search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Remove empty DragonFly CVS IDs.
[dragonfly.git] / sys / netproto / 802_11 / wlan / ieee80211_sta.c
blob3f1f1ad91a1500356107c4567c50f48d09dd9d05
1 /*-
2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 *
25 * $FreeBSD: head/sys/net80211/ieee80211_sta.c 203422 2010-02-03 10:07:43Z rpaulo $
26 */
27
28 /*
29 * IEEE 802.11 Station mode support.
30 */
31 #include "opt_inet.h"
32 #include "opt_wlan.h"
33
34 #include <sys/param.h>
35 #include <sys/systm.h>
36 #include <sys/mbuf.h>
37 #include <sys/malloc.h>
38 #include <sys/kernel.h>
39
40 #include <sys/socket.h>
41 #include <sys/sockio.h>
42 #include <sys/endian.h>
43 #include <sys/errno.h>
44 #include <sys/proc.h>
45 #include <sys/sysctl.h>
46
47 #include <net/if.h>
48 #include <net/if_media.h>
49 #include <net/if_llc.h>
50 #include <net/ethernet.h>
51 #include <net/route.h>
52
53 #include <net/bpf.h>
54
55 #include <netproto/802_11/ieee80211_var.h>
56 #include <netproto/802_11/ieee80211_sta.h>
57 #include <netproto/802_11/ieee80211_input.h>
58 #ifdef IEEE80211_SUPPORT_SUPERG
59 #include <netproto/802_11/ieee80211_superg.h>
60 #endif
61
62 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
63
64 static void sta_vattach(struct ieee80211vap *);
65 static void sta_beacon_miss(struct ieee80211vap *);
66 static int sta_newstate(struct ieee80211vap *, enum ieee80211_state, int);
67 static int sta_input(struct ieee80211_node *, struct mbuf *, int, int);
68 static void sta_recv_mgmt(struct ieee80211_node *, struct mbuf *,
69 int subtype, int rssi, int nf);
70 static void sta_recv_ctl(struct ieee80211_node *, struct mbuf *, int subtype);
71
72 void
73 ieee80211_sta_attach(struct ieee80211com *ic)
74 {
75 ic->ic_vattach[IEEE80211_M_STA] = sta_vattach;
76 }
77
78 void
79 ieee80211_sta_detach(struct ieee80211com *ic)
80 {
81 }
82
83 static void
84 sta_vdetach(struct ieee80211vap *vap)
85 {
86 }
87
88 static void
89 sta_vattach(struct ieee80211vap *vap)
90 {
91 vap->iv_newstate = sta_newstate;
92 vap->iv_input = sta_input;
93 vap->iv_recv_mgmt = sta_recv_mgmt;
94 vap->iv_recv_ctl = sta_recv_ctl;
95 vap->iv_opdetach = sta_vdetach;
96 vap->iv_bmiss = sta_beacon_miss;
97 }
98
99 /*
100 * Handle a beacon miss event. The common code filters out
101 * spurious events that can happen when scanning and/or before
102 * reaching RUN state.
103 */
104 static void
105 sta_beacon_miss(struct ieee80211vap *vap)
106 {
107 struct ieee80211com *ic = vap->iv_ic;
108
109 KASSERT((ic->ic_flags & IEEE80211_F_SCAN) == 0, ("scanning"));
110 KASSERT(vap->iv_state >= IEEE80211_S_RUN,
111 ("wrong state %s", ieee80211_state_name[vap->iv_state]));
112
113 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE | IEEE80211_MSG_DEBUG,
114 "beacon miss, mode %s state %s\n",
115 ieee80211_opmode_name[vap->iv_opmode],
116 ieee80211_state_name[vap->iv_state]);
117
118 if (vap->iv_state == IEEE80211_S_CSA) {
119 /*
120 * A Channel Switch is pending; assume we missed the
121 * beacon that would've completed the process and just
122 * force the switch. If we made a mistake we'll not
123 * find the AP on the new channel and fall back to a
124 * normal scan.
125 */
126 ieee80211_csa_completeswitch(ic);
127 return;
128 }
129 if (++vap->iv_bmiss_count < vap->iv_bmiss_max) {
130 /*
131 * Send a directed probe req before falling back to a
132 * scan; if we receive a response ic_bmiss_count will
133 * be reset. Some cards mistakenly report beacon miss
134 * so this avoids the expensive scan if the ap is
135 * still there.
136 */
137 ieee80211_send_probereq(vap->iv_bss, vap->iv_myaddr,
138 vap->iv_bss->ni_bssid, vap->iv_bss->ni_bssid,
139 vap->iv_bss->ni_essid, vap->iv_bss->ni_esslen);
140 return;
141 }
142 vap->iv_bmiss_count = 0;
143 vap->iv_stats.is_beacon_miss++;
144 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
145 #ifdef IEEE80211_SUPPORT_SUPERG
146 struct ieee80211com *ic = vap->iv_ic;
147
148 /*
149 * If we receive a beacon miss interrupt when using
150 * dynamic turbo, attempt to switch modes before
151 * reassociating.
152 */
153 if (IEEE80211_ATH_CAP(vap, vap->iv_bss, IEEE80211_NODE_TURBOP))
154 ieee80211_dturbo_switch(vap,
155 ic->ic_bsschan->ic_flags ^ IEEE80211_CHAN_TURBO);
156 #endif
157 /*
158 * Try to reassociate before scanning for a new ap.
159 */
160 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 1);
161 } else {
162 /*
163 * Somebody else is controlling state changes (e.g.
164 * a user-mode app) don't do anything that would
165 * confuse them; just drop into scan mode so they'll
166 * notified of the state change and given control.
167 */
168 ieee80211_new_state(vap, IEEE80211_S_SCAN, 0);
169 }
170 }
171
172 /*
173 * Handle deauth with reason. We retry only for
174 * the cases where we might succeed. Otherwise
175 * we downgrade the ap and scan.
176 */
177 static void
178 sta_authretry(struct ieee80211vap *vap, struct ieee80211_node *ni, int reason)
179 {
180 switch (reason) {
181 case IEEE80211_STATUS_SUCCESS: /* NB: MLME assoc */
182 case IEEE80211_STATUS_TIMEOUT:
183 case IEEE80211_REASON_ASSOC_EXPIRE:
184 case IEEE80211_REASON_NOT_AUTHED:
185 case IEEE80211_REASON_NOT_ASSOCED:
186 case IEEE80211_REASON_ASSOC_LEAVE:
187 case IEEE80211_REASON_ASSOC_NOT_AUTHED:
188 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, 1);
189 break;
190 default:
191 ieee80211_scan_assoc_fail(vap, vap->iv_bss->ni_macaddr, reason);
192 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
193 ieee80211_check_scan_current(vap);
194 break;
195 }
196 }
197
198 /*
199 * IEEE80211_M_STA vap state machine handler.
200 * This routine handles the main states in the 802.11 protocol.
201 */
202 static int
203 sta_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
204 {
205 struct ieee80211com *ic = vap->iv_ic;
206 struct ieee80211_node *ni;
207 enum ieee80211_state ostate;
208
209 ostate = vap->iv_state;
210 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
211 __func__, ieee80211_state_name[ostate],
212 ieee80211_state_name[nstate], arg);
213 vap->iv_state = nstate; /* state transition */
214 callout_stop(&vap->iv_mgtsend); /* XXX callout_drain */
215 if (ostate != IEEE80211_S_SCAN)
216 ieee80211_cancel_scan(vap); /* background scan */
217 ni = vap->iv_bss; /* NB: no reference held */
218 if (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS)
219 callout_stop(&vap->iv_swbmiss);
220 switch (nstate) {
221 case IEEE80211_S_INIT:
222 switch (ostate) {
223 case IEEE80211_S_SLEEP:
224 /* XXX wakeup */
225 case IEEE80211_S_RUN:
226 IEEE80211_SEND_MGMT(ni,
227 IEEE80211_FC0_SUBTYPE_DISASSOC,
228 IEEE80211_REASON_ASSOC_LEAVE);
229 ieee80211_sta_leave(ni);
230 break;
231 case IEEE80211_S_ASSOC:
232 IEEE80211_SEND_MGMT(ni,
233 IEEE80211_FC0_SUBTYPE_DEAUTH,
234 IEEE80211_REASON_AUTH_LEAVE);
235 break;
236 case IEEE80211_S_SCAN:
237 ieee80211_cancel_scan(vap);
238 break;
239 default:
240 goto invalid;
241 }
242 if (ostate != IEEE80211_S_INIT) {
243 /* NB: optimize INIT -> INIT case */
244 ieee80211_reset_bss(vap);
245 }
246 if (vap->iv_auth->ia_detach != NULL)
247 vap->iv_auth->ia_detach(vap);
248 break;
249 case IEEE80211_S_SCAN:
250 switch (ostate) {
251 case IEEE80211_S_INIT:
252 /*
253 * Initiate a scan. We can come here as a result
254 * of an IEEE80211_IOC_SCAN_REQ too in which case
255 * the vap will be marked with IEEE80211_FEXT_SCANREQ
256 * and the scan request parameters will be present
257 * in iv_scanreq. Otherwise we do the default.
