1 /* $OpenBSD: ieee80211_input.c,v 1.178 2016/05/18 08:15:28 stsp Exp $ */ 2 3 /*- 4 * Copyright (c) 2001 Atsushi Onoe 5 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 6 * Copyright (c) 2007-2009 Damien Bergamini 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of the author may not be used to endorse or promote products 18 * derived from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include "bpfilter.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 #include <sys/socket.h> 40 #include <sys/sockio.h> 41 #include <sys/endian.h> 42 #include <sys/errno.h> 43 #include <sys/sysctl.h> 44 #include <sys/task.h> 45 46 #include <net/if.h> 47 #include <net/if_dl.h> 48 #include <net/if_media.h> 49 #include <net/if_llc.h> 50 51 #if NBPFILTER > 0 52 #include <net/bpf.h> 53 #endif 54 55 #include <netinet/in.h> 56 #include <netinet/if_ether.h> 57 58 #include <net80211/ieee80211_var.h> 59 #include <net80211/ieee80211_priv.h> 60 61 struct mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int); 62 void ieee80211_defrag_timeout(void *); 63 void ieee80211_input_ba(struct ieee80211com *, struct mbuf *, 64 struct ieee80211_node *, int, struct ieee80211_rxinfo *); 65 void ieee80211_input_ba_flush(struct ieee80211com *, struct ieee80211_node *, 66 struct ieee80211_rx_ba *); 67 void ieee80211_input_ba_gap_timeout(void *arg); 68 void ieee80211_ba_move_window(struct ieee80211com *, 69 struct ieee80211_node *, u_int8_t, u_int16_t); 70 void ieee80211_input_ba_seq(struct ieee80211com *, 71 struct ieee80211_node *, uint8_t, uint16_t); 72 struct mbuf *ieee80211_align_mbuf(struct mbuf *); 73 void ieee80211_decap(struct ieee80211com *, struct mbuf *, 74 struct ieee80211_node *, int); 75 void ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *, 76 struct ieee80211_node *, int); 77 void ieee80211_deliver_data(struct ieee80211com *, struct mbuf *, 78 struct ieee80211_node *); 79 int ieee80211_parse_edca_params_body(struct ieee80211com *, 80 const u_int8_t *); 81 int ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *); 82 int ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *); 83 enum ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t[]); 84 enum ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t[]); 85 int ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *, 86 u_int, struct ieee80211_rsnparams *); 87 int ieee80211_save_ie(const u_int8_t *, u_int8_t **); 88 void ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *, 89 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 90 #ifndef IEEE80211_STA_ONLY 91 void ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *, 92 struct ieee80211_node *, struct ieee80211_rxinfo *); 93 #endif 94 void ieee80211_recv_auth(struct ieee80211com *, struct mbuf *, 95 struct ieee80211_node *, struct ieee80211_rxinfo *); 96 #ifndef IEEE80211_STA_ONLY 97 void ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *, 98 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 99 #endif 100 void ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *, 101 struct ieee80211_node *, int); 102 void ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *, 103 struct ieee80211_node *); 104 void ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *, 105 struct ieee80211_node *); 106 void ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *, 107 struct ieee80211_node *); 108 void ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *, 109 struct ieee80211_node *); 110 void ieee80211_recv_delba(struct ieee80211com *, struct mbuf *, 111 struct ieee80211_node *); 112 void ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *, 113 struct ieee80211_node *); 114 #ifndef IEEE80211_STA_ONLY 115 void ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *, 116 struct ieee80211_node *); 117 #endif 118 void ieee80211_recv_action(struct ieee80211com *, struct mbuf *, 119 struct ieee80211_node *); 120 #ifndef IEEE80211_STA_ONLY 121 void ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *, 122 struct ieee80211_node *); 123 #endif 124 void ieee80211_recv_bar(struct ieee80211com *, struct mbuf *, 125 struct ieee80211_node *); 126 void ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *, 127 u_int8_t, u_int16_t); 128 void ieee80211_input_print(struct ieee80211com *, struct ifnet *, 129 struct ieee80211_frame *, struct ieee80211_rxinfo *); 130 void ieee80211_input_print_task(void *); 131 132 struct ieee80211printmsg { 133 struct task task; 134 char text[512]; 135 }; 136 137 /* 138 * Retrieve the length in bytes of an 802.11 header. 139 */ 140 u_int 141 ieee80211_get_hdrlen(const struct ieee80211_frame *wh) 142 { 143 u_int size = sizeof(*wh); 144 145 /* NB: does not work with control frames */ 146 KASSERT(ieee80211_has_seq(wh)); 147 148 if (ieee80211_has_addr4(wh)) 149 size += IEEE80211_ADDR_LEN; /* i_addr4 */ 150 if (ieee80211_has_qos(wh)) 151 size += sizeof(u_int16_t); /* i_qos */ 152 if (ieee80211_has_htc(wh)) 153 size += sizeof(u_int32_t); /* i_ht */ 154 return size; 155 } 156 157 /* 158 * Work queue task that prints a received frame. Avoids printf() from 159 * interrupt context at IPL_NET making slow machines unusable when many 160 * frames are received and the interface is put in debug mode. 161 */ 162 void 163 ieee80211_input_print_task(void *arg1) 164 { 165 struct ieee80211printmsg *msg = arg1; 166 167 printf("%s", msg->text); 168 free(msg, M_DEVBUF, 0); 169 } 170 171 void 172 ieee80211_input_print(struct ieee80211com *ic, struct ifnet *ifp, 173 struct ieee80211_frame *wh, struct ieee80211_rxinfo *rxi) 174 { 175 int doprint; 176 struct ieee80211printmsg *msg; 177 u_int8_t subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 178 179 /* avoid printing too many frames */ 180 doprint = 0; 181 switch (subtype) { 182 case IEEE80211_FC0_SUBTYPE_BEACON: 183 if (ic->ic_state == IEEE80211_S_SCAN) 184 doprint = 1; 185 break; 186 #ifndef IEEE80211_STA_ONLY 187 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 188 if (ic->ic_opmode == IEEE80211_M_IBSS) 189 doprint = 1; 190 break; 191 #endif 192 default: 193 doprint = 1; 194 break; 195 } 196 #ifdef IEEE80211_DEBUG 197 doprint += (ieee80211_debug > 1); 198 #endif 199 if (!doprint) 200 return; 201 202 msg = malloc(sizeof(*msg), M_DEVBUF, M_NOWAIT); 203 if (msg == NULL) 204 return; 205 206 snprintf(msg->text, sizeof(msg->text), 207 "%s: received %s from %s rssi %d mode %s\n", ifp->if_xname, 208 ieee80211_mgt_subtype_name[subtype >> IEEE80211_FC0_SUBTYPE_SHIFT], 209 ether_sprintf(wh->i_addr2), rxi->rxi_rssi, 210 ieee80211_phymode_name[ic->ic_curmode]); 211 212 task_set(&msg->task, ieee80211_input_print_task, msg); 213 task_add(systq, &msg->task); 214 } 215 216 /* 217 * Process a received frame. The node associated with the sender 218 * should be supplied. If nothing was found in the node table then 219 * the caller is assumed to supply a reference to ic_bss instead. 220 * The RSSI and a timestamp are also supplied. The RSSI data is used 221 * during AP scanning to select a AP to associate with; it can have 222 * any units so long as values have consistent units and higher values 223 * mean ``better signal''. The receive timestamp is currently not used 224 * by the 802.11 layer. 225 */ 226 void 227 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 228 struct ieee80211_rxinfo *rxi) 229 { 230 struct ieee80211com *ic = (void *)ifp; 231 struct ieee80211_frame *wh; 232 u_int16_t *orxseq, nrxseq, qos; 233 u_int8_t dir, type, subtype, tid; 234 int hdrlen, hasqos; 235 236 KASSERT(ni != NULL); 237 238 /* in monitor mode, send everything directly to bpf */ 239 if (ic->ic_opmode == IEEE80211_M_MONITOR) 240 goto out; 241 242 /* 243 * Do not process frames without an Address 2 field any further. 244 * Only CTS and ACK control frames do not have this field. 245 */ 246 if (m->m_len < sizeof(struct ieee80211_frame_min)) { 247 DPRINTF(("frame too short, len %u\n", m->m_len)); 248 ic->ic_stats.is_rx_tooshort++; 249 goto out; 250 } 251 252 wh = mtod(m, struct ieee80211_frame *); 253 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 254 IEEE80211_FC0_VERSION_0) { 255 DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0])); 256 ic->ic_stats.is_rx_badversion++; 257 goto err; 258 } 259 260 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 261 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 262 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 263 264 if (type != IEEE80211_FC0_TYPE_CTL) { 265 hdrlen = ieee80211_get_hdrlen(wh); 266 if (m->m_len < hdrlen) { 267 DPRINTF(("frame too short, len %u\n", m->m_len)); 268 ic->ic_stats.is_rx_tooshort++; 269 goto err; 270 } 271 } 272 if ((hasqos = ieee80211_has_qos(wh))) { 273 qos = ieee80211_get_qos(wh); 274 tid = qos & IEEE80211_QOS_TID; 275 } else { 276 qos = 0; 277 tid = 0; 278 } 279 280 if (type == IEEE80211_FC0_TYPE_DATA && hasqos && 281 (subtype & IEEE80211_FC0_SUBTYPE_NODATA) == 0 && 282 !(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE)) { 283 int ba_state = ni->ni_rx_ba[tid].ba_state; 284 285 /* 286 * If Block Ack was explicitly requested, check 287 * if we have a BA agreement for this RA/TID. 288 */ 289 if ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 290 IEEE80211_QOS_ACK_POLICY_BA && 291 ba_state != IEEE80211_BA_AGREED) { 292 DPRINTF(("no BA agreement for %s, TID %d\n", 293 ether_sprintf(ni->ni_macaddr), tid)); 294 /* send a DELBA with reason code UNKNOWN-BA */ 295 IEEE80211_SEND_ACTION(ic, ni, 296 IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA, 297 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 298 goto err; 299 } 300 301 /* 302 * Check if we have an explicit or implicit 303 * Block Ack Request for a valid BA agreement. 304 */ 305 if (ba_state == IEEE80211_BA_AGREED && 306 ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 307 IEEE80211_QOS_ACK_POLICY_BA || 308 (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 309 IEEE80211_QOS_ACK_POLICY_NORMAL)) { 310 /* go through A-MPDU reordering */ 311 ieee80211_input_ba(ic, m, ni, tid, rxi); 312 return; /* don't free m! */ 313 } 314 } 315 316 /* duplicate detection (see 9.2.9) */ 317 if (ieee80211_has_seq(wh) && 318 ic->ic_state != IEEE80211_S_SCAN) { 319 nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >> 320 IEEE80211_SEQ_SEQ_SHIFT; 321 if (hasqos) 322 orxseq = &ni->ni_qos_rxseqs[tid]; 323 else 324 orxseq = &ni->ni_rxseq; 325 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 326 nrxseq == *orxseq) { 327 /* duplicate, silently discarded */ 328 ic->ic_stats.is_rx_dup++; 329 goto out; 330 } 331 *orxseq = nrxseq; 332 } 333 if (ic->ic_state != IEEE80211_S_SCAN) { 334 ni->ni_rssi = rxi->rxi_rssi; 335 ni->ni_rstamp = rxi->rxi_tstamp; 336 ni->ni_inact = 0; 337 } 338 339 #ifndef IEEE80211_STA_ONLY 340 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 341 (ic->ic_caps & IEEE80211_C_APPMGT) && 342 ni->ni_state == IEEE80211_STA_ASSOC) { 343 if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) { 344 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) { 345 /* turn on PS mode */ 346 ni->ni_pwrsave = IEEE80211_PS_DOZE; 347 ic->ic_pssta++; 348 DPRINTF(("PS mode on for %s, count %d\n", 349 ether_sprintf(wh->i_addr2), ic->ic_pssta)); 350 } 351 } else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) { 352 struct mbuf *m; 353 354 /* turn off PS mode */ 355 ni->ni_pwrsave = IEEE80211_PS_AWAKE; 356 ic->ic_pssta--; 357 DPRINTF(("PS mode off for %s, count %d\n", 358 ether_sprintf(wh->i_addr2), ic->ic_pssta)); 359 360 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 361 362 /* dequeue buffered unicast frames */ 363 while ((m = mq_dequeue(&ni->ni_savedq)) != NULL) { 364 mq_enqueue(&ic->ic_pwrsaveq, m); 365 if_start(ifp); 366 } 367 } 368 } 369 #endif 370 switch (type) { 371 case IEEE80211_FC0_TYPE_DATA: 372 switch (ic->ic_opmode) { 373 case IEEE80211_M_STA: 374 if (dir != IEEE80211_FC1_DIR_FROMDS) { 375 ic->ic_stats.is_rx_wrongdir++; 376 goto out; 377 } 378 if (ic->ic_state != IEEE80211_S_SCAN && 379 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 380 /* Source address is not our BSS. */ 381 DPRINTF(("discard frame from SA %s\n", 382 ether_sprintf(wh->i_addr2))); 383 ic->ic_stats.is_rx_wrongbss++; 384 goto out; 385 } 386 if ((ifp->if_flags & IFF_SIMPLEX) && 387 IEEE80211_IS_MULTICAST(wh->i_addr1) && 388 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 389 /* 390 * In IEEE802.11 network, multicast frame 391 * sent from me is broadcasted from AP. 392 * It should be silently discarded for 393 * SIMPLEX interface. 