xref: /freebsd/contrib/wpa/src/common/ieee802_11_common.c (revision 7815283df299be63807225a9fe9b6e54406eae28)
1 /*
2  * IEEE 802.11 Common routines
3  * Copyright (c) 2002-2015, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "defs.h"
13 #include "wpa_common.h"
14 #include "qca-vendor.h"
15 #include "ieee802_11_defs.h"
16 #include "ieee802_11_common.h"
17 
18 
19 static int ieee802_11_parse_vendor_specific(const u8 *pos, size_t elen,
20 					    struct ieee802_11_elems *elems,
21 					    int show_errors)
22 {
23 	unsigned int oui;
24 
25 	/* first 3 bytes in vendor specific information element are the IEEE
26 	 * OUI of the vendor. The following byte is used a vendor specific
27 	 * sub-type. */
28 	if (elen < 4) {
29 		if (show_errors) {
30 			wpa_printf(MSG_MSGDUMP, "short vendor specific "
31 				   "information element ignored (len=%lu)",
32 				   (unsigned long) elen);
33 		}
34 		return -1;
35 	}
36 
37 	oui = WPA_GET_BE24(pos);
38 	switch (oui) {
39 	case OUI_MICROSOFT:
40 		/* Microsoft/Wi-Fi information elements are further typed and
41 		 * subtyped */
42 		switch (pos[3]) {
43 		case 1:
44 			/* Microsoft OUI (00:50:F2) with OUI Type 1:
45 			 * real WPA information element */
46 			elems->wpa_ie = pos;
47 			elems->wpa_ie_len = elen;
48 			break;
49 		case WMM_OUI_TYPE:
50 			/* WMM information element */
51 			if (elen < 5) {
52 				wpa_printf(MSG_MSGDUMP, "short WMM "
53 					   "information element ignored "
54 					   "(len=%lu)",
55 					   (unsigned long) elen);
56 				return -1;
57 			}
58 			switch (pos[4]) {
59 			case WMM_OUI_SUBTYPE_INFORMATION_ELEMENT:
60 			case WMM_OUI_SUBTYPE_PARAMETER_ELEMENT:
61 				/*
62 				 * Share same pointer since only one of these
63 				 * is used and they start with same data.
64 				 * Length field can be used to distinguish the
65 				 * IEs.
66 				 */
67 				elems->wmm = pos;
68 				elems->wmm_len = elen;
69 				break;
70 			case WMM_OUI_SUBTYPE_TSPEC_ELEMENT:
71 				elems->wmm_tspec = pos;
72 				elems->wmm_tspec_len = elen;
73 				break;
74 			default:
75 				wpa_printf(MSG_EXCESSIVE, "unknown WMM "
76 					   "information element ignored "
77 					   "(subtype=%d len=%lu)",
78 					   pos[4], (unsigned long) elen);
79 				return -1;
80 			}
81 			break;
82 		case 4:
83 			/* Wi-Fi Protected Setup (WPS) IE */
84 			elems->wps_ie = pos;
85 			elems->wps_ie_len = elen;
86 			break;
87 		default:
88 			wpa_printf(MSG_EXCESSIVE, "Unknown Microsoft "
89 				   "information element ignored "
90 				   "(type=%d len=%lu)",
91 				   pos[3], (unsigned long) elen);
92 			return -1;
93 		}
94 		break;
95 
96 	case OUI_WFA:
97 		switch (pos[3]) {
98 		case P2P_OUI_TYPE:
99 			/* Wi-Fi Alliance - P2P IE */
100 			elems->p2p = pos;
101 			elems->p2p_len = elen;
102 			break;
103 		case WFD_OUI_TYPE:
104 			/* Wi-Fi Alliance - WFD IE */
105 			elems->wfd = pos;
106 			elems->wfd_len = elen;
107 			break;
108 		case HS20_INDICATION_OUI_TYPE:
109 			/* Hotspot 2.0 */
110 			elems->hs20 = pos;
111 			elems->hs20_len = elen;
112 			break;
113 		case HS20_OSEN_OUI_TYPE:
114 			/* Hotspot 2.0 OSEN */
115 			elems->osen = pos;
116 			elems->osen_len = elen;
117 			break;
118 		case MBO_OUI_TYPE:
119 			/* MBO-OCE */
120 			elems->mbo = pos;
121 			elems->mbo_len = elen;
122 			break;
123 		default:
124 			wpa_printf(MSG_MSGDUMP, "Unknown WFA "
125 				   "information element ignored "
126 				   "(type=%d len=%lu)",
127 				   pos[3], (unsigned long) elen);
128 			return -1;
129 		}
130 		break;
131 
132 	case OUI_BROADCOM:
133 		switch (pos[3]) {
134 		case VENDOR_HT_CAPAB_OUI_TYPE:
135 			elems->vendor_ht_cap = pos;
136 			elems->vendor_ht_cap_len = elen;
137 			break;
138 		case VENDOR_VHT_TYPE:
139 			if (elen > 4 &&
140 			    (pos[4] == VENDOR_VHT_SUBTYPE ||
141 			     pos[4] == VENDOR_VHT_SUBTYPE2)) {
142 				elems->vendor_vht = pos;
143 				elems->vendor_vht_len = elen;
144 			} else
145 				return -1;
146 			break;
147 		default:
148 			wpa_printf(MSG_EXCESSIVE, "Unknown Broadcom "
149 				   "information element ignored "
150 				   "(type=%d len=%lu)",
151 				   pos[3], (unsigned long) elen);
152 			return -1;
153 		}
154 		break;
155 
156 	case OUI_QCA:
157 		switch (pos[3]) {
158 		case QCA_VENDOR_ELEM_P2P_PREF_CHAN_LIST:
159 			elems->pref_freq_list = pos;
160 			elems->pref_freq_list_len = elen;
161 			break;
162 		default:
163 			wpa_printf(MSG_EXCESSIVE,
164 				   "Unknown QCA information element ignored (type=%d len=%lu)",
165 				   pos[3], (unsigned long) elen);
166 			return -1;
167 		}
168 		break;
169 
170 	default:
171 		wpa_printf(MSG_EXCESSIVE, "unknown vendor specific "
172 			   "information element ignored (vendor OUI "
173 			   "%02x:%02x:%02x len=%lu)",
174 			   pos[0], pos[1], pos[2], (unsigned long) elen);
175 		return -1;
176 	}
177 
178 	return 0;
179 }
180 
181 
182 /**
183  * ieee802_11_parse_elems - Parse information elements in management frames
184  * @start: Pointer to the start of IEs
185  * @len: Length of IE buffer in octets
186  * @elems: Data structure for parsed elements
187  * @show_errors: Whether to show parsing errors in debug log
188  * Returns: Parsing result
189  */
