1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright 2002-2005, Instant802 Networks, Inc.
4 * Copyright 2005-2006, Devicescape Software, Inc.
5 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz>
6 * Copyright 2007 Johannes Berg <johannes@sipsolutions.net>
7 * Copyright 2013-2014 Intel Mobile Communications GmbH
8 * Copyright (C) 2015-2017 Intel Deutschland GmbH
9 * Copyright (C) 2018-2024 Intel Corporation
10 *
11 * element parsing for mac80211
12 */
13
14 #include <net/mac80211.h>
15 #include <linux/netdevice.h>
16 #include <linux/export.h>
17 #include <linux/types.h>
18 #include <linux/slab.h>
19 #include <linux/skbuff.h>
20 #include <linux/etherdevice.h>
21 #include <linux/if_arp.h>
22 #include <linux/bitmap.h>
23 #include <linux/crc32.h>
24 #include <net/net_namespace.h>
25 #include <net/cfg80211.h>
26 #include <net/rtnetlink.h>
27 #include <kunit/visibility.h>
28
29 #include "ieee80211_i.h"
30 #include "driver-ops.h"
31 #include "rate.h"
32 #include "mesh.h"
33 #include "wme.h"
34 #include "led.h"
35 #include "wep.h"
36
37 struct ieee80211_elems_parse {
38 /* must be first for kfree to work */
39 struct ieee802_11_elems elems;
40
41 /* The basic Multi-Link element in the original elements */
42 const struct element *ml_basic_elem;
43
44 /* The reconfiguration Multi-Link element in the original elements */
45 const struct element *ml_reconf_elem;
46
47 /*
48 * scratch buffer that can be used for various element parsing related
49 * tasks, e.g., element de-fragmentation etc.
50 */
51 size_t scratch_len;
52 u8 *scratch_pos;
53 u8 scratch[] __counted_by(scratch_len);
54 };
55
56 static void
ieee80211_parse_extension_element(u32 * crc,const struct element * elem,struct ieee80211_elems_parse * elems_parse,struct ieee80211_elems_parse_params * params)57 ieee80211_parse_extension_element(u32 *crc,
58 const struct element *elem,
59 struct ieee80211_elems_parse *elems_parse,
60 struct ieee80211_elems_parse_params *params)
61 {
62 struct ieee802_11_elems *elems = &elems_parse->elems;
63 const void *data = elem->data + 1;
64 bool calc_crc = false;
65 u8 len;
66
67 if (!elem->datalen)
68 return;
69
70 len = elem->datalen - 1;
71
72 switch (elem->data[0]) {
73 case WLAN_EID_EXT_HE_MU_EDCA:
74 if (params->mode < IEEE80211_CONN_MODE_HE)
75 break;
76 calc_crc = true;
77 if (len >= sizeof(*elems->mu_edca_param_set))
78 elems->mu_edca_param_set = data;
79 break;
80 case WLAN_EID_EXT_HE_CAPABILITY:
81 if (params->mode < IEEE80211_CONN_MODE_HE)
82 break;
83 if (ieee80211_he_capa_size_ok(data, len)) {
84 elems->he_cap = data;
85 elems->he_cap_len = len;
86 }
87 break;
88 case WLAN_EID_EXT_HE_OPERATION:
89 if (params->mode < IEEE80211_CONN_MODE_HE)
90 break;
91 calc_crc = true;
92 if (len >= sizeof(*elems->he_operation) &&
93 len >= ieee80211_he_oper_size(data) - 1)
94 elems->he_operation = data;
95 break;
96 case WLAN_EID_EXT_UORA:
97 if (params->mode < IEEE80211_CONN_MODE_HE)
98 break;
99 if (len >= 1)
100 elems->uora_element = data;
101 break;
102 case WLAN_EID_EXT_MAX_CHANNEL_SWITCH_TIME:
103 if (len == 3)
104 elems->max_channel_switch_time = data;
105 break;
106 case WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION:
107 if (len >= sizeof(*elems->mbssid_config_ie))
108 elems->mbssid_config_ie = data;
109 break;
110 case WLAN_EID_EXT_HE_SPR:
111 if (params->mode < IEEE80211_CONN_MODE_HE)
112 break;
113 if (len >= sizeof(*elems->he_spr) &&
114 len >= ieee80211_he_spr_size(data) - 1)
115 elems->he_spr = data;
116 break;
117 case WLAN_EID_EXT_HE_6GHZ_CAPA:
118 if (params->mode < IEEE80211_CONN_MODE_HE)
119 break;
120 if (len >= sizeof(*elems->he_6ghz_capa))
121 elems->he_6ghz_capa = data;
122 break;
123 case WLAN_EID_EXT_EHT_CAPABILITY:
124 if (params->mode < IEEE80211_CONN_MODE_EHT)
125 break;
126 if (ieee80211_eht_capa_size_ok(elems->he_cap,
127 data, len,
128 params->from_ap)) {
129 elems->eht_cap = data;
130 elems->eht_cap_len = len;
131 }
132 break;
133 case WLAN_EID_EXT_EHT_OPERATION:
134 if (params->mode < IEEE80211_CONN_MODE_EHT)
135 break;
136 if (ieee80211_eht_oper_size_ok(data, len))
137 elems->eht_operation = data;
138 calc_crc = true;
139 break;
140 case WLAN_EID_EXT_EHT_MULTI_LINK:
141 if (params->mode < IEEE80211_CONN_MODE_EHT)
142 break;
143 calc_crc = true;
144
145 if (ieee80211_mle_size_ok(data, len)) {
146 const struct ieee80211_multi_link_elem *mle =
147 (void *)data;
148
149 switch (le16_get_bits(mle->control,
150 IEEE80211_ML_CONTROL_TYPE)) {
151 case IEEE80211_ML_CONTROL_TYPE_BASIC:
152 if (elems_parse->ml_basic_elem) {
153 elems->parse_error |=
154 IEEE80211_PARSE_ERR_DUP_NEST_ML_BASIC;
155 break;
156 }
157 elems_parse->ml_basic_elem = elem;
158 break;
159 case IEEE80211_ML_CONTROL_TYPE_RECONF:
160 elems_parse->ml_reconf_elem = elem;
161 break;
162 default:
163 break;
164 }
165 }
166 break;
167 case WLAN_EID_EXT_BANDWIDTH_INDICATION:
168 if (params->mode < IEEE80211_CONN_MODE_EHT)
169 break;
170 if (ieee80211_bandwidth_indication_size_ok(data, len))
171 elems->bandwidth_indication = data;
172 calc_crc = true;
173 break;
174 case WLAN_EID_EXT_TID_TO_LINK_MAPPING:
175 if (params->mode < IEEE80211_CONN_MODE_EHT)
176 break;
177 calc_crc = true;
178 if (ieee80211_tid_to_link_map_size_ok(data, len) &&
179 elems->ttlm_num < ARRAY_SIZE(elems->ttlm)) {
180 elems->ttlm[elems->ttlm_num] = (void *)data;
181 elems->ttlm_num++;
182 }
183 break;
184 }
185
186 if (crc && calc_crc)
187 *crc = crc32_be(*crc, (void *)elem, elem->datalen + 2);
188 }
189
ieee80211_parse_tpe(struct ieee80211_parsed_tpe * tpe,const u8 * data,u8 len)190 static void ieee80211_parse_tpe(struct ieee80211_parsed_tpe *tpe,
191 const u8 *data, u8 len)
192 {
193 const struct ieee80211_tx_pwr_env *env = (const void *)data;
194 u8 count, interpret, category;
195 u8 *out, N, *cnt_out = NULL, *N_out = NULL;
196
197 if (!ieee80211_valid_tpe_element(data, len))
198 return;
199
200 count = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_COUNT);
201 interpret = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_INTERPRET);
202 category = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_CATEGORY);
203
204 switch (interpret) {
205 case IEEE80211_TPE_LOCAL_EIRP:
206 out = tpe->max_local[category].power;
207 cnt_out = &tpe->max_local[category].count;
208 tpe->max_local[category].valid = true;
209 break;
210 case IEEE80211_TPE_REG_CLIENT_EIRP:
211 out = tpe->max_reg_client[category].power;
212 cnt_out = &tpe->max_reg_client[category].count;
213 tpe->max_reg_client[category].valid = true;
214 break;
215 case IEEE80211_TPE_LOCAL_EIRP_PSD:
216 out = tpe->psd_local[category].power;
217 cnt_out = &tpe->psd_local[category].count;
218 N_out = &tpe->psd_local[category].n;
219 tpe->psd_local[category].valid = true;
220 break;
221 case IEEE80211_TPE_REG_CLIENT_EIRP_PSD:
222 out = tpe->psd_reg_client[category].power;
223 cnt_out = &tpe->psd_reg_client[category].count;
224 N_out = &tpe->psd_reg_client[category].n;
225 tpe->psd_reg_client[category].valid = true;
226 break;
227 }
228
229 switch (interpret) {
230 case IEEE80211_TPE_LOCAL_EIRP:
231 case IEEE80211_TPE_REG_CLIENT_EIRP:
232 /* count was validated <= 3, plus 320 MHz */
233 BUILD_BUG_ON(IEEE80211_TPE_EIRP_ENTRIES_320MHZ < 5);
234 memcpy(out, env->variable, count + 1);
235 *cnt_out = count + 1;
236 /* separately take 320 MHz if present */
237 if (count == 3 && len > sizeof(*env) + count + 1) {
238 out[4] = env->variable[4];
239 *cnt_out = 5;
240 }