394 */ 395 ic->ic_stats.is_rx_mcastecho++; 396 goto out; 397 } 398 break; 399 #ifndef IEEE80211_STA_ONLY 400 case IEEE80211_M_IBSS: 401 case IEEE80211_M_AHDEMO: 402 if (dir != IEEE80211_FC1_DIR_NODS) { 403 ic->ic_stats.is_rx_wrongdir++; 404 goto out; 405 } 406 if (ic->ic_state != IEEE80211_S_SCAN && 407 !IEEE80211_ADDR_EQ(wh->i_addr3, 408 ic->ic_bss->ni_bssid) && 409 !IEEE80211_ADDR_EQ(wh->i_addr3, 410 etherbroadcastaddr)) { 411 /* Destination is not our BSS or broadcast. */ 412 DPRINTF(("discard data frame to DA %s\n", 413 ether_sprintf(wh->i_addr3))); 414 ic->ic_stats.is_rx_wrongbss++; 415 goto out; 416 } 417 break; 418 case IEEE80211_M_HOSTAP: 419 if (dir != IEEE80211_FC1_DIR_TODS) { 420 ic->ic_stats.is_rx_wrongdir++; 421 goto out; 422 } 423 if (ic->ic_state != IEEE80211_S_SCAN && 424 !IEEE80211_ADDR_EQ(wh->i_addr1, 425 ic->ic_bss->ni_bssid) && 426 !IEEE80211_ADDR_EQ(wh->i_addr1, 427 etherbroadcastaddr)) { 428 /* BSS is not us or broadcast. */ 429 DPRINTF(("discard data frame to BSS %s\n", 430 ether_sprintf(wh->i_addr1))); 431 ic->ic_stats.is_rx_wrongbss++; 432 goto out; 433 } 434 /* check if source STA is associated */ 435 if (ni == ic->ic_bss) { 436 DPRINTF(("data from unknown src %s\n", 437 ether_sprintf(wh->i_addr2))); 438 /* NB: caller deals with reference */ 439 ni = ieee80211_find_node(ic, wh->i_addr2); 440 if (ni == NULL) 441 ni = ieee80211_dup_bss(ic, wh->i_addr2); 442 if (ni != NULL) { 443 IEEE80211_SEND_MGMT(ic, ni, 444 IEEE80211_FC0_SUBTYPE_DEAUTH, 445 IEEE80211_REASON_NOT_AUTHED); 446 } 447 ic->ic_stats.is_rx_notassoc++; 448 goto err; 449 } 450 if (ni->ni_state != IEEE80211_STA_ASSOC) { 451 DPRINTF(("data from unassoc src %s\n", 452 ether_sprintf(wh->i_addr2))); 453 IEEE80211_SEND_MGMT(ic, ni, 454 IEEE80211_FC0_SUBTYPE_DISASSOC, 455 IEEE80211_REASON_NOT_ASSOCED); 456 ic->ic_stats.is_rx_notassoc++; 457 goto err; 458 } 459 break; 460 #endif /* IEEE80211_STA_ONLY */ 461 default: 462 /* can't get there */ 463 goto out; 464 } 465 466 if ((ic->ic_flags & IEEE80211_F_WEPON) || 467 ((ic->ic_flags & IEEE80211_F_RSNON) && 468 (ni->ni_flags & IEEE80211_NODE_RXPROT))) { 469 /* protection is on for Rx */ 470 if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 471 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 472 /* drop unencrypted */ 473 ic->ic_stats.is_rx_unencrypted++; 474 goto err; 475 } 476 /* do software decryption */ 477 m = ieee80211_decrypt(ic, m, ni); 478 if (m == NULL) { 479 ic->ic_stats.is_rx_wepfail++; 480 goto err; 481 } 482 wh = mtod(m, struct ieee80211_frame *); 483 } 484 } else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) || 485 (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 486 /* frame encrypted but protection off for Rx */ 487 ic->ic_stats.is_rx_nowep++; 488 goto out; 489 } 490 491 #if NBPFILTER > 0 492 /* copy to listener after decrypt */ 493 if (ic->ic_rawbpf) 494 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 495 #endif 496 497 if ((ni->ni_flags & IEEE80211_NODE_HT) && 498 hasqos && (qos & IEEE80211_QOS_AMSDU)) 499 ieee80211_amsdu_decap(ic, m, ni, hdrlen); 500 else 501 ieee80211_decap(ic, m, ni, hdrlen); 502 return; 503 504 case IEEE80211_FC0_TYPE_MGT: 505 if (dir != IEEE80211_FC1_DIR_NODS) { 506 ic->ic_stats.is_rx_wrongdir++; 507 goto err; 508 } 509 #ifndef IEEE80211_STA_ONLY 510 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 511 ic->ic_stats.is_rx_ahdemo_mgt++; 512 goto out; 513 } 514 #endif 515 /* drop frames without interest */ 516 if (ic->ic_state == IEEE80211_S_SCAN) { 517 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 518 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 519 ic->ic_stats.is_rx_mgtdiscard++; 520 goto out; 521 } 522 } 523 524 if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) { 525 /* MMPDU protection is on for Rx */ 526 if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC || 527 subtype == IEEE80211_FC0_SUBTYPE_DEAUTH || 528 subtype == IEEE80211_FC0_SUBTYPE_ACTION) { 529 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) && 530 !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 531 /* unicast mgmt not encrypted */ 532 goto out; 533 } 534 /* do software decryption */ 535 m = ieee80211_decrypt(ic, m, ni); 536 if (m == NULL) { 537 /* XXX stats */ 538 goto out; 539 } 540 wh = mtod(m, struct ieee80211_frame *); 541 } 542 } else if ((ic->ic_flags & IEEE80211_F_RSNON) && 543 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 544 /* encrypted but MMPDU Rx protection off for TA */ 545 goto out; 546 } 547 548 if (ifp->if_flags & IFF_DEBUG) 549 ieee80211_input_print(ic, ifp, wh, rxi); 550 #if NBPFILTER > 0 551 if (bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN) != 0) { 552 /* 553 * Drop mbuf if it was filtered by bpf. Normally, 554 * this is done in ether_input() but IEEE 802.11 555 * management frames are a special case. 556 */ 557 m_freem(m); 558 return; 559 } 560 #endif 561 (*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype); 562 m_freem(m); 563 return; 564 565 case IEEE80211_FC0_TYPE_CTL: 566 ic->ic_stats.is_rx_ctl++; 567 switch (subtype) { 568 #ifndef IEEE80211_STA_ONLY 569 case IEEE80211_FC0_SUBTYPE_PS_POLL: 570 ieee80211_recv_pspoll(ic, m, ni); 571 break; 572 #endif 573 case IEEE80211_FC0_SUBTYPE_BAR: 574 ieee80211_recv_bar(ic, m, ni); 575 break; 576 default: 577 break; 578 } 579 goto out; 580 581 default: 582 DPRINTF(("bad frame type %x\n", type)); 583 /* should not come here */ 584 break; 585 } 586 err: 587 ifp->if_ierrors++; 588 out: 589 if (m != NULL) { 590 #if NBPFILTER > 0 591 if (ic->ic_rawbpf) 592 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 593 #endif 594 m_freem(m); 595 } 596 } 597 598 /* 599 * Handle defragmentation (see 9.5 and Annex C). We support the concurrent 600 * reception of fragments of three fragmented MSDUs or MMPDUs. 601 */ 602 struct mbuf * 603 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 604 { 605 const struct ieee80211_frame *owh, *wh; 606 struct ieee80211_defrag *df; 607 u_int16_t rxseq, seq; 608 u_int8_t frag; 609 int i; 610 611 wh = mtod(m, struct ieee80211_frame *); 612 rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 613 seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 614 frag = rxseq & IEEE80211_SEQ_FRAG_MASK; 615 616 if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)) 617 return m; /* not fragmented */ 618 619 if (frag == 0) { 620 /* first fragment, setup entry in the fragment cache */ 621 if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE) 622 ic->ic_defrag_cur = 0; 623 df = &ic->ic_defrag[ic->ic_defrag_cur]; 624 m_freem(df->df_m); /* discard old entry */ 625 df->df_seq = seq; 626 df->df_frag = 0; 627 df->df_m = m; 628 /* start receive MSDU timer of aMaxReceiveLifetime */ 629 timeout_add_sec(&df->df_to, 1); 630 return NULL; /* MSDU or MMPDU not yet complete */ 631 } 632 633 /* find matching entry in the fragment cache */ 634 for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) { 635 df = &ic->ic_defrag[i]; 636 if (df->df_m == NULL) 637 continue; 638 if (df->df_seq != seq || df->df_frag + 1 != frag) 639 continue; 640 owh = mtod(df->df_m, struct ieee80211_frame *); 641 /* frame type, source and destination must match */ 642 if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) || 643 !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) || 644 !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2)) 645 continue; 646 /* matching entry found */ 647 break; 648 } 649 if (i == IEEE80211_DEFRAG_SIZE) { 650 /* no matching entry found, discard fragment */ 651 ic->ic_if.if_ierrors++; 652 m_freem(m); 653 return NULL; 654 } 655 656 df->df_frag = frag; 657 /* strip 802.11 header and concatenate fragment */ 658 m_adj(m, hdrlen); 659 m_cat(df->df_m, m); 660 df->df_m->m_pkthdr.len += m->m_pkthdr.len; 661 662 if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) 663 return NULL; /* MSDU or MMPDU not yet complete */ 664 665 /* MSDU or MMPDU complete */ 666 timeout_del(&df->df_to); 667 m = df->df_m; 668 df->df_m = NULL; 669 return m; 670 } 671 672 /* 673 * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime. 674 */ 675 void 676 ieee80211_defrag_timeout(void *arg) 677 { 678 struct ieee80211_defrag *df = arg; 679 int s = splnet(); 680 681 /* discard all received fragments */ 682 m_freem(df->df_m); 683 df->df_m = NULL; 684 685 splx(s); 686 } 687 688 /* 689 * Process a received data MPDU related to a specific HT-immediate Block Ack 690 * agreement (see 9.10.7.6). 691 */ 692 void 693 ieee80211_input_ba(struct ieee80211com *ic, struct mbuf *m, 694 struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi) 695 { 696 struct ifnet *ifp = &ic->ic_if; 697 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 698 struct ieee80211_frame *wh; 699 int idx, count; 700 u_int16_t sn; 701 702 wh = mtod(m, struct ieee80211_frame *); 703 sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 704 705 /* reset Block Ack inactivity timer */ 706 if (ba->ba_timeout_val != 0) 707 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 708 709 if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */ 710 ic->ic_stats.is_ht_rx_frame_below_ba_winstart++; 711 m_freem(m); /* discard the MPDU */ 712 return; 713 } 714 if (SEQ_LT(ba->ba_winend, sn)) { /* WinEndB < SN */ 715 ic->ic_stats.is_ht_rx_frame_above_ba_winend++; 716 count = (sn - ba->ba_winend) & 0xfff; 717 if (count > ba->ba_winsize) { 718 /* 719 * Check whether we're consistently behind the window, 720 * and let the window move forward if neccessary. 