1 /*-
2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26 #include <sys/cdefs.h>
27 #ifdef __FreeBSD__
28 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_hostap.c,v 1.10 2008/11/22 07:35:45 kmacy Exp $");
29 #endif
30
31 /*
32 * IEEE 802.11 HOSTAP mode support.
33 */
34 #include "opt_inet.h"
35 #include "opt_wlan.h"
36
37 #include <sys/param.h>
38 #include <sys/systm.h>
39 #include <sys/mbuf.h>
40 #include <sys/malloc.h>
41 #include <sys/kernel.h>
42
43 #include <sys/socket.h>
44 #include <sys/sockio.h>
45 #include <sys/endian.h>
46 #include <sys/errno.h>
47 #include <sys/proc.h>
48 #include <sys/sysctl.h>
49
50 #include <net/if.h>
51 #include <net/if_media.h>
52 #include <net/if_llc.h>
53 #include <net/ethernet.h>
54
55 #include <net/bpf.h>
56
57 #include <net80211/ieee80211_var.h>
58 #include <net80211/ieee80211_hostap.h>
59 #include <net80211/ieee80211_input.h>
60 #include <net80211/ieee80211_wds.h>
61
62 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
63
64 static void hostap_vattach(struct ieee80211vap *);
65 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
66 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m,
67 int rssi, int noise, uint32_t rstamp);
68 static void hostap_deliver_data(struct ieee80211vap *,
69 struct ieee80211_node *, struct mbuf *);
70 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *,
71 int subtype, int rssi, int noise, uint32_t rstamp);
72 static void hostap_recv_pspoll(struct ieee80211_node *, struct mbuf *);
73
74 void
75 ieee80211_hostap_attach(struct ieee80211com *ic)
76 {
77 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
78 }
79
80 void
81 ieee80211_hostap_detach(struct ieee80211com *ic)
82 {
83 }
84
85 static void
86 hostap_vdetach(struct ieee80211vap *vap)
87 {
88 }
89
90 static void
91 hostap_vattach(struct ieee80211vap *vap)
92 {
93 vap->iv_newstate = hostap_newstate;
94 vap->iv_input = hostap_input;
95 vap->iv_recv_mgmt = hostap_recv_mgmt;
96 vap->iv_opdetach = hostap_vdetach;
97 vap->iv_deliver_data = hostap_deliver_data;
98 }
99
100 static void
101 sta_disassoc(void *arg, struct ieee80211_node *ni)
102 {
103 struct ieee80211vap *vap = arg;
104
105 if (ni->ni_vap == vap && ni->ni_associd != 0) {
106 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
107 IEEE80211_REASON_ASSOC_LEAVE);
108 ieee80211_node_leave(ni);
109 }
110 }
111
112 /*
113 * IEEE80211_M_HOSTAP vap state machine handler.
114 */
115 static int
116 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
117 {
118 struct ieee80211com *ic = vap->iv_ic;
119 enum ieee80211_state ostate;
120
121 IEEE80211_LOCK_ASSERT(ic);
122
123 ostate = vap->iv_state;
124 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
125 __func__, ieee80211_state_name[ostate],
126 ieee80211_state_name[nstate], arg);
127 vap->iv_state = nstate; /* state transition */
128 if (ostate != IEEE80211_S_SCAN)
129 ieee80211_cancel_scan(vap); /* background scan */
130 switch (nstate) {
131 case IEEE80211_S_INIT:
132 switch (ostate) {
133 case IEEE80211_S_SCAN:
134 ieee80211_cancel_scan(vap);
135 break;
136 case IEEE80211_S_CAC:
137 ieee80211_dfs_cac_stop(vap);
138 break;
139 case IEEE80211_S_RUN:
140 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
141 break;
142 default:
143 break;
144 }
145 if (ostate != IEEE80211_S_INIT) {
146 /* NB: optimize INIT -> INIT case */
147 ieee80211_reset_bss(vap);
148 }
149 if (vap->iv_auth->ia_detach != NULL)
150 vap->iv_auth->ia_detach(vap);
151 break;
152 case IEEE80211_S_SCAN:
153 switch (ostate) {
154 case IEEE80211_S_CSA:
155 case IEEE80211_S_RUN:
156 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
157 /*
158 * Clear overlapping BSS state; the beacon frame
159 * will be reconstructed on transition to the RUN
160 * state and the timeout routines check if the flag
161 * is set before doing anything so this is sufficient.
