1 /* $OpenBSD: ieee80211_input.c,v 1.250 2023/01/09 00:22:47 daniel Exp $ */
2 /* $NetBSD: ieee80211_input.c,v 1.24 2004/05/31 11:12:24 dyoung Exp $ */
3
4 /*-
5 * Copyright (c) 2001 Atsushi Onoe
6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
7 * Copyright (c) 2007-2009 Damien Bergamini
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. The name of the author may not be used to endorse or promote products
19 * derived from this software without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "bpfilter.h"
34
35 #include <sys/param.h>
36 #include <sys/systm.h>
37 #include <sys/mbuf.h>
38 #include <sys/malloc.h>
39 #include <sys/kernel.h>
40 #include <sys/socket.h>
41 #include <sys/sockio.h>
42 #include <sys/endian.h>
43 #include <sys/errno.h>
44 #include <sys/sysctl.h>
45 #include <sys/task.h>
46
47 #include <net/if.h>
48 #include <net/if_dl.h>
49 #include <net/if_media.h>
50 #include <net/if_llc.h>
51
52 #if NBPFILTER > 0
53 #include <net/bpf.h>
54 #endif
55
56 #include <netinet/in.h>
57 #include <netinet/if_ether.h>
58
59 #include <net80211/ieee80211_var.h>
60 #include <net80211/ieee80211_priv.h>
61
62 struct mbuf *ieee80211_input_hwdecrypt(struct ieee80211com *,
63 struct ieee80211_node *, struct mbuf *,
64 struct ieee80211_rxinfo *rxi);
65 struct mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int);
66 void ieee80211_defrag_timeout(void *);
67 void ieee80211_input_ba(struct ieee80211com *, struct mbuf *,
68 struct ieee80211_node *, int, struct ieee80211_rxinfo *,
69 struct mbuf_list *);
70 void ieee80211_input_ba_flush(struct ieee80211com *, struct ieee80211_node *,
71 struct ieee80211_rx_ba *, struct mbuf_list *);
72 int ieee80211_input_ba_gap_skip(struct ieee80211_rx_ba *);
73 void ieee80211_input_ba_gap_timeout(void *arg);
74 void ieee80211_ba_move_window(struct ieee80211com *,
75 struct ieee80211_node *, u_int8_t, u_int16_t, struct mbuf_list *);
76 void ieee80211_input_ba_seq(struct ieee80211com *,
77 struct ieee80211_node *, uint8_t, uint16_t, struct mbuf_list *);
78 struct mbuf *ieee80211_align_mbuf(struct mbuf *);
79 void ieee80211_decap(struct ieee80211com *, struct mbuf *,
80 struct ieee80211_node *, int, struct mbuf_list *);
81 int ieee80211_amsdu_decap_validate(struct ieee80211com *, struct mbuf *,
82 struct ieee80211_node *);
83 void ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *,
84 struct ieee80211_node *, int, struct mbuf_list *);
85 void ieee80211_enqueue_data(struct ieee80211com *, struct mbuf *,
86 struct ieee80211_node *, int, struct mbuf_list *);
87 int ieee80211_parse_edca_params_body(struct ieee80211com *,
88 const u_int8_t *);
89 int ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *);
90 int ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *);
91 enum ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t *);
92 enum ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t *);
93 int ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *,
94 u_int, struct ieee80211_rsnparams *);
95 int ieee80211_save_ie(const u_int8_t *, u_int8_t **);
96 void ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *,
97 struct ieee80211_node *, struct ieee80211_rxinfo *, int);
98 #ifndef IEEE80211_STA_ONLY
99 void ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *,
100 struct ieee80211_node *, struct ieee80211_rxinfo *);
101 #endif
102 void ieee80211_recv_auth(struct ieee80211com *, struct mbuf *,
103 struct ieee80211_node *, struct ieee80211_rxinfo *);
104 #ifndef IEEE80211_STA_ONLY
105 void ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *,
106 struct ieee80211_node *, struct ieee80211_rxinfo *, int);
107 #endif
108 void ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *,
109 struct ieee80211_node *, int);
110 void ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *,
111 struct ieee80211_node *);
112 void ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *,
113 struct ieee80211_node *);
114 void ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *,
115 struct ieee80211_node *);
116 void ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *,
117 struct ieee80211_node *);
118 void ieee80211_recv_delba(struct ieee80211com *, struct mbuf *,
119 struct ieee80211_node *);
120 void ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *,
121 struct ieee80211_node *);
122 #ifndef IEEE80211_STA_ONLY
123 void ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *,
124 struct ieee80211_node *);
125 #endif
126 void ieee80211_recv_action(struct ieee80211com *, struct mbuf *,
127 struct ieee80211_node *);
128 #ifndef IEEE80211_STA_ONLY
129 void ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *,
130 struct ieee80211_node *);
131 #endif
132 void ieee80211_recv_bar(struct ieee80211com *, struct mbuf *,
133 struct ieee80211_node *);
134 void ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *,
135 u_int8_t, u_int16_t);
136
137 /*
138 * Retrieve the length in bytes of an 802.11 header.
139 */
140 u_int
141 ieee80211_get_hdrlen(const struct ieee80211_frame *wh)
142 {
143 u_int size = sizeof(*wh);
144
145 /* NB: does not work with control frames */
146 KASSERT(ieee80211_has_seq(wh));
147
148 if (ieee80211_has_addr4(wh))
149 size += IEEE80211_ADDR_LEN; /* i_addr4 */
150 if (ieee80211_has_qos(wh))
151 size += sizeof(u_int16_t); /* i_qos */
152 if (ieee80211_has_htc(wh))
153 size += sizeof(u_int32_t); /* i_ht */
154 return size;
155 }
156
157 /* Post-processing for drivers which perform decryption in hardware. */
158 struct mbuf *
159 ieee80211_input_hwdecrypt(struct ieee80211com *ic, struct ieee80211_node *ni,
160 struct mbuf *m, struct ieee80211_rxinfo *rxi)
161 {
162 struct ieee80211_key *k;
163 struct ieee80211_frame *wh;
164 uint64_t pn, *prsc;
165 int hdrlen;
166
167 k = ieee80211_get_rxkey(ic, m, ni);
168 if (k == NULL)
169 return NULL;
170
171 wh = mtod(m, struct ieee80211_frame *);
172 hdrlen = ieee80211_get_hdrlen(wh);
173
174 /*
175 * Update the last-seen packet number (PN) for drivers using hardware
176 * crypto offloading. This cannot be done by drivers because A-MPDU
177 * reordering needs to occur before a valid lower bound can be
178 * determined for the PN. Drivers will read the PN we write here and
179 * are expected to discard replayed frames based on it.
180 * Drivers are expected to leave the IV of decrypted frames intact
181 * so we can update the last-seen PN and strip the IV here.
182 */
183 switch (k->k_cipher) {
184 case IEEE80211_CIPHER_CCMP:
185 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) {
186 /*
187 * If the protected bit is clear then hardware has
188 * stripped the IV and we must trust that it handles
189 * replay detection correctly.
190 */
191 break;
192 }
193 if (ieee80211_ccmp_get_pn(&pn, &prsc, m, k) != 0)
194 return NULL;
195 if (rxi->rxi_flags & IEEE80211_RXI_HWDEC_SAME_PN) {
196 if (pn < *prsc) {
197 ic->ic_stats.is_ccmp_replays++;
198 return NULL;
199 }
200 } else if (pn <= *prsc) {
201 ic->ic_stats.is_ccmp_replays++;
202 return NULL;
203 }
204
205 /* Update last-seen packet number. */
206 *prsc = pn;
207
208 /* Clear Protected bit and strip IV. */
209 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
210 memmove(mtod(m, caddr_t) + IEEE80211_CCMP_HDRLEN, wh, hdrlen);
211 m_adj(m, IEEE80211_CCMP_HDRLEN);
212 /* Drivers are expected to strip the MIC. */
213 break;
214 case IEEE80211_CIPHER_TKIP:
215 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) {
216 /*
217 * If the protected bit is clear then hardware has
218 * stripped the IV and we must trust that it handles
219 * replay detection correctly.
220 */
221 break;
222 }
223 if (ieee80211_tkip_get_tsc(&pn, &prsc, m, k) != 0)
224 return NULL;
225 if (rxi->rxi_flags & IEEE80211_RXI_HWDEC_SAME_PN) {
226 if (pn < *prsc) {
227 ic->ic_stats.is_tkip_replays++;
228 return NULL;
229 }
230 } else if (pn <= *prsc) {
231 ic->ic_stats.is_tkip_replays++;
232 return NULL;
233 }
234
235 /* Update last-seen packet number. */
236 *prsc = pn;
237
238 /* Clear Protected bit and strip IV. */
239 wh = mtod(m, struct ieee80211_frame *);
240 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
241 memmove(mtod(m, caddr_t) + IEEE80211_TKIP_HDRLEN, wh, hdrlen);
242 m_adj(m, IEEE80211_TKIP_HDRLEN);
243 /* Drivers are expected to strip the MIC. */
244 break;
245 default:
246 break;
247 }
248
249 return m;
250 }
251
252 /*
253 * Process a received frame. The node associated with the sender
254 * should be supplied. If nothing was found in the node table then
255 * the caller is assumed to supply a reference to ic_bss instead.
256 * The RSSI and a timestamp are also supplied. The RSSI data is used
257 * during AP scanning to select a AP to associate with; it can have
258 * any units so long as values have consistent units and higher values
259 * mean ``better signal''. The receive timestamp is currently not used
260 * by the 802.11 layer.
261 *
262 * This function acts on management frames immediately and queues data frames
263 * on the specified mbuf list. Delivery of queued data frames to upper layers
264 * must be triggered with if_input(). Drivers should call if_input() only once
265 * per Rx interrupt to avoid triggering the input ifq pressure drop mechanism
266 * unnecessarily.
267 */
268 void
269 ieee80211_inputm(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni,
270 struct ieee80211_rxinfo *rxi, struct mbuf_list *ml)
271 {
272 struct ieee80211com *ic = (void *)ifp;
273 struct ieee80211_frame *wh;
274 u_int16_t *orxseq, nrxseq, qos;
275 u_int8_t dir, type, subtype, tid;
276 int hdrlen, hasqos;
277
278 KASSERT(ni != NULL);
279
280 /* in monitor mode, send everything directly to bpf */
281 if (ic->ic_opmode == IEEE80211_M_MONITOR)
282 goto out;
283
284 /*
285 * Do not process frames without an Address 2 field any further.
286 * Only CTS and ACK control frames do not have this field.
287 */
288 if (m->m_len < sizeof(struct ieee80211_frame_min)) {
289 DPRINTF(("frame too short, len %u\n", m->m_len));
290 ic->ic_stats.is_rx_tooshort++;
291 goto out;
292 }
293
294 wh = mtod(m, struct ieee80211_frame *);
295 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
296 IEEE80211_FC0_VERSION_0) {
297 DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0]));
298 ic->ic_stats.is_rx_badversion++;
299 goto err;
300 }
301
302 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
303 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
304 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
305
306 if (type != IEEE80211_FC0_TYPE_CTL) {
307 hdrlen = ieee80211_get_hdrlen(wh);
308 if (m->m_len < hdrlen) {
309 DPRINTF(("frame too short, len %u\n", m->m_len));
310 ic->ic_stats.is_rx_tooshort++;
311 goto err;
312 }
313 } else
314 hdrlen = 0;
315 if ((hasqos = ieee80211_has_qos(wh))) {
316 qos = ieee80211_get_qos(wh);
317 tid = qos & IEEE80211_QOS_TID;
318 } else {
319 qos = 0;
320 tid = 0;
321 }
322
323 if (ic->ic_state == IEEE80211_S_RUN &&
324 type == IEEE80211_FC0_TYPE_DATA && hasqos &&
325 (subtype & IEEE80211_FC0_SUBTYPE_NODATA) == 0 &&
326 !(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE)
327 #ifndef IEEE80211_STA_ONLY
328 && (ic->ic_opmode == IEEE80211_M_STA || ni != ic->ic_bss)
329 #endif
330 ) {
331 int ba_state = ni->ni_rx_ba[tid].ba_state;
332
333 #ifndef IEEE80211_STA_ONLY
334 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
335 if (!IEEE80211_ADDR_EQ(wh->i_addr1,
336 ic->ic_bss->ni_bssid)) {
337 ic->ic_stats.is_rx_wrongbss++;
338 goto err;
339 }
340 if (ni->ni_state != IEEE80211_S_ASSOC) {
341 ic->ic_stats.is_rx_notassoc++;
342 goto err;
343 }
344 }
345 #endif
346 /*
347 * If Block Ack was explicitly requested, check
348 * if we have a BA agreement for this RA/TID.
349 */
350 if ((qos & IEEE80211_QOS_ACK_POLICY_MASK) ==
351 IEEE80211_QOS_ACK_POLICY_BA &&
352 ba_state != IEEE80211_BA_AGREED) {
353 DPRINTF(("no BA agreement for %s, TID %d\n",
354 ether_sprintf(ni->ni_macaddr), tid));
355 /* send a DELBA with reason code UNKNOWN-BA */
356 IEEE80211_SEND_ACTION(ic, ni,
357 IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA,
358 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid);
359 goto err;
360 }
361
362 /*
363 * Check if we have an explicit or implicit
364 * Block Ack Request for a valid BA agreement.
365 */
366 if (ba_state == IEEE80211_BA_AGREED &&
367 ((qos & IEEE80211_QOS_ACK_POLICY_MASK) ==
368 IEEE80211_QOS_ACK_POLICY_BA ||
369 (qos & IEEE80211_QOS_ACK_POLICY_MASK) ==
370 IEEE80211_QOS_ACK_POLICY_NORMAL)) {
371 /* go through A-MPDU reordering */
372 ieee80211_input_ba(ic, m, ni, tid, rxi, ml);
373 return; /* don't free m! */
374 } else if (ba_state == IEEE80211_BA_REQUESTED &&
375 (qos & IEEE80211_QOS_ACK_POLICY_MASK) ==
376 IEEE80211_QOS_ACK_POLICY_NORMAL) {
377 /*
378 * Apparently, qos frames for a tid where a
379 * block ack agreement was requested but not
380 * yet confirmed by us should still contribute
381 * to the sequence number for this tid.
382 */
383 ieee80211_input_ba(ic, m, ni, tid, rxi, ml);
384 return; /* don't free m! */
385 }
386 }
387
388 /*
389 * We do not yet support fragments. Drop any fragmented packets.
390 * Counter-measure against attacks where an arbitrary packet is
391 * injected via a fragment with attacker-controlled content.
392 * See https://papers.mathyvanhoef.com/usenix2021.pdf
393 * Section 6.8 "Treating fragments as full frames"
394 */
395 if (ieee80211_has_seq(wh)) {
396 uint16_t rxseq = letoh16(*(const u_int16_t *)wh->i_seq);
397 if ((wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) ||
398 (rxseq & IEEE80211_SEQ_FRAG_MASK))
399 goto err;
400 }
401
402 /* duplicate detection (see 9.2.9) */
403 if (ieee80211_has_seq(wh) &&
404 ic->ic_state != IEEE80211_S_SCAN) {
405 nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >>
406 IEEE80211_SEQ_SEQ_SHIFT;
407 if (hasqos)
408 orxseq = &ni->ni_qos_rxseqs[tid];
409 else
410 orxseq = &ni->ni_rxseq;
411 if (rxi->rxi_flags & IEEE80211_RXI_SAME_SEQ) {
412 if (nrxseq != *orxseq) {
413 /* duplicate, silently discarded */
414 ic->ic_stats.is_rx_dup++;
415 goto out;
416 }
417 } else if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
418 nrxseq == *orxseq) {
419 /* duplicate, silently discarded */
420 ic->ic_stats.is_rx_dup++;
421 goto out;
422 }
423 *orxseq = nrxseq;
424 }
425 if (ic->ic_state > IEEE80211_S_SCAN) {
426 ni->ni_rssi = rxi->rxi_rssi;
427 ni->ni_rstamp = rxi->rxi_tstamp;
428 ni->ni_inact = 0;
429
430 if (ic->ic_state == IEEE80211_S_RUN && ic->ic_bgscan_start) {
431 /* Cancel or start background scan based on RSSI. */
432 if ((*ic->ic_node_checkrssi)(ic, ni))
433 timeout_del(&ic->ic_bgscan_timeout);
434 else if (!timeout_pending(&ic->ic_bgscan_timeout) &&
435 (ic->ic_flags & IEEE80211_F_BGSCAN) == 0 &&
436 (ic->ic_flags & IEEE80211_F_DESBSSID) == 0)
437 timeout_add_msec(&ic->ic_bgscan_timeout,
438 500 * (ic->ic_bgscan_fail + 1));
439 }
440 }
441
442 #ifndef IEEE80211_STA_ONLY
443 if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
444 (ic->ic_caps & IEEE80211_C_APPMGT) &&
445 ni->ni_state == IEEE80211_STA_ASSOC) {
446 if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) {
447 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) {
448 /* turn on PS mode */
449 ni->ni_pwrsave = IEEE80211_PS_DOZE;
450 DPRINTF(("PS mode on for %s\n",
451 ether_sprintf(wh->i_addr2)));
452 }
453 } else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) {
454 struct mbuf *m;
455
456 /* turn off PS mode */
457 ni->ni_pwrsave = IEEE80211_PS_AWAKE;
458 DPRINTF(("PS mode off for %s\n",
459 ether_sprintf(wh->i_addr2)));
460
461 (*ic->ic_set_tim)(ic, ni->ni_associd, 0);
462
463 /* dequeue buffered unicast frames */
464 while ((m = mq_dequeue(&ni->ni_savedq)) != NULL) {
465 mq_enqueue(&ic->ic_pwrsaveq, m);
466 if_start(ifp);
467 }
468 }
469 }
470 #endif
471 switch (type) {
472 case IEEE80211_FC0_TYPE_DATA:
473 switch (ic->ic_opmode) {
474 case IEEE80211_M_STA:
475 if (dir != IEEE80211_FC1_DIR_FROMDS) {
476 ic->ic_stats.is_rx_wrongdir++;
477 goto out;
478 }
479 if (ic->ic_state != IEEE80211_S_SCAN &&
480 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) {
481 /* Source address is not our BSS. */
482 DPRINTF(("discard frame from SA %s\n",
483 ether_sprintf(wh->i_addr2)));
484 ic->ic_stats.is_rx_wrongbss++;
485 goto out;
486 }
487 if ((ifp->if_flags & IFF_SIMPLEX) &&
488 IEEE80211_IS_MULTICAST(wh->i_addr1) &&
489 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) {
490 /*
491 * In IEEE802.11 network, multicast frame
492 * sent from me is broadcasted from AP.