721 */ 722 if (ba->ba_winmiss < IEEE80211_BA_MAX_WINMISS) { 723 if (ba->ba_missedsn == ((sn - 1) & 0xfff)) 724 ba->ba_winmiss++; 725 else 726 ba->ba_winmiss = 0; 727 ba->ba_missedsn = sn; 728 ifp->if_ierrors++; 729 m_freem(m); /* discard the MPDU */ 730 return; 731 } 732 733 /* It appears the window has moved for real. */ 734 ic->ic_stats.is_ht_rx_ba_window_jump++; 735 ba->ba_winmiss = 0; 736 ba->ba_missedsn = 0; 737 ieee80211_ba_move_window(ic, ni, tid, sn); 738 } else { 739 ic->ic_stats.is_ht_rx_ba_window_slide++; 740 ieee80211_input_ba_seq(ic, ni, tid, 741 (ba->ba_winstart + count) & 0xfff); 742 ieee80211_input_ba_flush(ic, ni, ba); 743 } 744 } 745 /* WinStartB <= SN <= WinEndB */ 746 747 ba->ba_winmiss = 0; 748 ba->ba_missedsn = 0; 749 idx = (sn - ba->ba_winstart) & 0xfff; 750 idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ; 751 /* store the received MPDU in the buffer */ 752 if (ba->ba_buf[idx].m != NULL) { 753 ifp->if_ierrors++; 754 ic->ic_stats.is_ht_rx_ba_no_buf++; 755 m_freem(m); 756 return; 757 } 758 ba->ba_buf[idx].m = m; 759 /* store Rx meta-data too */ 760 rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE; 761 ba->ba_buf[idx].rxi = *rxi; 762 763 if (ba->ba_buf[ba->ba_head].m == NULL) 764 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT); 765 else if (timeout_pending(&ba->ba_gap_to)) 766 timeout_del(&ba->ba_gap_to); 767 768 ieee80211_input_ba_flush(ic, ni, ba); 769 } 770 771 /* 772 * Forward buffered frames with sequence number lower than max_seq. 773 * See 802.11-2012 9.21.7.6.2 b. 774 */ 775 void 776 ieee80211_input_ba_seq(struct ieee80211com *ic, struct ieee80211_node *ni, 777 uint8_t tid, uint16_t max_seq) 778 { 779 struct ifnet *ifp = &ic->ic_if; 780 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 781 struct ieee80211_frame *wh; 782 uint16_t seq; 783 int i = 0; 784 785 while (i++ < ba->ba_winsize) { 786 /* gaps may exist */ 787 if (ba->ba_buf[ba->ba_head].m != NULL) { 788 wh = mtod(ba->ba_buf[ba->ba_head].m, 789 struct ieee80211_frame *); 790 KASSERT(ieee80211_has_seq(wh)); 791 seq = letoh16(*(u_int16_t *)wh->i_seq) >> 792 IEEE80211_SEQ_SEQ_SHIFT; 793 if (!SEQ_LT(seq, max_seq)) 794 return; 795 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, 796 ni, &ba->ba_buf[ba->ba_head].rxi); 797 ba->ba_buf[ba->ba_head].m = NULL; 798 } else 799 ic->ic_stats.is_ht_rx_ba_frame_lost++; 800 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 801 } 802 } 803 804 /* Flush a consecutive sequence of frames from the reorder buffer. */ 805 void 806 ieee80211_input_ba_flush(struct ieee80211com *ic, struct ieee80211_node *ni, 807 struct ieee80211_rx_ba *ba) 808 809 { 810 struct ifnet *ifp = &ic->ic_if; 811 812 /* pass reordered MPDUs up to the next MAC process */ 813 while (ba->ba_buf[ba->ba_head].m != NULL) { 814 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 815 &ba->ba_buf[ba->ba_head].rxi); 816 ba->ba_buf[ba->ba_head].m = NULL; 817 818 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 819 /* move window forward */ 820 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 821 } 822 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 823 } 824 825 /* 826 * Forcibly move the BA window forward to remove a leading gap which has 827 * been causing frames to linger in the reordering buffer for too long. 828 * A leading gap will occur if a particular A-MPDU subframe never arrives 829 * or if a bug in the sender causes sequence numbers to jump forward by > 1. 830 */ 831 void 832 ieee80211_input_ba_gap_timeout(void *arg) 833 { 834 struct ieee80211_rx_ba *ba = arg; 835 struct ieee80211_node *ni = ba->ba_ni; 836 struct ieee80211com *ic = ni->ni_ic; 837 int s, skipped; 838 839 ic->ic_stats.is_ht_rx_ba_window_gap_timeout++; 840 841 s = splnet(); 842 843 skipped = 0; 844 while (skipped < ba->ba_winsize && ba->ba_buf[ba->ba_head].m == NULL) { 845 /* move window forward */ 846 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 847 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 848 skipped++; 849 ic->ic_stats.is_ht_rx_ba_frame_lost++; 850 } 851 if (skipped > 0) 852 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 853 854 ieee80211_input_ba_flush(ic, ni, ba); 855 856 splx(s); 857 } 858 859 860 /* 861 * Change the value of WinStartB (move window forward) upon reception of a 862 * BlockAckReq frame or an ADDBA Request (PBAC). 863 */ 864 void 865 ieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni, 866 u_int8_t tid, u_int16_t ssn) 867 { 868 struct ifnet *ifp = &ic->ic_if; 869 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 870 int count; 871 872 /* assert(WinStartB <= SSN) */ 873 874 count = (ssn - ba->ba_winstart) & 0xfff; 875 if (count > ba->ba_winsize) /* no overlap */ 876 count = ba->ba_winsize; 877 while (count-- > 0) { 878 /* gaps may exist */ 879 if (ba->ba_buf[ba->ba_head].m != NULL) { 880 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 881 &ba->ba_buf[ba->ba_head].rxi); 882 ba->ba_buf[ba->ba_head].m = NULL; 883 } else 884 ic->ic_stats.is_ht_rx_ba_frame_lost++; 885 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 886 } 887 /* move window forward */ 888 ba->ba_winstart = ssn; 889 890 ieee80211_input_ba_flush(ic, ni, ba); 891 } 892 893 void 894 ieee80211_deliver_data(struct ieee80211com *ic, struct mbuf *m, 895 struct ieee80211_node *ni) 896 { 897 struct ifnet *ifp = &ic->ic_if; 898 struct ether_header *eh; 899 struct mbuf *m1; 900 901 eh = mtod(m, struct ether_header *); 902 903 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid && 904 eh->ether_type != htons(ETHERTYPE_PAE)) { 905 DPRINTF(("port not valid: %s\n", 906 ether_sprintf(eh->ether_dhost))); 907 ic->ic_stats.is_rx_unauth++; 908 m_freem(m); 909 return; 910 } 911 912 /* 913 * Perform as a bridge within the AP. Notice that we do not 914 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X. 915 */ 916 m1 = NULL; 917 #ifndef IEEE80211_STA_ONLY 918 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 919 !(ic->ic_flags & IEEE80211_F_NOBRIDGE) && 920 eh->ether_type != htons(ETHERTYPE_PAE)) { 921 struct ieee80211_node *ni1; 922 923 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 924 m1 = m_dup_pkt(m, ETHER_ALIGN, M_DONTWAIT); 925 if (m1 == NULL) 926 ifp->if_oerrors++; 927 else 928 m1->m_flags |= M_MCAST; 929 } else { 930 ni1 = ieee80211_find_node(ic, eh->ether_dhost); 931 if (ni1 != NULL && 932 ni1->ni_state == IEEE80211_STA_ASSOC) { 933 m1 = m; 934 m = NULL; 935 } 936 } 937 if (m1 != NULL) { 938 if (if_enqueue(ifp, m1)) 939 ifp->if_oerrors++; 940 } 941 } 942 #endif 943 if (m != NULL) { 944 if ((ic->ic_flags & IEEE80211_F_RSNON) && 945 eh->ether_type == htons(ETHERTYPE_PAE)) { 946 ifp->if_ipackets++; 947 #if NBPFILTER > 0 948 /* 949 * If we forward frame into transmitter of the AP, 950 * we don't need to duplicate for DLT_EN10MB. 951 */ 952 if (ifp->if_bpf && m1 == NULL) 953 bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN); 954 #endif 955 ieee80211_eapol_key_input(ic, m, ni); 956 } else { 957 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 958 ml_enqueue(&ml, m); 959 if_input(ifp, &ml); 960 } 961 } 962 } 963 964 void 965 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, 966 struct ieee80211_node *ni, int hdrlen) 967 { 968 struct ether_header eh; 969 struct ieee80211_frame *wh; 970 struct llc *llc; 971 972 if (m->m_len < hdrlen + LLC_SNAPFRAMELEN && 973 (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) { 974 ic->ic_stats.is_rx_decap++; 975 return; 976 } 977 wh = mtod(m, struct ieee80211_frame *); 978 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 979 case IEEE80211_FC1_DIR_NODS: 980 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 981 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 982 break; 983 case IEEE80211_FC1_DIR_TODS: 984 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 985 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 986 break; 987 case IEEE80211_FC1_DIR_FROMDS: 988 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 989 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr3); 990 break; 991 case IEEE80211_FC1_DIR_DSTODS: 992 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 993 IEEE80211_ADDR_COPY(eh.ether_shost, 994 ((struct ieee80211_frame_addr4 *)wh)->i_addr4); 995 break; 996 } 997 llc = (struct llc *)((caddr_t)wh + hdrlen); 998 if (llc->llc_dsap == LLC_SNAP_LSAP && 999 llc->llc_ssap == LLC_SNAP_LSAP && 1000 llc->llc_control == LLC_UI && 1001 llc->llc_snap.org_code[0] == 0 && 1002 llc->llc_snap.org_code[1] == 0 && 1003 llc->llc_snap.org_code[2] == 0) { 1004 eh.ether_type = llc->llc_snap.ether_type; 1005 m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN); 1006 } else { 1007 eh.ether_type = htons(m->m_pkthdr.len - hdrlen); 1008 m_adj(m, hdrlen - ETHER_HDR_LEN); 1009 } 1010 memcpy(mtod(m, caddr_t), &eh, ETHER_HDR_LEN); 1011 if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) { 1012 struct mbuf *m0 = m; 1013 m = m_dup_pkt(m0, ETHER_ALIGN, M_NOWAIT); 1014 m_freem(m0); 1015 if (m == NULL) { 1016 ic->ic_stats.is_rx_decap++; 1017 return; 1018 } 1019 } 1020 ieee80211_deliver_data(ic, m, ni); 1021 } 1022 1023 /* 1024 * Decapsulate an Aggregate MSDU (see 7.2.2.2). 1025 */ 1026 void 1027 ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m, 1028 struct ieee80211_node *ni, int hdrlen) 1029 { 1030 struct mbuf *n; 1031 struct ether_header *eh; 1032 struct llc *llc; 1033 int len, pad; 1034 1035 /* strip 802.11 header */ 1036 m_adj(m, hdrlen); 1037 1038 for (;;) { 1039 /* process an A-MSDU subframe */ 1040 if (m->m_len < ETHER_HDR_LEN + LLC_SNAPFRAMELEN) { 1041 m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN); 1042 if (m == NULL) { 1043 ic->ic_stats.is_rx_decap++; 1044 break; 1045 } 1046 } 1047 eh = mtod(m, struct ether_header *); 1048 /* examine 802.3 header */ 1049 len = ntohs(eh->ether_type); 1050 if (len < LLC_SNAPFRAMELEN) { 1051 DPRINTF(("A-MSDU subframe too short (%d)\n", len)); 1052 /* stop processing A-MSDU subframes */ 1053 ic->ic_stats.is_rx_decap++; 1054 m_freem(m); 1055 break; 1056 } 1057 llc = (struct llc *)&eh[1]; 1058 /* examine 802.2 LLC header */ 1059 if (llc->llc_dsap == LLC_SNAP_LSAP && 1060 llc->llc_ssap == LLC_SNAP_LSAP && 1061 llc->llc_control == LLC_UI && 1062 llc->llc_snap.org_code[0] == 0 && 1063 llc->llc_snap.org_code[1] == 0 && 1064 llc->llc_snap.org_code[2] == 0) { 1065 /* convert to Ethernet II header */ 1066 eh->ether_type = llc->llc_snap.ether_type; 1067 /* strip LLC+SNAP headers */ 1068 memmove((u_int8_t *)eh + LLC_SNAPFRAMELEN, eh, 1069 ETHER_HDR_LEN); 1070 m_adj(m, LLC_SNAPFRAMELEN); 1071 len -= LLC_SNAPFRAMELEN; 1072 } 1073 len += ETHER_HDR_LEN; 1074 if (len > m->m_pkthdr.len) { 1075 /* stop processing A-MSDU subframes */ 1076 DPRINTF(("A-MSDU subframe too long (%d)\n", len)); 1077 ic->ic_stats.is_rx_decap++; 1078 m_freem(m); 1079 break; 1080 } 1081 1082 /* "detach" our A-MSDU subframe from the others */ 1083 n = m_split(m, len, M_NOWAIT); 1084 if (n == NULL) { 1085 /* stop processing A-MSDU subframes */ 1086 ic->ic_stats.is_rx_decap++; 1087 m_freem(m); 1088 break; 1089 } 1090 ieee80211_deliver_data(ic, m, ni); 1091 1092 if (n->m_len == 0) { 1093 m_freem(n); 1094 break; 1095 } 1096 m = n; 1097 /* remove padding */ 1098 pad = ((len + 3) & ~3) - len; 1099 m_adj(m, pad); 1100 } 1101 } 1102 1103 /* 1104 * Parse an EDCA Parameter Set element (see 7.3.2.27). 1105 */ 1106 int 1107 ieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm) 1108 { 1109 u_int updtcount; 1110 int aci; 1111 1112 /* 1113 * Check if EDCA parameters have changed XXX if we miss more than 1114 * 15 consecutive beacons, we might not detect changes to EDCA 1115 * parameters due to wraparound of the 4-bit Update Count field. 