1 /*- 2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26 #include <sys/cdefs.h> 27 #ifdef __FreeBSD__ 28 __FBSDID("$FreeBSD$"); 29 #endif 30 31 /* 32 * IEEE 802.11 IBSS mode support. 33 */ 34 #include "opt_inet.h" 35 #include "opt_wlan.h" 36 37 #include <sys/param.h> 38 #include <sys/systm.h> 39 #include <sys/mbuf.h> 40 #include <sys/malloc.h> 41 #include <sys/kernel.h> 42 43 #include <sys/socket.h> 44 #include <sys/sockio.h> 45 #include <sys/endian.h> 46 #include <sys/errno.h> 47 #include <sys/proc.h> 48 #include <sys/sysctl.h> 49 50 #include <net/if.h> 51 #include <net/if_media.h> 52 #include <net/if_llc.h> 53 #include <net/ethernet.h> 54 55 #include <net/bpf.h> 56 57 #include <net80211/ieee80211_var.h> 58 #include <net80211/ieee80211_adhoc.h> 59 #include <net80211/ieee80211_input.h> 60 61 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 62 63 static void adhoc_vattach(struct ieee80211vap *); 64 static int adhoc_newstate(struct ieee80211vap *, enum ieee80211_state, int); 65 static int adhoc_input(struct ieee80211_node *, struct mbuf *, 66 int rssi, int noise, uint32_t rstamp); 67 static void adhoc_recv_mgmt(struct ieee80211_node *, struct mbuf *, 68 int subtype, int rssi, int noise, uint32_t rstamp); 69 70 void 71 ieee80211_adhoc_attach(struct ieee80211com *ic) 72 { 73 ic->ic_vattach[IEEE80211_M_IBSS] = adhoc_vattach; 74 ic->ic_vattach[IEEE80211_M_AHDEMO] = adhoc_vattach; 75 } 76 77 void 78 ieee80211_adhoc_detach(struct ieee80211com *ic) 79 { 80 } 81 82 static void 83 adhoc_vdetach(struct ieee80211vap *vap) 84 { 85 } 86 87 static void 88 adhoc_vattach(struct ieee80211vap *vap) 89 { 90 vap->iv_newstate = adhoc_newstate; 91 vap->iv_input = adhoc_input; 92 vap->iv_recv_mgmt = adhoc_recv_mgmt; 93 vap->iv_opdetach = adhoc_vdetach; 94 } 95 96 /* 97 * IEEE80211_M_IBSS+IEEE80211_M_AHDEMO vap state machine handler. 98 */ 99 static int 100 adhoc_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 101 { 102 #ifdef IEEE80211_DEBUG 103 struct ieee80211com *ic = vap->iv_ic; 104 #endif 105 struct ieee80211_node *ni; 106 enum ieee80211_state ostate; 107 108 IEEE80211_LOCK_ASSERT(vap->iv_ic); 109 110 ostate = vap->iv_state; 111 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 112 __func__, ieee80211_state_name[ostate], 113 ieee80211_state_name[nstate], arg); 114 vap->iv_state = nstate; /* state transition */ 115 if (ostate != IEEE80211_S_SCAN) 116 ieee80211_cancel_scan(vap); /* background scan */ 117 ni = vap->iv_bss; /* NB: no reference held */ 118 if (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS) 119 callout_stop(&vap->iv_swbmiss); 120 switch (nstate) { 121 case IEEE80211_S_INIT: 122 switch (ostate) { 123 case IEEE80211_S_SCAN: 124 ieee80211_cancel_scan(vap); 125 break; 126 default: 127 break; 128 } 129 if (ostate != IEEE80211_S_INIT) { 130 /* NB: optimize INIT -> INIT case */ 131 ieee80211_reset_bss(vap); 132 } 133 break; 134 case IEEE80211_S_SCAN: 135 switch (ostate) { 136 case IEEE80211_S_INIT: 137 case IEEE80211_S_RUN: /* beacon miss */ 138 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 139 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 140 /* 141 * Already have a channel; bypass the 142 * scan and startup immediately. 143 */ 144 ieee80211_create_ibss(vap, vap->iv_des_chan); 145 break; 146 } 147 /* 148 * Initiate a scan. We can come here as a result 149 * of an IEEE80211_IOC_SCAN_REQ too in which case 150 * the vap will be marked with IEEE80211_FEXT_SCANREQ 151 * and the scan request parameters will be present 152 * in iv_scanreq. Otherwise we do the default. 