->i_addr2), 1594 ni->ni_erp, erp)); 1595 if (ic->ic_curmode == IEEE80211_MODE_11G && 1596 (erp & IEEE80211_ERP_USE_PROTECTION)) 1597 ic->ic_flags |= IEEE80211_F_USEPROT; 1598 else 1599 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1600 ic->ic_bss->ni_erp = erp; 1601 } 1602 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT)) { 1603 enum ieee80211_htprot htprot_last, htprot; 1604 htprot_last = 1605 ((ic->ic_bss->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) 1606 >> IEEE80211_HTOP1_PROT_SHIFT); 1607 htprot = ((ni->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) >> 1608 IEEE80211_HTOP1_PROT_SHIFT); 1609 if (htprot_last != htprot) { 1610 DPRINTF(("[%s] htprot change: was %d, now %d\n", 1611 ether_sprintf((u_int8_t *)wh->i_addr2), 1612 htprot_last, htprot)); 1613 ic->ic_stats.is_ht_prot_change++; 1614 ic->ic_bss->ni_htop1 = ni->ni_htop1; 1615 ic->ic_update_htprot(ic, ic->ic_bss); 1616 } 1617 } 1618 1619 /* 1620 * Check if AP short slot time setting has changed 1621 * since last beacon and give the driver a chance to 1622 * update the hardware. 1623 */ 1624 if ((ni->ni_capinfo ^ capinfo) & 1625 IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1626 ieee80211_set_shortslottime(ic, 1627 ic->ic_curmode == IEEE80211_MODE_11A || 1628 (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1629 } 1630 } 1631 /* 1632 * We do not try to update EDCA parameters if QoS was not negotiated 1633 * with the AP at association time. 1634 */ 1635 if (ni->ni_flags & IEEE80211_NODE_QOS) { 1636 /* always prefer EDCA IE over Wi-Fi Alliance WMM IE */ 1637 if ((edcaie != NULL && 1638 ieee80211_parse_edca_params(ic, edcaie) == 0) || 1639 (wmmie != NULL && 1640 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 1641 ni->ni_flags |= IEEE80211_NODE_QOS; 1642 else 1643 ni->ni_flags &= ~IEEE80211_NODE_QOS; 1644 } 1645 1646 if (ic->ic_state == IEEE80211_S_SCAN 1647 #ifndef IEEE80211_STA_ONLY 1648 && ic->ic_opmode != IEEE80211_M_HOSTAP 1649 #endif 1650 ) { 1651 struct ieee80211_rsnparams rsn; 1652 const u_int8_t *saveie = NULL; 1653 /* 1654 * If the AP advertises both RSN and WPA IEs (WPA1+WPA2), 1655 * we only store the parameters of the highest protocol 1656 * version we support. 1657 */ 1658 if (rsnie != NULL && 1659 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 1660 if (ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) { 1661 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1662 saveie = rsnie; 1663 } 1664 } else if (wpaie != NULL && 1665 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 1666 if (ieee80211_parse_wpa(ic, wpaie, &rsn) == 0) { 1667 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1668 saveie = wpaie; 1669 } 1670 } 1671 if (saveie != NULL && 1672 ieee80211_save_ie(saveie, &ni->ni_rsnie) == 0) { 1673 ni->ni_rsnakms = rsn.rsn_akms; 1674 ni->ni_rsnciphers = rsn.rsn_ciphers; 1675 ni->ni_rsngroupcipher = rsn.rsn_groupcipher; 1676 ni->ni_rsngroupmgmtcipher = rsn.rsn_groupmgmtcipher; 1677 ni->ni_rsncaps = rsn.rsn_caps; 1678 } else 1679 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1680 } 1681 1682 if (ssid[1] != 0 && ni->ni_esslen == 0) { 1683 ni->ni_esslen = ssid[1]; 1684 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1685 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1686 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1687 } 1688 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1689 ni->ni_rssi = rxi->rxi_rssi; 1690 ni->ni_rstamp = rxi->rxi_tstamp; 1691 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 1692 ni->ni_intval = bintval; 1693 ni->ni_capinfo = capinfo; 1694 /* XXX validate channel # */ 1695 ni->ni_chan = &ic->ic_channels[chan]; 1696 ni->ni_erp = erp; 1697 /* NB: must be after ni_chan is setup */ 1698 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 1699 #ifndef IEEE80211_STA_ONLY 1700 if (ic->ic_opmode == IEEE80211_M_IBSS && is_new && isprobe) { 1701 /* 1702 * Fake an association so the driver can setup it's 1703 * private state. The rate set has been setup above; 1704 * there is no handshake as in ap/station operation. 1705 */ 1706 if (ic->ic_newassoc) 1707 (*ic->ic_newassoc)(ic, ni, 1); 1708 } 1709 #endif 1710 } 1711 1712 #ifndef IEEE80211_STA_ONLY 1713 /*- 1714 * Probe request frame format: 1715 * [tlv] SSID 1716 * [tlv] Supported rates 1717 * [tlv] Extended Supported Rates (802.11g) 1718 * [tlv] HT Capabilities (802.11n) 1719 */ 1720 void 1721 ieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m, 1722 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1723 { 1724 const struct ieee80211_frame *wh; 1725 const u_int8_t *frm, *efrm; 1726 const u_int8_t *ssid, *rates, *xrates, *htcaps; 1727 u_int8_t rate; 1728 1729 if (ic->ic_opmode == IEEE80211_M_STA || 1730 ic->ic_state != IEEE80211_S_RUN) 1731 return; 1732 1733 wh = mtod(m, struct ieee80211_frame *); 1734 frm = (const u_int8_t *)&wh[1]; 1735 efrm = mtod(m, u_int8_t *) + m->m_len; 1736 1737 ssid = rates = xrates = htcaps = NULL; 1738 while (frm + 2 <= efrm) { 1739 if (frm + 2 + frm[1] > efrm) { 1740 ic->ic_stats.is_rx_elem_toosmall++; 1741 break; 1742 } 1743 switch (frm[0]) { 1744 case IEEE80211_ELEMID_SSID: 1745 ssid = frm; 1746 break; 1747 case IEEE80211_ELEMID_RATES: 1748 rates = frm; 1749 break; 1750 case IEEE80211_ELEMID_XRATES: 1751 xrates = frm; 1752 break; 1753 case IEEE80211_ELEMID_HTCAPS: 1754 htcaps = frm; 1755 break; 1756 } 1757 frm += 2 + frm[1]; 1758 } 1759 /* supported rates element is mandatory */ 1760 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1761 