190 ParseRes ieee802_11_parse_elems(const u8 *start, size_t len,
191 				struct ieee802_11_elems *elems,
192 				int show_errors)
193 {
194 	size_t left = len;
195 	const u8 *pos = start;
196 	int unknown = 0;
197 
198 	os_memset(elems, 0, sizeof(*elems));
199 
200 	while (left >= 2) {
201 		u8 id, elen;
202 
203 		id = *pos++;
204 		elen = *pos++;
205 		left -= 2;
206 
207 		if (elen > left) {
208 			if (show_errors) {
209 				wpa_printf(MSG_DEBUG, "IEEE 802.11 element "
210 					   "parse failed (id=%d elen=%d "
211 					   "left=%lu)",
212 					   id, elen, (unsigned long) left);
213 				wpa_hexdump(MSG_MSGDUMP, "IEs", start, len);
214 			}
215 			return ParseFailed;
216 		}
217 
218 		switch (id) {
219 		case WLAN_EID_SSID:
220 			if (elen > SSID_MAX_LEN) {
221 				wpa_printf(MSG_DEBUG,
222 					   "Ignored too long SSID element (elen=%u)",
223 					   elen);
224 				break;
225 			}
226 			elems->ssid = pos;
227 			elems->ssid_len = elen;
228 			break;
229 		case WLAN_EID_SUPP_RATES:
230 			elems->supp_rates = pos;
231 			elems->supp_rates_len = elen;
232 			break;
233 		case WLAN_EID_DS_PARAMS:
234 			if (elen < 1)
235 				break;
236 			elems->ds_params = pos;
237 			break;
238 		case WLAN_EID_CF_PARAMS:
239 		case WLAN_EID_TIM:
240 			break;
241 		case WLAN_EID_CHALLENGE:
242 			elems->challenge = pos;
243 			elems->challenge_len = elen;
244 			break;
245 		case WLAN_EID_ERP_INFO:
246 			if (elen < 1)
247 				break;
248 			elems->erp_info = pos;
249 			break;
250 		case WLAN_EID_EXT_SUPP_RATES:
251 			elems->ext_supp_rates = pos;
252 			elems->ext_supp_rates_len = elen;
253 			break;
254 		case WLAN_EID_VENDOR_SPECIFIC:
255 			if (ieee802_11_parse_vendor_specific(pos, elen,
256 							     elems,
257 							     show_errors))
258 				unknown++;
259 			break;
260 		case WLAN_EID_RSN:
261 			elems->rsn_ie = pos;
262 			elems->rsn_ie_len = elen;
263 			break;
264 		case WLAN_EID_PWR_CAPABILITY:
265 			break;
266 		case WLAN_EID_SUPPORTED_CHANNELS:
267 			elems->supp_channels = pos;
268 			elems->supp_channels_len = elen;
269 			break;
270 		case WLAN_EID_MOBILITY_DOMAIN:
271 			if (elen < sizeof(struct rsn_mdie))
272 				break;
273 			elems->mdie = pos;
274 			elems->mdie_len = elen;
275 			break;
276 		case WLAN_EID_FAST_BSS_TRANSITION:
277 			if (elen < sizeof(struct rsn_ftie))
278 				break;
279 			elems->ftie = pos;
280 			elems->ftie_len = elen;
281 			break;
282 		case WLAN_EID_TIMEOUT_INTERVAL:
283 			if (elen != 5)
284 				break;
285 			elems->timeout_int = pos;
286 			break;
287 		case WLAN_EID_HT_CAP:
288 			if (elen < sizeof(struct ieee80211_ht_capabilities))
289 				break;
290 			elems->ht_capabilities = pos;
291 			break;
292 		case WLAN_EID_HT_OPERATION:
293 			if (elen < sizeof(struct ieee80211_ht_operation))
294 				break;
295 			elems->ht_operation = pos;
296 			break;
297 		case WLAN_EID_MESH_CONFIG:
298 			elems->mesh_config = pos;
299 			elems->mesh_config_len = elen;
300 			break;
301 		case WLAN_EID_MESH_ID:
302 			elems->mesh_id = pos;
303 			elems->mesh_id_len = elen;
304 			break;
305 		case WLAN_EID_PEER_MGMT:
306 			elems->peer_mgmt = pos;
307 			elems->peer_mgmt_len = elen;
308 			break;
309 		case WLAN_EID_VHT_CAP:
310 			if (elen < sizeof(struct ieee80211_vht_capabilities))
311 				break;
312 			elems->vht_capabilities = pos;
313 			break;
314 		case WLAN_EID_VHT_OPERATION:
315 			if (elen < sizeof(struct ieee80211_vht_operation))
316 				break;
317 			elems->vht_operation = pos;
318 			break;
319 		case WLAN_EID_VHT_OPERATING_MODE_NOTIFICATION:
320 			if (elen != 1)
321 				break;
322 			elems->vht_opmode_notif = pos;
323 			break;
324 		case WLAN_EID_LINK_ID:
325 			if (elen < 18)
326 				break;
327 			elems->link_id = pos;
328 			break;
329 		case WLAN_EID_INTERWORKING:
330 			elems->interworking = pos;
331 			elems->interworking_len = elen;
332 			break;
333 		case WLAN_EID_QOS_MAP_SET:
334 			if (elen < 16)
335 				break;
336 			elems->qos_map_set = pos;
337 			elems->qos_map_set_len = elen;
338 			break;
339 		case WLAN_EID_EXT_CAPAB:
340 			elems->ext_capab = pos;
341 			elems->ext_capab_len = elen;
342 			break;
343 		case WLAN_EID_BSS_MAX_IDLE_PERIOD:
344 			if (elen < 3)
345 				break;
346 			elems->bss_max_idle_period = pos;
347 			break;
348 		case WLAN_EID_SSID_LIST:
349 			elems->ssid_list = pos;
350 			elems->ssid_list_len = elen;
351 			break;
352 		case WLAN_EID_AMPE:
353 			elems->ampe = pos;
354 			elems->ampe_len = elen;
355 			break;
356 		case WLAN_EID_MIC:
357 			elems->mic = pos;
358 			elems->mic_len = elen;
359 			/* after mic everything is encrypted, so stop. */
360 			left = elen;
361 			break;
362 		case WLAN_EID_MULTI_BAND:
363 			if (elems->mb_ies.nof_ies >= MAX_NOF_MB_IES_SUPPORTED) {
364 				wpa_printf(MSG_MSGDUMP,
365 					   "IEEE 802.11 element parse ignored MB IE (id=%d elen=%d)",
366 					   id, elen);
367 				break;
368 			}
369 
370 			elems->mb_ies.ies[elems->mb_ies.nof_ies].ie = pos;
371 			elems->mb_ies.ies[elems->mb_ies.nof_ies].ie_len = elen;
372 			elems->mb_ies.nof_ies++;
373 			break;
374 		case WLAN_EID_SUPPORTED_OPERATING_CLASSES:
375 			elems->supp_op_classes = pos;
376 			elems->supp_op_classes_len = elen;
377 			break;
