search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
update madwifi
[linux-2.6/zen-sources.git] / drivers / net / wireless / madwifi / net80211 / ieee80211_input.c
blobd70e76e33ca00839cac58611ca41c254ec494fd4
1 /*-
2 * Copyright (c) 2001 Atsushi Onoe
3 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. The name of the author may not be used to endorse or promote products
15 * derived from this software without specific prior written permission.
16 *
17 * Alternatively, this software may be distributed under the terms of the
18 * GNU General Public License ("GPL") version 2 as published by the Free
19 * Software Foundation.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 *
32 * $Id: ieee80211_input.c 3809 2008-07-18 22:00:42Z proski $
33 */
34 #ifndef EXPORT_SYMTAB
35 #define EXPORT_SYMTAB
36 #endif
37
38 /*
39 * IEEE 802.11 input handling.
40 */
41 #ifndef AUTOCONF_INCLUDED
42 #include <linux/config.h>
43 #endif
44 #include <linux/version.h>
45 #include <linux/module.h>
46 #include <linux/skbuff.h>
47 #include <linux/netdevice.h>
48 #include <linux/etherdevice.h>
49 #include <linux/random.h>
50 #include <linux/if_vlan.h>
51 #include <net/iw_handler.h> /* wireless_send_event(..) */
52 #include <linux/wireless.h> /* SIOCGIWTHRSPY */
53 #include <linux/if_arp.h> /* ARPHRD_ETHER */
54
55 #include <net80211/if_llc.h>
56 #include <net80211/if_ethersubr.h>
57 #include <net80211/if_media.h>
58 #include <net80211/if_athproto.h>
59
60 #include <net80211/ieee80211_var.h>
61
62 #ifdef IEEE80211_DEBUG
63
64 #define BUF_LEN 192
65 /*
66 * Decide if a received management frame should be
67 * printed when debugging is enabled. This filters some
68 * of the less interesting frames that come frequently
69 * (e.g. beacons).
70 */
71 static __inline int
72 doprint(struct ieee80211vap *vap, int subtype)
73 {
74 switch (subtype) {
75 case IEEE80211_FC0_SUBTYPE_BEACON:
76 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
77 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
78 return (vap->iv_opmode == IEEE80211_M_IBSS);
79 }
80 return 1;
81 }
82
83 /*
84 * Emit a debug message about discarding a frame or information
85 * element. One format is for extracting the mac address from
86 * the frame header; the other is for when a header is not
87 * available or otherwise appropriate.
88 */
89 #define IEEE80211_DISCARD(_vap, _m, _wh, _type, _fmt, ...) do { \
90 if ((_vap)->iv_debug & (_m)) \
91 ieee80211_discard_frame(_vap, _wh, _type, _fmt, __VA_ARGS__);\
92 } while (0)
93 #define IEEE80211_DISCARD_IE(_vap, _m, _wh, _type, _fmt, ...) do { \
94 if ((_vap)->iv_debug & (_m)) \
95 ieee80211_discard_ie(_vap, _wh, _type, _fmt, __VA_ARGS__);\
96 } while (0)
97 #define IEEE80211_DISCARD_MAC(_vap, _m, _mac, _type, _fmt, ...) do { \
98 if ((_vap)->iv_debug & (_m)) \
99 ieee80211_discard_mac(_vap, _mac, _type, _fmt, __VA_ARGS__);\
100 } while (0)
101
102 static const u_int8_t *ieee80211_getbssid(struct ieee80211vap *,
103 const struct ieee80211_frame *);
104 static void ieee80211_discard_frame(struct ieee80211vap *,
105 const struct ieee80211_frame *, const char *, const char *, ...);
106 static void ieee80211_discard_ie(struct ieee80211vap *,
107 const struct ieee80211_frame *, const char *, const char *, ...);
108 static void ieee80211_discard_mac(struct ieee80211vap *,
109 const u_int8_t mac[IEEE80211_ADDR_LEN], const char *,
110 const char *, ...);
111 #else
112 #define IEEE80211_DISCARD(_vap, _m, _wh, _type, _fmt, ...)
113 #define IEEE80211_DISCARD_IE(_vap, _m, _wh, _type, _fmt, ...)
114 #define IEEE80211_DISCARD_MAC(_vap, _m, _mac, _type, _fmt, ...)
115 #endif /* IEEE80211_DEBUG */
116
117 static struct sk_buff *ieee80211_defrag(struct ieee80211_node *,
118 struct sk_buff *, int);
119 static void ieee80211_deliver_data(struct ieee80211_node *, struct sk_buff *);
120 static struct sk_buff *ieee80211_decap(struct ieee80211vap *,
121 struct sk_buff *, int);
122 static void ieee80211_send_error(struct ieee80211_node *, const u_int8_t *,
123 int, int);
124 static void ieee80211_recv_pspoll(struct ieee80211_node *, struct sk_buff *);
125 static int accept_data_frame(struct ieee80211vap *, struct ieee80211_node *,
126 struct ieee80211_key *, struct sk_buff *, struct ether_header *);
127
128
129 #ifdef ATH_SUPERG_FF
130 static int athff_decap(struct sk_buff *);
131 #endif
132 #ifdef USE_HEADERLEN_RESV
133 static __be16 ath_eth_type_trans(struct sk_buff *, struct net_device *);
134 #endif
135
136 #if WIRELESS_EXT >= 16
137 /**
138 * Given a node and the RSSI value of a just received frame from the node, this
139 * function checks if to raise an iwspy event because we iwspy the node and RSSI
140 * exceeds threshold (if active).
141 *
142 * @param vap: VAP
143 * @param ni: sender node
144 * @param rssi: RSSI value of received frame
145 */
146 static void
147 iwspy_event(struct ieee80211vap *vap, struct ieee80211_node *ni, u_int rssi)
148 {
149 if (vap->iv_spy.thr_low && vap->iv_spy.num && ni && (rssi <
150 vap->iv_spy.thr_low || rssi > vap->iv_spy.thr_high)) {
151 int i;
152 for (i = 0; i < vap->iv_spy.num; i++) {
153 if (IEEE80211_ADDR_EQ(ni->ni_macaddr,
154 &(vap->iv_spy.mac[i * IEEE80211_ADDR_LEN]))) {
155
156 union iwreq_data wrq;
157 struct iw_thrspy thr;
158 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DEBUG,
159 "%s: we spy " MAC_FMT
160 ", threshold is active and rssi exceeds"
161 " it -> raise an iwspy event\n",
162 __func__, MAC_ADDR(ni->ni_macaddr));
163 memset(&wrq, 0, sizeof(wrq));
164 wrq.data.length = 1;
165 memset(&thr, 0, sizeof(struct iw_thrspy));
166 memcpy(thr.addr.sa_data, ni->ni_macaddr,
167 IEEE80211_ADDR_LEN);
168 thr.addr.sa_family = ARPHRD_ETHER;
169 set_quality(&thr.qual, rssi, vap->iv_ic->ic_channoise);
170 set_quality(&thr.low, vap->iv_spy.thr_low, vap->iv_ic->ic_channoise);
171 set_quality(&thr.high, vap->iv_spy.thr_high, vap->iv_ic->ic_channoise);
172 wireless_send_event(vap->iv_dev,
173 SIOCGIWTHRSPY, &wrq, (char *)&thr);
174 break;
175 }
176 }
177 }
178 }
179
180 #else
181 #define iwspy_event(_vap, _ni, _rssi)
182 #endif /* WIRELESS_EXT >= 16 */
183
184 /*
185 * Process a received frame. The node associated with the sender
186 * should be supplied. If nothing was found in the node table then
187 * the caller is assumed to supply a reference to ic_bss instead.
188 * The RSSI and a timestamp are also supplied. The RSSI data is used
189 * during AP scanning to select a AP to associate with; it can have
190 * any units so long as values have consistent units and higher values
191 * mean ``better signal''. The receive timestamp is currently not used
192 * by the 802.11 layer.
193 *
194 * Context: softIRQ (tasklet)
195 */
196 int
197 ieee80211_input(struct ieee80211vap *vap, struct ieee80211_node *ni_or_null,
198 struct sk_buff *skb, int rssi, u_int64_t rtsf)
199 {
200 #define HAS_SEQ(type) ((type & 0x4) == 0)
201 struct ieee80211_node *ni = ni_or_null;
202 struct ieee80211com *ic = vap->iv_ic;
203 struct net_device *dev = vap->iv_dev;
204 struct ieee80211_frame *wh;
205 struct ieee80211_key *key;
206 struct ether_header *eh;
207 #ifdef ATH_SUPERG_FF
208 struct llc *llc;
209 #endif
210 int hdrlen;
211 u_int8_t dir, type = -1, subtype;
212 u_int8_t *bssid;
213 u_int16_t rxseq;
214
215 if ((vap->iv_dev->flags & (IFF_RUNNING | IFF_UP)) !=
216 (IFF_RUNNING | IFF_UP))
217 goto out;
218
219 /* Initialize ni as in the previous API. */
220 if (ni_or_null == NULL) {
221 /* This function does not 'own' vap->iv_bss, so we cannot
222 * guarantee its existence during the following call, hence
223 * briefly grab our own reference. */
224 ni = ieee80211_ref_node(vap->iv_bss);
225 }
226 KASSERT(skb != NULL, ("null skb"));
227 KASSERT(ni != NULL, ("null node"));
228 ni->ni_inact = ni->ni_inact_reload;
229
230 /* In monitor mode, send everything directly to bpf.
231 * Also do not process frames w/o i_addr2 any further.
232 * XXX: may want to include the CRC. */
233 if (vap->iv_opmode == IEEE80211_M_MONITOR)
234 goto out;
235 if (skb->len < sizeof(struct ieee80211_frame_min)) {
236 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
237 ni->ni_macaddr, NULL,
238 "too short (1): len %u", skb->len);
239 vap->iv_stats.is_rx_tooshort++;
240 goto out;
241 }
242
243 /* Bit of a cheat here, we use a pointer for a 3-address
244 * frame format but don't reference fields past outside
245 * ieee80211_frame_min w/o first validating the data is
246 * present. */
247 wh = (struct ieee80211_frame *)skb->data;
248
249 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
250 IEEE80211_FC0_VERSION_0) {
251 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
252 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]);
253 vap->iv_stats.is_rx_badversion++;
254 goto err;
255 }
256
257 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
258 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
259 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
260 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
261 switch (vap->iv_opmode) {
262 case IEEE80211_M_STA:
263 bssid = wh->i_addr2;
264 if (!IEEE80211_ADDR_EQ(bssid, vap->iv_bssid)) {
265 /* not interested in */
266 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
267 bssid, NULL, "%s", "not to bss");
268 vap->iv_stats.is_rx_wrongbss++;
269 goto out;
270 }
271 iwspy_event(vap, ni, rssi);
272 break;
273 case IEEE80211_M_IBSS:
274 case IEEE80211_M_AHDEMO:
275 if (dir != IEEE80211_FC1_DIR_NODS)
276 bssid = wh->i_addr1;
277 else if (type == IEEE80211_FC0_TYPE_CTL)
278 bssid = wh->i_addr1;
279 else {
280 if (skb->len < sizeof(struct ieee80211_frame)) {
281 IEEE80211_DISCARD_MAC(vap,
282 IEEE80211_MSG_ANY, ni->ni_macaddr,
283 NULL, "too short (2): len %u",
284 skb->len);
285 vap->iv_stats.is_rx_tooshort++;
286 goto out;
287 }
288 bssid = wh->i_addr3;
289 }
290 /* Do not try to find a node reference if the packet really did come from the BSS */
291 if (type == IEEE80211_FC0_TYPE_DATA && ni == vap->iv_bss &&
292 !IEEE80211_ADDR_EQ(vap->iv_bss->ni_macaddr, wh->i_addr2)) {
293 /* Try to find sender in local node table. */
294 ni = ieee80211_find_node(vap->iv_bss->ni_table, wh->i_addr2);
295 if (ni == NULL) {
296 /*
297 * Fake up a node for this newly discovered
298 * member of the IBSS. This should probably
299 * done after an ACL check.
300 */
301 ni = ieee80211_fakeup_adhoc_node(vap,
302 wh->i_addr2);
303 if (ni == NULL) {
304 /* NB: stat kept for alloc failure */
305 goto err;
306 }
307 }
308 }
309 iwspy_event(vap, ni, rssi);
310 break;
311 case IEEE80211_M_HOSTAP:
312 if (dir != IEEE80211_FC1_DIR_NODS)
313 bssid = wh->i_addr1;
314 else if (type == IEEE80211_FC0_TYPE_CTL)
315 bssid = wh->i_addr1;
316 else {
317 if (skb->len < sizeof(struct ieee80211_frame)) {
318 IEEE80211_DISCARD_MAC(vap,
319 IEEE80211_MSG_ANY, ni->ni_macaddr,
320 NULL, "too short (2): len %u",
321 skb->len);
322 vap->iv_stats.is_rx_tooshort++;
323 goto out;
324 }
325 bssid = wh->i_addr3;
326 }
327 /*
328 * Validate the bssid.
329 */
330 #ifdef ATH_SUPERG_XR
331 if (!IEEE80211_ADDR_EQ(bssid, vap->iv_bssid) &&
332 !IEEE80211_ADDR_EQ(bssid, dev->broadcast)) {
333 /*
334 * allow MGT frames to vap->iv_xrvap.
335 * this will allow roaming between XR and normal vaps
336 * without station dis associating from previous vap.
337 */
338 if (!(vap->iv_xrvap &&
339 IEEE80211_ADDR_EQ(bssid, vap->iv_xrvap->iv_bssid) &&
340 type == IEEE80211_FC0_TYPE_MGT &&
341 ni != vap->iv_bss)) {
342 /* not interested in */
343 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
344 bssid, NULL, "%s", "not to bss or xrbss");
345 vap->iv_stats.is_rx_wrongbss++;
346 goto out;
347 }
348 }
349 #else
350 if (!IEEE80211_ADDR_EQ(bssid, vap->iv_bssid) &&
351 !IEEE80211_ADDR_EQ(bssid, dev->broadcast)) {
352 /* not interested in */
353 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
354 bssid, NULL, "%s", "not to bss");
355 vap->iv_stats.is_rx_wrongbss++;
356 goto out;
357 }
358
359 #endif
360 break;
361 case IEEE80211_M_WDS:
362 if (skb->len < sizeof(struct ieee80211_frame_addr4)) {
363 IEEE80211_DISCARD_MAC(vap,
364 IEEE80211_MSG_ANY, ni->ni_macaddr,
365 NULL, "too short (3): len %u",
366 skb->len);
367 vap->iv_stats.is_rx_tooshort++;
368 goto out;
369 }
370 bssid = wh->i_addr1;
371 if (!IEEE80211_ADDR_EQ(bssid, vap->iv_bssid) &&
372 !IEEE80211_ADDR_EQ(bssid, dev->broadcast)) {
373 /* not interested in */
374 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
375 bssid, NULL, "%s", "not to bss");
376 vap->iv_stats.is_rx_wrongbss++;
377 goto out;
378 }
379 if (!IEEE80211_ADDR_EQ(wh->i_addr2, vap->wds_mac)) {
380 /* not interested in */
381 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
382 wh->i_addr2, NULL, "%s", "not from DS");
383 vap->iv_stats.is_rx_wrongbss++;
384 goto out;
385 }
386 break;
387 default:
388 /* XXX catch bad values */
389 goto out;
390 }
391 /* since ieee80211_input() can be called multiple times for
392 * flooding VAPs when we don't know which VAP needs the packet -
393 * we don't want to update the wrong state when ni is assigned
394 * to the bss node to accomodate this case. */
395 if (IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
396 ni->ni_rssi = rssi;
397 ni->ni_rtsf = rtsf;
398 ni->ni_last_rx = jiffies;
399 }
400 if (HAS_SEQ(type)) {
401 u_int8_t tid;
402 if (IEEE80211_QOS_HAS_SEQ(wh)) {
403 tid = ((struct ieee80211_qosframe *)wh)->
404 i_qos[0] & IEEE80211_QOS_TID;
405 if (TID_TO_WME_AC(tid) >= WME_AC_VI)
406 ic->ic_wme.wme_hipri_traffic++;
407 tid++;
408 } else
409 tid = 0;
410 rxseq = le16toh(*(__le16 *)wh->i_seq);
411 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
412 IEEE80211_SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
413 /* duplicate, discard */
414 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
415 bssid, "duplicate",
416 "seqno <%u,%u> fragno <%u,%u> tid %u",
417 rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
418 ni->ni_rxseqs[tid] >>
419 IEEE80211_SEQ_SEQ_SHIFT,
420 rxseq & IEEE80211_SEQ_FRAG_MASK,
421 ni->ni_rxseqs[tid] &
422 IEEE80211_SEQ_FRAG_MASK,
423 tid);
424 vap->iv_stats.is_rx_dup++;
425 IEEE80211_NODE_STAT(ni, rx_dup);
426 goto out;
427 }
428 ni->ni_rxseqs[tid] = rxseq;
429 }
430 }
431
432 switch (type) {
433 case IEEE80211_FC0_TYPE_DATA:
434 hdrlen = ieee80211_hdrsize(wh);
435 if (skb->len < hdrlen) {
436 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
437 wh, "data", "too short: len %u, expecting %u",
438 skb->len, hdrlen);
439 vap->iv_stats.is_rx_tooshort++;
440 goto out; /* XXX */
441 }
442 switch (vap->iv_opmode) {
443 case IEEE80211_M_STA:
444 if ((dir != IEEE80211_FC1_DIR_FROMDS) &&
445 (!((vap->iv_flags_ext & IEEE80211_FEXT_WDS) &&
446 (dir == IEEE80211_FC1_DIR_DSTODS)))) {
447 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
448 wh, "data", "invalid dir 0x%x", dir);
449 vap->iv_stats.is_rx_wrongdir++;
450 goto out;
451 }
452
453 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) {
454 /* Discard multicast if IFF_MULTICAST not set */
455 if ((0 != memcmp(wh->i_addr3, dev->broadcast, ETH_ALEN)) &&
456 (0 == (dev->flags & IFF_MULTICAST))) {
457 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
458 wh, NULL, "%s", "multicast disabled.");
459 printk(KERN_ERR "CONFIG ERROR: multicast flag "
460 "cleared on radio, but multicast was used.\n");
461 vap->iv_stats.is_rx_mcastdisabled++;
462 goto out;
463 }
464 /* Discard echos of our own multicast or broadcast */
465 if (IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_myaddr)) {
466 /*
467 * In IEEE802.11 network, multicast packet
468 * sent from me is broadcasted from AP.
469 * It should be silently discarded for
470 * SIMPLEX interface.
471 *
472 * NB: Linux has no IFF_ flag to indicate
473 * if an interface is SIMPLEX or not;
474 * so we always assume it to be true.
475 */
476 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
477 wh, NULL, "%s", "multicast echo");
478 vap->iv_stats.is_rx_mcastecho++;
479 goto out;
480 }
481 /*
482 * if it is brodcasted by me on behalf of
483 * a station behind me, drop it.
484 */
485 if (vap->iv_flags_ext & IEEE80211_FEXT_WDS) {
486 struct ieee80211_node_table *nt;
487 struct ieee80211_node *ni_wds;
488 nt = &ic->ic_sta;
489 ni_wds = ieee80211_find_wds_node(nt, wh->i_addr3);
490 if (ni_wds) {
491 ieee80211_unref_node(&ni_wds);
492 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
493 wh, NULL, "%s",
494 "multicast echo originated from node behind me");
495 vap->iv_stats.is_rx_mcastecho++;
496 goto out;
497 }
498 }
499 }
500 break;
501 case IEEE80211_M_IBSS:
502 case IEEE80211_M_AHDEMO:
503 if (dir != IEEE80211_FC1_DIR_NODS) {
504 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
505 wh, "data", "invalid dir 0x%x", dir);
506 vap->iv_stats.is_rx_wrongdir++;
507 goto out;
508 }
509 /* XXX no power-save support */
510 break;
511 case IEEE80211_M_HOSTAP:
512 if ((dir != IEEE80211_FC1_DIR_TODS) &&
513 (dir != IEEE80211_FC1_DIR_DSTODS)) {
514 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
515 wh, "data", "invalid dir 0x%x", dir);
516 vap->iv_stats.is_rx_wrongdir++;
517 goto out;
518 }
519 /* check if source STA is associated */
520 if (ni == vap->iv_bss) {
521 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
522 wh, "data", "%s", "unknown src");
523 /* NB: caller deals with reference */
524 if (vap->iv_state == IEEE80211_S_RUN)
525 ieee80211_send_error(ni, wh->i_addr2,
526 IEEE80211_FC0_SUBTYPE_DEAUTH,
527 IEEE80211_REASON_NOT_AUTHED);
528 vap->iv_stats.is_rx_notassoc++;
529 goto err;
530 }
531 if (ni->ni_associd == 0) {
532 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
533 wh, "data", "%s", "unassoc src");
534 IEEE80211_SEND_MGMT(ni,
535 IEEE80211_FC0_SUBTYPE_DISASSOC,
536 IEEE80211_REASON_NOT_ASSOCED);
537 vap->iv_stats.is_rx_notassoc++;
538 goto err;
539 }
540 /*
541 * If we're a 4 address packet, make sure we have an entry in
542 * the node table for the packet source address (addr4).
543 * If not, add one.
