1 /*- 2 * Copyright (c) 2007-2009 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26 #include <sys/cdefs.h> 27 #ifdef __FreeBSD__ 28 __FBSDID("$FreeBSD$"); 29 #endif 30 31 /* 32 * IEEE 802.11 IBSS mode support. 33 */ 34 #include "opt_inet.h" 35 #include "opt_wlan.h" 36 37 #include <sys/param.h> 38 #include <sys/systm.h> 39 #include <sys/mbuf.h> 40 #include <sys/malloc.h> 41 #include <sys/kernel.h> 42 43 #include <sys/socket.h> 44 #include <sys/sockio.h> 45 #include <sys/endian.h> 46 #include <sys/errno.h> 47 #include <sys/proc.h> 48 #include <sys/sysctl.h> 49 50 #include <net/if.h> 51 #include <net/if_var.h> 52 #include <net/if_media.h> 53 #include <net/if_llc.h> 54 #include <net/ethernet.h> 55 56 #include <net/bpf.h> 57 58 #include <net80211/ieee80211_var.h> 59 #include <net80211/ieee80211_adhoc.h> 60 #include <net80211/ieee80211_input.h> 61 #ifdef IEEE80211_SUPPORT_SUPERG 62 #include <net80211/ieee80211_superg.h> 63 #endif 64 #ifdef IEEE80211_SUPPORT_TDMA 65 #include <net80211/ieee80211_tdma.h> 66 #endif 67 #include <net80211/ieee80211_sta.h> 68 69 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 70 71 static void adhoc_vattach(struct ieee80211vap *); 72 static int adhoc_newstate(struct ieee80211vap *, enum ieee80211_state, int); 73 static int adhoc_input(struct ieee80211_node *, struct mbuf *, int, int); 74 static void adhoc_recv_mgmt(struct ieee80211_node *, struct mbuf *, 75 int subtype, int, int); 76 static void ahdemo_recv_mgmt(struct ieee80211_node *, struct mbuf *, 77 int subtype, int, int); 78 static void adhoc_recv_ctl(struct ieee80211_node *, struct mbuf *, int subtype); 79 80 void 81 ieee80211_adhoc_attach(struct ieee80211com *ic) 82 { 83 ic->ic_vattach[IEEE80211_M_IBSS] = adhoc_vattach; 84 ic->ic_vattach[IEEE80211_M_AHDEMO] = adhoc_vattach; 85 } 86 87 void 88 ieee80211_adhoc_detach(struct ieee80211com *ic) 89 { 90 } 91 92 static void 93 adhoc_vdetach(struct ieee80211vap *vap) 94 { 95 } 96 97 static void 98 adhoc_vattach(struct ieee80211vap *vap) 99 { 100 vap->iv_newstate = adhoc_newstate; 101 vap->iv_input = adhoc_input; 102 if (vap->iv_opmode == IEEE80211_M_IBSS) 103 vap->iv_recv_mgmt = adhoc_recv_mgmt; 104 else 105 vap->iv_recv_mgmt = ahdemo_recv_mgmt; 106 vap->iv_recv_ctl = adhoc_recv_ctl; 107 vap->iv_opdetach = adhoc_vdetach; 108 #ifdef IEEE80211_SUPPORT_TDMA 109 /* 110 * Throw control to tdma support. Note we do this 111 * after setting up our callbacks so it can piggyback 112 * on top of us. 113 */ 114 if (vap->iv_caps & IEEE80211_C_TDMA) 115 ieee80211_tdma_vattach(vap); 116 #endif 117 } 118 119 static void 120 sta_leave(void *arg, struct ieee80211_node *ni) 121 { 122 struct ieee80211vap *vap = arg; 123 124 if (ni->ni_vap == vap && ni != vap->iv_bss) 125 ieee80211_node_leave(ni); 126 } 127 128 /* 129 * IEEE80211_M_IBSS+IEEE80211_M_AHDEMO vap state machine handler. 130 */ 131 static int 132 adhoc_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 133 { 134 struct ieee80211com *ic = vap->iv_ic; 135 struct ieee80211_node *ni; 136 enum ieee80211_state ostate; 137 138 IEEE80211_LOCK_ASSERT(vap->iv_ic); 139 140 ostate = vap->iv_state; 141 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 142 __func__, ieee80211_state_name[ostate], 143 ieee80211_state_name[nstate], arg); 144 vap->iv_state = nstate; /* state transition */ 145 if (ostate != IEEE80211_S_SCAN) 146 ieee80211_cancel_scan(vap); /* background scan */ 147 ni = vap->iv_bss; /* NB: no reference held */ 148 switch (nstate) { 149 case IEEE80211_S_INIT: 150 switch (ostate) { 151 case IEEE80211_S_SCAN: 152 ieee80211_cancel_scan(vap); 153 break; 154 default: 155 break; 156 } 157 if (ostate != IEEE80211_S_INIT) { 158 /* NB: optimize INIT -> INIT case */ 159 ieee80211_reset_bss(vap); 160 } 161 break; 162 case IEEE80211_S_SCAN: 163 switch (ostate) { 164 case IEEE80211_S_RUN: /* beacon miss */ 165 /* purge station table; entries are stale */ 166 ieee80211_iterate_nodes(&ic->ic_sta, sta_leave, vap); 167 /* fall thru... */ 168 case IEEE80211_S_INIT: 169 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 170 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 171 /* 172 * Already have a channel; bypass the 173 * scan and startup immediately. 174 */ 175 ieee80211_create_ibss(vap, 176 ieee80211_ht_adjust_channel(ic, 177 vap->iv_des_chan, vap->iv_flags_ht)); 178 break; 179 } 180 /* 181 * Initiate a scan. We can come here as a result 182 * of an IEEE80211_IOC_SCAN_REQ too in which case 183 * the vap will be marked with IEEE80211_FEXT_SCANREQ 184 * and the scan request parameters will be present 185 * in iv_scanreq. Otherwise we do the default. 186 */ 187 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 188 ieee80211_check_scan(vap, 189 vap->iv_scanreq_flags, 190 vap->iv_scanreq_duration, 191 vap->iv_scanreq_mindwell, 192 vap->iv_scanreq_maxdwell, 193 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 194 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 195 } else 196 ieee80211_check_scan_current(vap); 197 break; 198 case IEEE80211_S_SCAN: 199 /* 200 * This can happen because of a change in state 201 * that requires a reset. Trigger a new scan 202 * unless we're in manual roaming mode in which 203 * case an application must issue an explicit request. 204 */ 205 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) 206 ieee80211_check_scan_current(vap); 207 break; 208 default: 209 goto invalid; 210 } 211 break; 212 case IEEE80211_S_RUN: 213 if (vap->iv_flags & IEEE80211_F_WPA) { 214 /* XXX validate prerequisites */ 215 } 216 switch (ostate) { 217 case IEEE80211_S_SCAN: 218 #ifdef IEEE80211_DEBUG 219 if (ieee80211_msg_debug(vap)) { 220 ieee80211_note(vap, 221 "synchronized with %s ssid ", 222 ether_sprintf(ni->ni_bssid)); 223 ieee80211_print_essid(vap->iv_bss->ni_essid, 224 ni->ni_esslen); 225 /* XXX MCS/HT */ 226 printf(" channel %d start %uMb\n", 227 ieee80211_chan2ieee(ic, ic->ic_curchan), 228 IEEE80211_RATE2MBS(ni->ni_txrate)); 229 } 230 #endif 231 break; 232 default: 233 goto invalid; 234 } 235 /* 236 * When 802.1x is not in use mark the port authorized 237 * at this point so traffic can flow. 238 */ 239 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 240 ieee80211_node_authorize(ni); 241 /* 242 * Fake association when joining an existing bss. 243 */ 244 if (!IEEE80211_ADDR_EQ(ni->ni_macaddr, vap->iv_myaddr) && 245 ic->ic_newassoc != NULL) 246 ic->ic_newassoc(ni, ostate != IEEE80211_S_RUN); 247 break; 248 case IEEE80211_S_SLEEP: 249 vap->iv_sta_ps(vap, 0); 250 break; 251 default: 252 invalid: 253 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, 254 "%s: unexpected state transition %s -> %s\n", __func__, 255 ieee80211_state_name[ostate], ieee80211_state_name[nstate]); 256 break; 257 } 258 return 0; 259 } 260 261 /* 262 * Decide if a received management frame should be 263 * printed when debugging is enabled. This filters some 264 * of the less interesting frames that come frequently 265 * (e.g. beacons). 