153 */ 154 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 155 ieee80211_check_scan(vap, 156 vap->iv_scanreq_flags, 157 vap->iv_scanreq_duration, 158 vap->iv_scanreq_mindwell, 159 vap->iv_scanreq_maxdwell, 160 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 161 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 162 } else 163 ieee80211_check_scan_current(vap); 164 break; 165 case IEEE80211_S_SCAN: 166 /* 167 * This can happen because of a change in state 168 * that requires a reset. Trigger a new scan 169 * unless we're in manual roaming mode in which 170 * case an application must issue an explicit request. 171 */ 172 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) 173 ieee80211_check_scan_current(vap); 174 break; 175 default: 176 goto invalid; 177 } 178 break; 179 case IEEE80211_S_RUN: 180 if (vap->iv_flags & IEEE80211_F_WPA) { 181 /* XXX validate prerequisites */ 182 } 183 switch (ostate) { 184 case IEEE80211_S_SCAN: 185 #ifdef IEEE80211_DEBUG 186 if (ieee80211_msg_debug(vap)) { 187 ieee80211_note(vap, 188 "synchronized with %s ssid ", 189 ether_sprintf(ni->ni_bssid)); 190 ieee80211_print_essid(vap->iv_bss->ni_essid, 191 ni->ni_esslen); 192 /* XXX MCS/HT */ 193 printf(" channel %d start %uMb\n", 194 ieee80211_chan2ieee(ic, ic->ic_curchan), 195 IEEE80211_RATE2MBS(ni->ni_txrate)); 196 } 197 #endif 198 break; 199 default: 200 goto invalid; 201 } 202 /* 203 * When 802.1x is not in use mark the port authorized 204 * at this point so traffic can flow. 205 */ 206 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 207 ieee80211_node_authorize(ni); 208 break; 209 case IEEE80211_S_SLEEP: 210 ieee80211_sta_pwrsave(vap, 0); 211 break; 212 default: 213 invalid: 214 IEEE80211_DPRINTF(vap, IEEE80211_MSG_ANY, 215 "%s: invalid state transition %s -> %s\n", __func__, 216 ieee80211_state_name[ostate], ieee80211_state_name[nstate]); 217 break; 218 } 219 return 0; 220 } 221 222 /* 223 * Decide if a received management frame should be 224 * printed when debugging is enabled. This filters some 225 * of the less interesting frames that come frequently 226 * (e.g. beacons). 227 */ 228 static __inline int 229 doprint(struct ieee80211vap *vap, int subtype) 230 { 231 switch (subtype) { 232 case IEEE80211_FC0_SUBTYPE_BEACON: 233 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 234 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 235 return 1; 236 } 237 return 1; 238 } 239 240 /* 241 * Process a received frame. The node associated with the sender 242 * should be supplied. If nothing was found in the node table then 243 * the caller is assumed to supply a reference to iv_bss instead. 244 * The RSSI and a timestamp are also supplied. The RSSI data is used 245 * during AP scanning to select a AP to associate with; it can have 246 * any units so long as values have consistent units and higher values 247 * mean ``better signal''. The receive timestamp is currently not used 248 * by the 802.11 layer. 249 */ 250 static int 251 adhoc_input(struct ieee80211_node *ni, struct mbuf *m, 252 int rssi, int noise, uint32_t rstamp) 253 { 254 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 255 #define HAS_SEQ(type) ((type & 0x4) == 0) 256 struct ieee80211vap *vap = ni->ni_vap; 257 struct ieee80211com *ic = ni->ni_ic; 258 struct ifnet *ifp = vap->iv_ifp; 259 struct ieee80211_frame *wh; 260 struct ieee80211_key *key; 261 struct ether_header *eh; 262 int hdrspace, need_tap; 263 uint8_t dir, type, subtype, qos; 264 uint8_t *bssid; 265 uint16_t rxseq; 266 267 if (m->m_flags & M_AMPDU) { 268 /* 269 * Fastpath for A-MPDU reorder q resubmission. Frames 270 * w/ M_AMPDU marked have already passed through here 271 * but were received out of order and been held on the 272 * reorder queue. When resubmitted they are marked 273 * with the M_AMPDU flag and we can bypass most of the 274 * normal processing. 