493 * It should be silently discarded for
494 * SIMPLEX interface.
495 */
496 ic->ic_stats.is_rx_mcastecho++;
497 goto out;
498 }
499 break;
500 #ifndef IEEE80211_STA_ONLY
501 case IEEE80211_M_IBSS:
502 case IEEE80211_M_AHDEMO:
503 if (dir != IEEE80211_FC1_DIR_NODS) {
504 ic->ic_stats.is_rx_wrongdir++;
505 goto out;
506 }
507 if (ic->ic_state != IEEE80211_S_SCAN &&
508 !IEEE80211_ADDR_EQ(wh->i_addr3,
509 ic->ic_bss->ni_bssid) &&
510 !IEEE80211_ADDR_EQ(wh->i_addr3,
511 etherbroadcastaddr)) {
512 /* Destination is not our BSS or broadcast. */
513 DPRINTF(("discard data frame to DA %s\n",
514 ether_sprintf(wh->i_addr3)));
515 ic->ic_stats.is_rx_wrongbss++;
516 goto out;
517 }
518 break;
519 case IEEE80211_M_HOSTAP:
520 if (dir != IEEE80211_FC1_DIR_TODS) {
521 ic->ic_stats.is_rx_wrongdir++;
522 goto out;
523 }
524 if (ic->ic_state != IEEE80211_S_SCAN &&
525 !IEEE80211_ADDR_EQ(wh->i_addr1,
526 ic->ic_bss->ni_bssid) &&
527 !IEEE80211_ADDR_EQ(wh->i_addr1,
528 etherbroadcastaddr)) {
529 /* BSS is not us or broadcast. */
530 DPRINTF(("discard data frame to BSS %s\n",
531 ether_sprintf(wh->i_addr1)));
532 ic->ic_stats.is_rx_wrongbss++;
533 goto out;
534 }
535 /* check if source STA is associated */
536 if (ni == ic->ic_bss) {
537 DPRINTF(("data from unknown src %s\n",
538 ether_sprintf(wh->i_addr2)));
539 /* NB: caller deals with reference */
540 ni = ieee80211_find_node(ic, wh->i_addr2);
541 if (ni == NULL)
542 ni = ieee80211_dup_bss(ic, wh->i_addr2);
543 if (ni != NULL) {
544 IEEE80211_SEND_MGMT(ic, ni,
545 IEEE80211_FC0_SUBTYPE_DEAUTH,
546 IEEE80211_REASON_NOT_AUTHED);
547 }
548 ic->ic_stats.is_rx_notassoc++;
549 goto err;
550 }
551 if (ni->ni_state != IEEE80211_STA_ASSOC) {
552 DPRINTF(("data from unassoc src %s\n",
553 ether_sprintf(wh->i_addr2)));
554 IEEE80211_SEND_MGMT(ic, ni,
555 IEEE80211_FC0_SUBTYPE_DISASSOC,
556 IEEE80211_REASON_NOT_ASSOCED);
557 ic->ic_stats.is_rx_notassoc++;
558 goto err;
559 }
560 break;
561 #endif /* IEEE80211_STA_ONLY */
562 default:
563 /* can't get there */
564 goto out;
565 }
566
567 /* Do not process "no data" frames any further. */
568 if (subtype & IEEE80211_FC0_SUBTYPE_NODATA) {
569 #if NBPFILTER > 0
570 if (ic->ic_rawbpf)
571 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN);
572 #endif
573 goto out;
574 }
575
576 if ((ic->ic_flags & IEEE80211_F_WEPON) ||
577 ((ic->ic_flags & IEEE80211_F_RSNON) &&
578 (ni->ni_flags & IEEE80211_NODE_RXPROT))) {
579 /* protection is on for Rx */
580 if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) {
581 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) {
582 /* drop unencrypted */
583 ic->ic_stats.is_rx_unencrypted++;
584 goto err;
585 }
586 /* do software decryption */
587 m = ieee80211_decrypt(ic, m, ni);
588 if (m == NULL) {
589 ic->ic_stats.is_rx_wepfail++;
590 goto err;
591 }
592 } else {
593 m = ieee80211_input_hwdecrypt(ic, ni, m, rxi);
594 if (m == NULL)
595 goto err;
596 }
597 wh = mtod(m, struct ieee80211_frame *);
598 } else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) ||
599 (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) {
600 /* frame encrypted but protection off for Rx */
601 ic->ic_stats.is_rx_nowep++;
602 goto out;
603 }
604
605 #if NBPFILTER > 0
606 /* copy to listener after decrypt */
607 if (ic->ic_rawbpf)
608 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN);
609 #endif
610
611 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
612 hasqos && (qos & IEEE80211_QOS_AMSDU))
613 ieee80211_amsdu_decap(ic, m, ni, hdrlen, ml);
614 else
615 ieee80211_decap(ic, m, ni, hdrlen, ml);
616 return;
617
618 case IEEE80211_FC0_TYPE_MGT:
619 if (dir != IEEE80211_FC1_DIR_NODS) {
620 ic->ic_stats.is_rx_wrongdir++;
621 goto err;
622 }
623 #ifndef IEEE80211_STA_ONLY
624 if (ic->ic_opmode == IEEE80211_M_AHDEMO) {
625 ic->ic_stats.is_rx_ahdemo_mgt++;
626 goto out;
627 }
628 #endif
629 /* drop frames without interest */
630 if (ic->ic_state == IEEE80211_S_SCAN) {
631 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON &&
632 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) {
633 ic->ic_stats.is_rx_mgtdiscard++;
634 goto out;
635 }
636 }
637
638 if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) {
639 /* MMPDU protection is on for Rx */
640 if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC ||
641 subtype == IEEE80211_FC0_SUBTYPE_DEAUTH ||
642 subtype == IEEE80211_FC0_SUBTYPE_ACTION) {
643 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
644 !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) {
645 /* unicast mgmt not encrypted */
646 goto out;
647 }
648 /* do software decryption */
649 m = ieee80211_decrypt(ic, m, ni);
650 if (m == NULL) {
651 /* XXX stats */
652 goto out;
653 }
654 wh = mtod(m, struct ieee80211_frame *);
655 }
656 } else if ((ic->ic_flags & IEEE80211_F_RSNON) &&
657 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) {
658 /* encrypted but MMPDU Rx protection off for TA */
659 goto out;
660 }
661
662 #if NBPFILTER > 0
663 if (bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN) != 0) {
664 /*
665 * Drop mbuf if it was filtered by bpf. Normally,
666 * this is done in ether_input() but IEEE 802.11
667 * management frames are a special case.
668 */
669 m_freem(m);
670 return;
671 }
672 #endif
673 (*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype);
674 m_freem(m);
675 return;
676
677 case IEEE80211_FC0_TYPE_CTL:
678 switch (subtype) {
679 #ifndef IEEE80211_STA_ONLY
680 case IEEE80211_FC0_SUBTYPE_PS_POLL:
681 ieee80211_recv_pspoll(ic, m, ni);
682 break;
683 #endif
684 case IEEE80211_FC0_SUBTYPE_BAR:
685 ieee80211_recv_bar(ic, m, ni);
686 break;
687 default:
688 ic->ic_stats.is_rx_ctl++;
689 break;
690 }
691 goto out;
692
693 default:
694 DPRINTF(("bad frame type %x\n", type));
695 /* should not come here */
696 break;
697 }
698 err:
699 ifp->if_ierrors++;
700 out:
701 if (m != NULL) {
702 #if NBPFILTER > 0
703 if (ic->ic_rawbpf)
704 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN);
705 #endif
706 m_freem(m);
707 }
708 }
709
710 /* Input handler for drivers which only receive one frame per interrupt. */
711 void
712 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni,
713 struct ieee80211_rxinfo *rxi)
714 {
715 struct mbuf_list ml = MBUF_LIST_INITIALIZER();
716
717 ieee80211_inputm(ifp, m, ni, rxi, &ml);
718 if_input(ifp, &ml);
719 }
720
721 #ifdef notyet
722 /*
723 * Handle defragmentation (see 9.5 and Annex C). We support the concurrent
724 * reception of fragments of three fragmented MSDUs or MMPDUs.
725 */
726 struct mbuf *
727 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen)
728 {
729 const struct ieee80211_frame *owh, *wh;
730 struct ieee80211_defrag *df;
731 u_int16_t rxseq, seq;
732 u_int8_t frag;
733 int i;
734
735 wh = mtod(m, struct ieee80211_frame *);
736 rxseq = letoh16(*(const u_int16_t *)wh->i_seq);
737 seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT;
738 frag = rxseq & IEEE80211_SEQ_FRAG_MASK;
739
740 if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG))
741 return m; /* not fragmented */
742
743 if (frag == 0) {
744 /* first fragment, setup entry in the fragment cache */
745 if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE)
746 ic->ic_defrag_cur = 0;
747 df = &ic->ic_defrag[ic->ic_defrag_cur];
748 m_freem(df->df_m); /* discard old entry */
749 df->df_seq = seq;
750 df->df_frag = 0;
751 df->df_m = m;
752 /* start receive MSDU timer of aMaxReceiveLifetime */
753 timeout_add_sec(&df->df_to, 1);
754 return NULL; /* MSDU or MMPDU not yet complete */
755 }
756
757 /* find matching entry in the fragment cache */
758 for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) {
759 df = &ic->ic_defrag[i];
760 if (df->df_m == NULL)
761 continue;
762 if (df->df_seq != seq || df->df_frag + 1 != frag)
763 continue;
764 owh = mtod(df->df_m, struct ieee80211_frame *);
765 /* frame type, source and destination must match */
766 if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) ||
767 !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) ||
768 !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2))
769 continue;
770 /* matching entry found */
771 break;
772 }
773 if (i == IEEE80211_DEFRAG_SIZE) {
774 /* no matching entry found, discard fragment */
775 ic->ic_if.if_ierrors++;
776 m_freem(m);
777 return NULL;
778 }
779
780 df->df_frag = frag;
781 /* strip 802.11 header and concatenate fragment */
782 m_adj(m, hdrlen);
783 m_cat(df->df_m, m);
784 df->df_m->m_pkthdr.len += m->m_pkthdr.len;
785
786 if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)
787 return NULL; /* MSDU or MMPDU not yet complete */
788
789 /* MSDU or MMPDU complete */
790 timeout_del(&df->df_to);
791 m = df->df_m;
792 df->df_m = NULL;
793 return m;
794 }
795
796 /*
797 * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime.
798 */
799 void
800 ieee80211_defrag_timeout(void *arg)
801 {
802 struct ieee80211_defrag *df = arg;
803 int s = splnet();
804
805 /* discard all received fragments */
806 m_freem(df->df_m);
807 df->df_m = NULL;
808
809 splx(s);
810 }
811 #endif
812
813 /*
814 * Process a received data MPDU related to a specific HT-immediate Block Ack
815 * agreement (see 9.10.7.6).
816 */
817 void
818 ieee80211_input_ba(struct ieee80211com *ic, struct mbuf *m,
819 struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi,
820 struct mbuf_list *ml)
821 {
822 struct ifnet *ifp = &ic->ic_if;
823 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
824 struct ieee80211_frame *wh;
825 int idx, count;
826 u_int16_t sn;
827
828 wh = mtod(m, struct ieee80211_frame *);
829 sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT;
830
831 /* reset Block Ack inactivity timer */
832 if (ba->ba_timeout_val != 0)
833 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val);
834
835 if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */
836 ic->ic_stats.is_ht_rx_frame_below_ba_winstart++;
837 m_freem(m); /* discard the MPDU */
838 return;
839 }
840 if (SEQ_LT(ba->ba_winend, sn)) { /* WinEndB < SN */
841 ic->ic_stats.is_ht_rx_frame_above_ba_winend++;
842 count = (sn - ba->ba_winend) & 0xfff;
843 if (count > ba->ba_winsize) {
844 /*
845 * Check whether we're consistently behind the window,
846 * and let the window move forward if necessary.
847 */
848 if (ba->ba_winmiss < IEEE80211_BA_MAX_WINMISS) {
849 if (ba->ba_missedsn == ((sn - 1) & 0xfff))
850 ba->ba_winmiss++;
851 else
852 ba->ba_winmiss = 0;
853 ba->ba_missedsn = sn;
854 ifp->if_ierrors++;
855 m_freem(m); /* discard the MPDU */
856 return;
857 }
858
859 /* It appears the window has moved for real. */
860 ic->ic_stats.is_ht_rx_ba_window_jump++;
861 ba->ba_winmiss = 0;
862 ba->ba_missedsn = 0;
863 ieee80211_ba_move_window(ic, ni, tid, sn, ml);
864 } else {
865 ic->ic_stats.is_ht_rx_ba_window_slide++;
866 ieee80211_input_ba_seq(ic, ni, tid,
867 (ba->ba_winstart + count) & 0xfff, ml);
868 ieee80211_input_ba_flush(ic, ni, ba, ml);
869 }
870 }
871 /* WinStartB <= SN <= WinEndB */
872
873 ba->ba_winmiss = 0;
874 ba->ba_missedsn = 0;
875 idx = (sn - ba->ba_winstart) & 0xfff;
876 idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ;
877 /* store the received MPDU in the buffer */
878 if (ba->ba_buf[idx].m != NULL) {
879 ifp->if_ierrors++;
880 ic->ic_stats.is_ht_rx_ba_no_buf++;
881 m_freem(m);
882 return;
883 }
884 ba->ba_buf[idx].m = m;
885 /* store Rx meta-data too */
886 rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE;
887 ba->ba_buf[idx].rxi = *rxi;
888 ba->ba_gapwait++;
889
890 if (ba->ba_buf[ba->ba_head].m == NULL && ba->ba_gapwait == 1)
891 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT);
892
893 ieee80211_input_ba_flush(ic, ni, ba, ml);
894 }
895
896 /*
897 * Forward buffered frames with sequence number lower than max_seq.
898 * See 802.11-2012 9.21.7.6.2 b.
