1 /*-
2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26 #include <sys/cdefs.h>
27 #ifdef __FreeBSD__
28 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_adhoc.c,v 1.7 2008/10/30 16:22:04 sam Exp $");
29 #endif
30
31 /*
32 * IEEE 802.11 IBSS mode support.
33 */
34 #include "opt_inet.h"
35 #include "opt_wlan.h"
36
37 #include <sys/param.h>
38 #include <sys/systm.h>
39 #include <sys/mbuf.h>
40 #include <sys/malloc.h>
41 #include <sys/kernel.h>
42
43 #include <sys/socket.h>
44 #include <sys/sockio.h>
45 #include <sys/endian.h>
46 #include <sys/errno.h>
47 #include <sys/proc.h>
48 #include <sys/sysctl.h>
49
50 #include <net/if.h>
51 #include <net/if_media.h>
52 #include <net/if_llc.h>
53 #include <net/ethernet.h>
54
55 #include <net/bpf.h>
56
57 #include <net80211/ieee80211_var.h>
58 #include <net80211/ieee80211_adhoc.h>
59 #include <net80211/ieee80211_input.h>
60
61 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
62
63 static void adhoc_vattach(struct ieee80211vap *);
64 static int adhoc_newstate(struct ieee80211vap *, enum ieee80211_state, int);
65 static int adhoc_input(struct ieee80211_node *, struct mbuf *,
66 int rssi, int noise, uint32_t rstamp);
67 static void adhoc_recv_mgmt(struct ieee80211_node *, struct mbuf *,
68 int subtype, int rssi, int noise, uint32_t rstamp);
69 static void ahdemo_recv_mgmt(struct ieee80211_node *, struct mbuf *,
70 int subtype, int rssi, int noise, uint32_t rstamp);
71
72 void
73 ieee80211_adhoc_attach(struct ieee80211com *ic)
74 {
75 ic->ic_vattach[IEEE80211_M_IBSS] = adhoc_vattach;
76 ic->ic_vattach[IEEE80211_M_AHDEMO] = adhoc_vattach;
77 }
78
79 void
80 ieee80211_adhoc_detach(struct ieee80211com *ic)
81 {
82 }
83
84 static void
85 adhoc_vdetach(struct ieee80211vap *vap)
86 {
87 }
88
89 static void
90 adhoc_vattach(struct ieee80211vap *vap)
91 {
92 vap->iv_newstate = adhoc_newstate;
93 vap->iv_input = adhoc_input;
94 if (vap->iv_opmode == IEEE80211_M_IBSS)
95 vap->iv_recv_mgmt = adhoc_recv_mgmt;
96 else
97 vap->iv_recv_mgmt = ahdemo_recv_mgmt;
98 vap->iv_opdetach = adhoc_vdetach;
99 }
100
101 /*
102 * IEEE80211_M_IBSS+IEEE80211_M_AHDEMO vap state machine handler.
103 */
104 static int
105 adhoc_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
106 {
107 struct ieee80211com *ic = vap->iv_ic;
108 struct ieee80211_node *ni;
109 enum ieee80211_state ostate;
110
111 IEEE80211_LOCK_ASSERT(vap->iv_ic);
112
113 ostate = vap->iv_state;
114 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
115 __func__, ieee80211_state_name[ostate],
116 ieee80211_state_name[nstate], arg);
117 vap->iv_state = nstate; /* state transition */
118 if (ostate != IEEE80211_S_SCAN)
119 ieee80211_cancel_scan(vap); /* background scan */
120 ni = vap->iv_bss; /* NB: no reference held */
121 switch (nstate) {
122 case IEEE80211_S_INIT:
123 switch (ostate) {
124 case IEEE80211_S_SCAN:
125 ieee80211_cancel_scan(vap);
126 break;
127 default:
128 break;
129 }
130 if (ostate != IEEE80211_S_INIT) {
131 /* NB: optimize INIT -> INIT case */
132 ieee80211_reset_bss(vap);
133 }
134 break;
135 case IEEE80211_S_SCAN:
136 switch (ostate) {
137 case IEEE80211_S_INIT:
138 case IEEE80211_S_RUN: /* beacon miss */
139 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
140 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
141 /*
142 * Already have a channel; bypass the
143 * scan and startup immediately.