544 */
545 /* XXX: Useless node mgmt API; make better */
546 if (dir == IEEE80211_FC1_DIR_DSTODS) {
547 struct ieee80211_node_table *nt;
548 struct ieee80211_frame_addr4 *wh4;
549 struct ieee80211_node *ni_wds;
550
551 if (!(vap->iv_flags_ext & IEEE80211_FEXT_WDS)) {
552 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
553 wh, "data", "%s", "4 addr not allowed");
554 goto err;
555 }
556 wh4 = (struct ieee80211_frame_addr4 *)skb->data;
557 nt = &ic->ic_sta;
558 ni_wds = ieee80211_find_wds_node(nt, wh4->i_addr4);
559 /* Last call increments ref count if !NULL */
560 if ((ni_wds != NULL) && (ni_wds != ni)) {
561 /*
562 * node with source address (addr4) moved
563 * to another WDS capable station. remove the
564 * reference to the previous station and add
565 * reference to the new one
566 */
567 (void) ieee80211_remove_wds_addr(nt, wh4->i_addr4);
568 ieee80211_add_wds_addr(nt, ni, wh4->i_addr4, 0);
569 }
570 if (ni_wds == NULL)
571 ieee80211_add_wds_addr(nt, ni, wh4->i_addr4, 0);
572 else
573 ieee80211_unref_node(&ni_wds);
574 }
575
576 /*
577 * Check for power save state change.
578 */
579 if (!(ni->ni_flags & IEEE80211_NODE_UAPSD)) {
580 if ((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
581 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))
582 ieee80211_node_pwrsave(ni, wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
583 } else if (ni->ni_flags & IEEE80211_NODE_PS_CHANGED) {
584 int pwr_save_changed = 0;
585 IEEE80211_LOCK_IRQ(ic);
586 if ((*(__le16 *)(&wh->i_seq[0])) == ni->ni_pschangeseq) {
587 ni->ni_flags &= ~IEEE80211_NODE_PS_CHANGED;
588 pwr_save_changed = 1;
589 }
590 IEEE80211_UNLOCK_IRQ(ic);
591 if (pwr_save_changed)
592 ieee80211_node_pwrsave(ni, wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
593 }
594 break;
595 case IEEE80211_M_WDS:
596 if (dir != IEEE80211_FC1_DIR_DSTODS) {
597 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
598 wh, "data", "invalid dir 0x%x", dir);
599 vap->iv_stats.is_rx_wrongdir++;
600 goto out;
601 }
602 break;
603 default:
604 /* XXX here to keep compiler happy */
605 goto out;
606 }
607
608 /* These frames have no further meaning. */
609 if ((subtype == IEEE80211_FC0_SUBTYPE_NULL) ||
610 (subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL))
611 goto out;
612
613 /*
614 * Handle privacy requirements. Note that we
615 * must not be preempted from here until after
616 * we (potentially) call ieee80211_crypto_demic;
617 * otherwise we may violate assumptions in the
618 * crypto cipher modules used to do delayed update
619 * of replay sequence numbers.
620 */
621 if (wh->i_fc[1] & IEEE80211_FC1_PROT) {
622 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
623 /*
624 * Discard encrypted frames when privacy is off.
625 */
626 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
627 wh, "WEP", "%s", "PRIVACY off");
628 vap->iv_stats.is_rx_noprivacy++;
629 IEEE80211_NODE_STAT(ni, rx_noprivacy);
630 goto out;
631 }
632 key = ieee80211_crypto_decap(ni, skb, hdrlen);
633 if (key == NULL) {
634 /* NB: stats+msgs handled in crypto_decap */
635 IEEE80211_NODE_STAT(ni, rx_wepfail);
636 goto out;
637 }
638 wh = (struct ieee80211_frame *)skb->data;
639 wh->i_fc[1] &= ~IEEE80211_FC1_PROT;
640 } else
641 key = NULL;
642
643 /* Next up, any fragmentation. */
644 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
645 skb = ieee80211_defrag(ni, skb, hdrlen);
646 if (skb == NULL) {
647 /* Fragment dropped or frame not complete yet */
648 goto out;
649 }
650 }
651 wh = NULL; /* no longer valid, catch any uses */
652
653 /* Next strip any MSDU crypto. bits. */
654 if (key != NULL &&
655 !ieee80211_crypto_demic(vap, key, skb, hdrlen, 0)) {
656 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
657 ni->ni_macaddr, "data", "%s", "demic error");
658 IEEE80211_NODE_STAT(ni, rx_demicfail);
659 goto out;
660 }
661
662 /* Finally, strip the 802.11 header. */
663 skb = ieee80211_decap(vap, skb, hdrlen);
664 if (skb == NULL) {
665 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
666 ni->ni_macaddr, "data", "%s", "decap error");
667 vap->iv_stats.is_rx_decap++;
668 IEEE80211_NODE_STAT(ni, rx_decap);
669 goto err;
670 }
671 eh = (struct ether_header *)skb->data;
672
673 if (!accept_data_frame(vap, ni, key, skb, eh))
674 goto out;
675
676 vap->iv_devstats.rx_packets++;
677 vap->iv_devstats.rx_bytes += skb->len;
678 IEEE80211_NODE_STAT(ni, rx_data);
679 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, skb->len);
680 ic->ic_lastdata = jiffies;
681
682 #ifdef ATH_SUPERG_FF
683 /* check for FF */
684 llc = (struct llc *)(skb->data + sizeof(struct ether_header));
685 if (ntohs(llc->llc_snap.ether_type) == (u_int16_t)ATH_ETH_TYPE) {
686 struct sk_buff *skb1 = NULL;
687 struct ether_header *eh_tmp;
688 struct athl2p_tunnel_hdr *ath_hdr;
689 unsigned int frame_len;
690
691 /* NB: assumes linear (i.e., non-fragmented) skb */
692
693 /* get to the tunneled headers */
694 ath_hdr = (struct athl2p_tunnel_hdr *)
695 skb_pull(skb, sizeof(struct ether_header) + LLC_SNAPFRAMELEN);
696 /* ignore invalid frames */
697 if (ath_hdr == NULL)
698 goto err;
699
700 /* only implementing FF now. drop all others. */
701 if (ath_hdr->proto != ATH_L2TUNNEL_PROTO_FF) {
702 IEEE80211_DISCARD_MAC(vap,
703 IEEE80211_MSG_SUPG | IEEE80211_MSG_INPUT,
704 eh->ether_shost, "fast-frame",
705 "bad atheros tunnel prot %u",
706 ath_hdr->proto);
707 vap->iv_stats.is_rx_badathtnl++;
708 goto err;
709 }
710 vap->iv_stats.is_rx_ffcnt++;
711
712 /* move past the tunneled header, with alignment */
713 skb_pull(skb, roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2);
714 eh_tmp = (struct ether_header *)skb->data;
715
716 /* ether_type must be length as FF frames are always LLC/SNAP encap'd */
717 frame_len = ntohs(eh_tmp->ether_type);
718
719 skb1 = skb_copy(skb, GFP_ATOMIC);
720 if (skb1 == NULL)
721 goto err;
722 ieee80211_skb_copy_noderef(skb, skb1);
723
724 /* we now have 802.3 MAC hdr followed by 802.2 LLC/SNAP; convert to EthernetII.
725 * Note that the frame is at least IEEE80211_MIN_LEN, due to the driver code. */
726 athff_decap(skb);
727
728 /* remove second frame from end of first */
729 skb_trim(skb, sizeof(struct ether_header) + frame_len - LLC_SNAPFRAMELEN);
730
731 /* prepare second tunneled frame */
732 skb_pull(skb1, roundup(sizeof(struct ether_header) + frame_len, 4));
733
734 /* Fail if there is no space left for at least the necessary headers */
735 if (athff_decap(skb1)) {
736 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
737 ni->ni_macaddr, "data", "%s", "Decapsulation error");
738 vap->iv_stats.is_rx_decap++;
739 IEEE80211_NODE_STAT(ni, rx_decap);
740 ieee80211_dev_kfree_skb(&skb1); /* This is a copy! */
741 goto err;
742 }
743
744 /* Deliver the frames. */
745 ieee80211_deliver_data(ni, skb);
746 ieee80211_deliver_data(ni, skb1);
747 } else {
748 /* Assume non-atheros LLC type. */
749 ieee80211_deliver_data(ni, skb);
750 }
751 #else /* !ATH_SUPERG_FF */
752 ieee80211_deliver_data(ni, skb);
753 #endif
754 if (ni_or_null == NULL)
755 ieee80211_unref_node(&ni);
756 /* XXX: Why doesn't this use 'goto out'?
757 * If it did, then the SKB would be accessed after we
758 * have given it to ieee80211_deliver_data and we get
759 * crashes/errors. */
760 return IEEE80211_FC0_TYPE_DATA;
761 case IEEE80211_FC0_TYPE_MGT:
762 /* WDS opmode does not support management frames. */
763 if (vap->iv_opmode == IEEE80211_M_WDS) {
764 vap->iv_stats.is_rx_mgtdiscard++;
765 goto out;
766 }
767 IEEE80211_NODE_STAT(ni, rx_mgmt);
768 if (dir != IEEE80211_FC1_DIR_NODS) {
769 vap->iv_stats.is_rx_wrongdir++;
770 goto err;
771 }
772 if (skb->len < sizeof(struct ieee80211_frame)) {
773 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
774 ni->ni_macaddr, "mgt", "too short: len %u",
775 skb->len);
776 vap->iv_stats.is_rx_tooshort++;
777 goto out;
778 }
779 #ifdef IEEE80211_DEBUG
780 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
781 ieee80211_msg_dumppkts(vap)) {
782 ieee80211_note(vap,
783 "received %s from " MAC_FMT " rssi %d\n",
784 ieee80211_mgt_subtype_name[subtype >>
785 IEEE80211_FC0_SUBTYPE_SHIFT],
786 MAC_ADDR(wh->i_addr2), rssi);
787 }
788 #endif
789 if (wh->i_fc[1] & IEEE80211_FC1_PROT) {
790 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
791 /*
792 * Only shared key auth frames with a challenge
793 * should be encrypted, discard all others.
794 */
795 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
796 wh, ieee80211_mgt_subtype_name[subtype >>
797 IEEE80211_FC0_SUBTYPE_SHIFT],
798 "%s", "WEP set but not permitted");
799 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
800 goto out;
801 }
802 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
803 /*
804 * Discard encrypted frames when privacy is off.
805 */
806 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
807 wh, "mgt", "%s", "WEP set but PRIVACY off");
808 vap->iv_stats.is_rx_noprivacy++;
809 goto out;
810 }
811 hdrlen = ieee80211_hdrsize(wh);
812 key = ieee80211_crypto_decap(ni, skb, hdrlen);
813 if (key == NULL) {
814 /* NB: stats+msgs handled in crypto_decap */
815 goto out;
816 }
817 wh = (struct ieee80211_frame *)skb->data;
818 wh->i_fc[1] &= ~IEEE80211_FC1_PROT;
819 }
820 ic->ic_recv_mgmt(vap, ni_or_null, skb, subtype, rssi, rtsf);
821 goto out;
822
823 case IEEE80211_FC0_TYPE_CTL:
824 IEEE80211_NODE_STAT(ni, rx_ctrl);
825 vap->iv_stats.is_rx_ctl++;
826 if (vap->iv_opmode == IEEE80211_M_HOSTAP)
827 if (subtype == IEEE80211_FC0_SUBTYPE_PS_POLL)
828 ieee80211_recv_pspoll(ni, skb);
829 goto out;
830
831 default:
832 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
833 wh, NULL, "bad frame type 0x%x", type);
834 /* should not come here */
835 break;
836 }
837 err:
838 vap->iv_devstats.rx_errors++;
839 out:
840 ieee80211_dev_kfree_skb(&skb);
841 if (ni_or_null == NULL)
842 ieee80211_unref_node(&ni);
843 return type;
844 #undef HAS_SEQ
845 }
846
847 EXPORT_SYMBOL(ieee80211_input);
848 /*
849 * Context: softIRQ (tasklet)
850 */
851 int
852 ieee80211_input_all(struct ieee80211com *ic,
853 struct sk_buff *skb, int rssi, u_int64_t rtsf)
854 {
855 struct ieee80211vap *vap, *next_vap;
856 struct sk_buff *tskb = NULL;
857 int type = -1; /* Used to determine when to blinks LEDs. */
858
859 /* Create a new SKB copy for each VAP except the last
860 * one, which gets the original SKB. */
861 vap = TAILQ_FIRST(&ic->ic_vaps);
862 while (vap) {
863 for (next_vap = TAILQ_NEXT(vap, iv_next); next_vap;
864 next_vap = TAILQ_NEXT(next_vap, iv_next)) {
865 if ((next_vap->iv_dev->flags & (IFF_RUNNING | IFF_UP))
866 == (IFF_RUNNING | IFF_UP))
867 break;
868 }
869
870 if (!next_vap) {
871 tskb = skb;
872 skb = NULL;
873 } else
874 tskb = skb_copy(skb, GFP_ATOMIC);
875
876 if (!tskb)
877 /* XXX: Brilliant OOM handling. */
878 vap->iv_devstats.tx_dropped++;
879 else
880 type = ieee80211_input(vap, NULL, tskb, rssi, rtsf);
881
882 vap = next_vap;
883 };
884
885 ieee80211_dev_kfree_skb(&skb);
886 return type;
887 }
888 EXPORT_SYMBOL(ieee80211_input_all);
889
890 /*
891 * Determines whether a frame should be accepted, based on information
892 * about the frame's origin and encryption, and policy for this vap.
893 */
894 static int accept_data_frame(struct ieee80211vap *vap,
895 struct ieee80211_node *ni, struct ieee80211_key *key,
896 struct sk_buff *skb, struct ether_header *eh)
897 {
898 #define IS_EAPOL(eh) ((eh)->ether_type == __constant_htons(ETHERTYPE_PAE))
899 #define PAIRWISE_SET(vap) ((vap)->iv_nw_keys[0].wk_cipher != &ieee80211_cipher_none)
900 if (IS_EAPOL(eh)) {
901 /* encrypted eapol is always OK */
902 if (key)
903 return 1;
904 /* cleartext eapol is OK if we don't have pairwise keys yet */
905 if (!PAIRWISE_SET(vap))
906 return 1;
907 /* cleartext eapol is OK if configured to allow it */
908 if (!IEEE80211_VAP_DROPUNENC_EAPOL(vap))
909 return 1;
910 /* cleartext eapol is OK if other unencrypted is OK */
911 if (!(vap->iv_flags & IEEE80211_F_DROPUNENC))
912 return 1;
913 /* not OK */
914 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
915 eh->ether_shost, "data",
916 "unauthorized port: ether type 0x%x len %u",
917 ntohs(eh->ether_type), skb->len);
918 vap->iv_stats.is_rx_unauth++;
919 vap->iv_devstats.rx_errors++;
920 IEEE80211_NODE_STAT(ni, rx_unauth);
921 return 0;
922 }
923
924 if (!ieee80211_node_is_authorized(ni)) {
925 /*
926 * Deny any non-PAE frames received prior to
927 * authorization. For open/shared-key
928 * authentication the port is mark authorized
929 * after authentication completes. For 802.1x
930 * the port is not marked authorized by the
931 * authenticator until the handshake has completed.
932 */
933 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
934 eh->ether_shost, "data",
935 "unauthorized port: ether type 0x%x len %u",
936 ntohs(eh->ether_type), skb->len);
937 vap->iv_stats.is_rx_unauth++;
938 vap->iv_devstats.rx_errors++;
939 IEEE80211_NODE_STAT(ni, rx_unauth);
940 return 0;
941 } else {
942 /*
943 * When denying unencrypted frames, discard
944 * any non-PAE frames received without encryption.
945 */
946 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && key == NULL) {
947 IEEE80211_NODE_STAT(ni, rx_unencrypted);
948 return 0;
949 }
950 }
951 return 1;
952
953 #undef IS_EAPOL
954 #undef PAIRWISE_SET
955 }
956
957 /*
958 * This function reassemble fragments using the skb of the 1st fragment,
959 * if large enough. If not, a new skb is allocated to hold incoming
960 * fragments.
961 *
962 * Fragments are copied at the end of the previous fragment. A different
963 * strategy could have been used, where a non-linear skb is allocated and
964 * fragments attached to that skb.
965 */
966 static struct sk_buff *
967 ieee80211_defrag(struct ieee80211_node *ni, struct sk_buff *skb, int hdrlen)
968 {
969 struct ieee80211_frame *wh = (struct ieee80211_frame *)skb->data;
970 u_int16_t rxseq, last_rxseq;
971 u_int8_t fragno, last_fragno;
972 u_int8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG;
973
974 rxseq = le16_to_cpu(*(__le16 *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT;
975 fragno = le16_to_cpu(*(__le16 *)wh->i_seq) & IEEE80211_SEQ_FRAG_MASK;
976
977 /* Quick way out, if there's nothing to defragment */
978 if (!more_frag && fragno == 0 && ni->ni_rxfrag == NULL)
979 return skb;
980
981 /*
982 * Remove frag to ensure it doesn't get reaped by timer.
983 */
984 if (ni->ni_table == NULL) {
985 /*
986 * Should never happen. If the node is orphaned (not in
987 * the table) then input packets should not reach here.
988 * Otherwise, a concurrent request that yanks the table
989 * should be blocked by other interlocking and/or by first
990 * shutting the driver down. Regardless, be defensive
991 * here and just bail
992 */
993 /* XXX need msg+stat */
994 ieee80211_dev_kfree_skb(&skb);
995 return NULL;
996 }
997
998 /*
999 * Update the time stamp. As a side effect, it
1000 * also makes sure that the timer will not change
1001 * ni->ni_rxfrag for at least 1 second, or in
1002 * other words, for the remaining of this function.
1003 * XXX HUGE HORRIFIC HACK
1004 */
1005 ni->ni_rxfragstamp = jiffies;
1006
1007 /*
1008 * Validate that fragment is in order and
1009 * related to the previous ones.
1010 */
1011 if (ni->ni_rxfrag) {
1012 struct ieee80211_frame *lwh;
1013
1014 lwh = (struct ieee80211_frame *)ni->ni_rxfrag->data;
1015 last_rxseq = le16_to_cpu(*(__le16 *)lwh->i_seq) >>
1016 IEEE80211_SEQ_SEQ_SHIFT;
1017 last_fragno = le16_to_cpu(*(__le16 *)lwh->i_seq) &
1018 IEEE80211_SEQ_FRAG_MASK;
1019 if (rxseq != last_rxseq
1020 || fragno != last_fragno + 1
1021 || (!IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1))
1022 || (!IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2))
1023 || (ni->ni_rxfrag->end - ni->ni_rxfrag->tail <
1024 skb->len)) {
1025 /*
1026 * Unrelated fragment or no space for it,
1027 * clear current fragments
1028 */
1029 ieee80211_dev_kfree_skb(&ni->ni_rxfrag);
1030 }
1031 }
1032
1033 /* If this is the first fragment */
1034 if (ni->ni_rxfrag == NULL && fragno == 0) {
1035 ni->ni_rxfrag = skb;
1036 /* If more frags are coming */
1037 if (more_frag) {
1038 if (skb_is_nonlinear(skb)) {
1039 /*
1040 * We need a continous buffer to
1041 * assemble fragments
1042 */
1043 ni->ni_rxfrag = skb_copy(skb, GFP_ATOMIC);
1044 if (ni->ni_rxfrag) {
1045 ieee80211_skb_copy_noderef(skb, ni->ni_rxfrag);
1046 ieee80211_dev_kfree_skb(&skb);
1047 }
1048 }
1049 /*
1050 * Check that we have enough space to hold
1051 * incoming fragments
1052 * XXX 4-address/QoS frames?
1053 */
1054 else if ((skb_end_pointer(skb) - skb->head) <
1055 (ni->ni_vap->iv_dev->mtu + hdrlen)) {
1056 ni->ni_rxfrag = skb_copy_expand(skb, 0,
1057 (ni->ni_vap->iv_dev->mtu + hdrlen) -
1058 (skb_end_pointer(skb) - skb->head),
1059 GFP_ATOMIC);
1060 if (ni->ni_rxfrag)
1061 ieee80211_skb_copy_noderef(skb, ni->ni_rxfrag);
1062 ieee80211_dev_kfree_skb(&skb);
1063 }
1064 }
1065 } else {
1066 if (ni->ni_rxfrag) {
1067 struct ieee80211_frame *lwh = (struct ieee80211_frame *)
1068 ni->ni_rxfrag->data;
1069
1070 /*
1071 * We know we have enough space to copy,
1072 * we've verified that before
1073 */
1074 /* Copy current fragment at end of previous one */
1075 memcpy(skb_tail_pointer(ni->ni_rxfrag),
1076 skb->data + hdrlen, skb->len - hdrlen);
1077 /* Update tail and length */
1078 skb_put(ni->ni_rxfrag, skb->len - hdrlen);
1079 /* Keep a copy of last sequence and fragno */
1080 *(__le16 *)lwh->i_seq = *(__le16 *)wh->i_seq;
1081 }
1082 /* we're done with the fragment */
1083 ieee80211_dev_kfree_skb(&skb);
1084 }
1085
1086 if (more_frag) {
1087 /* More to come */
1088 skb = NULL;
1089 } else {
1090 /* Last fragment received, we're done! */
1091 skb = ni->ni_rxfrag;
1092 ni->ni_rxfrag = NULL;
1093 }
1094 return skb;
1095 }
1096
1097 static void
1098 ieee80211_deliver_data(struct ieee80211_node *ni, struct sk_buff *skb)
1099 {
1100 struct ieee80211vap *vap = ni->ni_vap;
1101 struct net_device *dev = vap->iv_dev;
1102 struct ether_header *eh = (struct ether_header *)skb->data;
1103 struct ieee80211_node *tni;
1104 int ret;
1105
1106 #ifdef ATH_SUPERG_XR
1107 /*
1108 * if it is a XR vap, send the data to associated normal net
1109 * device. XR vap has a net device which is not registered with
1110 * OS.