275 */ 276 wh = mtod(m, struct ieee80211_frame *); 277 type = IEEE80211_FC0_TYPE_DATA; 278 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 279 subtype = IEEE80211_FC0_SUBTYPE_QOS; 280 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 281 goto resubmit_ampdu; 282 } 283 284 KASSERT(ni != NULL, ("null node")); 285 ni->ni_inact = ni->ni_inact_reload; 286 287 need_tap = 1; /* mbuf need to be tapped. */ 288 type = -1; /* undefined */ 289 290 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 291 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 292 ni->ni_macaddr, NULL, 293 "too short (1): len %u", m->m_pkthdr.len); 294 vap->iv_stats.is_rx_tooshort++; 295 goto out; 296 } 297 /* 298 * Bit of a cheat here, we use a pointer for a 3-address 299 * frame format but don't reference fields past outside 300 * ieee80211_frame_min w/o first validating the data is 301 * present. 302 */ 303 wh = mtod(m, struct ieee80211_frame *); 304 305 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 306 IEEE80211_FC0_VERSION_0) { 307 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 308 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]); 309 vap->iv_stats.is_rx_badversion++; 310 goto err; 311 } 312 313 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 314 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 315 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 316 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 317 if (dir != IEEE80211_FC1_DIR_NODS) 318 bssid = wh->i_addr1; 319 else if (type == IEEE80211_FC0_TYPE_CTL) 320 bssid = wh->i_addr1; 321 else { 322 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 323 IEEE80211_DISCARD_MAC(vap, 324 IEEE80211_MSG_ANY, ni->ni_macaddr, 325 NULL, "too short (2): len %u", 326 m->m_pkthdr.len); 327 vap->iv_stats.is_rx_tooshort++; 328 goto out; 329 } 330 bssid = wh->i_addr3; 331 } 332 /* 333 * Validate the bssid. 334 */ 335 if (!IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 336 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 337 /* not interested in */ 338 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 339 bssid, NULL, "%s", "not to bss"); 340 vap->iv_stats.is_rx_wrongbss++; 341 goto out; 342 } 343 /* 344 * Data frame, cons up a node when it doesn't 345 * exist. This should probably done after an ACL check. 346 */ 347 if (type == IEEE80211_FC0_TYPE_DATA && 348 ni == vap->iv_bss && 349 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 350 /* 351 * Fake up a node for this newly 352 * discovered member of the IBSS. 353 */ 354 ni = ieee80211_fakeup_adhoc_node(vap, wh->i_addr2); 355 if (ni == NULL) { 356 /* NB: stat kept for alloc failure */ 357 goto err; 358 } 359 } 360 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 361 ni->ni_noise = noise; 362 ni->ni_rstamp = rstamp; 363 if (HAS_SEQ(type)) { 364 uint8_t tid = ieee80211_gettid(wh); 365 if (IEEE80211_QOS_HAS_SEQ(wh) && 366 TID_TO_WME_AC(tid) >= WME_AC_VI) 367 ic->ic_wme.wme_hipri_traffic++; 368 rxseq = le16toh(*(uint16_t *)wh->i_seq); 369 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 && 370 (wh->i_fc[1] & IEEE80211_FC1_RETRY) && 371 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) { 372 /* duplicate, discard */ 373 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 374 bssid, "duplicate", 375 "seqno <%u,%u> fragno <%u,%u> tid %u", 376 rxseq >> IEEE80211_SEQ_SEQ_SHIFT, 377 ni->ni_rxseqs[tid] >> 378 IEEE80211_SEQ_SEQ_SHIFT, 379 rxseq & IEEE80211_SEQ_FRAG_MASK, 380 ni->ni_rxseqs[tid] & 381 IEEE80211_SEQ_FRAG_MASK, 382 tid); 383 vap->iv_stats.is_rx_dup++; 384 IEEE80211_NODE_STAT(ni, rx_dup); 385 goto out; 386 } 387 ni->ni_rxseqs[tid] = rxseq; 388 } 389 } 390 391 switch (type) { 392 case IEEE80211_FC0_TYPE_DATA: 