258 */
259 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
260 ieee80211_check_scan(vap,
261 vap->iv_scanreq_flags,
262 vap->iv_scanreq_duration,
263 vap->iv_scanreq_mindwell,
264 vap->iv_scanreq_maxdwell,
265 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
266 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
267 } else
268 ieee80211_check_scan_current(vap);
269 break;
270 case IEEE80211_S_SCAN:
271 case IEEE80211_S_AUTH:
272 case IEEE80211_S_ASSOC:
273 /*
274 * These can happen either because of a timeout
275 * on an assoc/auth response or because of a
276 * change in state that requires a reset. For
277 * the former we're called with a non-zero arg
278 * that is the cause for the failure; pass this
279 * to the scan code so it can update state.
280 * Otherwise trigger a new scan unless we're in
281 * manual roaming mode in which case an application
282 * must issue an explicit scan request.
283 */
284 if (arg != 0)
285 ieee80211_scan_assoc_fail(vap,
286 vap->iv_bss->ni_macaddr, arg);
287 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
288 ieee80211_check_scan_current(vap);
289 break;
290 case IEEE80211_S_RUN: /* beacon miss */
291 /*
292 * Beacon miss. Notify user space and if not
293 * under control of a user application (roaming
294 * manual) kick off a scan to re-connect.
295 */
296 ieee80211_sta_leave(ni);
297 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
298 ieee80211_check_scan_current(vap);
299 break;
300 default:
301 goto invalid;
302 }
303 break;
304 case IEEE80211_S_AUTH:
305 switch (ostate) {
306 case IEEE80211_S_INIT:
307 case IEEE80211_S_SCAN:
308 IEEE80211_SEND_MGMT(ni,
309 IEEE80211_FC0_SUBTYPE_AUTH, 1);
310 break;
311 case IEEE80211_S_AUTH:
312 case IEEE80211_S_ASSOC:
313 switch (arg & 0xff) {
314 case IEEE80211_FC0_SUBTYPE_AUTH:
315 /* ??? */
316 IEEE80211_SEND_MGMT(ni,
317 IEEE80211_FC0_SUBTYPE_AUTH, 2);
318 break;
319 case IEEE80211_FC0_SUBTYPE_DEAUTH:
320 sta_authretry(vap, ni, arg>>8);
321 break;
322 }
323 break;
324 case IEEE80211_S_RUN:
325 switch (arg & 0xff) {
326 case IEEE80211_FC0_SUBTYPE_AUTH:
327 IEEE80211_SEND_MGMT(ni,
328 IEEE80211_FC0_SUBTYPE_AUTH, 2);
329 vap->iv_state = ostate; /* stay RUN */
330 break;
331 case IEEE80211_FC0_SUBTYPE_DEAUTH:
332 ieee80211_sta_leave(ni);
333 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
334 /* try to reauth */
335 IEEE80211_SEND_MGMT(ni,
336 IEEE80211_FC0_SUBTYPE_AUTH, 1);
337 }
338 break;
339 }
340 break;
341 default:
342 goto invalid;
343 }
344 break;
345 case IEEE80211_S_ASSOC:
346 switch (ostate) {
347 case IEEE80211_S_AUTH:
348 case IEEE80211_S_ASSOC:
349 IEEE80211_SEND_MGMT(ni,
350 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
351 break;
352 case IEEE80211_S_SLEEP: /* cannot happen */
353 case IEEE80211_S_RUN:
354 ieee80211_sta_leave(ni);
355 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
356 IEEE80211_SEND_MGMT(ni, arg ?
357 IEEE80211_FC0_SUBTYPE_REASSOC_REQ :
358 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
359 }
360 break;
361 default:
362 goto invalid;
363 }
364 break;
365 case IEEE80211_S_RUN:
366 if (vap->iv_flags & IEEE80211_F_WPA) {
367 /* XXX validate prerequisites */
368 }
369 switch (ostate) {
370 case IEEE80211_S_RUN:
371 case IEEE80211_S_CSA:
372 break;
373 case IEEE80211_S_AUTH: /* when join is done in fw */
374 case IEEE80211_S_ASSOC:
375 #ifdef IEEE80211_DEBUG
376 if (ieee80211_msg_debug(vap)) {
377 ieee80211_note(vap, "%s with %6D ssid ",
378 (vap->iv_opmode == IEEE80211_M_STA ?
379 "associated" : "synchronized"),
380 ni->ni_bssid, ":");
381 ieee80211_print_essid(vap->iv_bss->ni_essid,
382 ni->ni_esslen);
383 /* XXX MCS/HT */
384 kprintf(" channel %d start %uMb\n",
385 ieee80211_chan2ieee(ic, ic->ic_curchan),
386 IEEE80211_RATE2MBS(ni->ni_txrate));
387 }
388 #endif
389 ieee80211_scan_assoc_success(vap, ni->ni_macaddr);
390 ieee80211_notify_node_join(ni,
391 arg == IEEE80211_FC0_SUBTYPE_ASSOC_RESP);
392 break;
393 case IEEE80211_S_SLEEP:
394 ieee80211_sta_pwrsave(vap, 0);
395 break;
396 default:
397 goto invalid;
398 }
399 ieee80211_sync_curchan(ic);
400 if (ostate != IEEE80211_S_RUN &&
401 (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS)) {
402 /*
403 * Start s/w beacon miss timer for devices w/o
404 * hardware support. We fudge a bit here since
405 * we're doing this in software.
406 */
407 vap->iv_swbmiss_period = IEEE80211_TU_TO_TICKS(
408 2 * vap->iv_bmissthreshold * ni->ni_intval);
409 vap->iv_swbmiss_count = 0;
410 callout_reset(&vap->iv_swbmiss, vap->iv_swbmiss_period,
411 ieee80211_swbmiss_callout, vap);
412 }
413 /*
414 * When 802.1x is not in use mark the port authorized
415 * at this point so traffic can flow.
416 */
417 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
418 ieee80211_node_authorize(ni);
419 /*
420 * Fake association when joining an existing bss.
421 */
422 if (ic->ic_newassoc != NULL)
423 ic->ic_newassoc(vap->iv_bss, ostate != IEEE80211_S_RUN);
424 break;
425 case IEEE80211_S_CSA:
426 if (ostate != IEEE80211_S_RUN)
427 goto invalid;
428 break;
429 case IEEE80211_S_SLEEP:
430 ieee80211_sta_pwrsave(vap, 1);
431 break;
432 default:
433 invalid:
434 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE,
435 "%s: unexpected state transition %s -> %s\n", __func__,
436 ieee80211_state_name[ostate], ieee80211_state_name[nstate]);
437 break;
438 }
439 return 0;
440 }
441
442 /*
443 * Return non-zero if the frame is an echo of a multicast
444 * frame sent by ourself. The dir is known to be DSTODS.