DPRINTF(("invalid supported rates element\n")); 1762 return; 1763 } 1764 /* SSID element is mandatory */ 1765 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1766 DPRINTF(("invalid SSID element\n")); 1767 return; 1768 } 1769 /* check that the specified SSID (if not wildcard) matches ours */ 1770 if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen || 1771 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) { 1772 DPRINTF(("SSID mismatch\n")); 1773 ic->ic_stats.is_rx_ssidmismatch++; 1774 return; 1775 } 1776 /* refuse wildcard SSID if we're hiding our SSID in beacons */ 1777 if (ssid[1] == 0 && (ic->ic_flags & IEEE80211_F_HIDENWID)) { 1778 DPRINTF(("wildcard SSID rejected")); 1779 ic->ic_stats.is_rx_ssidmismatch++; 1780 return; 1781 } 1782 1783 if (ni == ic->ic_bss) { 1784 ni = ieee80211_find_node(ic, wh->i_addr2); 1785 if (ni == NULL) 1786 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1787 if (ni == NULL) 1788 return; 1789 DPRINTF(("new probe req from %s\n", 1790 ether_sprintf((u_int8_t *)wh->i_addr2))); 1791 } 1792 ni->ni_rssi = rxi->rxi_rssi; 1793 ni->ni_rstamp = rxi->rxi_tstamp; 1794 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1795 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 1796 IEEE80211_F_DODEL); 1797 if (rate & IEEE80211_RATE_BASIC) { 1798 DPRINTF(("rate mismatch for %s\n", 1799 ether_sprintf((u_int8_t *)wh->i_addr2))); 1800 return; 1801 } 1802 if (htcaps) 1803 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1804 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 1805 } 1806 #endif /* IEEE80211_STA_ONLY */ 1807 1808 /*- 1809 * Authentication frame format: 1810 * [2] Authentication algorithm number 1811 * [2] Authentication transaction sequence number 1812 * [2] Status code 1813 */ 1814 void 1815 ieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m, 1816 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1817 { 1818 const struct ieee80211_frame *wh; 1819 const u_int8_t *frm; 1820 u_int16_t algo, seq, status; 1821 1822 /* make sure all mandatory fixed fields are present */ 1823 if (m->m_len < sizeof(*wh) + 6) { 1824 DPRINTF(("frame too short\n")); 1825 return; 1826 } 1827 wh = mtod(m, struct ieee80211_frame *); 1828 frm = (const u_int8_t *)&wh[1]; 1829 1830 algo = LE_READ_2(frm); frm += 2; 1831 seq = LE_READ_2(frm); frm += 2; 1832 status = LE_READ_2(frm); frm += 2; 1833 DPRINTF(("auth %d seq %d from %s\n", algo, seq, 1834 ether_sprintf((u_int8_t *)wh->i_addr2))); 1835 1836 /* only "open" auth mode is supported */ 1837 if (algo != IEEE80211_AUTH_ALG_OPEN) { 1838 DPRINTF(("unsupported auth algorithm %d from %s\n", 1839 algo, ether_sprintf((u_int8_t *)wh->i_addr2))); 1840 ic->ic_stats.is_rx_auth_unsupported++; 1841 #ifndef IEEE80211_STA_ONLY 1842 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1843 /* XXX hack to workaround calling convention */ 1844 IEEE80211_SEND_MGMT(ic, ni, 1845 IEEE80211_FC0_SUBTYPE_AUTH, 1846 IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xffff)); 1847 } 1848 #endif 1849 return; 1850 } 1851 ieee80211_auth_open(ic, wh, ni, rxi, seq, status); 1852 } 1853 1854 #ifndef IEEE80211_STA_ONLY 1855 /*- 1856 * (Re)Association request frame format: 1857 * [2] Capability information 1858 * [2] Listen interval 1859 * [6*] Current AP address (Reassociation only) 1860 * [tlv] SSID 1861 * [tlv] Supported rates 1862 * [tlv] Extended Supported Rates (802.11g) 1863 * [tlv] RSN (802.11i) 1864 * [tlv] QoS Capability (802.11e) 1865 * [tlv] HT Capabilities (802.11n) 1866 */ 1867 void 1868 ieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m, 1869 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc) 1870 { 1871 const struct ieee80211_frame *wh; 1872 const u_int8_t *frm, *efrm; 1873 const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *htcaps; 1874 u_int16_t capinfo, bintval; 1875 int resp, status = 0; 1876 struct ieee80211_rsnparams rsn; 1877 u_int8_t rate; 1878 1879 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 1880 ic->ic_state != IEEE80211_S_RUN) 1881 return; 1882 1883 /* make sure all mandatory fixed fields are present */ 1884 if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) { 1885 DPRINTF(("frame too short\n")); 1886 return; 1887 } 1888 wh = mtod(m, struct ieee80211_frame *); 1889 frm = (const u_int8_t *)&wh[1]; 1890 efrm = mtod(m, u_int8_t *) + m->m_len; 1891 1892 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 1893 DPRINTF(("ignore other bss from %s\n", 1894 ether_sprintf((u_int8_t *)wh->i_addr2))); 1895 ic->ic_stats.is_rx_assoc_bss++; 1896 return; 1897 } 1898 capinfo = LE_READ_2(frm); frm += 2; 1899 bintval = LE_READ_2(frm); frm += 2; 1900 if (reassoc) { 1901 frm += IEEE80211_ADDR_LEN; /* skip current AP address */ 1902 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1903 } else 1904 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1905 1906 ssid = rates = xrates = rsnie = wpaie = htcaps = NULL; 1907 while (frm + 2 <= efrm) { 1908 if (frm + 2 + frm[1] > efrm) { 1909 ic->ic_stats.is_rx_elem_toosmall++; 1910 break; 1911 } 1912 switch (frm[0]) { 1913 case IEEE80211_ELEMID_SSID: 1914 ssid = frm; 1915 break; 1916 case IEEE80211_ELEMID_RATES: 1917 rates = frm; 1918 break; 1919 case IEEE80211_ELEMID_XRATES: 1920 xrates = frm; 1921 break; 1922 case IEEE80211_ELEMID_RSN: 1923 rsnie = frm; 1924 break; 1925 case IEEE80211_ELEMID_QOS_CAP: 1926 break; 1927 case IEEE80211_ELEMID_HTCAPS: 1928 htcaps = frm; 1929 break; 1930 case IEEE80211_ELEMID_VENDOR: 1931 if (frm[1] < 4) { 1932 ic->ic_stats.is_rx_elem_toosmall++; 1933 