1 /*-
2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26 #include <sys/cdefs.h>
27 #ifdef __FreeBSD__
28 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_sta.c,v 1.11 2008/10/30 16:22:04 sam Exp $");
29 #endif
30
31 /*
32 * IEEE 802.11 Station mode support.
33 */
34 #include "opt_inet.h"
35 #include "opt_wlan.h"
36
37 #include <sys/param.h>
38 #include <sys/systm.h>
39 #include <sys/mbuf.h>
40 #include <sys/malloc.h>
41 #include <sys/kernel.h>
42
43 #include <sys/socket.h>
44 #include <sys/sockio.h>
45 #include <sys/endian.h>
46 #include <sys/errno.h>
47 #include <sys/proc.h>
48 #include <sys/sysctl.h>
49
50 #include <net/if.h>
51 #include <net/if_media.h>
52 #include <net/if_llc.h>
53 #include <net/ethernet.h>
54
55 #include <net/bpf.h>
56
57 #include <net80211/ieee80211_var.h>
58 #include <net80211/ieee80211_sta.h>
59 #include <net80211/ieee80211_input.h>
60
/* Convert an 802.11 rate code (units of 500 kb/s, flag bits masked) to Mb/s. */
#define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)

/* Station-mode vap methods; sta_vattach() installs all of them on a vap. */
static void sta_vattach(struct ieee80211vap *);
static void sta_beacon_miss(struct ieee80211vap *);
static int sta_newstate(struct ieee80211vap *, enum ieee80211_state, int);
static int sta_input(struct ieee80211_node *, struct mbuf *,
	int rssi, int noise, uint32_t rstamp);
static void sta_recv_mgmt(struct ieee80211_node *, struct mbuf *,
	int subtype, int rssi, int noise, uint32_t rstamp);
70
/*
 * Register the station-mode vap attach hook with the com structure;
 * sta_vattach() installs the per-vap methods for IEEE80211_M_STA vaps.
 */
void
ieee80211_sta_attach(struct ieee80211com *ic)
{
	ic->ic_vattach[IEEE80211_M_STA] = sta_vattach;
}
76
/*
 * Nothing to undo: ieee80211_sta_attach() only stores a function
 * pointer in ic_vattach.
 */
void
ieee80211_sta_detach(struct ieee80211com *ic)
{
}
81
/*
 * Per-vap teardown hook (iv_opdetach).  Station mode keeps no
 * private per-vap state in this file, so there is nothing to free.
 */
static void
sta_vdetach(struct ieee80211vap *vap)
{
}
86
/*
 * Per-vap attach hook: point the vap's method table at the
 * station-mode implementations in this file.  The stores are
 * independent of one another.
 */
static void
sta_vattach(struct ieee80211vap *vap)
{
	/* Event hooks first, then the per-frame entry points. */
	vap->iv_bmiss = sta_beacon_miss;
	vap->iv_opdetach = sta_vdetach;
	vap->iv_newstate = sta_newstate;
	vap->iv_recv_mgmt = sta_recv_mgmt;
	vap->iv_input = sta_input;
}
96
/*
 * Beacon miss handler for station mode (iv_bmiss).  The common code
 * has already filtered the spurious events that occur while scanning
 * or before RUN state is reached; both conditions are asserted here.
 *
 * Misses below iv_bmiss_max are answered with a directed probe request
 * to the current bss rather than a scan.  Once the threshold is hit
 * the counter is reset and we give up on the ap: under automatic
 * roaming we try to reassociate, otherwise we drop into SCAN so that
 * whoever controls roaming sees the state change.
 */
static void
sta_beacon_miss(struct ieee80211vap *vap)
{
	struct ieee80211com *ic = vap->iv_ic;
	struct ieee80211_node *bss = vap->iv_bss;

	KASSERT((ic->ic_flags & IEEE80211_F_SCAN) == 0, ("scanning"));
	KASSERT(vap->iv_state == IEEE80211_S_RUN,
	    ("wrong state %d", vap->iv_state));

	IEEE80211_DPRINTF(vap,
	    IEEE80211_MSG_STATE | IEEE80211_MSG_DEBUG,
	    "beacon miss, mode %u state %s\n",
	    vap->iv_opmode, ieee80211_state_name[vap->iv_state]);

	vap->iv_bmiss_count++;
	if (vap->iv_bmiss_count < vap->iv_bmiss_max) {
		/*
		 * Below threshold.  Some cards report beacon misses
		 * spuriously, so probe the ap directly before paying
		 * for a scan; a probe response is expected to reset
		 * iv_bmiss_count (handled outside this function).