1111 */
1112 if (vap->iv_xrvap && vap->iv_flags & IEEE80211_F_XR)
1113 dev = vap->iv_xrvap->iv_dev;
1114 #endif
1115
1116 /* perform as a bridge within the vap */
1117 /* XXX intra-vap bridging only */
1118 if (vap->iv_opmode == IEEE80211_M_HOSTAP &&
1119 (vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
1120 struct sk_buff *skb1 = NULL;
1121
1122 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
1123 /* Create a SKB for the BSS to send out. */
1124 skb1 = skb_copy(skb, GFP_ATOMIC);
1125 if (skb1)
1126 SKB_NI(skb1) = ieee80211_ref_node(vap->iv_bss);
1127 }
1128 else {
1129 /* Check if destination is associated with the
1130 * same VAP and authorized to receive traffic.
1131 * Beware of traffic destined for the VAP itself;
1132 * sending it will not work; just let it be
1133 * delivered normally. */
1134 struct ieee80211_node *ni1 = ieee80211_find_node(
1135 &vap->iv_ic->ic_sta, eh->ether_dhost);
1136 if (ni1 != NULL) {
1137 if ((ni1->ni_vap == vap) &&
1138 (ni1 != vap->iv_bss) &&
1139 ieee80211_node_is_authorized(ni1)) {
1140 skb1 = skb;
1141 skb = NULL;
1142 }
1143 /* XXX: statistic? */
1144 ieee80211_unref_node(&ni1);
1145 }
1146 }
1147 if (skb1 != NULL) {
1148 skb1->dev = dev;
1149 skb_reset_mac_header(skb1);
1150 skb_set_network_header(skb1, sizeof(struct ether_header));
1151
1152 skb1->protocol = __constant_htons(ETH_P_802_2);
1153
1154 /* This SKB is being emitted to the physical/parent
1155 * device, which maintains node references. However,
1156 * there is kernel code in between which does not.
1157 * Therefore, the ref. is cleaned if the SKB is
1158 * dropped. */
1159 tni = SKB_NI(skb1);
1160 /* XXX: Insert vlan tag before queuing it? */
1161 if (dev_queue_xmit(skb1) == NET_XMIT_DROP) {
1162 vap->iv_devstats.tx_dropped++;
1163 if (tni != NULL)
1164 ieee80211_unref_node(&tni);
1165 }
1166 /* SKB is no longer ours, either way after dev_queue_xmit. */
1167 skb1 = NULL;
1168 }
1169 }
1170
1171 if (skb != NULL) {
1172 vap->iv_devstats.rx_packets++;
1173 vap->iv_devstats.rx_bytes += skb->len;
1174 dev->last_rx = jiffies;
1175
1176 skb->dev = dev;
1177 #ifdef USE_HEADERLEN_RESV
1178 skb->protocol = ath_eth_type_trans(skb, dev);
1179 #else
1180 skb->protocol = eth_type_trans(skb, dev);
1181 #endif
1182 tni = SKB_NI(skb);
1183 if ((ni->ni_vlan != 0) && (vap->iv_vlgrp != NULL))
1184 /* Attach VLAN tag. */
1185 ret = vlan_hwaccel_rx(skb,
1186 vap->iv_vlgrp, ni->ni_vlan);
1187 else
1188 ret = netif_rx(skb);
1189 if (ret == NET_RX_DROP)
1190 vap->iv_devstats.rx_dropped++;
1191 if (tni != NULL)
1192 ieee80211_unref_node(&tni);
1193 skb = NULL; /* SKB is no longer ours */
1194 }
1195 }
1196
1197 /* This function removes the 802.11 header, including LLC/SNAP headers and
1198 * replaces it with an Ethernet II header. */
1199 static struct sk_buff *
1200 ieee80211_decap(struct ieee80211vap *vap, struct sk_buff *skb, int hdrlen)
1201 {
1202 const struct llc snap_hdr = {.llc_dsap = LLC_SNAP_LSAP,
1203 .llc_ssap = LLC_SNAP_LSAP,
1204 .llc_snap.control = LLC_UI,
1205 .llc_snap.org_code = {0x0, 0x0, 0x0}};
1206 struct ieee80211_qosframe_addr4 wh; /* Max size address frames */
1207 struct ether_header *eh;
1208 struct llc *llc;
1209 __be16 ether_type = 0;
1210
1211 memcpy(&wh, skb->data, hdrlen); /* Make a copy of the variably sized .11 header */
1212
1213 llc = (struct llc *)skb_pull(skb, hdrlen);
1214 /* XXX: For some unknown reason some APs think they are from DEC and
1215 * use an OUI of 00-00-f8. This should be killed as soon as sanity is
1216 * restored. */
1217 if ((skb->len >= LLC_SNAPFRAMELEN) && (memcmp(&snap_hdr, llc, 5) == 0) &&
1218 ((llc->llc_snap.org_code[2] == 0x0) ||
1219 (llc->llc_snap.org_code[2] == 0xf8))) {
1220 ether_type = llc->llc_un.type_snap.ether_type;
1221 skb_pull(skb, LLC_SNAPFRAMELEN);
1222 llc = NULL;
1223 }
1224
1225 eh = (struct ether_header *)skb_push(skb, sizeof(struct ether_header));
1226 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) {
1227 case IEEE80211_FC1_DIR_NODS:
1228 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1);
1229 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2);
1230 break;
1231 case IEEE80211_FC1_DIR_TODS:
1232 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3);
1233 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2);
1234 break;
1235 case IEEE80211_FC1_DIR_FROMDS:
1236 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1);
1237 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3);
1238 break;
1239 case IEEE80211_FC1_DIR_DSTODS:
1240 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3);
1241 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4);
1242 break;
1243 }
1244
1245 if (llc != NULL)
1246 eh->ether_type = htons(skb->len - sizeof(*eh));
1247 else
1248 eh->ether_type = ether_type;
1249
1250 return skb;
1251 }
1252
1253 /*
1254 * Install received rate set information in the node's state block.
1255 */
1256 int
1257 ieee80211_setup_rates(struct ieee80211_node *ni,
1258 const u_int8_t *rates, const u_int8_t *xrates, int flags)
1259 {
1260 struct ieee80211_rateset *rs = &ni->ni_rates;
1261
1262 memset(rs, 0, sizeof(*rs));
1263 rs->rs_nrates = rates[1];
1264 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates);
1265 if (xrates != NULL) {
1266 u_int8_t nxrates;
1267 /*
1268 * Tack on 11g extended supported rate element.
1269 */
1270 nxrates = xrates[1];
1271 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) {
1272 struct ieee80211vap *vap = ni->ni_vap;
1273
1274 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates;
1275 IEEE80211_NOTE(vap, IEEE80211_MSG_XRATE, ni,
1276 "extended rate set too large;"
1277 " only using %u of %u rates",
1278 nxrates, xrates[1]);
1279 vap->iv_stats.is_rx_rstoobig++;
1280 }
1281 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates);
1282 rs->rs_nrates += nxrates;
1283 }
1284 return ieee80211_fix_rate(ni, flags);
1285 }
1286
1287 static void
1288 ieee80211_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
1289 int rssi, u_int64_t rtsf, u_int16_t seq, u_int16_t status)
1290 {
1291 struct ieee80211vap *vap = ni->ni_vap;
1292 unsigned int tmpnode = 0;
1293
1294 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
1295 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1296 ni->ni_macaddr, "open auth",
1297 "bad sta auth mode %u", ni->ni_authmode);
1298 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1299 if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
1300 if (ni == vap->iv_bss) {
1301 ni = ieee80211_dup_bss(vap, wh->i_addr2, 0);
1302 if (ni == NULL)
1303 return;
1304 tmpnode = 1;
1305 }
1306 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH,
1307 (seq + 1) | (IEEE80211_STATUS_ALG << 16));
1308
1309 if (tmpnode)
1310 ieee80211_unref_node(&ni);
1311 return;
1312 }
1313 }
1314 switch (vap->iv_opmode) {
1315 case IEEE80211_M_IBSS:
1316 if (vap->iv_state != IEEE80211_S_RUN ||
1317 seq != IEEE80211_AUTH_OPEN_REQUEST) {
1318 vap->iv_stats.is_rx_bad_auth++;
1319 return;
1320 }
1321 ieee80211_new_state(vap, IEEE80211_S_AUTH,
1322 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
1323 break;
1324
1325 case IEEE80211_M_AHDEMO:
1326 case IEEE80211_M_WDS:
1327 /* should not come here */
1328 break;
1329
1330 case IEEE80211_M_HOSTAP:
1331 if (vap->iv_state != IEEE80211_S_RUN ||
1332 seq != IEEE80211_AUTH_OPEN_REQUEST) {
1333 vap->iv_stats.is_rx_bad_auth++;
1334 return;
1335 }
1336 /* always accept open authentication requests */
1337 if (ni == vap->iv_bss) {
1338 ni = ieee80211_dup_bss(vap, wh->i_addr2, 0);
1339 if (ni == NULL)
1340 return;
1341 tmpnode = 1;
1342 }
1343
1344 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1345 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1346 ni, "station authenticated (%s)", "open");
1347 /*
1348 * When 802.1x is not in use mark the port
1349 * authorized at this point so traffic can flow.
1350 */
1351 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
1352 ieee80211_node_authorize(ni);
1353 if (tmpnode)
1354 ieee80211_unref_node(&ni);
1355 break;
1356
1357 case IEEE80211_M_STA:
1358 if (vap->iv_state != IEEE80211_S_AUTH ||
1359 seq != IEEE80211_AUTH_OPEN_RESPONSE) {
1360 vap->iv_stats.is_rx_bad_auth++;
1361 return;
1362 }
1363 if (status != 0) {
1364 IEEE80211_NOTE(vap,
1365 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni,
1366 "open auth failed (reason %d)", status);
1367 vap->iv_stats.is_rx_auth_fail++;
1368 ieee80211_new_state(vap, IEEE80211_S_SCAN,
1369 IEEE80211_SCAN_FAIL_STATUS);
1370 } else
1371 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
1372 break;
1373 case IEEE80211_M_MONITOR:
1374 break;
1375 }
1376 }
1377
1378 /*
1379 * Send a management frame error response to the specified
1380 * station. If ni is associated with the station then use
1381 * it; otherwise allocate a temporary node suitable for
1382 * transmitting the frame and then free the reference so
1383 * it will go away as soon as the frame has been transmitted.
1384 */
1385 static void
1386 ieee80211_send_error(struct ieee80211_node *ni,
1387 const u_int8_t *mac, int subtype, int arg)
1388 {
1389 struct ieee80211vap *vap = ni->ni_vap;
1390 int istmp;
1391
1392 if (ni == vap->iv_bss) {
1393 ni = ieee80211_dup_bss(vap, mac, 1);
1394 if (ni == NULL) {
1395 /* XXX msg */
1396 return;
1397 }
1398 istmp = 1;
1399 } else
1400 istmp = 0;
1401 IEEE80211_SEND_MGMT(ni, subtype, arg);
1402 if (istmp)
1403 ieee80211_unref_node(&ni);
1404 }
1405
1406 static int
1407 alloc_challenge(struct ieee80211_node *ni)
1408 {
1409 if (ni->ni_challenge == NULL)
1410 MALLOC(ni->ni_challenge, u_int32_t*, IEEE80211_CHALLENGE_LEN,
1411 M_DEVBUF, M_NOWAIT);
1412 if (ni->ni_challenge == NULL) {
1413 IEEE80211_NOTE(ni->ni_vap,
1414 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni,
1415 "%s", "shared key challenge alloc failed");
1416 /* XXX statistic */
1417 }
1418 return (ni->ni_challenge != NULL);
1419 }
1420
1421 /* XXX TODO: add statistics */
1422 static void
1423 ieee80211_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
1424 u_int8_t *frm, u_int8_t *efrm, int rssi, u_int64_t rtsf,
1425 u_int16_t seq, u_int16_t status)
1426 {
1427 struct ieee80211vap *vap = ni->ni_vap;
1428 u_int8_t *challenge;
1429 int allocbs = 0, estatus = 0;
1430
1431 /*
1432 * NB: this can happen as we allow pre-shared key
1433 * authentication to be enabled w/o wep being turned
1434 * on so that configuration of these can be done
1435 * in any order. It may be better to enforce the
1436 * ordering in which case this check would just be
1437 * for sanity/consistency.
1438 */
1439 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
1440 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1441 ni->ni_macaddr, "shared key auth",
1442 "%s", " PRIVACY is disabled");
1443 estatus = IEEE80211_STATUS_ALG;
1444 goto bad;
1445 }
1446 /*
1447 * Pre-shared key authentication is evil; accept
1448 * it only if explicitly configured (it is supported
1449 * mainly for compatibility with clients like OS X).
1450 */
1451 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1452 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1453 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1454 ni->ni_macaddr, "shared key auth",
1455 "bad sta auth mode %u", ni->ni_authmode);
1456 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1457 estatus = IEEE80211_STATUS_ALG;
1458 goto bad;
1459 }
1460
1461 challenge = NULL;
1462 if (frm + 1 < efrm) {
1463 if ((frm[1] + 2) > (efrm - frm)) {
1464 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1465 ni->ni_macaddr, "shared key auth",
1466 "ie %d/%d too long",
1467 frm[0], (frm[1] + 2) - (efrm - frm));
1468 vap->iv_stats.is_rx_bad_auth++;
1469 estatus = IEEE80211_STATUS_CHALLENGE;
1470 goto bad;
1471 }
1472 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1473 challenge = frm;
1474 frm += frm[1] + 2;
1475 }
1476 switch (seq) {
1477 case IEEE80211_AUTH_SHARED_CHALLENGE:
1478 case IEEE80211_AUTH_SHARED_RESPONSE:
1479 if (challenge == NULL) {
1480 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1481 ni->ni_macaddr, "shared key auth",
1482 "%s", "no challenge");
1483 vap->iv_stats.is_rx_bad_auth++;
1484 estatus = IEEE80211_STATUS_CHALLENGE;
1485 goto bad;
1486 }
1487 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1488 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1489 ni->ni_macaddr, "shared key auth",
1490 "bad challenge len %d", challenge[1]);
1491 vap->iv_stats.is_rx_bad_auth++;
1492 estatus = IEEE80211_STATUS_CHALLENGE;
1493 goto bad;
1494 }
1495 default:
1496 break;
1497 }
1498 switch (vap->iv_opmode) {
1499 case IEEE80211_M_MONITOR:
1500 case IEEE80211_M_AHDEMO:
1501 case IEEE80211_M_IBSS:
1502 case IEEE80211_M_WDS:
1503 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1504 ni->ni_macaddr, "shared key auth",
1505 "bad operating mode %u", vap->iv_opmode);
1506 return;
1507 case IEEE80211_M_HOSTAP:
1508 if (vap->iv_state != IEEE80211_S_RUN) {
1509 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1510 ni->ni_macaddr, "shared key auth",
1511 "bad state %u", vap->iv_state);
1512 estatus = IEEE80211_STATUS_ALG; /* XXX */
1513 goto bad;
1514 }
1515 switch (seq) {
1516 case IEEE80211_AUTH_SHARED_REQUEST:
1517 if (ni == vap->iv_bss) {
1518 ni = ieee80211_dup_bss(vap, wh->i_addr2, 0);
1519 if (ni == NULL) {
1520 /* NB: no way to return an error */
1521 return;
1522 }
1523 allocbs = 1;
1524 }
1525
1526 ni->ni_rssi = rssi;
1527 ni->ni_rtsf = rtsf;
1528 ni->ni_last_rx = jiffies;
1529 if (!alloc_challenge(ni)) {
1530 if (allocbs)
1531 ieee80211_unref_node(&ni);
1532 /* NB: don't return error so they rexmit */
1533 return;
1534 }
1535 get_random_bytes(ni->ni_challenge,
1536 IEEE80211_CHALLENGE_LEN);
1537 IEEE80211_NOTE(vap,
1538 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni,
1539 "shared key %sauth request", allocbs ? "" : "re");
1540 break;
1541 case IEEE80211_AUTH_SHARED_RESPONSE:
1542 if (ni == vap->iv_bss) {
1543 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1544 ni->ni_macaddr, "shared key response",
1545 "%s", "unknown station");
1546 /* NB: don't send a response */
1547 return;
1548 }
1549 if (ni->ni_challenge == NULL) {
1550 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1551 ni->ni_macaddr, "shared key response",
1552 "%s", "no challenge recorded");
1553 vap->iv_stats.is_rx_bad_auth++;
1554 estatus = IEEE80211_STATUS_CHALLENGE;
1555 goto bad;
1556 }
1557 if (memcmp(ni->ni_challenge, &challenge[2],
1558 challenge[1]) != 0) {
1559 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1560 ni->ni_macaddr, "shared key response",
1561 "%s", "challenge mismatch");
1562 vap->iv_stats.is_rx_auth_fail++;
1563 estatus = IEEE80211_STATUS_CHALLENGE;
1564 goto bad;
1565 }
1566 IEEE80211_NOTE(vap,
1567 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni,
1568 "station authenticated (%s)", "shared key");
1569 ieee80211_node_authorize(ni);
1570 break;
1571 default:
1572 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1573 ni->ni_macaddr, "shared key auth",
1574 "bad seq %d", seq);
1575 vap->iv_stats.is_rx_bad_auth++;
1576 estatus = IEEE80211_STATUS_SEQUENCE;
1577 goto bad;
1578 }
1579 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1580 break;
1581
1582 case IEEE80211_M_STA:
1583 if (vap->iv_state != IEEE80211_S_AUTH)
1584 return;
1585 switch (seq) {
1586 case IEEE80211_AUTH_SHARED_PASS:
1587 if (ni->ni_challenge != NULL) {
1588 FREE(ni->ni_challenge, M_DEVBUF);
1589 ni->ni_challenge = NULL;
1590 }
1591 if (status != 0) {
1592 IEEE80211_NOTE_MAC(vap,
1593 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1594 ieee80211_getbssid(vap, wh),
1595 "shared key auth failed (reason %d)",
1596 status);
1597 vap->iv_stats.is_rx_auth_fail++;
1598 /* XXX IEEE80211_SCAN_FAIL_STATUS */
1599 goto bad;
1600 }
1601 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
1602 break;
1603 case IEEE80211_AUTH_SHARED_CHALLENGE:
1604 if (!alloc_challenge(ni))
1605 goto bad;
1606 /* XXX could optimize by passing recvd challenge */
1607 memcpy(ni->ni_challenge, &challenge[2], challenge[1]);
1608 IEEE80211_SEND_MGMT(ni,
1609 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1610 break;
1611 default:
1612 IEEE80211_DISCARD(vap, IEEE80211_MSG_AUTH,
1613 wh, "shared key auth", "bad seq %d", seq);
1614 vap->iv_stats.is_rx_bad_auth++;
1615 goto bad;
1616 }
1617 break;
1618 }
1619 if (allocbs)
1620 ieee80211_unref_node(&ni);
1621 return;
1622 bad:
1623 /* Send an error response; but only when operating as an AP. */
1624 if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
1625 /* XXX hack to workaround calling convention */
1626 ieee80211_send_error(ni, wh->i_addr2,
1627 IEEE80211_FC0_SUBTYPE_AUTH,
1628 (seq + 1) | (estatus<<16));
1629 /* Remove node state if it exists and isn't just a
1630 * temporary copy of the bss (dereferenced later) */
1631 if (!allocbs && (ni != vap->iv_bss))
1632 ieee80211_node_leave(ni);
1633 } else if (vap->iv_opmode == IEEE80211_M_STA) {
1634 /*
1635 * Kick the state machine. This short-circuits
1636 * using the mgt frame timeout to trigger the
1637 * state transition.