899 */
900 void
901 ieee80211_input_ba_seq(struct ieee80211com *ic, struct ieee80211_node *ni,
902 uint8_t tid, uint16_t max_seq, struct mbuf_list *ml)
903 {
904 struct ifnet *ifp = &ic->ic_if;
905 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
906 struct ieee80211_frame *wh;
907 uint16_t seq;
908 int i = 0;
909
910 while (i++ < ba->ba_winsize) {
911 /* gaps may exist */
912 if (ba->ba_buf[ba->ba_head].m != NULL) {
913 wh = mtod(ba->ba_buf[ba->ba_head].m,
914 struct ieee80211_frame *);
915 KASSERT(ieee80211_has_seq(wh));
916 seq = letoh16(*(u_int16_t *)wh->i_seq) >>
917 IEEE80211_SEQ_SEQ_SHIFT;
918 if (!SEQ_LT(seq, max_seq))
919 break;
920 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m,
921 ni, &ba->ba_buf[ba->ba_head].rxi, ml);
922 ba->ba_buf[ba->ba_head].m = NULL;
923 ba->ba_gapwait--;
924 } else
925 ic->ic_stats.is_ht_rx_ba_frame_lost++;
926 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ;
927 /* move window forward */
928 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff;
929 }
930 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff;
931 }
932
933 /* Flush a consecutive sequence of frames from the reorder buffer. */
934 void
935 ieee80211_input_ba_flush(struct ieee80211com *ic, struct ieee80211_node *ni,
936 struct ieee80211_rx_ba *ba, struct mbuf_list *ml)
937
938 {
939 struct ifnet *ifp = &ic->ic_if;
940
941 /* Do not re-arm the gap timeout if we made no progress. */
942 if (ba->ba_buf[ba->ba_head].m == NULL)
943 return;
944
945 /* pass reordered MPDUs up to the next MAC process */
946 while (ba->ba_buf[ba->ba_head].m != NULL) {
947 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni,
948 &ba->ba_buf[ba->ba_head].rxi, ml);
949 ba->ba_buf[ba->ba_head].m = NULL;
950 ba->ba_gapwait--;
951
952 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ;
953 /* move window forward */
954 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff;
955 }
956 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff;
957
958 if (timeout_pending(&ba->ba_gap_to))
959 timeout_del(&ba->ba_gap_to);
960 if (ba->ba_gapwait)
961 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT);
962 }
963
964 /*
965 * Forcibly move the BA window forward to remove a leading gap which has
966 * been causing frames to linger in the reordering buffer for too long.
967 * A leading gap will occur if a particular A-MPDU subframe never arrives
968 * or if a bug in the sender causes sequence numbers to jump forward by > 1.
969 */
970 int
971 ieee80211_input_ba_gap_skip(struct ieee80211_rx_ba *ba)
972 {
973 int skipped = 0;
974
975 while (skipped < ba->ba_winsize && ba->ba_buf[ba->ba_head].m == NULL) {
976 /* move window forward */
977 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ;
978 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff;
979 skipped++;
980 }
981 if (skipped > 0)
982 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff;
983
984 return skipped;
985 }
986
987 void
988 ieee80211_input_ba_gap_timeout(void *arg)
989 {
990 struct ieee80211_rx_ba *ba = arg;
991 struct ieee80211_node *ni = ba->ba_ni;
992 struct ieee80211com *ic = ni->ni_ic;
993 int s, skipped;
994
995 ic->ic_stats.is_ht_rx_ba_window_gap_timeout++;
996
997 s = splnet();
998
999 skipped = ieee80211_input_ba_gap_skip(ba);
1000 ic->ic_stats.is_ht_rx_ba_frame_lost += skipped;
1001 if (skipped) {
1002 struct mbuf_list ml = MBUF_LIST_INITIALIZER();
1003 ieee80211_input_ba_flush(ic, ni, ba, &ml);
1004 if_input(&ic->ic_if, &ml);
1005 }
1006
1007 splx(s);
1008 }
1009
1010
1011 /*
1012 * Change the value of WinStartB (move window forward) upon reception of a
1013 * BlockAckReq frame or an ADDBA Request (PBAC).
1014 */
1015 void
1016 ieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni,
1017 u_int8_t tid, u_int16_t ssn, struct mbuf_list *ml)
1018 {
1019 struct ifnet *ifp = &ic->ic_if;
1020 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
1021 int count;
1022
1023 /* assert(WinStartB <= SSN) */
1024
1025 count = (ssn - ba->ba_winstart) & 0xfff;
1026 if (count > ba->ba_winsize) /* no overlap */
1027 count = ba->ba_winsize;
1028 while (count-- > 0) {
1029 /* gaps may exist */
1030 if (ba->ba_buf[ba->ba_head].m != NULL) {
1031 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni,
1032 &ba->ba_buf[ba->ba_head].rxi, ml);
1033 ba->ba_buf[ba->ba_head].m = NULL;
1034 ba->ba_gapwait--;
1035 } else
1036 ic->ic_stats.is_ht_rx_ba_frame_lost++;
1037 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ;
1038 }
1039 /* move window forward */
1040 ba->ba_winstart = ssn;
1041 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff;
1042
1043 ieee80211_input_ba_flush(ic, ni, ba, ml);
1044 }
1045
1046 void
1047 ieee80211_enqueue_data(struct ieee80211com *ic, struct mbuf *m,
1048 struct ieee80211_node *ni, int mcast, struct mbuf_list *ml)
1049 {
1050 struct ifnet *ifp = &ic->ic_if;
1051 struct ether_header *eh;
1052 struct mbuf *m1;
1053
1054 eh = mtod(m, struct ether_header *);
1055
1056 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid &&
1057 eh->ether_type != htons(ETHERTYPE_EAPOL)) {
1058 DPRINTF(("port not valid: %s\n",
1059 ether_sprintf(eh->ether_dhost)));
1060 ic->ic_stats.is_rx_unauth++;
1061 m_freem(m);
1062 return;
1063 }
1064
1065 /*
1066 * Perform as a bridge within the AP. Notice that we do not
1067 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X.
1068 * And we do not forward unicast frames received on a multicast address.
1069 */
1070 m1 = NULL;
1071 #ifndef IEEE80211_STA_ONLY
1072 if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
1073 !(ic->ic_userflags & IEEE80211_F_NOBRIDGE) &&
1074 eh->ether_type != htons(ETHERTYPE_EAPOL)) {
1075 struct ieee80211_node *ni1;
1076
1077 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
1078 m1 = m_dup_pkt(m, ETHER_ALIGN, M_DONTWAIT);
1079 if (m1 == NULL)
1080 ifp->if_oerrors++;
1081 else
1082 m1->m_flags |= M_MCAST;
1083 } else if (!mcast) {
1084 ni1 = ieee80211_find_node(ic, eh->ether_dhost);
1085 if (ni1 != NULL &&
1086 ni1->ni_state == IEEE80211_STA_ASSOC) {
1087 m1 = m;
1088 m = NULL;
1089 }
1090 }
1091 if (m1 != NULL) {
1092 if (if_enqueue(ifp, m1))
1093 ifp->if_oerrors++;
1094 }
1095 }
1096 #endif
1097 if (m != NULL) {
1098 if ((ic->ic_flags & IEEE80211_F_RSNON) &&
1099 eh->ether_type == htons(ETHERTYPE_EAPOL)) {
1100 ifp->if_ipackets++;
1101 #if NBPFILTER > 0
1102 /*
1103 * If we forward frame into transmitter of the AP,
1104 * we don't need to duplicate for DLT_EN10MB.
1105 */
1106 if (ifp->if_bpf && m1 == NULL)
1107 bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN);
1108 #endif
1109 ieee80211_eapol_key_input(ic, m, ni);
1110 } else {
1111 ml_enqueue(ml, m);
1112 }
1113 }
1114 }
1115
1116 void
1117 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m,
1118 struct ieee80211_node *ni, int hdrlen, struct mbuf_list *ml)
1119 {
1120 struct ether_header eh;
1121 struct ieee80211_frame *wh;
1122 struct llc *llc;
1123 int mcast;
1124
1125 if (m->m_len < hdrlen + LLC_SNAPFRAMELEN &&
1126 (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) {
1127 ic->ic_stats.is_rx_decap++;
1128 return;
1129 }
1130 wh = mtod(m, struct ieee80211_frame *);
1131 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1);
1132 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
1133 case IEEE80211_FC1_DIR_NODS:
1134 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1);
1135 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2);
1136 break;
1137 case IEEE80211_FC1_DIR_TODS:
1138 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3);
1139 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2);
1140 break;
1141 case IEEE80211_FC1_DIR_FROMDS:
1142 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1);
1143 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr3);
1144 break;
1145 case IEEE80211_FC1_DIR_DSTODS:
1146 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3);
1147 IEEE80211_ADDR_COPY(eh.ether_shost,
1148 ((struct ieee80211_frame_addr4 *)wh)->i_addr4);
1149 break;
1150 }
1151 llc = (struct llc *)((caddr_t)wh + hdrlen);
1152 if (llc->llc_dsap == LLC_SNAP_LSAP &&
1153 llc->llc_ssap == LLC_SNAP_LSAP &&
1154 llc->llc_control == LLC_UI &&
1155 llc->llc_snap.org_code[0] == 0 &&
1156 llc->llc_snap.org_code[1] == 0 &&
1157 llc->llc_snap.org_code[2] == 0) {
1158 eh.ether_type = llc->llc_snap.ether_type;
1159 m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN);
1160 } else {
1161 eh.ether_type = htons(m->m_pkthdr.len - hdrlen);
1162 m_adj(m, hdrlen - ETHER_HDR_LEN);
1163 }
1164 memcpy(mtod(m, caddr_t), &eh, ETHER_HDR_LEN);
1165 if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) {
1166 struct mbuf *m0 = m;
1167 m = m_dup_pkt(m0, ETHER_ALIGN, M_NOWAIT);
1168 m_freem(m0);
1169 if (m == NULL) {
1170 ic->ic_stats.is_rx_decap++;
1171 return;
1172 }
1173 }
1174 ieee80211_enqueue_data(ic, m, ni, mcast, ml);
1175 }
1176
1177 int
1178 ieee80211_amsdu_decap_validate(struct ieee80211com *ic, struct mbuf *m,
1179 struct ieee80211_node *ni)
1180 {
1181 struct ether_header *eh = mtod(m, struct ether_header *);
1182 const uint8_t llc_hdr_mac[ETHER_ADDR_LEN] = {
1183 /* MAC address matching the 802.2 LLC header. */
1184 LLC_SNAP_LSAP, LLC_SNAP_LSAP, LLC_UI, 0, 0, 0
1185 };
1186
1187 /*
1188 * We are sorry, but this particular MAC address cannot be used.
1189 * This mitigates an attack where a single 802.11 frame is interpreted
1190 * as an A-MSDU because of a forged AMSDU-present bit in the 802.11
1191 * QoS frame header: https://papers.mathyvanhoef.com/usenix2021.pdf
1192 * See Section 7.2, 'Countermeasures for the design flaws'
1193 */
1194 if (ETHER_IS_EQ(eh->ether_dhost, llc_hdr_mac))
1195 return 1;
1196
1197 switch (ic->ic_opmode) {
1198 #ifndef IEEE80211_STA_ONLY
1199 case IEEE80211_M_HOSTAP:
1200 /*
1201 * Subframes must use the source address of the node which
1202 * transmitted the A-MSDU. Prevents MAC spoofing.
1203 */
1204 if (!ETHER_IS_EQ(ni->ni_macaddr, eh->ether_shost))
1205 return 1;
1206 break;
1207 #endif
1208 case IEEE80211_M_STA:
1209 /* Subframes must be addressed to me. */
1210 if (!ETHER_IS_EQ(ic->ic_myaddr, eh->ether_dhost))
1211 return 1;
1212 break;
1213 default:
1214 /* Ignore MONITOR/IBSS modes for now. */
1215 break;
1216 }
1217
1218 return 0;
1219 }
1220
1221 /*
1222 * Decapsulate an Aggregate MSDU (see 7.2.2.2).
1223 */
1224 void
1225 ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m,
1226 struct ieee80211_node *ni, int hdrlen, struct mbuf_list *ml)
1227 {
1228 struct mbuf *n;
1229 struct ether_header *eh;
1230 struct llc *llc;
1231 int len, pad, mcast;
1232 struct ieee80211_frame *wh;
1233 struct mbuf_list subframes = MBUF_LIST_INITIALIZER();
1234
1235 wh = mtod(m, struct ieee80211_frame *);
1236 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1);
1237
1238 /* strip 802.11 header */
1239 m_adj(m, hdrlen);
1240
1241 while (m->m_pkthdr.len >= ETHER_HDR_LEN + LLC_SNAPFRAMELEN) {
1242 /* process an A-MSDU subframe */
1243 m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN);
1244 if (m == NULL)
1245 break;
1246 eh = mtod(m, struct ether_header *);
1247 /* examine 802.3 header */
1248 len = ntohs(eh->ether_type);
1249 if (len < LLC_SNAPFRAMELEN) {
1250 DPRINTF(("A-MSDU subframe too short (%d)\n", len));
1251 /* stop processing A-MSDU subframes */
1252 ic->ic_stats.is_rx_decap++;
1253 ml_purge(&subframes);
1254 m_freem(m);
1255 return;
1256 }
1257 llc = (struct llc *)&eh[1];
1258 /* Examine the 802.2 LLC header after the A-MSDU header. */
1259 if (llc->llc_dsap == LLC_SNAP_LSAP &&
1260 llc->llc_ssap == LLC_SNAP_LSAP &&
1261 llc->llc_control == LLC_UI &&
1262 llc->llc_snap.org_code[0] == 0 &&
1263 llc->llc_snap.org_code[1] == 0 &&
1264 llc->llc_snap.org_code[2] == 0) {
1265 /* convert to Ethernet II header */
1266 eh->ether_type = llc->llc_snap.ether_type;
1267 /* strip LLC+SNAP headers */
1268 memmove((u_int8_t *)eh + LLC_SNAPFRAMELEN, eh,
1269 ETHER_HDR_LEN);
1270 m_adj(m, LLC_SNAPFRAMELEN);
1271 len -= LLC_SNAPFRAMELEN;
1272 }
1273 len += ETHER_HDR_LEN;
1274 if (len > m->m_pkthdr.len) {
1275 /* stop processing A-MSDU subframes */
1276 DPRINTF(("A-MSDU subframe too long (%d)\n", len));
1277 ic->ic_stats.is_rx_decap++;
1278 ml_purge(&subframes);
1279 m_freem(m);
1280 return;
1281 }
1282
1283 /* "detach" our A-MSDU subframe from the others */
1284 n = m_split(m, len, M_NOWAIT);
1285 if (n == NULL) {
1286 /* stop processing A-MSDU subframes */
1287 ic->ic_stats.is_rx_decap++;
1288 ml_purge(&subframes);
1289 m_freem(m);
1290 return;
1291 }
1292
1293 if (ieee80211_amsdu_decap_validate(ic, m, ni)) {
1294 /* stop processing A-MSDU subframes */
1295 ic->ic_stats.is_rx_decap++;
1296 ml_purge(&subframes);
1297 m_freem(m);
1298 return;
1299 }
1300
1301 ml_enqueue(&subframes, m);
1302
1303 m = n;
1304 /* remove padding */
1305 pad = ((len + 3) & ~3) - len;
1306 m_adj(m, pad);
1307 }
1308
1309 while ((n = ml_dequeue(&subframes)) != NULL)
1310 ieee80211_enqueue_data(ic, n, ni, mcast, ml);
1311
1312 m_freem(m);
1313 }
1314
1315 /*
1316 * Parse an EDCA Parameter Set element (see 7.3.2.27).
1317 */
1318 int
1319 ieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm)
1320 {
1321 u_int updtcount;
1322 int aci;
1323
1324 /*
1325 * Check if EDCA parameters have changed XXX if we miss more than
1326 * 15 consecutive beacons, we might not detect changes to EDCA
1327 * parameters due to wraparound of the 4-bit Update Count field.