		 */
		ieee80211_send_probereq(bss, vap->iv_myaddr,
		    bss->ni_bssid, bss->ni_bssid,
		    bss->ni_essid, bss->ni_esslen);
		return;
	}

	/* Threshold reached: account for it and start counting again. */
	vap->iv_bmiss_count = 0;
	vap->iv_stats.is_beacon_miss++;

	if (vap->iv_roaming != IEEE80211_ROAMING_AUTO) {
		/*
		 * Somebody else (e.g. a user-mode app) controls state
		 * changes; don't do anything that would confuse them,
		 * just drop into SCAN so they are notified of the
		 * change and given control.
		 */
		ieee80211_new_state(vap, IEEE80211_S_SCAN, 0);
		return;
	}

	/*
	 * Dynamic turbo: attempt to switch modes before reassociating.
	 */
	if (IEEE80211_ATH_CAP(vap, bss, IEEE80211_NODE_TURBOP))
		ieee80211_dturbo_switch(vap,
		    ic->ic_bsschan->ic_flags ^ IEEE80211_CHAN_TURBO);
	/* Try to reassociate before scanning for a new ap. */
	ieee80211_new_state(vap, IEEE80211_S_ASSOC, 1);
}
154
/*
 * Return non-zero when a deauth/assoc failure with the given reason
 * or status code is one we may recover from by authenticating again
 * with the same ap.
 */
static __inline int
sta_authretry_worthwhile(int reason)
{
	return (reason == IEEE80211_STATUS_SUCCESS ||	/* NB: MLME assoc */
	    reason == IEEE80211_STATUS_TIMEOUT ||
	    reason == IEEE80211_REASON_ASSOC_EXPIRE ||
	    reason == IEEE80211_REASON_NOT_AUTHED ||
	    reason == IEEE80211_REASON_NOT_ASSOCED ||
	    reason == IEEE80211_REASON_ASSOC_LEAVE ||
	    reason == IEEE80211_REASON_ASSOC_NOT_AUTHED);
}

/*
 * Handle deauth with reason.  We retry (send a fresh auth frame,
 * sequence 1) only for the cases where we might succeed.  Otherwise
 * the ap is downgraded in the scan cache and, under automatic
 * roaming, a scan for another ap is kicked off.
 */
static void
sta_authretry(struct ieee80211vap *vap, struct ieee80211_node *ni, int reason)
{
	if (sta_authretry_worthwhile(reason)) {
		IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, 1);
		return;
	}
	ieee80211_scan_assoc_fail(vap, vap->iv_bss->ni_macaddr, reason);
	if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
		ieee80211_check_scan_current(vap);
}
180
/*
 * IEEE80211_M_STA vap state machine handler.
 * This routine handles the main states in the 802.11 protocol.
 *
 * Called through iv_newstate with the com lock held.  The new state
 * is stored in iv_state before any work is done (the AUTH-from-RUN
 * case below relies on this to put the old state back).  On every
 * transition the management-send callout is stopped, a background
 * scan is cancelled unless we are leaving SCAN, and the software
 * beacon-miss timer is stopped; entering RUN re-arms the latter.
 *
 * The meaning of arg depends on the transition:
 *   SCAN  from SCAN/AUTH/ASSOC: a non-zero arg is the failure cause
 *         handed to the scan code.
 *   AUTH  from AUTH/ASSOC/RUN: the mgmt subtype that triggered the
 *         transition is in the low byte, a reason code in the high byte.
 *   ASSOC from RUN/SLEEP: a non-zero arg selects a reassoc request.
 *   RUN   from AUTH/ASSOC: arg is compared against ASSOC_RESP when
 *         notifying the node join.
 * Old/new pairs not handled below are logged as unexpected and
 * otherwise ignored.  Always returns 0.