162 */
163 ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
164 ic->ic_flags_ext &= ~IEEE80211_FEXT_NONHT_PR;
165 /* fall thru... */
166 case IEEE80211_S_CAC:
167 /*
168 * NB: We may get here because of a manual channel
169 * change in which case we need to stop CAC
170 * XXX no need to stop if ostate RUN but it's ok
171 */
172 ieee80211_dfs_cac_stop(vap);
173 /* fall thru... */
174 case IEEE80211_S_INIT:
175 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
176 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
177 /*
178 * Already have a channel; bypass the
179 * scan and startup immediately.
180 * ieee80211_create_ibss will call back to
181 * move us to RUN state.
182 */
183 ieee80211_create_ibss(vap, vap->iv_des_chan);
184 break;
185 }
186 /*
187 * Initiate a scan. We can come here as a result
188 * of an IEEE80211_IOC_SCAN_REQ too in which case
189 * the vap will be marked with IEEE80211_FEXT_SCANREQ
190 * and the scan request parameters will be present
191 * in iv_scanreq. Otherwise we do the default.
192 */
193 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
194 ieee80211_check_scan(vap,
195 vap->iv_scanreq_flags,
196 vap->iv_scanreq_duration,
197 vap->iv_scanreq_mindwell,
198 vap->iv_scanreq_maxdwell,
199 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
200 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
201 } else
202 ieee80211_check_scan_current(vap);
203 break;
204 case IEEE80211_S_SCAN:
205 /*
206 * A state change requires a reset; scan.
207 */
208 ieee80211_check_scan_current(vap);
209 break;
210 default:
211 break;
212 }
213 break;
214 case IEEE80211_S_CAC:
215 /*
216 * Start CAC on a DFS channel. We come here when starting
217 * a bss on a DFS channel (see ieee80211_create_ibss).
218 */
219 ieee80211_dfs_cac_start(vap);
220 break;
221 case IEEE80211_S_RUN:
222 if (vap->iv_flags & IEEE80211_F_WPA) {
223 /* XXX validate prerequisites */
224 }
225 switch (ostate) {
226 case IEEE80211_S_INIT:
227 /*
228 * Already have a channel; bypass the
229 * scan and startup immediately.
230 * Note that ieee80211_create_ibss will call
231 * back to do a RUN->RUN state change.
232 */
233 ieee80211_create_ibss(vap,
234 ieee80211_ht_adjust_channel(ic,
235 ic->ic_curchan, vap->iv_flags_ext));
236 /* NB: iv_bss is changed on return */
237 break;
238 case IEEE80211_S_CAC:
239 /*
240 * NB: This is the normal state change when CAC
241 * expires and no radar was detected; no need to
242 * clear the CAC timer as it's already expired.
243 */
244 /* fall thru... */
245 case IEEE80211_S_CSA:
246 /*
247 * Update bss node channel to reflect where
248 * we landed after CSA.
249 */
250 ieee80211_node_set_chan(vap->iv_bss,
251 ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
252 ieee80211_htchanflags(vap->iv_bss->ni_chan)));
253 /* XXX bypass debug msgs */
254 break;
255 case IEEE80211_S_SCAN:
256 case IEEE80211_S_RUN:
257 #ifdef IEEE80211_DEBUG
258 if (ieee80211_msg_debug(vap)) {
259 struct ieee80211_node *ni = vap->iv_bss;
260 ieee80211_note(vap,
261 "synchronized with %s ssid ",
262 ether_sprintf(ni->ni_bssid));
263 ieee80211_print_essid(ni->ni_essid,
264 ni->ni_esslen);
265 /* XXX MCS/HT */
266 printf(" channel %d start %uMb\n",
267 ieee80211_chan2ieee(ic, ic->ic_curchan),
268 IEEE80211_RATE2MBS(ni->ni_txrate));
269 }
270 #endif
271 break;
272 default:
273 break;
274 }
275 /*
276 * Start/stop the authenticator. We delay until here
277 * to allow configuration to happen out of order.