break; 1934 } 1935 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1936 if (frm[5] == 1) 1937 wpaie = frm; 1938 } 1939 break; 1940 } 1941 frm += 2 + frm[1]; 1942 } 1943 /* supported rates element is mandatory */ 1944 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1945 DPRINTF(("invalid supported rates element\n")); 1946 return; 1947 } 1948 /* SSID element is mandatory */ 1949 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1950 DPRINTF(("invalid SSID element\n")); 1951 return; 1952 } 1953 /* check that the specified SSID matches ours */ 1954 if (ssid[1] != ic->ic_bss->ni_esslen || 1955 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) { 1956 DPRINTF(("SSID mismatch\n")); 1957 ic->ic_stats.is_rx_ssidmismatch++; 1958 return; 1959 } 1960 1961 if (ni->ni_state != IEEE80211_STA_AUTH && 1962 ni->ni_state != IEEE80211_STA_ASSOC) { 1963 DPRINTF(("deny %sassoc from %s, not authenticated\n", 1964 reassoc ? "re" : "", 1965 ether_sprintf((u_int8_t *)wh->i_addr2))); 1966 ni = ieee80211_find_node(ic, wh->i_addr2); 1967 if (ni == NULL) 1968 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1969 if (ni != NULL) { 1970 IEEE80211_SEND_MGMT(ic, ni, 1971 IEEE80211_FC0_SUBTYPE_DEAUTH, 1972 IEEE80211_REASON_ASSOC_NOT_AUTHED); 1973 } 1974 ic->ic_stats.is_rx_assoc_notauth++; 1975 return; 1976 } 1977 1978 if (ni->ni_state == IEEE80211_STA_ASSOC && 1979 (ni->ni_flags & IEEE80211_NODE_MFP)) { 1980 if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) { 1981 /* send a protected Disassociate frame */ 1982 IEEE80211_SEND_MGMT(ic, ni, 1983 IEEE80211_FC0_SUBTYPE_DISASSOC, 1984 IEEE80211_REASON_AUTH_EXPIRE); 1985 /* terminate the old SA */ 1986 ieee80211_node_leave(ic, ni); 1987 } else { 1988 /* reject the (Re)Association Request temporarily */ 1989 IEEE80211_SEND_MGMT(ic, ni, resp, 1990 IEEE80211_STATUS_TRY_AGAIN_LATER); 1991 /* start SA Query procedure if not already engaged */ 1992 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) 1993 ieee80211_sa_query_request(ic, ni); 1994 /* do not modify association state */ 1995 } 1996 return; 1997 } 1998 1999 if (!(capinfo & IEEE80211_CAPINFO_ESS)) { 2000 ic->ic_stats.is_rx_assoc_capmismatch++; 2001 status = IEEE80211_STATUS_CAPINFO; 2002 goto end; 2003 } 2004 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2005 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2006 IEEE80211_F_DODEL); 2007 if (rate & IEEE80211_RATE_BASIC) { 2008 ic->ic_stats.is_rx_assoc_norate++; 2009 status = IEEE80211_STATUS_BASIC_RATE; 2010 goto end; 2011 } 2012 2013 if (ic->ic_flags & IEEE80211_F_RSNON) { 2014 const u_int8_t *saveie; 2015 /* 2016 * A station should never include both a WPA and an RSN IE 2017 * in its (Re)Association Requests, but if it does, we only 2018 * consider the IE of the highest version of the protocol 2019 * that is allowed (ie RSN over WPA). 2020 */ 2021 if (rsnie != NULL && 2022 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 2023 status = ieee80211_parse_rsn(ic, rsnie, &rsn); 2024 if (status != 0) 2025 goto end; 2026 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 2027 saveie = rsnie; 2028 } else if (wpaie != NULL && 2029 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 2030 status = ieee80211_parse_wpa(ic, wpaie, &rsn); 2031 if (status != 0) 2032 goto end; 2033 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 2034 saveie = wpaie; 2035 } else { 2036 /* 2037 * In an RSN, an AP shall not associate with STAs 2038 * that fail to include the RSN IE in the 2039 * (Re)Association Request. 2040 */ 2041 status = IEEE80211_STATUS_IE_INVALID; 2042 goto end; 2043 } 2044 /* 2045 * The initiating STA's RSN IE shall include one authentication 2046 * and pairwise cipher suite among those advertised by the 2047 * targeted AP. It shall also specify the group cipher suite 2048 * specified by the targeted AP. 2049 */ 2050 if (rsn.rsn_nakms != 1 || 2051 !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) { 2052 status = IEEE80211_STATUS_BAD_AKMP; 2053 goto end; 2054 } 2055 if (rsn.rsn_nciphers != 1 || 2056 !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) { 2057 status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 2058 goto end; 2059 } 2060 if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) { 2061 status = IEEE80211_STATUS_BAD_GROUP_CIPHER; 2062 goto end; 2063 } 2064 2065 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) && 2066 !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) { 2067 status = IEEE80211_STATUS_MFP_POLICY; 2068 goto end; 2069 } 2070 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 2071 (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC | 2072 IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) { 2073 /* STA advertises an invalid setting */ 2074 status = IEEE80211_STATUS_MFP_POLICY; 2075 goto end; 2076 } 2077 /* 2078 * A STA that has associated with Management Frame Protection 2079 * enabled shall not use cipher suite pairwise selector WEP40, 2080 * WEP104, TKIP, or "Use Group cipher suite". 2081 */ 2082 if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) && 2083 (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP || 2084 rsn.rsn_groupmgmtcipher != 2085 ic->ic_bss->ni_rsngroupmgmtcipher)) { 2086 status = IEEE80211_STATUS_MFP_POLICY; 2087 goto end; 2088 } 2089 2090 /* 2091 * Disallow new associations using TKIP if countermeasures 2092 * are active. 