241 break;
242 case IEEE80211_TPE_LOCAL_EIRP_PSD:
243 case IEEE80211_TPE_REG_CLIENT_EIRP_PSD:
244 if (!count) {
245 memset(out, env->variable[0],
246 IEEE80211_TPE_PSD_ENTRIES_320MHZ);
247 *cnt_out = IEEE80211_TPE_PSD_ENTRIES_320MHZ;
248 break;
249 }
250
251 N = 1 << (count - 1);
252 memcpy(out, env->variable, N);
253 *cnt_out = N;
254 *N_out = N;
255
256 if (len > sizeof(*env) + N) {
257 int K = u8_get_bits(env->variable[N],
258 IEEE80211_TX_PWR_ENV_EXT_COUNT);
259
260 K = min(K, IEEE80211_TPE_PSD_ENTRIES_320MHZ - N);
261 memcpy(out + N, env->variable + N + 1, K);
262 (*cnt_out) += K;
263 }
264 break;
265 }
266 }
267
268 static u32
_ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params * params,struct ieee80211_elems_parse * elems_parse,const struct element * check_inherit)269 _ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params,
270 struct ieee80211_elems_parse *elems_parse,
271 const struct element *check_inherit)
272 {
273 struct ieee802_11_elems *elems = &elems_parse->elems;
274 const struct element *elem;
275 bool calc_crc = params->filter != 0;
276 DECLARE_BITMAP(seen_elems, 256);
277 u32 crc = params->crc;
278
279 bitmap_zero(seen_elems, 256);
280
281 for_each_element(elem, params->start, params->len) {
282 const struct element *subelem;
283 u8 elem_parse_failed;
284 u8 id = elem->id;
285 u8 elen = elem->datalen;
286 const u8 *pos = elem->data;
287
288 if (check_inherit &&
289 !cfg80211_is_element_inherited(elem,
290 check_inherit))
291 continue;
292
293 switch (id) {
294 case WLAN_EID_SSID:
295 case WLAN_EID_SUPP_RATES:
296 case WLAN_EID_FH_PARAMS:
297 case WLAN_EID_DS_PARAMS:
298 case WLAN_EID_CF_PARAMS:
299 case WLAN_EID_TIM:
300 case WLAN_EID_IBSS_PARAMS:
301 case WLAN_EID_CHALLENGE:
302 case WLAN_EID_RSN:
303 case WLAN_EID_ERP_INFO:
304 case WLAN_EID_EXT_SUPP_RATES:
305 case WLAN_EID_HT_CAPABILITY:
306 case WLAN_EID_HT_OPERATION:
307 case WLAN_EID_VHT_CAPABILITY:
308 case WLAN_EID_VHT_OPERATION:
309 case WLAN_EID_MESH_ID:
310 case WLAN_EID_MESH_CONFIG:
311 case WLAN_EID_PEER_MGMT:
312 case WLAN_EID_PREQ:
313 case WLAN_EID_PREP:
314 case WLAN_EID_PERR:
315 case WLAN_EID_RANN:
316 case WLAN_EID_CHANNEL_SWITCH:
317 case WLAN_EID_EXT_CHANSWITCH_ANN:
318 case WLAN_EID_COUNTRY:
319 case WLAN_EID_PWR_CONSTRAINT:
320 case WLAN_EID_TIMEOUT_INTERVAL:
321 case WLAN_EID_SECONDARY_CHANNEL_OFFSET:
322 case WLAN_EID_WIDE_BW_CHANNEL_SWITCH:
323 case WLAN_EID_CHAN_SWITCH_PARAM:
324 case WLAN_EID_EXT_CAPABILITY:
325 case WLAN_EID_CHAN_SWITCH_TIMING:
326 case WLAN_EID_LINK_ID:
327 case WLAN_EID_BSS_MAX_IDLE_PERIOD:
328 case WLAN_EID_RSNX:
329 case WLAN_EID_S1G_BCN_COMPAT:
330 case WLAN_EID_S1G_CAPABILITIES:
331 case WLAN_EID_S1G_OPERATION:
332 case WLAN_EID_AID_RESPONSE:
333 case WLAN_EID_S1G_SHORT_BCN_INTERVAL:
334 /*
335 * not listing WLAN_EID_CHANNEL_SWITCH_WRAPPER -- it seems possible
336 * that if the content gets bigger it might be needed more than once
337 */
338 if (test_bit(id, seen_elems)) {
339 elems->parse_error |=
340 IEEE80211_PARSE_ERR_DUP_ELEM;
341 continue;
342 }
343 break;
344 }
345
346 if (calc_crc && id < 64 && (params->filter & (1ULL << id)))
347 crc = crc32_be(crc, pos - 2, elen + 2);
348
349 elem_parse_failed = 0;
350
351 switch (id) {
352 case WLAN_EID_LINK_ID:
353 if (elen + 2 < sizeof(struct ieee80211_tdls_lnkie)) {
354 elem_parse_failed =
355 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
356 break;
357 }
358 elems->lnk_id = (void *)(pos - 2);
359 break;
360 case WLAN_EID_CHAN_SWITCH_TIMING:
361 if (elen < sizeof(struct ieee80211_ch_switch_timing)) {
362 elem_parse_failed =
363 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
364 break;
365 }
366 elems->ch_sw_timing = (void *)pos;
367 break;