278 */
279 if (vap->iv_auth->ia_attach != NULL) {
280 /* XXX check failure */
281 vap->iv_auth->ia_attach(vap);
282 } else if (vap->iv_auth->ia_detach != NULL) {
283 vap->iv_auth->ia_detach(vap);
284 }
285 ieee80211_node_authorize(vap->iv_bss);
286 break;
287 default:
288 break;
289 }
290 return 0;
291 }
292
293 static void
294 hostap_deliver_data(struct ieee80211vap *vap,
295 struct ieee80211_node *ni, struct mbuf *m)
296 {
297 struct ether_header *eh = mtod(m, struct ether_header *);
298 struct ifnet *ifp = vap->iv_ifp;
299
300 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
301 ("gack, opmode %d", vap->iv_opmode));
302 /*
303 * Do accounting.
304 */
305 ifp->if_ipackets++;
306 IEEE80211_NODE_STAT(ni, rx_data);
307 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
308 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
309 m->m_flags |= M_MCAST; /* XXX M_BCAST? */
310 IEEE80211_NODE_STAT(ni, rx_mcast);
311 } else
312 IEEE80211_NODE_STAT(ni, rx_ucast);
313
314 /* clear driver/net80211 flags before passing up */
315 m->m_flags &= ~M_80211_RX;
316
317 /* perform as a bridge within the AP */
318 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
319 struct mbuf *mcopy = NULL;
320
321 if (m->m_flags & M_MCAST) {
322 mcopy = m_dup(m, M_DONTWAIT);
323 if (mcopy == NULL)
324 ifp->if_oerrors++;
325 else
326 mcopy->m_flags |= M_MCAST;
327 } else {
328 /*
329 * Check if the destination is associated with the
330 * same vap and authorized to receive traffic.
331 * Beware of traffic destined for the vap itself;
332 * sending it will not work; just let it be delivered
333 * normally.
334 */
335 struct ieee80211_node *sta = ieee80211_find_vap_node(
336 &vap->iv_ic->ic_sta, vap, eh->ether_dhost);
337 if (sta != NULL) {
338 if (ieee80211_node_is_authorized(sta)) {
339 /*
340 * Beware of sending to ourself; this
341 * needs to happen via the normal
342 * input path.
343 */
344 if (sta != vap->iv_bss) {
345 mcopy = m;
346 m = NULL;
347 }
348 } else {
349 vap->iv_stats.is_rx_unauth++;
350 IEEE80211_NODE_STAT(sta, rx_unauth);
351 }
352 ieee80211_free_node(sta);
353 }
354 }
355 if (mcopy != NULL) {
356 int len, err;
357 len = mcopy->m_pkthdr.len;
358 err = (ifp->if_transmit)(ifp, mcopy);
359 if (err) {
360 /* NB: IFQ_HANDOFF reclaims mcopy */
361 } else {
362 ifp->if_opackets++;
363 }
364 }
365 }
366 if (m != NULL) {
367 /*
368 * Mark frame as coming from vap's interface.
369 */
370 m->m_pkthdr.rcvif = ifp;
371 if (m->m_flags & M_MCAST) {
372 /*
373 * Spam DWDS vap's w/ multicast traffic.
374 */
375 /* XXX only if dwds in use? */
376 ieee80211_dwds_mcast(vap, m);
377 }
378 if (ni->ni_vlan != 0) {
379 /* attach vlan tag */
380 m->m_pkthdr.ether_vtag = ni->ni_vlan;
381 m->m_flags |= M_VLANTAG;
382 }
383 ifp->if_input(ifp, m);
384 }
385 }
386
387 /*
388 * Decide if a received management frame should be
389 * printed when debugging is enabled. This filters some
390 * of the less interesting frames that come frequently
391 * (e.g. beacons).