378 		case WLAN_EID_RRM_ENABLED_CAPABILITIES:
379 			elems->rrm_enabled = pos;
380 			elems->rrm_enabled_len = elen;
381 			break;
382 		default:
383 			unknown++;
384 			if (!show_errors)
385 				break;
386 			wpa_printf(MSG_MSGDUMP, "IEEE 802.11 element parse "
387 				   "ignored unknown element (id=%d elen=%d)",
388 				   id, elen);
389 			break;
390 		}
391 
392 		left -= elen;
393 		pos += elen;
394 	}
395 
396 	if (left)
397 		return ParseFailed;
398 
399 	return unknown ? ParseUnknown : ParseOK;
400 }
401 
402 
403 int ieee802_11_ie_count(const u8 *ies, size_t ies_len)
404 {
405 	int count = 0;
406 	const u8 *pos, *end;
407 
408 	if (ies == NULL)
409 		return 0;
410 
411 	pos = ies;
412 	end = ies + ies_len;
413 
414 	while (end - pos >= 2) {
415 		if (2 + pos[1] > end - pos)
416 			break;
417 		count++;
418 		pos += 2 + pos[1];
419 	}
420 
421 	return count;
422 }
423 
424 
425 struct wpabuf * ieee802_11_vendor_ie_concat(const u8 *ies, size_t ies_len,
426 					    u32 oui_type)
427 {
428 	struct wpabuf *buf;
429 	const u8 *end, *pos, *ie;
430 
431 	pos = ies;
432 	end = ies + ies_len;
433 	ie = NULL;
434 
435 	while (end - pos > 1) {
436 		if (2 + pos[1] > end - pos)
437 			return NULL;
438 		if (pos[0] == WLAN_EID_VENDOR_SPECIFIC && pos[1] >= 4 &&
439 		    WPA_GET_BE32(&pos[2]) == oui_type) {
440 			ie = pos;
441 			break;
442 		}
443 		pos += 2 + pos[1];
444 	}
445 
446 	if (ie == NULL)
447 		return NULL; /* No specified vendor IE found */
448 
449 	buf = wpabuf_alloc(ies_len);
450 	if (buf == NULL)
451 		return NULL;
452 
453 	/*
454 	 * There may be multiple vendor IEs in the message, so need to
455 	 * concatenate their data fields.
456 	 */
457 	while (end - pos > 1) {
458 		if (2 + pos[1] > end - pos)
459 			break;
460 		if (pos[0] == WLAN_EID_VENDOR_SPECIFIC && pos[1] >= 4 &&
461 		    WPA_GET_BE32(&pos[2]) == oui_type)
462 			wpabuf_put_data(buf, pos + 6, pos[1] - 4);
463 		pos += 2 + pos[1];
464 	}
465 
466 	return buf;
467 }
468 
469 
470 const u8 * get_hdr_bssid(const struct ieee80211_hdr *hdr, size_t len)
471 {
472 	u16 fc, type, stype;
473 
474 	/*
475 	 * PS-Poll frames are 16 bytes. All other frames are
476 	 * 24 bytes or longer.
477 	 */
478 	if (len < 16)
479 		return NULL;
480 
481 	fc = le_to_host16(hdr->frame_control);
482 	type = WLAN_FC_GET_TYPE(fc);
483 	stype = WLAN_FC_GET_STYPE(fc);
484 
485 	switch (type) {
486 	case WLAN_FC_TYPE_DATA:
487 		if (len < 24)
488 			return NULL;
489 		switch (fc & (WLAN_FC_FROMDS | WLAN_FC_TODS)) {
490 		case WLAN_FC_FROMDS | WLAN_FC_TODS:
491 		case WLAN_FC_TODS:
492 			return hdr->addr1;
493 		case WLAN_FC_FROMDS:
494 			return hdr->addr2;
495 		default:
496 			return NULL;
497 		}
498 	case WLAN_FC_TYPE_CTRL:
499 		if (stype != WLAN_FC_STYPE_PSPOLL)
500 			return NULL;
501 		return hdr->addr1;
502 	case WLAN_FC_TYPE_MGMT:
503 		return hdr->addr3;
504 	default:
505 		return NULL;
506 	}
507 }
508 
509 
510 int hostapd_config_wmm_ac(struct hostapd_wmm_ac_params wmm_ac_params[],
511 			  const char *name, const char *val)
512 {
513 	int num, v;
514 	const char *pos;
515 	struct hostapd_wmm_ac_params *ac;
516 
517 	/* skip 'wme_ac_' or 'wmm_ac_' prefix */
518 	pos = name + 7;
519 	if (os_strncmp(pos, "be_", 3) == 0) {
520 		num = 0;
521 		pos += 3;
522 	} else if (os_strncmp(pos, "bk_", 3) == 0) {
523 		num = 1;
524 		pos += 3;
525 	} else if (os_strncmp(pos, "vi_", 3) == 0) {
526 		num = 2;
527 		pos += 3;
528 	} else if (os_strncmp(pos, "vo_", 3) == 0) {
529 		num = 3;
530 		pos += 3;
531 	} else {
532 		wpa_printf(MSG_ERROR, "Unknown WMM name '%s'", pos);
533 		return -1;
534 	}
535 
536 	ac = &wmm_ac_params[num];
537 
538 	if (os_strcmp(pos, "aifs") == 0) {
539 		v = atoi(val);
540 		if (v < 1 || v > 255) {
541 			wpa_printf(MSG_ERROR, "Invalid AIFS value %d", v);
542 			return -1;
543 		}
544 		ac->aifs = v;
545 	} else if (os_strcmp(pos, "cwmin") == 0) {
546 		v = atoi(val);
547 		if (v < 0 || v > 15) {
548 			wpa_printf(MSG_ERROR, "Invalid cwMin value %d", v);
549 			return -1;
550 		}
551 		ac->cwmin = v;
552 	} else if (os_strcmp(pos, "cwmax") == 0) {
553 		v = atoi(val);
554 		if (v < 0 || v > 15) {
555 			wpa_printf(MSG_ERROR, "Invalid cwMax value %d", v);
556 			return -1;
557 		}
558 		ac->cwmax = v;
559 	} else if (os_strcmp(pos, "txop_limit") == 0) {
560 		v = atoi(val);
561 		if (v < 0 || v > 0xffff) {
562 			wpa_printf(MSG_ERROR, "Invalid txop value %d", v);
563 			return -1;
564 		}
565 		ac->txop_limit = v;
566 	} else if (os_strcmp(pos, "acm") == 0) {
567 		v = atoi(val);
568 		if (v < 0 || v > 1) {
569 			wpa_printf(MSG_ERROR, "Invalid acm value %d", v);
570 			return -1;
571 		}
572 		ac->admission_control_mandatory = v;
573 	} else {
574 		wpa_printf(MSG_ERROR, "Unknown wmm_ac_ field '%s'", pos);
575 		return -1;
576 	}
577 
578 	return 0;
579 }
580 
581 
582 enum hostapd_hw_mode ieee80211_freq_to_chan(int freq, u8 *channel)
583 {
584 	u8 op_class;
585 
586 	return ieee80211_freq_to_channel_ext(freq, 0, VHT_CHANWIDTH_USE_HT,
587 					     &op_class, channel);
588 }
589 
590 
591 /**
592  * ieee80211_freq_to_channel_ext - Convert frequency into channel info
593  * for HT40 and VHT. DFS channels are not covered.