1328 */
1329 updtcount = frm[0] & 0xf;
1330 if (updtcount == ic->ic_edca_updtcount)
1331 return 0; /* no changes to EDCA parameters, ignore */
1332 ic->ic_edca_updtcount = updtcount;
1333
1334 frm += 2; /* skip QoS Info & Reserved fields */
1335
1336 /* parse AC Parameter Records */
1337 for (aci = 0; aci < EDCA_NUM_AC; aci++) {
1338 struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci];
1339
1340 ac->ac_acm = (frm[0] >> 4) & 0x1;
1341 ac->ac_aifsn = frm[0] & 0xf;
1342 ac->ac_ecwmin = frm[1] & 0xf;
1343 ac->ac_ecwmax = frm[1] >> 4;
1344 ac->ac_txoplimit = LE_READ_2(frm + 2);
1345 frm += 4;
1346 }
1347 /* give drivers a chance to update their settings */
1348 if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL)
1349 (*ic->ic_updateedca)(ic);
1350
1351 return 0;
1352 }
1353
1354 int
1355 ieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm)
1356 {
1357 if (frm[1] < 18) {
1358 ic->ic_stats.is_rx_elem_toosmall++;
1359 return IEEE80211_REASON_IE_INVALID;
1360 }
1361 return ieee80211_parse_edca_params_body(ic, frm + 2);
1362 }
1363
1364 int
1365 ieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm)
1366 {
1367 if (frm[1] < 24) {
1368 ic->ic_stats.is_rx_elem_toosmall++;
1369 return IEEE80211_REASON_IE_INVALID;
1370 }
1371 return ieee80211_parse_edca_params_body(ic, frm + 8);
1372 }
1373
1374 enum ieee80211_cipher
1375 ieee80211_parse_rsn_cipher(const u_int8_t selector[4])
1376 {
1377 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */
1378 switch (selector[3]) {
1379 case 0: /* use group data cipher suite */
1380 return IEEE80211_CIPHER_USEGROUP;
1381 case 1: /* WEP-40 */
1382 return IEEE80211_CIPHER_WEP40;
1383 case 2: /* TKIP */
1384 return IEEE80211_CIPHER_TKIP;
1385 case 4: /* CCMP (RSNA default) */
1386 return IEEE80211_CIPHER_CCMP;
1387 case 5: /* WEP-104 */
1388 return IEEE80211_CIPHER_WEP104;
1389 }
1390 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */
1391 /* see 802.11-2012 Table 8-99 */
1392 switch (selector[3]) {
1393 case 0: /* use group data cipher suite */
1394 return IEEE80211_CIPHER_USEGROUP;
1395 case 1: /* WEP-40 */
1396 return IEEE80211_CIPHER_WEP40;
1397 case 2: /* TKIP */
1398 return IEEE80211_CIPHER_TKIP;
1399 case 4: /* CCMP (RSNA default) */
1400 return IEEE80211_CIPHER_CCMP;
1401 case 5: /* WEP-104 */
1402 return IEEE80211_CIPHER_WEP104;
1403 case 6: /* BIP */
1404 return IEEE80211_CIPHER_BIP;
1405 }
1406 }
1407 return IEEE80211_CIPHER_NONE; /* ignore unknown ciphers */
1408 }
1409
1410 enum ieee80211_akm
1411 ieee80211_parse_rsn_akm(const u_int8_t selector[4])
1412 {
1413 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */
1414 switch (selector[3]) {
1415 case 1: /* IEEE 802.1X (RSNA default) */
1416 return IEEE80211_AKM_8021X;
1417 case 2: /* PSK */
1418 return IEEE80211_AKM_PSK;
1419 }
1420 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */
1421 /* from IEEE Std 802.11i-2004 - Table 20dc */
1422 switch (selector[3]) {
1423 case 1: /* IEEE 802.1X (RSNA default) */
1424 return IEEE80211_AKM_8021X;
1425 case 2: /* PSK */
1426 return IEEE80211_AKM_PSK;
1427 case 5: /* IEEE 802.1X with SHA256 KDF */
1428 return IEEE80211_AKM_SHA256_8021X;
1429 case 6: /* PSK with SHA256 KDF */
1430 return IEEE80211_AKM_SHA256_PSK;
1431 }
1432 }
1433 return IEEE80211_AKM_NONE; /* ignore unknown AKMs */
1434 }
1435
1436 /*
1437 * Parse an RSN element (see 802.11-2012 8.4.2.27)
1438 */
1439 int
1440 ieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm,
1441 u_int len, struct ieee80211_rsnparams *rsn)
1442 {
1443 const u_int8_t *efrm;
1444 u_int16_t m, n, s;
1445
1446 efrm = frm + len;
1447
1448 /* check Version field */
1449 if (LE_READ_2(frm) != 1)
1450 return IEEE80211_STATUS_RSN_IE_VER_UNSUP;
1451 frm += 2;
1452
1453 /* all fields after the Version field are optional */
1454
1455 /* if Cipher Suite missing, default to CCMP */
1456 rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP;
1457 rsn->rsn_nciphers = 1;
1458 rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP;
1459 /* if Group Management Cipher Suite missing, default to BIP */
1460 rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP;
1461 /* if AKM Suite missing, default to 802.1X */
1462 rsn->rsn_nakms = 1;
1463 rsn->rsn_akms = IEEE80211_AKM_8021X;
1464 /* if RSN capabilities missing, default to 0 */
1465 rsn->rsn_caps = 0;
1466 rsn->rsn_npmkids = 0;
1467
1468 /* read Group Data Cipher Suite field */
1469 if (frm + 4 > efrm)
1470 return 0;
1471 rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm);
1472 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_NONE ||
1473 rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP ||
1474 rsn->rsn_groupcipher == IEEE80211_CIPHER_BIP)
1475 return IEEE80211_STATUS_BAD_GROUP_CIPHER;
1476 frm += 4;
1477
1478 /* read Pairwise Cipher Suite Count field */
1479 if (frm + 2 > efrm)
1480 return 0;
1481 m = rsn->rsn_nciphers = LE_READ_2(frm);
1482 frm += 2;
1483
1484 /* read Pairwise Cipher Suite List */
1485 if (frm + m * 4 > efrm)
1486 return IEEE80211_STATUS_IE_INVALID;
1487 rsn->rsn_ciphers = IEEE80211_CIPHER_NONE;
1488 while (m-- > 0) {
1489 rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm);
1490 frm += 4;
1491 }
1492 if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) {
1493 if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP)
1494 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER;
1495 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP)
1496 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER;
1497 }
1498
1499 /* read AKM Suite List Count field */
1500 if (frm + 2 > efrm)
1501 return 0;
1502 n = rsn->rsn_nakms = LE_READ_2(frm);
1503 frm += 2;
1504
1505 /* read AKM Suite List */
1506 if (frm + n * 4 > efrm)
1507 return IEEE80211_STATUS_IE_INVALID;
1508 rsn->rsn_akms = IEEE80211_AKM_NONE;
1509 while (n-- > 0) {
1510 rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm);
1511 frm += 4;
1512 }
1513
1514 /* read RSN Capabilities field */
1515 if (frm + 2 > efrm)
1516 return 0;
1517 rsn->rsn_caps = LE_READ_2(frm);
1518 frm += 2;
1519
1520 /* read PMKID Count field */
1521 if (frm + 2 > efrm)
1522 return 0;
1523 s = rsn->rsn_npmkids = LE_READ_2(frm);
1524 frm += 2;
1525
1526 /* read PMKID List */
1527 if (frm + s * IEEE80211_PMKID_LEN > efrm)
1528 return IEEE80211_STATUS_IE_INVALID;
1529 if (s != 0) {
1530 rsn->rsn_pmkids = frm;
1531 frm += s * IEEE80211_PMKID_LEN;
1532 }
1533
1534 /* read Group Management Cipher Suite field */
1535 if (frm + 4 > efrm)
1536 return 0;
1537 rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm);
1538 if (rsn->rsn_groupmgmtcipher != IEEE80211_CIPHER_BIP)
1539 return IEEE80211_STATUS_BAD_GROUP_CIPHER;
1540
1541 return IEEE80211_STATUS_SUCCESS;
1542 }
1543
1544 int
1545 ieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm,
1546 struct ieee80211_rsnparams *rsn)
1547 {
1548 if (frm[1] < 2) {
1549 ic->ic_stats.is_rx_elem_toosmall++;
1550 return IEEE80211_STATUS_IE_INVALID;
1551 }
1552 return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn);
1553 }
1554
1555 int
1556 ieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm,
1557 struct ieee80211_rsnparams *rsn)
1558 {
1559 if (frm[1] < 6) {
1560 ic->ic_stats.is_rx_elem_toosmall++;
1561 return IEEE80211_STATUS_IE_INVALID;
1562 }
1563 return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn);
1564 }
1565
1566 /*
1567 * Create (or update) a copy of an information element.
1568 */
1569 int
1570 ieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie)
1571 {
1572 int olen = *ie ? 2 + (*ie)[1] : 0;
1573 int len = 2 + frm[1];
1574
1575 if (*ie == NULL || olen != len) {
1576 if (*ie != NULL)
1577 free(*ie, M_DEVBUF, olen);
1578 *ie = malloc(len, M_DEVBUF, M_NOWAIT);
1579 if (*ie == NULL)
1580 return ENOMEM;
1581 }
1582 memcpy(*ie, frm, len);
1583 return 0;
1584 }
1585
1586 /*-
1587 * Beacon/Probe response frame format:
1588 * [8] Timestamp
1589 * [2] Beacon interval
1590 * [2] Capability
1591 * [tlv] Service Set Identifier (SSID)
1592 * [tlv] Supported rates
1593 * [tlv] DS Parameter Set (802.11g)
1594 * [tlv] ERP Information (802.11g)
1595 * [tlv] Extended Supported Rates (802.11g)
1596 * [tlv] RSN (802.11i)
1597 * [tlv] EDCA Parameter Set (802.11e)
1598 * [tlv] QoS Capability (Beacon only, 802.11e)
1599 * [tlv] HT Capabilities (802.11n)
1600 * [tlv] HT Operation (802.11n)
1601 */
1602 void
1603 ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m,
1604 struct ieee80211_node *rni, struct ieee80211_rxinfo *rxi, int isprobe)
1605 {
1606 struct ieee80211_node *ni;
1607 const struct ieee80211_frame *wh;
1608 const u_int8_t *frm, *efrm;
1609 const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie, *tim;
1610 const u_int8_t *rsnie, *wpaie, *htcaps, *htop, *vhtcaps, *vhtop;
1611 u_int16_t capinfo, bintval;
1612 u_int8_t chan, bchan, erp;
1613 int is_new;
1614
1615 /*
1616 * We process beacon/probe response frames for:
1617 * o station mode: to collect state
1618 * updates such as 802.11g slot time and for passive
1619 * scanning of APs
1620 * o adhoc mode: to discover neighbors
1621 * o hostap mode: for passive scanning of neighbor APs
1622 * o when scanning
1623 * In other words, in all modes other than monitor (which
1624 * does not process incoming frames) and adhoc-demo (which
1625 * does not use management frames at all).
1626 */
1627 #ifdef DIAGNOSTIC
1628 if (ic->ic_opmode != IEEE80211_M_STA &&
1629 #ifndef IEEE80211_STA_ONLY
1630 ic->ic_opmode != IEEE80211_M_IBSS &&
1631 ic->ic_opmode != IEEE80211_M_HOSTAP &&
1632 #endif
1633 ic->ic_state != IEEE80211_S_SCAN) {
1634 panic("%s: impossible operating mode", __func__);
1635 }
1636 #endif
1637 /* make sure all mandatory fixed fields are present */
1638 if (m->m_len < sizeof(*wh) + 12) {
1639 DPRINTF(("frame too short\n"));
1640 return;
1641 }
1642 wh = mtod(m, struct ieee80211_frame *);
1643 frm = (const u_int8_t *)&wh[1];
1644 efrm = mtod(m, u_int8_t *) + m->m_len;
1645
1646 tstamp = frm; frm += 8;
1647 bintval = LE_READ_2(frm); frm += 2;
1648 capinfo = LE_READ_2(frm); frm += 2;
1649
1650 ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = tim = NULL;
1651 htcaps = htop = vhtcaps = vhtop = NULL;
1652 if (rxi->rxi_chan)
1653 bchan = rxi->rxi_chan;
1654 else
1655 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan);
1656 chan = bchan;
1657 erp = 0;
1658 while (frm + 2 <= efrm) {
1659 if (frm + 2 + frm[1] > efrm) {
1660 ic->ic_stats.is_rx_elem_toosmall++;
1661 break;
1662 }
1663 switch (frm[0]) {
1664 case IEEE80211_ELEMID_SSID:
1665 ssid = frm;
1666 break;
1667 case IEEE80211_ELEMID_RATES:
1668 rates = frm;
1669 break;
1670 case IEEE80211_ELEMID_DSPARMS:
1671 if (frm[1] < 1) {
1672 ic->ic_stats.is_rx_elem_toosmall++;
1673 break;
1674 }
1675 chan = frm[2];
1676 break;
1677 case IEEE80211_ELEMID_XRATES:
1678 xrates = frm;
1679 break;
1680 case IEEE80211_ELEMID_ERP:
1681 if (frm[1] < 1) {
1682 ic->ic_stats.is_rx_elem_toosmall++;
1683 break;
1684 }
1685 erp = frm[2];
1686 break;
1687 case IEEE80211_ELEMID_RSN:
1688 rsnie = frm;
1689 break;
1690 case IEEE80211_ELEMID_EDCAPARMS:
1691 edcaie = frm;
1692 break;
1693 case IEEE80211_ELEMID_HTCAPS:
1694 htcaps = frm;
1695 break;
1696 case IEEE80211_ELEMID_HTOP:
1697 if (frm[1] < 22) {
1698 ic->ic_stats.is_rx_elem_toosmall++;
1699 break;
1700 }
1701 htop = frm;
1702 chan = frm[2];
1703 break;
1704 case IEEE80211_ELEMID_VHTCAPS:
1705 vhtcaps = frm;
1706 break;
1707 case IEEE80211_ELEMID_VHTOP:
1708 vhtop = frm;
1709 break;
1710 case IEEE80211_ELEMID_TIM:
1711 if (frm[1] < 4) {
1712 ic->ic_stats.is_rx_elem_toosmall++;
1713 break;
1714 }
1715 tim = frm;
1716 break;
1717 case IEEE80211_ELEMID_VENDOR:
1718 if (frm[1] < 4) {
1719 ic->ic_stats.is_rx_elem_toosmall++;
1720 break;
1721 }
1722 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) {
1723 if (frm[5] == 1)
1724 wpaie = frm;
1725 else if (frm[1] >= 5 &&
1726 frm[5] == 2 && frm[6] == 1)
1727 wmmie = frm;
1728 }
1729 break;
1730 }
1731 frm += 2 + frm[1];
1732 }
1733 /* supported rates element is mandatory */
1734 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) {
1735 DPRINTF(("invalid supported rates element\n"));
1736 return;
1737 }
1738 /* SSID element is mandatory */
1739 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) {
1740 DPRINTF(("invalid SSID element\n"));
1741 return;
1742 }
1743
1744 if (
1745 #if IEEE80211_CHAN_MAX < 255
1746 chan > IEEE80211_CHAN_MAX ||
1747 #endif
1748 (isclr(ic->ic_chan_active, chan) &&
1749 ((ic->ic_caps & IEEE80211_C_SCANALL) == 0 ||
1750 (ic->ic_flags & IEEE80211_F_BGSCAN) == 0))) {
1751 DPRINTF(("ignore %s with invalid channel %u\n",
1752 isprobe ? "probe response" : "beacon", chan));
1753 ic->ic_stats.is_rx_badchan++;
1754 return;
1755 }
1756 if ((rxi->rxi_chan != 0 && chan != rxi->rxi_chan) ||
1757 ((ic->ic_state != IEEE80211_S_SCAN ||
1758 !(ic->ic_caps & IEEE80211_C_SCANALL)) &&
1759 chan != bchan)) {
1760 /*
1761 * Frame was received on a channel different from the
1762 * one indicated in the DS params element id;
1763 * silently discard it.
1764 *
1765 * NB: this can happen due to signal leakage.
1766 */
1767 DPRINTF(("ignore %s on channel %u marked for channel %u\n",
1768 isprobe ? "probe response" : "beacon", bchan, chan));
1769 ic->ic_stats.is_rx_chanmismatch++;
1770 return;
1771 }
1772
1773 #ifdef IEEE80211_DEBUG
1774 if (ieee80211_debug > 1 &&
1775 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN ||
1776 (ic->ic_flags & IEEE80211_F_BGSCAN))) {
1777 printf("%s: %s%s on chan %u (bss chan %u) ",
1778 __func__, (ni == NULL ? "new " : ""),
1779 isprobe ? "probe response" : "beacon",
1780 chan, bchan);
1781 ieee80211_print_essid(ssid + 2, ssid[1]);
1782 printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2));
1783 printf("%s: caps 0x%x bintval %u erp 0x%x\n",
1784 __func__, capinfo, bintval, erp);
1785 }
1786 #endif
1787
1788 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) {
1789 ni = ieee80211_alloc_node(ic, wh->i_addr2);
1790 if (ni == NULL)
1791 return;
1792 is_new = 1;
1793 } else
1794 is_new = 0;
1795
1796 ni->ni_chan = &ic->ic_channels[chan];
1797
1798 if (htcaps)
1799 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]);
1800 if (htop && !ieee80211_setup_htop(ni, htop + 2, htop[1], 1))
1801 htop = NULL; /* invalid HTOP */
1802 if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) {
1803 ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]);
1804 if (vhtop && !ieee80211_setup_vhtop(ni, vhtop + 2, vhtop[1], 1))
1805 vhtop = NULL; /* invalid VHTOP */
1806 }
1807
1808 if (tim) {
1809 ni->ni_dtimcount = tim[2];
1810 ni->ni_dtimperiod = tim[3];
1811 }
1812
1813 /*
1814 * When operating in station mode, check for state updates
1815 * while we're associated.