445 */
446 static __inline int
447 isdstods_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh)
448 {
449 #define QWH4(wh) ((const struct ieee80211_qosframe_addr4 *)wh)
450 #define WH4(wh) ((const struct ieee80211_frame_addr4 *)wh)
451 const uint8_t *sa;
452
453 KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode"));
454
455 if (!IEEE80211_IS_MULTICAST(wh->i_addr3))
456 return 0;
457 sa = IEEE80211_QOS_HAS_SEQ(wh) ? QWH4(wh)->i_addr4 : WH4(wh)->i_addr4;
458 return IEEE80211_ADDR_EQ(sa, vap->iv_myaddr);
459 #undef WH4
460 #undef QWH4
461 }
462
463 /*
464 * Return non-zero if the frame is an echo of a multicast
465 * frame sent by ourself. The dir is known to be FROMDS.
466 */
467 static __inline int
468 isfromds_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh)
469 {
470 KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode"));
471
472 if (!IEEE80211_IS_MULTICAST(wh->i_addr1))
473 return 0;
474 return IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_myaddr);
475 }
476
477 /*
478 * Decide if a received management frame should be
479 * printed when debugging is enabled. This filters some
480 * of the less interesting frames that come frequently
481 * (e.g. beacons).
482 */
483 static __inline int
484 doprint(struct ieee80211vap *vap, int subtype)
485 {
486 switch (subtype) {
487 case IEEE80211_FC0_SUBTYPE_BEACON:
488 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
489 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
490 return 0;
491 }
492 return 1;
493 }
494
495 /*
496 * Process a received frame. The node associated with the sender
497 * should be supplied. If nothing was found in the node table then
498 * the caller is assumed to supply a reference to iv_bss instead.
499 * The RSSI and a timestamp are also supplied. The RSSI data is used
500 * during AP scanning to select a AP to associate with; it can have
501 * any units so long as values have consistent units and higher values
502 * mean ``better signal''. The receive timestamp is currently not used
503 * by the 802.11 layer.
504 */
505 static int
506 sta_input(struct ieee80211_node *ni, struct mbuf *m, int rssi, int nf)
507 {
508 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0)
509 #define HAS_SEQ(type) ((type & 0x4) == 0)
510 struct ieee80211vap *vap = ni->ni_vap;
511 struct ieee80211com *ic = ni->ni_ic;
512 struct ifnet *ifp = vap->iv_ifp;
513 struct ieee80211_frame *wh;
514 struct ieee80211_key *key;
515 struct ether_header *eh;
516 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */
517 uint8_t dir, type, subtype, qos;
518 uint8_t *bssid;
519 uint16_t rxseq;
520
521 if (m->m_flags & M_AMPDU_MPDU) {
522 /*
523 * Fastpath for A-MPDU reorder q resubmission. Frames
524 * w/ M_AMPDU_MPDU marked have already passed through
525 * here but were received out of order and been held on
526 * the reorder queue. When resubmitted they are marked
527 * with the M_AMPDU_MPDU flag and we can bypass most of
528 * the normal processing.
529 */
530 wh = mtod(m, struct ieee80211_frame *);
531 type = IEEE80211_FC0_TYPE_DATA;
532 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
533 subtype = IEEE80211_FC0_SUBTYPE_QOS;
534 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
535 goto resubmit_ampdu;
536 }
537
538 KASSERT(ni != NULL, ("null node"));
539 ni->ni_inact = ni->ni_inact_reload;
540
541 type = -1; /* undefined */
542
543 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
544 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
545 ni->ni_macaddr, NULL,
546 "too short (1): len %u", m->m_pkthdr.len);
547 vap->iv_stats.is_rx_tooshort++;
548 goto out;
549 }
550 /*
551 * Bit of a cheat here, we use a pointer for a 3-address
552 * frame format but don't reference fields past outside
553 * ieee80211_frame_min w/o first validating the data is
554 * present.
555 */
556 wh = mtod(m, struct ieee80211_frame *);
557
558 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
559 IEEE80211_FC0_VERSION_0) {
560 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
561 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
562 wh->i_fc[0], wh->i_fc[1]);
563 vap->iv_stats.is_rx_badversion++;
564 goto err;
565 }
566
567 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
568 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
569 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
570 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
571 bssid = wh->i_addr2;
572 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) {
573 /* not interested in */
574 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
575 bssid, NULL, "%s", "not to bss");
576 vap->iv_stats.is_rx_wrongbss++;
577 goto out;
578 }
579 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
580 ni->ni_noise = nf;
581 if (HAS_SEQ(type) && !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
582 uint8_t tid = ieee80211_gettid(wh);
583 if (IEEE80211_QOS_HAS_SEQ(wh) &&
584 TID_TO_WME_AC(tid) >= WME_AC_VI)
585 ic->ic_wme.wme_hipri_traffic++;
586 rxseq = le16toh(*(uint16_t *)wh->i_seq);
587 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 &&
588 (wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
589 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
590 /* duplicate, discard */
591 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
592 bssid, "duplicate",
593 "seqno <%u,%u> fragno <%u,%u> tid %u",
594 rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
595 ni->ni_rxseqs[tid] >>
596 IEEE80211_SEQ_SEQ_SHIFT,
597 rxseq & IEEE80211_SEQ_FRAG_MASK,
598 ni->ni_rxseqs[tid] &
599 IEEE80211_SEQ_FRAG_MASK,
600 tid);
601 vap->iv_stats.is_rx_dup++;
602 IEEE80211_NODE_STAT(ni, rx_dup);
603 goto out;
604 }
605 ni->ni_rxseqs[tid] = rxseq;
606 }
607 }
608
609 switch (type) {
610 case IEEE80211_FC0_TYPE_DATA:
611 hdrspace = ieee80211_hdrspace(ic, wh);
612 if (m->m_len < hdrspace &&
613 (m = m_pullup(m, hdrspace)) == NULL) {
614 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
615 ni->ni_macaddr, NULL,
616 "data too short: expecting %u", hdrspace);
617 vap->iv_stats.is_rx_tooshort++;
618 goto out; /* XXX */
619 }
620 /*
621 * Handle A-MPDU re-ordering. If the frame is to be
622 * processed directly then ieee80211_ampdu_reorder
623 * will return 0; otherwise it has consumed the mbuf
624 * and we should do nothing more with it.
625 */
626 if ((m->m_flags & M_AMPDU) &&
627 (dir == IEEE80211_FC1_DIR_FROMDS ||
628 dir == IEEE80211_FC1_DIR_DSTODS) &&
629 ieee80211_ampdu_reorder(ni, m) != 0) {
630 m = NULL;
631 goto out;
632 }
633 resubmit_ampdu:
634 if (dir == IEEE80211_FC1_DIR_FROMDS) {
635 if ((ifp->if_flags & IFF_SIMPLEX) &&
636 isfromds_mcastecho(vap, wh)) {
637 /*
638 * In IEEE802.11 network, multicast
639 * packets sent from "me" are broadcast
640 * from the AP; silently discard for
641 * SIMPLEX interface.
642 */
643 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
644 wh, "data", "%s", "multicast echo");
645 vap->iv_stats.is_rx_mcastecho++;
646 goto out;
647 }
648 if ((vap->iv_flags & IEEE80211_F_DWDS) &&
649 IEEE80211_IS_MULTICAST(wh->i_addr1)) {
650 /*
651 * DWDS sta's must drop 3-address mcast frames
652 * as they will be sent separately as a 4-addr
653 * frame. Accepting the 3-addr frame will
654 * confuse the bridge into thinking the sending
655 * sta is located at the end of WDS link.
656 */
657 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
658 "3-address data", "%s", "DWDS enabled");
659 vap->iv_stats.is_rx_mcastecho++;
660 goto out;
661 }
662 } else if (dir == IEEE80211_FC1_DIR_DSTODS) {
663 if ((vap->iv_flags & IEEE80211_F_DWDS) == 0) {
664 IEEE80211_DISCARD(vap,
665 IEEE80211_MSG_INPUT, wh, "4-address data",
666 "%s", "DWDS not enabled");
667 vap->iv_stats.is_rx_wrongdir++;
668 goto out;
669 }
670 if ((ifp->if_flags & IFF_SIMPLEX) &&
671 isdstods_mcastecho(vap, wh)) {
672 /*
673 * In IEEE802.11 network, multicast
674 * packets sent from "me" are broadcast
675 * from the AP; silently discard for
676 * SIMPLEX interface.