594  * @freq: Frequency (MHz) to convert
595  * @sec_channel: 0 = non-HT40, 1 = sec. channel above, -1 = sec. channel below
596  * @vht: VHT channel width (VHT_CHANWIDTH_*)
597  * @op_class: Buffer for returning operating class
598  * @channel: Buffer for returning channel number
599  * Returns: hw_mode on success, NUM_HOSTAPD_MODES on failure
600  */
601 enum hostapd_hw_mode ieee80211_freq_to_channel_ext(unsigned int freq,
602 						   int sec_channel, int vht,
603 						   u8 *op_class, u8 *channel)
604 {
605 	u8 vht_opclass;
606 
607 	/* TODO: more operating classes */
608 
609 	if (sec_channel > 1 || sec_channel < -1)
610 		return NUM_HOSTAPD_MODES;
611 
612 	if (freq >= 2412 && freq <= 2472) {
613 		if ((freq - 2407) % 5)
614 			return NUM_HOSTAPD_MODES;
615 
616 		if (vht)
617 			return NUM_HOSTAPD_MODES;
618 
619 		/* 2.407 GHz, channels 1..13 */
620 		if (sec_channel == 1)
621 			*op_class = 83;
622 		else if (sec_channel == -1)
623 			*op_class = 84;
624 		else
625 			*op_class = 81;
626 
627 		*channel = (freq - 2407) / 5;
628 
629 		return HOSTAPD_MODE_IEEE80211G;
630 	}
631 
632 	if (freq == 2484) {
633 		if (sec_channel || vht)
634 			return NUM_HOSTAPD_MODES;
635 
636 		*op_class = 82; /* channel 14 */
637 		*channel = 14;
638 
639 		return HOSTAPD_MODE_IEEE80211B;
640 	}
641 
642 	if (freq >= 4900 && freq < 5000) {
643 		if ((freq - 4000) % 5)
644 			return NUM_HOSTAPD_MODES;
645 		*channel = (freq - 4000) / 5;
646 		*op_class = 0; /* TODO */
647 		return HOSTAPD_MODE_IEEE80211A;
648 	}
649 
650 	switch (vht) {
651 	case VHT_CHANWIDTH_80MHZ:
652 		vht_opclass = 128;
653 		break;
654 	case VHT_CHANWIDTH_160MHZ:
655 		vht_opclass = 129;
656 		break;
657 	case VHT_CHANWIDTH_80P80MHZ:
658 		vht_opclass = 130;
659 		break;
660 	default:
661 		vht_opclass = 0;
662 		break;
663 	}
664 
665 	/* 5 GHz, channels 36..48 */
666 	if (freq >= 5180 && freq <= 5240) {
667 		if ((freq - 5000) % 5)
668 			return NUM_HOSTAPD_MODES;
669 
670 		if (vht_opclass)
671 			*op_class = vht_opclass;
672 		else if (sec_channel == 1)
673 			*op_class = 116;
674 		else if (sec_channel == -1)
675 			*op_class = 117;
676 		else
677 			*op_class = 115;
678 
679 		*channel = (freq - 5000) / 5;
680 
681 		return HOSTAPD_MODE_IEEE80211A;
682 	}
683 
684 	/* 5 GHz, channels 149..169 */
685 	if (freq >= 5745 && freq <= 5845) {
686 		if ((freq - 5000) % 5)
687 			return NUM_HOSTAPD_MODES;
688 
689 		if (vht_opclass)
690 			*op_class = vht_opclass;
691 		else if (sec_channel == 1)
692 			*op_class = 126;
693 		else if (sec_channel == -1)
694 			*op_class = 127;
695 		else if (freq <= 5805)
696 			*op_class = 124;
697 		else
698 			*op_class = 125;
699 
700 		*channel = (freq - 5000) / 5;
701 
702 		return HOSTAPD_MODE_IEEE80211A;
703 	}
704 
705 	/* 5 GHz, channels 100..140 */
706 	if (freq >= 5000 && freq <= 5700) {
707 		if ((freq - 5000) % 5)
708 			return NUM_HOSTAPD_MODES;
709 
710 		if (vht_opclass)
711 			*op_class = vht_opclass;
712 		else if (sec_channel == 1)
713 			*op_class = 122;
714 		else if (sec_channel == -1)
715 			*op_class = 123;
716 		else
717 			*op_class = 121;
718 
719 		*channel = (freq - 5000) / 5;
720 
721 		return HOSTAPD_MODE_IEEE80211A;
722 	}
723 
724 	if (freq >= 5000 && freq < 5900) {
725 		if ((freq - 5000) % 5)
726 			return NUM_HOSTAPD_MODES;
727 		*channel = (freq - 5000) / 5;
728 		*op_class = 0; /* TODO */
729 		return HOSTAPD_MODE_IEEE80211A;
730 	}
731 
732 	/* 56.16 GHz, channel 1..4 */
733 	if (freq >= 56160 + 2160 * 1 && freq <= 56160 + 2160 * 4) {
734 		if (sec_channel || vht)
735 			return NUM_HOSTAPD_MODES;
736 
737 		*channel = (freq - 56160) / 2160;
738 		*op_class = 180;
739 
740 		return HOSTAPD_MODE_IEEE80211AD;
741 	}
742 
743 	return NUM_HOSTAPD_MODES;
744 }
745 
746 
747 static const char *const us_op_class_cc[] = {
748 	"US", "CA", NULL
749 };
750 
751 static const char *const eu_op_class_cc[] = {
752 	"AL", "AM", "AT", "AZ", "BA", "BE", "BG", "BY", "CH", "CY", "CZ", "DE",
753 	"DK", "EE", "EL", "ES", "FI", "FR", "GE", "HR", "HU", "IE", "IS", "IT",
754 	"LI", "LT", "LU", "LV", "MD", "ME", "MK", "MT", "NL", "NO", "PL", "PT",
755 	"RO", "RS", "RU", "SE", "SI", "SK", "TR", "UA", "UK", NULL
756 };
757 
758 static const char *const jp_op_class_cc[] = {
759 	"JP", NULL