1816 */
1817 if (ic->ic_opmode == IEEE80211_M_STA &&
1818 ic->ic_state == IEEE80211_S_RUN &&
1819 ni->ni_state == IEEE80211_STA_BSS) {
1820 int updateprot = 0;
1821 /*
1822 * Check if protection mode has changed since last beacon.
1823 */
1824 if (ni->ni_erp != erp) {
1825 DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n",
1826 ether_sprintf((u_int8_t *)wh->i_addr2),
1827 ni->ni_erp, erp));
1828 if ((ic->ic_curmode == IEEE80211_MODE_11G ||
1829 (ic->ic_curmode == IEEE80211_MODE_11N &&
1830 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) &&
1831 (erp & IEEE80211_ERP_USE_PROTECTION))
1832 ic->ic_flags |= IEEE80211_F_USEPROT;
1833 else
1834 ic->ic_flags &= ~IEEE80211_F_USEPROT;
1835 ic->ic_bss->ni_erp = erp;
1836 updateprot = 1;
1837 }
1838 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT)) {
1839 enum ieee80211_htprot htprot_last, htprot;
1840 htprot_last =
1841 ((ic->ic_bss->ni_htop1 & IEEE80211_HTOP1_PROT_MASK)
1842 >> IEEE80211_HTOP1_PROT_SHIFT);
1843 htprot = ((ni->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) >>
1844 IEEE80211_HTOP1_PROT_SHIFT);
1845 if (htprot_last != htprot) {
1846 DPRINTF(("[%s] htprot change: was %d, now %d\n",
1847 ether_sprintf((u_int8_t *)wh->i_addr2),
1848 htprot_last, htprot));
1849 ic->ic_stats.is_ht_prot_change++;
1850 ic->ic_bss->ni_htop1 = ni->ni_htop1;
1851 updateprot = 1;
1852 }
1853 }
1854 if (updateprot && ic->ic_updateprot != NULL)
1855 ic->ic_updateprot(ic);
1856
1857 /*
1858 * Check if 40MHz channel mode has changed since last beacon.
1859 */
1860 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT) &&
1861 (ic->ic_htcaps & IEEE80211_HTCAP_CBW20_40)) {
1862 uint8_t chw_last, chw, sco_last, sco;
1863 chw_last = (ic->ic_bss->ni_htop0 & IEEE80211_HTOP0_CHW);
1864 chw = (ni->ni_htop0 & IEEE80211_HTOP0_CHW);
1865 sco_last =
1866 ((ic->ic_bss->ni_htop0 & IEEE80211_HTOP0_SCO_MASK)
1867 >> IEEE80211_HTOP0_SCO_SHIFT);
1868 sco = ((ni->ni_htop0 & IEEE80211_HTOP0_SCO_MASK) >>
1869 IEEE80211_HTOP0_SCO_SHIFT);
1870 ic->ic_bss->ni_htop0 = ni->ni_htop0;
1871 if (chw_last != chw || sco_last != sco) {
1872 if (ic->ic_updatechan != NULL)
1873 ic->ic_updatechan(ic);
1874 }
1875 } else if (htop)
1876 ic->ic_bss->ni_htop0 = ni->ni_htop0;
1877
1878 /*
1879 * Check if AP short slot time setting has changed
1880 * since last beacon and give the driver a chance to
1881 * update the hardware.
1882 */
1883 if ((ni->ni_capinfo ^ capinfo) &
1884 IEEE80211_CAPINFO_SHORT_SLOTTIME) {
1885 ieee80211_set_shortslottime(ic,
1886 ic->ic_curmode == IEEE80211_MODE_11A ||
1887 (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
1888 }
1889
1890 if (tim && ic->ic_bss->ni_dtimperiod != ni->ni_dtimperiod) {
1891 ic->ic_bss->ni_dtimperiod = ni->ni_dtimperiod;
1892 ic->ic_bss->ni_dtimcount = ni->ni_dtimcount;
1893
1894 if (ic->ic_updatedtim != NULL)
1895 ic->ic_updatedtim(ic);
1896 }
1897
1898 /*
1899 * Reset management timer. If it is non-zero in RUN state, the
1900 * driver sent a probe request after a missed beacon event.
1901 * This probe response indicates the AP is still serving us
1902 * so don't allow ieee80211_watchdog() to move us into SCAN.
1903 */
1904 if ((ic->ic_flags & IEEE80211_F_BGSCAN) == 0)
1905 ic->ic_mgt_timer = 0;
1906 }
1907 /*
1908 * We do not try to update EDCA parameters if QoS was not negotiated
1909 * with the AP at association time.
1910 */
1911 if (ni->ni_flags & IEEE80211_NODE_QOS) {
1912 /* always prefer EDCA IE over Wi-Fi Alliance WMM IE */
1913 if ((edcaie != NULL &&
1914 ieee80211_parse_edca_params(ic, edcaie) == 0) ||
1915 (wmmie != NULL &&
1916 ieee80211_parse_wmm_params(ic, wmmie) == 0))
1917 ni->ni_flags |= IEEE80211_NODE_QOS;
1918 else
1919 ni->ni_flags &= ~IEEE80211_NODE_QOS;
1920 }
1921
1922 if (ic->ic_state == IEEE80211_S_SCAN ||
1923 (ic->ic_flags & IEEE80211_F_BGSCAN)) {
1924 struct ieee80211_rsnparams rsn, wpa;
1925
1926 ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
1927 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE;
1928 ni->ni_rsnakms = 0;
1929 ni->ni_supported_rsnakms = 0;
1930 ni->ni_rsnciphers = 0;
1931 ni->ni_rsngroupcipher = 0;
1932 ni->ni_rsngroupmgmtcipher = 0;
1933 ni->ni_rsncaps = 0;
1934
1935 if (rsnie != NULL &&
1936 ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) {
1937 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_RSN;
1938 ni->ni_supported_rsnakms |= rsn.rsn_akms;
1939 }
1940 if (wpaie != NULL &&
1941 ieee80211_parse_wpa(ic, wpaie, &wpa) == 0) {
1942 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_WPA;
1943 ni->ni_supported_rsnakms |= wpa.rsn_akms;
1944 }
1945
1946 /*
1947 * If the AP advertises both WPA and RSN IEs (WPA1+WPA2),
1948 * we only use the highest protocol version we support.
1949 */
1950 if (rsnie != NULL &&
1951 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_RSN) &&
1952 (ic->ic_caps & IEEE80211_C_RSN)) {
1953 if (ieee80211_save_ie(rsnie, &ni->ni_rsnie) == 0
1954 #ifndef IEEE80211_STA_ONLY
1955 && ic->ic_opmode != IEEE80211_M_HOSTAP
1956 #endif
1957 ) {
1958 ni->ni_rsnprotos = IEEE80211_PROTO_RSN;
1959 ni->ni_rsnakms = rsn.rsn_akms;
1960 ni->ni_rsnciphers = rsn.rsn_ciphers;
1961 ni->ni_rsngroupcipher = rsn.rsn_groupcipher;
1962 ni->ni_rsngroupmgmtcipher =
1963 rsn.rsn_groupmgmtcipher;
1964 ni->ni_rsncaps = rsn.rsn_caps;
1965 }
1966 } else if (wpaie != NULL &&
1967 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_WPA) &&
1968 (ic->ic_caps & IEEE80211_C_RSN)) {
1969 if (ieee80211_save_ie(wpaie, &ni->ni_rsnie) == 0
1970 #ifndef IEEE80211_STA_ONLY
1971 && ic->ic_opmode != IEEE80211_M_HOSTAP
1972 #endif
1973 ) {
1974 ni->ni_rsnprotos = IEEE80211_PROTO_WPA;
1975 ni->ni_rsnakms = wpa.rsn_akms;
1976 ni->ni_rsnciphers = wpa.rsn_ciphers;
1977 ni->ni_rsngroupcipher = wpa.rsn_groupcipher;
1978 ni->ni_rsngroupmgmtcipher =
1979 wpa.rsn_groupmgmtcipher;
1980 ni->ni_rsncaps = wpa.rsn_caps;
1981 }
1982 }
1983 }
1984
1985 /*
1986 * Set our SSID if we do not know it yet.
1987 * If we are doing a directed scan for an AP with a hidden SSID
1988 * we must collect the SSID from a probe response to override
1989 * a non-zero-length SSID filled with zeroes that we may have
1990 * received earlier in a beacon.
1991 */
1992 if (ssid[1] != 0 && ni->ni_essid[0] == '\0') {
1993 ni->ni_esslen = ssid[1];
1994 memset(ni->ni_essid, 0, sizeof(ni->ni_essid));
1995 /* we know that ssid[1] <= IEEE80211_NWID_LEN */
1996 memcpy(ni->ni_essid, &ssid[2], ssid[1]);
1997 }
1998 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3);
1999 if (ic->ic_state == IEEE80211_S_SCAN &&
2000 IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) {
2001 /*
2002 * During a scan on 5Ghz, prefer RSSI measured for probe
2003 * response frames. i.e. don't allow beacons to lower the
2004 * measured RSSI. Some 5GHz APs send beacons with much
2005 * less Tx power than they use for probe responses.
2006 */
2007 if (isprobe || ni->ni_rssi == 0)
2008 ni->ni_rssi = rxi->rxi_rssi;
2009 else if (ni->ni_rssi < rxi->rxi_rssi)
2010 ni->ni_rssi = rxi->rxi_rssi;
2011 } else
2012 ni->ni_rssi = rxi->rxi_rssi;
2013 ni->ni_rstamp = rxi->rxi_tstamp;
2014 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp));
2015 ni->ni_intval = bintval;
2016 ni->ni_capinfo = capinfo;
2017 ni->ni_erp = erp;
2018 /* NB: must be after ni_chan is setup */
2019 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT);
2020 #ifndef IEEE80211_STA_ONLY
2021 if (ic->ic_opmode == IEEE80211_M_IBSS && is_new && isprobe) {
2022 /*
2023 * Fake an association so the driver can setup its
2024 * private state. The rate set has been setup above;
2025 * there is no handshake as in ap/station operation.
2026 */
2027 if (ic->ic_newassoc)
2028 (*ic->ic_newassoc)(ic, ni, 1);
2029 }
2030 #endif
2031 }
2032
2033 #ifndef IEEE80211_STA_ONLY
2034 /*-
2035 * Probe request frame format:
2036 * [tlv] SSID
2037 * [tlv] Supported rates
2038 * [tlv] Extended Supported Rates (802.11g)
2039 * [tlv] HT Capabilities (802.11n)
2040 */
2041 void
2042 ieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m,
2043 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi)
2044 {
2045 const struct ieee80211_frame *wh;
2046 const u_int8_t *frm, *efrm;
2047 const u_int8_t *ssid, *rates, *xrates, *htcaps, *vhtcaps;
2048 u_int8_t rate;
2049
2050 if (ic->ic_opmode == IEEE80211_M_STA ||
2051 ic->ic_state != IEEE80211_S_RUN)
2052 return;
2053
2054 wh = mtod(m, struct ieee80211_frame *);
2055 frm = (const u_int8_t *)&wh[1];
2056 efrm = mtod(m, u_int8_t *) + m->m_len;
2057
2058 ssid = rates = xrates = htcaps = vhtcaps = NULL;
2059 while (frm + 2 <= efrm) {
2060 if (frm + 2 + frm[1] > efrm) {
2061 ic->ic_stats.is_rx_elem_toosmall++;
2062 break;
2063 }
2064 switch (frm[0]) {
2065 case IEEE80211_ELEMID_SSID:
2066 ssid = frm;
2067 break;
2068 case IEEE80211_ELEMID_RATES:
2069 rates = frm;
2070 break;
2071 case IEEE80211_ELEMID_XRATES:
2072 xrates = frm;
2073 break;
2074 case IEEE80211_ELEMID_HTCAPS:
2075 htcaps = frm;
2076 break;
2077 case IEEE80211_ELEMID_VHTCAPS:
2078 vhtcaps = frm;
2079 break;
2080 }
2081 frm += 2 + frm[1];
2082 }
2083 /* supported rates element is mandatory */
2084 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) {
2085 DPRINTF(("invalid supported rates element\n"));
2086 return;
2087 }
2088 /* SSID element is mandatory */
2089 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) {
2090 DPRINTF(("invalid SSID element\n"));
2091 return;
2092 }
2093 /* check that the specified SSID (if not wildcard) matches ours */
2094 if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen ||
2095 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) {
2096 DPRINTF(("SSID mismatch\n"));
2097 ic->ic_stats.is_rx_ssidmismatch++;
2098 return;
2099 }
2100 /* refuse wildcard SSID if we're hiding our SSID in beacons */
2101 if (ssid[1] == 0 && (ic->ic_userflags & IEEE80211_F_HIDENWID)) {
2102 DPRINTF(("wildcard SSID rejected"));
2103 ic->ic_stats.is_rx_ssidmismatch++;
2104 return;
2105 }
2106
2107 if (ni == ic->ic_bss) {
2108 ni = ieee80211_find_node(ic, wh->i_addr2);
2109 if (ni == NULL)
2110 ni = ieee80211_dup_bss(ic, wh->i_addr2);
2111 if (ni == NULL)
2112 return;
2113 DPRINTF(("new probe req from %s\n",
2114 ether_sprintf((u_int8_t *)wh->i_addr2)));
2115 }
2116 ni->ni_rssi = rxi->rxi_rssi;
2117 ni->ni_rstamp = rxi->rxi_tstamp;
2118 rate = ieee80211_setup_rates(ic, ni, rates, xrates,
2119 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO |
2120 IEEE80211_F_DODEL);
2121 if (rate & IEEE80211_RATE_BASIC) {
2122 DPRINTF(("rate mismatch for %s\n",
2123 ether_sprintf((u_int8_t *)wh->i_addr2)));
2124 return;
2125 }
2126 if (htcaps)
2127 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]);
2128 else
2129 ieee80211_clear_htcaps(ni);
2130 if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ic->ic_bss->ni_chan))
2131 ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]);
2132 else
2133 ieee80211_clear_vhtcaps(ni);
2134 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0);
2135 }
2136 #endif /* IEEE80211_STA_ONLY */
2137
2138 /*-
2139 * Authentication frame format:
2140 * [2] Authentication algorithm number
2141 * [2] Authentication transaction sequence number
2142 * [2] Status code
2143 */
2144 void
2145 ieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m,
2146 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi)
2147 {
2148 const struct ieee80211_frame *wh;
2149 const u_int8_t *frm;
2150 u_int16_t algo, seq, status;
2151
2152 /* make sure all mandatory fixed fields are present */
2153 if (m->m_len < sizeof(*wh) + 6) {
2154 DPRINTF(("frame too short\n"));
2155 return;
2156 }
2157 wh = mtod(m, struct ieee80211_frame *);
2158 frm = (const u_int8_t *)&wh[1];
2159
2160 algo = LE_READ_2(frm); frm += 2;
2161 seq = LE_READ_2(frm); frm += 2;
2162 status = LE_READ_2(frm); frm += 2;
2163 DPRINTF(("auth %d seq %d from %s\n", algo, seq,
2164 ether_sprintf((u_int8_t *)wh->i_addr2)));
2165
2166 /* only "open" auth mode is supported */
2167 if (algo != IEEE80211_AUTH_ALG_OPEN) {
2168 DPRINTF(("unsupported auth algorithm %d from %s\n",
2169 algo, ether_sprintf((u_int8_t *)wh->i_addr2)));
2170 ic->ic_stats.is_rx_auth_unsupported++;
2171 #ifndef IEEE80211_STA_ONLY
2172 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2173 /* XXX hack to workaround calling convention */
2174 IEEE80211_SEND_MGMT(ic, ni,
2175 IEEE80211_FC0_SUBTYPE_AUTH,
2176 IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xfff));
2177 }
2178 #endif
2179 return;
2180 }
2181 ieee80211_auth_open(ic, wh, ni, rxi, seq, status);
2182 }
2183
2184 #ifndef IEEE80211_STA_ONLY
2185 /*-
2186 * (Re)Association request frame format:
2187 * [2] Capability information
2188 * [2] Listen interval
2189 * [6*] Current AP address (Reassociation only)
2190 * [tlv] SSID
2191 * [tlv] Supported rates
2192 * [tlv] Extended Supported Rates (802.11g)
2193 * [tlv] RSN (802.11i)
2194 * [tlv] QoS Capability (802.11e)
2195 * [tlv] HT Capabilities (802.11n)
2196 */
2197 void
2198 ieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m,
2199 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc)
2200 {
2201 const struct ieee80211_frame *wh;
2202 const u_int8_t *frm, *efrm;
2203 const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *wmeie;
2204 const u_int8_t *htcaps, *vhtcaps;
2205 u_int16_t capinfo, bintval;
2206 int resp, status = 0;
2207 struct ieee80211_rsnparams rsn;
2208 u_int8_t rate;
2209 const u_int8_t *saveie = NULL;
2210
2211 if (ic->ic_opmode != IEEE80211_M_HOSTAP ||
2212 ic->ic_state != IEEE80211_S_RUN)
2213 return;
2214
2215 /* make sure all mandatory fixed fields are present */
2216 if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) {
2217 DPRINTF(("frame too short\n"));
2218 return;
2219 }
2220 wh = mtod(m, struct ieee80211_frame *);
2221 frm = (const u_int8_t *)&wh[1];
2222 efrm = mtod(m, u_int8_t *) + m->m_len;
2223
2224 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) {
2225 DPRINTF(("ignore other bss from %s\n",
2226 ether_sprintf((u_int8_t *)wh->i_addr2)));
2227 ic->ic_stats.is_rx_assoc_bss++;
2228 return;
2229 }
2230 capinfo = LE_READ_2(frm); frm += 2;
2231 bintval = LE_READ_2(frm); frm += 2;
2232 if (reassoc) {
2233 frm += IEEE80211_ADDR_LEN; /* skip current AP address */
2234 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
2235 } else
2236 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