677 */
678 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
679 "4-address data", "%s", "multicast echo");
680 vap->iv_stats.is_rx_mcastecho++;
681 goto out;
682 }
683 } else {
684 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
685 "data", "incorrect dir 0x%x", dir);
686 vap->iv_stats.is_rx_wrongdir++;
687 goto out;
688 }
689
690 /*
691 * Handle privacy requirements. Note that we
692 * must not be preempted from here until after
693 * we (potentially) call ieee80211_crypto_demic;
694 * otherwise we may violate assumptions in the
695 * crypto cipher modules used to do delayed update
696 * of replay sequence numbers.
697 */
698 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
699 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
700 /*
701 * Discard encrypted frames when privacy is off.
702 */
703 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
704 wh, "WEP", "%s", "PRIVACY off");
705 vap->iv_stats.is_rx_noprivacy++;
706 IEEE80211_NODE_STAT(ni, rx_noprivacy);
707 goto out;
708 }
709 key = ieee80211_crypto_decap(ni, m, hdrspace);
710 if (key == NULL) {
711 /* NB: stats+msgs handled in crypto_decap */
712 IEEE80211_NODE_STAT(ni, rx_wepfail);
713 goto out;
714 }
715 wh = mtod(m, struct ieee80211_frame *);
716 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
717 } else {
718 /* XXX M_WEP and IEEE80211_F_PRIVACY */
719 key = NULL;
720 }
721
722 /*
723 * Save QoS bits for use below--before we strip the header.
724 */
725 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
726 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
727 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
728 ((struct ieee80211_qosframe *)wh)->i_qos[0];
729 } else
730 qos = 0;
731
732 /*
733 * Next up, any fragmentation.
734 */
735 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
736 m = ieee80211_defrag(ni, m, hdrspace);
737 if (m == NULL) {
738 /* Fragment dropped or frame not complete yet */
739 goto out;
740 }
741 }
742 wh = NULL; /* no longer valid, catch any uses */
743
744 /*
745 * Next strip any MSDU crypto bits.
746 */
747 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
748 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
749 ni->ni_macaddr, "data", "%s", "demic error");
750 vap->iv_stats.is_rx_demicfail++;
751 IEEE80211_NODE_STAT(ni, rx_demicfail);
752 goto out;
753 }
754
755 /* copy to listener after decrypt */
756 if (ieee80211_radiotap_active_vap(vap))
757 ieee80211_radiotap_rx(vap, m);
758 need_tap = 0;
759
760 /*
761 * Finally, strip the 802.11 header.
762 */
763 m = ieee80211_decap(vap, m, hdrspace);
764 if (m == NULL) {
765 /* XXX mask bit to check for both */
766 /* don't count Null data frames as errors */
767 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
768 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
769 goto out;
770 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
771 ni->ni_macaddr, "data", "%s", "decap error");
772 vap->iv_stats.is_rx_decap++;
773 IEEE80211_NODE_STAT(ni, rx_decap);
774 goto err;
775 }
776 eh = mtod(m, struct ether_header *);
777 if (!ieee80211_node_is_authorized(ni)) {
778 /*
779 * Deny any non-PAE frames received prior to
780 * authorization. For open/shared-key
781 * authentication the port is mark authorized
782 * after authentication completes. For 802.1x
783 * the port is not marked authorized by the
784 * authenticator until the handshake has completed.
785 */
786 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
787 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
788 eh->ether_shost, "data",
789 "unauthorized port: ether type 0x%x len %u",
790 eh->ether_type, m->m_pkthdr.len);
791 vap->iv_stats.is_rx_unauth++;
792 IEEE80211_NODE_STAT(ni, rx_unauth);
793 goto err;
794 }
795 } else {
796 /*
797 * When denying unencrypted frames, discard
798 * any non-PAE frames received without encryption.
799 */
800 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
801 (key == NULL && (m->m_flags & M_WEP) == 0) &&
802 eh->ether_type != htons(ETHERTYPE_PAE)) {
803 /*
804 * Drop unencrypted frames.
805 */
806 vap->iv_stats.is_rx_unencrypted++;
807 IEEE80211_NODE_STAT(ni, rx_unencrypted);
808 goto out;
809 }
810 }
811 /* XXX require HT? */
812 if (qos & IEEE80211_QOS_AMSDU) {
813 m = ieee80211_decap_amsdu(ni, m);
814 if (m == NULL)
815 return IEEE80211_FC0_TYPE_DATA;
816 } else {
817 #ifdef IEEE80211_SUPPORT_SUPERG
818 m = ieee80211_decap_fastframe(vap, ni, m);
819 if (m == NULL)
820 return IEEE80211_FC0_TYPE_DATA;
821 #endif
822 }
823 ieee80211_deliver_data(vap, ni, m);
824 return IEEE80211_FC0_TYPE_DATA;
825
826 case IEEE80211_FC0_TYPE_MGT:
827 vap->iv_stats.is_rx_mgmt++;
828 IEEE80211_NODE_STAT(ni, rx_mgmt);
829 if (dir != IEEE80211_FC1_DIR_NODS) {
830 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
831 wh, "data", "incorrect dir 0x%x", dir);
832 vap->iv_stats.is_rx_wrongdir++;
833 goto err;
834 }
835 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
836 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
837 ni->ni_macaddr, "mgt", "too short: len %u",
838 m->m_pkthdr.len);
839 vap->iv_stats.is_rx_tooshort++;
840 goto out;
841 }
842 #ifdef IEEE80211_DEBUG
843 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
844 ieee80211_msg_dumppkts(vap)) {
845 if_printf(ifp, "received %s from %6D rssi %d\n",
846 ieee80211_mgt_subtype_name[subtype >>
847 IEEE80211_FC0_SUBTYPE_SHIFT],
848 wh->i_addr2, ":", rssi);
849 }
850 #endif
851 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
852 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
853 /*
854 * Only shared key auth frames with a challenge
855 * should be encrypted, discard all others.
856 */
857 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
858 wh, ieee80211_mgt_subtype_name[subtype >>
859 IEEE80211_FC0_SUBTYPE_SHIFT],
860 "%s", "WEP set but not permitted");
861 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
862 goto out;
863 }
864 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
865 /*
866 * Discard encrypted frames when privacy is off.
867 */
868 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
869 wh, "mgt", "%s", "WEP set but PRIVACY off");
870 vap->iv_stats.is_rx_noprivacy++;
871 goto out;
872 }
873 hdrspace = ieee80211_hdrspace(ic, wh);
874 key = ieee80211_crypto_decap(ni, m, hdrspace);
875 if (key == NULL) {
876 /* NB: stats+msgs handled in crypto_decap */
877 goto out;
878 }
879 wh = mtod(m, struct ieee80211_frame *);
880 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
881 }
882 vap->iv_recv_mgmt(ni, m, subtype, rssi, nf);
883 goto out;
884
885 case IEEE80211_FC0_TYPE_CTL:
886 vap->iv_stats.is_rx_ctl++;
887 IEEE80211_NODE_STAT(ni, rx_ctrl);
888 vap->iv_recv_ctl(ni, m, subtype);
889 goto out;
890
891 default:
892 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
893 wh, NULL, "bad frame type 0x%x", type);
894 /* should not come here */
895 break;
896 }
897 err:
898 ifp->if_ierrors++;
899 out:
900 if (m != NULL) {
901 if (need_tap && ieee80211_radiotap_active_vap(vap))
902 ieee80211_radiotap_rx(vap, m);
903 m_freem(m);
904 }
905 return type;
906 #undef SEQ_LEQ
907 }
908
909 static void
910 sta_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
911 int rssi, int nf, uint16_t seq, uint16_t status)
912 {
913 struct ieee80211vap *vap = ni->ni_vap;
914
915 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
916 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
917 ni->ni_macaddr, "open auth",
918 "bad sta auth mode %u", ni->ni_authmode);
919 vap->iv_stats.is_rx_bad_auth++; /* XXX */
920 return;
921 }
922 if (vap->iv_state != IEEE80211_S_AUTH ||
923 seq != IEEE80211_AUTH_OPEN_RESPONSE) {
924 vap->iv_stats.is_rx_bad_auth++;
925 return;
926 }
927 if (status != 0) {
928 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
929 ni, "open auth failed (reason %d)", status);
930 vap->iv_stats.is_rx_auth_fail++;
931 vap->iv_stats.is_rx_authfail_code = status;
932 ieee80211_new_state(vap, IEEE80211_S_SCAN,
933 IEEE80211_SCAN_FAIL_STATUS);
934 } else
935 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
936 }
937
938 static void
939 sta_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
940 uint8_t *frm, uint8_t *efrm, int rssi, int nf,
941 uint16_t seq, uint16_t status)
942 {
943 struct ieee80211vap *vap = ni->ni_vap;
944 uint8_t *challenge;
945 int estatus;
946
947 /*
948 * NB: this can happen as we allow pre-shared key
949 * authentication to be enabled w/o wep being turned
950 * on so that configuration of these can be done
951 * in any order. It may be better to enforce the
952 * ordering in which case this check would just be
953 * for sanity/consistency.