393 hdrspace = ieee80211_hdrspace(ic, wh); 394 if (m->m_len < hdrspace && 395 (m = m_pullup(m, hdrspace)) == NULL) { 396 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 397 ni->ni_macaddr, NULL, 398 "data too short: expecting %u", hdrspace); 399 vap->iv_stats.is_rx_tooshort++; 400 goto out; /* XXX */ 401 } 402 if (dir != IEEE80211_FC1_DIR_NODS) { 403 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 404 wh, "data", "incorrect dir 0x%x", dir); 405 vap->iv_stats.is_rx_wrongdir++; 406 goto out; 407 } 408 /* XXX no power-save support */ 409 410 /* 411 * Handle A-MPDU re-ordering. The station must be 412 * associated and negotiated HT. The frame must be 413 * a QoS frame (not QoS null data) and not previously 414 * processed for A-MPDU re-ordering. If the frame is 415 * to be processed directly then ieee80211_ampdu_reorder 416 * will return 0; otherwise it has consumed the mbuf 417 * and we should do nothing more with it. 418 */ 419 if ((ni->ni_flags & IEEE80211_NODE_HT) && 420 subtype == IEEE80211_FC0_SUBTYPE_QOS && 421 ieee80211_ampdu_reorder(ni, m) != 0) { 422 m = NULL; 423 goto out; 424 } 425 resubmit_ampdu: 426 427 /* 428 * Handle privacy requirements. Note that we 429 * must not be preempted from here until after 430 * we (potentially) call ieee80211_crypto_demic; 431 * otherwise we may violate assumptions in the 432 * crypto cipher modules used to do delayed update 433 * of replay sequence numbers. 434 */ 435 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 436 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 437 /* 438 * Discard encrypted frames when privacy is off. 439 */ 440 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 441 wh, "WEP", "%s", "PRIVACY off"); 442 vap->iv_stats.is_rx_noprivacy++; 443 IEEE80211_NODE_STAT(ni, rx_noprivacy); 444 goto out; 445 } 446 key = ieee80211_crypto_decap(ni, m, hdrspace); 447 if (key == NULL) { 448 /* NB: stats+msgs handled in crypto_decap */ 449 IEEE80211_NODE_STAT(ni, rx_wepfail); 450 goto out; 451 } 452 wh = mtod(m, struct ieee80211_frame *); 453 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 454 } else { 455 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 456 key = NULL; 457 } 458 459 /* 460 * Save QoS bits for use below--before we strip the header. 461 */ 462 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) { 463 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ? 464 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] : 465 ((struct ieee80211_qosframe *)wh)->i_qos[0]; 466 } else 467 qos = 0; 468 469 /* 470 * Next up, any fragmentation. 471 */ 472 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 473 m = ieee80211_defrag(ni, m, hdrspace); 474 if (m == NULL) { 475 /* Fragment dropped or frame not complete yet */ 476 goto out; 477 } 478 } 479 wh = NULL; /* no longer valid, catch any uses */ 480 481 /* 482 * Next strip any MSDU crypto bits. 483 */ 484 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 485 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 486 ni->ni_macaddr, "data", "%s", "demic error"); 487 vap->iv_stats.is_rx_demicfail++; 488 IEEE80211_NODE_STAT(ni, rx_demicfail); 489 goto out; 490 } 491 492 /* copy to listener after decrypt */ 493 if (bpf_peers_present(vap->iv_rawbpf)) 494 bpf_mtap(vap->iv_rawbpf, m); 495 need_tap = 0; 496 497 /* 498 * Finally, strip the 802.11 header. 