2237
2238 ssid = rates = xrates = rsnie = wpaie = wmeie = htcaps = vhtcaps = NULL;
2239 while (frm + 2 <= efrm) {
2240 if (frm + 2 + frm[1] > efrm) {
2241 ic->ic_stats.is_rx_elem_toosmall++;
2242 break;
2243 }
2244 switch (frm[0]) {
2245 case IEEE80211_ELEMID_SSID:
2246 ssid = frm;
2247 break;
2248 case IEEE80211_ELEMID_RATES:
2249 rates = frm;
2250 break;
2251 case IEEE80211_ELEMID_XRATES:
2252 xrates = frm;
2253 break;
2254 case IEEE80211_ELEMID_RSN:
2255 rsnie = frm;
2256 break;
2257 case IEEE80211_ELEMID_QOS_CAP:
2258 break;
2259 case IEEE80211_ELEMID_HTCAPS:
2260 htcaps = frm;
2261 break;
2262 case IEEE80211_ELEMID_VHTCAPS:
2263 vhtcaps = frm;
2264 break;
2265 case IEEE80211_ELEMID_VENDOR:
2266 if (frm[1] < 4) {
2267 ic->ic_stats.is_rx_elem_toosmall++;
2268 break;
2269 }
2270 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) {
2271 if (frm[5] == 1)
2272 wpaie = frm;
2273 /* WME info IE: len=7 type=2 subtype=0 */
2274 if (frm[1] == 7 && frm[5] == 2 && frm[6] == 0)
2275 wmeie = frm;
2276 }
2277 break;
2278 }
2279 frm += 2 + frm[1];
2280 }
2281 /* supported rates element is mandatory */
2282 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) {
2283 DPRINTF(("invalid supported rates element\n"));
2284 return;
2285 }
2286 /* SSID element is mandatory */
2287 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) {
2288 DPRINTF(("invalid SSID element\n"));
2289 return;
2290 }
2291 /* check that the specified SSID matches ours */
2292 if (ssid[1] != ic->ic_bss->ni_esslen ||
2293 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) {
2294 DPRINTF(("SSID mismatch\n"));
2295 ic->ic_stats.is_rx_ssidmismatch++;
2296 return;
2297 }
2298
2299 if (ni->ni_state != IEEE80211_STA_AUTH &&
2300 ni->ni_state != IEEE80211_STA_ASSOC) {
2301 DPRINTF(("deny %sassoc from %s, not authenticated\n",
2302 reassoc ? "re" : "",
2303 ether_sprintf((u_int8_t *)wh->i_addr2)));
2304 ni = ieee80211_find_node(ic, wh->i_addr2);
2305 if (ni == NULL)
2306 ni = ieee80211_dup_bss(ic, wh->i_addr2);
2307 if (ni != NULL) {
2308 IEEE80211_SEND_MGMT(ic, ni,
2309 IEEE80211_FC0_SUBTYPE_DEAUTH,
2310 IEEE80211_REASON_ASSOC_NOT_AUTHED);
2311 }
2312 ic->ic_stats.is_rx_assoc_notauth++;
2313 return;
2314 }
2315
2316 if (ni->ni_state == IEEE80211_STA_ASSOC &&
2317 (ni->ni_flags & IEEE80211_NODE_MFP)) {
2318 if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) {
2319 /* send a protected Disassociate frame */
2320 IEEE80211_SEND_MGMT(ic, ni,
2321 IEEE80211_FC0_SUBTYPE_DISASSOC,
2322 IEEE80211_REASON_AUTH_EXPIRE);
2323 /* terminate the old SA */
2324 ieee80211_node_leave(ic, ni);
2325 } else {
2326 /* reject the (Re)Association Request temporarily */
2327 IEEE80211_SEND_MGMT(ic, ni, resp,
2328 IEEE80211_STATUS_TRY_AGAIN_LATER);
2329 /* start SA Query procedure if not already engaged */
2330 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY))
2331 ieee80211_sa_query_request(ic, ni);
2332 /* do not modify association state */
2333 }
2334 return;
2335 }
2336
2337 if (!(capinfo & IEEE80211_CAPINFO_ESS)) {
2338 ic->ic_stats.is_rx_assoc_capmismatch++;
2339 status = IEEE80211_STATUS_CAPINFO;
2340 goto end;
2341 }
2342 rate = ieee80211_setup_rates(ic, ni, rates, xrates,
2343 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO |
2344 IEEE80211_F_DODEL);
2345 if (rate & IEEE80211_RATE_BASIC) {
2346 ic->ic_stats.is_rx_assoc_norate++;
2347 status = IEEE80211_STATUS_BASIC_RATE;
2348 goto end;
2349 }
2350
2351 ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
2352 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE;
2353 ni->ni_rsnakms = 0;
2354 ni->ni_supported_rsnakms = 0;
2355 ni->ni_rsnciphers = 0;
2356 ni->ni_rsngroupcipher = 0;
2357 ni->ni_rsngroupmgmtcipher = 0;
2358 ni->ni_rsncaps = 0;
2359
2360 /*
2361 * A station should never include both a WPA and an RSN IE
2362 * in its (Re)Association Requests, but if it does, we only
2363 * consider the IE of the highest version of the protocol
2364 * that is allowed (ie RSN over WPA).
2365 */
2366 if (rsnie != NULL) {
2367 status = ieee80211_parse_rsn(ic, rsnie, &rsn);
2368 if (status != 0)
2369 goto end;
2370 ni->ni_supported_rsnprotos = IEEE80211_PROTO_RSN;
2371 ni->ni_supported_rsnakms = rsn.rsn_akms;
2372 if ((ic->ic_flags & IEEE80211_F_RSNON) &&
2373 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) {
2374 ni->ni_rsnprotos = IEEE80211_PROTO_RSN;
2375 saveie = rsnie;
2376 }
2377 } else if (wpaie != NULL) {
2378 status = ieee80211_parse_wpa(ic, wpaie, &rsn);
2379 if (status != 0)
2380 goto end;
2381 ni->ni_supported_rsnprotos = IEEE80211_PROTO_WPA;
2382 ni->ni_supported_rsnakms = rsn.rsn_akms;
2383 if ((ic->ic_flags & IEEE80211_F_RSNON) &&
2384 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) {
2385 ni->ni_rsnprotos = IEEE80211_PROTO_WPA;
2386 saveie = wpaie;
2387 }
2388 }
2389
2390 if (ic->ic_flags & IEEE80211_F_QOS) {
2391 if (wmeie != NULL)
2392 ni->ni_flags |= IEEE80211_NODE_QOS;
2393 else /* for Reassociation */
2394 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2395 }
2396
2397 if (ic->ic_flags & IEEE80211_F_RSNON) {
2398 if (ni->ni_rsnprotos == IEEE80211_PROTO_NONE) {
2399 /*
2400 * In an RSN, an AP shall not associate with STAs
2401 * that fail to include the RSN IE in the
2402 * (Re)Association Request.
2403 */
2404 status = IEEE80211_STATUS_IE_INVALID;
2405 goto end;
2406 }
2407 /*
2408 * The initiating STA's RSN IE shall include one authentication
2409 * and pairwise cipher suite among those advertised by the
2410 * targeted AP. It shall also specify the group cipher suite
2411 * specified by the targeted AP.
2412 */
2413 if (rsn.rsn_nakms != 1 ||
2414 !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) {
2415 status = IEEE80211_STATUS_BAD_AKMP;
2416 ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
2417 goto end;
2418 }
2419 if (rsn.rsn_nciphers != 1 ||
2420 !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) {
2421 status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER;
2422 ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
2423 goto end;
2424 }
2425 if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) {
2426 status = IEEE80211_STATUS_BAD_GROUP_CIPHER;
2427 ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
2428 goto end;
2429 }
2430
2431 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) &&
2432 !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) {
2433 status = IEEE80211_STATUS_MFP_POLICY;
2434 ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
2435 goto end;
2436 }
2437 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) &&
2438 (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC |
2439 IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) {
2440 /* STA advertises an invalid setting */
2441 status = IEEE80211_STATUS_MFP_POLICY;
2442 ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
2443 goto end;
2444 }
2445 /*
2446 * A STA that has associated with Management Frame Protection
2447 * enabled shall not use cipher suite pairwise selector WEP40,
2448 * WEP104, TKIP, or "Use Group cipher suite".
2449 */
2450 if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) &&
2451 (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP ||
2452 rsn.rsn_groupmgmtcipher !=
2453 ic->ic_bss->ni_rsngroupmgmtcipher)) {
2454 status = IEEE80211_STATUS_MFP_POLICY;
2455 ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
2456 goto end;
2457 }
2458
2459 /*
2460 * Disallow new associations using TKIP if countermeasures
2461 * are active.
2462 */
2463 if ((ic->ic_flags & IEEE80211_F_COUNTERM) &&
2464 (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP ||
2465 rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) {
2466 status = IEEE80211_STATUS_CIPHER_REJ_POLICY;
2467 ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
2468 goto end;
2469 }
2470
2471 /* everything looks fine, save IE and parameters */
2472 if (saveie == NULL ||
2473 ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) {
2474 status = IEEE80211_STATUS_TOOMANY;
2475 ni->ni_rsnprotos = IEEE80211_PROTO_NONE;
2476 goto end;
2477 }
2478 ni->ni_rsnakms = rsn.rsn_akms;
2479 ni->ni_rsnciphers = rsn.rsn_ciphers;
2480 ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher;
2481 ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher;
2482 ni->ni_rsncaps = rsn.rsn_caps;
2483
2484 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) {
2485 struct ieee80211_pmk *pmk = NULL;
2486 const u_int8_t *pmkid = rsn.rsn_pmkids;
2487 /*
2488 * Check if we have a cached PMK entry matching one
2489 * of the PMKIDs specified in the RSN IE.
2490 */
2491 while (rsn.rsn_npmkids-- > 0) {
2492 pmk = ieee80211_pmksa_find(ic, ni, pmkid);
2493 if (pmk != NULL)
2494 break;
2495 pmkid += IEEE80211_PMKID_LEN;
2496 }
2497 if (pmk != NULL) {
2498 memcpy(ni->ni_pmk, pmk->pmk_key,
2499 IEEE80211_PMK_LEN);
2500 memcpy(ni->ni_pmkid, pmk->pmk_pmkid,
2501 IEEE80211_PMKID_LEN);
2502 ni->ni_flags |= IEEE80211_NODE_PMK;
2503 }
2504 }
2505 }
2506
2507 ni->ni_rssi = rxi->rxi_rssi;
2508 ni->ni_rstamp = rxi->rxi_tstamp;
2509 ni->ni_intval = bintval;
2510 ni->ni_capinfo = capinfo;
2511 ni->ni_chan = ic->ic_bss->ni_chan;
2512 if (htcaps)
2513 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]);
2514 else
2515 ieee80211_clear_htcaps(ni);
2516 if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ic->ic_bss->ni_chan))
2517 ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]);
2518 else
2519 ieee80211_clear_vhtcaps(ni);
2520 end:
2521 if (status != 0) {
2522 IEEE80211_SEND_MGMT(ic, ni, resp, status);
2523 ieee80211_node_leave(ic, ni);
2524 } else
2525 ieee80211_node_join(ic, ni, resp);
2526 }
2527 #endif /* IEEE80211_STA_ONLY */
2528
2529 /*-
2530 * (Re)Association response frame format:
2531 * [2] Capability information
2532 * [2] Status code
2533 * [2] Association ID (AID)
2534 * [tlv] Supported rates
2535 * [tlv] Extended Supported Rates (802.11g)
2536 * [tlv] EDCA Parameter Set (802.11e)
2537 * [tlv] HT Capabilities (802.11n)
2538 * [tlv] HT Operation (802.11n)
2539 */
2540 void
2541 ieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m,
2542 struct ieee80211_node *ni, int reassoc)
2543 {
2544 struct ifnet *ifp = &ic->ic_if;
2545 const struct ieee80211_frame *wh;
2546 const u_int8_t *frm, *efrm;
2547 const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop;
2548 const u_int8_t *vhtcaps, *vhtop;
2549 u_int16_t capinfo, status, associd;
2550 u_int8_t rate;
2551
2552 if (ic->ic_opmode != IEEE80211_M_STA ||
2553 ic->ic_state != IEEE80211_S_ASSOC) {
2554 ic->ic_stats.is_rx_mgtdiscard++;
2555 return;
2556 }
2557
2558 /* make sure all mandatory fixed fields are present */
2559 if (m->m_len < sizeof(*wh) + 6) {
2560 DPRINTF(("frame too short\n"));
2561 return;
2562 }
2563 wh = mtod(m, struct ieee80211_frame *);
2564 frm = (const u_int8_t *)&wh[1];
2565 efrm = mtod(m, u_int8_t *) + m->m_len;
2566
2567 capinfo = LE_READ_2(frm); frm += 2;
2568 status = LE_READ_2(frm); frm += 2;
2569 if (status != IEEE80211_STATUS_SUCCESS) {
2570 if (ifp->if_flags & IFF_DEBUG)
2571 printf("%s: %sassociation failed (status %d)"
2572 " for %s\n", ifp->if_xname,
2573 reassoc ? "re" : "",
2574 status, ether_sprintf((u_int8_t *)wh->i_addr3));
2575 if (ni != ic->ic_bss)
2576 ni->ni_fails++;
2577 ic->ic_stats.is_rx_auth_fail++;
2578 return;
2579 }
2580 associd = LE_READ_2(frm); frm += 2;
2581
2582 rates = xrates = edcaie = wmmie = htcaps = htop = NULL;
2583 vhtcaps = vhtop = NULL;
2584 while (frm + 2 <= efrm) {
2585 if (frm + 2 + frm[1] > efrm) {
2586 ic->ic_stats.is_rx_elem_toosmall++;
2587 break;
2588 }
2589 switch (frm[0]) {
2590 case IEEE80211_ELEMID_RATES:
2591 rates = frm;
2592 break;
2593 case IEEE80211_ELEMID_XRATES:
2594 xrates = frm;
2595 break;
2596 case IEEE80211_ELEMID_EDCAPARMS:
2597 edcaie = frm;
2598 break;
2599 case IEEE80211_ELEMID_HTCAPS:
2600 htcaps = frm;
2601 break;
2602 case IEEE80211_ELEMID_HTOP:
2603 htop = frm;
2604 break;
2605 case IEEE80211_ELEMID_VHTCAPS:
2606 vhtcaps = frm;
2607 break;
2608 case IEEE80211_ELEMID_VHTOP:
2609 vhtop = frm;
2610 break;
2611 case IEEE80211_ELEMID_VENDOR:
2612 if (frm[1] < 4) {
2613 ic->ic_stats.is_rx_elem_toosmall++;
2614 break;
2615 }
2616 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) {
2617 if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1)
2618 wmmie = frm;
2619 }
2620 break;
2621 }
2622 frm += 2 + frm[1];
2623 }
2624 /* supported rates element is mandatory */
2625 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) {
2626 DPRINTF(("invalid supported rates element\n"));
2627 return;
2628 }
2629 rate = ieee80211_setup_rates(ic, ni, rates, xrates,
2630 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO |
2631 IEEE80211_F_DODEL);
2632 if (rate & IEEE80211_RATE_BASIC) {
2633 DPRINTF(("rate mismatch for %s\n",
2634 ether_sprintf((u_int8_t *)wh->i_addr2)));
2635 ic->ic_stats.is_rx_assoc_norate++;
2636 return;
2637 }
2638 ni->ni_capinfo = capinfo;
2639 ni->ni_associd = associd;
2640 if (edcaie != NULL || wmmie != NULL) {
2641 /* force update of EDCA parameters */
2642 ic->ic_edca_updtcount = -1;
2643
2644 if ((edcaie != NULL &&
2645 ieee80211_parse_edca_params(ic, edcaie) == 0) ||
2646 (wmmie != NULL &&
2647 ieee80211_parse_wmm_params(ic, wmmie) == 0))
2648 ni->ni_flags |= IEEE80211_NODE_QOS;
2649 else /* for Reassociation */
2650 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2651 }
2652 if (htcaps)
2653 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]);
2654 if (htop)
2655 ieee80211_setup_htop(ni, htop + 2, htop[1], 0);
2656 ieee80211_ht_negotiate(ic, ni);
2657
2658 if (htcaps && vhtcaps && IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) {
2659 ieee80211_setup_vhtcaps(ni, vhtcaps + 2, vhtcaps[1]);
2660 if (vhtop && !ieee80211_setup_vhtop(ni, vhtop + 2, vhtop[1], 1))
2661 vhtop = NULL; /* invalid VHTOP */
2662 }
2663 ieee80211_vht_negotiate(ic, ni);
2664
2665 /* Hop into 11n/11ac modes after associating to a HT/VHT AP. */
2666 if (ni->ni_flags & IEEE80211_NODE_VHT)
2667 ieee80211_setmode(ic, IEEE80211_MODE_11AC);
2668 else if (ni->ni_flags & IEEE80211_NODE_HT)
2669 ieee80211_setmode(ic, IEEE80211_MODE_11N);
2670 else
2671 ieee80211_setmode(ic, ieee80211_chan2mode(ic, ni->ni_chan));
2672 /*
2673 * Reset the erp state (mostly the slot time) now that
2674 * our operating mode has been nailed down.