368 case WLAN_EID_EXT_CAPABILITY:
369 elems->ext_capab = pos;
370 elems->ext_capab_len = elen;
371 break;
372 case WLAN_EID_SSID:
373 elems->ssid = pos;
374 elems->ssid_len = elen;
375 break;
376 case WLAN_EID_SUPP_RATES:
377 elems->supp_rates = pos;
378 elems->supp_rates_len = elen;
379 break;
380 case WLAN_EID_DS_PARAMS:
381 if (elen >= 1)
382 elems->ds_params = pos;
383 else
384 elem_parse_failed =
385 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
386 break;
387 case WLAN_EID_TIM:
388 if (elen >= sizeof(struct ieee80211_tim_ie)) {
389 elems->tim = (void *)pos;
390 elems->tim_len = elen;
391 } else
392 elem_parse_failed =
393 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
394 break;
395 case WLAN_EID_VENDOR_SPECIFIC:
396 if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 &&
397 pos[2] == 0xf2) {
398 /* Microsoft OUI (00:50:F2) */
399
400 if (calc_crc)
401 crc = crc32_be(crc, pos - 2, elen + 2);
402
403 if (elen >= 5 && pos[3] == 2) {
404 /* OUI Type 2 - WMM IE */
405 if (pos[4] == 0) {
406 elems->wmm_info = pos;
407 elems->wmm_info_len = elen;
408 } else if (pos[4] == 1) {
409 elems->wmm_param = pos;
410 elems->wmm_param_len = elen;
411 }
412 }
413 }
414 break;
415 case WLAN_EID_RSN:
416 elems->rsn = pos;
417 elems->rsn_len = elen;
418 break;
419 case WLAN_EID_ERP_INFO:
420 if (elen >= 1)
421 elems->erp_info = pos;
422 else
423 elem_parse_failed =
424 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
425 break;
426 case WLAN_EID_EXT_SUPP_RATES:
427 elems->ext_supp_rates = pos;
428 elems->ext_supp_rates_len = elen;
429 break;
430 case WLAN_EID_HT_CAPABILITY:
431 if (params->mode < IEEE80211_CONN_MODE_HT)
432 break;
433 if (elen >= sizeof(struct ieee80211_ht_cap))
434 elems->ht_cap_elem = (void *)pos;
435 else
436 elem_parse_failed =
437 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
438 break;
439 case WLAN_EID_HT_OPERATION:
440 if (params->mode < IEEE80211_CONN_MODE_HT)
441 break;
442 if (elen >= sizeof(struct ieee80211_ht_operation))
443 elems->ht_operation = (void *)pos;
444 else
445 elem_parse_failed =
446 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
447 break;
448 case WLAN_EID_VHT_CAPABILITY:
449 if (params->mode < IEEE80211_CONN_MODE_VHT)
450 break;
451 if (elen >= sizeof(struct ieee80211_vht_cap))
452 elems->vht_cap_elem = (void *)pos;
453 else
454 elem_parse_failed =
455 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
456 break;
457 case WLAN_EID_VHT_OPERATION:
458 if (params->mode < IEEE80211_CONN_MODE_VHT)
459 break;
460 if (elen >= sizeof(struct ieee80211_vht_operation)) {
461 elems->vht_operation = (void *)pos;
462 if (calc_crc)
463 crc = crc32_be(crc, pos - 2, elen + 2);
464 break;
465 }
466 elem_parse_failed =
467 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
468 break;
469 case WLAN_EID_OPMODE_NOTIF:
470 if (params->mode < IEEE80211_CONN_MODE_VHT)
471 break;
472 if (elen > 0) {
473 elems->opmode_notif = pos;
474 if (calc_crc)
475 crc = crc32_be(crc, pos - 2, elen + 2);
476 break;
477 }
478 elem_parse_failed =
479 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
480 break;
481 case WLAN_EID_MESH_ID:
482 elems->mesh_id = pos;
483 elems->mesh_id_len = elen;
484 break;
485 case WLAN_EID_MESH_CONFIG:
486 if (elen >= sizeof(struct ieee80211_meshconf_ie))
487 elems->mesh_config = (void *)pos;
488 else
489 elem_parse_failed =
490 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
491 break;
492 case WLAN_EID_PEER_MGMT:
493 elems->peering = pos;
494 elems->peering_len = elen;
495 break;
496 case WLAN_EID_MESH_AWAKE_WINDOW:
497 if (elen >= 2)
498 elems->awake_window = (void *)pos;
499 break;
500 case WLAN_EID_PREQ:
501 elems->preq = pos;
502 elems->preq_len = elen;
503 break;