392 */
393 static __inline int
394 doprint(struct ieee80211vap *vap, int subtype)
395 {
396 switch (subtype) {
397 case IEEE80211_FC0_SUBTYPE_BEACON:
398 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
399 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
400 return 0;
401 }
402 return 1;
403 }
404
405 /*
406 * Process a received frame. The node associated with the sender
407 * should be supplied. If nothing was found in the node table then
408 * the caller is assumed to supply a reference to iv_bss instead.
409 * The RSSI and a timestamp are also supplied. The RSSI data is used
410 * during AP scanning to select a AP to associate with; it can have
411 * any units so long as values have consistent units and higher values
412 * mean ``better signal''. The receive timestamp is currently not used
413 * by the 802.11 layer.
414 */
415 static int
416 hostap_input(struct ieee80211_node *ni, struct mbuf *m,
417 int rssi, int noise, uint32_t rstamp)
418 {
419 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0)
420 #define HAS_SEQ(type) ((type & 0x4) == 0)
421 struct ieee80211vap *vap = ni->ni_vap;
422 struct ieee80211com *ic = ni->ni_ic;
423 struct ifnet *ifp = vap->iv_ifp;
424 struct ieee80211_frame *wh;
425 struct ieee80211_key *key;
426 struct ether_header *eh;
427 int hdrspace, need_tap;
428 uint8_t dir, type, subtype, qos;
429 uint8_t *bssid;
430 uint16_t rxseq;
431
432 if (m->m_flags & M_AMPDU_MPDU) {
433 /*
434 * Fastpath for A-MPDU reorder q resubmission. Frames
435 * w/ M_AMPDU_MPDU marked have already passed through
436 * here but were received out of order and been held on
437 * the reorder queue. When resubmitted they are marked
438 * with the M_AMPDU_MPDU flag and we can bypass most of
439 * the normal processing.
440 */
441 wh = mtod(m, struct ieee80211_frame *);
442 type = IEEE80211_FC0_TYPE_DATA;
443 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
444 subtype = IEEE80211_FC0_SUBTYPE_QOS;
445 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
446 goto resubmit_ampdu;
447 }
448
449 KASSERT(ni != NULL, ("null node"));
450 ni->ni_inact = ni->ni_inact_reload;
451
452 need_tap = 1; /* mbuf need to be tapped. */
453 type = -1; /* undefined */
454
455 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
456 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
457 ni->ni_macaddr, NULL,
458 "too short (1): len %u", m->m_pkthdr.len);
459 vap->iv_stats.is_rx_tooshort++;
460 goto out;
461 }
462 /*
463 * Bit of a cheat here, we use a pointer for a 3-address
464 * frame format but don't reference fields past outside
465 * ieee80211_frame_min w/o first validating the data is
466 * present.
467 */
468 wh = mtod(m, struct ieee80211_frame *);
469
470 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
471 IEEE80211_FC0_VERSION_0) {
472 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
473 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]);
474 vap->iv_stats.is_rx_badversion++;
475 goto err;
476 }
477
478 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
479 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
480 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
481 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
482 if (dir != IEEE80211_FC1_DIR_NODS)
483 bssid = wh->i_addr1;
484 else if (type == IEEE80211_FC0_TYPE_CTL)
485 bssid = wh->i_addr1;
486 else {
487 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
488 IEEE80211_DISCARD_MAC(vap,
489 IEEE80211_MSG_ANY, ni->ni_macaddr,
490 NULL, "too short (2): len %u",
491 m->m_pkthdr.len);
492 vap->iv_stats.is_rx_tooshort++;
493 goto out;
494 }
495 bssid = wh->i_addr3;
496 }
497 /*
498 * Validate the bssid.