2093 */ 2094 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 2095 (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP || 2096 rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) { 2097 status = IEEE80211_STATUS_CIPHER_REJ_POLICY; 2098 goto end; 2099 } 2100 2101 /* everything looks fine, save IE and parameters */ 2102 if (ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) { 2103 status = IEEE80211_STATUS_TOOMANY; 2104 goto end; 2105 } 2106 ni->ni_rsnakms = rsn.rsn_akms; 2107 ni->ni_rsnciphers = rsn.rsn_ciphers; 2108 ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher; 2109 ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher; 2110 ni->ni_rsncaps = rsn.rsn_caps; 2111 2112 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 2113 struct ieee80211_pmk *pmk = NULL; 2114 const u_int8_t *pmkid = rsn.rsn_pmkids; 2115 /* 2116 * Check if we have a cached PMK entry matching one 2117 * of the PMKIDs specified in the RSN IE. 2118 */ 2119 while (rsn.rsn_npmkids-- > 0) { 2120 pmk = ieee80211_pmksa_find(ic, ni, pmkid); 2121 if (pmk != NULL) 2122 break; 2123 pmkid += IEEE80211_PMKID_LEN; 2124 } 2125 if (pmk != NULL) { 2126 memcpy(ni->ni_pmk, pmk->pmk_key, 2127 IEEE80211_PMK_LEN); 2128 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 2129 IEEE80211_PMKID_LEN); 2130 ni->ni_flags |= IEEE80211_NODE_PMK; 2131 } 2132 } 2133 } else 2134 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2135 2136 ni->ni_rssi = rxi->rxi_rssi; 2137 ni->ni_rstamp = rxi->rxi_tstamp; 2138 ni->ni_intval = bintval; 2139 ni->ni_capinfo = capinfo; 2140 ni->ni_chan = ic->ic_bss->ni_chan; 2141 if (htcaps) 2142 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2143 end: 2144 if (status != 0) { 2145 IEEE80211_SEND_MGMT(ic, ni, resp, status); 2146 ieee80211_node_leave(ic, ni); 2147 } else 2148 ieee80211_node_join(ic, ni, resp); 2149 } 2150 #endif /* IEEE80211_STA_ONLY */ 2151 2152 /*- 2153 * (Re)Association response frame format: 2154 * [2] Capability information 2155 * [2] Status code 2156 * [2] Association ID (AID) 2157 * [tlv] Supported rates 2158 * [tlv] Extended Supported Rates (802.11g) 2159 * [tlv] EDCA Parameter Set (802.11e) 2160 * [tlv] HT Capabilities (802.11n) 2161 * [tlv] HT Operation (802.11n) 2162 */ 2163 void 2164 ieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m, 2165 struct ieee80211_node *ni, int reassoc) 2166 { 2167 struct ifnet *ifp = &ic->ic_if; 2168 const struct ieee80211_frame *wh; 2169 const u_int8_t *frm, *efrm; 2170 const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop; 2171 u_int16_t capinfo, status, associd; 2172 u_int8_t rate; 2173 2174 if (ic->ic_opmode != IEEE80211_M_STA || 2175 ic->ic_state != IEEE80211_S_ASSOC) { 2176 ic->ic_stats.is_rx_mgtdiscard++; 2177 return; 2178 } 2179 2180 /* make sure all mandatory fixed fields are present */ 2181 if (m->m_len < sizeof(*wh) + 6) { 2182 DPRINTF(("frame too short\n")); 2183 return; 2184 } 2185 wh = mtod(m, struct ieee80211_frame *); 2186 frm = (const u_int8_t *)&wh[1]; 2187 efrm = mtod(m, u_int8_t *) + m->m_len; 2188 2189 capinfo = LE_READ_2(frm); frm += 2; 2190 status = LE_READ_2(frm); frm += 2; 2191 if (status != IEEE80211_STATUS_SUCCESS) { 2192 if (ifp->if_flags & IFF_DEBUG) 2193 printf("%s: %sassociation failed (status %d)" 2194 " for %s\n", ifp->if_xname, 2195 reassoc ? "re" : "", 2196 status, ether_sprintf((u_int8_t *)wh->i_addr3)); 2197 if (ni != ic->ic_bss) 2198 ni->ni_fails++; 2199 ic->ic_stats.is_rx_auth_fail++; 2200 return; 2201 } 2202 associd = LE_READ_2(frm); frm += 2; 2203 2204 rates = xrates = edcaie = wmmie = htcaps = htop = NULL; 2205 while (frm + 2 <= efrm) { 2206 if (frm + 2 + frm[1] > efrm) { 2207 ic->ic_stats.is_rx_elem_toosmall++; 2208 break; 2209 } 2210 switch (frm[0]) { 2211 case IEEE80211_ELEMID_RATES: 2212 rates = frm; 2213 break; 2214 case IEEE80211_ELEMID_XRATES: 2215 xrates = frm; 2216 break; 2217 case IEEE80211_ELEMID_EDCAPARMS: 2218 edcaie = frm; 2219 break; 2220 case IEEE80211_ELEMID_HTCAPS: 2221 htcaps = frm; 2222 break; 2223 case IEEE80211_ELEMID_HTOP: 2224 htop = frm; 2225 break; 2226 case IEEE80211_ELEMID_VENDOR: 2227 if (frm[1] < 4) { 2228 ic->ic_stats.is_rx_elem_toosmall++; 2229 break; 2230 } 2231 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2232 if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1) 2233 wmmie = frm; 2234 } 2235 break; 2236 } 2237 frm += 2 + frm[1]; 2238 } 2239 /* supported rates element is mandatory */ 2240 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2241 DPRINTF(("invalid supported rates element\n")); 2242 return; 2243 } 2244 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2245 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2246 IEEE80211_F_DODEL); 2247 if (rate & IEEE80211_RATE_BASIC) { 2248 DPRINTF(("rate mismatch for %s\n", 2249 ether_sprintf((u_int8_t *)wh->i_addr2))); 2250 ic->ic_stats.is_rx_assoc_norate++; 2251 return; 2252 } 2253 ni->ni_capinfo = capinfo; 2254 ni->ni_associd = associd; 2255 if (edcaie != NULL || wmmie != NULL) { 2256 /* force update of EDCA parameters */ 2257 ic->ic_edca_updtcount = -1; 2258 2259 if ((edcaie != NULL && 2260 ieee80211_parse_edca_params(ic, edcaie) == 0) || 2261 (wmmie != NULL && 2262 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 2263 ni->ni_flags |= IEEE80211_NODE_QOS; 2264 else /* for Reassociation */ 2265 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2266 } 2267 if (htcaps) 2268 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2269 if (htop) 2270 ieee80211_setup_htop(ni, htop + 2, htop[1]); 2271 ieee80211_ht_negotiate(ic, ni); 2272 2273 /* Hop into 11n mode after associating to an HT AP in a non-11n mode. */ 2274 if (ni->ni_flags & IEEE80211_NODE_HT) 2275 ieee80211_setmode(ic, IEEE80211_MODE_11N); 2276 else 2277 ieee80211_setmode(ic, ieee80211_chan2mode(ic, ni->ni_chan)); 2278 /* 2279 * Reset the erp state (mostly the slot time) now that 2280 * our operating mode has been nailed down. 2281 */ 2282 ieee80211_reset_erp(ic); 2283 2284 /* 2285 * Configure state now that we are associated. 