1638 */
1639 if (vap->iv_state == IEEE80211_S_AUTH)
1640 ieee80211_new_state(vap, IEEE80211_S_SCAN, 0);
1641 }
1642 if (allocbs)
1643 ieee80211_unref_node(&ni);
1644 }
1645
1646 /* Verify the existence and length of __elem or get out. */
1647 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \
1648 if ((__elem) == NULL) { \
1649 IEEE80211_DISCARD(vap, IEEE80211_MSG_ELEMID, \
1650 wh, ieee80211_mgt_subtype_name[subtype >> \
1651 IEEE80211_FC0_SUBTYPE_SHIFT], \
1652 "%s", "no " #__elem); \
1653 vap->iv_stats.is_rx_elem_missing++; \
1654 return 0; \
1655 } \
1656 if ((__elem)[1] > (__maxlen)) { \
1657 IEEE80211_DISCARD(vap, IEEE80211_MSG_ELEMID, \
1658 wh, ieee80211_mgt_subtype_name[subtype >> \
1659 IEEE80211_FC0_SUBTYPE_SHIFT], \
1660 "bad " #__elem " len %d", (__elem)[1]); \
1661 vap->iv_stats.is_rx_elem_toobig++; \
1662 return 0; \
1663 } \
1664 } while (0)
1665
1666 #define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \
1667 if ((_len) < (_minlen)) { \
1668 IEEE80211_DISCARD(vap, IEEE80211_MSG_ELEMID, \
1669 wh, ieee80211_mgt_subtype_name[subtype >> \
1670 IEEE80211_FC0_SUBTYPE_SHIFT], \
1671 "%s", "ie too short"); \
1672 vap->iv_stats.is_rx_elem_toosmall++; \
1673 return 0; \
1674 } \
1675 } while (0)
1676
1677 #ifdef IEEE80211_DEBUG
1678 static void
1679 ieee80211_ssid_mismatch(struct ieee80211vap *vap, const char *tag,
1680 u_int8_t mac[IEEE80211_ADDR_LEN], u_int8_t *ssid)
1681 {
1682 printk("[" MAC_FMT "] discard %s frame, ssid mismatch: ",
1683 MAC_ADDR(mac), tag);
1684 ieee80211_print_essid(ssid + 2, ssid[1]);
1685 printk("\n");
1686 }
1687
1688 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \
1689 if ((_ssid)[1] != 0 && \
1690 ((_ssid)[1] != (_ni)->ni_esslen || \
1691 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \
1692 if (ieee80211_msg_input(vap)) \
1693 ieee80211_ssid_mismatch(vap, \
1694 ieee80211_mgt_subtype_name[subtype >> \
1695 IEEE80211_FC0_SUBTYPE_SHIFT], \
1696 wh->i_addr2, _ssid); \
1697 vap->iv_stats.is_rx_ssidmismatch++; \
1698 return 0; \
1699 } \
1700 } while (0)
1701 #else /* !IEEE80211_DEBUG */
1702 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \
1703 if ((_ssid)[1] != 0 && \
1704 ((_ssid)[1] != (_ni)->ni_esslen || \
1705 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \
1706 vap->iv_stats.is_rx_ssidmismatch++; \
1707 return 0; \
1708 } \
1709 } while (0)
1710 #endif /* !IEEE80211_DEBUG */
1711
1712 /* unaligned little endian access */
1713 #define LE_READ_2(p) \
1714 ((u_int16_t) \
1715 ((((const u_int8_t *)(p))[0] ) | \
1716 (((const u_int8_t *)(p))[1] << 8)))
1717 #define LE_READ_4(p) \
1718 ((u_int32_t) \
1719 ((((const u_int8_t *)(p))[0] ) | \
1720 (((const u_int8_t *)(p))[1] << 8) | \
1721 (((const u_int8_t *)(p))[2] << 16) | \
1722 (((const u_int8_t *)(p))[3] << 24)))
1723
1724 static __inline int
1725 iswpaoui(const u_int8_t *frm)
1726 {
1727 return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI);
1728 }
1729
1730 static __inline int
1731 iswmeoui(const u_int8_t *frm)
1732 {
1733 return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI);
1734 }
1735
1736 static __inline int
1737 iswmeparam(const u_int8_t *frm)
1738 {
1739 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) &&
1740 frm[6] == WME_PARAM_OUI_SUBTYPE;
1741 }
1742
1743 static __inline int
1744 iswmeinfo(const u_int8_t *frm)
1745 {
1746 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) &&
1747 frm[6] == WME_INFO_OUI_SUBTYPE;
1748 }
1749
1750 static __inline int
1751 isatherosoui(const u_int8_t *frm)
1752 {
1753 return frm[1] > 3 && LE_READ_4(frm+2) == ((ATH_OUI_TYPE<<24)|ATH_OUI);
1754 }
1755
1756 /*
1757 * Convert a WPA cipher selector OUI to an internal
1758 * cipher algorithm. Where appropriate we also
1759 * record any key length.
1760 */
1761 static int
1762 wpa_cipher(u_int8_t *sel, u_int8_t *keylen)
1763 {
1764 #define WPA_SEL(x) (((x) << 24) | WPA_OUI)
1765 u_int32_t w = LE_READ_4(sel);
1766
1767 switch (w) {
1768 case WPA_SEL(WPA_CSE_NULL):
1769 return IEEE80211_CIPHER_NONE;
1770 case WPA_SEL(WPA_CSE_WEP40):
1771 if (keylen)
1772 *keylen = 40 / NBBY;
1773 return IEEE80211_CIPHER_WEP;
1774 case WPA_SEL(WPA_CSE_WEP104):
1775 if (keylen)
1776 *keylen = 104 / NBBY;
1777 return IEEE80211_CIPHER_WEP;
1778 case WPA_SEL(WPA_CSE_TKIP):
1779 return IEEE80211_CIPHER_TKIP;
1780 case WPA_SEL(WPA_CSE_CCMP):
1781 return IEEE80211_CIPHER_AES_CCM;
1782 }
1783 return 32; /* NB: so 1<< is discarded */
1784 #undef WPA_SEL
1785 }
1786
1787 /*
1788 * Convert a WPA key management/authentication algorithm
1789 * to an internal code.
1790 */
1791 static int
1792 wpa_keymgmt(u_int8_t *sel)
1793 {
1794 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1795 u_int32_t w = LE_READ_4(sel);
1796
1797 switch (w) {
1798 case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1799 return WPA_ASE_8021X_UNSPEC;
1800 case WPA_SEL(WPA_ASE_8021X_PSK):
1801 return WPA_ASE_8021X_PSK;
1802 case WPA_SEL(WPA_ASE_NONE):
1803 return WPA_ASE_NONE;
1804 }
1805 return 0; /* NB: so is discarded */
1806 #undef WPA_SEL
1807 }
1808
1809 /*
1810 * Parse a WPA information element to collect parameters
1811 * and validate the parameters against what has been
1812 * configured for the system.
1813 */
1814 static int
1815 ieee80211_parse_wpa(struct ieee80211vap *vap, u_int8_t *frm,
1816 struct ieee80211_rsnparms *rsn_parm, const struct ieee80211_frame *wh)
1817 {
1818 u_int8_t len = frm[1];
1819 u_int32_t w;
1820 int n;
1821
1822 /*
1823 * Check the length once for fixed parts: OUI, type,
1824 * version, mcast cipher, and 2 selector counts.
1825 * Other, variable-length data, must be checked separately.
1826 */
1827 if (!(vap->iv_flags & IEEE80211_F_WPA1)) {
1828 IEEE80211_DISCARD_IE(vap,
1829 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1830 wh, "WPA", "vap not WPA, flags 0x%x", vap->iv_flags);
1831 return IEEE80211_REASON_IE_INVALID;
1832 }
1833
1834 if (len < 14) {
1835 IEEE80211_DISCARD_IE(vap,
1836 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1837 wh, "WPA", "too short, len %u", len);
1838 return IEEE80211_REASON_IE_INVALID;
1839 }
1840 frm += 6, len -= 4; /* NB: len is payload only */
1841 /* NB: iswapoui already validated the OUI and type */
1842 w = LE_READ_2(frm);
1843 if (w != WPA_VERSION) {
1844 IEEE80211_DISCARD_IE(vap,
1845 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1846 wh, "WPA", "bad version %u", w);
1847 return IEEE80211_REASON_IE_INVALID;
1848 }
1849 frm += 2;
1850 len -= 2;
1851
1852 /* multicast/group cipher */
1853 w = wpa_cipher(frm, &rsn_parm->rsn_mcastkeylen);
1854 if (w != rsn_parm->rsn_mcastcipher) {
1855 IEEE80211_DISCARD_IE(vap,
1856 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1857 wh, "WPA", "mcast cipher mismatch; got %u, expected %u",
1858 w, rsn_parm->rsn_mcastcipher);
1859 return IEEE80211_REASON_IE_INVALID;
1860 }
1861 frm += 4;
1862 len -= 4;
1863
1864 /* unicast ciphers */
1865 n = LE_READ_2(frm);
1866 frm += 2;
1867 len -= 2;
1868 if (len < n*4+2) {
1869 IEEE80211_DISCARD_IE(vap,
1870 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1871 wh, "WPA", "ucast cipher data too short; len %u, n %u",
1872 len, n);
1873 return IEEE80211_REASON_IE_INVALID;
1874 }
1875 w = 0;
1876 for (; n > 0; n--) {
1877 w |= 1 << wpa_cipher(frm, &rsn_parm->rsn_ucastkeylen);
1878 frm += 4;
1879 len -= 4;
1880 }
1881 w &= rsn_parm->rsn_ucastcipherset;
1882 if (w == 0) {
1883 IEEE80211_DISCARD_IE(vap,
1884 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1885 wh, "WPA", "%s", "ucast cipher set empty");
1886 return IEEE80211_REASON_IE_INVALID;
1887 }
1888 if (w & (1 << IEEE80211_CIPHER_TKIP))
1889 rsn_parm->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1890 else
1891 rsn_parm->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1892
1893 /* key management algorithms */
1894 n = LE_READ_2(frm);
1895 frm += 2;
1896 len -= 2;
1897 if (len < n * 4) {
1898 IEEE80211_DISCARD_IE(vap,
1899 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1900 wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1901 len, n);
1902 return IEEE80211_REASON_IE_INVALID;
1903 }
1904 w = 0;
1905 for (; n > 0; n--) {
1906 w |= wpa_keymgmt(frm);
1907 frm += 4;
1908 len -= 4;
1909 }
1910 w &= rsn_parm->rsn_keymgmtset;
1911 if (w == 0) {
1912 IEEE80211_DISCARD_IE(vap,
1913 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1914 wh, "WPA", "%s", "no acceptable key mgmt alg");
1915 return IEEE80211_REASON_IE_INVALID;
1916 }
1917 if (w & WPA_ASE_8021X_UNSPEC)
1918 rsn_parm->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1919 else
1920 rsn_parm->rsn_keymgmt = WPA_ASE_8021X_PSK;
1921
1922 if (len > 2) /* optional capabilities */
1923 rsn_parm->rsn_caps = LE_READ_2(frm);
1924
1925 return 0;
1926 }
1927
1928 /*
1929 * Convert an RSN cipher selector OUI to an internal
1930 * cipher algorithm. Where appropriate we also
1931 * record any key length.
1932 */
1933 static int
1934 rsn_cipher(u_int8_t *sel, u_int8_t *keylen)
1935 {
1936 #define RSN_SEL(x) (((x) << 24) | RSN_OUI)
1937 u_int32_t w = LE_READ_4(sel);
1938
1939 switch (w) {
1940 case RSN_SEL(RSN_CSE_NULL):
1941 return IEEE80211_CIPHER_NONE;
1942 case RSN_SEL(RSN_CSE_WEP40):
1943 if (keylen)
1944 *keylen = 40 / NBBY;
1945 return IEEE80211_CIPHER_WEP;
1946 case RSN_SEL(RSN_CSE_WEP104):
1947 if (keylen)
1948 *keylen = 104 / NBBY;
1949 return IEEE80211_CIPHER_WEP;
1950 case RSN_SEL(RSN_CSE_TKIP):
1951 return IEEE80211_CIPHER_TKIP;
1952 case RSN_SEL(RSN_CSE_CCMP):
1953 return IEEE80211_CIPHER_AES_CCM;
1954 case RSN_SEL(RSN_CSE_WRAP):
1955 return IEEE80211_CIPHER_AES_OCB;
1956 }
1957 return 32; /* NB: so 1<< is discarded */
1958 #undef RSN_SEL
1959 }
1960
1961 /*
1962 * Convert an RSN key management/authentication algorithm
1963 * to an internal code.
1964 */
1965 static int
1966 rsn_keymgmt(u_int8_t *sel)
1967 {
1968 #define RSN_SEL(x) (((x) << 24) | RSN_OUI)
1969 u_int32_t w = LE_READ_4(sel);
1970
1971 switch (w) {
1972 case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1973 return RSN_ASE_8021X_UNSPEC;
1974 case RSN_SEL(RSN_ASE_8021X_PSK):
1975 return RSN_ASE_8021X_PSK;
1976 case RSN_SEL(RSN_ASE_NONE):
1977 return RSN_ASE_NONE;
1978 }
1979 return 0; /* NB: so is discarded */
1980 #undef RSN_SEL
1981 }
1982
1983 /*
1984 * Parse a WPA/RSN information element to collect parameters
1985 * and validate the parameters against what has been
1986 * configured for the system.
1987 */
1988 static int
1989 ieee80211_parse_rsn(struct ieee80211vap *vap, u_int8_t *frm,
1990 struct ieee80211_rsnparms *rsn_parm, const struct ieee80211_frame *wh)
1991 {
1992 u_int8_t len = frm[1];
1993 u_int32_t w;
1994 int n;
1995
1996 /*
1997 * Check the length once for fixed parts:
1998 * version, mcast cipher, and 2 selector counts.
1999 * Other, variable-length data, must be checked separately.
2000 */
2001 if (!(vap->iv_flags & IEEE80211_F_WPA2)) {
2002 IEEE80211_DISCARD_IE(vap,
2003 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
2004 wh, "RSN", "vap not RSN, flags 0x%x", vap->iv_flags);
2005 return IEEE80211_REASON_IE_INVALID;
2006 }
2007
2008 if (len < 10) {
2009 IEEE80211_DISCARD_IE(vap,
2010 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
2011 wh, "RSN", "too short, len %u", len);
2012 return IEEE80211_REASON_IE_INVALID;
2013 }
2014 frm += 2;
2015 w = LE_READ_2(frm);
2016 if (w != RSN_VERSION) {
2017 IEEE80211_DISCARD_IE(vap,
2018 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
2019 wh, "RSN", "bad version %u", w);
2020 return IEEE80211_REASON_IE_INVALID;
2021 }
2022 frm += 2;
2023 len -= 2;
2024
2025 /* multicast/group cipher */
2026 w = rsn_cipher(frm, &rsn_parm->rsn_mcastkeylen);
2027 if (w != rsn_parm->rsn_mcastcipher) {
2028 IEEE80211_DISCARD_IE(vap,
2029 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
2030 wh, "RSN", "mcast cipher mismatch; got %u, expected %u",
2031 w, rsn_parm->rsn_mcastcipher);
2032 return IEEE80211_REASON_IE_INVALID;
2033 }
2034 frm += 4;
2035 len -= 4;
2036
2037 /* unicast ciphers */
2038 n = LE_READ_2(frm);
2039 frm += 2;
2040 len -= 2;
2041 if (len < n * 4 + 2) {
2042 IEEE80211_DISCARD_IE(vap,
2043 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
2044 wh, "RSN", "ucast cipher data too short; len %u, n %u",
2045 len, n);
2046 return IEEE80211_REASON_IE_INVALID;
2047 }
2048 w = 0;
2049 for (; n > 0; n--) {
2050 w |= 1 << rsn_cipher(frm, &rsn_parm->rsn_ucastkeylen);
2051 frm += 4;
2052 len -= 4;
2053 }
2054 w &= rsn_parm->rsn_ucastcipherset;
2055 if (w == 0) {
2056 IEEE80211_DISCARD_IE(vap,
2057 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
2058 wh, "RSN", "%s", "ucast cipher set empty");
2059 return IEEE80211_REASON_IE_INVALID;
2060 }
2061 if (w & (1<<IEEE80211_CIPHER_TKIP))
2062 rsn_parm->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
2063 else
2064 rsn_parm->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
2065
2066 /* key management algorithms */
2067 n = LE_READ_2(frm);
2068 frm += 2;
2069 len -= 2;
2070 if (len < n * 4) {
2071 IEEE80211_DISCARD_IE(vap,
2072 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
2073 wh, "RSN", "key mgmt alg data too short; len %u, n %u",
2074 len, n);
2075 return IEEE80211_REASON_IE_INVALID;
2076 }
2077 w = 0;
2078 for (; n > 0; n--) {
2079 w |= rsn_keymgmt(frm);
2080 frm += 4;
2081 len -= 4;
2082 }
2083 w &= rsn_parm->rsn_keymgmtset;
2084 if (w == 0) {
2085 IEEE80211_DISCARD_IE(vap,
2086 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
2087 wh, "RSN", "%s", "no acceptable key mgmt alg");
2088 return IEEE80211_REASON_IE_INVALID;
2089 }
2090 if (w & RSN_ASE_8021X_UNSPEC)
2091 rsn_parm->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
2092 else
2093 rsn_parm->rsn_keymgmt = RSN_ASE_8021X_PSK;
2094
2095 /* optional RSN capabilities */
2096 if (len > 2)
2097 rsn_parm->rsn_caps = LE_READ_2(frm);
2098 /* XXX PMKID */
2099
2100 return 0;
2101 }
2102
2103 /* Record information element for later use. */
2104 void
2105 ieee80211_saveie(u_int8_t **iep, const u_int8_t *ie)
2106 {
2107 if ((*iep == NULL) || (ie == NULL) || ((*iep)[1] != ie[1])) {
2108 if (*iep != NULL)
2109 FREE(*iep, M_DEVBUF);
2110 *iep = NULL;
2111 if (ie != NULL)
2112 MALLOC(*iep, void*, ie[1] + 2, M_DEVBUF, M_NOWAIT);
2113 }
2114 if ((*iep != NULL) && (ie != NULL))
2115 memcpy(*iep, ie, ie[1] + 2);
2116 }
2117 EXPORT_SYMBOL(ieee80211_saveie);
2118
2119 static int
2120 ieee80211_parse_wmeie(u_int8_t *frm, const struct ieee80211_frame *wh,
2121 struct ieee80211_node *ni)
2122 {
2123 u_int len = frm[1];
2124
2125 if (len != 7) {
2126 IEEE80211_DISCARD_IE(ni->ni_vap,
2127 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME,
2128 wh, "WME IE", "too short, len %u", len);
2129 return -1;
2130 }
2131 ni->ni_uapsd = frm[WME_CAPINFO_IE_OFFSET];
2132 if (ni->ni_uapsd) {
2133 ni->ni_flags |= IEEE80211_NODE_UAPSD;
2134 switch (WME_UAPSD_MAXSP(ni->ni_uapsd)) {
2135 case 1:
2136 ni->ni_uapsd_maxsp = 2; break;
2137 case 2:
2138 ni->ni_uapsd_maxsp = 4; break;
2139 case 3:
2140 ni->ni_uapsd_maxsp = 6; break;
2141 default:
2142 ni->ni_uapsd_maxsp = WME_UAPSD_NODE_MAXQDEPTH;
2143 }
2144 }
2145 IEEE80211_NOTE(ni->ni_vap, IEEE80211_MSG_POWER, ni,
2146 "UAPSD bit settings from STA: %02x", ni->ni_uapsd);
2147
2148 return 1;
2149 }
2150
2151 static int
2152 ieee80211_parse_wmeparams(struct ieee80211vap *vap, u_int8_t *frm,
2153 const struct ieee80211_frame *wh, u_int8_t *qosinfo)
2154 {
2155 #define MS(_v, _f) (((_v) & _f) >> _f##_S)
2156 struct ieee80211_wme_state *wme = &vap->iv_ic->ic_wme;
2157 u_int len = frm[1], qosinfo_count;
2158 int i;
2159
2160 *qosinfo = 0;
2161
2162 if (len < sizeof(struct ieee80211_wme_param)-2) {
2163 IEEE80211_DISCARD_IE(vap,
2164 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME,
2165 wh, "WME", "too short, len %u", len);
2166 return -1;
2167 }
2168 *qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)];
2169 qosinfo_count = *qosinfo & WME_QOSINFO_COUNT;
2170 /* XXX do proper check for wraparound */
2171 if (qosinfo_count == wme->wme_wmeChanParams.cap_info_count)
2172 return 0;
2173 frm += __offsetof(struct ieee80211_wme_param, params_acParams);
2174 for (i = 0; i < WME_NUM_AC; i++) {
2175 struct wmeParams *wmep =
2176 &wme->wme_wmeChanParams.cap_wmeParams[i];
2177 /* NB: ACI not used */
2178 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM);
2179 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN);
2180 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN);
2181 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX);
2182 wmep->wmep_txopLimit = LE_READ_2(frm + 2);
2183 frm += 4;
2184 }
2185 wme->wme_wmeChanParams.cap_info_count = qosinfo_count;
2186 return 1;
2187 #undef MS
2188 }
2189
2190 static void
2191 ieee80211_parse_athParams(struct ieee80211_node *ni, u_int8_t *ie)
2192 {
2193 #ifdef ATH_SUPERG_DYNTURBO
2194 struct ieee80211vap *vap = ni->ni_vap;
2195 struct ieee80211com *ic = ni->ni_ic;
2196 #endif /* ATH_SUPERG_DYNTURBO */
2197 struct ieee80211_ie_athAdvCap *athIe =
2198 (struct ieee80211_ie_athAdvCap *)ie;
2199
2200 ni->ni_ath_flags = athIe->athAdvCap_capability;
2201 if (ni->ni_ath_flags & IEEE80211_ATHC_COMP)
2202 ni->ni_ath_defkeyindex = LE_READ_2(&athIe->athAdvCap_defKeyIndex);
2203 #if 0
2204 /* NB: too noisy */
2205 IEEE80211_NOTE(vap, IEEE80211_MSG_SUPG, ni,
2206 "recv ath params: caps 0x%x flags 0x%x defkeyix %u",
2207 athIe->athAdvCap_capability, ni->ni_ath_flags,
2208 ni->ni_ath_defkeyindex);
2209 #endif
2210 #ifdef ATH_SUPERG_DYNTURBO
2211 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_ATHC_TURBOP)) {
2212 u_int16_t curflags, newflags;
2213
2214 /*
2215 * Check for turbo mode switch. Calculate flags
2216 * for the new mode and effect the switch.