144 */
145 ieee80211_create_ibss(vap, vap->iv_des_chan);
146 break;
147 }
148 /*
149 * Initiate a scan. We can come here as a result
150 * of an IEEE80211_IOC_SCAN_REQ too in which case
151 * the vap will be marked with IEEE80211_FEXT_SCANREQ
152 * and the scan request parameters will be present
153 * in iv_scanreq. Otherwise we do the default.
154 */
155 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
156 ieee80211_check_scan(vap,
157 vap->iv_scanreq_flags,
158 vap->iv_scanreq_duration,
159 vap->iv_scanreq_mindwell,
160 vap->iv_scanreq_maxdwell,
161 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
162 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
163 } else
164 ieee80211_check_scan_current(vap);
165 break;
166 case IEEE80211_S_SCAN:
167 /*
168 * This can happen because of a change in state
169 * that requires a reset. Trigger a new scan
170 * unless we're in manual roaming mode in which
171 * case an application must issue an explicit request.
172 */
173 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
174 ieee80211_check_scan_current(vap);
175 break;
176 default:
177 goto invalid;
178 }
179 break;
180 case IEEE80211_S_RUN:
181 if (vap->iv_flags & IEEE80211_F_WPA) {
182 /* XXX validate prerequisites */
183 }
184 switch (ostate) {
185 case IEEE80211_S_SCAN:
186 #ifdef IEEE80211_DEBUG
187 if (ieee80211_msg_debug(vap)) {
188 ieee80211_note(vap,
189 "synchronized with %s ssid ",
190 ether_sprintf(ni->ni_bssid));
191 ieee80211_print_essid(vap->iv_bss->ni_essid,
192 ni->ni_esslen);
193 /* XXX MCS/HT */
194 printf(" channel %d start %uMb\n",
195 ieee80211_chan2ieee(ic, ic->ic_curchan),
196 IEEE80211_RATE2MBS(ni->ni_txrate));
197 }
198 #endif
199 break;
200 default:
201 goto invalid;
202 }
203 /*
204 * When 802.1x is not in use mark the port authorized
205 * at this point so traffic can flow.
206 */
207 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
208 ieee80211_node_authorize(ni);
209 /*
210 * Fake association when joining an existing bss.
211 */
212 if (!IEEE80211_ADDR_EQ(ni->ni_macaddr, vap->iv_myaddr) &&
213 ic->ic_newassoc != NULL)
214 ic->ic_newassoc(ni, ostate != IEEE80211_S_RUN);
215 break;
216 case IEEE80211_S_SLEEP:
217 ieee80211_sta_pwrsave(vap, 0);
218 break;
219 default:
220 invalid:
221 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE,
222 "%s: unexpected state transition %s -> %s\n", __func__,
223 ieee80211_state_name[ostate], ieee80211_state_name[nstate]);
224 break;
225 }
226 return 0;
227 }
228
229 /*
230 * Decide if a received management frame should be
231 * printed when debugging is enabled. This filters some
232 * of the less interesting frames that come frequently
233 * (e.g. beacons).
234 */
235 static __inline int
236 doprint(struct ieee80211vap *vap, int subtype)
237 {
238 switch (subtype) {
239 case IEEE80211_FC0_SUBTYPE_BEACON:
240 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
241 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
242 return 1;
243 }
244 return 1;
245 }
246
247 /*
248 * Process a received frame. The node associated with the sender
249 * should be supplied. If nothing was found in the node table then
250 * the caller is assumed to supply a reference to iv_bss instead.
251 * The RSSI and a timestamp are also supplied. The RSSI data is used
252 * during AP scanning to select a AP to associate with; it can have
253 * any units so long as values have consistent units and higher values
254 * mean ``better signal''. The receive timestamp is currently not used
255 * by the 802.11 layer.