954 */
955 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
956 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
957 ni->ni_macaddr, "shared key auth",
958 "%s", " PRIVACY is disabled");
959 estatus = IEEE80211_STATUS_ALG;
960 goto bad;
961 }
962 /*
963 * Pre-shared key authentication is evil; accept
964 * it only if explicitly configured (it is supported
965 * mainly for compatibility with clients like OS X).
966 */
967 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
968 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
969 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
970 ni->ni_macaddr, "shared key auth",
971 "bad sta auth mode %u", ni->ni_authmode);
972 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
973 estatus = IEEE80211_STATUS_ALG;
974 goto bad;
975 }
976
977 challenge = NULL;
978 if (frm + 1 < efrm) {
979 if ((frm[1] + 2) > (efrm - frm)) {
980 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
981 ni->ni_macaddr, "shared key auth",
982 "ie %d/%d too long",
983 frm[0], (int)((frm[1] + 2) - (efrm - frm)));
984 vap->iv_stats.is_rx_bad_auth++;
985 estatus = IEEE80211_STATUS_CHALLENGE;
986 goto bad;
987 }
988 if (*frm == IEEE80211_ELEMID_CHALLENGE)
989 challenge = frm;
990 frm += frm[1] + 2;
991 }
992 switch (seq) {
993 case IEEE80211_AUTH_SHARED_CHALLENGE:
994 case IEEE80211_AUTH_SHARED_RESPONSE:
995 if (challenge == NULL) {
996 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
997 ni->ni_macaddr, "shared key auth",
998 "%s", "no challenge");
999 vap->iv_stats.is_rx_bad_auth++;
1000 estatus = IEEE80211_STATUS_CHALLENGE;
1001 goto bad;
1002 }
1003 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1004 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1005 ni->ni_macaddr, "shared key auth",
1006 "bad challenge len %d", challenge[1]);
1007 vap->iv_stats.is_rx_bad_auth++;
1008 estatus = IEEE80211_STATUS_CHALLENGE;
1009 goto bad;
1010 }
1011 default:
1012 break;
1013 }
1014 if (vap->iv_state != IEEE80211_S_AUTH)
1015 return;
1016 switch (seq) {
1017 case IEEE80211_AUTH_SHARED_PASS:
1018 if (ni->ni_challenge != NULL) {
1019 kfree(ni->ni_challenge, M_80211_NODE);
1020 ni->ni_challenge = NULL;
1021 }
1022 if (status != 0) {
1023 IEEE80211_NOTE_FRAME(vap,
1024 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, wh,
1025 "shared key auth failed (reason %d)", status);
1026 vap->iv_stats.is_rx_auth_fail++;
1027 vap->iv_stats.is_rx_authfail_code = status;
1028 return;
1029 }
1030 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
1031 break;
1032 case IEEE80211_AUTH_SHARED_CHALLENGE:
1033 if (!ieee80211_alloc_challenge(ni))
1034 return;
1035 /* XXX could optimize by passing recvd challenge */
1036 memcpy(ni->ni_challenge, &challenge[2], challenge[1]);
1037 IEEE80211_SEND_MGMT(ni,
1038 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1039 break;
1040 default:
1041 IEEE80211_DISCARD(vap, IEEE80211_MSG_AUTH,
1042 wh, "shared key auth", "bad seq %d", seq);
1043 vap->iv_stats.is_rx_bad_auth++;
1044 return;
1045 }
1046 return;
1047 bad:
1048 /*
1049 * Kick the state machine. This short-circuits
1050 * using the mgt frame timeout to trigger the
1051 * state transition.
1052 */
1053 if (vap->iv_state == IEEE80211_S_AUTH)
1054 ieee80211_new_state(vap, IEEE80211_S_SCAN,
1055 IEEE80211_SCAN_FAIL_STATUS);
1056 }
1057
1058 static int
1059 ieee80211_parse_wmeparams(struct ieee80211vap *vap, uint8_t *frm,
1060 const struct ieee80211_frame *wh)
1061 {
1062 #define MS(_v, _f) (((_v) & _f) >> _f##_S)
1063 struct ieee80211_wme_state *wme = &vap->iv_ic->ic_wme;
1064 u_int len = frm[1], qosinfo;
1065 int i;
1066
1067 if (len < sizeof(struct ieee80211_wme_param)-2) {
1068 IEEE80211_DISCARD_IE(vap,
1069 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME,
1070 wh, "WME", "too short, len %u", len);
1071 return -1;
1072 }
1073 qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)];
1074 qosinfo &= WME_QOSINFO_COUNT;
1075 /* XXX do proper check for wraparound */
1076 if (qosinfo == wme->wme_wmeChanParams.cap_info)
1077 return 0;
1078 frm += __offsetof(struct ieee80211_wme_param, params_acParams);
1079 for (i = 0; i < WME_NUM_AC; i++) {
1080 struct wmeParams *wmep =
1081 &wme->wme_wmeChanParams.cap_wmeParams[i];
1082 /* NB: ACI not used */
1083 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM);
1084 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN);
1085 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN);
1086 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX);
1087 wmep->wmep_txopLimit = LE_READ_2(frm+2);
1088 frm += 4;
1089 }
1090 wme->wme_wmeChanParams.cap_info = qosinfo;
1091 return 1;
1092 #undef MS
1093 }
1094
1095 /*
1096 * Process 11h Channel Switch Announcement (CSA) ie. If this
1097 * is the first CSA then initiate the switch. Otherwise we
1098 * track state and trigger completion and/or cancel of the switch.
1099 * XXX should be public for IBSS use
1100 */
1101 static void
1102 ieee80211_parse_csaparams(struct ieee80211vap *vap, uint8_t *frm,
1103 const struct ieee80211_frame *wh)
1104 {
1105 struct ieee80211com *ic = vap->iv_ic;
1106 const struct ieee80211_csa_ie *csa =
1107 (const struct ieee80211_csa_ie *) frm;
1108
1109 KASSERT(vap->iv_state >= IEEE80211_S_RUN,
1110 ("state %s", ieee80211_state_name[vap->iv_state]));
1111
1112 if (csa->csa_mode > 1) {
1113 IEEE80211_DISCARD_IE(vap,
1114 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
1115 wh, "CSA", "invalid mode %u", csa->csa_mode);
1116 return;
1117 }
1118 if ((ic->ic_flags & IEEE80211_F_CSAPENDING) == 0) {
1119 /*
1120 * Convert the channel number to a channel reference. We
1121 * try first to preserve turbo attribute of the current
1122 * channel then fallback. Note this will not work if the
1123 * CSA specifies a channel that requires a band switch (e.g.
1124 * 11a => 11g). This is intentional as 11h is defined only
1125 * for 5GHz/11a and because the switch does not involve a
1126 * reassociation, protocol state (capabilities, negotated
1127 * rates, etc) may/will be wrong.