2286 */ 2287 if (ic->ic_curmode == IEEE80211_MODE_11A || 2288 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 2289 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2290 else 2291 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2292 2293 ieee80211_set_shortslottime(ic, 2294 ic->ic_curmode == IEEE80211_MODE_11A || 2295 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2296 /* 2297 * Honor ERP protection. 2298 */ 2299 if ((ic->ic_curmode == IEEE80211_MODE_11G || 2300 (ic->ic_curmode == IEEE80211_MODE_11N && 2301 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 2302 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2303 ic->ic_flags |= IEEE80211_F_USEPROT; 2304 else 2305 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2306 /* 2307 * If not an RSNA, mark the port as valid, otherwise wait for 2308 * 802.1X authentication and 4-way handshake to complete.. 2309 */ 2310 if (ic->ic_flags & IEEE80211_F_RSNON) { 2311 /* XXX ic->ic_mgt_timer = 5; */ 2312 } else if (ic->ic_flags & IEEE80211_F_WEPON) 2313 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 2314 2315 ieee80211_new_state(ic, IEEE80211_S_RUN, 2316 IEEE80211_FC0_SUBTYPE_ASSOC_RESP); 2317 } 2318 2319 /*- 2320 * Deauthentication frame format: 2321 * [2] Reason code 2322 */ 2323 void 2324 ieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m, 2325 struct ieee80211_node *ni) 2326 { 2327 const struct ieee80211_frame *wh; 2328 const u_int8_t *frm; 2329 u_int16_t reason; 2330 2331 /* make sure all mandatory fixed fields are present */ 2332 if (m->m_len < sizeof(*wh) + 2) { 2333 DPRINTF(("frame too short\n")); 2334 return; 2335 } 2336 wh = mtod(m, struct ieee80211_frame *); 2337 frm = (const u_int8_t *)&wh[1]; 2338 2339 reason = LE_READ_2(frm); 2340 2341 ic->ic_stats.is_rx_deauth++; 2342 switch (ic->ic_opmode) { 2343 case IEEE80211_M_STA: 2344 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2345 IEEE80211_FC0_SUBTYPE_DEAUTH); 2346 break; 2347 #ifndef IEEE80211_STA_ONLY 2348 case IEEE80211_M_HOSTAP: 2349 if (ni != ic->ic_bss) { 2350 if (ic->ic_if.if_flags & IFF_DEBUG) 2351 printf("%s: station %s deauthenticated " 2352 "by peer (reason %d)\n", 2353 ic->ic_if.if_xname, 2354 ether_sprintf(ni->ni_macaddr), 2355 reason); 2356 ieee80211_node_leave(ic, ni); 2357 } 2358 break; 2359 #endif 2360 default: 2361 break; 2362 } 2363 } 2364 2365 /*- 2366 * Disassociation frame format: 2367 * [2] Reason code 2368 */ 2369 void 2370 ieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m, 2371 struct ieee80211_node *ni) 2372 { 2373 const struct ieee80211_frame *wh; 2374 const u_int8_t *frm; 2375 u_int16_t reason; 2376 2377 /* make sure all mandatory fixed fields are present */ 2378 if (m->m_len < sizeof(*wh) + 2) { 2379 DPRINTF(("frame too short\n")); 2380 return; 2381 } 2382 wh = mtod(m, struct ieee80211_frame *); 2383 frm = (const u_int8_t *)&wh[1]; 2384 2385 reason = LE_READ_2(frm); 2386 2387 ic->ic_stats.is_rx_disassoc++; 2388 switch (ic->ic_opmode) { 2389 case IEEE80211_M_STA: 2390 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2391 IEEE80211_FC0_SUBTYPE_DISASSOC); 2392 break; 2393 #ifndef IEEE80211_STA_ONLY 2394 case IEEE80211_M_HOSTAP: 2395 if (ni != ic->ic_bss) { 2396 if (ic->ic_if.if_flags & IFF_DEBUG) 2397 printf("%s: station %s disassociated " 2398 "by peer (reason %d)\n", 2399 ic->ic_if.if_xname, 2400 ether_sprintf(ni->ni_macaddr), 2401 reason); 2402 ieee80211_node_leave(ic, ni); 2403 } 2404 break; 2405 #endif 2406 default: 2407 break; 2408 } 2409 } 2410 2411 /*- 2412 * ADDBA Request frame format: 2413 * [1] Category 2414 * [1] Action 2415 * [1] Dialog Token 2416 * [2] Block Ack Parameter Set 2417 * [2] Block Ack Timeout Value 2418 * [2] Block Ack Starting Sequence Control 2419 */ 2420 void 2421 ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m, 2422 struct ieee80211_node *ni) 2423 { 2424 const struct ieee80211_frame *wh; 2425 const u_int8_t *frm; 2426 struct ieee80211_rx_ba *ba; 2427 u_int16_t params, ssn, bufsz, timeout, status; 2428 u_int8_t token, tid; 2429 2430 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2431 DPRINTF(("received ADDBA req from non-HT STA %s\n", 2432 ether_sprintf(ni->ni_macaddr))); 2433 return; 2434 } 2435 if (m->m_len < sizeof(*wh) + 9) { 2436 DPRINTF(("frame too short\n")); 2437 return; 2438 } 2439 /* MLME-ADDBA.indication */ 2440 wh = mtod(m, struct ieee80211_frame *); 2441 frm = (const u_int8_t *)&wh[1]; 2442 2443 token = frm[2]; 2444 params = LE_READ_2(&frm[3]); 2445 tid = ((params & IEEE80211_ADDBA_TID_MASK) >> 2446 IEEE80211_ADDBA_TID_SHIFT); 2447 bufsz = (params & IEEE80211_ADDBA_BUFSZ_MASK) >> 2448 IEEE80211_ADDBA_BUFSZ_SHIFT; 2449 timeout = LE_READ_2(&frm[5]); 2450 ssn = LE_READ_2(&frm[7]) >> 4; 2451 2452 ba = &ni->ni_rx_ba[tid]; 2453 /* check if we already have a Block Ack agreement for this RA/TID */ 2454 if (ba->ba_state == IEEE80211_BA_AGREED) { 2455 /* XXX should we update the timeout value? */ 2456 /* reset Block Ack inactivity timer */ 2457 if (ba->ba_timeout_val != 0) 2458 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2459 2460 /* check if it's a Protected Block Ack agreement */ 2461 if (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2462 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) 2463 return; /* not a PBAC, ignore */ 2464 2465 /* PBAC: treat the ADDBA Request like a BlockAckReq */ 2466 if (SEQ_LT(ba->ba_winstart, ssn)) 2467 ieee80211_ba_move_window(ic, ni, tid, ssn); 2468 return; 2469 } 2470 /* if PBAC required but RA does not support it, refuse request */ 2471 if ((ic->ic_flags & IEEE80211_F_PBAR) && 2472 (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2473 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))) { 2474 status = IEEE80211_STATUS_REFUSED; 2475 goto resp; 2476 } 2477 /* 2478 * If the TID for which the Block Ack agreement is requested is 2479 * configured with a no-ACK policy, refuse the agreement. 