2675 */
2676 ieee80211_reset_erp(ic);
2677
2678 /*
2679 * Configure state now that we are associated.
2680 */
2681 if (ic->ic_curmode == IEEE80211_MODE_11A ||
2682 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE))
2683 ic->ic_flags |= IEEE80211_F_SHPREAMBLE;
2684 else
2685 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE;
2686
2687 ieee80211_set_shortslottime(ic,
2688 ic->ic_curmode == IEEE80211_MODE_11A ||
2689 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
2690 /*
2691 * Honor ERP protection.
2692 */
2693 if ((ic->ic_curmode == IEEE80211_MODE_11G ||
2694 (ic->ic_curmode == IEEE80211_MODE_11N &&
2695 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) &&
2696 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
2697 ic->ic_flags |= IEEE80211_F_USEPROT;
2698 else
2699 ic->ic_flags &= ~IEEE80211_F_USEPROT;
2700 /*
2701 * If not an RSNA, mark the port as valid, otherwise wait for
2702 * 802.1X authentication and 4-way handshake to complete..
2703 */
2704 if (ic->ic_flags & IEEE80211_F_RSNON) {
2705 /* XXX ic->ic_mgt_timer = 5; */
2706 ni->ni_rsn_supp_state = RSNA_SUPP_PTKSTART;
2707 } else if (ic->ic_flags & IEEE80211_F_WEPON)
2708 ni->ni_flags |= IEEE80211_NODE_TXRXPROT;
2709
2710 ieee80211_new_state(ic, IEEE80211_S_RUN,
2711 IEEE80211_FC0_SUBTYPE_ASSOC_RESP);
2712 }
2713
2714 /*-
2715 * Deauthentication frame format:
2716 * [2] Reason code
2717 */
2718 void
2719 ieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m,
2720 struct ieee80211_node *ni)
2721 {
2722 const struct ieee80211_frame *wh;
2723 const u_int8_t *frm;
2724 u_int16_t reason;
2725
2726 /* make sure all mandatory fixed fields are present */
2727 if (m->m_len < sizeof(*wh) + 2) {
2728 DPRINTF(("frame too short\n"));
2729 return;
2730 }
2731 wh = mtod(m, struct ieee80211_frame *);
2732 frm = (const u_int8_t *)&wh[1];
2733
2734 reason = LE_READ_2(frm);
2735
2736 ic->ic_stats.is_rx_deauth++;
2737 switch (ic->ic_opmode) {
2738 case IEEE80211_M_STA: {
2739 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) &&
2740 ic->ic_state == IEEE80211_S_RUN);
2741 int stay_auth = ((ic->ic_userflags & IEEE80211_F_STAYAUTH) &&
2742 ic->ic_state >= IEEE80211_S_AUTH);
2743 if (!(bgscan || stay_auth))
2744 ieee80211_new_state(ic, IEEE80211_S_AUTH,
2745 IEEE80211_FC0_SUBTYPE_DEAUTH);
2746 }
2747 break;
2748 #ifndef IEEE80211_STA_ONLY
2749 case IEEE80211_M_HOSTAP:
2750 if (ni != ic->ic_bss) {
2751 int stay_auth =
2752 ((ic->ic_userflags & IEEE80211_F_STAYAUTH) &&
2753 (ni->ni_state == IEEE80211_STA_AUTH ||
2754 ni->ni_state == IEEE80211_STA_ASSOC));
2755 if (ic->ic_if.if_flags & IFF_DEBUG)
2756 printf("%s: station %s deauthenticated "
2757 "by peer (reason %d)\n",
2758 ic->ic_if.if_xname,
2759 ether_sprintf(ni->ni_macaddr),
2760 reason);
2761 if (!stay_auth)
2762 ieee80211_node_leave(ic, ni);
2763 }
2764 break;
2765 #endif
2766 default:
2767 break;
2768 }
2769 }
2770
2771 /*-
2772 * Disassociation frame format:
2773 * [2] Reason code
2774 */
2775 void
2776 ieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m,
2777 struct ieee80211_node *ni)
2778 {
2779 const struct ieee80211_frame *wh;
2780 const u_int8_t *frm;
2781 u_int16_t reason;
2782
2783 /* make sure all mandatory fixed fields are present */
2784 if (m->m_len < sizeof(*wh) + 2) {
2785 DPRINTF(("frame too short\n"));
2786 return;
2787 }
2788 wh = mtod(m, struct ieee80211_frame *);
2789 frm = (const u_int8_t *)&wh[1];
2790
2791 reason = LE_READ_2(frm);
2792
2793 ic->ic_stats.is_rx_disassoc++;
2794 switch (ic->ic_opmode) {
2795 case IEEE80211_M_STA: {
2796 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) &&
2797 ic->ic_state == IEEE80211_S_RUN);
2798 if (!bgscan) /* ignore disassoc during bgscan */
2799 ieee80211_new_state(ic, IEEE80211_S_ASSOC,
2800 IEEE80211_FC0_SUBTYPE_DISASSOC);
2801 }
2802 break;
2803 #ifndef IEEE80211_STA_ONLY
2804 case IEEE80211_M_HOSTAP:
2805 if (ni != ic->ic_bss) {
2806 if (ic->ic_if.if_flags & IFF_DEBUG)
2807 printf("%s: station %s disassociated "
2808 "by peer (reason %d)\n",
2809 ic->ic_if.if_xname,
2810 ether_sprintf(ni->ni_macaddr),
2811 reason);
2812 ieee80211_node_leave(ic, ni);
2813 }
2814 break;
2815 #endif
2816 default:
2817 break;
2818 }
2819 }
2820
2821 /*-
2822 * ADDBA Request frame format:
2823 * [1] Category
2824 * [1] Action
2825 * [1] Dialog Token
2826 * [2] Block Ack Parameter Set
2827 * [2] Block Ack Timeout Value
2828 * [2] Block Ack Starting Sequence Control
2829 */
2830 void
2831 ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m,
2832 struct ieee80211_node *ni)
2833 {
2834 const struct ieee80211_frame *wh;
2835 const u_int8_t *frm;
2836 struct ieee80211_rx_ba *ba;
2837 u_int16_t params, ssn, bufsz, timeout;
2838 u_int8_t token, tid;
2839 int err = 0;
2840
2841 if (!(ni->ni_flags & IEEE80211_NODE_HT)) {
2842 DPRINTF(("received ADDBA req from non-HT STA %s\n",
2843 ether_sprintf(ni->ni_macaddr)));
2844 return;
2845 }
2846 if (m->m_len < sizeof(*wh) + 9) {
2847 DPRINTF(("frame too short\n"));
2848 return;
2849 }
2850 /* MLME-ADDBA.indication */
2851 wh = mtod(m, struct ieee80211_frame *);
2852 frm = (const u_int8_t *)&wh[1];
2853
2854 token = frm[2];
2855 params = LE_READ_2(&frm[3]);
2856 tid = ((params & IEEE80211_ADDBA_TID_MASK) >>
2857 IEEE80211_ADDBA_TID_SHIFT);
2858 bufsz = (params & IEEE80211_ADDBA_BUFSZ_MASK) >>
2859 IEEE80211_ADDBA_BUFSZ_SHIFT;
2860 timeout = LE_READ_2(&frm[5]);
2861 ssn = LE_READ_2(&frm[7]) >> 4;
2862
2863 ba = &ni->ni_rx_ba[tid];
2864 /* The driver is still processing an ADDBA request for this tid. */
2865 if (ba->ba_state == IEEE80211_BA_REQUESTED)
2866 return;
2867 /* If we are in the process of roaming between APs, ignore. */
2868 if ((ic->ic_flags & IEEE80211_F_BGSCAN) &&
2869 (ic->ic_xflags & IEEE80211_F_TX_MGMT_ONLY))
2870 return;
2871 /* check if we already have a Block Ack agreement for this RA/TID */
2872 if (ba->ba_state == IEEE80211_BA_AGREED) {
2873 /* XXX should we update the timeout value? */
2874 /* reset Block Ack inactivity timer */
2875 if (ba->ba_timeout_val != 0)
2876 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val);
2877
2878 /* check if it's a Protected Block Ack agreement */
2879 if (!(ni->ni_flags & IEEE80211_NODE_MFP) ||
2880 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))
2881 return; /* not a PBAC, ignore */
2882
2883 /* PBAC: treat the ADDBA Request like a BlockAckReq */
2884 if (SEQ_LT(ba->ba_winstart, ssn)) {
2885 struct mbuf_list ml = MBUF_LIST_INITIALIZER();
2886 ieee80211_ba_move_window(ic, ni, tid, ssn, &ml);
2887 if_input(&ic->ic_if, &ml);
2888 }
2889 return;
2890 }
2891
2892 /* if PBAC required but RA does not support it, refuse request */
2893 if ((ic->ic_flags & IEEE80211_F_PBAR) &&
2894 (!(ni->ni_flags & IEEE80211_NODE_MFP) ||
2895 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)))
2896 goto refuse;
2897 /*
2898 * If the TID for which the Block Ack agreement is requested is
2899 * configured with a no-ACK policy, refuse the agreement.
2900 */
2901 if (ic->ic_tid_noack & (1 << tid))
2902 goto refuse;
2903
2904 /* check that we support the requested Block Ack Policy */
2905 if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) &&
2906 !(params & IEEE80211_ADDBA_BA_POLICY))
2907 goto refuse;
2908
2909 /* setup Block Ack agreement */
2910 ba->ba_state = IEEE80211_BA_REQUESTED;
2911 ba->ba_timeout_val = timeout * IEEE80211_DUR_TU;
2912 ba->ba_ni = ni;
2913 ba->ba_token = token;
2914 timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba);
2915 timeout_set(&ba->ba_gap_to, ieee80211_input_ba_gap_timeout, ba);
2916 ba->ba_gapwait = 0;
2917 ba->ba_winsize = bufsz;
2918 if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ)
2919 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ;
2920 ba->ba_params = (params & IEEE80211_ADDBA_BA_POLICY);
2921 ba->ba_params |= ((ba->ba_winsize << IEEE80211_ADDBA_BUFSZ_SHIFT) |
2922 (tid << IEEE80211_ADDBA_TID_SHIFT));
2923 ba->ba_params |= IEEE80211_ADDBA_AMSDU;
2924 ba->ba_winstart = ssn;
2925 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff;
2926 /* allocate and setup our reordering buffer */
2927 ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf),
2928 M_DEVBUF, M_NOWAIT | M_ZERO);
2929 if (ba->ba_buf == NULL)
2930 goto refuse;
2931
2932 ba->ba_head = 0;
2933
2934 /* notify drivers of this new Block Ack agreement */
2935 if (ic->ic_ampdu_rx_start != NULL)
2936 err = ic->ic_ampdu_rx_start(ic, ni, tid);
2937 if (err == EBUSY) {
2938 /* driver will accept or refuse agreement when done */
2939 return;
2940 } else if (err) {
2941 /* driver failed to setup, rollback */
2942 ieee80211_addba_req_refuse(ic, ni, tid);
2943 } else
2944 ieee80211_addba_req_accept(ic, ni, tid);
2945 return;
2946
2947 refuse:
2948 /* MLME-ADDBA.response */
2949 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA,
2950 IEEE80211_ACTION_ADDBA_RESP,
2951 IEEE80211_STATUS_REFUSED << 16 | token << 8 | tid);
2952 }
2953
2954 void
2955 ieee80211_addba_req_accept(struct ieee80211com *ic, struct ieee80211_node *ni,
2956 uint8_t tid)
2957 {
2958 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
2959
2960 ba->ba_state = IEEE80211_BA_AGREED;
2961 ic->ic_stats.is_ht_rx_ba_agreements++;
2962 /* start Block Ack inactivity timer */
2963 if (ba->ba_timeout_val != 0)
2964 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val);
2965
2966 /* MLME-ADDBA.response */
2967 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA,
2968 IEEE80211_ACTION_ADDBA_RESP,
2969 IEEE80211_STATUS_SUCCESS << 16 | ba->ba_token << 8 | tid);
2970 }
2971
2972 void
2973 ieee80211_addba_req_refuse(struct ieee80211com *ic, struct ieee80211_node *ni,
2974 uint8_t tid)
2975 {
2976 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
2977
2978 free(ba->ba_buf, M_DEVBUF,
2979 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf));
2980 ba->ba_buf = NULL;
2981 ba->ba_state = IEEE80211_BA_INIT;
2982
2983 /* MLME-ADDBA.response */
2984 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA,
2985 IEEE80211_ACTION_ADDBA_RESP,
2986 IEEE80211_STATUS_REFUSED << 16 | ba->ba_token << 8 | tid);
2987 }
2988
2989 /*-
2990 * ADDBA Response frame format:
2991 * [1] Category
2992 * [1] Action
2993 * [1] Dialog Token
2994 * [2] Status Code
2995 * [2] Block Ack Parameter Set
2996 * [2] Block Ack Timeout Value
2997 */
2998 void
2999 ieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m,
3000 struct ieee80211_node *ni)
3001 {
3002 const struct ieee80211_frame *wh;
3003 const u_int8_t *frm;
3004 struct ieee80211_tx_ba *ba;
3005 u_int16_t status, params, bufsz, timeout;
3006 u_int8_t token, tid;
3007 int err = 0;
3008
3009 if (m->m_len < sizeof(*wh) + 9) {
3010 DPRINTF(("frame too short\n"));
3011 return;
3012 }
3013 wh = mtod(m, struct ieee80211_frame *);
3014 frm = (const u_int8_t *)&wh[1];
3015
3016 token = frm[2];
3017 status = LE_READ_2(&frm[3]);
3018 params = LE_READ_2(&frm[5]);
3019 tid = (params >> 2) & 0xf;
3020 bufsz = (params >> 6) & 0x3ff;
3021 timeout = LE_READ_2(&frm[7]);
3022
3023 DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n",
3024 ether_sprintf(ni->ni_macaddr), tid, status));
3025
3026 /*
3027 * Ignore if no ADDBA request has been sent for this RA/TID or
3028 * if we already have a Block Ack agreement.
3029 */
3030 ba = &ni->ni_tx_ba[tid];
3031 if (ba->ba_state != IEEE80211_BA_REQUESTED) {
3032 DPRINTF(("no matching ADDBA req found\n"));
3033 return;
3034 }
3035 if (token != ba->ba_token) {
3036 DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n",
3037 ether_sprintf(ni->ni_macaddr), token, ba->ba_token));
3038 return;
3039 }
3040 /* we got an ADDBA Response matching our request, stop timeout */
3041 timeout_del(&ba->ba_to);
3042
3043 if (status != IEEE80211_STATUS_SUCCESS) {
3044 if (ni->ni_addba_req_intval[tid] <
3045 IEEE80211_ADDBA_REQ_INTVAL_MAX)
3046 ni->ni_addba_req_intval[tid]++;
3047
3048 ieee80211_addba_resp_refuse(ic, ni, tid, status);
3049
3050 /*
3051 * In case the peer believes there is an existing
3052 * block ack agreement with us, try to delete it.