 */
static int
sta_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
{
	struct ieee80211com *ic = vap->iv_ic;
	struct ieee80211_node *ni;
	enum ieee80211_state ostate;

	IEEE80211_LOCK_ASSERT(ic);

	ostate = vap->iv_state;
	IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
	    __func__, ieee80211_state_name[ostate],
	    ieee80211_state_name[nstate], arg);
	vap->iv_state = nstate;			/* state transition */
	callout_stop(&vap->iv_mgtsend);		/* XXX callout_drain */
	if (ostate != IEEE80211_S_SCAN)
		ieee80211_cancel_scan(vap);	/* background scan */
	ni = vap->iv_bss;			/* NB: no reference held */
	/* Stopped unconditionally; restarted below only when entering RUN. */
	if (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS)
		callout_stop(&vap->iv_swbmiss);
	switch (nstate) {
	case IEEE80211_S_INIT:
		switch (ostate) {
		case IEEE80211_S_SLEEP:
			/* XXX wakeup */
			/* FALLTHROUGH: leaving SLEEP is torn down like RUN */
		case IEEE80211_S_RUN:
			IEEE80211_SEND_MGMT(ni,
			    IEEE80211_FC0_SUBTYPE_DISASSOC,
			    IEEE80211_REASON_ASSOC_LEAVE);
			ieee80211_sta_leave(ni);
			break;
		case IEEE80211_S_ASSOC:
			IEEE80211_SEND_MGMT(ni,
			    IEEE80211_FC0_SUBTYPE_DEAUTH,
			    IEEE80211_REASON_AUTH_LEAVE);
			break;
		case IEEE80211_S_SCAN:
			ieee80211_cancel_scan(vap);
			break;
		default:
			/* NB: INIT -> INIT and AUTH -> INIT land here */
			goto invalid;
		}
		if (ostate != IEEE80211_S_INIT) {
			/* NB: optimize INIT -> INIT case */
			/*
			 * NB: ostate is never INIT at this point (that
			 * case took the goto above), so the bss is
			 * always reset when we get here.
			 */
			ieee80211_reset_bss(vap);
		}
		/* Let the authenticator (if any) tear down its state. */
		if (vap->iv_auth->ia_detach != NULL)
			vap->iv_auth->ia_detach(vap);
		break;
	case IEEE80211_S_SCAN:
		switch (ostate) {
		case IEEE80211_S_INIT:
			/*
			 * Initiate a scan.  We can come here as a result
			 * of an IEEE80211_IOC_SCAN_REQ too in which case
			 * the vap will be marked with IEEE80211_FEXT_SCANREQ
			 * and the scan request parameters will be present
			 * in iv_scanreq.  Otherwise we do the default.
			 */
			if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
				ieee80211_check_scan(vap,
				    vap->iv_scanreq_flags,
				    vap->iv_scanreq_duration,
				    vap->iv_scanreq_mindwell,
				    vap->iv_scanreq_maxdwell,
				    vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
				/* One-shot: the request is consumed here. */
				vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
			} else
				ieee80211_check_scan_current(vap);
			break;
		case IEEE80211_S_SCAN:
		case IEEE80211_S_AUTH:
		case IEEE80211_S_ASSOC:
			/*
			 * These can happen either because of a timeout
			 * on an assoc/auth response or because of a
			 * change in state that requires a reset.  For
			 * the former we're called with a non-zero arg
			 * that is the cause for the failure; pass this
			 * to the scan code so it can update state.
			 * Otherwise trigger a new scan unless we're in
			 * manual roaming mode in which case an application
			 * must issue an explicit scan request.
			 */
			if (arg != 0)
				ieee80211_scan_assoc_fail(vap,
				    vap->iv_bss->ni_macaddr, arg);
			if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
				ieee80211_check_scan_current(vap);
			break;
		case IEEE80211_S_RUN:		/* beacon miss */
			/*
			 * Beacon miss.  Notify user space and if not
			 * under control of a user application (roaming
			 * manual) kick off a scan to re-connect.
			 */
			ieee80211_sta_leave(ni);
			if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
				ieee80211_check_scan_current(vap);
			break;
		default:
			goto invalid;
		}
		break;
	case IEEE80211_S_AUTH:
		switch (ostate) {
		case IEEE80211_S_INIT:
		case IEEE80211_S_SCAN:
			/* Start the exchange: auth frame, sequence 1. */
			IEEE80211_SEND_MGMT(ni,
			    IEEE80211_FC0_SUBTYPE_AUTH, 1);
			break;
		case IEEE80211_S_AUTH:
		case IEEE80211_S_ASSOC:
			/*
			 * arg packs the triggering mgmt subtype in the
			 * low byte and the reason code in the high byte.
			 * Other subtypes are silently ignored here.