1116 */ 1117 updtcount = frm[0] & 0xf; 1118 if (updtcount == ic->ic_edca_updtcount) 1119 return 0; /* no changes to EDCA parameters, ignore */ 1120 ic->ic_edca_updtcount = updtcount; 1121 1122 frm += 2; /* skip QoS Info & Reserved fields */ 1123 1124 /* parse AC Parameter Records */ 1125 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 1126 struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci]; 1127 1128 ac->ac_acm = (frm[0] >> 4) & 0x1; 1129 ac->ac_aifsn = frm[0] & 0xf; 1130 ac->ac_ecwmin = frm[1] & 0xf; 1131 ac->ac_ecwmax = frm[1] >> 4; 1132 ac->ac_txoplimit = LE_READ_2(frm + 2); 1133 frm += 4; 1134 } 1135 /* give drivers a chance to update their settings */ 1136 if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL) 1137 (*ic->ic_updateedca)(ic); 1138 1139 return 0; 1140 } 1141 1142 int 1143 ieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm) 1144 { 1145 if (frm[1] < 18) { 1146 ic->ic_stats.is_rx_elem_toosmall++; 1147 return IEEE80211_REASON_IE_INVALID; 1148 } 1149 return ieee80211_parse_edca_params_body(ic, frm + 2); 1150 } 1151 1152 int 1153 ieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm) 1154 { 1155 if (frm[1] < 24) { 1156 ic->ic_stats.is_rx_elem_toosmall++; 1157 return IEEE80211_REASON_IE_INVALID; 1158 } 1159 return ieee80211_parse_edca_params_body(ic, frm + 8); 1160 } 1161 1162 enum ieee80211_cipher 1163 ieee80211_parse_rsn_cipher(const u_int8_t selector[4]) 1164 { 1165 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1166 switch (selector[3]) { 1167 case 0: /* use group data cipher suite */ 1168 return IEEE80211_CIPHER_USEGROUP; 1169 case 1: /* WEP-40 */ 1170 return IEEE80211_CIPHER_WEP40; 1171 case 2: /* TKIP */ 1172 return IEEE80211_CIPHER_TKIP; 1173 case 4: /* CCMP (RSNA default) */ 1174 return IEEE80211_CIPHER_CCMP; 1175 case 5: /* WEP-104 */ 1176 return IEEE80211_CIPHER_WEP104; 1177 } 1178 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1179 /* see 802.11-2012 Table 8-99 */ 1180 switch (selector[3]) { 1181 case 0: /* use group data cipher suite */ 1182 return IEEE80211_CIPHER_USEGROUP; 1183 case 1: /* WEP-40 */ 1184 return IEEE80211_CIPHER_WEP40; 1185 case 2: /* TKIP */ 1186 return IEEE80211_CIPHER_TKIP; 1187 case 4: /* CCMP (RSNA default) */ 1188 return IEEE80211_CIPHER_CCMP; 1189 case 5: /* WEP-104 */ 1190 return IEEE80211_CIPHER_WEP104; 1191 case 6: /* BIP */ 1192 return IEEE80211_CIPHER_BIP; 1193 } 1194 } 1195 return IEEE80211_CIPHER_NONE; /* ignore unknown ciphers */ 1196 } 1197 1198 enum ieee80211_akm 1199 ieee80211_parse_rsn_akm(const u_int8_t selector[4]) 1200 { 1201 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1202 switch (selector[3]) { 1203 case 1: /* IEEE 802.1X (RSNA default) */ 1204 return IEEE80211_AKM_8021X; 1205 case 2: /* PSK */ 1206 return IEEE80211_AKM_PSK; 1207 } 1208 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1209 /* from IEEE Std 802.11i-2004 - Table 20dc */ 1210 switch (selector[3]) { 1211 case 1: /* IEEE 802.1X (RSNA default) */ 1212 return IEEE80211_AKM_8021X; 1213 case 2: /* PSK */ 1214 return IEEE80211_AKM_PSK; 1215 case 5: /* IEEE 802.1X with SHA256 KDF */ 1216 return IEEE80211_AKM_SHA256_8021X; 1217 case 6: /* PSK with SHA256 KDF */ 1218 return IEEE80211_AKM_SHA256_PSK; 1219 } 1220 } 1221 return IEEE80211_AKM_NONE; /* ignore unknown AKMs */ 1222 } 1223 1224 /* 1225 * Parse an RSN element (see 802.11-2012 8.4.2.27) 1226 */ 1227 int 1228 ieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm, 1229 u_int len, struct ieee80211_rsnparams *rsn) 1230 { 1231 const u_int8_t *efrm; 1232 u_int16_t m, n, s; 1233 1234 efrm = frm + len; 1235 1236 /* check Version field */ 1237 if (LE_READ_2(frm) != 1) 1238 return IEEE80211_STATUS_RSN_IE_VER_UNSUP; 1239 frm += 2; 1240 1241 /* all fields after the Version field are optional */ 1242 1243 /* if Cipher Suite missing, default to CCMP */ 1244 rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP; 1245 rsn->rsn_nciphers = 1; 1246 rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP; 1247 /* if Group Management Cipher Suite missing, defaut to BIP */ 1248 rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP; 1249 /* if AKM Suite missing, default to 802.1X */ 1250 rsn->rsn_nakms = 1; 1251 rsn->rsn_akms = IEEE80211_AKM_8021X; 1252 /* if RSN capabilities missing, default to 0 */ 1253 rsn->rsn_caps = 0; 1254 rsn->rsn_npmkids = 0; 1255 1256 /* read Group Data Cipher Suite field */ 1257 if (frm + 4 > efrm) 1258 return 0; 1259 rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm); 1260 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_NONE || 1261 rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP || 1262 rsn->rsn_groupcipher == IEEE80211_CIPHER_BIP) 1263 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1264 frm += 4; 1265 1266 /* read Pairwise Cipher Suite Count field */ 1267 if (frm + 2 > efrm) 1268 return 0; 1269 m = rsn->rsn_nciphers = LE_READ_2(frm); 1270 frm += 2; 1271 1272 /* read Pairwise Cipher Suite List */ 1273 if (frm + m * 4 > efrm) 1274 return IEEE80211_STATUS_IE_INVALID; 1275 rsn->rsn_ciphers = IEEE80211_CIPHER_NONE; 1276 while (m-- > 0) { 1277 rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm); 1278 frm += 4; 1279 } 1280 if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) { 1281 if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP) 1282 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1283 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP) 1284 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1285 } 1286 1287 /* read AKM Suite List Count field */ 1288 if (frm + 2 > efrm) 1289 return 0; 1290 n = rsn->rsn_nakms = LE_READ_2(frm); 1291 frm += 2; 1292 1293 /* read AKM Suite List */ 1294 if (frm + n * 4 > efrm) 1295 return IEEE80211_STATUS_IE_INVALID; 1296 rsn->rsn_akms = IEEE80211_AKM_NONE; 1297 while (n-- > 0) { 1298 rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm); 1299 frm += 4; 1300 } 1301 1302 /* read RSN Capabilities field */ 1303 if (frm + 2 > efrm) 1304 return 0; 1305 rsn->rsn_caps = LE_READ_2(frm); 1306 frm += 2; 1307 1308 /* read PMKID Count field */ 1309 if (frm + 2 > efrm) 1310 return 0; 1311 s = rsn->rsn_npmkids = LE_READ_2(frm); 1312 frm += 2; 1313 1314 /* read PMKID List */ 1315 if (frm + s * IEEE80211_PMKID_LEN > efrm) 1316 return IEEE80211_STATUS_IE_INVALID; 1317 if (s != 0) { 1318 rsn->rsn_pmkids = frm; 1319 frm += s * IEEE80211_PMKID_LEN; 1320 } 1321 1322 /* read Group Management Cipher Suite field */ 1323 if (frm + 4 > efrm) 1324 return 0; 1325 rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm); 1326 if (rsn->rsn_groupmgmtcipher != IEEE80211_CIPHER_BIP) 1327 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1328 1329 return IEEE80211_STATUS_SUCCESS; 1330 } 1331 1332 int 1333 ieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm, 1334 struct ieee80211_rsnparams *rsn) 1335 { 1336 if (frm[1] < 2) { 1337 ic->ic_stats.is_rx_elem_toosmall++; 1338 return IEEE80211_STATUS_IE_INVALID; 1339 } 1340 return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn); 1341 } 1342 1343 int 1344 ieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm, 1345 struct ieee80211_rsnparams *rsn) 1346 { 1347 if (frm[1] < 6) { 1348 ic->ic_stats.is_rx_elem_toosmall++; 1349 return IEEE80211_STATUS_IE_INVALID; 1350 } 1351 return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn); 1352 } 1353 1354 /* 1355 * Create (or update) a copy of an information element. 1356 */ 1357 int 1358 ieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie) 1359 { 1360 if (*ie == NULL || (*ie)[1] != frm[1]) { 1361 if (*ie != NULL) 1362 free(*ie, M_DEVBUF, 0); 1363 *ie = malloc(2 + frm[1], M_DEVBUF, M_NOWAIT); 1364 if (*ie == NULL) 1365 return ENOMEM; 1366 } 1367 memcpy(*ie, frm, 2 + frm[1]); 1368 return 0; 1369 } 1370 1371 /*- 1372 * Beacon/Probe response frame format: 1373 * [8] Timestamp 1374 * [2] Beacon interval 1375 * [2] Capability 1376 * [tlv] Service Set Identifier (SSID) 1377 * [tlv] Supported rates 1378 * [tlv] DS Parameter Set (802.11g) 1379 * [tlv] ERP Information (802.11g) 1380 * [tlv] Extended Supported Rates (802.11g) 1381 * [tlv] RSN (802.11i) 1382 * [tlv] EDCA Parameter Set (802.11e) 1383 * [tlv] QoS Capability (Beacon only, 802.11e) 1384 * [tlv] HT Capabilities (802.11n) 1385 * [tlv] HT Operation (802.11n) 1386 */ 1387 void 1388 ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m, 1389 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int isprobe) 1390 { 1391 const struct ieee80211_frame *wh; 1392 const u_int8_t *frm, *efrm; 1393 const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie; 1394 const u_int8_t *rsnie, *wpaie, *htcaps, *htop; 1395 u_int16_t capinfo, bintval; 1396 u_int8_t chan, bchan, erp; 1397 int is_new; 1398 1399 /* 1400 * We process beacon/probe response frames for: 1401 * o station mode: to collect state 1402 * updates such as 802.11g slot time and for passive 1403 * scanning of APs 1404 * o adhoc mode: to discover neighbors 1405 * o hostap mode: for passive scanning of neighbor APs 1406 * o when scanning 1407 * In other words, in all modes other than monitor (which 1408 * does not process incoming frames) and adhoc-demo (which 1409 * does not use management frames at all). 1410 */ 1411 #ifdef DIAGNOSTIC 1412 if (ic->ic_opmode != IEEE80211_M_STA && 1413 #ifndef IEEE80211_STA_ONLY 1414 ic->ic_opmode != IEEE80211_M_IBSS && 1415 ic->ic_opmode != IEEE80211_M_HOSTAP && 1416 #endif 1417 ic->ic_state != IEEE80211_S_SCAN) { 1418 panic("%s: impossible operating mode", __func__); 1419 } 1420 #endif 1421 /* make sure all mandatory fixed fields are present */ 1422 if (m->m_len < sizeof(*wh) + 12) { 1423 DPRINTF(("frame too short\n")); 1424 return; 1425 } 1426 wh = mtod(m, struct ieee80211_frame *); 1427 frm = (const u_int8_t *)&wh[1]; 1428 efrm = mtod(m, u_int8_t *) + m->m_len; 1429 1430 tstamp = frm; frm += 8; 1431 bintval = LE_READ_2(frm); frm += 2; 1432 capinfo = LE_READ_2(frm); frm += 2; 1433 1434 ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = NULL; 1435 htcaps = htop = NULL; 1436 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1437 chan = bchan; 1438 erp = 0; 1439 while (frm + 2 <= efrm) { 1440 if (frm + 2 + frm[1] > efrm) { 1441 ic->ic_stats.is_rx_elem_toosmall++; 1442 break; 1443 } 1444 switch (frm[0]) { 1445 case IEEE80211_ELEMID_SSID: 1446 ssid = frm; 1447 break; 1448 case IEEE80211_ELEMID_RATES: 1449 rates = frm; 1450 break; 1451 case IEEE80211_ELEMID_DSPARMS: 1452 if (frm[1] < 1) { 1453 ic->ic_stats.is_rx_elem_toosmall++; 1454 break; 1455 } 1456 chan = frm[2]; 1457 break; 1458 case IEEE80211_ELEMID_XRATES: 1459 xrates = frm; 1460 break; 1461 case IEEE80211_ELEMID_ERP: 1462 if (frm[1] < 1) { 1463 ic->ic_stats.is_rx_elem_toosmall++; 1464 break; 1465 } 1466 erp = frm[2]; 1467 break; 1468 case IEEE80211_ELEMID_RSN: 1469 rsnie = frm; 1470 break; 1471 case IEEE80211_ELEMID_EDCAPARMS: 1472 edcaie = frm; 1473 break; 1474 case IEEE80211_ELEMID_HTCAPS: 1475 htcaps = frm; 1476 break; 1477 case IEEE80211_ELEMID_HTOP: 1478 htop = frm; 1479 break; 1480 case IEEE80211_ELEMID_VENDOR: 1481 if (frm[1] < 4) { 1482 ic->ic_stats.is_rx_elem_toosmall++; 1483 break; 1484 } 1485 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1486 if (frm[5] == 1) 1487 wpaie = frm; 1488 else if (frm[1] >= 5 && 1489 frm[5] == 2 && frm[6] == 1) 1490 wmmie = frm; 1491 } 1492 break; 1493 } 1494 frm += 2 + frm[1]; 1495 } 1496 /* supported rates element is mandatory */ 1497 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1498 DPRINTF(("invalid supported rates element\n")); 1499 return; 1500 } 1501 /* SSID element is mandatory */ 1502 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1503 DPRINTF(("invalid SSID element\n")); 1504 return; 1505 } 1506 1507 if ( 1508 #if IEEE80211_CHAN_MAX < 255 1509 chan > IEEE80211_CHAN_MAX || 1510 #endif 1511 isclr(ic->ic_chan_active, chan)) { 1512 DPRINTF(("ignore %s with invalid channel %u\n", 1513 isprobe ? "probe response" : "beacon", chan)); 1514 ic->ic_stats.is_rx_badchan++; 1515 return; 1516 } 1517 if ((ic->ic_state != IEEE80211_S_SCAN || 1518 !(ic->ic_caps & IEEE80211_C_SCANALL)) && 1519 chan != bchan) { 1520 /* 1521 * Frame was received on a channel different from the 1522 * one indicated in the DS params element id; 1523 * silently discard it. 1524 * 1525 * NB: this can happen due to signal leakage. 1526 */ 1527 DPRINTF(("ignore %s on channel %u marked for channel %u\n", 1528 isprobe ? "probe response" : "beacon", bchan, chan)); 1529 ic->ic_stats.is_rx_chanmismatch++; 1530 return; 1531 } 1532 /* 1533 * Use mac, channel and rssi so we collect only the 1534 * best potential AP with the equal bssid while scanning. 