499 */
500 if (!(type == IEEE80211_FC0_TYPE_MGT &&
501 subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
502 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
503 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
504 /* not interested in */
505 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
506 bssid, NULL, "%s", "not to bss");
507 vap->iv_stats.is_rx_wrongbss++;
508 goto out;
509 }
510
511 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
512 ni->ni_noise = noise;
513 ni->ni_rstamp = rstamp;
514 if (HAS_SEQ(type)) {
515 uint8_t tid = ieee80211_gettid(wh);
516 if (IEEE80211_QOS_HAS_SEQ(wh) &&
517 TID_TO_WME_AC(tid) >= WME_AC_VI)
518 ic->ic_wme.wme_hipri_traffic++;
519 rxseq = le16toh(*(uint16_t *)wh->i_seq);
520 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 &&
521 (wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
522 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
523 /* duplicate, discard */
524 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
525 bssid, "duplicate",
526 "seqno <%u,%u> fragno <%u,%u> tid %u",
527 rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
528 ni->ni_rxseqs[tid] >>
529 IEEE80211_SEQ_SEQ_SHIFT,
530 rxseq & IEEE80211_SEQ_FRAG_MASK,
531 ni->ni_rxseqs[tid] &
532 IEEE80211_SEQ_FRAG_MASK,
533 tid);
534 vap->iv_stats.is_rx_dup++;
535 IEEE80211_NODE_STAT(ni, rx_dup);
536 goto out;
537 }
538 ni->ni_rxseqs[tid] = rxseq;
539 }
540 }
541
542 switch (type) {
543 case IEEE80211_FC0_TYPE_DATA:
544 hdrspace = ieee80211_hdrspace(ic, wh);
545 if (m->m_len < hdrspace &&
546 (m = m_pullup(m, hdrspace)) == NULL) {
547 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
548 ni->ni_macaddr, NULL,
549 "data too short: expecting %u", hdrspace);
550 vap->iv_stats.is_rx_tooshort++;
551 goto out; /* XXX */
552 }
553 if (!(dir == IEEE80211_FC1_DIR_TODS ||
554 (dir == IEEE80211_FC1_DIR_DSTODS &&
555 (vap->iv_flags & IEEE80211_F_DWDS)))) {
556 if (dir != IEEE80211_FC1_DIR_DSTODS) {
557 IEEE80211_DISCARD(vap,
558 IEEE80211_MSG_INPUT, wh, "data",
559 "incorrect dir 0x%x", dir);
560 } else {
561 IEEE80211_DISCARD(vap,
562 IEEE80211_MSG_INPUT |
563 IEEE80211_MSG_WDS, wh,
564 "4-address data",
565 "%s", "DWDS not enabled");
566 }
567 vap->iv_stats.is_rx_wrongdir++;
568 goto out;
569 }
570 /* check if source STA is associated */
571 if (ni == vap->iv_bss) {
572 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
573 wh, "data", "%s", "unknown src");
574 ieee80211_send_error(ni, wh->i_addr2,
575 IEEE80211_FC0_SUBTYPE_DEAUTH,
576 IEEE80211_REASON_NOT_AUTHED);
577 vap->iv_stats.is_rx_notassoc++;
578 goto err;
579 }
580 if (ni->ni_associd == 0) {
581 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
582 wh, "data", "%s", "unassoc src");
583 IEEE80211_SEND_MGMT(ni,
584 IEEE80211_FC0_SUBTYPE_DISASSOC,
585 IEEE80211_REASON_NOT_ASSOCED);
586 vap->iv_stats.is_rx_notassoc++;
587 goto err;
588 }
589
590 /*
591 * Check for power save state change.
592 * XXX out-of-order A-MPDU frames?
593 */
594 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
595 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
596 ieee80211_node_pwrsave(ni,
597 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
598 /*
599 * For 4-address packets handle WDS discovery
600 * notifications. Once a WDS link is setup frames
601 * are just delivered to the WDS vap (see below).
602 */
603 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
604 if (!ieee80211_node_is_authorized(ni)) {
605 IEEE80211_DISCARD(vap,
606 IEEE80211_MSG_INPUT |
607 IEEE80211_MSG_WDS, wh,
608 "4-address data",
609 "%s", "unauthorized port");
610 vap->iv_stats.is_rx_unauth++;
611 IEEE80211_NODE_STAT(ni, rx_unauth);
612 goto err;
613 }
614 ieee80211_dwds_discover(ni, m);
615 return type;
616 }
617
618 /*
619 * Handle A-MPDU re-ordering. If the frame is to be
620 * processed directly then ieee80211_ampdu_reorder
621 * will return 0; otherwise it has consumed the mbuf
622 * and we should do nothing more with it.