1128 */
1129 struct ieee80211_channel *c =
1130 ieee80211_find_channel_byieee(ic, csa->csa_newchan,
1131 (ic->ic_bsschan->ic_flags & IEEE80211_CHAN_ALLTURBO));
1132 if (c == NULL) {
1133 c = ieee80211_find_channel_byieee(ic,
1134 csa->csa_newchan,
1135 (ic->ic_bsschan->ic_flags & IEEE80211_CHAN_ALL));
1136 if (c == NULL) {
1137 IEEE80211_DISCARD_IE(vap,
1138 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
1139 wh, "CSA", "invalid channel %u",
1140 csa->csa_newchan);
1141 goto done;
1142 }
1143 }
1144 #if IEEE80211_CSA_COUNT_MIN > 0
1145 if (csa->csa_count < IEEE80211_CSA_COUNT_MIN) {
1146 /*
1147 * Require at least IEEE80211_CSA_COUNT_MIN count to
1148 * reduce the risk of being redirected by a fabricated
1149 * CSA. If a valid CSA is dropped we'll still get a
1150 * beacon miss when the AP leaves the channel so we'll
1151 * eventually follow to the new channel.
1152 *
1153 * NOTE: this violates the 11h spec that states that
1154 * count may be any value and if 0 then a switch
1155 * should happen asap.
1156 */
1157 IEEE80211_DISCARD_IE(vap,
1158 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
1159 wh, "CSA", "count %u too small, must be >= %u",
1160 csa->csa_count, IEEE80211_CSA_COUNT_MIN);
1161 goto done;
1162 }
1163 #endif
1164 ieee80211_csa_startswitch(ic, c, csa->csa_mode, csa->csa_count);
1165 } else {
1166 /*
1167 * Validate this ie against the initial CSA. We require
1168 * mode and channel not change and the count must be
1169 * monotonically decreasing. This may be pointless and
1170 * canceling the switch as a result may be too paranoid but
1171 * in the worst case if we drop out of CSA because of this
1172 * and the AP does move then we'll just end up taking a
1173 * beacon miss and scan to find the AP.
1174 *
1175 * XXX may want <= on count as we also process ProbeResp
1176 * frames and those may come in w/ the same count as the
1177 * previous beacon; but doing so leaves us open to a stuck
1178 * count until we add a dead-man timer
1179 */
1180 if (!(csa->csa_count < ic->ic_csa_count &&
1181 csa->csa_mode == ic->ic_csa_mode &&
1182 csa->csa_newchan == ieee80211_chan2ieee(ic, ic->ic_csa_newchan))) {
1183 IEEE80211_NOTE_FRAME(vap, IEEE80211_MSG_DOTH, wh,
1184 "CSA ie mismatch, initial ie <%d,%d,%d>, "
1185 "this ie <%d,%d,%d>", ic->ic_csa_mode,
1186 ic->ic_csa_newchan->ic_ieee, ic->ic_csa_count,
1187 csa->csa_mode, csa->csa_newchan, csa->csa_count);
1188 ieee80211_csa_cancelswitch(ic);
1189 } else {
1190 if (csa->csa_count <= 1)
1191 ieee80211_csa_completeswitch(ic);
1192 else
1193 ic->ic_csa_count = csa->csa_count;
1194 }
1195 }
1196 done:
1197 ;
1198 }
1199
1200 /*
1201 * Return non-zero if a background scan may be continued:
1202 * o bg scan is active
1203 * o no channel switch is pending
1204 * o there has not been any traffic recently
1205 *
1206 * Note we do not check if there is an administrative enable;
1207 * this is only done to start the scan. We assume that any
1208 * change in state will be accompanied by a request to cancel
1209 * active scans which will otherwise cause this test to fail.
1210 */
1211 static __inline int
1212 contbgscan(struct ieee80211vap *vap)
1213 {
1214 struct ieee80211com *ic = vap->iv_ic;
1215
1216 return ((ic->ic_flags_ext & IEEE80211_FEXT_BGSCAN) &&
1217 (ic->ic_flags & IEEE80211_F_CSAPENDING) == 0 &&
1218 vap->iv_state == IEEE80211_S_RUN && /* XXX? */
1219 time_after(ticks, ic->ic_lastdata + vap->iv_bgscanidle));
1220 }
1221
1222 /*
1223 * Return non-zero if a backgrond scan may be started:
1224 * o bg scanning is administratively enabled
1225 * o no channel switch is pending
1226 * o we are not boosted on a dynamic turbo channel
1227 * o there has not been a scan recently
1228 * o there has not been any traffic recently
1229 */
1230 static __inline int
1231 startbgscan(struct ieee80211vap *vap)
1232 {
1233 struct ieee80211com *ic = vap->iv_ic;
1234
1235 return ((vap->iv_flags & IEEE80211_F_BGSCAN) &&
1236 (ic->ic_flags & IEEE80211_F_CSAPENDING) == 0 &&
1237 #ifdef IEEE80211_SUPPORT_SUPERG
1238 !IEEE80211_IS_CHAN_DTURBO(ic->ic_curchan) &&
1239 #endif
1240 time_after(ticks, ic->ic_lastscan + vap->iv_bgscanintvl) &&
1241 time_after(ticks, ic->ic_lastdata + vap->iv_bgscanidle));
1242 }
1243
1244 static void
1245 sta_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1246 int subtype, int rssi, int nf)
1247 {
1248 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP)
1249 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP)
1250 struct ieee80211vap *vap = ni->ni_vap;
1251 struct ieee80211com *ic = ni->ni_ic;
1252 struct ieee80211_frame *wh;
1253 uint8_t *frm, *efrm;
1254 uint8_t *rates, *xrates, *wme, *htcap, *htinfo;
1255 uint8_t rate;
1256
1257 wh = mtod(m0, struct ieee80211_frame *);
1258 frm = (uint8_t *)&wh[1];
1259 efrm = mtod(m0, uint8_t *) + m0->m_len;
1260 switch (subtype) {
1261 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1262 case IEEE80211_FC0_SUBTYPE_BEACON: {
1263 struct ieee80211_scanparams scan;
1264 /*
1265 * We process beacon/probe response frames:
1266 * o when scanning, or
1267 * o station mode when associated (to collect state
1268 * updates such as 802.11g slot time)
1269 * Frames otherwise received are discarded.
1270 */
1271 if (!((ic->ic_flags & IEEE80211_F_SCAN) || ni->ni_associd)) {
1272 vap->iv_stats.is_rx_mgtdiscard++;
1273 return;
1274 }
1275 /* XXX probe response in sta mode when !scanning? */
1276 if (ieee80211_parse_beacon(ni, m0, &scan) != 0)
1277 return;
1278 /*
1279 * Count frame now that we know it's to be processed.
1280 */
1281 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1282 vap->iv_stats.is_rx_beacon++; /* XXX remove */
1283 IEEE80211_NODE_STAT(ni, rx_beacons);
1284 } else
1285 IEEE80211_NODE_STAT(ni, rx_proberesp);
1286 /*
1287 * When operating in station mode, check for state updates.
1288 * Be careful to ignore beacons received while doing a
1289 * background scan. We consider only 11g/WMM stuff right now.