1535 * Collecting all potential APs may result in bloat of 1536 * the node tree. This call will return NULL if the node 1537 * for this APs does not exist or if the new node is the 1538 * potential better one. 1539 */ 1540 if ((ni = ieee80211_find_node_for_beacon(ic, wh->i_addr2, 1541 &ic->ic_channels[chan], ssid, rxi->rxi_rssi)) != NULL) 1542 return; 1543 1544 #ifdef IEEE80211_DEBUG 1545 if (ieee80211_debug > 1 && 1546 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN)) { 1547 printf("%s: %s%s on chan %u (bss chan %u) ", 1548 __func__, (ni == NULL ? "new " : ""), 1549 isprobe ? "probe response" : "beacon", 1550 chan, bchan); 1551 ieee80211_print_essid(ssid + 2, ssid[1]); 1552 printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2)); 1553 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1554 __func__, capinfo, bintval, erp); 1555 } 1556 #endif 1557 1558 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1559 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1560 if (ni == NULL) 1561 return; 1562 is_new = 1; 1563 } else 1564 is_new = 0; 1565 1566 if (htcaps) 1567 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1568 if (htop && !ieee80211_setup_htop(ni, htop + 2, htop[1])) 1569 htop = NULL; /* invalid HTOP */ 1570 1571 /* 1572 * When operating in station mode, check for state updates 1573 * while we're associated. 1574 */ 1575 if (ic->ic_opmode == IEEE80211_M_STA && 1576 ic->ic_state == IEEE80211_S_RUN && 1577 ni->ni_state == IEEE80211_STA_BSS) { 1578 /* 1579 * Check if protection mode has changed since last beacon. 1580 */ 1581 if (ni->ni_erp != erp) { 1582 DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n", 1583 ether_sprintf((u_int8_t *)wh->i_addr2), 1584 ni->ni_erp, erp)); 1585 if (ic->ic_curmode == IEEE80211_MODE_11G && 1586 (erp & IEEE80211_ERP_USE_PROTECTION)) 1587 ic->ic_flags |= IEEE80211_F_USEPROT; 1588 else 1589 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1590 ic->ic_bss->ni_erp = erp; 1591 } 1592 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT)) { 1593 enum ieee80211_htprot htprot_last, htprot; 1594 htprot_last = 1595 ((ic->ic_bss->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) 1596 >> IEEE80211_HTOP1_PROT_SHIFT); 1597 htprot = ((ni->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) >> 1598 IEEE80211_HTOP1_PROT_SHIFT); 1599 if (htprot_last != htprot) { 1600 DPRINTF(("[%s] htprot change: was %d, now %d\n", 1601 ether_sprintf((u_int8_t *)wh->i_addr2), 1602 htprot_last, htprot)); 1603 ic->ic_stats.is_ht_prot_change++; 1604 ic->ic_bss->ni_htop1 = ni->ni_htop1; 1605 ic->ic_update_htprot(ic, ic->ic_bss); 1606 } 1607 } 1608 1609 /* 1610 * Check if AP short slot time setting has changed 1611 * since last beacon and give the driver a chance to 1612 * update the hardware. 1613 */ 1614 if ((ni->ni_capinfo ^ capinfo) & 1615 IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1616 ieee80211_set_shortslottime(ic, 1617 ic->ic_curmode == IEEE80211_MODE_11A || 1618 (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1619 } 1620 } 1621 /* 1622 * We do not try to update EDCA parameters if QoS was not negotiated 1623 * with the AP at association time. 1624 */ 1625 if (ni->ni_flags & IEEE80211_NODE_QOS) { 1626 /* always prefer EDCA IE over Wi-Fi Alliance WMM IE */ 1627 if ((edcaie != NULL && 1628 ieee80211_parse_edca_params(ic, edcaie) == 0) || 1629 (wmmie != NULL && 1630 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 1631 ni->ni_flags |= IEEE80211_NODE_QOS; 1632 else 1633 ni->ni_flags &= ~IEEE80211_NODE_QOS; 1634 } 1635 1636 if (ic->ic_state == IEEE80211_S_SCAN 1637 #ifndef IEEE80211_STA_ONLY 1638 && ic->ic_opmode != IEEE80211_M_HOSTAP 1639 #endif 1640 ) { 1641 struct ieee80211_rsnparams rsn; 1642 const u_int8_t *saveie = NULL; 1643 /* 1644 * If the AP advertises both RSN and WPA IEs (WPA1+WPA2), 1645 * we only store the parameters of the highest protocol 1646 * version we support. 1647 */ 1648 if (rsnie != NULL && 1649 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 1650 if (ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) { 1651 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1652 saveie = rsnie; 1653 } 1654 } else if (wpaie != NULL && 1655 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 1656 if (ieee80211_parse_wpa(ic, wpaie, &rsn) == 0) { 1657 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1658 saveie = wpaie; 1659 } 1660 } 1661 if (saveie != NULL && 1662 ieee80211_save_ie(saveie, &ni->ni_rsnie) == 0) { 1663 ni->ni_rsnakms = rsn.rsn_akms; 1664 ni->ni_rsnciphers = rsn.rsn_ciphers; 1665 ni->ni_rsngroupcipher = rsn.rsn_groupcipher; 1666 ni->ni_rsngroupmgmtcipher = rsn.rsn_groupmgmtcipher; 1667 ni->ni_rsncaps = rsn.rsn_caps; 1668 } else 1669 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1670 } 1671 1672 if (ssid[1] != 0 && ni->ni_esslen == 0) { 1673 ni->ni_esslen = ssid[1]; 1674 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1675 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1676 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1677 } 1678 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1679 ni->ni_rssi = rxi->rxi_rssi; 1680 ni->ni_rstamp = rxi->rxi_tstamp; 1681 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 1682 ni->ni_intval = bintval; 1683 ni->ni_capinfo = capinfo; 1684 /* XXX validate channel # */ 1685 ni->ni_chan = &ic->ic_channels[chan]; 1686 ni->ni_erp = erp; 1687 /* NB: must be after ni_chan is setup */ 1688 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 1689 #ifndef IEEE80211_STA_ONLY 1690 if (ic->ic_opmode == IEEE80211_M_IBSS && is_new && isprobe) { 1691 /* 1692 * Fake an association so the driver can setup it's 1693 * private state. The rate set has been setup above; 1694 * there is no handshake as in ap/station operation. 1695 */ 1696 if (ic->ic_newassoc) 1697 (*ic->ic_newassoc)(ic, ni, 1); 1698 } 1699 #endif 1700 } 1701 1702 #ifndef IEEE80211_STA_ONLY 1703 /*- 1704 * Probe request frame format: 1705 * [tlv] SSID 1706 * [tlv] Supported rates 1707 * [tlv] Extended Supported Rates (802.11g) 1708 * [tlv] HT Capabilities (802.11n) 1709 */ 1710 void 1711 ieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m, 1712 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1713 { 1714 const struct ieee80211_frame *wh; 1715 const u_int8_t *frm, *efrm; 1716 const u_int8_t *ssid, *rates, *xrates, *htcaps; 1717 u_int8_t rate; 1718 1719 if (ic->ic_opmode == IEEE80211_M_STA || 1720 ic->ic_state != IEEE80211_S_RUN) 1721 return; 1722 1723 wh = mtod(m, struct ieee80211_frame *); 1724 frm = (const u_int8_t *)&wh[1]; 1725 efrm = mtod(m, u_int8_t *) + m->m_len; 1726 1727 ssid = rates = xrates = htcaps = NULL; 1728 while (frm + 2 <= efrm) { 1729 if (frm + 2 + frm[1] > efrm) { 1730 ic->ic_stats.is_rx_elem_toosmall++; 1731 break; 1732 } 1733 switch (frm[0]) { 1734 case IEEE80211_ELEMID_SSID: 1735 ssid = frm; 1736 break; 1737 case IEEE80211_ELEMID_RATES: 1738 rates = frm; 1739 break; 1740 case IEEE80211_ELEMID_XRATES: 1741 xrates = frm; 1742 break; 1743 case IEEE80211_ELEMID_HTCAPS: 1744 htcaps = frm; 1745 break; 1746 } 1747 frm += 2 + frm[1]; 1748 } 1749 /* supported rates element is mandatory */ 1750 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1751 DPRINTF(("invalid supported rates element\n")); 1752 return; 1753 } 1754 /* SSID element is mandatory */ 1755 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1756 DPRINTF(("invalid SSID element\n")); 1757 return; 1758 } 1759 /* check that the specified SSID (if not wildcard) matches ours */ 1760 if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen || 1761 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) { 1762 DPRINTF(("SSID mismatch\n")); 1763 ic->ic_stats.is_rx_ssidmismatch++; 1764 return; 1765 } 1766 /* refuse wildcard SSID if we're hiding our SSID in beacons */ 1767 if (ssid[1] == 0 && (ic->ic_flags & IEEE80211_F_HIDENWID)) { 1768 DPRINTF(("wildcard SSID rejected")); 1769 ic->ic_stats.is_rx_ssidmismatch++; 1770 return; 1771 } 1772 1773 if (ni == ic->ic_bss) { 1774 ni = ieee80211_find_node(ic, wh->i_addr2); 1775 if (ni == NULL) 1776 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1777 if (ni == NULL) 1778 return; 1779 DPRINTF(("new probe req from %s\n", 1780 ether_sprintf((u_int8_t *)wh->i_addr2))); 1781 } 1782 ni->ni_rssi = rxi->rxi_rssi; 1783 ni->ni_rstamp = rxi->rxi_tstamp; 1784 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1785 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 1786 IEEE80211_F_DODEL); 1787 if (rate & IEEE80211_RATE_BASIC) { 1788 DPRINTF(("rate mismatch for %s\n", 1789 ether_sprintf((u_int8_t *)wh->i_addr2))); 1790 return; 1791 } 1792 if (htcaps) 1793 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1794 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 1795 } 1796 #endif /* IEEE80211_STA_ONLY */ 1797 1798 /*- 1799 * Authentication frame format: 1800 * [2] Authentication algorithm number 1801 * [2] Authentication transaction sequence number 1802 * [2] Status code 1803 */ 1804 void 1805 ieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m, 1806 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1807 { 1808 const struct ieee80211_frame *wh; 1809 const u_int8_t *frm; 1810 u_int16_t algo, seq, status; 1811 1812 /* make sure all mandatory fixed fields are present */ 1813 if (m->m_len < sizeof(*wh) + 6) { 1814 DPRINTF(("frame too short\n")); 1815 return; 1816 } 1817 wh = mtod(m, struct ieee80211_frame *); 1818 frm = (const u_int8_t *)&wh[1]; 1819 1820 algo = LE_READ_2(frm); frm += 2; 1821 seq = LE_READ_2(frm); frm += 2; 1822 status = LE_READ_2(frm); frm += 2; 1823 DPRINTF(("auth %d seq %d from %s\n", algo, seq, 1824 ether_sprintf((u_int8_t *)wh->i_addr2))); 1825 1826 /* only "open" auth mode is supported */ 1827 if (algo != IEEE80211_AUTH_ALG_OPEN) { 1828 DPRINTF(("unsupported auth algorithm %d from %s\n", 1829 algo, ether_sprintf((u_int8_t *)wh->i_addr2))); 1830 ic->ic_stats.is_rx_auth_unsupported++; 1831 #ifndef IEEE80211_STA_ONLY 1832 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1833 /* XXX hack to workaround calling convention */ 1834 IEEE80211_SEND_MGMT(ic, ni, 1835 IEEE80211_FC0_SUBTYPE_AUTH, 1836 IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xffff)); 1837 } 1838 #endif 1839 return; 1840 } 1841 ieee80211_auth_open(ic, wh, ni, rxi, seq, status); 1842 } 1843 1844 #ifndef IEEE80211_STA_ONLY 1845 /*- 1846 * (Re)Association request frame format: 1847 * [2] Capability information 1848 * [2] Listen interval 1849 * [6*] Current AP address (Reassociation only) 1850 * [tlv] SSID 1851 * [tlv] Supported rates 1852 * [tlv] Extended Supported Rates (802.11g) 1853 * [tlv] RSN (802.11i) 1854 * [tlv] QoS Capability (802.11e) 1855 * [tlv] HT Capabilities (802.11n) 1856 */ 1857 void 1858 ieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m, 1859 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc) 1860 { 1861 const struct ieee80211_frame *wh; 1862 const u_int8_t *frm, *efrm; 1863 const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *htcaps; 1864 u_int16_t capinfo, bintval; 1865 int resp, status = 0; 1866 struct ieee80211_rsnparams rsn; 1867 u_int8_t rate; 1868 1869 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 1870 ic->ic_state != IEEE80211_S_RUN) 1871 return; 1872 1873 /* make sure all mandatory fixed fields are present */ 1874 if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) { 