504 case WLAN_EID_PREP:
505 elems->prep = pos;
506 elems->prep_len = elen;
507 break;
508 case WLAN_EID_PERR:
509 elems->perr = pos;
510 elems->perr_len = elen;
511 break;
512 case WLAN_EID_RANN:
513 if (elen >= sizeof(struct ieee80211_rann_ie))
514 elems->rann = (void *)pos;
515 else
516 elem_parse_failed =
517 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
518 break;
519 case WLAN_EID_CHANNEL_SWITCH:
520 if (elen != sizeof(struct ieee80211_channel_sw_ie)) {
521 elem_parse_failed =
522 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
523 break;
524 }
525 elems->ch_switch_ie = (void *)pos;
526 break;
527 case WLAN_EID_EXT_CHANSWITCH_ANN:
528 if (elen != sizeof(struct ieee80211_ext_chansw_ie)) {
529 elem_parse_failed =
530 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
531 break;
532 }
533 elems->ext_chansw_ie = (void *)pos;
534 break;
535 case WLAN_EID_SECONDARY_CHANNEL_OFFSET:
536 if (params->mode < IEEE80211_CONN_MODE_HT)
537 break;
538 if (elen != sizeof(struct ieee80211_sec_chan_offs_ie)) {
539 elem_parse_failed =
540 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
541 break;
542 }
543 elems->sec_chan_offs = (void *)pos;
544 break;
545 case WLAN_EID_CHAN_SWITCH_PARAM:
546 if (elen <
547 sizeof(*elems->mesh_chansw_params_ie)) {
548 elem_parse_failed =
549 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
550 break;
551 }
552 elems->mesh_chansw_params_ie = (void *)pos;
553 break;
554 case WLAN_EID_WIDE_BW_CHANNEL_SWITCH:
555 if (params->mode < IEEE80211_CONN_MODE_VHT)
556 break;
557
558 if (!params->action) {
559 elem_parse_failed =
560 IEEE80211_PARSE_ERR_UNEXPECTED_ELEM;
561 break;
562 }
563
564 if (elen < sizeof(*elems->wide_bw_chansw_ie)) {
565 elem_parse_failed =
566 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
567 break;
568 }
569 elems->wide_bw_chansw_ie = (void *)pos;
570 break;
571 case WLAN_EID_CHANNEL_SWITCH_WRAPPER:
572 if (params->mode < IEEE80211_CONN_MODE_VHT)
573 break;
574 if (params->action) {
575 elem_parse_failed =
576 IEEE80211_PARSE_ERR_UNEXPECTED_ELEM;
577 break;
578 }
579 /*
580 * This is a bit tricky, but as we only care about
581 * a few elements, parse them out manually.
582 */
583 subelem = cfg80211_find_elem(WLAN_EID_WIDE_BW_CHANNEL_SWITCH,
584 pos, elen);
585 if (subelem) {
586 if (subelem->datalen >= sizeof(*elems->wide_bw_chansw_ie))
587 elems->wide_bw_chansw_ie =
588 (void *)subelem->data;
589 else
590 elem_parse_failed =
591 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
592 }
593
594 if (params->mode < IEEE80211_CONN_MODE_EHT)
595 break;
596
597 subelem = cfg80211_find_ext_elem(WLAN_EID_EXT_BANDWIDTH_INDICATION,
598 pos, elen);
599 if (subelem) {
600 const void *edata = subelem->data + 1;
601 u8 edatalen = subelem->datalen - 1;
602
603 if (ieee80211_bandwidth_indication_size_ok(edata,
604 edatalen))
605 elems->bandwidth_indication = edata;
606 else
607 elem_parse_failed =
608 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
609 }
610
611 subelem = cfg80211_find_ext_elem(WLAN_EID_TX_POWER_ENVELOPE,
612 pos, elen);
613 if (subelem)
614 ieee80211_parse_tpe(&elems->csa_tpe,
615 subelem->data + 1,
616 subelem->datalen - 1);
617 break;
618 case WLAN_EID_COUNTRY:
619 elems->country_elem = pos;
620 elems->country_elem_len = elen;
621 break;
622 case WLAN_EID_PWR_CONSTRAINT:
623 if (elen != 1) {
624 elem_parse_failed =
625 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
626 break;
627 }
628 elems->pwr_constr_elem = pos;
629 break;
630 case WLAN_EID_CISCO_VENDOR_SPECIFIC:
631 /* Lots of different options exist, but we only care
632 * about the Dynamic Transmit Power Control element.
633 * First check for the Cisco OUI, then for the DTPC
634 * tag (0x00).