2217 */
2218 newflags = curflags = ic->ic_bsschan->ic_flags;
2219 /* NB: ATHC_BOOST is not in ic_ath_cap, so get it from the ie */
2220 if (athIe->athAdvCap_capability & IEEE80211_ATHC_BOOST)
2221 newflags |= IEEE80211_CHAN_TURBO;
2222 else
2223 newflags &= ~IEEE80211_CHAN_TURBO;
2224 if (newflags != curflags)
2225 ieee80211_dturbo_switch(ic, newflags);
2226 }
2227 #endif /* ATH_SUPERG_DYNTURBO */
2228 }
2229
2230 static void
2231 forward_mgmt_to_app(struct ieee80211vap *vap, int subtype, struct sk_buff *skb,
2232 struct ieee80211_frame *wh)
2233 {
2234 struct net_device *dev = vap->iv_dev;
2235 int filter_type = 0;
2236
2237 switch (subtype) {
2238 case IEEE80211_FC0_SUBTYPE_BEACON:
2239 filter_type = IEEE80211_FILTER_TYPE_BEACON;
2240 break;
2241 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
2242 filter_type = IEEE80211_FILTER_TYPE_PROBE_REQ;
2243 break;
2244 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
2245 filter_type = IEEE80211_FILTER_TYPE_PROBE_RESP;
2246 break;
2247 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
2248 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
2249 filter_type = IEEE80211_FILTER_TYPE_ASSOC_REQ;
2250 break;
2251 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2252 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
2253 filter_type = IEEE80211_FILTER_TYPE_ASSOC_RESP;
2254 break;
2255 case IEEE80211_FC0_SUBTYPE_AUTH:
2256 filter_type = IEEE80211_FILTER_TYPE_AUTH;
2257 break;
2258 case IEEE80211_FC0_SUBTYPE_DEAUTH:
2259 filter_type = IEEE80211_FILTER_TYPE_DEAUTH;
2260 break;
2261 case IEEE80211_FC0_SUBTYPE_DISASSOC:
2262 filter_type = IEEE80211_FILTER_TYPE_DISASSOC;
2263 break;
2264 default:
2265 break;
2266 }
2267
2268 if (filter_type && ((vap->app_filter & filter_type) == filter_type)) {
2269 struct sk_buff *skb1;
2270
2271 skb1 = skb_copy(skb, GFP_ATOMIC);
2272 if (skb1 == NULL)
2273 return;
2274 /* We duplicate the reference after skb_copy */
2275 ieee80211_skb_copy_noderef(skb, skb1);
2276 skb1->dev = dev;
2277 skb_reset_mac_header(skb1);
2278
2279 skb1->ip_summed = CHECKSUM_NONE;
2280 skb1->pkt_type = PACKET_OTHERHOST;
2281 skb1->protocol = __constant_htons(0x0019); /* ETH_P_80211_RAW */
2282
2283 vap->iv_devstats.rx_packets++;
2284 vap->iv_devstats.rx_bytes += skb1->len;
2285
2286 if (SKB_NI(skb1) != NULL)
2287 ieee80211_unref_node(&SKB_NI(skb1));
2288 if (netif_rx(skb1) == NET_RX_DROP)
2289 vap->iv_devstats.rx_dropped++;
2290 }
2291 }
2292
2293 void
2294 ieee80211_saveath(struct ieee80211_node *ni, u_int8_t *ie)
2295 {
2296 const struct ieee80211_ie_athAdvCap *athIe =
2297 (const struct ieee80211_ie_athAdvCap *)ie;
2298
2299 ieee80211_saveie(&ni->ni_ath_ie, ie);
2300 if (athIe != NULL) {
2301 ni->ni_ath_flags = athIe->athAdvCap_capability;
2302 if (ni->ni_ath_flags & IEEE80211_ATHC_COMP)
2303 ni->ni_ath_defkeyindex = LE_READ_2(&athIe->athAdvCap_defKeyIndex);
2304 } else {
2305 ni->ni_ath_flags = 0;
2306 ni->ni_ath_defkeyindex = IEEE80211_INVAL_DEFKEY;
2307 }
2308 }
2309
2310 /*
2311 * Structure to be passed through ieee80211_iterate_nodes() to count_nodes()
2312 */
2313 struct count_nodes_arg {
2314 const int k;
2315 const int *subset;
2316 int count;
2317 struct ieee80211_node *new;
2318 };
2319
2320 /* Count nodes which don't support at least one of arg->subset. */
2321 static void
2322 count_nodes(void *_arg, struct ieee80211_node *ni)
2323 {
2324 struct count_nodes_arg *arg = (struct count_nodes_arg *)_arg;
2325 int i;
2326
2327 if (ni->ni_suppchans == NULL)
2328 return;
2329
2330 if (ni == arg->new)
2331 return;
2332
2333 for (i = 0; i < arg->k; i++)
2334 if (isclr(ni->ni_suppchans, arg->subset[i])) {
2335 arg->count++;
2336 return;
2337 }
2338 }
2339
2340 /* Structure to be passed through combinations() to channel_combination() */
2341 struct channel_combination_arg {
2342 struct ieee80211com *ic;
2343 struct ieee80211_node *new;
2344 int *best;
2345 int benefit;
2346 };
2347
2348 #ifdef IEEE80211_DEBUG
2349 /* sprintf() set[] array consisting of k integers */
2350 static const char*
2351 ints_sprintf(const int k, const int set[])
2352 {
2353 static char buf[915]; /* 0-255: 10*2 + 90*3 + 156*4 + '\0' */
2354 char *ptr = buf;
2355 int i;
2356 for (i = 0; i < k; i++)
2357 ptr += snprintf(ptr, buf + sizeof(buf) - ptr, "%d ", set[i]);
2358 return buf;
2359 }
2360 #endif
2361
2362 /* Action done for each combination of channels that are not supported by
2363 * currently joining station. */
2364 static void
2365 channel_combination(const int k, const int subset[], void *_arg)
2366 {
2367 struct channel_combination_arg *arg =
2368 (struct channel_combination_arg *)_arg;
2369 struct ieee80211com *ic = arg->ic;
2370 struct count_nodes_arg cn_arg = { k, subset, 0, arg->new };
2371 int permil, allowed;
2372 int sta_assoc = ic->ic_sta_assoc; /* make > 0 check consistent
2373 * with / operation */
2374
2375 ieee80211_iterate_nodes(&arg->ic->ic_sta,
2376 &count_nodes, (void*)&cn_arg);
2377
2378 /* The following two sanity checks can theoretically fail due to lack
2379 * of locking, but since it is not fatal, we will just print a debug
2380 * msg and neglect it */
2381 if (cn_arg.count == 0) {
2382 IEEE80211_NOTE(arg->new->ni_vap, IEEE80211_MSG_ANY, arg->new,
2383 "%s", "ic_chan_nodes incosistency (incorrect "
2384 "uncommon channel count)");
2385 return;
2386 }
2387 if (sta_assoc == 0) {
2388 IEEE80211_NOTE(arg->new->ni_vap, IEEE80211_MSG_ANY, arg->new,
2389 "%s", "no STAs associated, so there should be "
2390 "no \"uncommon\" channels");
2391 return;
2392 }
2393
2394 permil = 1000 * cn_arg.count / sta_assoc;
2395 allowed = ic->ic_sc_slcg * k;
2396 /* clamp it to provide more sensible output */
2397 if (allowed > 1000)
2398 allowed = 1000;
2399
2400 IEEE80211_NOTE(arg->new->ni_vap, IEEE80211_MSG_ASSOC|IEEE80211_MSG_DOTH,
2401 arg->new, "Making channels %savailable would require "
2402 "kicking out %d stations,", ints_sprintf(k, subset),
2403 cn_arg.count);
2404 IEEE80211_NOTE(arg->new->ni_vap, IEEE80211_MSG_ASSOC|IEEE80211_MSG_DOTH,
2405 arg->new, "what is %d permils of all associated STAs "
2406 "(slcg permits < %d).", permil, allowed);
2407
2408 if (permil > allowed)
2409 return;
2410 if (allowed - permil > arg->benefit) {
2411 memcpy(arg->best, subset, k * sizeof(*subset));
2412 arg->benefit = allowed - permil;
2413 }
2414 }
2415
2416 /* Enumerate all combinations of k-element subset of n-element set via a
2417 * callback function. */
2418 static void
2419 combinations(int n, int set[], int k,
2420 void (*callback)(const int, const int [], void *), void *arg)
2421 {
2422 int subset[k], pos[k], i;
2423 for (i = 0; i < k; i++)
2424 pos[i] = 0;
2425 i = 0;
2426 forward:
2427 if (i > 0) {
2428 while (set[pos[i]] < subset[i - 1] && pos[i] < n)
2429 pos[i]++;
2430 if (pos[i] == n)
2431 goto backward;
2432 }
2433 subset[i] = set[pos[i]];
2434 set[pos[i]] = set[n - 1];
2435 n--;
2436
2437 i++;
2438 if (i == k) {
2439 callback(k, subset, arg);
2440 } else {
2441 pos[i] = 0;
2442 goto forward;
2443 }
2444 backward:
2445 i--;
2446 if (i < 0)
2447 return;
2448 set[pos[i]] = subset[i];
2449 n++;
2450
2451 pos[i]++;
2452 if (pos[i] == n)
2453 goto backward;
2454 goto forward;
2455 }
2456
2457 static __inline int
2458 find_worse_nodes(struct ieee80211com *ic, struct ieee80211_node *new)
2459 {
2460 int i, tmp1, tmp2;
2461 u_int16_t n_common, n_uncommon;
2462 u_int16_t cn_total = ic->ic_cn_total;
2463 u_int16_t to_gain;
2464
2465 if (cn_total == 0)
2466 /* should not happen */
2467 return 1;
2468
2469 n_common = n_uncommon = 0;
2470
2471 CHANNEL_FOREACH(i, ic, tmp1, tmp2) {
2472 if (isset(new->ni_suppchans_new, i)) {
2473 if (ic->ic_chan_nodes[i] == ic->ic_cn_total) {
2474 n_common++;
2475 } else {
2476 n_uncommon++;
2477 }
2478 }
2479 }
2480
2481 to_gain = ic->ic_sc_mincom - n_common + 1;
2482 IEEE80211_NOTE(new->ni_vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_DOTH,
2483 new, "By accepting STA we would need to gain at least "
2484 "%d common channels.", to_gain);
2485 IEEE80211_NOTE(new->ni_vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_DOTH,
2486 new, "%d channels supported by the joining STA are "
2487 "not commonly supported by others.", n_uncommon);
2488
2489 if (to_gain > n_uncommon) {
2490 IEEE80211_NOTE(new->ni_vap, IEEE80211_MSG_ASSOC |
2491 IEEE80211_MSG_DOTH, new, "%s",
2492 "Even disassociating all the nodes will not "
2493 "be enough.");
2494 return 0;
2495 }
2496
2497 {
2498 int uncommon[n_uncommon];
2499 int best[to_gain];
2500 struct channel_combination_arg arg = { ic, new, best, -1 };
2501 int j = 0;
2502
2503 CHANNEL_FOREACH(i, ic, tmp1, tmp2)
2504 if (isset(new->ni_suppchans_new, i) &&
2505 (ic->ic_chan_nodes[i] !=
2506 ic->ic_cn_total)) {
2507 if (j == n_uncommon)
2508 /* silent assert */
2509 break;
2510 uncommon[j++] = i;
2511 }
2512
2513 combinations(n_uncommon, uncommon, to_gain,
2514 &channel_combination, &arg);
2515 if (arg.benefit < 0) {
2516 IEEE80211_NOTE(new->ni_vap, IEEE80211_MSG_ASSOC |
2517 IEEE80211_MSG_DOTH, new, "%s",
2518 "No combination of channels allows a "
2519 "beneficial trade-off.");
2520 return 0;
2521 }
2522 IEEE80211_NOTE(new->ni_vap, IEEE80211_MSG_ASSOC |
2523 IEEE80211_MSG_DOTH, new,
2524 "Nodes which don't support channels %swill be "
2525 "forced to leave.",
2526 ints_sprintf(to_gain, best));
2527
2528 if (new->ni_needed_chans != NULL)
2529 FREE(new->ni_needed_chans, M_DEVBUF);
2530 MALLOC(new->ni_needed_chans, void*,
2531 to_gain * sizeof(*new->ni_needed_chans),
2532 M_DEVBUF, M_NOWAIT);
2533
2534 if (new->ni_needed_chans == NULL) {
2535 IEEE80211_NOTE(new->ni_vap, IEEE80211_MSG_DEBUG |
2536 IEEE80211_MSG_DOTH, new, "%s",
2537 "needed_chans allocation failed");
2538 return 0;
2539 }
2540
2541 /* Store the list of channels to remove nodes which don't
2542 * support them. */
2543 for (i = 0; i < to_gain; i++)
2544 new->ni_needed_chans[i] = best[i];
2545 new->ni_n_needed_chans = to_gain;
2546 return 1;
2547 }
2548 }
2549
2550 static int
2551 ieee80211_parse_sc_ie(struct ieee80211_node *ni, u_int8_t *frm,
2552 const struct ieee80211_frame *wh)
2553 {
2554 struct ieee80211_ie_sc *sc_ie = (struct ieee80211_ie_sc *)frm;
2555 struct ieee80211com *ic = ni->ni_ic;
2556 #ifdef IEEE80211_DEBUG
2557 struct ieee80211vap *vap = ni->ni_vap;
2558 int reassoc = (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) ==
2559 IEEE80211_FC0_SUBTYPE_REASSOC_REQ;
2560 #endif
2561 int i, tmp1, tmp2;
2562 int count;
2563
2564 if (sc_ie == NULL) {
2565 if (ni->ni_ic->ic_sc_algorithm == IEEE80211_SC_STRICT) {
2566 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC |
2567 IEEE80211_MSG_DOTH, wh->i_addr2,
2568 "deny %s request, no supported "
2569 "channels IE",
2570 reassoc ? "reassoc" : "assoc");
2571 return IEEE80211_STATUS_SUPPCHAN_UNACCEPTABLE;
2572 }
2573 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC |
2574 IEEE80211_MSG_DOTH, wh->i_addr2,
2575 "%s request: no supported channels IE",
2576 reassoc ? "reassoc" : "assoc");
2577 return IEEE80211_STATUS_SUCCESS;
2578 }
2579 if (sc_ie->sc_len % 2 != 0) {
2580 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC |
2581 IEEE80211_MSG_DOTH, wh->i_addr2,
2582 "deny %s request, malformed supported "
2583 "channels IE (len)",
2584 reassoc ? "reassoc" : "assoc");
2585 /* XXX: deauth with IEEE80211_REASON_IE_INVALID? */
2586 return IEEE80211_STATUS_SUPPCHAN_UNACCEPTABLE;
2587 }
2588 if (ni->ni_suppchans_new == NULL) {
2589 MALLOC(ni->ni_suppchans_new, void*, IEEE80211_CHAN_BYTES,
2590 M_DEVBUF, M_NOWAIT);
2591 if (ni->ni_suppchans_new == NULL) {
2592 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC |
2593 IEEE80211_MSG_DOTH, wh->i_addr2,
2594 "deny %s request, couldn't allocate "
2595 "memory for SC IE!",
2596 reassoc ? "reassoc" : "assoc");
2597 return IEEE80211_STATUS_SUPPCHAN_UNACCEPTABLE;
2598 }
2599 }
2600 memset(ni->ni_suppchans_new, 0, IEEE80211_CHAN_BYTES);
2601 for (i = 0; i < (sc_ie->sc_len / 2); i++) {
2602 u_int8_t chan = sc_ie->sc_subband[i].sc_first;
2603 /* XXX: see 802.11d-2001-4-05-03-interp,
2604 * but what about .11j, turbo, etc.? */
2605 u_int8_t step = (chan <= 14 ? 1 : 4);
2606 u_int16_t last = chan + step *
2607 (sc_ie->sc_subband[i].sc_number - 1);
2608
2609 /* check for subband under- (sc_number == 0) or overflow */
2610 if ((last < chan) || ((chan <= 14) && (last > 14)) ||
2611 (chan > 14 && last > 200)) {
2612 /* XXX: deauth with IEEE80211_REASON_IE_INVALID? */
2613 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC |
2614 IEEE80211_MSG_DOTH, wh->i_addr2,
2615 "deny %s request, malformed supported "
2616 "channels ie (subbands, %d, %d)",
2617 reassoc ? "reassoc" : "assoc",
2618 chan, last);
2619 return IEEE80211_STATUS_SUPPCHAN_UNACCEPTABLE;
2620 }
2621
2622 for (; chan <= last; chan += step)
2623 setbit(ni->ni_suppchans_new, chan);
2624 }
2625 /* forbid STAs that claim they don't support the channel they are
2626 * currently operating at */
2627 if (isclr(ni->ni_suppchans_new, ic->ic_bsschan->ic_ieee)) {
2628 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC |
2629 IEEE80211_MSG_DOTH, wh->i_addr2,
2630 "deny %s request, sc ie does not contain bss "
2631 "channel(subbands)",
2632 reassoc ? "reassoc" : "assoc");
2633 return IEEE80211_STATUS_SUPPCHAN_UNACCEPTABLE;
2634 }
2635
2636 if ((ic->ic_sc_algorithm != IEEE80211_SC_TIGHT) &&
2637 (ic->ic_sc_algorithm != IEEE80211_SC_STRICT))
2638 goto success;
2639
2640 /* count number of channels that will be common to all STAs after the
2641 * new one joins */
2642 count = 0;
2643 CHANNEL_FOREACH(i, ic, tmp1, tmp2)
2644 if (isset(ni->ni_suppchans_new, i) && (
2645 ic->ic_chan_nodes[i] == ic->ic_cn_total))
2646 count++;
2647
2648 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_DOTH,
2649 wh->i_addr2, "%s request: %d common channels, %d "
2650 "required", reassoc ? "reassoc" : "assoc",
2651 count, ic->ic_sc_mincom);
2652 if (count < ic->ic_sc_mincom) {
2653 /* common channel count decreases below the required minimum */
2654 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_DOTH,
2655 wh->i_addr2, "%s request: not enough common "
2656 "channels available, tight/strict algorithm "
2657 "engaged", reassoc ? "reassoc" : "assoc");
2658
2659 if (!find_worse_nodes(ic, ni)) {
2660 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC |
2661 IEEE80211_MSG_DOTH, wh->i_addr2,
2662 "deny %s request, tight/strict "
2663 "criterion not met",
2664 reassoc ? "reassoc" : "assoc");
2665 return IEEE80211_STATUS_SUPPCHAN_UNACCEPTABLE;
2666 }
2667 }
2668
2669 success:
2670 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_DOTH | IEEE80211_MSG_ASSOC |
2671 IEEE80211_MSG_ELEMID, wh->i_addr2,
2672 "%s", "supported channels ie parsing successful");
2673 return IEEE80211_STATUS_SUCCESS;
2674 }
2675
2676
2677 struct ieee80211_channel *
2678 ieee80211_doth_findchan(struct ieee80211vap *vap, u_int8_t chan)
2679 {
2680 struct ieee80211com *ic = vap->iv_ic;
2681 struct ieee80211_channel *c;
2682 int flags, freq;
2683
2684 /* NB: try first to preserve turbo */
2685 flags = ic->ic_bsschan->ic_flags & IEEE80211_CHAN_ALL;
2686 freq = ieee80211_ieee2mhz(chan, 0);
2687 c = ieee80211_find_channel(ic, freq, flags);
2688 if (c == NULL)
2689 c = ieee80211_find_channel(ic, freq, 0);
2690 return c;
2691 }
2692
2693 static void
2694 ieee80211_doth_cancel_cs(struct ieee80211vap *vap)
2695 {
2696 del_timer(&vap->iv_csa_timer);
2697 if (vap->iv_csa_jiffies)
2698 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DOTH,
2699 "channel switch canceled (was: ""to %3d "
2700 "(%4d MHz) in %u TBTT, mode %u)\n",
2701 vap->iv_csa_chan->ic_ieee,
2702 vap->iv_csa_chan->ic_freq,
2703 vap->iv_csa_count, vap->iv_csa_mode);
2704 vap->iv_csa_jiffies = 0;
2705 }
2706
2707 static void
2708 ieee80211_doth_switch_channel(struct ieee80211vap *vap)
2709 {
2710 struct ieee80211com *ic = vap->iv_ic;
2711
2712 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DOTH,
2713 "%s: Channel switch to %3d (%4d MHz) NOW!\n",
2714 __func__,
2715 vap->iv_csa_chan->ic_ieee,
2716 vap->iv_csa_chan->ic_freq);
2717 #if 0
2718 /* XXX does not belong here? */
2719 /* XXX doesn't stop management frames */
2720 /* XXX who restarts the queue? */
2721 /* NB: for now, error here is non-catastrophic.
2722 * in the future we may need to ensure we
2723 * stop xmit on this channel.