256 */
257 static int
258 adhoc_input(struct ieee80211_node *ni, struct mbuf *m,
259 int rssi, int noise, uint32_t rstamp)
260 {
261 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0)
262 #define HAS_SEQ(type) ((type & 0x4) == 0)
263 struct ieee80211vap *vap = ni->ni_vap;
264 struct ieee80211com *ic = ni->ni_ic;
265 struct ifnet *ifp = vap->iv_ifp;
266 struct ieee80211_frame *wh;
267 struct ieee80211_key *key;
268 struct ether_header *eh;
269 int hdrspace, need_tap;
270 uint8_t dir, type, subtype, qos;
271 uint8_t *bssid;
272 uint16_t rxseq;
273
274 if (m->m_flags & M_AMPDU_MPDU) {
275 /*
276 * Fastpath for A-MPDU reorder q resubmission. Frames
277 * w/ M_AMPDU_MPDU marked have already passed through
278 * here but were received out of order and been held on
279 * the reorder queue. When resubmitted they are marked
280 * with the M_AMPDU_MPDU flag and we can bypass most of
281 * the normal processing.
282 */
283 wh = mtod(m, struct ieee80211_frame *);
284 type = IEEE80211_FC0_TYPE_DATA;
285 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
286 subtype = IEEE80211_FC0_SUBTYPE_QOS;
287 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
288 goto resubmit_ampdu;
289 }
290
291 KASSERT(ni != NULL, ("null node"));
292 ni->ni_inact = ni->ni_inact_reload;
293
294 need_tap = 1; /* mbuf need to be tapped. */
295 type = -1; /* undefined */
296
297 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
298 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
299 ni->ni_macaddr, NULL,
300 "too short (1): len %u", m->m_pkthdr.len);
301 vap->iv_stats.is_rx_tooshort++;
302 goto out;
303 }
304 /*
305 * Bit of a cheat here, we use a pointer for a 3-address
306 * frame format but don't reference fields past outside
307 * ieee80211_frame_min w/o first validating the data is
308 * present.
309 */
310 wh = mtod(m, struct ieee80211_frame *);
311
312 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
313 IEEE80211_FC0_VERSION_0) {
314 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
315 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]);
316 vap->iv_stats.is_rx_badversion++;
317 goto err;
318 }
319
320 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
321 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
322 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
323 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
324 if (dir != IEEE80211_FC1_DIR_NODS)
325 bssid = wh->i_addr1;
326 else if (type == IEEE80211_FC0_TYPE_CTL)
327 bssid = wh->i_addr1;
328 else {
329 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
330 IEEE80211_DISCARD_MAC(vap,
331 IEEE80211_MSG_ANY, ni->ni_macaddr,
332 NULL, "too short (2): len %u",
333 m->m_pkthdr.len);
334 vap->iv_stats.is_rx_tooshort++;
335 goto out;
336 }
337 bssid = wh->i_addr3;
338 }
339 /*
340 * Validate the bssid.
341 */
342 if (!IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
343 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
344 /* not interested in */
345 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
346 bssid, NULL, "%s", "not to bss");
347 vap->iv_stats.is_rx_wrongbss++;
348 goto out;
349 }
350 /*
351 * Data frame, cons up a node when it doesn't
352 * exist. This should probably done after an ACL check.
353 */
354 if (type == IEEE80211_FC0_TYPE_DATA &&
355 ni == vap->iv_bss &&
356 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
357 /*
358 * Fake up a node for this newly
359 * discovered member of the IBSS.