760 };
761 
762 static const char *const cn_op_class_cc[] = {
763 	"CN", NULL
764 };
765 
766 
767 static int country_match(const char *const cc[], const char *const country)
768 {
769 	int i;
770 
771 	if (country == NULL)
772 		return 0;
773 	for (i = 0; cc[i]; i++) {
774 		if (cc[i][0] == country[0] && cc[i][1] == country[1])
775 			return 1;
776 	}
777 
778 	return 0;
779 }
780 
781 
782 static int ieee80211_chan_to_freq_us(u8 op_class, u8 chan)
783 {
784 	switch (op_class) {
785 	case 12: /* channels 1..11 */
786 	case 32: /* channels 1..7; 40 MHz */
787 	case 33: /* channels 5..11; 40 MHz */
788 		if (chan < 1 || chan > 11)
789 			return -1;
790 		return 2407 + 5 * chan;
791 	case 1: /* channels 36,40,44,48 */
792 	case 2: /* channels 52,56,60,64; dfs */
793 	case 22: /* channels 36,44; 40 MHz */
794 	case 23: /* channels 52,60; 40 MHz */
795 	case 27: /* channels 40,48; 40 MHz */
796 	case 28: /* channels 56,64; 40 MHz */
797 		if (chan < 36 || chan > 64)
798 			return -1;
799 		return 5000 + 5 * chan;
800 	case 4: /* channels 100-144 */
801 	case 24: /* channels 100-140; 40 MHz */
802 		if (chan < 100 || chan > 144)
803 			return -1;
804 		return 5000 + 5 * chan;
805 	case 3: /* channels 149,153,157,161 */
806 	case 25: /* channels 149,157; 40 MHz */
807 	case 26: /* channels 149,157; 40 MHz */
808 	case 30: /* channels 153,161; 40 MHz */
809 	case 31: /* channels 153,161; 40 MHz */
810 		if (chan < 149 || chan > 161)
811 			return -1;
812 		return 5000 + 5 * chan;
813 	case 5: /* channels 149,153,157,161,165 */
814 		if (chan < 149 || chan > 165)
815 			return -1;
816 		return 5000 + 5 * chan;
817 	case 34: /* 60 GHz band, channels 1..3 */
818 		if (chan < 1 || chan > 3)
819 			return -1;
820 		return 56160 + 2160 * chan;
821 	}
822 	return -1;
823 }
824 
825 
826 static int ieee80211_chan_to_freq_eu(u8 op_class, u8 chan)
827 {
828 	switch (op_class) {
829 	case 4: /* channels 1..13 */
830 	case 11: /* channels 1..9; 40 MHz */
831 	case 12: /* channels 5..13; 40 MHz */
832 		if (chan < 1 || chan > 13)
833 			return -1;
834 		return 2407 + 5 * chan;
835 	case 1: /* channels 36,40,44,48 */
836 	case 2: /* channels 52,56,60,64; dfs */
837 	case 5: /* channels 36,44; 40 MHz */
838 	case 6: /* channels 52,60; 40 MHz */
839 	case 8: /* channels 40,48; 40 MHz */
840 	case 9: /* channels 56,64; 40 MHz */
841 		if (chan < 36 || chan > 64)
842 			return -1;
843 		return 5000 + 5 * chan;
844 	case 3: /* channels 100-140 */
845 	case 7: /* channels 100-132; 40 MHz */
846 	case 10: /* channels 104-136; 40 MHz */
847 	case 16: /* channels 100-140 */
848 		if (chan < 100 || chan > 140)
849 			return -1;
850 		return 5000 + 5 * chan;
851 	case 17: /* channels 149,153,157,161,165,169 */
852 		if (chan < 149 || chan > 169)
853 			return -1;
854 		return 5000 + 5 * chan;
855 	case 18: /* 60 GHz band, channels 1..4 */
856 		if (chan < 1 || chan > 4)
857 			return -1;
858 		return 56160 + 2160 * chan;
859 	}
860 	return -1;
861 }
862 
863 
864 static int ieee80211_chan_to_freq_jp(u8 op_class, u8 chan)
865 {
866 	switch (op_class) {
867 	case 30: /* channels 1..13 */
868 	case 56: /* channels 1..9; 40 MHz */
869 	case 57: /* channels 5..13; 40 MHz */
870 		if (chan < 1 || chan > 13)
871 			return -1;
872 		return 2407 + 5 * chan;
873 	case 31: /* channel 14 */
874 		if (chan != 14)
875 			return -1;
876 		return 2414 + 5 * chan;
877 	case 1: /* channels 34,38,42,46(old) or 36,40,44,48 */
878 	case 32: /* channels 52,56,60,64 */
879 	case 33: /* channels 52,56,60,64 */
880 	case 36: /* channels 36,44; 40 MHz */
881 	case 37: /* channels 52,60; 40 MHz */
882 	case 38: /* channels 52,60; 40 MHz */
883 	case 41: /* channels 40,48; 40 MHz */
884 	case 42: /* channels 56,64; 40 MHz */
885 	case 43: /* channels 56,64; 40 MHz */
886 		if (chan < 34 || chan > 64)
887 			return -1;
888 		return 5000 + 5 * chan;
889 	case 34: /* channels 100-140 */
890 	case 35: /* channels 100-140 */
891 	case 39: /* channels 100-132; 40 MHz */
892 	case 40: /* channels 100-132; 40 MHz */
893 	case 44: /* channels 104-136; 40 MHz */
894 	case 45: /* channels 104-136; 40 MHz */
895 	case 58: /* channels 100-140 */
896 		if (chan < 100 || chan > 140)
897 			return -1;
898 		return 5000 + 5 * chan;
899 	case 59: /* 60 GHz band, channels 1..4 */