1875 DPRINTF(("frame too short\n")); 1876 return; 1877 } 1878 wh = mtod(m, struct ieee80211_frame *); 1879 frm = (const u_int8_t *)&wh[1]; 1880 efrm = mtod(m, u_int8_t *) + m->m_len; 1881 1882 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 1883 DPRINTF(("ignore other bss from %s\n", 1884 ether_sprintf((u_int8_t *)wh->i_addr2))); 1885 ic->ic_stats.is_rx_assoc_bss++; 1886 return; 1887 } 1888 capinfo = LE_READ_2(frm); frm += 2; 1889 bintval = LE_READ_2(frm); frm += 2; 1890 if (reassoc) { 1891 frm += IEEE80211_ADDR_LEN; /* skip current AP address */ 1892 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1893 } else 1894 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1895 1896 ssid = rates = xrates = rsnie = wpaie = htcaps = NULL; 1897 while (frm + 2 <= efrm) { 1898 if (frm + 2 + frm[1] > efrm) { 1899 ic->ic_stats.is_rx_elem_toosmall++; 1900 break; 1901 } 1902 switch (frm[0]) { 1903 case IEEE80211_ELEMID_SSID: 1904 ssid = frm; 1905 break; 1906 case IEEE80211_ELEMID_RATES: 1907 rates = frm; 1908 break; 1909 case IEEE80211_ELEMID_XRATES: 1910 xrates = frm; 1911 break; 1912 case IEEE80211_ELEMID_RSN: 1913 rsnie = frm; 1914 break; 1915 case IEEE80211_ELEMID_QOS_CAP: 1916 break; 1917 case IEEE80211_ELEMID_HTCAPS: 1918 htcaps = frm; 1919 break; 1920 case IEEE80211_ELEMID_VENDOR: 1921 if (frm[1] < 4) { 1922 ic->ic_stats.is_rx_elem_toosmall++; 1923 break; 1924 } 1925 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1926 if (frm[5] == 1) 1927 wpaie = frm; 1928 } 1929 break; 1930 } 1931 frm += 2 + frm[1]; 1932 } 1933 /* supported rates element is mandatory */ 1934 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1935 DPRINTF(("invalid supported rates element\n")); 1936 return; 1937 } 1938 /* SSID element is mandatory */ 1939 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1940 DPRINTF(("invalid SSID element\n")); 1941 return; 1942 } 1943 /* check that the specified SSID matches ours */ 1944 if (ssid[1] != ic->ic_bss->ni_esslen || 1945 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) { 1946 DPRINTF(("SSID mismatch\n")); 1947 ic->ic_stats.is_rx_ssidmismatch++; 1948 return; 1949 } 1950 1951 if (ni->ni_state != IEEE80211_STA_AUTH && 1952 ni->ni_state != IEEE80211_STA_ASSOC) { 1953 DPRINTF(("deny %sassoc from %s, not authenticated\n", 1954 reassoc ? "re" : "", 1955 ether_sprintf((u_int8_t *)wh->i_addr2))); 1956 ni = ieee80211_find_node(ic, wh->i_addr2); 1957 if (ni == NULL) 1958 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1959 if (ni != NULL) { 1960 IEEE80211_SEND_MGMT(ic, ni, 1961 IEEE80211_FC0_SUBTYPE_DEAUTH, 1962 IEEE80211_REASON_ASSOC_NOT_AUTHED); 1963 } 1964 ic->ic_stats.is_rx_assoc_notauth++; 1965 return; 1966 } 1967 1968 if (ni->ni_state == IEEE80211_STA_ASSOC && 1969 (ni->ni_flags & IEEE80211_NODE_MFP)) { 1970 if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) { 1971 /* send a protected Disassociate frame */ 1972 IEEE80211_SEND_MGMT(ic, ni, 1973 IEEE80211_FC0_SUBTYPE_DISASSOC, 1974 IEEE80211_REASON_AUTH_EXPIRE); 1975 /* terminate the old SA */ 1976 ieee80211_node_leave(ic, ni); 1977 } else { 1978 /* reject the (Re)Association Request temporarily */ 1979 IEEE80211_SEND_MGMT(ic, ni, resp, 1980 IEEE80211_STATUS_TRY_AGAIN_LATER); 1981 /* start SA Query procedure if not already engaged */ 1982 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) 1983 ieee80211_sa_query_request(ic, ni); 1984 /* do not modify association state */ 1985 } 1986 return; 1987 } 1988 1989 if (!(capinfo & IEEE80211_CAPINFO_ESS)) { 1990 ic->ic_stats.is_rx_assoc_capmismatch++; 1991 status = IEEE80211_STATUS_CAPINFO; 1992 goto end; 1993 } 1994 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1995 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 1996 IEEE80211_F_DODEL); 1997 if (rate & IEEE80211_RATE_BASIC) { 1998 ic->ic_stats.is_rx_assoc_norate++; 1999 status = IEEE80211_STATUS_BASIC_RATE; 2000 goto end; 2001 } 2002 2003 if (ic->ic_flags & IEEE80211_F_RSNON) { 2004 const u_int8_t *saveie; 2005 /* 2006 * A station should never include both a WPA and an RSN IE 2007 * in its (Re)Association Requests, but if it does, we only 2008 * consider the IE of the highest version of the protocol 2009 * that is allowed (ie RSN over WPA). 2010 */ 2011 if (rsnie != NULL && 2012 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 2013 status = ieee80211_parse_rsn(ic, rsnie, &rsn); 2014 if (status != 0) 2015 goto end; 2016 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 2017 saveie = rsnie; 2018 } else if (wpaie != NULL && 2019 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 2020 status = ieee80211_parse_wpa(ic, wpaie, &rsn); 2021 if (status != 0) 2022 goto end; 2023 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 2024 saveie = wpaie; 2025 } else { 2026 /* 2027 * In an RSN, an AP shall not associate with STAs 2028 * that fail to include the RSN IE in the 2029 * (Re)Association Request. 2030 */ 2031 status = IEEE80211_STATUS_IE_INVALID; 2032 goto end; 2033 } 2034 /* 2035 * The initiating STA's RSN IE shall include one authentication 2036 * and pairwise cipher suite among those advertised by the 2037 * targeted AP. It shall also specify the group cipher suite 2038 * specified by the targeted AP. 2039 */ 2040 if (rsn.rsn_nakms != 1 || 2041 !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) { 2042 status = IEEE80211_STATUS_BAD_AKMP; 2043 goto end; 2044 } 2045 if (rsn.rsn_nciphers != 1 || 2046 !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) { 2047 status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 2048 goto end; 2049 } 2050 if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) { 2051 status = IEEE80211_STATUS_BAD_GROUP_CIPHER; 2052 goto end; 2053 } 2054 2055 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) && 2056 !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) { 2057 status = IEEE80211_STATUS_MFP_POLICY; 2058 goto end; 2059 } 2060 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 2061 (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC | 2062 IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) { 2063 /* STA advertises an invalid setting */ 2064 status = IEEE80211_STATUS_MFP_POLICY; 2065 goto end; 2066 } 2067 /* 2068 * A STA that has associated with Management Frame Protection 2069 * enabled shall not use cipher suite pairwise selector WEP40, 2070 * WEP104, TKIP, or "Use Group cipher suite". 2071 */ 2072 if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) && 2073 (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP || 2074 rsn.rsn_groupmgmtcipher != 2075 ic->ic_bss->ni_rsngroupmgmtcipher)) { 2076 status = IEEE80211_STATUS_MFP_POLICY; 2077 goto end; 2078 } 2079 2080 /* 2081 * Disallow new associations using TKIP if countermeasures 2082 * are active. 2083 */ 2084 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 2085 (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP || 2086 rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) { 2087 status = IEEE80211_STATUS_CIPHER_REJ_POLICY; 2088 goto end; 2089 } 2090 2091 /* everything looks fine, save IE and parameters */ 2092 if (ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) { 2093 status = IEEE80211_STATUS_TOOMANY; 2094 goto end; 2095 } 2096 ni->ni_rsnakms = rsn.rsn_akms; 2097 ni->ni_rsnciphers = rsn.rsn_ciphers; 2098 ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher; 2099 ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher; 2100 ni->ni_rsncaps = rsn.rsn_caps; 2101 2102 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 2103 struct ieee80211_pmk *pmk = NULL; 2104 const u_int8_t *pmkid = rsn.rsn_pmkids; 2105 /* 2106 * Check if we have a cached PMK entry matching one 2107 * of the PMKIDs specified in the RSN IE. 2108 */ 2109 while (rsn.rsn_npmkids-- > 0) { 2110 pmk = ieee80211_pmksa_find(ic, ni, pmkid); 2111 if (pmk != NULL) 2112 break; 2113 pmkid += IEEE80211_PMKID_LEN; 2114 } 2115 if (pmk != NULL) { 2116 memcpy(ni->ni_pmk, pmk->pmk_key, 2117 IEEE80211_PMK_LEN); 2118 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 2119 IEEE80211_PMKID_LEN); 2120 ni->ni_flags |= IEEE80211_NODE_PMK; 2121 } 2122 } 2123 } else 2124 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2125 2126 ni->ni_rssi = rxi->rxi_rssi; 2127 ni->ni_rstamp = rxi->rxi_tstamp; 2128 ni->ni_intval = bintval; 2129 ni->ni_capinfo = capinfo; 2130 ni->ni_chan = ic->ic_bss->ni_chan; 2131 if (htcaps) 2132 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2133 end: 2134 if (status != 0) { 2135 IEEE80211_SEND_MGMT(ic, ni, resp, status); 2136 ieee80211_node_leave(ic, ni); 2137 } else 2138 ieee80211_node_join(ic, ni, resp); 2139 } 2140 #endif /* IEEE80211_STA_ONLY */ 2141 2142 /*- 2143 * (Re)Association response frame format: 2144 * [2] Capability information 2145 * [2] Status code 2146 * [2] Association ID (AID) 2147 * [tlv] Supported rates 2148 * [tlv] Extended Supported Rates (802.11g) 2149 * [tlv] EDCA Parameter Set (802.11e) 2150 * [tlv] HT Capabilities (802.11n) 2151 * [tlv] HT Operation (802.11n) 2152 */ 2153 void 2154 ieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m, 2155 struct ieee80211_node *ni, int reassoc) 2156 { 2157 struct ifnet *ifp = &ic->ic_if; 2158 const struct ieee80211_frame *wh; 2159 const u_int8_t *frm, *efrm; 2160 const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop; 2161 u_int16_t capinfo, status, associd; 2162 u_int8_t rate; 2163 2164 if (ic->ic_opmode != IEEE80211_M_STA || 2165 ic->ic_state != IEEE80211_S_ASSOC) { 2166 ic->ic_stats.is_rx_mgtdiscard++; 2167 return; 2168 } 2169 2170 /* make sure all mandatory fixed fields are present */ 2171 if (m->m_len < sizeof(*wh) + 6) { 2172 DPRINTF(("frame too short\n")); 2173 return; 2174 } 2175 wh = mtod(m, struct ieee80211_frame *); 2176 frm = (const u_int8_t *)&wh[1]; 2177 efrm = mtod(m, u_int8_t *) + m->m_len; 2178 2179 capinfo = LE_READ_2(frm); frm += 2; 2180 status = LE_READ_2(frm); frm += 2; 2181 if (status != IEEE80211_STATUS_SUCCESS) { 2182 if (ifp->if_flags & IFF_DEBUG) 2183 printf("%s: %sassociation failed (status %d)" 2184 " for %s\n", ifp->if_xname, 2185 reassoc ? "re" : "", 2186 status, ether_sprintf((u_int8_t *)wh->i_addr3)); 2187 if (ni != ic->ic_bss) 2188 ni->ni_fails++; 2189 ic->ic_stats.is_rx_auth_fail++; 2190 return; 2191 } 2192 associd = LE_READ_2(frm); frm += 2; 2193 2194 rates = xrates = edcaie = wmmie = htcaps = htop = NULL; 2195 while (frm + 2 <= efrm) { 2196 if (frm + 2 + frm[1] > efrm) { 2197 ic->ic_stats.is_rx_elem_toosmall++; 2198 break; 2199 } 2200 switch (frm[0]) { 2201 case IEEE80211_ELEMID_RATES: 2202 rates = frm; 2203 break; 2204 case IEEE80211_ELEMID_XRATES: 2205 xrates = frm; 2206 break; 2207 case IEEE80211_ELEMID_EDCAPARMS: 2208 edcaie = frm; 2209 break; 2210 case IEEE80211_ELEMID_HTCAPS: 2211 htcaps = frm; 2212 break; 2213 case IEEE80211_ELEMID_HTOP: 2214 htop = frm; 2215 break; 2216 case IEEE80211_ELEMID_VENDOR: 2217 if (frm[1] < 4) { 2218 ic->ic_stats.is_rx_elem_toosmall++; 2219 break; 2220 } 2221 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2222 if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1) 2223 wmmie = frm; 2224 } 2225 break; 2226 } 2227 frm += 2 + frm[1]; 2228 } 2229 /* supported rates element is mandatory */ 2230 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2231 DPRINTF(("invalid supported rates element\n")); 2232 return; 2233 } 2234 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2235 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2236 IEEE80211_F_DODEL); 2237 if (rate & IEEE80211_RATE_BASIC) { 2238 DPRINTF(("rate mismatch for %s\n", 2239 ether_sprintf((u_int8_t *)wh->i_addr2))); 2240 ic->ic_stats.is_rx_assoc_norate++; 2241 return; 2242 } 2243 ni->ni_capinfo = capinfo; 2244 ni->ni_associd = associd; 2245 if (edcaie != NULL || wmmie != NULL) { 2246 /* force update of EDCA parameters */ 2247 ic->ic_edca_updtcount = -1; 2248 2249 if ((edcaie != NULL && 2250 ieee80211_parse_edca_params(ic, edcaie) == 0) || 2251 (wmmie != NULL && 2252 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 2253 ni->ni_flags |= IEEE80211_NODE_QOS; 2254 else /* for Reassociation */ 2255 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2256 } 2257 if (htcaps) 2258 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2259 if (htop) 2260 ieee80211_setup_htop(ni, htop + 2, htop[1]); 2261 ieee80211_ht_negotiate(ic, ni); 2262 2263 /* Hop into 11n mode after associating to an HT AP in a non-11n mode. */ 2264 if (ni->ni_flags & IEEE80211_NODE_HT) 2265 ieee80211_setmode(ic, IEEE80211_MODE_11N); 2266 else 2267 ieee80211_setmode(ic, ieee80211_chan2mode(ic, ni->ni_chan)); 2268 /* 2269 * Reset the erp state (mostly the slot time) now that 2270 * our operating mode has been nailed down. 2271 */ 2272 ieee80211_reset_erp(ic); 2273 2274 /* 2275 * Configure state now that we are associated. 