2724 */
2725 netif_stop_queue(ic->ic_dev);
2726 #endif
2727
2728 vap->iv_csa_jiffies = 0; /* suppress "cancel" msg */
2729 ieee80211_doth_cancel_cs(vap);
2730
2731 ic->ic_curchan = ic->ic_bsschan = vap->iv_csa_chan;
2732 ic->ic_set_channel(ic);
2733 }
2734
2735 static void
2736 ieee80211_doth_switch_channel_tmr(unsigned long arg)
2737 {
2738 struct ieee80211vap *vap = (struct ieee80211vap *)arg;
2739 ieee80211_doth_switch_channel(vap);
2740 }
2741
2742 static int
2743 ieee80211_parse_csaie(struct ieee80211_node *ni, u_int8_t *frm,
2744 const struct ieee80211_frame *wh)
2745 {
2746 struct ieee80211vap *vap = ni->ni_vap;
2747 struct ieee80211com *ic = vap->iv_ic;
2748 struct ieee80211_channel *c;
2749 struct ieee80211_ie_csa *csa_ie = (struct ieee80211_ie_csa *)frm;
2750
2751 if (!frm) {
2752 /* we had CS underway but now we got Beacon without CSA IE */
2753 /* XXX abuse? */
2754
2755 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DOTH,
2756 "%s: channel switch is scheduled, but we got "
2757 "Beacon without CSA IE!\n", __func__);
2758
2759 ieee80211_doth_cancel_cs(vap);
2760 return 0;
2761 }
2762
2763 if (csa_ie->csa_len != 3) {
2764 IEEE80211_DISCARD_IE(vap,
2765 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
2766 wh, "channel switch", "invalid length %u",
2767 csa_ie->csa_len);
2768 return -1;
2769 }
2770
2771 if (isclr(ic->ic_chan_avail, csa_ie->csa_chan)) {
2772 IEEE80211_DISCARD_IE(vap,
2773 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
2774 wh, "channel switch", "invalid channel %u",
2775 csa_ie->csa_chan);
2776 return -1;
2777 }
2778
2779 if ((c = ieee80211_doth_findchan(vap, csa_ie->csa_chan)) == NULL) {
2780 /* XXX something wrong */
2781 IEEE80211_DISCARD_IE(vap,
2782 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
2783 wh, "channel switch",
2784 "channel %u lookup failed", csa_ie->csa_chan);
2785 return -1;
2786 }
2787
2788 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DOTH,
2789 "%s: channel switch to %u in %u tbtt (mode %u) announced\n",
2790 __func__, csa_ie->csa_chan, csa_ie->csa_count,
2791 csa_ie->csa_mode);
2792
2793 if (vap->iv_csa_jiffies) {
2794 /* CSA was received recently */
2795 if (c != vap->iv_csa_chan) {
2796 /* XXX abuse? */
2797 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DOTH,
2798 "%s: channel switch channel "
2799 "changed from %3d (%4d MHz) to %u!\n",
2800 __func__,
2801 vap->iv_csa_chan->ic_ieee,
2802 vap->iv_csa_chan->ic_freq,
2803 csa_ie->csa_chan);
2804
2805 if (vap->iv_csa_count > IEEE80211_CSA_PROTECTION_PERIOD)
2806 ieee80211_doth_cancel_cs(vap);
2807 return 0;
2808 }
2809
2810 if (csa_ie->csa_mode != vap->iv_csa_mode) {
2811 /* Can be abused, but with no (to little) impact. */
2812
2813 /* CS mode change has no influence on our actions since
2814 * we don't respect cs modes at all (yet). Complain and
2815 * forget. */
2816 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DOTH,
2817 "%s: channel switch mode changed from "
2818 "%u to %u!\n", __func__,
2819 vap->iv_csa_mode, csa_ie->csa_mode);
2820 }
2821
2822 if (csa_ie->csa_count >= vap->iv_csa_count) {
2823 /* XXX abuse? what for? */
2824 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DOTH,
2825 "%s: channel switch count didn't "
2826 "decrease (%u -> %u)!\n", __func__,
2827 vap->iv_csa_count, csa_ie->csa_count);
2828 return 0;
2829 }
2830
2831 {
2832 u_int32_t elapsed = IEEE80211_JIFFIES_TO_TU(
2833 jiffies - vap->iv_csa_jiffies);
2834 u_int32_t cnt_diff = vap->iv_csa_count -
2835 csa_ie->csa_count;
2836 u_int32_t expected = ni->ni_intval * cnt_diff;
2837 int32_t delta = elapsed - expected;
2838 if (delta < 0)
2839 delta = -delta;
2840 if (delta > IEEE80211_CSA_SANITY_THRESHOLD) {
2841 /* XXX abuse? for now, it's safer to cancel CS
2842 * than to follow it blindly */
2843 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DOTH,
2844 "%s: %u.%02u bintvals elapsed, "
2845 "but count dropped by %u (delta"
2846 " = %u TUs)\n", __func__,
2847 elapsed / ni->ni_intval,
2848 elapsed * 100 / ni->ni_intval
2849 % 100, cnt_diff, delta);
2850
2851 ieee80211_doth_cancel_cs(vap);
2852 return 0;
2853 }
2854 }
2855
2856 vap->iv_csa_count = csa_ie->csa_count;
2857 mod_timer(&vap->iv_csa_timer, jiffies +
2858 IEEE80211_TU_TO_JIFFIES(vap->iv_csa_count
2859 * ni->ni_intval + 10));
2860 } else {
2861 /* CSA wasn't received recently, so this is the first one in
2862 * the sequence. */
2863
2864 #if 0
2865 /* Needed for DFS / FCC ... */
2866
2867 if (csa_ie->csa_count < IEEE80211_CSA_PROTECTION_PERIOD) {
2868 IEEE80211_DISCARD_IE(vap,
2869 IEEE80211_MSG_ELEMID |
2870 IEEE80211_MSG_DOTH,
2871 wh, "channel switch",
2872 "initial announcement: channel switch"
2873 " would occur too soon (in %u tbtt)",
2874 csa_ie->csa_count);
2875 return 0;
2876 }
2877 #endif
2878
2879 vap->iv_csa_mode = csa_ie->csa_mode;
2880 vap->iv_csa_count = csa_ie->csa_count;
2881 vap->iv_csa_chan = c;
2882
2883 vap->iv_csa_timer.function = ieee80211_doth_switch_channel_tmr;
2884 vap->iv_csa_timer.data = (unsigned long)vap;
2885 mod_timer(&vap->iv_csa_timer, jiffies + IEEE80211_TU_TO_JIFFIES(
2886 vap->iv_csa_count * ni->ni_intval + 10));
2887 }
2888
2889 vap->iv_csa_jiffies = jiffies;
2890
2891 if (vap->iv_csa_count <= 1)
2892 ieee80211_doth_switch_channel(vap);
2893
2894 return 0;
2895 }
2896
2897 /* XXX. Not the right place for such a definition */
2898 struct l2_update_frame {
2899 u8 da[ETH_ALEN]; /* broadcast */
2900 u8 sa[ETH_ALEN]; /* STA addr */
2901 __be16 len; /* 6 */
2902 u8 dsap; /* null DSAP address */
2903 u8 ssap; /* null SSAP address, CR=Response */
2904 u8 control;
2905 u8 xid_info[3];
2906 } __attribute__ ((packed));
2907
2908
2909 static void
2910 ieee80211_deliver_l2_rnr(struct ieee80211_node *ni)
2911 {
2912 struct ieee80211vap *vap = ni->ni_vap;
2913 struct net_device *dev = vap->iv_dev;
2914 struct sk_buff *skb;
2915 struct l2_update_frame *l2uf;
2916
2917 skb = ieee80211_dev_alloc_skb(sizeof(*l2uf));
2918 if (skb == NULL) {
2919 return;
2920 }
2921 skb_put(skb, sizeof(*l2uf));
2922 l2uf = (struct l2_update_frame *)(skb->data);
2923 /* dst: Broadcast address */
2924 memcpy(l2uf->da, dev->broadcast, ETH_ALEN);
2925 /* src: associated STA */
2926 memcpy(l2uf->sa, ni->ni_macaddr, ETH_ALEN);
2927 l2uf->len = htons(6);
2928 l2uf->dsap = 0;
2929 l2uf->ssap = 0;
2930 l2uf->control = 0xf5;
2931 l2uf->xid_info[0] = 0x81;
2932 l2uf->xid_info[1] = 0x80;
2933 l2uf->xid_info[2] = 0x00;
2934
2935 skb->dev = dev;
2936 /* eth_trans_type modifies skb state (skb_pull(ETH_HLEN)), so use
2937 * constants instead. We know the packet type anyway. */
2938 skb->pkt_type = PACKET_BROADCAST;
2939 skb->protocol = htons(ETH_P_802_2);
2940 skb_reset_mac_header(skb);
2941
2942 ieee80211_deliver_data(ni, skb);
2943 return;
2944 }
2945
2946 static void
2947 ieee80211_deliver_l2_xid(struct ieee80211_node *ni)
2948 {
2949 struct ieee80211vap *vap = ni->ni_vap;
2950 struct net_device *dev = vap->iv_dev;
2951 struct sk_buff *skb;
2952 struct l2_update_frame *l2uf;
2953
2954 skb = ieee80211_dev_alloc_skb(sizeof(*l2uf));
2955 if (skb == NULL) {
2956 return;
2957 }
2958 /* Leak check / cleanup destructor */
2959 skb_put(skb, sizeof(*l2uf));
2960 l2uf = (struct l2_update_frame *)(skb->data);
2961 /* dst: Broadcast address */
2962 memcpy(l2uf->da, dev->broadcast, ETH_ALEN);
2963 /* src: associated STA */
2964 memcpy(l2uf->sa, ni->ni_macaddr, ETH_ALEN);
2965 l2uf->len = htons(6);
2966 l2uf->dsap = 0x00; /* NULL DSAP address */
2967 l2uf->ssap = 0x01;/* NULL SSAP address, CR Bit: Response */
2968 l2uf->control = 0xaf; /* XID response lsb.1111F101.
2969 * F=0 (no poll command; unsolicited frame) */
2970 l2uf->xid_info[0] = 0x81; /* XID format identifier */
2971 l2uf->xid_info[1] = 1; /* LLC types/classes: Type 1 LLC */
2972 l2uf->xid_info[2] = 1 << 1; /* XID sender's receive window size (RW)
2973 * FIX: what is correct RW with 802.11? */
2974 skb->dev = dev;
2975 /* eth_trans_type modifies skb state (skb_pull(ETH_HLEN)), so use
2976 * constants instead. We know the packet type anyway. */
2977 skb->pkt_type = PACKET_BROADCAST;
2978 skb->protocol = htons(ETH_P_802_2);
2979 skb_reset_mac_header(skb);
2980
2981 ieee80211_deliver_data(ni, skb);
2982 return;
2983 }
2984
2985 static __inline int
2986 contbgscan(struct ieee80211vap *vap)
2987 {
2988 struct ieee80211com *ic = vap->iv_ic;
2989
2990 return ((ic->ic_flags_ext & IEEE80211_FEXT_BGSCAN) &&
2991 time_after(jiffies, ic->ic_lastdata + vap->iv_bgscanidle));
2992 }
2993
2994 static __inline int
2995 startbgscan(struct ieee80211vap *vap)
2996 {
2997 struct ieee80211com *ic = vap->iv_ic;
2998
2999 return ((vap->iv_flags & IEEE80211_F_BGSCAN) &&
3000 !IEEE80211_IS_CHAN_DTURBO(ic->ic_curchan) &&
3001 time_after(jiffies, ic->ic_lastscan + vap->iv_bgscanintvl) &&
3002 time_after(jiffies, ic->ic_lastdata + vap->iv_bgscanidle));
3003 }
3004
3005
3006 /*
3007 * Context: SoftIRQ
3008 */
3009 int
3010 ieee80211_recv_mgmt(struct ieee80211vap *vap,
3011 struct ieee80211_node *ni_or_null, struct sk_buff *skb,
3012 int subtype, int rssi, u_int64_t rtsf)
3013 {
3014 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP)
3015 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP)
3016 struct ieee80211_node * ni = ni_or_null;
3017 struct ieee80211com *ic = vap->iv_ic;
3018 struct ieee80211_frame *wh;
3019 u_int8_t *frm, *efrm;
3020 u_int8_t *ssid, *rates, *xrates, *suppchan, *wpa, *rsn, *wme, *ath;
3021 u_int8_t rate;
3022 int reassoc, resp, allocbs = 0;
3023 u_int8_t qosinfo;
3024
3025 if (ni_or_null == NULL)
3026 ni = vap->iv_bss;
3027
3028 wh = (struct ieee80211_frame *)skb->data;
3029 frm = (u_int8_t *)&wh[1];
3030 efrm = skb->data + skb->len;
3031
3032 IEEE80211_DPRINTF(vap, IEEE80211_MSG_ASSOC,
3033 "%s: vap:%p[" MAC_FMT "] ni:%p[" MAC_FMT "]\n",
3034 __func__, vap, MAC_ADDR(vap->iv_bssid),
3035 ni_or_null, MAC_ADDR(wh->i_addr2));
3036
3037 /* forward management frame to application */
3038 if (vap->iv_opmode != IEEE80211_M_MONITOR)
3039 forward_mgmt_to_app(vap, subtype, skb, wh);
3040
3041 switch (subtype) {
3042 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
3043 case IEEE80211_FC0_SUBTYPE_BEACON: {
3044 struct ieee80211_scanparams scan;
3045
3046 /*
3047 * We process beacon/probe response frames:
3048 * o when scanning, or
3049 * o station mode when associated (to collect state
3050 * updates such as 802.11g slot time), or
3051 * o adhoc mode (to discover neighbors)
3052 * Frames otherwise received are discarded.
3053 */
3054 if (!((ic->ic_flags & IEEE80211_F_SCAN) ||
3055 (vap->iv_opmode == IEEE80211_M_STA && ni->ni_associd) ||
3056 vap->iv_opmode == IEEE80211_M_IBSS)) {
3057 vap->iv_stats.is_rx_mgtdiscard++;
3058 return 0;
3059 }
3060 /*
3061 * beacon/probe response frame format
3062 * [8] time stamp
3063 * [2] beacon interval
3064 * [2] capability information
3065 * [tlv] ssid
3066 * [tlv] supported rates
3067 * [tlv] country information
3068 * [tlv] parameter set (FH/DS)
3069 * [tlv] erp information
3070 * [tlv] extended supported rates
3071 * [tlv] WME
3072 * [tlv] WPA or RSN
3073 * [tlv] Atheros Advanced Capabilities
3074 */
3075 IEEE80211_VERIFY_LENGTH(efrm - frm, 12);
3076 memset(&scan, 0, sizeof(scan));
3077 scan.tstamp = frm;
3078 frm += 8;
3079 scan.bintval = le16toh(*(__le16 *)frm);
3080 frm += 2;
3081 scan.capinfo = le16toh(*(__le16 *)frm);
3082 frm += 2;
3083 scan.bchan = ieee80211_chan2ieee(ic, ic->ic_curchan);
3084 scan.chan = scan.bchan;
3085
3086 while (frm < efrm) {
3087 /* Agere element in beacon */
3088 if ((*frm == IEEE80211_ELEMID_AGERE1) ||
3089 (*frm == IEEE80211_ELEMID_AGERE2)) {
3090 frm = efrm;
3091 continue;
3092 }
3093
3094 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);
3095 switch (*frm) {
3096 case IEEE80211_ELEMID_SSID:
3097 scan.ssid = frm;
3098 break;
3099 case IEEE80211_ELEMID_RATES:
3100 scan.rates = frm;
3101 break;
3102 case IEEE80211_ELEMID_COUNTRY:
3103 scan.country = frm;
3104 break;
3105 case IEEE80211_ELEMID_FHPARMS:
3106 if (ic->ic_phytype == IEEE80211_T_FH) {
3107 scan.fhdwell = LE_READ_2(&frm[2]);
3108 scan.chan = IEEE80211_FH_CHAN(frm[4],
3109 frm[5]);
3110 scan.fhindex = frm[6];
3111 }
3112 break;
3113 case IEEE80211_ELEMID_DSPARMS:
3114 /*
3115 * XXX hack this since depending on phytype
3116 * is problematic for multi-mode devices.
3117 */
3118 if (ic->ic_phytype != IEEE80211_T_FH)
3119 scan.chan = frm[2];
3120 break;
3121 case IEEE80211_ELEMID_TIM:
3122 /* XXX ATIM? */
3123 scan.tim = frm;
3124 scan.timoff = frm - skb->data;
3125 break;
3126 case IEEE80211_ELEMID_IBSSPARMS:
3127 break;
3128 case IEEE80211_ELEMID_XRATES:
3129 scan.xrates = frm;
3130 break;
3131 case IEEE80211_ELEMID_ERP:
3132 if (frm[1] != 1) {
3133 IEEE80211_DISCARD_IE(vap,
3134 IEEE80211_MSG_ELEMID, wh, "ERP",
3135 "bad len %u", frm[1]);
3136 vap->iv_stats.is_rx_elem_toobig++;
3137 break;
3138 }
3139 scan.erp = frm[2];
3140 break;
3141 case IEEE80211_ELEMID_RSN:
3142 scan.rsn = frm;
3143 break;
3144 case IEEE80211_ELEMID_VENDOR:
3145 if (iswpaoui(frm))
3146 scan.wpa = frm;
3147 else if (iswmeparam(frm) || iswmeinfo(frm))
3148 scan.wme = frm;
3149 else if (isatherosoui(frm))
3150 scan.ath = frm;
3151 break;
3152 case IEEE80211_ELEMID_CHANSWITCHANN:
3153 if (ic->ic_flags & IEEE80211_F_DOTH)
3154 scan.csa = frm;
3155 break;
3156 default:
3157 IEEE80211_DISCARD_IE(vap, IEEE80211_MSG_ELEMID,
3158 wh, "unhandled",
3159 "id %u, len %u", *frm, frm[1]);
3160 vap->iv_stats.is_rx_elem_unknown++;
3161 break;
3162 }
3163 frm += frm[1] + 2;
3164 }
3165 if (frm > efrm)
3166 return 0; /* reached past the end */
3167 IEEE80211_VERIFY_ELEMENT(scan.rates, IEEE80211_RATE_MAXSIZE);
3168 IEEE80211_VERIFY_ELEMENT(scan.ssid, IEEE80211_NWID_LEN);
3169 #if IEEE80211_CHAN_MAX < 255
3170 if (scan.chan > IEEE80211_CHAN_MAX) {
3171 IEEE80211_DISCARD(vap, IEEE80211_MSG_ELEMID,
3172 wh, ieee80211_mgt_subtype_name[subtype >>
3173 IEEE80211_FC0_SUBTYPE_SHIFT],
3174 "invalid channel %u", scan.chan);
3175 vap->iv_stats.is_rx_badchan++;
3176 return 0;
3177 }
3178 #endif
3179 if (scan.chan != scan.bchan &&
3180 ic->ic_phytype != IEEE80211_T_FH) {
3181 /*
3182 * Frame was received on a channel different from the
3183 * one indicated in the DS params element id;
3184 * silently discard it.
3185 *
3186 * NB: this can happen due to signal leakage.
3187 * But we should take it for FH PHY because
3188 * the RSSI value should be correct even for
3189 * different hop pattern in FH.
3190 */
3191 IEEE80211_DISCARD(vap, IEEE80211_MSG_ELEMID,
3192 wh, ieee80211_mgt_subtype_name[subtype >>
3193 IEEE80211_FC0_SUBTYPE_SHIFT],
3194 "for off-channel %u", scan.chan);
3195 vap->iv_stats.is_rx_chanmismatch++;
3196 return 0;
3197 }
3198
3199 /* IEEE802.11 does not specify the allowed range for
3200 * beacon interval. We discard any beacons with a
3201 * beacon interval outside of an arbitrary range in
3202 * order to protect against attack.
3203 */
3204 if (!IEEE80211_BINTVAL_VALID(scan.bintval)) {
3205 IEEE80211_DISCARD(vap, IEEE80211_MSG_SCAN,
3206 wh, "beacon", "invalid beacon interval (%u)",
3207 scan.bintval);
3208 return 0;
3209 }
3210
3211 /*
3212 * Count frame now that we know it's to be processed.
3213 */
3214 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON)
3215 IEEE80211_NODE_STAT(ni, rx_beacons);
3216 else
3217 IEEE80211_NODE_STAT(ni, rx_proberesp);
3218
3219 /*
3220 * When operating in station mode, check for state updates.
3221 * Be careful to ignore beacons received while doing a
3222 * background scan. We consider only 11g/WMM stuff right now.
3223 */
3224 if (vap->iv_opmode == IEEE80211_M_STA &&
3225 ni->ni_associd != 0 &&
3226 IEEE80211_ADDR_EQ(wh->i_addr2, vap->iv_bssid)) {
3227 /* record tsf of last beacon */
3228 memcpy(ni->ni_tstamp.data, scan.tstamp,
3229 sizeof(ni->ni_tstamp));
3230 if (ni->ni_intval != scan.bintval) {
3231 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
3232 "beacon interval divergence: "
3233 "was %u, now %u",
3234 ni->ni_intval, scan.bintval);
3235 if (!ni->ni_intval_end) {
3236 int msecs = 0; /* silence compiler */
3237 ni->ni_intval_cnt = 0;
3238 ni->ni_intval_old = ni->ni_intval;
3239 msecs = (ni->ni_intval_old * 1024 * 10) /
3240 1000;
3241 ni->ni_intval_end = jiffies +
3242 msecs_to_jiffies(msecs);
3243 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC,
3244 ni, "scheduling beacon "
3245 "interval measurement "
3246 "for %u msecs",
3247 msecs);
3248 }
3249 if (scan.bintval > ni->ni_intval) {
3250 ni->ni_intval = scan.bintval;
3251 vap->iv_flags_ext |=
3252 IEEE80211_FEXT_APPIE_UPDATE;
3253 }
3254 /* XXX: statistic */
3255 }
3256 if (ni->ni_intval_end) {
3257 if (scan.bintval == ni->ni_intval_old)
3258 ni->ni_intval_cnt++;
3259 if (!time_before(jiffies, ni->ni_intval_end)) {
3260 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC,
3261 ni, "beacon interval "
3262 "measurement finished, "
3263 "old value repeated: "
3264 "%u times",
3265 ni->ni_intval_cnt);
3266 ni->ni_intval_end = 0;
3267 if (ni->ni_intval_cnt == 0) {
3268 IEEE80211_NOTE(vap,
3269 IEEE80211_MSG_ASSOC, ni,
3270 "reprogramming bmiss "
3271 "timer from %u to %u",
3272 ni->ni_intval_old,
3273 scan.bintval);
3274 ni->ni_intval = scan.bintval;
3275 vap->iv_flags_ext |=
3276 IEEE80211_FEXT_APPIE_UPDATE;
3277 } else {
3278 IEEE80211_NOTE(vap,
3279 IEEE80211_MSG_ASSOC, ni,
3280 "ignoring the divergence "
3281 "(maybe someone tried to "
3282 "spoof the AP?)", 0);
3283 }
3284 }
3285 /* XXX statistic */
3286 }
3287 if (ni->ni_erp != scan.erp) {
3288 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
3289 "erp change: was 0x%x, now 0x%x",
3290 ni->ni_erp, scan.erp);
3291 if (scan.erp & IEEE80211_ERP_USE_PROTECTION)
3292 ic->ic_flags |= IEEE80211_F_USEPROT;
3293 else
3294 ic->ic_flags &= ~IEEE80211_F_USEPROT;
3295 ni->ni_erp = scan.erp;
3296 /* XXX statistic */
3297 }
3298 if ((ni->ni_capinfo ^ scan.capinfo) &
3299 IEEE80211_CAPINFO_SHORT_SLOTTIME) {
3300 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
3301 "capabilities change: was 0x%x, now 0x%x",
3302 ni->ni_capinfo, scan.capinfo);
3303 /*
3304 * NB: we assume short preamble doesn't
3305 * change dynamically
3306 */
3307 ieee80211_set_shortslottime(ic,
3308 IEEE80211_IS_CHAN_A(ic->ic_bsschan) ||
3309 (ni->ni_capinfo &
3310 IEEE80211_CAPINFO_SHORT_SLOTTIME));
3311 ni->ni_capinfo = scan.capinfo;
3312 /* XXX statistic */
3313 }
3314 if (scan.wme != NULL &&
3315 (ni->ni_flags & IEEE80211_NODE_QOS)) {
3316 int _retval;
3317 if ((_retval = ieee80211_parse_wmeparams(
3318 vap, scan.wme,
3319 wh, &qosinfo)) >= 0) {
3320 if (qosinfo & WME_CAPINFO_UAPSD_EN)
3321 ni->ni_flags |=
3322 IEEE80211_NODE_UAPSD;
3323 if (_retval > 0)
3324 ieee80211_wme_updateparams(vap);
3325 }
3326 } else
3327 ni->ni_flags &= ~IEEE80211_NODE_UAPSD;
3328 if (scan.ath != NULL)
3329 ieee80211_parse_athParams(ni, scan.ath);
3330 if (scan.csa != NULL || vap->iv_csa_jiffies)
3331 ieee80211_parse_csaie(ni, scan.csa, wh);
3332 if (scan.tim != NULL) {
3333 /*
3334 * Check the TIM. For now we drop out of
3335 * power save mode for any reason.