3053 */
3054 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA,
3055 IEEE80211_ACTION_DELBA,
3056 IEEE80211_REASON_SETUP_REQUIRED << 16 | 1 << 8 | tid);
3057 return;
3058 }
3059
3060 /* notify drivers of this new Block Ack agreement */
3061 if (ic->ic_ampdu_tx_start != NULL)
3062 err = ic->ic_ampdu_tx_start(ic, ni, tid);
3063
3064 if (err == EBUSY) {
3065 /* driver will accept or refuse agreement when done */
3066 return;
3067 } else if (err) {
3068 /* driver failed to setup, rollback */
3069 ieee80211_addba_resp_refuse(ic, ni, tid,
3070 IEEE80211_STATUS_UNSPECIFIED);
3071 } else
3072 ieee80211_addba_resp_accept(ic, ni, tid);
3073 }
3074
3075 void
3076 ieee80211_addba_resp_accept(struct ieee80211com *ic,
3077 struct ieee80211_node *ni, uint8_t tid)
3078 {
3079 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
3080
3081 /* MLME-ADDBA.confirm(Success) */
3082 ba->ba_state = IEEE80211_BA_AGREED;
3083 ic->ic_stats.is_ht_tx_ba_agreements++;
3084
3085 /* Reset ADDBA request interval. */
3086 ni->ni_addba_req_intval[tid] = 1;
3087
3088 ni->ni_qos_txseqs[tid] = ba->ba_winstart;
3089
3090 /* start Block Ack inactivity timeout */
3091 if (ba->ba_timeout_val != 0)
3092 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val);
3093 }
3094
3095 void
3096 ieee80211_addba_resp_refuse(struct ieee80211com *ic,
3097 struct ieee80211_node *ni, uint8_t tid, uint16_t status)
3098 {
3099 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
3100
3101 /* MLME-ADDBA.confirm(Failure) */
3102 ba->ba_state = IEEE80211_BA_INIT;
3103 }
3104
3105 /*-
3106 * DELBA frame format:
3107 * [1] Category
3108 * [1] Action
3109 * [2] DELBA Parameter Set
3110 * [2] Reason Code
3111 */
3112 void
3113 ieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m,
3114 struct ieee80211_node *ni)
3115 {
3116 const struct ieee80211_frame *wh;
3117 const u_int8_t *frm;
3118 u_int16_t params, reason;
3119 u_int8_t tid;
3120 int i;
3121
3122 if (m->m_len < sizeof(*wh) + 6) {
3123 DPRINTF(("frame too short\n"));
3124 return;
3125 }
3126 wh = mtod(m, struct ieee80211_frame *);
3127 frm = (const u_int8_t *)&wh[1];
3128
3129 params = LE_READ_2(&frm[2]);
3130 reason = LE_READ_2(&frm[4]);
3131 tid = params >> 12;
3132
3133 DPRINTF(("received DELBA from %s, TID %d, reason %d\n",
3134 ether_sprintf(ni->ni_macaddr), tid, reason));
3135
3136 if (params & IEEE80211_DELBA_INITIATOR) {
3137 /* MLME-DELBA.indication(Originator) */
3138 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
3139
3140 if (ba->ba_state != IEEE80211_BA_AGREED) {
3141 DPRINTF(("no matching Block Ack agreement\n"));
3142 return;
3143 }
3144 /* notify drivers of the end of the Block Ack agreement */
3145 if (ic->ic_ampdu_rx_stop != NULL)
3146 ic->ic_ampdu_rx_stop(ic, ni, tid);
3147
3148 ba->ba_state = IEEE80211_BA_INIT;
3149 /* stop Block Ack inactivity timer */
3150 timeout_del(&ba->ba_to);
3151 timeout_del(&ba->ba_gap_to);
3152 ba->ba_gapwait = 0;
3153
3154 if (ba->ba_buf != NULL) {
3155 /* free all MSDUs stored in reordering buffer */
3156 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++)
3157 m_freem(ba->ba_buf[i].m);
3158 /* free reordering buffer */
3159 free(ba->ba_buf, M_DEVBUF,
3160 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf));
3161 ba->ba_buf = NULL;
3162 }
3163 } else {
3164 /* MLME-DELBA.indication(Recipient) */
3165 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
3166
3167 if (ba->ba_state != IEEE80211_BA_AGREED) {
3168 DPRINTF(("no matching Block Ack agreement\n"));
3169 return;
3170 }
3171 /* notify drivers of the end of the Block Ack agreement */
3172 if (ic->ic_ampdu_tx_stop != NULL)
3173 ic->ic_ampdu_tx_stop(ic, ni, tid);
3174
3175 ba->ba_state = IEEE80211_BA_INIT;
3176 /* stop Block Ack inactivity timer */
3177 timeout_del(&ba->ba_to);
3178 }
3179 }
3180
3181 /*-
3182 * SA Query Request frame format:
3183 * [1] Category
3184 * [1] Action
3185 * [2] Transaction Identifier
3186 */
3187 void
3188 ieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m,
3189 struct ieee80211_node *ni)
3190 {
3191 const struct ieee80211_frame *wh;
3192 const u_int8_t *frm;
3193
3194 if (ic->ic_opmode != IEEE80211_M_STA ||
3195 !(ni->ni_flags & IEEE80211_NODE_MFP)) {
3196 DPRINTF(("unexpected SA Query req from %s\n",
3197 ether_sprintf(ni->ni_macaddr)));
3198 return;
3199 }
3200 if (m->m_len < sizeof(*wh) + 4) {
3201 DPRINTF(("frame too short\n"));
3202 return;
3203 }
3204 wh = mtod(m, struct ieee80211_frame *);
3205 frm = (const u_int8_t *)&wh[1];
3206
3207 /* MLME-SAQuery.indication */
3208
3209 /* save Transaction Identifier for SA Query Response */
3210 ni->ni_sa_query_trid = LE_READ_2(&frm[2]);
3211
3212 /* MLME-SAQuery.response */
3213 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY,
3214 IEEE80211_ACTION_SA_QUERY_RESP, 0);
3215 }
3216
3217 #ifndef IEEE80211_STA_ONLY
3218 /*-
3219 * SA Query Response frame format:
3220 * [1] Category
3221 * [1] Action
3222 * [2] Transaction Identifier
3223 */
3224 void
3225 ieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m,
3226 struct ieee80211_node *ni)
3227 {
3228 const struct ieee80211_frame *wh;
3229 const u_int8_t *frm;
3230
3231 /* ignore if we're not engaged in an SA Query with that STA */
3232 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) {
3233 DPRINTF(("unexpected SA Query resp from %s\n",
3234 ether_sprintf(ni->ni_macaddr)));
3235 return;
3236 }
3237 if (m->m_len < sizeof(*wh) + 4) {
3238 DPRINTF(("frame too short\n"));
3239 return;
3240 }
3241 wh = mtod(m, struct ieee80211_frame *);
3242 frm = (const u_int8_t *)&wh[1];
3243
3244 /* check that Transaction Identifier matches */
3245 if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) {
3246 DPRINTF(("transaction identifier does not match\n"));
3247 return;
3248 }
3249 /* MLME-SAQuery.confirm */
3250 timeout_del(&ni->ni_sa_query_to);
3251 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY;
3252 }
3253 #endif
3254
3255 /*-
3256 * Action frame format:
3257 * [1] Category
3258 * [1] Action
3259 */
3260 void
3261 ieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m,
3262 struct ieee80211_node *ni)
3263 {
3264 const struct ieee80211_frame *wh;
3265 const u_int8_t *frm;
3266
3267 if (m->m_len < sizeof(*wh) + 2) {
3268 DPRINTF(("frame too short\n"));
3269 return;
3270 }
3271 wh = mtod(m, struct ieee80211_frame *);
3272 frm = (const u_int8_t *)&wh[1];
3273
3274 switch (frm[0]) {
3275 case IEEE80211_CATEG_BA:
3276 switch (frm[1]) {
3277 case IEEE80211_ACTION_ADDBA_REQ:
3278 ieee80211_recv_addba_req(ic, m, ni);
3279 break;
3280 case IEEE80211_ACTION_ADDBA_RESP:
3281 ieee80211_recv_addba_resp(ic, m, ni);
3282 break;
3283 case IEEE80211_ACTION_DELBA:
3284 ieee80211_recv_delba(ic, m, ni);
3285 break;
3286 }
3287 break;
3288 case IEEE80211_CATEG_SA_QUERY:
3289 switch (frm[1]) {
3290 case IEEE80211_ACTION_SA_QUERY_REQ:
3291 ieee80211_recv_sa_query_req(ic, m, ni);
3292 break;
3293 #ifndef IEEE80211_STA_ONLY
3294 case IEEE80211_ACTION_SA_QUERY_RESP:
3295 ieee80211_recv_sa_query_resp(ic, m, ni);
3296 break;
3297 #endif
3298 }
3299 break;
3300 default:
3301 DPRINTF(("action frame category %d not handled\n", frm[0]));
3302 break;
3303 }
3304 }
3305
3306 void
3307 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m,
3308 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype)
3309 {
3310 switch (subtype) {
3311 case IEEE80211_FC0_SUBTYPE_BEACON:
3312 ieee80211_recv_probe_resp(ic, m, ni, rxi, 0);
3313 break;
3314 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
3315 ieee80211_recv_probe_resp(ic, m, ni, rxi, 1);
3316 break;
3317 #ifndef IEEE80211_STA_ONLY
3318 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
3319 ieee80211_recv_probe_req(ic, m, ni, rxi);
3320 break;
3321 #endif
3322 case IEEE80211_FC0_SUBTYPE_AUTH:
3323 ieee80211_recv_auth(ic, m, ni, rxi);
3324 break;
3325 #ifndef IEEE80211_STA_ONLY
3326 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
3327 ieee80211_recv_assoc_req(ic, m, ni, rxi, 0);
3328 break;
3329 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
3330 ieee80211_recv_assoc_req(ic, m, ni, rxi, 1);
3331 break;
3332 #endif
3333 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
3334 ieee80211_recv_assoc_resp(ic, m, ni, 0);
3335 break;
3336 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
3337 ieee80211_recv_assoc_resp(ic, m, ni, 1);
3338 break;
3339 case IEEE80211_FC0_SUBTYPE_DEAUTH:
3340 ieee80211_recv_deauth(ic, m, ni);
3341 break;
3342 case IEEE80211_FC0_SUBTYPE_DISASSOC:
3343 ieee80211_recv_disassoc(ic, m, ni);
3344 break;
3345 case IEEE80211_FC0_SUBTYPE_ACTION:
3346 ieee80211_recv_action(ic, m, ni);
3347 break;
3348 default:
3349 DPRINTF(("mgmt frame with subtype 0x%x not handled\n",
3350 subtype));
3351 ic->ic_stats.is_rx_badsubtype++;
3352 break;
3353 }
3354 }
3355
3356 #ifndef IEEE80211_STA_ONLY
3357 /*
3358 * Process an incoming PS-Poll control frame (see 11.2).
3359 */
3360 void
3361 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m,
3362 struct ieee80211_node *ni)
3363 {
3364 struct ifnet *ifp = &ic->ic_if;
3365 struct ieee80211_frame_pspoll *psp;
3366 struct ieee80211_frame *wh;
3367 u_int16_t aid;
3368
3369 if (ic->ic_opmode != IEEE80211_M_HOSTAP ||
3370 !(ic->ic_caps & IEEE80211_C_APPMGT) ||
3371 ni->ni_state != IEEE80211_STA_ASSOC)
3372 return;
3373
3374 if (m->m_len < sizeof(*psp)) {
3375 DPRINTF(("frame too short, len %u\n", m->m_len));
3376 ic->ic_stats.is_rx_tooshort++;
3377 return;
3378 }
3379 psp = mtod(m, struct ieee80211_frame_pspoll *);
3380 if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) {
3381 DPRINTF(("discard pspoll frame to BSS %s\n",
3382 ether_sprintf(psp->i_bssid)));
3383 ic->ic_stats.is_rx_wrongbss++;
3384 return;
3385 }
3386 aid = letoh16(*(u_int16_t *)psp->i_aid);
3387 if (aid != ni->ni_associd) {
3388 DPRINTF(("invalid pspoll aid %x from %s\n", aid,
3389 ether_sprintf(psp->i_ta)));
3390 return;
3391 }
3392
3393 /* take the first queued frame and put it out.. */
3394 m = mq_dequeue(&ni->ni_savedq);
3395 if (m == NULL)
3396 return;
3397 if (mq_empty(&ni->ni_savedq)) {
3398 /* last queued frame, turn off the TIM bit */
3399 (*ic->ic_set_tim)(ic, ni->ni_associd, 0);
3400 } else {
3401 /* more queued frames, set the more data bit */
3402 wh = mtod(m, struct ieee80211_frame *);
3403 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA;
3404 }
3405 mq_enqueue(&ic->ic_pwrsaveq, m);
3406 if_start(ifp);
3407 }
3408 #endif /* IEEE80211_STA_ONLY */
3409
3410 /*
3411 * Process an incoming BlockAckReq control frame (see 7.2.1.7).
3412 */
3413 void
3414 ieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m,
3415 struct ieee80211_node *ni)
3416 {
3417 const struct ieee80211_frame_min *wh;
3418 const u_int8_t *frm;
3419 u_int16_t ctl, ssn;
3420 u_int8_t tid, ntids;
3421
3422 if (!(ni->ni_flags & IEEE80211_NODE_HT)) {
3423 DPRINTF(("received BlockAckReq from non-HT STA %s\n",
3424 ether_sprintf(ni->ni_macaddr)));
3425 return;
3426 }
3427 if (m->m_len < sizeof(*wh) + 4) {
3428 DPRINTF(("frame too short\n"));
3429 return;
3430 }
3431 wh = mtod(m, struct ieee80211_frame_min *);
3432 frm = (const u_int8_t *)&wh[1];
3433
3434 /* read BlockAckReq Control field */
3435 ctl = LE_READ_2(&frm[0]);
3436 tid = ctl >> 12;
3437
3438 /* determine BlockAckReq frame variant */
3439 if (ctl & IEEE80211_BA_MULTI_TID) {
3440 /* Multi-TID BlockAckReq variant (PSMP only) */
3441 ntids = tid + 1;
3442
3443 if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) {
3444 DPRINTF(("MTBAR frame too short\n"));
3445 return;
3446 }
3447 frm += 2; /* skip BlockAckReq Control field */
3448 while (ntids-- > 0) {
3449 /* read MTBAR Information field */
3450 tid = LE_READ_2(&frm[0]) >> 12;
3451 ssn = LE_READ_2(&frm[2]) >> 4;
3452 ieee80211_bar_tid(ic, ni, tid, ssn);
3453 frm += 4;
3454 }
3455 } else {
3456 /* Basic or Compressed BlockAckReq variants */
3457 ssn = LE_READ_2(&frm[2]) >> 4;
3458 ieee80211_bar_tid(ic, ni, tid, ssn);
3459 }
3460 }
3461
3462 /*
3463 * Process a BlockAckReq for a specific TID (see 9.10.7.6.3).
3464 * This is the common back-end for all BlockAckReq frame variants.
3465 */
3466 void
3467 ieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni,
3468 u_int8_t tid, u_int16_t ssn)
3469 {
3470 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
3471
3472 /* check if we have a Block Ack agreement for RA/TID */
3473 if (ba->ba_state != IEEE80211_BA_AGREED) {
3474 /* XXX not sure in PBAC case */
3475 /* send a DELBA with reason code UNKNOWN-BA */
3476 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA,
3477 IEEE80211_ACTION_DELBA,
3478 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid);
3479 return;
3480 }
3481 /* check if it is a Protected Block Ack agreement */
3482 if ((ni->ni_flags & IEEE80211_NODE_MFP) &&
3483 (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) {
3484 /* ADDBA Requests must be used in PBAC case */
3485 if (SEQ_LT(ssn, ba->ba_winstart) ||
3486 SEQ_LT(ba->ba_winend, ssn))
3487 ic->ic_stats.is_pbac_errs++;
3488 return; /* PBAC, do not move window */
3489 }
3490 /* reset Block Ack inactivity timer */
3491 if (ba->ba_timeout_val != 0)
3492 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val);
3493
3494 if (SEQ_LT(ba->ba_winstart, ssn)) {
3495 struct mbuf_list ml = MBUF_LIST_INITIALIZER();
3496 ieee80211_ba_move_window(ic, ni, tid, ssn, &ml);
3497 if_input(&ic->ic_if, &ml);
3498 }
3499 }
Cache object: 78897a5367ff586019d85578a66ec830
|