2276 */ 2277 if (ic->ic_curmode == IEEE80211_MODE_11A || 2278 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 2279 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2280 else 2281 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2282 2283 ieee80211_set_shortslottime(ic, 2284 ic->ic_curmode == IEEE80211_MODE_11A || 2285 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2286 /* 2287 * Honor ERP protection. 2288 */ 2289 if ((ic->ic_curmode == IEEE80211_MODE_11G || 2290 (ic->ic_curmode == IEEE80211_MODE_11N && 2291 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 2292 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2293 ic->ic_flags |= IEEE80211_F_USEPROT; 2294 else 2295 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2296 /* 2297 * If not an RSNA, mark the port as valid, otherwise wait for 2298 * 802.1X authentication and 4-way handshake to complete.. 2299 */ 2300 if (ic->ic_flags & IEEE80211_F_RSNON) { 2301 /* XXX ic->ic_mgt_timer = 5; */ 2302 } else if (ic->ic_flags & IEEE80211_F_WEPON) 2303 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 2304 2305 ieee80211_new_state(ic, IEEE80211_S_RUN, 2306 IEEE80211_FC0_SUBTYPE_ASSOC_RESP); 2307 } 2308 2309 /*- 2310 * Deauthentication frame format: 2311 * [2] Reason code 2312 */ 2313 void 2314 ieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m, 2315 struct ieee80211_node *ni) 2316 { 2317 const struct ieee80211_frame *wh; 2318 const u_int8_t *frm; 2319 u_int16_t reason; 2320 2321 /* make sure all mandatory fixed fields are present */ 2322 if (m->m_len < sizeof(*wh) + 2) { 2323 DPRINTF(("frame too short\n")); 2324 return; 2325 } 2326 wh = mtod(m, struct ieee80211_frame *); 2327 frm = (const u_int8_t *)&wh[1]; 2328 2329 reason = LE_READ_2(frm); 2330 2331 ic->ic_stats.is_rx_deauth++; 2332 switch (ic->ic_opmode) { 2333 case IEEE80211_M_STA: 2334 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2335 IEEE80211_FC0_SUBTYPE_DEAUTH); 2336 break; 2337 #ifndef IEEE80211_STA_ONLY 2338 case IEEE80211_M_HOSTAP: 2339 if (ni != ic->ic_bss) { 2340 if (ic->ic_if.if_flags & IFF_DEBUG) 2341 printf("%s: station %s deauthenticated " 2342 "by peer (reason %d)\n", 2343 ic->ic_if.if_xname, 2344 ether_sprintf(ni->ni_macaddr), 2345 reason); 2346 ieee80211_node_leave(ic, ni); 2347 } 2348 break; 2349 #endif 2350 default: 2351 break; 2352 } 2353 } 2354 2355 /*- 2356 * Disassociation frame format: 2357 * [2] Reason code 2358 */ 2359 void 2360 ieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m, 2361 struct ieee80211_node *ni) 2362 { 2363 const struct ieee80211_frame *wh; 2364 const u_int8_t *frm; 2365 u_int16_t reason; 2366 2367 /* make sure all mandatory fixed fields are present */ 2368 if (m->m_len < sizeof(*wh) + 2) { 2369 DPRINTF(("frame too short\n")); 2370 return; 2371 } 2372 wh = mtod(m, struct ieee80211_frame *); 2373 frm = (const u_int8_t *)&wh[1]; 2374 2375 reason = LE_READ_2(frm); 2376 2377 ic->ic_stats.is_rx_disassoc++; 2378 switch (ic->ic_opmode) { 2379 case IEEE80211_M_STA: 2380 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2381 IEEE80211_FC0_SUBTYPE_DISASSOC); 2382 break; 2383 #ifndef IEEE80211_STA_ONLY 2384 case IEEE80211_M_HOSTAP: 2385 if (ni != ic->ic_bss) { 2386 if (ic->ic_if.if_flags & IFF_DEBUG) 2387 printf("%s: station %s disassociated " 2388 "by peer (reason %d)\n", 2389 ic->ic_if.if_xname, 2390 ether_sprintf(ni->ni_macaddr), 2391 reason); 2392 ieee80211_node_leave(ic, ni); 2393 } 2394 break; 2395 #endif 2396 default: 2397 break; 2398 } 2399 } 2400 2401 /*- 2402 * ADDBA Request frame format: 2403 * [1] Category 2404 * [1] Action 2405 * [1] Dialog Token 2406 * [2] Block Ack Parameter Set 2407 * [2] Block Ack Timeout Value 2408 * [2] Block Ack Starting Sequence Control 2409 */ 2410 void 2411 ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m, 2412 struct ieee80211_node *ni) 2413 { 2414 const struct ieee80211_frame *wh; 2415 const u_int8_t *frm; 2416 struct ieee80211_rx_ba *ba; 2417 u_int16_t params, ssn, bufsz, timeout, status; 2418 u_int8_t token, tid; 2419 2420 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2421 DPRINTF(("received ADDBA req from non-HT STA %s\n", 2422 ether_sprintf(ni->ni_macaddr))); 2423 return; 2424 } 2425 if (m->m_len < sizeof(*wh) + 9) { 2426 DPRINTF(("frame too short\n")); 2427 return; 2428 } 2429 /* MLME-ADDBA.indication */ 2430 wh = mtod(m, struct ieee80211_frame *); 2431 frm = (const u_int8_t *)&wh[1]; 2432 2433 token = frm[2]; 2434 params = LE_READ_2(&frm[3]); 2435 tid = ((params & IEEE80211_ADDBA_TID_MASK) >> 2436 IEEE80211_ADDBA_TID_SHIFT); 2437 bufsz = (params & IEEE80211_ADDBA_BUFSZ_MASK) >> 2438 IEEE80211_ADDBA_BUFSZ_SHIFT; 2439 timeout = LE_READ_2(&frm[5]); 2440 ssn = LE_READ_2(&frm[7]) >> 4; 2441 2442 ba = &ni->ni_rx_ba[tid]; 2443 /* check if we already have a Block Ack agreement for this RA/TID */ 2444 if (ba->ba_state == IEEE80211_BA_AGREED) { 2445 /* XXX should we update the timeout value? */ 2446 /* reset Block Ack inactivity timer */ 2447 if (ba->ba_timeout_val != 0) 2448 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2449 2450 /* check if it's a Protected Block Ack agreement */ 2451 if (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2452 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) 2453 return; /* not a PBAC, ignore */ 2454 2455 /* PBAC: treat the ADDBA Request like a BlockAckReq */ 2456 if (SEQ_LT(ba->ba_winstart, ssn)) 2457 ieee80211_ba_move_window(ic, ni, tid, ssn); 2458 return; 2459 } 2460 /* if PBAC required but RA does not support it, refuse request */ 2461 if ((ic->ic_flags & IEEE80211_F_PBAR) && 2462 (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2463 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))) { 2464 status = IEEE80211_STATUS_REFUSED; 2465 goto resp; 2466 } 2467 /* 2468 * If the TID for which the Block Ack agreement is requested is 2469 * configured with a no-ACK policy, refuse the agreement. 2470 */ 2471 if (ic->ic_tid_noack & (1 << tid)) { 2472 status = IEEE80211_STATUS_REFUSED; 2473 goto resp; 2474 } 2475 /* check that we support the requested Block Ack Policy */ 2476 if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) && 2477 !(params & IEEE80211_ADDBA_BA_POLICY)) { 2478 status = IEEE80211_STATUS_INVALID_PARAM; 2479 goto resp; 2480 } 2481 2482 /* setup Block Ack agreement */ 2483 ba->ba_state = IEEE80211_BA_INIT; 2484 ba->ba_timeout_val = timeout * IEEE80211_DUR_TU; 2485 ba->ba_ni = ni; 2486 timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba); 2487 timeout_set(&ba->ba_gap_to, ieee80211_input_ba_gap_timeout, ba); 2488 ba->ba_winsize = bufsz; 2489 if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ) 2490 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 2491 ba->ba_params = (params & IEEE80211_ADDBA_BA_POLICY); 2492 ba->ba_params |= ((ba->ba_winsize << IEEE80211_ADDBA_BUFSZ_SHIFT) | 2493 (tid << IEEE80211_ADDBA_TID_SHIFT) | IEEE80211_ADDBA_AMSDU); 2494 ba->ba_winstart = ssn; 2495 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 2496 /* allocate and setup our reordering buffer */ 2497 ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf), 2498 M_DEVBUF, M_NOWAIT | M_ZERO); 2499 if (ba->ba_buf == NULL) { 2500 status = IEEE80211_STATUS_REFUSED; 2501 goto resp; 2502 } 2503 ba->ba_head = 0; 2504 2505 /* notify drivers of this new Block Ack agreement */ 2506 if (ic->ic_ampdu_rx_start == NULL || 2507 ic->ic_ampdu_rx_start(ic, ni, tid) != 0) { 2508 /* driver failed to setup, rollback */ 2509 free(ba->ba_buf, M_DEVBUF, 0); 2510 ba->ba_buf = NULL; 2511 status = IEEE80211_STATUS_REFUSED; 2512 goto resp; 2513 } 2514 ba->ba_state = IEEE80211_BA_AGREED; 2515 ic->ic_stats.is_ht_rx_ba_agreements++; 2516 /* start Block Ack inactivity timer */ 2517 if (ba->ba_timeout_val != 0) 2518 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2519 status = IEEE80211_STATUS_SUCCESS; 2520 resp: 2521 /* MLME-ADDBA.response */ 2522 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2523 IEEE80211_ACTION_ADDBA_RESP, status << 16 | token << 8 | tid); 2524 } 2525 2526 /*- 2527 * ADDBA Response frame format: 2528 * [1] Category 2529 * [1] Action 2530 * [1] Dialog Token 2531 * [2] Status Code 2532 * [2] Block Ack Parameter Set 2533 * [2] Block Ack Timeout Value 2534 */ 2535 void 2536 ieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m, 2537 struct ieee80211_node *ni) 2538 { 2539 const struct ieee80211_frame *wh; 2540 const u_int8_t *frm; 2541 struct ieee80211_tx_ba *ba; 2542 u_int16_t status, params, bufsz, timeout; 2543 u_int8_t token, tid; 2544 2545 if (m->m_len < sizeof(*wh) + 9) { 2546 DPRINTF(("frame too short\n")); 2547 return; 2548 } 2549 wh = mtod(m, struct ieee80211_frame *); 2550 frm = (const u_int8_t *)&wh[1]; 2551 2552 token = frm[2]; 2553 status = LE_READ_2(&frm[3]); 2554 params = LE_READ_2(&frm[5]); 2555 tid = (params >> 2) & 0xf; 2556 bufsz = (params >> 6) & 0x3ff; 2557 timeout = LE_READ_2(&frm[7]); 2558 2559 DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n", 2560 ether_sprintf(ni->ni_macaddr), tid, status)); 2561 2562 /* 2563 * Ignore if no ADDBA request has been sent for this RA/TID or 2564 * if we already have a Block Ack agreement. 