3336 */
3337 struct ieee80211_tim_ie *tim =
3338 (struct ieee80211_tim_ie *)scan.tim;
3339 int aid = IEEE80211_AID(ni->ni_associd);
3340 int ix = aid / NBBY;
3341 int min = tim->tim_bitctl &~ 1;
3342 int max = tim->tim_len + min - 4;
3343 if ((tim->tim_bitctl&1) ||
3344 (min <= ix && ix <= max &&
3345 isset(tim->tim_bitmap - min, aid)))
3346 ieee80211_sta_pwrsave(vap, 0);
3347 vap->iv_dtim_count = tim->tim_count;
3348 }
3349
3350 /* WDS/Repeater: re-schedule software beacon timer for
3351 * STA. */
3352 if ((vap->iv_state == IEEE80211_S_RUN) &&
3353 (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS)) {
3354 mod_timer(&vap->iv_swbmiss,
3355 jiffies + vap->iv_swbmiss_period);
3356 }
3357
3358 /* If scanning, pass the info to the scan module.
3359 * Otherwise, check if it's the right time to do
3360 * a background scan. Background scanning must
3361 * be enabled and we must not be operating in the
3362 * turbo phase of dynamic turbo mode. Then,
3363 * it's been a while since the last background
3364 * scan and if no data frames have come through
3365 * recently, kick off a scan. Note that this
3366 * is the mechanism by which a background scan
3367 * is started _and_ continued each time we
3368 * return on-channel to receive a beacon from
3369 * our ap. */
3370 if (ic->ic_flags & IEEE80211_F_SCAN)
3371 ieee80211_add_scan(vap, &scan, wh,
3372 subtype, rssi, rtsf);
3373 else if (contbgscan(vap) || startbgscan(vap))
3374 ieee80211_bg_scan(vap);
3375 return 0;
3376 }
3377 /*
3378 * If scanning, just pass information to the scan module.
3379 */
3380 if (ic->ic_flags & IEEE80211_F_SCAN) {
3381 ieee80211_add_scan(vap, &scan, wh, subtype, rssi, rtsf);
3382 return 0;
3383 }
3384 if ((vap->iv_opmode == IEEE80211_M_IBSS) &&
3385 (scan.capinfo & IEEE80211_CAPINFO_IBSS)) {
3386 if (ni_or_null == NULL) {
3387 /* Create a new entry in the neighbor table. */
3388 ni = ieee80211_add_neighbor(vap, wh, &scan);
3389 if (ni == NULL)
3390 return 0;
3391 } else {
3392 /*
3393 * Copy data from beacon to neighbor table.
3394 * Some of this information might change after
3395 * ieee80211_add_neighbor(), so we just copy
3396 * everything over to be safe.
3397 */
3398 ni->ni_esslen = scan.ssid[1];
3399 memcpy(ni->ni_essid, scan.ssid + 2, scan.ssid[1]);
3400 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3);
3401 memcpy(ni->ni_tstamp.data, scan.tstamp,
3402 sizeof(ni->ni_tstamp));
3403 ni->ni_intval =
3404 IEEE80211_BINTVAL_SANITISE(scan.bintval);
3405 ni->ni_capinfo = scan.capinfo;
3406 ni->ni_chan = ic->ic_curchan;
3407 ni->ni_fhdwell = scan.fhdwell;
3408 ni->ni_fhindex = scan.fhindex;
3409 ni->ni_erp = scan.erp;
3410 ni->ni_timoff = scan.timoff;
3411 if (scan.wme != NULL)
3412 ieee80211_saveie(&ni->ni_wme_ie, scan.wme);
3413 if (scan.wpa != NULL)
3414 ieee80211_saveie(&ni->ni_wpa_ie, scan.wpa);
3415 if (scan.rsn != NULL)
3416 ieee80211_saveie(&ni->ni_rsn_ie, scan.rsn);
3417 if (scan.ath != NULL)
3418 ieee80211_saveath(ni, scan.ath);
3419
3420 /* NB: must be after ni_chan is setup */
3421 ieee80211_setup_rates(ni, scan.rates,
3422 scan.xrates, IEEE80211_F_DOSORT);
3423 }
3424 if (ni != NULL) {
3425 ni->ni_rssi = rssi;
3426 ni->ni_rtsf = rtsf;
3427 ni->ni_last_rx = jiffies;
3428 }
3429 }
3430 break;
3431 }
3432
3433 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
3434 if (vap->iv_opmode == IEEE80211_M_STA ||
3435 vap->iv_opmode == IEEE80211_M_AHDEMO ||
3436 vap->iv_state != IEEE80211_S_RUN) {
3437 vap->iv_stats.is_rx_mgtdiscard++;
3438 return 0;
3439 }
3440 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
3441 /* frame must be directed */
3442 vap->iv_stats.is_rx_mgtdiscard++; /* XXX: stat */
3443 return 0;
3444 }
3445
3446 /*
3447 * XR vap does not process probe requests.
3448 */
3449 #ifdef ATH_SUPERG_XR
3450 if (vap->iv_flags & IEEE80211_F_XR)
3451 return 0;
3452 #endif
3453 /*
3454 * prreq frame format
3455 * [tlv] ssid
3456 * [tlv] supported rates
3457 * [tlv] extended supported rates
3458 * [tlv] Atheros Advanced Capabilities
3459 */
3460 ssid = rates = xrates = ath = NULL;
3461 while (frm < efrm) {
3462 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);
3463 switch (*frm) {
3464 case IEEE80211_ELEMID_SSID:
3465 ssid = frm;
3466 break;
3467 case IEEE80211_ELEMID_RATES:
3468 rates = frm;
3469 break;
3470 case IEEE80211_ELEMID_XRATES:
3471 xrates = frm;
3472 break;
3473 case IEEE80211_ELEMID_VENDOR:
3474 if (isatherosoui(frm))
3475 ath = frm;
3476 /* XXX Atheros OUI support */
3477 break;
3478 }
3479 frm += frm[1] + 2;
3480 }
3481 if (frm > efrm)
3482 return 0; /* reached past the end */
3483 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
3484 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
3485 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid);
3486 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
3487 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
3488 wh, ieee80211_mgt_subtype_name[subtype >>
3489 IEEE80211_FC0_SUBTYPE_SHIFT],
3490 "%s", "no ssid with ssid suppression enabled");
3491 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
3492 return 0;
3493 }
3494 if (ni == vap->iv_bss) {
3495 if (vap->iv_opmode == IEEE80211_M_IBSS) {
3496 /*
3497 * XXX Cannot tell if the sender is operating
3498 * in ibss mode. But we need a new node to
3499 * send the response so blindly add them to the
3500 * neighbor table.
3501 */
3502 ni = ieee80211_fakeup_adhoc_node(vap,
3503 wh->i_addr2);
3504 } else {
3505 ni = ieee80211_dup_bss(vap, wh->i_addr2, 1);
3506 }
3507 if (ni == NULL)
3508 return 0;
3509 allocbs = 1;
3510 }
3511
3512 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
3513 "%s", "recv probe req");
3514 ni->ni_rssi = rssi;
3515 ni->ni_rtsf = rtsf;
3516 ni->ni_last_rx = jiffies;
3517 rate = ieee80211_setup_rates(ni, rates, xrates,
3518 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
3519 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
3520 if (rate & IEEE80211_RATE_BASIC) {
3521 IEEE80211_DISCARD(vap, IEEE80211_MSG_XRATE,
3522 wh, ieee80211_mgt_subtype_name[subtype >>
3523 IEEE80211_FC0_SUBTYPE_SHIFT],
3524 "%s", "recv'd rate set invalid");
3525 } else {
3526 IEEE80211_SEND_MGMT(ni,
3527 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0);
3528 }
3529 if (allocbs) {
3530 /*
3531 * Temporary node created just to send a
3532 * response, reclaim immediately
3533 */
3534 ieee80211_unref_node(&ni);
3535 } else if (ath != NULL)
3536 ieee80211_saveath(ni, ath);
3537 break;
3538
3539 case IEEE80211_FC0_SUBTYPE_AUTH: {
3540 u_int16_t algo, seq, status;
3541 /*
3542 * auth frame format
3543 * [2] algorithm
3544 * [2] sequence
3545 * [2] status
3546 * [tlv*] challenge
3547 */
3548 IEEE80211_VERIFY_LENGTH(efrm - frm, 6);
3549 algo = le16toh(*(__le16 *)frm);
3550 seq = le16toh(*(__le16 *)(frm + 2));
3551 status = le16toh(*(__le16 *)(frm + 4));
3552 #ifdef ATH_SUPERG_XR
3553 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bssid)) {
3554 /*
3555 * node roaming between XR and normal vaps.
3556 * this can only happen in AP mode. disaccociate from
3557 * previous vap first.
3558 */
3559 if (vap->iv_xrvap) {
3560 if (ni == vap->iv_bss)
3561 ni = vap->iv_xrvap->iv_bss;
3562 else {
3563 ieee80211_node_leave(ni);
3564 /* This would be a stupid place to add
3565 * a node to the table; XR stuff needs
3566 * work anyway. */
3567 ieee80211_node_reset(ni, vap->iv_xrvap);
3568 }
3569 vap = vap->iv_xrvap;
3570 } else {
3571 IEEE80211_DISCARD(vap, IEEE80211_MSG_AUTH,
3572 wh, "auth", "%s", "not to pier xr bssid");
3573 return 0;
3574 }
3575 }
3576 #endif
3577 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
3578 "recv auth frame with algorithm %d seq %d", algo, seq);
3579 /* Consult the ACL policy module if setup. */
3580 if (vap->iv_acl != NULL &&
3581 !vap->iv_acl->iac_check(vap, wh->i_addr2)) {
3582 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
3583 wh, "auth", "%s", "disallowed by ACL");
3584 vap->iv_stats.is_rx_acl++;
3585 return 0;
3586 }
3587 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
3588 IEEE80211_DISCARD(vap,
3589 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
3590 wh, "auth", "%s", "TKIP countermeasures enabled");
3591 vap->iv_stats.is_rx_auth_countermeasures++;
3592 if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
3593 ieee80211_send_error(ni, wh->i_addr2,
3594 IEEE80211_FC0_SUBTYPE_AUTH,
3595 IEEE80211_REASON_MIC_FAILURE);
3596 }
3597 return 0;
3598 }
3599 if (algo == IEEE80211_AUTH_ALG_SHARED)
3600 ieee80211_auth_shared(ni, wh, frm + 6, efrm, rssi,
3601 rtsf, seq, status);
3602 else if (algo == IEEE80211_AUTH_ALG_OPEN)
3603 ieee80211_auth_open(ni, wh, rssi, rtsf, seq, status);
3604 else {
3605 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
3606 wh, "auth", "unsupported alg %d", algo);
3607 vap->iv_stats.is_rx_auth_unsupported++;
3608 if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
3609 /* XXX not right */
3610 ieee80211_send_error(ni, wh->i_addr2,
3611 IEEE80211_FC0_SUBTYPE_AUTH,
3612 (seq + 1) |
3613 (IEEE80211_STATUS_ALG << 16));
3614 }
3615 return 0;
3616 }
3617 break;
3618 }
3619
3620 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
3621 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
3622 u_int16_t capinfo, bintval;
3623 struct ieee80211_rsnparms rsn_parm;
3624 u_int8_t reason;
3625
3626 if (vap->iv_opmode != IEEE80211_M_HOSTAP ||
3627 vap->iv_state != IEEE80211_S_RUN) {
3628 vap->iv_stats.is_rx_mgtdiscard++;
3629 return 0;
3630 }
3631
3632 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
3633 reassoc = 1;
3634 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
3635 } else {
3636 reassoc = 0;
3637 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
3638 }
3639
3640 /*
3641 * asreq frame format
3642 * [2] capability information
3643 * [2] listen interval
3644 * [6*] current AP address (reassoc only)
3645 * [tlv] ssid
3646 * [tlv] supported rates
3647 * [tlv] extended supported rates
3648 * [tlv] supported channels
3649 * [tlv] wpa or RSN
3650 * [tlv] WME
3651 * [tlv] Atheros Advanced Capabilities
3652 */
3653 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4));
3654 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bssid)) {
3655 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
3656 wh, ieee80211_mgt_subtype_name[subtype >>
3657 IEEE80211_FC0_SUBTYPE_SHIFT],
3658 "%s", "wrong bssid");
3659 vap->iv_stats.is_rx_assoc_bss++;
3660 return 0;
3661 }
3662 capinfo = le16toh(*(__le16 *)frm);
3663 frm += 2;
3664 bintval = le16toh(*(__le16 *)frm);
3665 frm += 2;
3666 if (reassoc)
3667 frm += 6; /* ignore current AP info */
3668 ssid = rates = xrates = suppchan = wpa = rsn = wme = ath = NULL;
3669 while (frm < efrm) {
3670 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);
3671 switch (*frm) {
3672 case IEEE80211_ELEMID_SSID:
3673 ssid = frm;
3674 break;
3675 case IEEE80211_ELEMID_RATES:
3676 rates = frm;
3677 break;
3678 case IEEE80211_ELEMID_XRATES:
3679 xrates = frm;
3680 break;
3681 /* XXX verify only one of RSN and WPA IEs? */
3682 case IEEE80211_ELEMID_RSN:
3683 if (vap->iv_flags & IEEE80211_F_WPA2)
3684 rsn = frm;
3685 else
3686 IEEE80211_DPRINTF(vap,
3687 IEEE80211_MSG_ASSOC |
3688 IEEE80211_MSG_WPA,
3689 "[" MAC_FMT "] ignoring RSN IE "
3690 "in association request\n",
3691 MAC_ADDR(wh->i_addr2));
3692 break;
3693 case IEEE80211_ELEMID_VENDOR:
3694 /* NB: Provide all IEs for wpa_supplicant, so
3695 * it can handle downgrade attacks, etc. */
3696 if (iswpaoui(frm) && !wpa) {
3697 if (vap->iv_flags & IEEE80211_F_WPA1)
3698 wpa = frm;
3699 else
3700 IEEE80211_DPRINTF(vap,
3701 IEEE80211_MSG_ASSOC |
3702 IEEE80211_MSG_WPA,
3703 "[" MAC_FMT "] "
3704 "ignoring WPA IE in "
3705 "association request\n",
3706 MAC_ADDR(wh->i_addr2));
3707 } else if (iswmeinfo(frm))
3708 wme = frm;
3709 else if (isatherosoui(frm))
3710 ath = frm;
3711 break;
3712 }
3713 frm += frm[1] + 2;
3714 }
3715 if (frm > efrm)
3716 return 0; /* reached past the end */
3717
3718 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
3719 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
3720 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid);
3721
3722 if (ni == vap->iv_bss) {
3723 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
3724 "deny %s request, sta not authenticated",
3725 reassoc ? "reassoc" : "assoc");
3726 ieee80211_send_error(ni, wh->i_addr2,
3727 IEEE80211_FC0_SUBTYPE_DEAUTH,
3728 IEEE80211_REASON_ASSOC_NOT_AUTHED);
3729 vap->iv_stats.is_rx_assoc_notauth++;
3730 return 0;
3731 }
3732
3733 if (ni->ni_needed_chans != NULL) {
3734 FREE(ni->ni_needed_chans, M_DEVBUF);
3735 ni->ni_needed_chans = NULL;
3736 }
3737
3738 if (ic->ic_flags & IEEE80211_F_DOTH) {
3739 u_int8_t status;
3740 status = ieee80211_parse_sc_ie(ni, suppchan, wh);
3741 if (status != IEEE80211_STATUS_SUCCESS) {
3742 /* ieee80211_parse_sc_ie already printed dbg msg */
3743 IEEE80211_SEND_MGMT(ni, resp, status);
3744 ieee80211_node_leave(ni); /* XXX */
3745 vap->iv_stats.is_rx_assoc_badscie++; /* XXX */
3746 return 0;
3747 }
3748 }
3749
3750 /* Assert right associstion security credentials */
3751 /* XXX Divy. Incomplete */
3752 if (wpa == NULL && (ic->ic_flags & IEEE80211_F_WPA)) {
3753 IEEE80211_DPRINTF(vap,
3754 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
3755 "[" MAC_FMT "] no WPA/RSN IE in association request\n",
3756 MAC_ADDR(wh->i_addr2));
3757 IEEE80211_SEND_MGMT(ni,
3758 IEEE80211_FC0_SUBTYPE_DEAUTH,
3759 IEEE80211_REASON_RSN_REQUIRED);
3760 ieee80211_node_leave(ni);
3761 /* XXX distinguish WPA/RSN? */
3762 vap->iv_stats.is_rx_assoc_badwpaie++;
3763 return 0;
3764 }
3765
3766 if (rsn != NULL) {
3767 /* Initialise values to node defaults, which are then
3768 * overwritten by values in the IE. These are
3769 * installed once association is complete. */
3770 rsn_parm = ni->ni_rsn;
3771 if (rsn[0] != IEEE80211_ELEMID_RSN)
3772 reason = ieee80211_parse_wpa(vap, rsn, &rsn_parm, wh);
3773 else
3774 reason = ieee80211_parse_rsn(vap, rsn, &rsn_parm, wh);
3775 if (reason != 0) {
3776 IEEE80211_SEND_MGMT(ni,
3777 IEEE80211_FC0_SUBTYPE_DEAUTH, reason);
3778 ieee80211_node_leave(ni);
3779 /* XXX distinguish WPA/RSN? */
3780 vap->iv_stats.is_rx_assoc_badwpaie++;
3781 return 0;
3782 }
3783 IEEE80211_NOTE_MAC(vap,
3784 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
3785 wh->i_addr2,
3786 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
3787 rsn[0] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN",
3788 rsn_parm.rsn_mcastcipher, rsn_parm.rsn_mcastkeylen,
3789 rsn_parm.rsn_ucastcipher, rsn_parm.rsn_ucastkeylen,
3790 rsn_parm.rsn_keymgmt, rsn_parm.rsn_caps);
3791 }
3792 /* discard challenge after association */
3793 if (ni->ni_challenge != NULL) {
3794 FREE(ni->ni_challenge, M_DEVBUF);
3795 ni->ni_challenge = NULL;
3796 }
3797 /* 802.11 spec. says to ignore station's privacy bit */
3798 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
3799 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
3800 "deny %s request, capability mismatch 0x%x",
3801 reassoc ? "reassoc" : "assoc", capinfo);
3802 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
3803 ieee80211_node_leave(ni);
3804 vap->iv_stats.is_rx_assoc_capmismatch++;
3805 return 0;
3806 }
3807 rate = ieee80211_setup_rates(ni, rates, xrates,
3808 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
3809 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
3810 /*
3811 * If constrained to 11g-only stations reject an
3812 * 11b-only station. We cheat a bit here by looking
3813 * at the max negotiated xmit rate and assuming anyone
3814 * with a best rate <24Mb/s is an 11b station.