2480 */ 2481 if (ic->ic_tid_noack & (1 << tid)) { 2482 status = IEEE80211_STATUS_REFUSED; 2483 goto resp; 2484 } 2485 /* check that we support the requested Block Ack Policy */ 2486 if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) && 2487 !(params & IEEE80211_ADDBA_BA_POLICY)) { 2488 status = IEEE80211_STATUS_INVALID_PARAM; 2489 goto resp; 2490 } 2491 2492 /* setup Block Ack agreement */ 2493 ba->ba_state = IEEE80211_BA_INIT; 2494 ba->ba_timeout_val = timeout * IEEE80211_DUR_TU; 2495 ba->ba_ni = ni; 2496 timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba); 2497 timeout_set(&ba->ba_gap_to, ieee80211_input_ba_gap_timeout, ba); 2498 ba->ba_winsize = bufsz; 2499 if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ) 2500 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 2501 ba->ba_params = (params & IEEE80211_ADDBA_BA_POLICY); 2502 ba->ba_params |= ((ba->ba_winsize << IEEE80211_ADDBA_BUFSZ_SHIFT) | 2503 (tid << IEEE80211_ADDBA_TID_SHIFT) | IEEE80211_ADDBA_AMSDU); 2504 ba->ba_winstart = ssn; 2505 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 2506 /* allocate and setup our reordering buffer */ 2507 ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf), 2508 M_DEVBUF, M_NOWAIT | M_ZERO); 2509 if (ba->ba_buf == NULL) { 2510 status = IEEE80211_STATUS_REFUSED; 2511 goto resp; 2512 } 2513 ba->ba_head = 0; 2514 2515 /* notify drivers of this new Block Ack agreement */ 2516 if (ic->ic_ampdu_rx_start == NULL || 2517 ic->ic_ampdu_rx_start(ic, ni, tid) != 0) { 2518 /* driver failed to setup, rollback */ 2519 free(ba->ba_buf, M_DEVBUF, 0); 2520 ba->ba_buf = NULL; 2521 status = IEEE80211_STATUS_REFUSED; 2522 goto resp; 2523 } 2524 ba->ba_state = IEEE80211_BA_AGREED; 2525 ic->ic_stats.is_ht_rx_ba_agreements++; 2526 /* start Block Ack inactivity timer */ 2527 if (ba->ba_timeout_val != 0) 2528 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2529 status = IEEE80211_STATUS_SUCCESS; 2530 resp: 2531 /* MLME-ADDBA.response */ 2532 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2533 IEEE80211_ACTION_ADDBA_RESP, status << 16 | token << 8 | tid); 2534 } 2535 2536 /*- 2537 * ADDBA Response frame format: 2538 * [1] Category 2539 * [1] Action 2540 * [1] Dialog Token 2541 * [2] Status Code 2542 * [2] Block Ack Parameter Set 2543 * [2] Block Ack Timeout Value 2544 */ 2545 void 2546 ieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m, 2547 struct ieee80211_node *ni) 2548 { 2549 const struct ieee80211_frame *wh; 2550 const u_int8_t *frm; 2551 struct ieee80211_tx_ba *ba; 2552 u_int16_t status, params, bufsz, timeout; 2553 u_int8_t token, tid; 2554 2555 if (m->m_len < sizeof(*wh) + 9) { 2556 DPRINTF(("frame too short\n")); 2557 return; 2558 } 2559 wh = mtod(m, struct ieee80211_frame *); 2560 frm = (const u_int8_t *)&wh[1]; 2561 2562 token = frm[2]; 2563 status = LE_READ_2(&frm[3]); 2564 params = LE_READ_2(&frm[5]); 2565 tid = (params >> 2) & 0xf; 2566 bufsz = (params >> 6) & 0x3ff; 2567 timeout = LE_READ_2(&frm[7]); 2568 2569 DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n", 2570 ether_sprintf(ni->ni_macaddr), tid, status)); 2571 2572 /* 2573 * Ignore if no ADDBA request has been sent for this RA/TID or 2574 * if we already have a Block Ack agreement. 2575 */ 2576 ba = &ni->ni_tx_ba[tid]; 2577 if (ba->ba_state != IEEE80211_BA_REQUESTED) { 2578 DPRINTF(("no matching ADDBA req found\n")); 2579 return; 2580 } 2581 if (token != ba->ba_token) { 2582 DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n", 2583 ether_sprintf(ni->ni_macaddr), token, ba->ba_token)); 2584 return; 2585 } 2586 /* we got an ADDBA Response matching our request, stop timeout */ 2587 timeout_del(&ba->ba_to); 2588 2589 if (status != IEEE80211_STATUS_SUCCESS) { 2590 /* MLME-ADDBA.confirm(Failure) */ 2591 ba->ba_state = IEEE80211_BA_INIT; 2592 return; 2593 } 2594 /* MLME-ADDBA.confirm(Success) */ 2595 ba->ba_state = IEEE80211_BA_AGREED; 2596 ic->ic_stats.is_ht_tx_ba_agreements++; 2597 2598 /* notify drivers of this new Block Ack agreement */ 2599 if (ic->ic_ampdu_tx_start != NULL) 2600 (void)ic->ic_ampdu_tx_start(ic, ni, tid); 2601 2602 /* start Block Ack inactivity timeout */ 2603 if (ba->ba_timeout_val != 0) 2604 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2605 } 2606 2607 /*- 2608 * DELBA frame format: 2609 * [1] Category 2610 * [1] Action 2611 * [2] DELBA Parameter Set 2612 * [2] Reason Code 2613 */ 2614 void 2615 ieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m, 2616 struct ieee80211_node *ni) 2617 { 2618 const struct ieee80211_frame *wh; 2619 const u_int8_t *frm; 2620 u_int16_t params, reason; 2621 u_int8_t tid; 2622 int i; 2623 2624 if (m->m_len < sizeof(*wh) + 6) { 2625 DPRINTF(("frame too short\n")); 2626 return; 2627 } 2628 wh = mtod(m, struct ieee80211_frame *); 2629 frm = (const u_int8_t *)&wh[1]; 2630 2631 