1290 */
1291 if (ni->ni_associd != 0 &&
1292 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 ||
1293 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) {
1294 /* record tsf of last beacon */
1295 memcpy(ni->ni_tstamp.data, scan.tstamp,
1296 sizeof(ni->ni_tstamp));
1297 /* count beacon frame for s/w bmiss handling */
1298 vap->iv_swbmiss_count++;
1299 vap->iv_bmiss_count = 0;
1300 if (ni->ni_erp != scan.erp) {
1301 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1302 wh->i_addr2,
1303 "erp change: was 0x%x, now 0x%x",
1304 ni->ni_erp, scan.erp);
1305 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1306 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
1307 ic->ic_flags |= IEEE80211_F_USEPROT;
1308 else
1309 ic->ic_flags &= ~IEEE80211_F_USEPROT;
1310 ni->ni_erp = scan.erp;
1311 /* XXX statistic */
1312 /* XXX driver notification */
1313 }
1314 if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) {
1315 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1316 wh->i_addr2,
1317 "capabilities change: was 0x%x, now 0x%x",
1318 ni->ni_capinfo, scan.capinfo);
1319 /*
1320 * NB: we assume short preamble doesn't
1321 * change dynamically
1322 */
1323 ieee80211_set_shortslottime(ic,
1324 IEEE80211_IS_CHAN_A(ic->ic_bsschan) ||
1325 (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
1326 ni->ni_capinfo = (ni->ni_capinfo &~ IEEE80211_CAPINFO_SHORT_SLOTTIME)
1327 | (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME);
1328 /* XXX statistic */
1329 }
1330 if (scan.wme != NULL &&
1331 (ni->ni_flags & IEEE80211_NODE_QOS) &&
1332 ieee80211_parse_wmeparams(vap, scan.wme, wh) > 0)
1333 ieee80211_wme_updateparams(vap);
1334 #ifdef IEEE80211_SUPPORT_SUPERG
1335 if (scan.ath != NULL)
1336 ieee80211_parse_athparams(ni, scan.ath, wh);
1337 #endif
1338 if (scan.htcap != NULL && scan.htinfo != NULL &&
1339 (vap->iv_flags_ht & IEEE80211_FHT_HT)) {
1340 ieee80211_ht_updateparams(ni,
1341 scan.htcap, scan.htinfo);
1342 /* XXX state changes? */
1343 }
1344 if (scan.tim != NULL) {
1345 struct ieee80211_tim_ie *tim =
1346 (struct ieee80211_tim_ie *) scan.tim;
1347 #if 0
1348 int aid = IEEE80211_AID(ni->ni_associd);
1349 int ix = aid / NBBY;
1350 int min = tim->tim_bitctl &~ 1;
1351 int max = tim->tim_len + min - 4;
1352 if ((tim->tim_bitctl&1) ||
1353 (min <= ix && ix <= max &&
1354 isset(tim->tim_bitmap - min, aid))) {
1355 /*
1356 * XXX Do not let bg scan kick off
1357 * we are expecting data.
1358 */
1359 ic->ic_lastdata = ticks;
1360 ieee80211_sta_pwrsave(vap, 0);
1361 }
1362 #endif
1363 ni->ni_dtim_count = tim->tim_count;
1364 ni->ni_dtim_period = tim->tim_period;
1365 }
1366 if (scan.csa != NULL &&
1367 (vap->iv_flags & IEEE80211_F_DOTH))
1368 ieee80211_parse_csaparams(vap, scan.csa, wh);
1369 else if (ic->ic_flags & IEEE80211_F_CSAPENDING) {
1370 /*
1371 * No CSA ie or 11h disabled, but a channel
1372 * switch is pending; drop out so we aren't
1373 * stuck in CSA state. If the AP really is
1374 * moving we'll get a beacon miss and scan.
1375 */
1376 ieee80211_csa_cancelswitch(ic);
1377 }
1378 /*
1379 * If scanning, pass the info to the scan module.
1380 * Otherwise, check if it's the right time to do
1381 * a background scan. Background scanning must
1382 * be enabled and we must not be operating in the
1383 * turbo phase of dynamic turbo mode. Then,
1384 * it's been a while since the last background
1385 * scan and if no data frames have come through
1386 * recently, kick off a scan. Note that this
1387 * is the mechanism by which a background scan
1388 * is started _and_ continued each time we
1389 * return on-channel to receive a beacon from
1390 * our ap.
1391 */
1392 if (ic->ic_flags & IEEE80211_F_SCAN) {
1393 ieee80211_add_scan(vap, &scan, wh,
1394 subtype, rssi, nf);
1395 } else if (contbgscan(vap)) {
1396 ieee80211_bg_scan(vap, 0);
1397 } else if (startbgscan(vap)) {
1398 vap->iv_stats.is_scan_bg++;
1399 #if 0
1400 /* wakeup if we are sleeing */
1401 ieee80211_set_pwrsave(vap, 0);
1402 #endif
1403 ieee80211_bg_scan(vap, 0);
1404 }
1405 return;
1406 }
1407 /*
1408 * If scanning, just pass information to the scan module.
1409 */
1410 if (ic->ic_flags & IEEE80211_F_SCAN) {
1411 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) {
1412 /*
1413 * Actively scanning a channel marked passive;
1414 * send a probe request now that we know there
1415 * is 802.11 traffic present.
1416 *
1417 * XXX check if the beacon we recv'd gives
1418 * us what we need and suppress the probe req
1419 */
1420 ieee80211_probe_curchan(vap, 1);
1421 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1422 }
1423 ieee80211_add_scan(vap, &scan, wh, subtype, rssi, nf);
1424 return;
1425 }
1426 break;
1427 }
1428
1429 case IEEE80211_FC0_SUBTYPE_AUTH: {
1430 uint16_t algo, seq, status;
1431 /*
1432 * auth frame format
1433 * [2] algorithm
1434 * [2] sequence
1435 * [2] status
1436 * [tlv*] challenge
1437 */
1438 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1439 algo = le16toh(*(uint16_t *)frm);
1440 seq = le16toh(*(uint16_t *)(frm + 2));
1441 status = le16toh(*(uint16_t *)(frm + 4));
1442 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1443 "recv auth frame with algorithm %d seq %d", algo, seq);
1444
1445 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1446 IEEE80211_DISCARD(vap,
1447 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1448 wh, "auth", "%s", "TKIP countermeasures enabled");
1449 vap->iv_stats.is_rx_auth_countermeasures++;
1450 if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
1451 ieee80211_send_error(ni, wh->i_addr2,
1452 IEEE80211_FC0_SUBTYPE_AUTH,
1453 IEEE80211_REASON_MIC_FAILURE);
1454 }
1455 return;
1456 }
1457 if (algo == IEEE80211_AUTH_ALG_SHARED)
1458 sta_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
1459 seq, status);
1460 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1461 sta_auth_open(ni, wh, rssi, nf, seq, status);
1462 else {
1463 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1464 wh, "auth", "unsupported alg %d", algo);
1465 vap->iv_stats.is_rx_auth_unsupported++;
1466 return;
1467 }
1468 break;
1469 }
1470
1471 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
1472 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: {
1473 uint16_t capinfo, associd;
1474 uint16_t status;
1475
1476 if (vap->iv_state != IEEE80211_S_ASSOC) {
1477 vap->iv_stats.is_rx_mgtdiscard++;
1478 return;
1479 }
1480
1481 /*
1482 * asresp frame format
1483 * [2] capability information
1484 * [2] status
1485 * [2] association ID
1486 * [tlv] supported rates
1487 * [tlv] extended supported rates
1488 * [tlv] WME
1489 * [tlv] HT capabilities
1490 * [tlv] HT info
1491 */
1492 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1493 ni = vap->iv_bss;
1494 capinfo = le16toh(*(uint16_t *)frm);
1495 frm += 2;
1496 status = le16toh(*(uint16_t *)frm);
1497 frm += 2;
1498 if (status != 0) {
1499 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1500 wh->i_addr2, "%sassoc failed (reason %d)",
1501 ISREASSOC(subtype) ? "re" : "", status);
1502 vap->iv_stats.is_rx_auth_fail++; /* XXX */
1503 return;
1504 }
1505 associd = le16toh(*(uint16_t *)frm);
1506 frm += 2;
1507
1508 rates = xrates = wme = htcap = htinfo = NULL;
1509 while (efrm - frm > 1) {
1510 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1511 switch (*frm) {
1512 case IEEE80211_ELEMID_RATES:
1513 rates = frm;
1514 break;
1515 case IEEE80211_ELEMID_XRATES:
1516 xrates = frm;
1517 break;
1518 case IEEE80211_ELEMID_HTCAP:
1519 htcap = frm;
1520 break;
1521 case IEEE80211_ELEMID_HTINFO:
1522 htinfo = frm;
1523 break;
1524 case IEEE80211_ELEMID_VENDOR:
1525 if (iswmeoui(frm))
1526 wme = frm;
1527 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
1528 /*
1529 * Accept pre-draft HT ie's if the
1530 * standard ones have not been seen.