266 */ 267 static __inline int 268 doprint(struct ieee80211vap *vap, int subtype) 269 { 270 switch (subtype) { 271 case IEEE80211_FC0_SUBTYPE_BEACON: 272 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 273 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 274 return 1; 275 } 276 return 1; 277 } 278 279 /* 280 * Process a received frame. The node associated with the sender 281 * should be supplied. If nothing was found in the node table then 282 * the caller is assumed to supply a reference to iv_bss instead. 283 * The RSSI and a timestamp are also supplied. The RSSI data is used 284 * during AP scanning to select a AP to associate with; it can have 285 * any units so long as values have consistent units and higher values 286 * mean ``better signal''. The receive timestamp is currently not used 287 * by the 802.11 layer. 288 */ 289 static int 290 adhoc_input(struct ieee80211_node *ni, struct mbuf *m, int rssi, int nf) 291 { 292 #define HAS_SEQ(type) ((type & 0x4) == 0) 293 struct ieee80211vap *vap = ni->ni_vap; 294 struct ieee80211com *ic = ni->ni_ic; 295 struct ifnet *ifp = vap->iv_ifp; 296 struct ieee80211_frame *wh; 297 struct ieee80211_key *key; 298 struct ether_header *eh; 299 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */ 300 uint8_t dir, type, subtype, qos; 301 uint8_t *bssid; 302 uint16_t rxseq; 303 304 if (m->m_flags & M_AMPDU_MPDU) { 305 /* 306 * Fastpath for A-MPDU reorder q resubmission. Frames 307 * w/ M_AMPDU_MPDU marked have already passed through 308 * here but were received out of order and been held on 309 * the reorder queue. When resubmitted they are marked 310 * with the M_AMPDU_MPDU flag and we can bypass most of 311 * the normal processing. 312 */ 313 wh = mtod(m, struct ieee80211_frame *); 314 type = IEEE80211_FC0_TYPE_DATA; 315 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 316 subtype = IEEE80211_FC0_SUBTYPE_QOS; 317 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 318 goto resubmit_ampdu; 319 } 320 321 KASSERT(ni != NULL, ("null node")); 322 ni->ni_inact = ni->ni_inact_reload; 323 324 type = -1; /* undefined */ 325 326 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 327 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 328 ni->ni_macaddr, NULL, 329 "too short (1): len %u", m->m_pkthdr.len); 330 vap->iv_stats.is_rx_tooshort++; 331 goto out; 332 } 333 /* 334 * Bit of a cheat here, we use a pointer for a 3-address 335 * frame format but don't reference fields past outside 336 * ieee80211_frame_min w/o first validating the data is 337 * present. 338 */ 339 wh = mtod(m, struct ieee80211_frame *); 340 341 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 342 IEEE80211_FC0_VERSION_0) { 343 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 344 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 345 wh->i_fc[0], wh->i_fc[1]); 346 vap->iv_stats.is_rx_badversion++; 347 goto err; 348 } 349 350 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 351 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 352 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 353 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 354 if (dir != IEEE80211_FC1_DIR_NODS) 355 bssid = wh->i_addr1; 356 else if (type == IEEE80211_FC0_TYPE_CTL) 357 bssid = wh->i_addr1; 358 else { 359 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 360 IEEE80211_DISCARD_MAC(vap, 361 IEEE80211_MSG_ANY, ni->ni_macaddr, 362 NULL, "too short (2): len %u", 363 m->m_pkthdr.len); 364 vap->iv_stats.is_rx_tooshort++; 365 goto out; 366 } 367 bssid = wh->i_addr3; 368 } 369 /* 370 * Validate the bssid. 