			 */
			switch (arg & 0xff) {
			case IEEE80211_FC0_SUBTYPE_AUTH:
				/* ??? */
				IEEE80211_SEND_MGMT(ni,
				    IEEE80211_FC0_SUBTYPE_AUTH, 2);
				break;
			case IEEE80211_FC0_SUBTYPE_DEAUTH:
				sta_authretry(vap, ni, arg>>8);
				break;
			}
			break;
		case IEEE80211_S_RUN:
			/* Same arg packing as above. */
			switch (arg & 0xff) {
			case IEEE80211_FC0_SUBTYPE_AUTH:
				IEEE80211_SEND_MGMT(ni,
				    IEEE80211_FC0_SUBTYPE_AUTH, 2);
				/*
				 * iv_state was already set to AUTH at the
				 * top; undo that so a re-auth while
				 * associated does not drop us out of RUN.
				 */
				vap->iv_state = ostate;	/* stay RUN */
				break;
			case IEEE80211_FC0_SUBTYPE_DEAUTH:
				ieee80211_sta_leave(ni);
				if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
					/* try to reauth */
					IEEE80211_SEND_MGMT(ni,
					    IEEE80211_FC0_SUBTYPE_AUTH, 1);
				}
				break;
			}
			break;
		default:
			goto invalid;
		}
		break;
	case IEEE80211_S_ASSOC:
		switch (ostate) {
		case IEEE80211_S_AUTH:
		case IEEE80211_S_ASSOC:
			IEEE80211_SEND_MGMT(ni,
			    IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
			break;
		case IEEE80211_S_SLEEP:		/* cannot happen */
		case IEEE80211_S_RUN:
			ieee80211_sta_leave(ni);
			if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
				/* Non-zero arg asks for a reassociation. */
				IEEE80211_SEND_MGMT(ni, arg ?
				    IEEE80211_FC0_SUBTYPE_REASSOC_REQ :
				    IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
			}
			break;
		default:
			goto invalid;
		}
		break;
	case IEEE80211_S_RUN:
		if (vap->iv_flags & IEEE80211_F_WPA) {
			/* XXX validate prerequisites */
			/*
			 * NOTE(review): this block is empty; no WPA
			 * prerequisite is checked before entering RUN.
			 */
		}
		switch (ostate) {
		case IEEE80211_S_RUN:
			break;
		case IEEE80211_S_AUTH:		/* when join is done in fw */
		case IEEE80211_S_ASSOC:
#ifdef IEEE80211_DEBUG
			if (ieee80211_msg_debug(vap)) {
				ieee80211_note(vap, "%s with %s ssid ",
				    (vap->iv_opmode == IEEE80211_M_STA ?
				    "associated" : "synchronized"),
				    ether_sprintf(ni->ni_bssid));
				ieee80211_print_essid(vap->iv_bss->ni_essid,
				    ni->ni_esslen);
				/* XXX MCS/HT */
				printf(" channel %d start %uMb\n",
				    ieee80211_chan2ieee(ic, ic->ic_curchan),
				    IEEE80211_RATE2MBS(ni->ni_txrate));
			}
#endif
			/* Record the success in the scan cache, tell listeners. */
			ieee80211_scan_assoc_success(vap, ni->ni_macaddr);
			ieee80211_notify_node_join(ni,
			    arg == IEEE80211_FC0_SUBTYPE_ASSOC_RESP);
			break;
		case IEEE80211_S_SLEEP:
			ieee80211_sta_pwrsave(vap, 0);
			break;
		default:
			goto invalid;
		}
		ieee80211_sync_curchan(ic);
		if (ostate != IEEE80211_S_RUN &&
		    (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS)) {
			/*
			 * Start s/w beacon miss timer for devices w/o
			 * hardware support.  We fudge a bit here since
			 * we're doing this in software.
			 */
			vap->iv_swbmiss_period = IEEE80211_TU_TO_TICKS(
				2 * vap->iv_bmissthreshold * ni->ni_intval);
			vap->iv_swbmiss_count = 0;
			callout_reset(&vap->iv_swbmiss, vap->iv_swbmiss_period,
				ieee80211_swbmiss, vap);
		}
		/*
		 * When 802.1x is not in use mark the port authorized
		 * at this point so traffic can flow.  With 802.1x the
		 * port stays unauthorized here and is opened elsewhere
		 * once the handshake completes; until then sta_input
		 * passes only PAE frames on the unauthorized port.