635 */
636 if (elen < 4) {
637 elem_parse_failed =
638 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
639 break;
640 }
641
642 if (pos[0] != 0x00 || pos[1] != 0x40 ||
643 pos[2] != 0x96 || pos[3] != 0x00)
644 break;
645
646 if (elen != 6) {
647 elem_parse_failed =
648 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
649 break;
650 }
651
652 if (calc_crc)
653 crc = crc32_be(crc, pos - 2, elen + 2);
654
655 elems->cisco_dtpc_elem = pos;
656 break;
657 case WLAN_EID_ADDBA_EXT:
658 if (elen < sizeof(struct ieee80211_addba_ext_ie)) {
659 elem_parse_failed =
660 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
661 break;
662 }
663 elems->addba_ext_ie = (void *)pos;
664 break;
665 case WLAN_EID_TIMEOUT_INTERVAL:
666 if (elen >= sizeof(struct ieee80211_timeout_interval_ie))
667 elems->timeout_int = (void *)pos;
668 else
669 elem_parse_failed =
670 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
671 break;
672 case WLAN_EID_BSS_MAX_IDLE_PERIOD:
673 if (elen >= sizeof(*elems->max_idle_period_ie))
674 elems->max_idle_period_ie = (void *)pos;
675 break;
676 case WLAN_EID_RSNX:
677 elems->rsnx = pos;
678 elems->rsnx_len = elen;
679 break;
680 case WLAN_EID_TX_POWER_ENVELOPE:
681 if (params->mode < IEEE80211_CONN_MODE_HE)
682 break;
683 ieee80211_parse_tpe(&elems->tpe, pos, elen);
684 break;
685 case WLAN_EID_EXTENSION:
686 ieee80211_parse_extension_element(calc_crc ?
687 &crc : NULL,
688 elem, elems_parse,
689 params);
690 break;
691 case WLAN_EID_S1G_CAPABILITIES:
692 if (params->mode != IEEE80211_CONN_MODE_S1G)
693 break;
694 if (elen >= sizeof(*elems->s1g_capab))
695 elems->s1g_capab = (void *)pos;
696 else
697 elem_parse_failed =
698 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
699 break;
700 case WLAN_EID_S1G_OPERATION:
701 if (params->mode != IEEE80211_CONN_MODE_S1G)
702 break;
703 if (elen == sizeof(*elems->s1g_oper))
704 elems->s1g_oper = (void *)pos;
705 else
706 elem_parse_failed =
707 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
708 break;
709 case WLAN_EID_S1G_BCN_COMPAT:
710 if (params->mode != IEEE80211_CONN_MODE_S1G)
711 break;
712 if (elen == sizeof(*elems->s1g_bcn_compat))
713 elems->s1g_bcn_compat = (void *)pos;
714 else
715 elem_parse_failed =
716 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
717 break;
718 case WLAN_EID_AID_RESPONSE:
719 if (params->mode != IEEE80211_CONN_MODE_S1G)
720 break;
721 if (elen == sizeof(struct ieee80211_aid_response_ie))
722 elems->aid_resp = (void *)pos;
723 else
724 elem_parse_failed =
725 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
726 break;
727 default:
728 break;
729 }
730
731 if (elem_parse_failed)
732 elems->parse_error |= elem_parse_failed;
733 else
734 __set_bit(id, seen_elems);
735 }
736
737 if (!for_each_element_completed(elem, params->start, params->len))
738 elems->parse_error |= IEEE80211_PARSE_ERR_INVALID_END;
739
740 return crc;
741 }
742
ieee802_11_find_bssid_profile(const u8 * start,size_t len,struct ieee802_11_elems * elems,struct cfg80211_bss * bss,u8 * nontransmitted_profile)743 static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
744 struct ieee802_11_elems *elems,
745 struct cfg80211_bss *bss,
746 u8 *nontransmitted_profile)
747 {
748 const struct element *elem, *sub;
749 size_t profile_len = 0;
750 bool found = false;
751
752 if (!bss || !bss->transmitted_bss)
753 return profile_len;
754
755 for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
756 if (elem->datalen < 2)
757 continue;
758 if (elem->data[0] < 1 || elem->data[0] > 8)
759 continue;
760
761 for_each_element(sub, elem->data + 1, elem->datalen - 1) {
762 u8 new_bssid[ETH_ALEN];
763 const u8 *index;
764
765 if (sub->id != 0 || sub->datalen < 4) {
766 /* not a valid BSS profile */
767 continue;
768 }
769
770 if (sub->data[0] != WLAN_EID_NON_TX_BSSID_CAP ||
771 sub->data[1] != 2) {
772 /* The first element of the
773 * Nontransmitted BSSID Profile is not
774 * the Nontransmitted BSSID Capability
775 * element.