623 */
624 if ((m->m_flags & M_AMPDU) &&
625 ieee80211_ampdu_reorder(ni, m) != 0) {
626 m = NULL;
627 goto out;
628 }
629 resubmit_ampdu:
630
631 /*
632 * Handle privacy requirements. Note that we
633 * must not be preempted from here until after
634 * we (potentially) call ieee80211_crypto_demic;
635 * otherwise we may violate assumptions in the
636 * crypto cipher modules used to do delayed update
637 * of replay sequence numbers.
638 */
639 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
640 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
641 /*
642 * Discard encrypted frames when privacy is off.
643 */
644 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
645 wh, "WEP", "%s", "PRIVACY off");
646 vap->iv_stats.is_rx_noprivacy++;
647 IEEE80211_NODE_STAT(ni, rx_noprivacy);
648 goto out;
649 }
650 key = ieee80211_crypto_decap(ni, m, hdrspace);
651 if (key == NULL) {
652 /* NB: stats+msgs handled in crypto_decap */
653 IEEE80211_NODE_STAT(ni, rx_wepfail);
654 goto out;
655 }
656 wh = mtod(m, struct ieee80211_frame *);
657 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
658 } else {
659 /* XXX M_WEP and IEEE80211_F_PRIVACY */
660 key = NULL;
661 }
662
663 /*
664 * Save QoS bits for use below--before we strip the header.
665 */
666 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
667 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
668 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
669 ((struct ieee80211_qosframe *)wh)->i_qos[0];
670 } else
671 qos = 0;
672
673 /*
674 * Next up, any fragmentation.
675 */
676 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
677 m = ieee80211_defrag(ni, m, hdrspace);
678 if (m == NULL) {
679 /* Fragment dropped or frame not complete yet */
680 goto out;
681 }
682 }
683 wh = NULL; /* no longer valid, catch any uses */
684
685 /*
686 * Next strip any MSDU crypto bits.
687 */
688 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
689 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
690 ni->ni_macaddr, "data", "%s", "demic error");
691 vap->iv_stats.is_rx_demicfail++;
692 IEEE80211_NODE_STAT(ni, rx_demicfail);
693 goto out;
694 }
695 /* copy to listener after decrypt */
696 if (bpf_peers_present(vap->iv_rawbpf))
697 bpf_mtap(vap->iv_rawbpf, m);
698 need_tap = 0;
699 /*
700 * Finally, strip the 802.11 header.
701 */
702 m = ieee80211_decap(vap, m, hdrspace);
703 if (m == NULL) {
704 /* XXX mask bit to check for both */
705 /* don't count Null data frames as errors */
706 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
707 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
708 goto out;
709 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
710 ni->ni_macaddr, "data", "%s", "decap error");
711 vap->iv_stats.is_rx_decap++;
712 IEEE80211_NODE_STAT(ni, rx_decap);
713 goto err;
714 }
715 eh = mtod(m, struct ether_header *);
716 if (!ieee80211_node_is_authorized(ni)) {
717 /*
718 * Deny any non-PAE frames received prior to
719 * authorization. For open/shared-key
720 * authentication the port is mark authorized
721 * after authentication completes. For 802.1x
722 * the port is not marked authorized by the
723 * authenticator until the handshake has completed.
724 */
725 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
726 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
727 eh->ether_shost, "data",
728 "unauthorized port: ether type 0x%x len %u",
729 eh->ether_type, m->m_pkthdr.len);
730 vap->iv_stats.is_rx_unauth++;
731 IEEE80211_NODE_STAT(ni, rx_unauth);
732 goto err;
733 }
734 } else {
735 /*
736 * When denying unencrypted frames, discard
737 * any non-PAE frames received without encryption.