		 */
		if (ni->ni_authmode != IEEE80211_AUTH_8021X)
			ieee80211_node_authorize(ni);
		/*
		 * Fake association when joining an existing bss.
		 * Driver hook; the flag says whether this is a new
		 * association rather than a RUN -> RUN transition.
		 */
		if (ic->ic_newassoc != NULL)
			ic->ic_newassoc(vap->iv_bss, ostate != IEEE80211_S_RUN);
		break;
	case IEEE80211_S_SLEEP:
		ieee80211_sta_pwrsave(vap, 0);
		break;
	default:
	invalid:
		/* Logged only; iv_state keeps the new value set above. */
		IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE,
		    "%s: unexpected state transition %s -> %s\n", __func__,
		    ieee80211_state_name[ostate], ieee80211_state_name[nstate]);
		break;
	}
	return 0;
}
421
/*
 * Return non-zero if the frame is an echo of a multicast frame sent
 * by ourself.  The dir is known to be DSTODS, so the frame carries a
 * fourth address: i_addr3 is the destination and i_addr4 the source.
 * The source sits at a different offset when a QoS header is present.
 */
static __inline int
isdstods_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh)
{
	const uint8_t *srcaddr;

	KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode"));

	/* Only a multicast destination can be an echo of our own frame. */
	if (!IEEE80211_IS_MULTICAST(wh->i_addr3))
		return 0;
	if (IEEE80211_QOS_HAS_SEQ(wh))
		srcaddr = ((const struct ieee80211_qosframe_addr4 *)wh)->i_addr4;
	else
		srcaddr = ((const struct ieee80211_frame_addr4 *)wh)->i_addr4;
	return IEEE80211_ADDR_EQ(srcaddr, vap->iv_myaddr);
}
442
/*
 * Return non-zero if the frame is an echo of a multicast frame sent
 * by ourself.  The dir is known to be FROMDS: i_addr1 is the receiver
 * and i_addr3 the original source, which is compared to our address.
 */
static __inline int
isfromds_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh)
{
	KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode"));

	return (IEEE80211_IS_MULTICAST(wh->i_addr1) &&
	    IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_myaddr));
}
456
/*
 * Decide whether a received management frame should be printed
 * when debugging is enabled.  This filters some of the less
 * interesting frames that come frequently: probe requests are never
 * printed and beacons only while a scan is in progress (the raw
 * IEEE80211_F_SCAN bit is returned in that case); everything else is.
 */
static __inline int
doprint(struct ieee80211vap *vap, int subtype)
{
	if (subtype == IEEE80211_FC0_SUBTYPE_PROBE_REQ)
		return 0;
	if (subtype == IEEE80211_FC0_SUBTYPE_BEACON)
		return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
	return 1;
}
474
475 /*
476 * Process a received frame. The node associated with the sender
477 * should be supplied. If nothing was found in the node table then
478 * the caller is assumed to supply a reference to iv_bss instead.
479 * The RSSI and a timestamp are also supplied. The RSSI data is used
480 during AP scanning to select an AP to associate with; it can have
481 * any units so long as values have consistent units and higher values
482 * mean ``better signal''. The receive timestamp is currently not used
483 * by the 802.11 layer.
484 */
485 static int
486 sta_input(struct ieee80211_node *ni, struct mbuf *m,
487 int rssi, int noise, uint32_t rstamp)
488 {
489 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0)
490 #define HAS_SEQ(type) ((type & 0x4) == 0)
491 struct ieee80211vap *vap = ni->ni_vap;
492 struct ieee80211com *ic = ni->ni_ic;
493 struct ifnet *ifp = vap->iv_ifp;
494 struct ieee80211_frame *wh;
495 struct ieee80211_key *key;
496 struct ether_header *eh;
497 int hdrspace, need_tap;
498 uint8_t dir, type, subtype, qos;
499 uint8_t *bssid;
500 uint16_t rxseq;
501
502 if (m->m_flags & M_AMPDU_MPDU) {
503 /*
504 * Fastpath for A-MPDU reorder q resubmission. Frames
505 * w/ M_AMPDU_MPDU marked have already passed through
506 * here but were received out of order and been held on
507 * the reorder queue. When resubmitted they are marked
508 * with the M_AMPDU_MPDU flag and we can bypass most of
509 * the normal processing.