1531 */
1532 if (ishtcapoui(frm)) {
1533 if (htcap == NULL)
1534 htcap = frm;
1535 } else if (ishtinfooui(frm)) {
1536 if (htinfo == NULL)
1537 htcap = frm;
1538 }
1539 }
1540 /* XXX Atheros OUI support */
1541 break;
1542 }
1543 frm += frm[1] + 2;
1544 }
1545
1546 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1547 if (xrates != NULL)
1548 IEEE80211_VERIFY_ELEMENT(xrates,
1549 IEEE80211_RATE_MAXSIZE - rates[1], return);
1550 rate = ieee80211_setup_rates(ni, rates, xrates,
1551 IEEE80211_F_JOIN |
1552 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
1553 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
1554 if (rate & IEEE80211_RATE_BASIC) {
1555 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1556 wh->i_addr2,
1557 "%sassoc failed (rate set mismatch)",
1558 ISREASSOC(subtype) ? "re" : "");
1559 vap->iv_stats.is_rx_assoc_norate++;
1560 ieee80211_new_state(vap, IEEE80211_S_SCAN,
1561 IEEE80211_SCAN_FAIL_STATUS);
1562 return;
1563 }
1564
1565 ni->ni_capinfo = capinfo;
1566 ni->ni_associd = associd;
1567 if (ni->ni_jointime == 0)
1568 ni->ni_jointime = time_second;
1569 if (wme != NULL &&
1570 ieee80211_parse_wmeparams(vap, wme, wh) >= 0) {
1571 ni->ni_flags |= IEEE80211_NODE_QOS;
1572 ieee80211_wme_updateparams(vap);
1573 } else
1574 ni->ni_flags &= ~IEEE80211_NODE_QOS;
1575 /*
1576 * Setup HT state according to the negotiation.
1577 *
1578 * NB: shouldn't need to check if HT use is enabled but some
1579 * ap's send back HT ie's even when we don't indicate we
1580 * are HT capable in our AssocReq.
1581 */
1582 if (htcap != NULL && htinfo != NULL &&
1583 (vap->iv_flags_ht & IEEE80211_FHT_HT)) {
1584 ieee80211_ht_node_init(ni);
1585 ieee80211_ht_updateparams(ni, htcap, htinfo);
1586 ieee80211_setup_htrates(ni, htcap,
1587 IEEE80211_F_JOIN | IEEE80211_F_DOBRS);
1588 ieee80211_setup_basic_htrates(ni, htinfo);
1589 ieee80211_node_setuptxparms(ni);
1590 } else {
1591 #ifdef IEEE80211_SUPPORT_SUPERG
1592 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_ATH))
1593 ieee80211_ff_node_init(ni);
1594 #endif
1595 }
1596 /*
1597 * Configure state now that we are associated.
1598 *
1599 * XXX may need different/additional driver callbacks?
1600 */
1601 if (IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
1602 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) {
1603 ic->ic_flags |= IEEE80211_F_SHPREAMBLE;
1604 ic->ic_flags &= ~IEEE80211_F_USEBARKER;
1605 } else {
1606 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE;
1607 ic->ic_flags |= IEEE80211_F_USEBARKER;
1608 }
1609 ieee80211_set_shortslottime(ic,
1610 IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
1611 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
1612 /*
1613 * Honor ERP protection.
1614 *
1615 * NB: ni_erp should zero for non-11g operation.
1616 */
1617 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1618 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
1619 ic->ic_flags |= IEEE80211_F_USEPROT;
1620 else
1621 ic->ic_flags &= ~IEEE80211_F_USEPROT;
1622 IEEE80211_NOTE_MAC(vap,
1623 IEEE80211_MSG_ASSOC | IEEE80211_MSG_DEBUG, wh->i_addr2,
1624 "%sassoc success at aid %d: %s preamble, %s slot time%s%s%s%s%s%s%s%s",
1625 ISREASSOC(subtype) ? "re" : "",
1626 IEEE80211_NODE_AID(ni),
1627 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long",
1628 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long",
1629 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "",
1630 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "",
1631 ni->ni_flags & IEEE80211_NODE_HT ?
1632 (ni->ni_chw == 40 ? ", HT40" : ", HT20") : "",
1633 ni->ni_flags & IEEE80211_NODE_AMPDU ? " (+AMPDU)" : "",
1634 ni->ni_flags & IEEE80211_NODE_MIMO_RTS ? " (+SMPS-DYN)" :
1635 ni->ni_flags & IEEE80211_NODE_MIMO_PS ? " (+SMPS)" : "",
1636 ni->ni_flags & IEEE80211_NODE_RIFS ? " (+RIFS)" : "",
1637 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF) ?
1638 ", fast-frames" : "",
1639 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_TURBOP) ?
1640 ", turbo" : ""
1641 );
1642 ieee80211_new_state(vap, IEEE80211_S_RUN, subtype);
1643 break;
1644 }
1645
1646 case IEEE80211_FC0_SUBTYPE_DEAUTH: {
1647 uint16_t reason;
1648
1649 if (vap->iv_state == IEEE80211_S_SCAN) {
1650 vap->iv_stats.is_rx_mgtdiscard++;
1651 return;
1652 }
1653 if (!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
1654 /* NB: can happen when in promiscuous mode */
1655 vap->iv_stats.is_rx_mgtdiscard++;
1656 break;
1657 }
1658
1659 /*
1660 * deauth frame format
1661 * [2] reason
1662 */
1663 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
1664 reason = le16toh(*(uint16_t *)frm);
1665
1666 vap->iv_stats.is_rx_deauth++;
1667 vap->iv_stats.is_rx_deauth_code = reason;
1668 IEEE80211_NODE_STAT(ni, rx_deauth);
1669
1670 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
1671 "recv deauthenticate (reason %d)", reason);
1672 ieee80211_new_state(vap, IEEE80211_S_AUTH,
1673 (reason << 8) | IEEE80211_FC0_SUBTYPE_DEAUTH);
1674 break;
1675 }
1676
1677 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
1678 uint16_t reason;
1679
1680 if (vap->iv_state != IEEE80211_S_RUN &&
1681 vap->iv_state != IEEE80211_S_ASSOC &&
1682 vap->iv_state != IEEE80211_S_AUTH) {
1683 vap->iv_stats.is_rx_mgtdiscard++;
1684 return;
1685 }
1686 if (!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
1687 /* NB: can happen when in promiscuous mode */
1688 vap->iv_stats.is_rx_mgtdiscard++;
1689 break;
1690 }
1691
1692 /*
1693 * disassoc frame format
1694 * [2] reason
1695 */
1696 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
1697 reason = le16toh(*(uint16_t *)frm);
1698
1699 vap->iv_stats.is_rx_disassoc++;
1700 vap->iv_stats.is_rx_disassoc_code = reason;
1701 IEEE80211_NODE_STAT(ni, rx_disassoc);
1702
1703 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1704 "recv disassociate (reason %d)", reason);
1705 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
1706 break;
1707 }
1708
1709 case IEEE80211_FC0_SUBTYPE_ACTION:
1710 if (vap->iv_state == IEEE80211_S_RUN) {
1711 if (ieee80211_parse_action(ni, m0) == 0)
1712 ic->ic_recv_action(ni, wh, frm, efrm);
1713 } else
1714 vap->iv_stats.is_rx_mgtdiscard++;
1715 break;
1716
1717 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1718 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1719 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
1720 vap->iv_stats.is_rx_mgtdiscard++;
1721 return;
1722 default:
1723 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1724 wh, "mgt", "subtype 0x%x not handled", subtype);
1725 vap->iv_stats.is_rx_badsubtype++;
1726 break;
1727 }
1728 #undef ISREASSOC
1729 #undef ISPROBE
1730 }
1731
1732 static void
1733 sta_recv_ctl(struct ieee80211_node *ni, struct mbuf *m0, int subtype)
1734 {
1735 }
DragonFly BSD