360 */
361 ni = ieee80211_fakeup_adhoc_node(vap, wh->i_addr2);
362 if (ni == NULL) {
363 /* NB: stat kept for alloc failure */
364 goto err;
365 }
366 }
367 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
368 ni->ni_noise = noise;
369 ni->ni_rstamp = rstamp;
370 if (HAS_SEQ(type)) {
371 uint8_t tid = ieee80211_gettid(wh);
372 if (IEEE80211_QOS_HAS_SEQ(wh) &&
373 TID_TO_WME_AC(tid) >= WME_AC_VI)
374 ic->ic_wme.wme_hipri_traffic++;
375 rxseq = le16toh(*(uint16_t *)wh->i_seq);
376 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 &&
377 (wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
378 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
379 /* duplicate, discard */
380 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
381 bssid, "duplicate",
382 "seqno <%u,%u> fragno <%u,%u> tid %u",
383 rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
384 ni->ni_rxseqs[tid] >>
385 IEEE80211_SEQ_SEQ_SHIFT,
386 rxseq & IEEE80211_SEQ_FRAG_MASK,
387 ni->ni_rxseqs[tid] &
388 IEEE80211_SEQ_FRAG_MASK,
389 tid);
390 vap->iv_stats.is_rx_dup++;
391 IEEE80211_NODE_STAT(ni, rx_dup);
392 goto out;
393 }
394 ni->ni_rxseqs[tid] = rxseq;
395 }
396 }
397
398 switch (type) {
399 case IEEE80211_FC0_TYPE_DATA:
400 hdrspace = ieee80211_hdrspace(ic, wh);
401 if (m->m_len < hdrspace &&
402 (m = m_pullup(m, hdrspace)) == NULL) {
403 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
404 ni->ni_macaddr, NULL,
405 "data too short: expecting %u", hdrspace);
406 vap->iv_stats.is_rx_tooshort++;
407 goto out; /* XXX */
408 }
409 if (dir != IEEE80211_FC1_DIR_NODS) {
410 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
411 wh, "data", "incorrect dir 0x%x", dir);
412 vap->iv_stats.is_rx_wrongdir++;
413 goto out;
414 }
415 /* XXX no power-save support */
416
417 /*
418 * Handle A-MPDU re-ordering. If the frame is to be
419 * processed directly then ieee80211_ampdu_reorder
420 * will return 0; otherwise it has consumed the mbuf
421 * and we should do nothing more with it.
422 */
423 if ((m->m_flags & M_AMPDU) &&
424 ieee80211_ampdu_reorder(ni, m) != 0) {
425 m = NULL;
426 goto out;
427 }
428 resubmit_ampdu:
429
430 /*
431 * Handle privacy requirements. Note that we
432 * must not be preempted from here until after
433 * we (potentially) call ieee80211_crypto_demic;
434 * otherwise we may violate assumptions in the
435 * crypto cipher modules used to do delayed update
436 * of replay sequence numbers.
437 */
438 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
439 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
440 /*
441 * Discard encrypted frames when privacy is off.
442 */
443 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
444 wh, "WEP", "%s", "PRIVACY off");
445 vap->iv_stats.is_rx_noprivacy++;
446 IEEE80211_NODE_STAT(ni, rx_noprivacy);
447 goto out;
448 }
449 key = ieee80211_crypto_decap(ni, m, hdrspace);
450 if (key == NULL) {
451 /* NB: stats+msgs handled in crypto_decap */
452 IEEE80211_NODE_STAT(ni, rx_wepfail);
453 goto out;
454 }
455 wh = mtod(m, struct ieee80211_frame *);
456 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
457 } else {
458 /* XXX M_WEP and IEEE80211_F_PRIVACY */
459 key = NULL;
460 }
461
462 /*
463 * Save QoS bits for use below--before we strip the header.
464 */
465 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
466 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
467 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
468 ((struct ieee80211_qosframe *)wh)->i_qos[0];
469 } else
470 qos = 0;
471
472 /*
473 * Next up, any fragmentation.
474 */
475 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
476 m = ieee80211_defrag(ni, m, hdrspace);
477 if (m == NULL) {
478 /* Fragment dropped or frame not complete yet */
479 goto out;
480 }
481 }
482 wh = NULL; /* no longer valid, catch any uses */
483
484 /*
485 * Next strip any MSDU crypto bits.
486 */
487 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
488 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
489 ni->ni_macaddr, "data", "%s", "demic error");
490 vap->iv_stats.is_rx_demicfail++;
491 IEEE80211_NODE_STAT(ni, rx_demicfail);
492 goto out;
493 }
494
495 /* copy to listener after decrypt */
496 if (bpf_peers_present(vap->iv_rawbpf))
497 bpf_mtap(vap->iv_rawbpf, m);
498 need_tap = 0;
499
500 /*
501 * Finally, strip the 802.11 header.