776 */
777 continue;
778 }
779
780 memset(nontransmitted_profile, 0, len);
781 profile_len = cfg80211_merge_profile(start, len,
782 elem,
783 sub,
784 nontransmitted_profile,
785 len);
786
787 /* found a Nontransmitted BSSID Profile */
788 index = cfg80211_find_ie(WLAN_EID_MULTI_BSSID_IDX,
789 nontransmitted_profile,
790 profile_len);
791 if (!index || index[1] < 1 || index[2] == 0) {
792 /* Invalid MBSSID Index element */
793 continue;
794 }
795
796 cfg80211_gen_new_bssid(bss->transmitted_bss->bssid,
797 elem->data[0],
798 index[2],
799 new_bssid);
800 if (ether_addr_equal(new_bssid, bss->bssid)) {
801 found = true;
802 elems->bssid_index_len = index[1];
803 elems->bssid_index = (void *)&index[2];
804 break;
805 }
806 }
807 }
808
809 return found ? profile_len : 0;
810 }
811
812 static void
ieee80211_mle_get_sta_prof(struct ieee80211_elems_parse * elems_parse,u8 link_id)813 ieee80211_mle_get_sta_prof(struct ieee80211_elems_parse *elems_parse,
814 u8 link_id)
815 {
816 struct ieee802_11_elems *elems = &elems_parse->elems;
817 const struct ieee80211_multi_link_elem *ml = elems->ml_basic;
818 ssize_t ml_len = elems->ml_basic_len;
819 const struct element *sub;
820
821 for_each_mle_subelement(sub, (u8 *)ml, ml_len) {
822 struct ieee80211_mle_per_sta_profile *prof = (void *)sub->data;
823 ssize_t sta_prof_len;
824 u16 control;
825
826 if (sub->id != IEEE80211_MLE_SUBELEM_PER_STA_PROFILE)
827 continue;
828
829 if (!ieee80211_mle_basic_sta_prof_size_ok(sub->data,
830 sub->datalen))
831 return;
832
833 control = le16_to_cpu(prof->control);
834
835 if (link_id != u16_get_bits(control,
836 IEEE80211_MLE_STA_CONTROL_LINK_ID))
837 continue;
838
839 if (!(control & IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE))
840 return;
841
842 /* the sub element can be fragmented */
843 sta_prof_len =
844 cfg80211_defragment_element(sub,
845 (u8 *)ml, ml_len,
846 elems_parse->scratch_pos,
847 elems_parse->scratch +
848 elems_parse->scratch_len -
849 elems_parse->scratch_pos,
850 IEEE80211_MLE_SUBELEM_FRAGMENT);
851
852 if (sta_prof_len < 0)
853 return;
854
855 elems->prof = (void *)elems_parse->scratch_pos;
856 elems->sta_prof_len = sta_prof_len;
857 elems_parse->scratch_pos += sta_prof_len;
858
859 return;
860 }
861 }
862
ieee80211_mle_parse_link(struct ieee80211_elems_parse * elems_parse,struct ieee80211_elems_parse_params * params)863 static void ieee80211_mle_parse_link(struct ieee80211_elems_parse *elems_parse,
864 struct ieee80211_elems_parse_params *params)
865 {
866 struct ieee802_11_elems *elems = &elems_parse->elems;
867 struct ieee80211_mle_per_sta_profile *prof;
868 struct ieee80211_elems_parse_params sub = {
869 .mode = params->mode,
870 .action = params->action,
871 .from_ap = params->from_ap,
872 .link_id = -1,
873 };
874 ssize_t ml_len = elems->ml_basic_len;
875 const struct element *non_inherit = NULL;
876 const u8 *end;
877
878 ml_len = cfg80211_defragment_element(elems_parse->ml_basic_elem,
879 elems->ie_start,
880 elems->total_len,
881 elems_parse->scratch_pos,
882 elems_parse->scratch +
883 elems_parse->scratch_len -
884 elems_parse->scratch_pos,
885 WLAN_EID_FRAGMENT);
886
887 if (ml_len < 0)
888 return;
889
890 elems->ml_basic = (const void *)elems_parse->scratch_pos;
891 elems->ml_basic_len = ml_len;
892 elems_parse->scratch_pos += ml_len;
893
894 if (params->link_id == -1)
895 return;
896
897 ieee80211_mle_get_sta_prof(elems_parse, params->link_id);
898 prof = elems->prof;
899
900 if (!prof)
901 return;
902
903 /* check if we have the 4 bytes for the fixed part in assoc response */
904 if (elems->sta_prof_len < sizeof(*prof) + prof->sta_info_len - 1 + 4) {
905 elems->prof = NULL;
906 elems->sta_prof_len = 0;
907 return;
908 }
909
910 /*
911 * Skip the capability information and the status code that are expected
912 * as part of the station profile in association response frames. Note
913 * the -1 is because the 'sta_info_len' is accounted to as part of the
914 * per-STA profile, but not part of the 'u8 variable[]' portion.