900 		if (chan < 1 || chan > 3)
901 			return -1;
902 		return 56160 + 2160 * chan;
903 	}
904 	return -1;
905 }
906 
907 
908 static int ieee80211_chan_to_freq_cn(u8 op_class, u8 chan)
909 {
910 	switch (op_class) {
911 	case 7: /* channels 1..13 */
912 	case 8: /* channels 1..9; 40 MHz */
913 	case 9: /* channels 5..13; 40 MHz */
914 		if (chan < 1 || chan > 13)
915 			return -1;
916 		return 2407 + 5 * chan;
917 	case 1: /* channels 36,40,44,48 */
918 	case 2: /* channels 52,56,60,64; dfs */
919 	case 4: /* channels 36,44; 40 MHz */
920 	case 5: /* channels 52,60; 40 MHz */
921 		if (chan < 36 || chan > 64)
922 			return -1;
923 		return 5000 + 5 * chan;
924 	case 3: /* channels 149,153,157,161,165 */
925 	case 6: /* channels 149,157; 40 MHz */
926 		if (chan < 149 || chan > 165)
927 			return -1;
928 		return 5000 + 5 * chan;
929 	}
930 	return -1;
931 }
932 
933 
934 static int ieee80211_chan_to_freq_global(u8 op_class, u8 chan)
935 {
936 	/* Table E-4 in IEEE Std 802.11-2012 - Global operating classes */
937 	switch (op_class) {
938 	case 81:
939 		/* channels 1..13 */
940 		if (chan < 1 || chan > 13)
941 			return -1;
942 		return 2407 + 5 * chan;
943 	case 82:
944 		/* channel 14 */
945 		if (chan != 14)
946 			return -1;
947 		return 2414 + 5 * chan;
948 	case 83: /* channels 1..9; 40 MHz */
949 	case 84: /* channels 5..13; 40 MHz */
950 		if (chan < 1 || chan > 13)
951 			return -1;
952 		return 2407 + 5 * chan;
953 	case 115: /* channels 36,40,44,48; indoor only */
954 	case 116: /* channels 36,44; 40 MHz; indoor only */
955 	case 117: /* channels 40,48; 40 MHz; indoor only */
956 	case 118: /* channels 52,56,60,64; dfs */
957 	case 119: /* channels 52,60; 40 MHz; dfs */
958 	case 120: /* channels 56,64; 40 MHz; dfs */
959 		if (chan < 36 || chan > 64)
960 			return -1;
961 		return 5000 + 5 * chan;
962 	case 121: /* channels 100-140 */
963 	case 122: /* channels 100-142; 40 MHz */
964 	case 123: /* channels 104-136; 40 MHz */
965 		if (chan < 100 || chan > 140)
966 			return -1;
967 		return 5000 + 5 * chan;
968 	case 124: /* channels 149,153,157,161 */
969 	case 126: /* channels 149,157; 40 MHz */
970 	case 127: /* channels 153,161; 40 MHz */
971 		if (chan < 149 || chan > 161)
972 			return -1;
973 		return 5000 + 5 * chan;
974 	case 125: /* channels 149,153,157,161,165,169 */
975 		if (chan < 149 || chan > 169)
976 			return -1;
977 		return 5000 + 5 * chan;
978 	case 128: /* center freqs 42, 58, 106, 122, 138, 155; 80 MHz */
979 	case 130: /* center freqs 42, 58, 106, 122, 138, 155; 80 MHz */
980 		if (chan < 36 || chan > 161)
981 			return -1;
982 		return 5000 + 5 * chan;
983 	case 129: /* center freqs 50, 114; 160 MHz */
984 		if (chan < 50 || chan > 114)
985 			return -1;
986 		return 5000 + 5 * chan;
987 	case 180: /* 60 GHz band, channels 1..4 */
988 		if (chan < 1 || chan > 4)
989 			return -1;
990 		return 56160 + 2160 * chan;
991 	}
992 	return -1;
993 }
994 
995 /**
996  * ieee80211_chan_to_freq - Convert channel info to frequency
997  * @country: Country code, if known; otherwise, global operating class is used
998  * @op_class: Operating class
999  * @chan: Channel number
1000  * Returns: Frequency in MHz or -1 if the specified channel is unknown
1001  */
1002 int ieee80211_chan_to_freq(const char *country, u8 op_class, u8 chan)
1003 {
1004 	int freq;
1005 
1006 	if (country_match(us_op_class_cc, country)) {
1007 		freq = ieee80211_chan_to_freq_us(op_class, chan);
1008 		if (freq > 0)
1009 			return freq;
1010 	}
1011 
1012 	if (country_match(eu_op_class_cc, country)) {
1013 		freq = ieee80211_chan_to_freq_eu(op_class, chan);
1014 		if (freq > 0)
1015 			return freq;
1016 	}
1017 
1018 	if (country_match(jp_op_class_cc, country)) {
1019 		freq = ieee80211_chan_to_freq_jp(op_class, chan);
1020 		if (freq > 0)
1021 			return freq;
1022 	}
1023 
1024 	if (country_match(cn_op_class_cc, country)) {
1025 		freq = ieee80211_chan_to_freq_cn(op_class, chan);
1026 		if (freq > 0)
1027 			return freq;
1028 	}
1029 
1030 	return ieee80211_chan_to_freq_global(op_class, chan);
1031 }
1032 
1033 
1034 int ieee80211_is_dfs(int freq)
1035 {
1036 	/* TODO: this could be more accurate to better cover all domains */
1037 	return (freq >= 5260 && freq <= 5320) || (freq >= 5500 && freq <= 5700);