502 */
503 m = ieee80211_decap(vap, m, hdrspace);
504 if (m == NULL) {
505 /* XXX mask bit to check for both */
506 /* don't count Null data frames as errors */
507 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
508 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
509 goto out;
510 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
511 ni->ni_macaddr, "data", "%s", "decap error");
512 vap->iv_stats.is_rx_decap++;
513 IEEE80211_NODE_STAT(ni, rx_decap);
514 goto err;
515 }
516 eh = mtod(m, struct ether_header *);
517 if (!ieee80211_node_is_authorized(ni)) {
518 /*
519 * Deny any non-PAE frames received prior to
520 * authorization. For open/shared-key
521 * authentication the port is mark authorized
522 * after authentication completes. For 802.1x
523 * the port is not marked authorized by the
524 * authenticator until the handshake has completed.
525 */
526 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
527 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
528 eh->ether_shost, "data",
529 "unauthorized port: ether type 0x%x len %u",
530 eh->ether_type, m->m_pkthdr.len);
531 vap->iv_stats.is_rx_unauth++;
532 IEEE80211_NODE_STAT(ni, rx_unauth);
533 goto err;
534 }
535 } else {
536 /*
537 * When denying unencrypted frames, discard
538 * any non-PAE frames received without encryption.
539 */
540 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
541 (key == NULL && (m->m_flags & M_WEP) == 0) &&
542 eh->ether_type != htons(ETHERTYPE_PAE)) {
543 /*
544 * Drop unencrypted frames.
545 */
546 vap->iv_stats.is_rx_unencrypted++;
547 IEEE80211_NODE_STAT(ni, rx_unencrypted);
548 goto out;
549 }
550 }
551 /* XXX require HT? */
552 if (qos & IEEE80211_QOS_AMSDU) {
553 m = ieee80211_decap_amsdu(ni, m);
554 if (m == NULL)
555 return IEEE80211_FC0_TYPE_DATA;
556 } else if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF) &&
557 #define FF_LLC_SIZE (sizeof(struct ether_header) + sizeof(struct llc))
558 m->m_pkthdr.len >= 3*FF_LLC_SIZE) {
559 struct llc *llc;
560
561 /*
562 * Check for fast-frame tunnel encapsulation.
563 */
564 if (m->m_len < FF_LLC_SIZE &&
565 (m = m_pullup(m, FF_LLC_SIZE)) == NULL) {
566 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
567 ni->ni_macaddr, "fast-frame",
568 "%s", "m_pullup(llc) failed");
569 vap->iv_stats.is_rx_tooshort++;
570 return IEEE80211_FC0_TYPE_DATA;
571 }
572 llc = (struct llc *)(mtod(m, uint8_t *) +
573 sizeof(struct ether_header));
574 if (llc->llc_snap.ether_type == htons(ATH_FF_ETH_TYPE)) {
575 m_adj(m, FF_LLC_SIZE);
576 m = ieee80211_decap_fastframe(ni, m);
577 if (m == NULL)
578 return IEEE80211_FC0_TYPE_DATA;
579 }
580 }
581 #undef FF_LLC_SIZE
582 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
583 ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
584 else
585 ieee80211_deliver_data(vap, ni, m);
586 return IEEE80211_FC0_TYPE_DATA;
587
588 case IEEE80211_FC0_TYPE_MGT:
589 vap->iv_stats.is_rx_mgmt++;
590 IEEE80211_NODE_STAT(ni, rx_mgmt);
591 if (dir != IEEE80211_FC1_DIR_NODS) {
592 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
593 wh, "data", "incorrect dir 0x%x", dir);
594 vap->iv_stats.is_rx_wrongdir++;
595 goto err;
596 }
597 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
598 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
599 ni->ni_macaddr, "mgt", "too short: len %u",
600 m->m_pkthdr.len);
601 vap->iv_stats.is_rx_tooshort++;
602 goto out;
603 }
604 #ifdef IEEE80211_DEBUG
605 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
606 ieee80211_msg_dumppkts(vap)) {
607 if_printf(ifp, "received %s from %s rssi %d\n",