738 */
739 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
740 (key == NULL && (m->m_flags & M_WEP) == 0) &&
741 eh->ether_type != htons(ETHERTYPE_PAE)) {
742 /*
743 * Drop unencrypted frames.
744 */
745 vap->iv_stats.is_rx_unencrypted++;
746 IEEE80211_NODE_STAT(ni, rx_unencrypted);
747 goto out;
748 }
749 }
750 /* XXX require HT? */
751 if (qos & IEEE80211_QOS_AMSDU) {
752 m = ieee80211_decap_amsdu(ni, m);
753 if (m == NULL)
754 return IEEE80211_FC0_TYPE_DATA;
755 } else if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF) &&
756 #define FF_LLC_SIZE (sizeof(struct ether_header) + sizeof(struct llc))
757 m->m_pkthdr.len >= 3*FF_LLC_SIZE) {
758 struct llc *llc;
759
760 /*
761 * Check for fast-frame tunnel encapsulation.
762 */
763 if (m->m_len < FF_LLC_SIZE &&
764 (m = m_pullup(m, FF_LLC_SIZE)) == NULL) {
765 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
766 ni->ni_macaddr, "fast-frame",
767 "%s", "m_pullup(llc) failed");
768 vap->iv_stats.is_rx_tooshort++;
769 return IEEE80211_FC0_TYPE_DATA;
770 }
771 llc = (struct llc *)(mtod(m, uint8_t *) +
772 sizeof(struct ether_header));
773 if (llc->llc_snap.ether_type == htons(ATH_FF_ETH_TYPE)) {
774 m_adj(m, FF_LLC_SIZE);
775 m = ieee80211_decap_fastframe(ni, m);
776 if (m == NULL)
777 return IEEE80211_FC0_TYPE_DATA;
778 }
779 }
780 #undef FF_LLC_SIZE
781 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
782 ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
783 else
784 hostap_deliver_data(vap, ni, m);
785 return IEEE80211_FC0_TYPE_DATA;
786
787 case IEEE80211_FC0_TYPE_MGT:
788 vap->iv_stats.is_rx_mgmt++;
789 IEEE80211_NODE_STAT(ni, rx_mgmt);
790 if (dir != IEEE80211_FC1_DIR_NODS) {
791 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
792 wh, "mgt", "incorrect dir 0x%x", dir);
793 vap->iv_stats.is_rx_wrongdir++;
794 goto err;
795 }
796 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
797 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
798 ni->ni_macaddr, "mgt", "too short: len %u",
799 m->m_pkthdr.len);
800 vap->iv_stats.is_rx_tooshort++;
801 goto out;
802 }
803 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
804 /* ensure return frames are unicast */
805 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
806 wh, NULL, "source is multicast: %s",
807 ether_sprintf(wh->i_addr2));
808 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */
809 goto out;
810 }
811 #ifdef IEEE80211_DEBUG
812 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
813 ieee80211_msg_dumppkts(vap)) {
814 if_printf(ifp, "received %s from %s rssi %d\n",
815 ieee80211_mgt_subtype_name[subtype >>
816 IEEE80211_FC0_SUBTYPE_SHIFT],
817 ether_sprintf(wh->i_addr2), rssi);
818 }
819 #endif
820 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
821 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
822 /*
823 * Only shared key auth frames with a challenge
824 * should be encrypted, discard all others.
825 */
826 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
827 wh, NULL,
828 "%s", "WEP set but not permitted");
829 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
830 goto out;
831 }
832 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
833 /*
834 * Discard encrypted frames when privacy is off.
835 */
836 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
837 wh, NULL, "%s", "WEP set but PRIVACY off");
838 vap->iv_stats.is_rx_noprivacy++;
839 goto out;
840 }
841 hdrspace = ieee80211_hdrspace(ic, wh);
842 key = ieee80211_crypto_decap(ni, m, hdrspace);
843 if (key == NULL) {
844 /* NB: stats+msgs handled in crypto_decap */
845 goto out;
846 }
847 wh = mtod(m, struct ieee80211_frame *);
848 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
849 }
850 if (bpf_peers_present(vap->iv_rawbpf))
|