1038 }
1039 
1040 
1041 static int is_11b(u8 rate)
1042 {
1043 	return rate == 0x02 || rate == 0x04 || rate == 0x0b || rate == 0x16;
1044 }
1045 
1046 
1047 int supp_rates_11b_only(struct ieee802_11_elems *elems)
1048 {
1049 	int num_11b = 0, num_others = 0;
1050 	int i;
1051 
1052 	if (elems->supp_rates == NULL && elems->ext_supp_rates == NULL)
1053 		return 0;
1054 
1055 	for (i = 0; elems->supp_rates && i < elems->supp_rates_len; i++) {
1056 		if (is_11b(elems->supp_rates[i]))
1057 			num_11b++;
1058 		else
1059 			num_others++;
1060 	}
1061 
1062 	for (i = 0; elems->ext_supp_rates && i < elems->ext_supp_rates_len;
1063 	     i++) {
1064 		if (is_11b(elems->ext_supp_rates[i]))
1065 			num_11b++;
1066 		else
1067 			num_others++;
1068 	}
1069 
1070 	return num_11b > 0 && num_others == 0;
1071 }
1072 
1073 
1074 const char * fc2str(u16 fc)
1075 {
1076 	u16 stype = WLAN_FC_GET_STYPE(fc);
1077 #define C2S(x) case x: return #x;
1078 
1079 	switch (WLAN_FC_GET_TYPE(fc)) {
1080 	case WLAN_FC_TYPE_MGMT:
1081 		switch (stype) {
1082 		C2S(WLAN_FC_STYPE_ASSOC_REQ)
1083 		C2S(WLAN_FC_STYPE_ASSOC_RESP)
1084 		C2S(WLAN_FC_STYPE_REASSOC_REQ)
1085 		C2S(WLAN_FC_STYPE_REASSOC_RESP)
1086 		C2S(WLAN_FC_STYPE_PROBE_REQ)
1087 		C2S(WLAN_FC_STYPE_PROBE_RESP)
1088 		C2S(WLAN_FC_STYPE_BEACON)
1089 		C2S(WLAN_FC_STYPE_ATIM)
1090 		C2S(WLAN_FC_STYPE_DISASSOC)
1091 		C2S(WLAN_FC_STYPE_AUTH)
1092 		C2S(WLAN_FC_STYPE_DEAUTH)
1093 		C2S(WLAN_FC_STYPE_ACTION)
1094 		}
1095 		break;
1096 	case WLAN_FC_TYPE_CTRL:
1097 		switch (stype) {
1098 		C2S(WLAN_FC_STYPE_PSPOLL)
1099 		C2S(WLAN_FC_STYPE_RTS)
1100 		C2S(WLAN_FC_STYPE_CTS)
1101 		C2S(WLAN_FC_STYPE_ACK)
1102 		C2S(WLAN_FC_STYPE_CFEND)
1103 		C2S(WLAN_FC_STYPE_CFENDACK)
1104 		}
1105 		break;
1106 	case WLAN_FC_TYPE_DATA:
1107 		switch (stype) {
1108 		C2S(WLAN_FC_STYPE_DATA)
1109 		C2S(WLAN_FC_STYPE_DATA_CFACK)
1110 		C2S(WLAN_FC_STYPE_DATA_CFPOLL)
1111 		C2S(WLAN_FC_STYPE_DATA_CFACKPOLL)
1112 		C2S(WLAN_FC_STYPE_NULLFUNC)
1113 		C2S(WLAN_FC_STYPE_CFACK)
1114 		C2S(WLAN_FC_STYPE_CFPOLL)
1115 		C2S(WLAN_FC_STYPE_CFACKPOLL)
1116 		C2S(WLAN_FC_STYPE_QOS_DATA)
1117 		C2S(WLAN_FC_STYPE_QOS_DATA_CFACK)
1118 		C2S(WLAN_FC_STYPE_QOS_DATA_CFPOLL)
1119 		C2S(WLAN_FC_STYPE_QOS_DATA_CFACKPOLL)
1120 		C2S(WLAN_FC_STYPE_QOS_NULL)
1121 		C2S(WLAN_FC_STYPE_QOS_CFPOLL)
1122 		C2S(WLAN_FC_STYPE_QOS_CFACKPOLL)
1123 		}
1124 		break;
1125 	}
1126 	return "WLAN_FC_TYPE_UNKNOWN";
1127 #undef C2S
1128 }
1129 
1130 
1131 int mb_ies_info_by_ies(struct mb_ies_info *info, const u8 *ies_buf,
1132 		       size_t ies_len)
1133 {
1134 	os_memset(info, 0, sizeof(*info));
1135 
1136 	while (ies_buf && ies_len >= 2 &&
1137 	       info->nof_ies < MAX_NOF_MB_IES_SUPPORTED) {
1138 		size_t len = 2 + ies_buf[1];
1139 
1140 		if (len > ies_len) {
1141 			wpa_hexdump(MSG_DEBUG, "Truncated IEs",
1142 				    ies_buf, ies_len);
1143 			return -1;
1144 		}
1145 
1146 		if (ies_buf[0] == WLAN_EID_MULTI_BAND) {
1147 			wpa_printf(MSG_DEBUG, "MB IE of %zu bytes found", len);
1148 			info->ies[info->nof_ies].ie = ies_buf + 2;
1149 			info->ies[info->nof_ies].ie_len = ies_buf[1];
1150 			info->nof_ies++;
1151 		}
1152 
1153 		ies_len -= len;
1154 		ies_buf += len;
1155 	}
1156 
1157 	return 0;
1158 }
1159 
1160 
1161 struct wpabuf * mb_ies_by_info(struct mb_ies_info *info)
1162 {
1163 	struct wpabuf *mb_ies = NULL;
1164 
1165 	WPA_ASSERT(info != NULL);
1166 
1167 	if (info->nof_ies) {
1168 		u8 i;
1169 		size_t mb_ies_size = 0;
1170 
1171 		for (i = 0; i < info->nof_ies; i++)
1172 			mb_ies_size += 2 + info->ies[i].ie_len;
1173 
1174 		mb_ies = wpabuf_alloc(mb_ies_size);
1175 		if (mb_ies) {
1176 			for (i = 0; i < info->nof_ies; i++) {
1177 				wpabuf_put_u8(mb_ies, WLAN_EID_MULTI_BAND);
1178 				wpabuf_put_u8(mb_ies, info->ies[i].ie_len);
1179 				wpabuf_put_data(mb_ies,
1180 						info->ies[i].ie,
1181 						info->ies[i].ie_len);
1182 			}
1183 		}
1184 	}
1185 
1186 	return mb_ies;
1187 }
1188 
1189 
1190 const struct oper_class_map global_op_class[] = {
1191 	{ HOSTAPD_MODE_IEEE80211G, 81, 1, 13, 1, BW20, P2P_SUPP },
1192 	{ HOSTAPD_MODE_IEEE80211G, 82, 14, 14, 1, BW20, NO_P2P_SUPP },
1193 
1194 	/* Do not enable HT40 on 2.4 GHz for P2P use for now */
1195 	{ HOSTAPD_MODE_IEEE80211G, 83, 1, 9, 1, BW40PLUS, NO_P2P_SUPP },