915 */
916 sub.start = prof->variable + prof->sta_info_len - 1 + 4;
917 end = (const u8 *)prof + elems->sta_prof_len;
918 sub.len = end - sub.start;
919
920 non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
921 sub.start, sub.len);
922 _ieee802_11_parse_elems_full(&sub, elems_parse, non_inherit);
923 }
924
925 static void
ieee80211_mle_defrag_reconf(struct ieee80211_elems_parse * elems_parse)926 ieee80211_mle_defrag_reconf(struct ieee80211_elems_parse *elems_parse)
927 {
928 struct ieee802_11_elems *elems = &elems_parse->elems;
929 ssize_t ml_len;
930
931 ml_len = cfg80211_defragment_element(elems_parse->ml_reconf_elem,
932 elems->ie_start,
933 elems->total_len,
934 elems_parse->scratch_pos,
935 elems_parse->scratch +
936 elems_parse->scratch_len -
937 elems_parse->scratch_pos,
938 WLAN_EID_FRAGMENT);
939 if (ml_len < 0)
940 return;
941 elems->ml_reconf = (void *)elems_parse->scratch_pos;
942 elems->ml_reconf_len = ml_len;
943 elems_parse->scratch_pos += ml_len;
944 }
945
946 struct ieee802_11_elems *
ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params * params)947 ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params)
948 {
949 struct ieee80211_elems_parse *elems_parse;
950 struct ieee802_11_elems *elems;
951 const struct element *non_inherit = NULL;
952 u8 *nontransmitted_profile;
953 int nontransmitted_profile_len = 0;
954 size_t scratch_len = 3 * params->len;
955
956 BUILD_BUG_ON(offsetof(typeof(*elems_parse), elems) != 0);
957
958 elems_parse = kzalloc(struct_size(elems_parse, scratch, scratch_len),
959 GFP_ATOMIC);
960 if (!elems_parse)
961 return NULL;
962
963 elems_parse->scratch_len = scratch_len;
964 elems_parse->scratch_pos = elems_parse->scratch;
965
966 elems = &elems_parse->elems;
967 elems->ie_start = params->start;
968 elems->total_len = params->len;
969
970 /* set all TPE entries to unlimited (but invalid) */
971 ieee80211_clear_tpe(&elems->tpe);
972 ieee80211_clear_tpe(&elems->csa_tpe);
973
974 nontransmitted_profile = elems_parse->scratch_pos;
975 nontransmitted_profile_len =
976 ieee802_11_find_bssid_profile(params->start, params->len,
977 elems, params->bss,
978 nontransmitted_profile);
979 elems_parse->scratch_pos += nontransmitted_profile_len;
980 non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
981 nontransmitted_profile,
982 nontransmitted_profile_len);
983
984 elems->crc = _ieee802_11_parse_elems_full(params, elems_parse,
985 non_inherit);
986
987 /* Override with nontransmitted profile, if found */
988 if (nontransmitted_profile_len) {
989 struct ieee80211_elems_parse_params sub = {
990 .mode = params->mode,
991 .start = nontransmitted_profile,
992 .len = nontransmitted_profile_len,
993 .action = params->action,
994 .link_id = params->link_id,
995 };
996
997 _ieee802_11_parse_elems_full(&sub, elems_parse, NULL);
998 }
999
1000 ieee80211_mle_parse_link(elems_parse, params);
1001
1002 ieee80211_mle_defrag_reconf(elems_parse);
1003
1004 if (elems->tim && !elems->parse_error) {
1005 const struct ieee80211_tim_ie *tim_ie = elems->tim;
1006
1007 elems->dtim_period = tim_ie->dtim_period;
1008 elems->dtim_count = tim_ie->dtim_count;
1009 }
1010
1011 /* Override DTIM period and count if needed */
1012 if (elems->bssid_index &&
1013 elems->bssid_index_len >=
1014 offsetofend(struct ieee80211_bssid_index, dtim_period))
1015 elems->dtim_period = elems->bssid_index->dtim_period;
1016
1017 if (elems->bssid_index &&
1018 elems->bssid_index_len >=
1019 offsetofend(struct ieee80211_bssid_index, dtim_count))
1020 elems->dtim_count = elems->bssid_index->dtim_count;
1021
1022 return elems;
1023 }
1024 EXPORT_SYMBOL_IF_KUNIT(ieee802_11_parse_elems_full);
1025
ieee80211_parse_bitrates(enum nl80211_chan_width width,const struct ieee80211_supported_band * sband,const u8 * srates,int srates_len,u32 * rates)1026 int ieee80211_parse_bitrates(enum nl80211_chan_width width,
1027 const struct ieee80211_supported_band *sband,
1028 const u8 *srates, int srates_len, u32 *rates)
1029 {
1030 u32 rate_flags = ieee80211_chanwidth_rate_flags(width);
1031 struct ieee80211_rate *br;
1032 int brate, rate, i, j, count = 0;
1033
1034 *rates = 0;
1035
1036 for (i = 0; i < srates_len; i++) {
1037 rate = srates[i] & 0x7f;
1038
1039 for (j = 0; j < sband->n_bitrates; j++) {
1040 br = &sband->bitrates[j];
1041 if ((rate_flags & br->flags) != rate_flags)
1042 continue;
1043
1044 brate = DIV_ROUND_UP(br->bitrate, 5);
1045 if (brate == rate) {
1046 *rates |= BIT(j);
1047 count++;
1048 break;
1049 }
1050 }
1051 }
1052 return count;
1053 }
1054