608 ieee80211_mgt_subtype_name[subtype >>
609 IEEE80211_FC0_SUBTYPE_SHIFT],
610 ether_sprintf(wh->i_addr2), rssi);
611 }
612 #endif
613 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
614 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
615 wh, NULL, "%s", "WEP set but not permitted");
616 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
617 goto out;
618 }
619 if (bpf_peers_present(vap->iv_rawbpf))
620 bpf_mtap(vap->iv_rawbpf, m);
621 vap->iv_recv_mgmt(ni, m, subtype, rssi, noise, rstamp);
622 m_freem(m);
623 return IEEE80211_FC0_TYPE_MGT;
624
625 case IEEE80211_FC0_TYPE_CTL:
626 vap->iv_stats.is_rx_ctl++;
627 IEEE80211_NODE_STAT(ni, rx_ctrl);
628 goto out;
629 default:
630 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
631 wh, "bad", "frame type 0x%x", type);
632 /* should not come here */
633 break;
634 }
635 err:
636 ifp->if_ierrors++;
637 out:
638 if (m != NULL) {
639 if (bpf_peers_present(vap->iv_rawbpf) && need_tap)
640 bpf_mtap(vap->iv_rawbpf, m);
641 m_freem(m);
642 }
643 return type;
644 #undef SEQ_LEQ
645 }
646
647 static int
648 is11bclient(const uint8_t *rates, const uint8_t *xrates)
649 {
650 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
651 int i;
652
653 /* NB: the 11b clients we care about will not have xrates */
654 if (xrates != NULL || rates == NULL)
655 return 0;
656 for (i = 0; i < rates[1]; i++) {
657 int r = rates[2+i] & IEEE80211_RATE_VAL;
658 if (r > 2*11 || ((1<<r) & brates) == 0)
659 return 0;
660 }
661 return 1;
662 }
663
664 static void
665 adhoc_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
666 int subtype, int rssi, int noise, uint32_t rstamp)
667 {
668 struct ieee80211vap *vap = ni->ni_vap;
669 struct ieee80211com *ic = ni->ni_ic;
670 struct ieee80211_frame *wh;
671 uint8_t *frm, *efrm, *sfrm;
672 uint8_t *ssid, *rates, *xrates;
673
674 wh = mtod(m0, struct ieee80211_frame *);
675 frm = (uint8_t *)&wh[1];
676 efrm = mtod(m0, uint8_t *) + m0->m_len;
677 switch (subtype) {
678 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
679 case IEEE80211_FC0_SUBTYPE_BEACON: {
680 struct ieee80211_scanparams scan;
681 /*
682 * We process beacon/probe response
683 * frames to discover neighbors.
684 */
685 if (ieee80211_parse_beacon(ni, m0, &scan) != 0)
686 return;
687 /*
688 * Count frame now that we know it's to be processed.
689 */
690 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
691 vap->iv_stats.is_rx_beacon++; /* XXX remove */
692 IEEE80211_NODE_STAT(ni, rx_beacons);
693 } else
694 IEEE80211_NODE_STAT(ni, rx_proberesp);
695 /*
696 * If scanning, just pass information to the scan module.
697 */
698 if (ic->ic_flags & IEEE80211_F_SCAN) {
699 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) {
700 /*
701 * Actively scanning a channel marked passive;
702 * send a probe request now that we know there
703 * is 802.11 traffic present.
704 *
705 * XXX check if the beacon we recv'd gives
706 * us what we need and suppress the probe req
707 */
708 ieee80211_probe_curchan(vap, 1);
709 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
710 }
711 ieee80211_add_scan(vap, &scan, wh,
712 subtype, rssi, noise, rstamp);
713 return;
714 }
715 if (scan.capinfo & IEEE80211_CAPINFO_IBSS) {
716 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
717 /*
718 * Create a new entry in the neighbor table.
719 */
720 ni = ieee80211_add_neighbor(vap, wh, &scan);
721 } else if (ni->ni_capinfo == 0) {
722 /*
723 * Update faked node created on transmit.
724 * Note this also updates the tsf.
725 */
726 ieee80211_init_neighbor(ni, wh, &scan);
727 } else {
728 /*
729 * Record tsf for potential resync.