510 */
511 wh = mtod(m, struct ieee80211_frame *);
512 type = IEEE80211_FC0_TYPE_DATA;
513 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
514 subtype = IEEE80211_FC0_SUBTYPE_QOS;
515 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
516 goto resubmit_ampdu;
517 }
518
519 KASSERT(ni != NULL, ("null node"));
520 ni->ni_inact = ni->ni_inact_reload;
521
522 need_tap = 1; /* mbuf need to be tapped. */
523 type = -1; /* undefined */
524
525 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
526 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
527 ni->ni_macaddr, NULL,
528 "too short (1): len %u", m->m_pkthdr.len);
529 vap->iv_stats.is_rx_tooshort++;
530 goto out;
531 }
532 /*
533 * Bit of a cheat here, we use a pointer for a 3-address
534 * frame format but don't reference fields past outside
535 * ieee80211_frame_min w/o first validating the data is
536 * present.
537 */
538 wh = mtod(m, struct ieee80211_frame *);
539
540 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
541 IEEE80211_FC0_VERSION_0) {
542 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
543 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]);
544 vap->iv_stats.is_rx_badversion++;
545 goto err;
546 }
547
548 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
549 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
550 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
551 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
552 bssid = wh->i_addr2;
553 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) {
554 /* not interested in */
555 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
556 bssid, NULL, "%s", "not to bss");
557 vap->iv_stats.is_rx_wrongbss++;
558 goto out;
559 }
560 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
561 ni->ni_noise = noise;
562 ni->ni_rstamp = rstamp;
563 if (HAS_SEQ(type)) {
564 uint8_t tid = ieee80211_gettid(wh);
565 if (IEEE80211_QOS_HAS_SEQ(wh) &&
566 TID_TO_WME_AC(tid) >= WME_AC_VI)
567 ic->ic_wme.wme_hipri_traffic++;
568 rxseq = le16toh(*(uint16_t *)wh->i_seq);
569 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 &&
570 (wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
571 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
572 /* duplicate, discard */
573 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
574 bssid, "duplicate",
575 "seqno <%u,%u> fragno <%u,%u> tid %u",
576 rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
577 ni->ni_rxseqs[tid] >>
578 IEEE80211_SEQ_SEQ_SHIFT,
579 rxseq & IEEE80211_SEQ_FRAG_MASK,
580 ni->ni_rxseqs[tid] &
581 IEEE80211_SEQ_FRAG_MASK,
582 tid);
583 vap->iv_stats.is_rx_dup++;
584 IEEE80211_NODE_STAT(ni, rx_dup);
585 goto out;
586 }
587 ni->ni_rxseqs[tid] = rxseq;
588 }
589 }
590
591 switch (type) {
592 case IEEE80211_FC0_TYPE_DATA:
593 hdrspace = ieee80211_hdrspace(ic, wh);
594 if (m->m_len < hdrspace &&
595 (m = m_pullup(m, hdrspace)) == NULL) {
596 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
597 ni->ni_macaddr, NULL,
598 "data too short: expecting %u", hdrspace);
599 vap->iv_stats.is_rx_tooshort++;
600 goto out; /* XXX */
601 }
602 /*
603 * Handle A-MPDU re-ordering. If the frame is to be
604 * processed directly then ieee80211_ampdu_reorder
605 * will return 0; otherwise it has consumed the mbuf
606 * and we should do nothing more with it.
607 */
608 if ((m->m_flags & M_AMPDU) &&
609 (dir == IEEE80211_FC1_DIR_FROMDS ||
610 dir == IEEE80211_FC1_DIR_DSTODS) &&
611 ieee80211_ampdu_reorder(ni, m) != 0) {
612 m = NULL;
613 goto out;
614 }
615 resubmit_ampdu:
616 if (dir == IEEE80211_FC1_DIR_FROMDS) {
617 if ((ifp->if_flags & IFF_SIMPLEX) &&
618 isfromds_mcastecho(vap, wh)) {
619 /*
620 * In IEEE802.11 network, multicast
621 * packets sent from "me" are broadcast
622 * from the AP; silently discard for
623 * SIMPLEX interface.
624 */
625 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
626 wh, "data", "%s", "multicast echo");
627 vap->iv_stats.is_rx_mcastecho++;
628 goto out;
629 }
630 if ((vap->iv_flags & IEEE80211_F_DWDS) &&
631 IEEE80211_IS_MULTICAST(wh->i_addr1)) {
632 /*
633 * DWDS sta's must drop 3-address mcast frames
634 * as they will be sent separately as a 4-addr
635 * frame. Accepting the 3-addr frame will
636 * confuse the bridge into thinking the sending
637 * sta is located at the end of WDS link.