1196 	{ HOSTAPD_MODE_IEEE80211G, 84, 5, 13, 1, BW40MINUS, NO_P2P_SUPP },
1197 
1198 	{ HOSTAPD_MODE_IEEE80211A, 115, 36, 48, 4, BW20, P2P_SUPP },
1199 	{ HOSTAPD_MODE_IEEE80211A, 116, 36, 44, 8, BW40PLUS, P2P_SUPP },
1200 	{ HOSTAPD_MODE_IEEE80211A, 117, 40, 48, 8, BW40MINUS, P2P_SUPP },
1201 	{ HOSTAPD_MODE_IEEE80211A, 118, 52, 64, 4, BW20, NO_P2P_SUPP },
1202 	{ HOSTAPD_MODE_IEEE80211A, 119, 52, 60, 8, BW40PLUS, NO_P2P_SUPP },
1203 	{ HOSTAPD_MODE_IEEE80211A, 120, 56, 64, 8, BW40MINUS, NO_P2P_SUPP },
1204 	{ HOSTAPD_MODE_IEEE80211A, 121, 100, 140, 4, BW20, NO_P2P_SUPP },
1205 	{ HOSTAPD_MODE_IEEE80211A, 122, 100, 132, 8, BW40PLUS, NO_P2P_SUPP },
1206 	{ HOSTAPD_MODE_IEEE80211A, 123, 104, 136, 8, BW40MINUS, NO_P2P_SUPP },
1207 	{ HOSTAPD_MODE_IEEE80211A, 124, 149, 161, 4, BW20, P2P_SUPP },
1208 	{ HOSTAPD_MODE_IEEE80211A, 125, 149, 169, 4, BW20, P2P_SUPP },
1209 	{ HOSTAPD_MODE_IEEE80211A, 126, 149, 157, 8, BW40PLUS, P2P_SUPP },
1210 	{ HOSTAPD_MODE_IEEE80211A, 127, 153, 161, 8, BW40MINUS, P2P_SUPP },
1211 
1212 	/*
1213 	 * IEEE P802.11ac/D7.0 Table E-4 actually talks about channel center
1214 	 * frequency index 42, 58, 106, 122, 138, 155 with channel spacing of
1215 	 * 80 MHz, but currently use the following definition for simplicity
1216 	 * (these center frequencies are not actual channels, which makes
1217 	 * wpas_p2p_allow_channel() fail). wpas_p2p_verify_80mhz() should take
1218 	 * care of removing invalid channels.
1219 	 */
1220 	{ HOSTAPD_MODE_IEEE80211A, 128, 36, 161, 4, BW80, P2P_SUPP },
1221 	{ HOSTAPD_MODE_IEEE80211A, 129, 50, 114, 16, BW160, P2P_SUPP },
1222 	{ HOSTAPD_MODE_IEEE80211A, 130, 36, 161, 4, BW80P80, P2P_SUPP },
1223 	{ HOSTAPD_MODE_IEEE80211AD, 180, 1, 4, 1, BW2160, P2P_SUPP },
1224 	{ -1, 0, 0, 0, 0, BW20, NO_P2P_SUPP }
1225 };
1226 
1227 
1228 static enum phy_type ieee80211_phy_type_by_freq(int freq)
1229 {
1230 	enum hostapd_hw_mode hw_mode;
1231 	u8 channel;
1232 
1233 	hw_mode = ieee80211_freq_to_chan(freq, &channel);
1234 
1235 	switch (hw_mode) {
1236 	case HOSTAPD_MODE_IEEE80211A:
1237 		return PHY_TYPE_OFDM;
1238 	case HOSTAPD_MODE_IEEE80211B:
1239 		return PHY_TYPE_HRDSSS;
1240 	case HOSTAPD_MODE_IEEE80211G:
1241 		return PHY_TYPE_ERP;
1242 	case HOSTAPD_MODE_IEEE80211AD:
1243 		return PHY_TYPE_DMG;
1244 	default:
1245 		return PHY_TYPE_UNSPECIFIED;
1246 	};
1247 }
1248 
1249 
1250 /* ieee80211_get_phy_type - Derive the phy type by freq and bandwidth */
1251 enum phy_type ieee80211_get_phy_type(int freq, int ht, int vht)
1252 {
1253 	if (vht)
1254 		return PHY_TYPE_VHT;
1255 	if (ht)
1256 		return PHY_TYPE_HT;
1257 
1258 	return ieee80211_phy_type_by_freq(freq);
1259 }
1260 
1261 
1262 size_t global_op_class_size = ARRAY_SIZE(global_op_class);
1263 
1264 
1265 /**
1266  * get_ie - Fetch a specified information element from IEs buffer
1267  * @ies: Information elements buffer
1268  * @len: Information elements buffer length
1269  * @eid: Information element identifier (WLAN_EID_*)
1270  * Returns: Pointer to the information element (id field) or %NULL if not found
1271  *
1272  * This function returns the first matching information element in the IEs
1273  * buffer or %NULL in case the element is not found.
1274  */
1275 const u8 * get_ie(const u8 *ies, size_t len, u8 eid)
1276 {
1277 	const u8 *end;
1278 
1279 	if (!ies)
1280 		return NULL;
1281 
1282 	end = ies + len;
1283 
1284 	while (end - ies > 1) {
1285 		if (2 + ies[1] > end - ies)
1286 			break;
1287 
1288 		if (ies[0] == eid)
1289 			return ies;
1290 
1291 		ies += 2 + ies[1];
1292 	}
1293 
1294 	return NULL;
1295 }
1296 
1297 
1298 size_t mbo_add_ie(u8 *buf, size_t len, const u8 *attr, size_t attr_len)
1299 {
1300 	/*
1301 	 * MBO IE requires 6 bytes without the attributes: EID (1), length (1),
1302 	 * OUI (3), OUI type (1).
1303 	 */
1304 	if (len < 6 + attr_len) {
1305 		wpa_printf(MSG_DEBUG,
1306 			   "MBO: Not enough room in buffer for MBO IE: buf len = %zu, attr_len = %zu",
1307 			   len, attr_len);
1308 		return 0;
1309 	}
1310 
1311 	*buf++ = WLAN_EID_VENDOR_SPECIFIC;
1312 	*buf++ = attr_len + 4;
1313 	WPA_PUT_BE24(buf, OUI_WFA);
1314 	buf += 3;
1315 	*buf++ = MBO_OUI_TYPE;
1316 	os_memcpy(buf, attr, attr_len);
1317 
1318 	return 6 + attr_len;
1319 }
1320