params = LE_READ_2(&frm[2]); 2632 reason = LE_READ_2(&frm[4]); 2633 tid = params >> 12; 2634 2635 DPRINTF(("received DELBA from %s, TID %d, reason %d\n", 2636 ether_sprintf(ni->ni_macaddr), tid, reason)); 2637 2638 if (params & IEEE80211_DELBA_INITIATOR) { 2639 /* MLME-DELBA.indication(Originator) */ 2640 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2641 2642 if (ba->ba_state != IEEE80211_BA_AGREED) { 2643 DPRINTF(("no matching Block Ack agreement\n")); 2644 return; 2645 } 2646 /* notify drivers of the end of the Block Ack agreement */ 2647 if (ic->ic_ampdu_rx_stop != NULL) 2648 ic->ic_ampdu_rx_stop(ic, ni, tid); 2649 2650 ba->ba_state = IEEE80211_BA_INIT; 2651 /* stop Block Ack inactivity timer */ 2652 timeout_del(&ba->ba_to); 2653 timeout_del(&ba->ba_gap_to); 2654 2655 if (ba->ba_buf != NULL) { 2656 /* free all MSDUs stored in reordering buffer */ 2657 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 2658 m_freem(ba->ba_buf[i].m); 2659 /* free reordering buffer */ 2660 free(ba->ba_buf, M_DEVBUF, 0); 2661 ba->ba_buf = NULL; 2662 } 2663 } else { 2664 /* MLME-DELBA.indication(Recipient) */ 2665 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 2666 2667 if (ba->ba_state != IEEE80211_BA_AGREED) { 2668 DPRINTF(("no matching Block Ack agreement\n")); 2669 return; 2670 } 2671 /* notify drivers of the end of the Block Ack agreement */ 2672 if (ic->ic_ampdu_tx_stop != NULL) 2673 ic->ic_ampdu_tx_stop(ic, ni, tid); 2674 2675 ba->ba_state = IEEE80211_BA_INIT; 2676 /* stop Block Ack inactivity timer */ 2677 timeout_del(&ba->ba_to); 2678 } 2679 } 2680 2681 /*- 2682 * SA Query Request frame format: 2683 * [1] Category 2684 * [1] Action 2685 * [2] Transaction Identifier 2686 */ 2687 void 2688 ieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m, 2689 struct ieee80211_node *ni) 2690 { 2691 const struct ieee80211_frame *wh; 2692 const u_int8_t *frm; 2693 2694 if (ic->ic_opmode != IEEE80211_M_STA || 2695 !(ni->ni_flags & IEEE80211_NODE_MFP)) { 2696 DPRINTF(("unexpected SA Query req from %s\n", 2697 ether_sprintf(ni->ni_macaddr))); 2698 return; 2699 } 2700 if (m->m_len < sizeof(*wh) + 4) { 2701 DPRINTF(("frame too short\n")); 2702 return; 2703 } 2704 wh = mtod(m, struct ieee80211_frame *); 2705 frm = (const u_int8_t *)&wh[1]; 2706 2707 /* MLME-SAQuery.indication */ 2708 2709 /* save Transaction Identifier for SA Query Response */ 2710 ni->ni_sa_query_trid = LE_READ_2(&frm[2]); 2711 2712 /* MLME-SAQuery.response */ 2713 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 2714 IEEE80211_ACTION_SA_QUERY_RESP, 0); 2715 } 2716 2717 #ifndef IEEE80211_STA_ONLY 2718 /*- 2719 * SA Query Response frame format: 2720 * [1] Category 2721 * [1] Action 2722 * [2] Transaction Identifier 2723 */ 2724 void 2725 ieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m, 2726 struct ieee80211_node *ni) 2727 { 2728 const struct ieee80211_frame *wh; 2729 const u_int8_t *frm; 2730 2731 /* ignore if we're not engaged in an SA Query with that STA */ 2732 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 2733 DPRINTF(("unexpected SA Query resp from %s\n", 2734 ether_sprintf(ni->ni_macaddr))); 2735 return; 2736 } 2737 if (m->m_len < sizeof(*wh) + 4) { 2738 DPRINTF(("frame too short\n")); 2739 return; 2740 } 2741 wh = mtod(m, struct ieee80211_frame *); 2742 frm = (const u_int8_t *)&wh[1]; 2743 2744 /* check that Transaction Identifier matches */ 2745 if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) { 2746 DPRINTF(("transaction identifier does not match\n")); 2747 return; 2748 } 2749 /* MLME-SAQuery.confirm */ 2750 timeout_del(&ni->ni_sa_query_to); 2751 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 2752 } 2753 #endif 2754 2755 /*- 2756 * Action frame format: 2757 * [1] Category 2758 * [1] Action 2759 */ 2760 void 2761 ieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m, 2762 struct ieee80211_node *ni) 2763 { 2764 const struct ieee80211_frame *wh; 2765 const u_int8_t *frm; 2766 2767 if (m->m_len < sizeof(*wh) + 2) { 2768 DPRINTF(("frame too short\n")); 2769 return; 2770 } 2771 wh = mtod(m, struct ieee80211_frame *); 2772 frm = (const u_int8_t *)&wh[1]; 2773 2774 switch (frm[0]) { 2775 case IEEE80211_CATEG_BA: 2776 switch (frm[1]) { 2777 case IEEE80211_ACTION_ADDBA_REQ: 2778 ieee80211_recv_addba_req(ic, m, ni); 2779 break; 2780 case IEEE80211_ACTION_ADDBA_RESP: 2781 ieee80211_recv_addba_resp(ic, m, ni); 2782 break; 2783 case IEEE80211_ACTION_DELBA: 2784 ieee80211_recv_delba(ic, m, ni); 2785 break; 2786 } 2787 break; 2788 case IEEE80211_CATEG_SA_QUERY: 2789 switch (frm[1]) { 2790 case IEEE80211_ACTION_SA_QUERY_REQ: 2791 ieee80211_recv_sa_query_req(ic, m, ni); 2792 break; 2793 #ifndef IEEE80211_STA_ONLY 2794 case IEEE80211_ACTION_SA_QUERY_RESP: 2795 ieee80211_recv_sa_query_resp(ic, m, ni); 2796 break; 2797 #endif 2798 } 2799 break; 2800 default: 2801 DPRINTF(("action frame category %d not handled\n", frm[0])); 2802 break; 2803 } 2804 } 2805 2806 void 2807 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m, 2808 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype) 2809 { 2810 switch (subtype) { 2811 case IEEE80211_FC0_SUBTYPE_BEACON: 2812 ieee80211_recv_probe_resp(ic, m, ni, rxi, 0); 2813 break; 2814 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 2815 ieee80211_recv_probe_resp(ic, m, ni, rxi, 1); 2816 break; 2817 #ifndef IEEE80211_STA_ONLY 2818 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2819 ieee80211_recv_probe_req(ic, m, ni, rxi); 2820 break; 2821 #endif 2822 case IEEE80211_FC0_SUBTYPE_AUTH: 