730 */
731 memcpy(ni->ni_tstamp.data, scan.tstamp,
732 sizeof(ni->ni_tstamp));
733 }
734 if (ni != NULL) {
735 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
736 ni->ni_noise = noise;
737 ni->ni_rstamp = rstamp;
738 }
739 }
740 break;
741 }
742
743 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
744 if (vap->iv_state != IEEE80211_S_RUN) {
745 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
746 wh, NULL, "wrong state %s",
747 ieee80211_state_name[vap->iv_state]);
748 vap->iv_stats.is_rx_mgtdiscard++;
749 return;
750 }
751 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
752 /* frame must be directed */
753 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
754 wh, NULL, "%s", "not unicast");
755 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */
756 return;
757 }
758
759 /*
760 * prreq frame format
761 * [tlv] ssid
762 * [tlv] supported rates
763 * [tlv] extended supported rates
764 */
765 ssid = rates = xrates = NULL;
766 sfrm = frm;
767 while (efrm - frm > 1) {
768 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
769 switch (*frm) {
770 case IEEE80211_ELEMID_SSID:
771 ssid = frm;
772 break;
773 case IEEE80211_ELEMID_RATES:
774 rates = frm;
775 break;
776 case IEEE80211_ELEMID_XRATES:
777 xrates = frm;
778 break;
779 }
780 frm += frm[1] + 2;
781 }
782 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
783 if (xrates != NULL)
784 IEEE80211_VERIFY_ELEMENT(xrates,
785 IEEE80211_RATE_MAXSIZE - rates[1], return);
786 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
787 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
788 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
789 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
790 wh, NULL,
791 "%s", "no ssid with ssid suppression enabled");
792 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
793 return;
794 }
795
796 /* XXX find a better class or define it's own */
797 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
798 "%s", "recv probe req");
799 /*
800 * Some legacy 11b clients cannot hack a complete
801 * probe response frame. When the request includes
802 * only a bare-bones rate set, communicate this to
803 * the transmit side.
804 */
805 ieee80211_send_proberesp(vap, wh->i_addr2,
806 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
807 break;
808
809 case IEEE80211_FC0_SUBTYPE_ACTION: {
810 const struct ieee80211_action *ia;
811
812 if (vap->iv_state != IEEE80211_S_RUN) {
813 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
814 wh, NULL, "wrong state %s",
815 ieee80211_state_name[vap->iv_state]);
816 vap->iv_stats.is_rx_mgtdiscard++;
817 return;
818 }
819 /*
820 * action frame format:
821 * [1] category
822 * [1] action
823 * [tlv] parameters
824 */
825 IEEE80211_VERIFY_LENGTH(efrm - frm,
826 sizeof(struct ieee80211_action), return);
827 ia = (const struct ieee80211_action *) frm;
828
829 vap->iv_stats.is_rx_action++;
830 IEEE80211_NODE_STAT(ni, rx_action);
831
832 /* verify frame payloads but defer processing */
833 /* XXX maybe push this to method */
834 switch (ia->ia_category) {
835 case IEEE80211_ACTION_CAT_BA:
836 switch (ia->ia_action) {
837 case IEEE80211_ACTION_BA_ADDBA_REQUEST:
838 IEEE80211_VERIFY_LENGTH(efrm - frm,
839 sizeof(struct ieee80211_action_ba_addbarequest),
840 return);
841 break;
842 case IEEE80211_ACTION_BA_ADDBA_RESPONSE:
843 IEEE80211_VERIFY_LENGTH(efrm - frm,
844 sizeof(struct ieee80211_action_ba_addbaresponse),
845 return);
846 break;
847 case IEEE80211_ACTION_BA_DELBA:
848 IEEE80211_VERIFY_LENGTH(efrm - frm,
849 sizeof(struct ieee80211_action_ba_delba),
850 return);
851 break;
852 }
853 break;
854 case IEEE80211_ACTION_CAT_HT:
855 switch (ia->ia_action) {
856 case IEEE80211_ACTION_HT_TXCHWIDTH:
857 IEEE80211_VERIFY_LENGTH(efrm - frm,
858 sizeof(struct ieee80211_action_ht_txchwidth),
859 return);
860 break;
861 }
862 break;
863 }
864 ic->ic_recv_action(ni, frm, efrm);
865 break;
866 }
867
868 case IEEE80211_FC0_SUBTYPE_AUTH:
869 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
870 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
871 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
872 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
|