499 */ 500 m = ieee80211_decap(vap, m, hdrspace); 501 if (m == NULL) { 502 /* XXX mask bit to check for both */ 503 /* don't count Null data frames as errors */ 504 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 505 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 506 goto out; 507 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 508 ni->ni_macaddr, "data", "%s", "decap error"); 509 vap->iv_stats.is_rx_decap++; 510 IEEE80211_NODE_STAT(ni, rx_decap); 511 goto err; 512 } 513 eh = mtod(m, struct ether_header *); 514 if (!ieee80211_node_is_authorized(ni)) { 515 /* 516 * Deny any non-PAE frames received prior to 517 * authorization. For open/shared-key 518 * authentication the port is mark authorized 519 * after authentication completes. For 802.1x 520 * the port is not marked authorized by the 521 * authenticator until the handshake has completed. 522 */ 523 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 524 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 525 eh->ether_shost, "data", 526 "unauthorized port: ether type 0x%x len %u", 527 eh->ether_type, m->m_pkthdr.len); 528 vap->iv_stats.is_rx_unauth++; 529 IEEE80211_NODE_STAT(ni, rx_unauth); 530 goto err; 531 } 532 } else { 533 /* 534 * When denying unencrypted frames, discard 535 * any non-PAE frames received without encryption. 536 */ 537 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 538 (key == NULL && (m->m_flags & M_WEP) == 0) && 539 eh->ether_type != htons(ETHERTYPE_PAE)) { 540 /* 541 * Drop unencrypted frames. 542 */ 543 vap->iv_stats.is_rx_unencrypted++; 544 IEEE80211_NODE_STAT(ni, rx_unencrypted); 545 goto out; 546 } 547 } 548 /* XXX require HT? */ 549 if (qos & IEEE80211_QOS_AMSDU) { 550 m = ieee80211_decap_amsdu(ni, m); 551 if (m == NULL) 552 return IEEE80211_FC0_TYPE_DATA; 553 } else if ((ni->ni_ath_flags & IEEE80211_NODE_FF) && 554 #define FF_LLC_SIZE (sizeof(struct ether_header) + sizeof(struct llc)) 555 m->m_pkthdr.len >= 3*FF_LLC_SIZE) { 556 struct llc *llc; 557 558 /* 559 * Check for fast-frame tunnel encapsulation. 560 */ 561 if (m->m_len < FF_LLC_SIZE && 562 (m = m_pullup(m, FF_LLC_SIZE)) == NULL) { 563 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 564 ni->ni_macaddr, "fast-frame", 565 "%s", "m_pullup(llc) failed"); 566 vap->iv_stats.is_rx_tooshort++; 567 return IEEE80211_FC0_TYPE_DATA; 568 } 569 llc = (struct llc *)(mtod(m, uint8_t *) + 570 sizeof(struct ether_header)); 571 if (llc->llc_snap.ether_type == htons(ATH_FF_ETH_TYPE)) { 572 m_adj(m, FF_LLC_SIZE); 573 m = ieee80211_decap_fastframe(ni, m); 574 if (m == NULL) 575 return IEEE80211_FC0_TYPE_DATA; 576 } 577 } 578 #undef FF_LLC_SIZE 579 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 580 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 581 else 582 ieee80211_deliver_data(vap, ni, m); 583 return IEEE80211_FC0_TYPE_DATA; 584 585 case IEEE80211_FC0_TYPE_MGT: 586 vap->iv_stats.is_rx_mgmt++; 587 IEEE80211_NODE_STAT(ni, rx_mgmt); 588 if (dir != IEEE80211_FC1_DIR_NODS) { 589 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 590 wh, "data", "incorrect dir 0x%x", dir); 591 vap->iv_stats.is_rx_wrongdir++; 592 goto err; 593 } 594 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 595 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 596 ni->ni_macaddr, "mgt", "too short: len %u", 597 m->m_pkthdr.len); 598 vap->iv_stats.is_rx_tooshort++; 599 goto out; 600 } 601 #ifdef IEEE80211_DEBUG 602 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 603 ieee80211_msg_dumppkts(vap)) { 604 if_printf(ifp, "received %s from %s rssi %d\n", 605 ieee80211_mgt_subtype_name[subtype >> 606 IEEE80211_FC0_SUBTYPE_SHIFT], 607 ether_sprintf(wh->i_addr2), rssi); 608 } 609 #endif 610 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 611 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 612 wh, NULL, "%s", "WEP set but not permitted"); 613 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 614 goto out; 615 } 616 if (bpf_peers_present(vap->iv_rawbpf)) 617 bpf_mtap(vap->iv_rawbpf, m); 618 /* NB: only IBSS mode gets mgt frames */ 619 if (vap->iv_opmode == IEEE80211_M_IBSS) 620 vap->iv_recv_mgmt(ni, m, subtype, rssi, noise, rstamp); 621 m_freem(m); 622 return IEEE80211_FC0_TYPE_MGT; 623 624 case IEEE80211_FC0_TYPE_CTL: 625 vap->iv_stats.is_rx_ctl++; 626 IEEE80211_NODE_STAT(ni, rx_ctrl); 627 goto out; 628 default: 629 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 630 wh, "bad", "frame type 0x%x", type); 631 /* should not come here */ 632 break; 633 } 634 err: 635 ifp->if_ierrors++; 636 out: 637 if (m != NULL) { 638 if (bpf_peers_present(vap->iv_rawbpf) && need_tap) 639 bpf_mtap(vap->iv_rawbpf, m); 640 m_freem(m); 641 } 642 return type; 643 #undef SEQ_LEQ 644 } 645 646 static int 647 is11bclient(const uint8_t *rates, const uint8_t *xrates) 648 { 649 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 650 int i; 651 652 /* NB: the 11b clients we care about will not have xrates */ 653 if (xrates != NULL || rates == NULL) 654 return 0; 655 for (i = 0; i < rates[1]; i++) { 656 int r = rates[2+i] & IEEE80211_RATE_VAL; 657 if (r > 2*11 || ((1<<r) & brates) == 0) 658 return 0; 659 } 660 return 1; 661 } 662 663 static void 664 adhoc_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 665 int subtype, int rssi, int noise, uint32_t rstamp) 666 { 667 struct ieee80211vap *vap = ni->ni_vap; 668 struct ieee80211com *ic = ni->ni_ic; 669 struct ieee80211_frame *wh; 670 uint8_t *frm, *efrm, *sfrm; 671 uint8_t *ssid, *rates, *xrates; 672 673 wh = mtod(m0, struct ieee80211_frame *); 674 frm = (uint8_t *)&wh[1]; 675 efrm = mtod(m0, uint8_t *) + m0->m_len; 676 switch (subtype) { 677 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 678 case IEEE80211_FC0_SUBTYPE_BEACON: { 679 struct ieee80211_scanparams scan; 680 /* 681 * We process beacon/probe response 682 * frames to discover neighbors. 683 */ 684 if (ieee80211_parse_beacon(ni, m0, &scan) != 0) 685 return; 686 /* 687 * Count frame now that we know it's to be processed. 688 */ 689 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 690 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 691 IEEE80211_NODE_STAT(ni, rx_beacons); 692 } else 693 IEEE80211_NODE_STAT(ni, rx_proberesp); 694 /* 695 * If scanning, just pass information to the scan module. 696 */ 697 if (ic->ic_flags & IEEE80211_F_SCAN) { 698 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) { 699 /* 700 * Actively scanning a channel marked passive; 701 * send a probe request now that we know there 702 * is 802.11 traffic present. 703 * 704 * XXX check if the beacon we recv'd gives 705 * us what we need and suppress the probe req 706 */ 707 ieee80211_probe_curchan(vap, 1); 708 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 709 } 710 ieee80211_add_scan(vap, &scan, wh, 711 subtype, rssi, noise, rstamp); 712 return; 713 } 714 if (scan.capinfo & IEEE80211_CAPINFO_IBSS) { 715 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 716 /* 717 * Create a new entry in the neighbor table. 718 */ 719 ni = ieee80211_add_neighbor(vap, wh, &scan); 720 } else if (ni->ni_capinfo == 0) { 721 /* 722 * Update faked node created on transmit. 723 * Note this also updates the tsf. 724 */ 725 ieee80211_init_neighbor(ni, wh, &scan); 726 } else { 727 /* 728 * Record tsf for potential resync. 