371 */ 372 if (!IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 373 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 374 /* not interested in */ 375 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 376 bssid, NULL, "%s", "not to bss"); 377 vap->iv_stats.is_rx_wrongbss++; 378 goto out; 379 } 380 /* 381 * Data frame, cons up a node when it doesn't 382 * exist. This should probably done after an ACL check. 383 */ 384 if (type == IEEE80211_FC0_TYPE_DATA && 385 ni == vap->iv_bss && 386 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 387 /* 388 * Beware of frames that come in too early; we 389 * can receive broadcast frames and creating sta 390 * entries will blow up because there is no bss 391 * channel yet. 392 */ 393 if (vap->iv_state != IEEE80211_S_RUN) { 394 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 395 wh, "data", "not in RUN state (%s)", 396 ieee80211_state_name[vap->iv_state]); 397 vap->iv_stats.is_rx_badstate++; 398 goto err; 399 } 400 /* 401 * Fake up a node for this newly 402 * discovered member of the IBSS. 403 */ 404 ni = ieee80211_fakeup_adhoc_node(vap, wh->i_addr2); 405 if (ni == NULL) { 406 /* NB: stat kept for alloc failure */ 407 goto err; 408 } 409 } 410 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 411 ni->ni_noise = nf; 412 if (HAS_SEQ(type)) { 413 uint8_t tid = ieee80211_gettid(wh); 414 if (IEEE80211_QOS_HAS_SEQ(wh) && 415 TID_TO_WME_AC(tid) >= WME_AC_VI) 416 ic->ic_wme.wme_hipri_traffic++; 417 rxseq = le16toh(*(uint16_t *)wh->i_seq); 418 if (! ieee80211_check_rxseq(ni, wh)) { 419 /* duplicate, discard */ 420 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 421 bssid, "duplicate", 422 "seqno <%u,%u> fragno <%u,%u> tid %u", 423 rxseq >> IEEE80211_SEQ_SEQ_SHIFT, 424 ni->ni_rxseqs[tid] >> 425 IEEE80211_SEQ_SEQ_SHIFT, 426 rxseq & IEEE80211_SEQ_FRAG_MASK, 427 ni->ni_rxseqs[tid] & 428 IEEE80211_SEQ_FRAG_MASK, 429 tid); 430 vap->iv_stats.is_rx_dup++; 431 IEEE80211_NODE_STAT(ni, rx_dup); 432 goto out; 433 } 434 ni->ni_rxseqs[tid] = rxseq; 435 } 436 } 437 438 switch (type) { 439 case IEEE80211_FC0_TYPE_DATA: 440 hdrspace = ieee80211_hdrspace(ic, wh); 441 if (m->m_len < hdrspace && 442 (m = m_pullup(m, hdrspace)) == NULL) { 443 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 444 ni->ni_macaddr, NULL, 445 "data too short: expecting %u", hdrspace); 446 vap->iv_stats.is_rx_tooshort++; 447 goto out; /* XXX */ 448 } 449 if (dir != IEEE80211_FC1_DIR_NODS) { 450 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 451 wh, "data", "incorrect dir 0x%x", dir); 452 vap->iv_stats.is_rx_wrongdir++; 453 goto out; 454 } 455 /* XXX no power-save support */ 456 457 /* 458 * Handle A-MPDU re-ordering. If the frame is to be 459 * processed directly then ieee80211_ampdu_reorder 460 * will return 0; otherwise it has consumed the mbuf 461 * and we should do nothing more with it. 462 */ 463 if ((m->m_flags & M_AMPDU) && 464 ieee80211_ampdu_reorder(ni, m) != 0) { 465 m = NULL; 466 goto out; 467 } 468 resubmit_ampdu: 469 470 /* 471 * Handle privacy requirements. Note that we 472 * must not be preempted from here until after 473 * we (potentially) call ieee80211_crypto_demic; 474 * otherwise we may violate assumptions in the 475 * crypto cipher modules used to do delayed update 476 * of replay sequence numbers. 