638 */
639 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
640 "3-address data", "%s", "DWDS enabled");
641 vap->iv_stats.is_rx_mcastecho++;
642 goto out;
643 }
644 } else if (dir == IEEE80211_FC1_DIR_DSTODS) {
645 if ((vap->iv_flags & IEEE80211_F_DWDS) == 0) {
646 IEEE80211_DISCARD(vap,
647 IEEE80211_MSG_INPUT, wh, "4-address data",
648 "%s", "DWDS not enabled");
649 vap->iv_stats.is_rx_wrongdir++;
650 goto out;
651 }
652 if ((ifp->if_flags & IFF_SIMPLEX) &&
653 isdstods_mcastecho(vap, wh)) {
654 /*
655 * In IEEE802.11 network, multicast
656 * packets sent from "me" are broadcast
657 * from the AP; silently discard for
658 * SIMPLEX interface.
659 */
660 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
661 "4-address data", "%s", "multicast echo");
662 vap->iv_stats.is_rx_mcastecho++;
663 goto out;
664 }
665 } else {
666 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
667 "data", "incorrect dir 0x%x", dir);
668 vap->iv_stats.is_rx_wrongdir++;
669 goto out;
670 }
671
672 /*
673 * Handle privacy requirements. Note that we
674 * must not be preempted from here until after
675 * we (potentially) call ieee80211_crypto_demic;
676 * otherwise we may violate assumptions in the
677 * crypto cipher modules used to do delayed update
678 * of replay sequence numbers.
679 */
680 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
681 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
682 /*
683 * Discard encrypted frames when privacy is off.
684 */
685 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
686 wh, "WEP", "%s", "PRIVACY off");
687 vap->iv_stats.is_rx_noprivacy++;
688 IEEE80211_NODE_STAT(ni, rx_noprivacy);
689 goto out;
690 }
691 key = ieee80211_crypto_decap(ni, m, hdrspace);
692 if (key == NULL) {
693 /* NB: stats+msgs handled in crypto_decap */
694 IEEE80211_NODE_STAT(ni, rx_wepfail);
695 goto out;
696 }
697 wh = mtod(m, struct ieee80211_frame *);
698 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
699 } else {
700 /* XXX M_WEP and IEEE80211_F_PRIVACY */
701 key = NULL;
702 }
703
704 /*
705 * Save QoS bits for use below--before we strip the header.
706 */
707 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
708 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
709 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
710 ((struct ieee80211_qosframe *)wh)->i_qos[0];
711 } else
712 qos = 0;
713
714 /*
715 * Next up, any fragmentation.
716 */
717 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
718 m = ieee80211_defrag(ni, m, hdrspace);
719 if (m == NULL) {
720 /* Fragment dropped or frame not complete yet */
721 goto out;
722 }
723 }
724 wh = NULL; /* no longer valid, catch any uses */
725
726 /*
727 * Next strip any MSDU crypto bits.
728 */
729 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
730 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
731 ni->ni_macaddr, "data", "%s", "demic error");
732 vap->iv_stats.is_rx_demicfail++;
733 IEEE80211_NODE_STAT(ni, rx_demicfail);
734 goto out;
735 }
736
737 /* copy to listener after decrypt */
738 if (bpf_peers_present(vap->iv_rawbpf))
739 bpf_mtap(vap->iv_rawbpf, m);
740 need_tap = 0;
741
742 /*
743 * Finally, strip the 802.11 header.
744 */
745 m = ieee80211_decap(vap, m, hdrspace);
746 if (m == NULL) {
747 /* XXX mask bit to check for both */
748 /* don't count Null data frames as errors */
749 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
750 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
751 goto out;
752 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
753 ni->ni_macaddr, "data", "%s", "decap error");
754 vap->iv_stats.is_rx_decap++;
755 IEEE80211_NODE_STAT(ni, rx_decap);
756 goto err;
757 }
758 eh = mtod(m, struct ether_header *);
759 if (!ieee80211_node_is_authorized(ni)) {
760 /*
761 * Deny any non-PAE frames received prior to
762 * authorization. For open/shared-key
763 * authentication the port is mark authorized
764 * after authentication completes. For 802.1x
765 * the port is not marked authorized by the
766 * authenticator until the handshake has completed.