2565 */ 2566 ba = &ni->ni_tx_ba[tid]; 2567 if (ba->ba_state != IEEE80211_BA_REQUESTED) { 2568 DPRINTF(("no matching ADDBA req found\n")); 2569 return; 2570 } 2571 if (token != ba->ba_token) { 2572 DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n", 2573 ether_sprintf(ni->ni_macaddr), token, ba->ba_token)); 2574 return; 2575 } 2576 /* we got an ADDBA Response matching our request, stop timeout */ 2577 timeout_del(&ba->ba_to); 2578 2579 if (status != IEEE80211_STATUS_SUCCESS) { 2580 /* MLME-ADDBA.confirm(Failure) */ 2581 ba->ba_state = IEEE80211_BA_INIT; 2582 return; 2583 } 2584 /* MLME-ADDBA.confirm(Success) */ 2585 ba->ba_state = IEEE80211_BA_AGREED; 2586 ic->ic_stats.is_ht_tx_ba_agreements++; 2587 2588 /* notify drivers of this new Block Ack agreement */ 2589 if (ic->ic_ampdu_tx_start != NULL) 2590 (void)ic->ic_ampdu_tx_start(ic, ni, tid); 2591 2592 /* start Block Ack inactivity timeout */ 2593 if (ba->ba_timeout_val != 0) 2594 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2595 } 2596 2597 /*- 2598 * DELBA frame format: 2599 * [1] Category 2600 * [1] Action 2601 * [2] DELBA Parameter Set 2602 * [2] Reason Code 2603 */ 2604 void 2605 ieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m, 2606 struct ieee80211_node *ni) 2607 { 2608 const struct ieee80211_frame *wh; 2609 const u_int8_t *frm; 2610 u_int16_t params, reason; 2611 u_int8_t tid; 2612 int i; 2613 2614 if (m->m_len < sizeof(*wh) + 6) { 2615 DPRINTF(("frame too short\n")); 2616 return; 2617 } 2618 wh = mtod(m, struct ieee80211_frame *); 2619 frm = (const u_int8_t *)&wh[1]; 2620 2621 params = LE_READ_2(&frm[2]); 2622 reason = LE_READ_2(&frm[4]); 2623 tid = params >> 12; 2624 2625 DPRINTF(("received DELBA from %s, TID %d, reason %d\n", 2626 ether_sprintf(ni->ni_macaddr), tid, reason)); 2627 2628 if (params & IEEE80211_DELBA_INITIATOR) { 2629 /* MLME-DELBA.indication(Originator) */ 2630 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2631 2632 if (ba->ba_state != IEEE80211_BA_AGREED) { 2633 DPRINTF(("no matching Block Ack agreement\n")); 2634 return; 2635 } 2636 /* notify drivers of the end of the Block Ack agreement */ 2637 if (ic->ic_ampdu_rx_stop != NULL) 2638 ic->ic_ampdu_rx_stop(ic, ni, tid); 2639 2640 ba->ba_state = IEEE80211_BA_INIT; 2641 /* stop Block Ack inactivity timer */ 2642 timeout_del(&ba->ba_to); 2643 timeout_del(&ba->ba_gap_to); 2644 2645 if (ba->ba_buf != NULL) { 2646 /* free all MSDUs stored in reordering buffer */ 2647 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 2648 m_freem(ba->ba_buf[i].m); 2649 /* free reordering buffer */ 2650 free(ba->ba_buf, M_DEVBUF, 0); 2651 ba->ba_buf = NULL; 2652 } 2653 } else { 2654 /* MLME-DELBA.indication(Recipient) */ 2655 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 2656 2657 if (ba->ba_state != IEEE80211_BA_AGREED) { 2658 DPRINTF(("no matching Block Ack agreement\n")); 2659 return; 2660 } 2661 /* notify drivers of the end of the Block Ack agreement */ 2662 if (ic->ic_ampdu_tx_stop != NULL) 2663 ic->ic_ampdu_tx_stop(ic, ni, tid); 2664 2665 ba->ba_state = IEEE80211_BA_INIT; 2666 /* stop Block Ack inactivity timer */ 2667 timeout_del(&ba->ba_to); 2668 } 2669 } 2670 2671 /*- 2672 * SA Query Request frame format: 2673 * [1] Category 2674 * [1] Action 2675 * [2] Transaction Identifier 2676 */ 2677 void 2678 ieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m, 2679 struct ieee80211_node *ni) 2680 { 2681 const struct ieee80211_frame *wh; 2682 const u_int8_t *frm; 2683 2684 if (ic->ic_opmode != IEEE80211_M_STA || 2685 !(ni->ni_flags & IEEE80211_NODE_MFP)) { 2686 DPRINTF(("unexpected SA Query req from %s\n", 2687 ether_sprintf(ni->ni_macaddr))); 2688 return; 2689 } 2690 if (m->m_len < sizeof(*wh) + 4) { 2691 DPRINTF(("frame too short\n")); 2692 return; 2693 } 2694 wh = mtod(m, struct ieee80211_frame *); 2695 frm = (const u_int8_t *)&wh[1]; 2696 2697 /* MLME-SAQuery.indication */ 2698 2699 /* save Transaction Identifier for SA Query Response */ 2700 ni->ni_sa_query_trid = LE_READ_2(&frm[2]); 2701 2702 /* MLME-SAQuery.response */ 2703 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 2704 IEEE80211_ACTION_SA_QUERY_RESP, 0); 2705 } 2706 2707 #ifndef IEEE80211_STA_ONLY 2708 /*- 2709 * SA Query Response frame format: 2710 * [1] Category 2711 * [1] Action 2712 * [2] Transaction Identifier 2713 */ 2714 void 2715 ieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m, 2716 struct ieee80211_node *ni) 2717 { 2718 const struct ieee80211_frame *wh; 2719 const u_int8_t *frm; 2720 2721 /* ignore if we're not engaged in an SA Query with that STA */ 2722 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 2723 DPRINTF(("unexpected SA Query resp from %s\n", 2724 ether_sprintf(ni->ni_macaddr))); 2725 return; 2726 } 2727 if (m->m_len < sizeof(*wh) + 4) { 2728 DPRINTF(("frame too short\n")); 2729 return; 2730 } 2731 wh = mtod(m, struct ieee80211_frame *); 2732 frm = (const u_int8_t *)&wh[1]; 2733 2734 /* check that Transaction Identifier matches */ 2735 if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) { 2736 DPRINTF(("transaction identifier does not match\n")); 2737 return; 2738 } 2739 /* MLME-SAQuery.confirm */ 2740 timeout_del(&ni->ni_sa_query_to); 2741 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 2742 } 2743 #endif 2744 2745 /*- 2746 * Action frame format: 2747 * [1] Category 2748 * [1] Action 2749 */ 2750 void 2751 ieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m, 2752 struct ieee80211_node *ni) 2753 { 2754 const struct ieee80211_frame *wh; 2755 const u_int8_t *frm; 2756 2757 if (m->m_len < sizeof(*wh) + 2) { 2758 DPRINTF(("frame too short\n")); 2759 return; 2760 } 2761 wh = mtod(m, struct ieee80211_frame *); 2762 frm = (const u_int8_t *)&wh[1]; 2763 2764 switch (frm[0]) { 2765 case IEEE80211_CATEG_BA: 2766 switch (frm[1]) { 2767 case IEEE80211_ACTION_ADDBA_REQ: 2768 ieee80211_recv_addba_req(ic, m, ni); 2769 break; 2770 case IEEE80211_ACTION_ADDBA_RESP: 2771 ieee80211_recv_addba_resp(ic, m, ni); 2772 break; 2773 case IEEE80211_ACTION_DELBA: 2774 ieee80211_recv_delba(ic, m, ni); 2775 break; 2776 } 2777 break; 2778 case IEEE80211_CATEG_SA_QUERY: 2779 switch (frm[1]) { 2780 case IEEE80211_ACTION_SA_QUERY_REQ: 2781 ieee80211_recv_sa_query_req(ic, m, ni); 2782 break; 2783 #ifndef IEEE80211_STA_ONLY 2784 case IEEE80211_ACTION_SA_QUERY_RESP: 2785 ieee80211_recv_sa_query_resp(ic, m, ni); 2786 break; 2787 #endif 2788 } 2789 break; 2790 default: 2791 DPRINTF(("action frame category %d not handled\n", frm[0])); 2792 break; 2793 } 2794 } 2795 2796 void 2797 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m, 2798 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype) 2799 { 2800 switch (subtype) { 2801 case IEEE80211_FC0_SUBTYPE_BEACON: 2802 ieee80211_recv_probe_resp(ic, m, ni, rxi, 0); 2803 break; 2804 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 2805 ieee80211_recv_probe_resp(ic, m, ni, rxi, 1); 2806 break; 2807 #ifndef IEEE80211_STA_ONLY 2808 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2809 ieee80211_recv_probe_req(ic, m, ni, rxi); 2810 break; 2811 #endif 2812 case IEEE80211_FC0_SUBTYPE_AUTH: 2813 ieee80211_recv_auth(ic, m, ni, rxi); 2814 break; 2815 #ifndef IEEE80211_STA_ONLY 2816 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2817 ieee80211_recv_assoc_req(ic, m, ni, rxi, 0); 2818 break; 2819 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 2820 ieee80211_recv_assoc_req(ic, m, ni, rxi, 1); 2821 break; 2822 #endif 2823 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2824 ieee80211_recv_assoc_resp(ic, m, ni, 0); 2825 break; 2826 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2827 ieee80211_recv_assoc_resp(ic, m, ni, 1); 2828 break; 2829 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2830 ieee80211_recv_deauth(ic, m, ni); 2831 break; 2832 case IEEE80211_FC0_SUBTYPE_DISASSOC: 2833 ieee80211_recv_disassoc(ic, m, ni); 2834 break; 2835 case IEEE80211_FC0_SUBTYPE_ACTION: 2836 ieee80211_recv_action(ic, m, ni); 2837 break; 2838 default: 2839 DPRINTF(("mgmt frame with subtype 0x%x not handled\n", 2840 subtype)); 2841 ic->ic_stats.is_rx_badsubtype++; 2842 break; 2843 } 2844 } 2845 2846 #ifndef IEEE80211_STA_ONLY 2847 /* 2848 * Process an incoming PS-Poll control frame (see 11.2). 2849 */ 2850 void 2851 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m, 2852 struct ieee80211_node *ni) 2853 { 2854 struct ifnet *ifp = &ic->ic_if; 2855 struct ieee80211_frame_pspoll *psp; 2856 struct ieee80211_frame *wh; 2857 u_int16_t aid; 2858 2859 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2860 !(ic->ic_caps & IEEE80211_C_APPMGT) || 2861 ni->ni_state != IEEE80211_STA_ASSOC) 2862 return; 2863 2864 if (m->m_len < sizeof(*psp)) { 2865 DPRINTF(("frame too short, len %u\n", m->m_len)); 2866 ic->ic_stats.is_rx_tooshort++; 2867 return; 2868 } 2869 psp = mtod(m, struct ieee80211_frame_pspoll *); 2870 if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) { 2871 DPRINTF(("discard pspoll frame to BSS %s\n", 2872 ether_sprintf(psp->i_bssid))); 2873 ic->ic_stats.is_rx_wrongbss++; 2874 return; 2875 } 2876 aid = letoh16(*(u_int16_t *)psp->i_aid); 2877 if (aid != ni->ni_associd) { 2878 DPRINTF(("invalid pspoll aid %x from %s\n", aid, 2879 ether_sprintf(psp->i_ta))); 2880 return; 2881 } 2882 2883 /* take the first queued frame and put it out.. */ 2884 m = mq_dequeue(&ni->ni_savedq); 2885 if (m == NULL) 2886 return; 2887 if (mq_empty(&ni->ni_savedq)) { 2888 /* last queued frame, turn off the TIM bit */ 2889 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 2890 } else { 2891 /* more queued frames, set the more data bit */ 2892 wh = mtod(m, struct ieee80211_frame *); 2893 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 2894 } 2895 mq_enqueue(&ic->ic_pwrsaveq, m); 2896 if_start(ifp); 2897 } 2898 #endif /* IEEE80211_STA_ONLY */ 2899 2900 /* 2901 * Process an incoming BlockAckReq control frame (see 7.2.1.7). 2902 */ 2903 void 2904 ieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m, 2905 struct ieee80211_node *ni) 2906 { 2907 const struct ieee80211_frame_min *wh; 2908 const u_int8_t *frm; 2909 u_int16_t ctl, ssn; 2910 u_int8_t tid, ntids; 2911 2912 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2913 DPRINTF(("received BlockAckReq from non-HT STA %s\n", 2914 ether_sprintf(ni->ni_macaddr))); 2915 return; 2916 } 2917 if (m->m_len < sizeof(*wh) + 4) { 2918 DPRINTF(("frame too short\n")); 2919 return; 2920 } 2921 wh = mtod(m, struct ieee80211_frame_min *); 2922 frm = (const u_int8_t *)&wh[1]; 2923 2924 /* read BlockAckReq Control field */ 2925 ctl = LE_READ_2(&frm[0]); 2926 tid = ctl >> 12; 2927 2928 /* determine BlockAckReq frame variant */ 2929 if (ctl & IEEE80211_BA_MULTI_TID) { 2930 /* Multi-TID BlockAckReq variant (PSMP only) */ 2931 ntids = tid + 1; 2932 2933 if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) { 2934 DPRINTF(("MTBAR frame too short\n")); 2935 return; 2936 } 2937 frm += 2; /* skip BlockAckReq Control field */ 2938 while (ntids-- > 0) { 2939 /* read MTBAR Information field */ 2940 tid = LE_READ_2(&frm[0]) >> 12; 2941 ssn = LE_READ_2(&frm[2]) >> 4; 2942 ieee80211_bar_tid(ic, ni, tid, ssn); 2943 frm += 4; 2944 } 2945 } else { 2946 /* Basic or Compressed BlockAckReq variants */ 2947 ssn = LE_READ_2(&frm[2]) >> 4; 2948 ieee80211_bar_tid(ic, ni, tid, ssn); 2949 } 2950 } 2951 2952 /* 2953 * Process a BlockAckReq for a specific TID (see 9.10.7.6.3). 2954 * This is the common back-end for all BlockAckReq frame variants. 2955 */ 2956 void 2957 ieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni, 2958 u_int8_t tid, u_int16_t ssn) 2959 { 2960 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2961 2962 /* check if we have a Block Ack agreement for RA/TID */ 2963 if (ba->ba_state != IEEE80211_BA_AGREED) { 2964 /* XXX not sure in PBAC case */ 2965 /* send a DELBA with reason code UNKNOWN-BA */ 2966 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2967 IEEE80211_ACTION_DELBA, 2968 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 2969 return; 2970 } 2971 /* check if it is a Protected Block Ack agreement */ 2972 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 2973 (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) { 2974 /* ADDBA Requests must be used in PBAC case */ 2975 if (SEQ_LT(ssn, ba->ba_winstart) || 2976 SEQ_LT(ba->ba_winend, ssn)) 2977 ic->ic_stats.is_pbac_errs++; 2978 return; /* PBAC, do not move window */ 2979 } 2980 /* reset Block Ack inactivity timer */ 2981 if (ba->ba_timeout_val != 0) 2982 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2983 2984 if (SEQ_LT(ba->ba_winstart, ssn)) 2985 ieee80211_ba_move_window(ic, ni, tid, ssn); 2986 } 2987