2823 ieee80211_recv_auth(ic, m, ni, rxi); 2824 break; 2825 #ifndef IEEE80211_STA_ONLY 2826 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2827 ieee80211_recv_assoc_req(ic, m, ni, rxi, 0); 2828 break; 2829 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 2830 ieee80211_recv_assoc_req(ic, m, ni, rxi, 1); 2831 break; 2832 #endif 2833 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2834 ieee80211_recv_assoc_resp(ic, m, ni, 0); 2835 break; 2836 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2837 ieee80211_recv_assoc_resp(ic, m, ni, 1); 2838 break; 2839 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2840 ieee80211_recv_deauth(ic, m, ni); 2841 break; 2842 case IEEE80211_FC0_SUBTYPE_DISASSOC: 2843 ieee80211_recv_disassoc(ic, m, ni); 2844 break; 2845 case IEEE80211_FC0_SUBTYPE_ACTION: 2846 ieee80211_recv_action(ic, m, ni); 2847 break; 2848 default: 2849 DPRINTF(("mgmt frame with subtype 0x%x not handled\n", 2850 subtype)); 2851 ic->ic_stats.is_rx_badsubtype++; 2852 break; 2853 } 2854 } 2855 2856 #ifndef IEEE80211_STA_ONLY 2857 /* 2858 * Process an incoming PS-Poll control frame (see 11.2). 2859 */ 2860 void 2861 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m, 2862 struct ieee80211_node *ni) 2863 { 2864 struct ifnet *ifp = &ic->ic_if; 2865 struct ieee80211_frame_pspoll *psp; 2866 struct ieee80211_frame *wh; 2867 u_int16_t aid; 2868 2869 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2870 !(ic->ic_caps & IEEE80211_C_APPMGT) || 2871 ni->ni_state != IEEE80211_STA_ASSOC) 2872 return; 2873 2874 if (m->m_len < sizeof(*psp)) { 2875 DPRINTF(("frame too short, len %u\n", m->m_len)); 2876 ic->ic_stats.is_rx_tooshort++; 2877 return; 2878 } 2879 psp = mtod(m, struct ieee80211_frame_pspoll *); 2880 if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) { 2881 DPRINTF(("discard pspoll frame to BSS %s\n", 2882 ether_sprintf(psp->i_bssid))); 2883 ic->ic_stats.is_rx_wrongbss++; 2884 return; 2885 } 2886 aid = letoh16(*(u_int16_t *)psp->i_aid); 2887 if (aid != ni->ni_associd) { 2888 DPRINTF(("invalid pspoll aid %x from %s\n", aid, 2889 ether_sprintf(psp->i_ta))); 2890 return; 2891 } 2892 2893 /* take the first queued frame and put it out.. */ 2894 m = mq_dequeue(&ni->ni_savedq); 2895 if (m == NULL) 2896 return; 2897 if (mq_empty(&ni->ni_savedq)) { 2898 /* last queued frame, turn off the TIM bit */ 2899 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 2900 } else { 2901 /* more queued frames, set the more data bit */ 2902 wh = mtod(m, struct ieee80211_frame *); 2903 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 2904 } 2905 mq_enqueue(&ic->ic_pwrsaveq, m); 2906 if_start(ifp); 2907 } 2908 #endif /* IEEE80211_STA_ONLY */ 2909 2910 /* 2911 * Process an incoming BlockAckReq control frame (see 7.2.1.7). 2912 */ 2913 void 2914 ieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m, 2915 struct ieee80211_node *ni) 2916 { 2917 const struct ieee80211_frame_min *wh; 2918 const u_int8_t *frm; 2919 u_int16_t ctl, ssn; 2920 u_int8_t tid, ntids; 2921 2922 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2923 DPRINTF(("received BlockAckReq from non-HT STA %s\n", 2924 ether_sprintf(ni->ni_macaddr))); 2925 return; 2926 } 2927 if (m->m_len < sizeof(*wh) + 4) { 2928 DPRINTF(("frame too short\n")); 2929 return; 2930 } 2931 wh = mtod(m, struct ieee80211_frame_min *); 2932 frm = (const u_int8_t *)&wh[1]; 2933 2934 /* read BlockAckReq Control field */ 2935 ctl = LE_READ_2(&frm[0]); 2936 tid = ctl >> 12; 2937 2938 /* determine BlockAckReq frame variant */ 2939 if (ctl & IEEE80211_BA_MULTI_TID) { 2940 /* Multi-TID BlockAckReq variant (PSMP only) */ 2941 ntids = tid + 1; 2942 2943 if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) { 2944 DPRINTF(("MTBAR frame too short\n")); 2945 return; 2946 } 2947 frm += 2; /* skip BlockAckReq Control field */ 2948 while (ntids-- > 0) { 2949 /* read MTBAR Information field */ 2950 tid = LE_READ_2(&frm[0]) >> 12; 2951 ssn = LE_READ_2(&frm[2]) >> 4; 2952 ieee80211_bar_tid(ic, ni, tid, ssn); 2953 frm += 4; 2954 } 2955 } else { 2956 /* Basic or Compressed BlockAckReq variants */ 2957 ssn = LE_READ_2(&frm[2]) >> 4; 2958 ieee80211_bar_tid(ic, ni, tid, ssn); 2959 } 2960 } 2961 2962 /* 2963 * Process a BlockAckReq for a specific TID (see 9.10.7.6.3). 2964 * This is the common back-end for all BlockAckReq frame variants. 2965 */ 2966 void 2967 ieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni, 2968 u_int8_t tid, u_int16_t ssn) 2969 { 2970 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2971 2972 /* check if we have a Block Ack agreement for RA/TID */ 2973 if (ba->ba_state != IEEE80211_BA_AGREED) { 2974 /* XXX not sure in PBAC case */ 2975 /* send a DELBA with reason code UNKNOWN-BA */ 2976 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2977 IEEE80211_ACTION_DELBA, 2978 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 2979 return; 2980 } 2981 /* check if it is a Protected Block Ack agreement */ 2982 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 2983 (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) { 2984 /* ADDBA Requests must be used in PBAC case */ 2985 if (SEQ_LT(ssn, ba->ba_winstart) || 2986 SEQ_LT(ba->ba_winend, ssn)) 2987 ic->ic_stats.is_pbac_errs++; 2988 return; /* PBAC, do not move window */ 2989 } 2990 /* reset Block Ack inactivity timer */ 2991 if (ba->ba_timeout_val != 0) 2992 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2993 2994 if (SEQ_LT(ba->ba_winstart, ssn)) 2995 ieee80211_ba_move_window(ic, ni, tid, ssn); 2996 } 2997