767 */
768 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
769 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
770 eh->ether_shost, "data",
771 "unauthorized port: ether type 0x%x len %u",
772 eh->ether_type, m->m_pkthdr.len);
773 vap->iv_stats.is_rx_unauth++;
774 IEEE80211_NODE_STAT(ni, rx_unauth);
775 goto err;
776 }
777 } else {
778 /*
779 * When denying unencrypted frames, discard
780 * any non-PAE frames received without encryption.
781 */
782 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
783 (key == NULL && (m->m_flags & M_WEP) == 0) &&
784 eh->ether_type != htons(ETHERTYPE_PAE)) {
785 /*
786 * Drop unencrypted frames.
787 */
788 vap->iv_stats.is_rx_unencrypted++;
789 IEEE80211_NODE_STAT(ni, rx_unencrypted);
790 goto out;
791 }
792 }
793 /* XXX require HT? */
794 if (qos & IEEE80211_QOS_AMSDU) {
795 m = ieee80211_decap_amsdu(ni, m);
796 if (m == NULL)
797 return IEEE80211_FC0_TYPE_DATA;
798 } else if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF) &&
799 #define FF_LLC_SIZE (sizeof(struct ether_header) + sizeof(struct llc))
800 m->m_pkthdr.len >= 3*FF_LLC_SIZE) {
801 struct llc *llc;
802
803 /*
804 * Check for fast-frame tunnel encapsulation.
805 */
806 if (m->m_len < FF_LLC_SIZE &&
807 (m = m_pullup(m, FF_LLC_SIZE)) == NULL) {
808 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
809 ni->ni_macaddr, "fast-frame",
810 "%s", "m_pullup(llc) failed");
811 vap->iv_stats.is_rx_tooshort++;
812 return IEEE80211_FC0_TYPE_DATA;
813 }
814 llc = (struct llc *)(mtod(m, uint8_t *) +
815 sizeof(struct ether_header));
816 if (llc->llc_snap.ether_type == htons(ATH_FF_ETH_TYPE)) {
817 m_adj(m, FF_LLC_SIZE);
818 m = ieee80211_decap_fastframe(ni, m);
819 if (m == NULL)
820 return IEEE80211_FC0_TYPE_DATA;
821 }
822 }
823 #undef FF_LLC_SIZE
824 ieee80211_deliver_data(vap, ni, m);
825 return IEEE80211_FC0_TYPE_DATA;
826
827 case IEEE80211_FC0_TYPE_MGT:
828 vap->iv_stats.is_rx_mgmt++;
829 IEEE80211_NODE_STAT(ni, rx_mgmt);
830 if (dir != IEEE80211_FC1_DIR_NODS) {
831 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
832 wh, "data", "incorrect dir 0x%x", dir);
833 vap->iv_stats.is_rx_wrongdir++;
834 goto err;
835 }
836 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
837 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
838 ni->ni_macaddr, "mgt", "too short: len %u",
839 m->m_pkthdr.len);
840 vap->iv_stats.is_rx_tooshort++;
841 goto out;
842 }
843 #ifdef IEEE80211_DEBUG
844 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
845 ieee80211_msg_dumppkts(vap)) {
846 if_printf(ifp, "received %s from %s rssi %d\n",
847 ieee80211_mgt_subtype_name[subtype >>
848 IEEE80211_FC0_SUBTYPE_SHIFT],
849 ether_sprintf(wh->i_addr2), rssi);
850 }
851 #endif
852 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
853 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
854 /*
855 * Only shared key auth frames with a challenge
856 * should be encrypted, discard all others.
857 */
858 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
859 wh, ieee80211_mgt_subtype_name[subtype >>
860 IEEE80211_FC0_SUBTYPE_SHIFT],
861 "%s", "WEP set but not permitted");
862 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
863 goto out;
864 }
865 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
866 /*
867 * Discard encrypted frames when privacy is off.
868 */
869 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
870 wh, "mgt", "%s", "WEP set but PRIVACY off");
871 vap->iv_stats.is_rx_noprivacy++;
872 goto out;
873 }
874 hdrspace = ieee80211_hdrspace(ic, wh);
875 key = ieee80211_crypto_decap(ni, m, hdrspace);
876 if (key == NULL) {
877 /* NB: stats+msgs handled in crypto_decap */
878 goto out;
879 }
880 wh = mtod(m, struct ieee80211_frame *);