729 */ 730 memcpy(ni->ni_tstamp.data, scan.tstamp, 731 sizeof(ni->ni_tstamp)); 732 } 733 if (ni != NULL) { 734 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 735 ni->ni_noise = noise; 736 ni->ni_rstamp = rstamp; 737 } 738 } 739 break; 740 } 741 742 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 743 if (vap->iv_state != IEEE80211_S_RUN) { 744 vap->iv_stats.is_rx_mgtdiscard++; 745 return; 746 } 747 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 748 /* frame must be directed */ 749 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 750 return; 751 } 752 753 /* 754 * prreq frame format 755 * [tlv] ssid 756 * [tlv] supported rates 757 * [tlv] extended supported rates 758 */ 759 ssid = rates = xrates = NULL; 760 sfrm = frm; 761 while (efrm - frm > 1) { 762 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 763 switch (*frm) { 764 case IEEE80211_ELEMID_SSID: 765 ssid = frm; 766 break; 767 case IEEE80211_ELEMID_RATES: 768 rates = frm; 769 break; 770 case IEEE80211_ELEMID_XRATES: 771 xrates = frm; 772 break; 773 } 774 frm += frm[1] + 2; 775 } 776 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 777 if (xrates != NULL) 778 IEEE80211_VERIFY_ELEMENT(xrates, 779 IEEE80211_RATE_MAXSIZE - rates[1], return); 780 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 781 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 782 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 783 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 784 wh, NULL, 785 "%s", "no ssid with ssid suppression enabled"); 786 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 787 return; 788 } 789 790 /* XXX find a better class or define it's own */ 791 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 792 "%s", "recv probe req"); 793 /* 794 * Some legacy 11b clients cannot hack a complete 795 * probe response frame. When the request includes 796 * only a bare-bones rate set, communicate this to 797 * the transmit side. 798 */ 799 ieee80211_send_proberesp(vap, wh->i_addr2, 800 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 801 break; 802 803 case IEEE80211_FC0_SUBTYPE_ACTION: { 804 const struct ieee80211_action *ia; 805 806 if (vap->iv_state != IEEE80211_S_RUN) { 807 vap->iv_stats.is_rx_mgtdiscard++; 808 return; 809 } 810 /* 811 * action frame format: 812 * [1] category 813 * [1] action 814 * [tlv] parameters 815 */ 816 IEEE80211_VERIFY_LENGTH(efrm - frm, 817 sizeof(struct ieee80211_action), return); 818 ia = (const struct ieee80211_action *) frm; 819 820 vap->iv_stats.is_rx_action++; 821 IEEE80211_NODE_STAT(ni, rx_action); 822 823 /* verify frame payloads but defer processing */ 824 /* XXX maybe push this to method */ 825 switch (ia->ia_category) { 826 case IEEE80211_ACTION_CAT_BA: 827 switch (ia->ia_action) { 828 case IEEE80211_ACTION_BA_ADDBA_REQUEST: 829 IEEE80211_VERIFY_LENGTH(efrm - frm, 830 sizeof(struct ieee80211_action_ba_addbarequest), 831 return); 832 break; 833 case IEEE80211_ACTION_BA_ADDBA_RESPONSE: 834 IEEE80211_VERIFY_LENGTH(efrm - frm, 835 sizeof(struct ieee80211_action_ba_addbaresponse), 836 return); 837 break; 838 case IEEE80211_ACTION_BA_DELBA: 839 IEEE80211_VERIFY_LENGTH(efrm - frm, 840 sizeof(struct ieee80211_action_ba_delba), 841 return); 842 break; 843 } 844 break; 845 case IEEE80211_ACTION_CAT_HT: 846 switch (ia->ia_action) { 847 case IEEE80211_ACTION_HT_TXCHWIDTH: 848 IEEE80211_VERIFY_LENGTH(efrm - frm, 849 sizeof(struct ieee80211_action_ht_txchwidth), 850 return); 851 break; 852 } 853 break; 854 } 855 ic->ic_recv_action(ni, frm, efrm); 856 break; 857 } 858 859 case IEEE80211_FC0_SUBTYPE_AUTH: 860 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 861 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 862 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 863 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 864 case IEEE80211_FC0_SUBTYPE_DEAUTH: 865 case IEEE80211_FC0_SUBTYPE_DISASSOC: 866 vap->iv_stats.is_rx_mgtdiscard++; 867 return; 868 869 default: 870 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 871 wh, "mgt", "subtype 0x%x not handled", subtype); 872 vap->iv_stats.is_rx_badsubtype++; 873 break; 874 } 875 } 876 #undef IEEE80211_VERIFY_LENGTH 877 #undef IEEE80211_VERIFY_ELEMENT 878