3815 */
3816 if ((rate & IEEE80211_RATE_BASIC) ||
3817 ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48)) {
3818 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
3819 "deny %s request, rate set mismatch",
3820 reassoc ? "reassoc" : "assoc");
3821 IEEE80211_SEND_MGMT(ni, resp,
3822 IEEE80211_STATUS_BASIC_RATE);
3823 ieee80211_node_leave(ni);
3824 vap->iv_stats.is_rx_assoc_norate++;
3825 return 0;
3826 }
3827
3828 if (ni->ni_associd != 0 &&
3829 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan)) {
3830 if ((ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)
3831 != (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
3832 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY,
3833 wh->i_addr2,
3834 "deny %s request, short slot time "
3835 "capability mismatch 0x%x",
3836 reassoc ? "reassoc" : "assoc", capinfo);
3837 IEEE80211_SEND_MGMT(ni, resp,
3838 IEEE80211_STATUS_CAPINFO);
3839 ieee80211_node_leave(ni);
3840 vap->iv_stats.is_rx_assoc_capmismatch++;
3841 return 0;
3842 }
3843 }
3844
3845 ni->ni_rssi = rssi;
3846 ni->ni_rtsf = rtsf;
3847 ni->ni_last_rx = jiffies;
3848 ni->ni_intval = IEEE80211_BINTVAL_SANITISE(bintval);
3849 ni->ni_capinfo = capinfo;
3850 ni->ni_chan = ic->ic_curchan;
3851 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
3852 ni->ni_fhindex = vap->iv_bss->ni_fhindex;
3853
3854 /* WPA */
3855 ieee80211_saveie(&ni->ni_wpa_ie, wpa);
3856 /* RSN */
3857 ni->ni_rsn = rsn_parm;
3858 ieee80211_saveie(&ni->ni_rsn_ie, rsn);
3859 /* WME - including QoS flag */
3860 ieee80211_saveie(&ni->ni_wme_ie, wme);
3861 ni->ni_flags &= ~IEEE80211_NODE_QOS;
3862 if ((wme != NULL) && (ieee80211_parse_wmeie(wme, wh, ni) > 0))
3863 ni->ni_flags |= IEEE80211_NODE_QOS;
3864
3865 ieee80211_saveath(ni, ath);
3866
3867 /* Send Receiver Not Ready (RNR) followed by XID for newly
3868 * associated stations. */
3869 ieee80211_deliver_l2_rnr(ni);
3870 ieee80211_deliver_l2_xid(ni);
3871 ieee80211_node_join(ni, resp);
3872 #ifdef ATH_SUPERG_XR
3873 if (ni->ni_prev_vap &&
3874 ni->ni_vap != ni->ni_prev_vap &&
3875 ni->ni_vap->iv_ath_cap & IEEE80211_ATHC_XR) {
3876 /*
3877 * node moved between XR and normal vap.
3878 * move the data between XR and normal vap.
3879 */
3880 ic->ic_node_move_data(ni);
3881 ni->ni_prev_vap = ni->ni_vap;
3882 }
3883 #endif
3884 break;
3885 }
3886
3887 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
3888 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: {
3889 u_int16_t capinfo, associd;
3890 u_int16_t status;
3891
3892 if (vap->iv_opmode != IEEE80211_M_STA ||
3893 vap->iv_state != IEEE80211_S_ASSOC) {
3894 vap->iv_stats.is_rx_mgtdiscard++;
3895 return 0;
3896 }
3897
3898 /*
3899 * asresp frame format
3900 * [2] capability information
3901 * [2] status
3902 * [2] association ID
3903 * [tlv] supported rates
3904 * [tlv] extended supported rates
3905 * [tlv] WME
3906 */
3907 IEEE80211_VERIFY_LENGTH(efrm - frm, 6);
3908 ni = vap->iv_bss;
3909 capinfo = le16toh(*(__le16 *)frm);
3910 frm += 2;
3911 status = le16toh(*(__le16 *)frm);
3912 frm += 2;
3913 if (status != 0) {
3914 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
3915 wh->i_addr2,
3916 "%sassoc failed (reason %d)",
3917 ISREASSOC(subtype) ? "re" : "", status);
3918 vap->iv_stats.is_rx_auth_fail++; /* XXX */
3919 ieee80211_new_state(vap, IEEE80211_S_SCAN,
3920 IEEE80211_SCAN_FAIL_STATUS);
3921 return 0;
3922 }
3923 associd = le16toh(*(__le16 *)frm);
3924 frm += 2;
3925
3926 rates = xrates = wme = NULL;
3927 while (frm < efrm) {
3928 /*
3929 * Do not discard frames containing proprietary Agere
3930 * elements 128 and 129, as the reported element length
3931 * is often wrong. Skip rest of the frame, since we can
3932 * not rely on the given element length making it impossible
3933 * to know where the next element starts.
3934 */
3935 if ((*frm == IEEE80211_ELEMID_AGERE1) ||
3936 (*frm == IEEE80211_ELEMID_AGERE2)) {
3937 frm = efrm;
3938 continue;
3939 }
3940
3941 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);
3942 switch (*frm) {
3943 case IEEE80211_ELEMID_RATES:
3944 rates = frm;
3945 break;
3946 case IEEE80211_ELEMID_XRATES:
3947 xrates = frm;
3948 break;
3949 case IEEE80211_ELEMID_VENDOR:
3950 if (iswmeoui(frm))
3951 wme = frm;
3952 break;
3953 }
3954 frm += frm[1] + 2;
3955 }
3956 if (frm > efrm)
3957 return 0; /* reached past the end */
3958 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
3959 rate = ieee80211_setup_rates(ni, rates, xrates,
3960 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
3961 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
3962 if (rate & IEEE80211_RATE_BASIC) {
3963 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
3964 wh->i_addr2,
3965 "%sassoc failed (rate set mismatch)",
3966 ISREASSOC(subtype) ? "re" : "");
3967 vap->iv_stats.is_rx_assoc_norate++;
3968 ieee80211_new_state(vap, IEEE80211_S_SCAN,
3969 IEEE80211_SCAN_FAIL_STATUS);
3970 return 0;
3971 }
3972
3973 ni->ni_capinfo = capinfo;
3974 ni->ni_associd = associd;
3975 if (wme != NULL &&
3976 ieee80211_parse_wmeparams(vap, wme, wh, &qosinfo) >= 0) {
3977 ni->ni_flags |= IEEE80211_NODE_QOS;
3978 ieee80211_wme_updateparams(vap);
3979 } else
3980 ni->ni_flags &= ~IEEE80211_NODE_QOS;
3981 /*
3982 * Configure state now that we are associated.
3983 *
3984 * XXX may need different/additional driver callbacks?
3985 */
3986 if (IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
3987 ((ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE) &&
3988 (ic->ic_caps & IEEE80211_C_SHPREAMBLE))) {
3989 ic->ic_flags |= IEEE80211_F_SHPREAMBLE;
3990 ic->ic_flags &= ~IEEE80211_F_USEBARKER;
3991 } else {
3992 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE;
3993 ic->ic_flags |= IEEE80211_F_USEBARKER;
3994 }
3995 ieee80211_set_shortslottime(ic,
3996 IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
3997 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
3998 /*
3999 * Honor ERP protection.
4000 *
4001 * NB: ni_erp should zero for non-11g operation
4002 * but we check the channel characteristics
4003 * just in case.
4004 */
4005 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
4006 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
4007 ic->ic_flags |= IEEE80211_F_USEPROT;
4008 else
4009 ic->ic_flags &= ~IEEE80211_F_USEPROT;
4010 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC, wh->i_addr2,
4011 "%sassoc success: %s preamble, %s slot time%s%s%s%s%s%s%s",
4012 ISREASSOC(subtype) ? "re" : "",
4013 (ic->ic_flags&IEEE80211_F_SHPREAMBLE) &&
4014 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE) ? "short" : "long",
4015 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long",
4016 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "",
4017 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "",
4018 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_TURBOP) ?
4019 ", turbo" : "",
4020 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_COMP) ?
4021 ", compression" : "",
4022 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF) ?
4023 ", fast-frames" : "",
4024 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_XR) ?
4025 ", XR" : "",
4026 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_AR) ?
4027 ", AR" : ""
4028 );
4029 ieee80211_new_state(vap, IEEE80211_S_RUN, subtype);
4030 break;
4031 }
4032
4033 case IEEE80211_FC0_SUBTYPE_DEAUTH: {
4034 u_int16_t reason;
4035
4036 if (vap->iv_state == IEEE80211_S_SCAN) {
4037 vap->iv_stats.is_rx_mgtdiscard++;
4038 return 0;
4039 }
4040 /*
4041 * deauth frame format
4042 * [2] reason
4043 */
4044 IEEE80211_VERIFY_LENGTH(efrm - frm, 2);
4045 reason = le16toh(*(__le16 *)frm);
4046 vap->iv_stats.is_rx_deauth++;
4047 IEEE80211_NODE_STAT(ni, rx_deauth);
4048
4049 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
4050 "recv deauthenticate (reason %d)", reason);
4051 switch (vap->iv_opmode) {
4052 case IEEE80211_M_STA:
4053 ieee80211_new_state(vap, IEEE80211_S_AUTH,
4054 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
4055 break;
4056 case IEEE80211_M_HOSTAP:
4057 if (ni != vap->iv_bss)
4058 ieee80211_node_leave(ni);
4059 break;
4060 default:
4061 vap->iv_stats.is_rx_mgtdiscard++;
4062 break;
4063 }
4064 break;
4065 }
4066
4067 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
4068 u_int16_t reason;
4069
4070 if (vap->iv_state != IEEE80211_S_RUN &&
4071 vap->iv_state != IEEE80211_S_ASSOC &&
4072 vap->iv_state != IEEE80211_S_AUTH) {
4073 vap->iv_stats.is_rx_mgtdiscard++;
4074 return 0;
4075 }
4076 /*
4077 * disassoc frame format
4078 * [2] reason
4079 */
4080 IEEE80211_VERIFY_LENGTH(efrm - frm, 2);
4081 reason = le16toh(*(__le16 *)frm);
4082 vap->iv_stats.is_rx_disassoc++;
4083 IEEE80211_NODE_STAT(ni, rx_disassoc);
4084
4085 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
4086 "recv disassociate (reason %d)", reason);
4087 switch (vap->iv_opmode) {
4088 case IEEE80211_M_STA:
4089 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
4090 break;
4091 case IEEE80211_M_HOSTAP:
4092 if (ni != vap->iv_bss)
4093 ieee80211_node_leave(ni);
4094 break;
4095 default:
4096 vap->iv_stats.is_rx_mgtdiscard++;
4097 break;
4098 }
4099 break;
4100 }
4101 default:
4102 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
4103 wh, "mgt", "subtype 0x%x not handled", subtype);
4104 vap->iv_stats.is_rx_badsubtype++;
4105 break;
4106 }
4107 #undef ISREASSOC
4108 #undef ISPROBE
4109 return 1;
4110 }
4111 #undef IEEE80211_VERIFY_LENGTH
4112 #undef IEEE80211_VERIFY_ELEMENT
4113
4114 /*
4115 * Process a received ps-poll frame.
4116 */
4117 static void
4118 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct sk_buff *skb0)
4119 {
4120 struct ieee80211vap *vap = ni->ni_vap;
4121 struct ieee80211_frame_min *wh;
4122 struct sk_buff *skb;
4123 u_int16_t aid;
4124 int qlen;
4125
4126 wh = (struct ieee80211_frame_min *)skb0->data;
4127 if (ni->ni_associd == 0) {
4128 IEEE80211_DISCARD(vap,
4129 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
4130 (struct ieee80211_frame *)wh, "ps-poll",
4131 "%s", "unassociated station");
4132 vap->iv_stats.is_ps_unassoc++;
4133 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
4134 IEEE80211_REASON_NOT_ASSOCED);
4135 return;
4136 }
4137
4138 aid = le16toh(wh->i_dur);
4139 if (aid != ni->ni_associd) {
4140 IEEE80211_DISCARD(vap,
4141 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
4142 (struct ieee80211_frame *)wh, "ps-poll",
4143 "aid mismatch: sta aid 0x%x poll aid 0x%x",
4144 ni->ni_associd, aid);
4145 vap->iv_stats.is_ps_badaid++;
4146 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
4147 IEEE80211_REASON_NOT_ASSOCED);
4148 return;
4149 }
4150
4151 /* Okay, take the first queued packet and put it out... */
4152 IEEE80211_NODE_SAVEQ_LOCK_IRQ(ni);
4153 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, skb, qlen);
4154 IEEE80211_NODE_SAVEQ_UNLOCK_IRQ(ni);
4155 if (skb == NULL) {
4156 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
4157 "%s", "recv ps-poll, but queue empty");
4158 ieee80211_send_nulldata(ieee80211_ref_node(ni));
4159 vap->iv_stats.is_ps_qempty++; /* XXX node stat */
4160 if (vap->iv_set_tim != NULL)
4161 vap->iv_set_tim(ni, 0); /* just in case */
4162 return;
4163 }
4164 /*
4165 * If there are more packets, set the more packets bit
4166 * in the packet dispatched to the station; otherwise
4167 * turn off the TIM bit.
4168 */
4169 if (qlen != 0) {
4170 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
4171 "recv ps-poll, send packet, %u still queued", qlen);
4172 /*
4173 * NB: More-data bit will be set during encap.
4174 */
4175 } else {
4176 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
4177 "%s", "recv ps-poll, send packet, queue empty");
4178 if (vap->iv_set_tim != NULL)
4179 vap->iv_set_tim(ni, 0);
4180 }
4181 M_PWR_SAV_SET(skb); /* ensure MORE_DATA bit is set correctly */
4182
4183 ieee80211_parent_queue_xmit(skb); /* Submit to parent device, including updating stats */
4184 }
4185
4186 #ifdef ATH_SUPERG_FF
4187 static int
4188 athff_decap(struct sk_buff *skb)
4189 {
4190 struct ether_header eh_src, *eh_dst;
4191 struct llc *llc;
4192
4193 if (skb->len < (sizeof(struct ether_header) + LLC_SNAPFRAMELEN))
4194 return -1;
4195
4196 memcpy(&eh_src, skb->data, sizeof(struct ether_header));
4197 llc = (struct llc *)skb_pull(skb, sizeof(struct ether_header));
4198 eh_src.ether_type = llc->llc_un.type_snap.ether_type;
4199 skb_pull(skb, LLC_SNAPFRAMELEN);
4200
4201 eh_dst = (struct ether_header *)skb_push(skb, sizeof(struct ether_header));
4202 memcpy(eh_dst, &eh_src, sizeof(struct ether_header));
4203
4204 return 0;
4205 }
4206 #endif
4207
4208 #ifdef USE_HEADERLEN_RESV
4209 /*
4210 * The kernel version of this function alters the skb in a manner
4211 * inconsistent with dev->hard_header_len header reservation. This
4212 * is a rewrite of the portion of eth_type_trans() that we need.
4213 */
4214 static __be16
4215 ath_eth_type_trans(struct sk_buff *skb, struct net_device *dev)
4216 {
4217 struct ethhdr *eth;
4218
4219 skb_reset_mac_header(skb);
4220 skb_pull(skb, ETH_HLEN);
4221 eth = (struct ethhdr *)skb_mac_header(skb);
4222
4223 if (*eth->h_dest & 1)
4224 if (memcmp(eth->h_dest, dev->broadcast, ETH_ALEN) == 0)
4225 skb->pkt_type = PACKET_BROADCAST;
4226 else
4227 skb->pkt_type = PACKET_MULTICAST;
4228 else
4229 if (memcmp(eth->h_dest, dev->dev_addr, ETH_ALEN))
4230 skb->pkt_type = PACKET_OTHERHOST;
4231
4232 return eth->h_proto;
4233 }
4234 #endif
4235
4236 /* Re-process a frame w/ HW detected MIC failure, as it may be a false
4237 * negative. The frame will be dropped in any case. */
4238 void
4239 ieee80211_check_mic(struct ieee80211_node *ni, struct sk_buff *skb)
4240 {
4241 struct ieee80211vap *vap = ni->ni_vap;
4242 struct ieee80211_frame *wh;
4243 struct ieee80211_key *key;
4244 int hdrlen;
4245
4246 if (skb->len < sizeof(struct ieee80211_frame_min)) {
4247 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
4248 ni->ni_macaddr, NULL,
4249 "too short (1): len %u", skb->len);
4250 vap->iv_stats.is_rx_tooshort++;
4251 return;
4252 }
4253
4254 wh = (struct ieee80211_frame *)skb->data;
4255 hdrlen = ieee80211_hdrsize(wh);
4256
4257 key = ieee80211_crypto_decap(ni, skb, hdrlen);
4258 if (key == NULL) {
4259 /* NB: stats+msgs handled in crypto_decap */
4260 IEEE80211_NODE_STAT(ni, rx_wepfail);
4261 } else if (!ieee80211_crypto_demic(vap, key, skb, hdrlen, 1)) {
4262 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
4263 ni->ni_macaddr, "data", "%s", "demic error");
4264 IEEE80211_NODE_STAT(ni, rx_demicfail);
4265 } else
4266 IEEE80211_NODE_STAT(ni, rx_hwdemicerr);
4267
4268 return;
4269 }
4270 EXPORT_SYMBOL(ieee80211_check_mic);
4271
4272 #ifdef IEEE80211_DEBUG
4273 /*
4274 * Debugging support.
4275 */
4276
4277 /*
4278 * Return the bssid of a frame.
4279 */
4280 static const u_int8_t *
4281 ieee80211_getbssid(struct ieee80211vap *vap, const struct ieee80211_frame *wh)
4282 {
4283 if (vap->iv_opmode == IEEE80211_M_STA)
4284 return wh->i_addr2;
4285 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS)
4286 return wh->i_addr1;
4287 if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL)
4288 return wh->i_addr1;
4289 return wh->i_addr3;
4290 }
4291
4292 void
4293 ieee80211_note(struct ieee80211vap *vap, const char *fmt, ...)
4294 {
4295 char buf[BUF_LEN];
4296 va_list ap;
4297
4298 va_start(ap, fmt);
4299 vsnprintf(buf, sizeof(buf), fmt, ap);
4300 va_end(ap);
4301
4302 printk(KERN_DEBUG "%s/%s[" MAC_FMT "]: %s",
4303 vap->iv_ic->ic_dev->name, vap->iv_dev->name,
4304 MAC_ADDR(vap->iv_myaddr),
4305 buf); /* NB: no \n */
4306 }
4307 EXPORT_SYMBOL(ieee80211_note);
4308
4309 void
4310 ieee80211_note_frame(struct ieee80211vap *vap, const struct ieee80211_frame *wh,
4311 const char *fmt, ...)
4312 {
4313 char buf[BUF_LEN];
4314 va_list ap;
4315
4316 va_start(ap, fmt);
4317 vsnprintf(buf, sizeof(buf), fmt, ap);
4318 va_end(ap);
4319 printk(KERN_DEBUG "%s/%s[" MAC_FMT "]: " MAC_FMT " %s\n",
4320 vap->iv_ic->ic_dev->name, vap->iv_dev->name,
4321 MAC_ADDR(vap->iv_myaddr),
4322 MAC_ADDR(ieee80211_getbssid(vap, wh)), buf);
4323 }
4324 EXPORT_SYMBOL(ieee80211_note_frame);
4325
4326 void
4327 ieee80211_note_mac(struct ieee80211vap *vap, const u_int8_t mac[IEEE80211_ADDR_LEN],
4328 const char *fmt, ...)
4329 {
4330 char buf[BUF_LEN];
4331 va_list ap;
4332
4333 va_start(ap, fmt);
4334 vsnprintf(buf, sizeof(buf), fmt, ap);
4335 va_end(ap);
4336 printk(KERN_DEBUG "%s/%s[" MAC_FMT "]: " MAC_FMT " %s\n",
4337 vap->iv_ic->ic_dev->name, vap->iv_dev->name,
4338 MAC_ADDR(vap->iv_myaddr),
4339 MAC_ADDR(mac), buf);
4340 }
4341 EXPORT_SYMBOL(ieee80211_note_mac);
4342
4343 static void
4344 ieee80211_discard_frame(struct ieee80211vap *vap, const struct ieee80211_frame *wh,
4345 const char *type, const char *fmt, ...)
4346 {
4347 char buf[BUF_LEN];
4348 va_list ap;
4349
4350 va_start(ap, fmt);
4351 vsnprintf(buf, sizeof(buf), fmt, ap);
4352 va_end(ap);
4353 printk(KERN_DEBUG "%s/%s[" MAC_FMT "]: " MAC_FMT " discard %s%sframe, %s\n",
4354 vap->iv_ic->ic_dev->name, vap->iv_dev->name,
4355 MAC_ADDR(vap->iv_myaddr),
4356 MAC_ADDR(wh->i_addr2),
4357 (type != NULL) ? type : "",
4358 (type != NULL) ? " " : "",
4359 buf);
4360 }
4361
4362 static void
4363 ieee80211_discard_ie(struct ieee80211vap *vap, const struct ieee80211_frame *wh,
4364 const char *type, const char *fmt, ...)
4365 {
4366 char buf[BUF_LEN];
4367 va_list ap;
4368
4369 va_start(ap, fmt);
4370 vsnprintf(buf, sizeof(buf), fmt, ap);
4371 va_end(ap);
4372 printk(KERN_DEBUG "%s/%s[" MAC_FMT "]: "
4373 MAC_FMT " discard %s%sinformation element, %s\n",
4374 vap->iv_ic->ic_dev->name, vap->iv_dev->name,
4375 MAC_ADDR(vap->iv_myaddr),
4376 MAC_ADDR(ieee80211_getbssid(vap, wh)),
4377 (type != NULL) ? type : "",
4378 (type != NULL) ? " " : "",
4379 buf);
4380 }
4381
4382 static void
4383 ieee80211_discard_mac(struct ieee80211vap *vap, const u_int8_t mac[IEEE80211_ADDR_LEN],
4384 const char *type, const char *fmt, ...)
4385 {
4386 char buf[BUF_LEN];
4387 va_list ap;
4388
4389 va_start(ap, fmt);
4390 vsnprintf(buf, sizeof(buf), fmt, ap);
4391 va_end(ap);
4392 printk(KERN_DEBUG "%s/%s[" MAC_FMT "]: " MAC_FMT " discard %s%sframe, %s\n",
4393 vap->iv_ic->ic_dev->name,
4394 vap->iv_dev->name,
4395 MAC_ADDR(vap->iv_myaddr),
4396 MAC_ADDR(mac),
4397 (type != NULL) ? type : "",
4398 (type != NULL) ? " " : "",
4399 buf);
4400 }
4401 #endif /* IEEE80211_DEBUG */
Stable & featurefull patchset based on Linus's git branch