477 */ 478 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { 479 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 480 /* 481 * Discard encrypted frames when privacy is off. 482 */ 483 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 484 wh, "WEP", "%s", "PRIVACY off"); 485 vap->iv_stats.is_rx_noprivacy++; 486 IEEE80211_NODE_STAT(ni, rx_noprivacy); 487 goto out; 488 } 489 key = ieee80211_crypto_decap(ni, m, hdrspace); 490 if (key == NULL) { 491 /* NB: stats+msgs handled in crypto_decap */ 492 IEEE80211_NODE_STAT(ni, rx_wepfail); 493 goto out; 494 } 495 wh = mtod(m, struct ieee80211_frame *); 496 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 497 } else { 498 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 499 key = NULL; 500 } 501 502 /* 503 * Save QoS bits for use below--before we strip the header. 504 */ 505 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) { 506 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ? 507 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] : 508 ((struct ieee80211_qosframe *)wh)->i_qos[0]; 509 } else 510 qos = 0; 511 512 /* 513 * Next up, any fragmentation. 514 */ 515 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 516 m = ieee80211_defrag(ni, m, hdrspace); 517 if (m == NULL) { 518 /* Fragment dropped or frame not complete yet */ 519 goto out; 520 } 521 } 522 wh = NULL; /* no longer valid, catch any uses */ 523 524 /* 525 * Next strip any MSDU crypto bits. 526 */ 527 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 528 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 529 ni->ni_macaddr, "data", "%s", "demic error"); 530 vap->iv_stats.is_rx_demicfail++; 531 IEEE80211_NODE_STAT(ni, rx_demicfail); 532 goto out; 533 } 534 535 /* copy to listener after decrypt */ 536 if (ieee80211_radiotap_active_vap(vap)) 537 ieee80211_radiotap_rx(vap, m); 538 need_tap = 0; 539 540 /* 541 * Finally, strip the 802.11 header. 542 */ 543 m = ieee80211_decap(vap, m, hdrspace); 544 if (m == NULL) { 545 /* XXX mask bit to check for both */ 546 /* don't count Null data frames as errors */ 547 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 548 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 549 goto out; 550 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 551 ni->ni_macaddr, "data", "%s", "decap error"); 552 vap->iv_stats.is_rx_decap++; 553 IEEE80211_NODE_STAT(ni, rx_decap); 554 goto err; 555 } 556 eh = mtod(m, struct ether_header *); 557 if (!ieee80211_node_is_authorized(ni)) { 558 /* 559 * Deny any non-PAE frames received prior to 560 * authorization. For open/shared-key 561 * authentication the port is mark authorized 562 * after authentication completes. For 802.1x 563 * the port is not marked authorized by the 564 * authenticator until the handshake has completed. 565 */ 566 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 567 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 568 eh->ether_shost, "data", 569 "unauthorized port: ether type 0x%x len %u", 570 eh->ether_type, m->m_pkthdr.len); 571 vap->iv_stats.is_rx_unauth++; 572 IEEE80211_NODE_STAT(ni, rx_unauth); 573 goto err; 574 } 575 } else { 576 /* 577 * When denying unencrypted frames, discard 578 * any non-PAE frames received without encryption. 579 */ 580 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 581 (key == NULL && (m->m_flags & M_WEP) == 0) && 582 eh->ether_type != htons(ETHERTYPE_PAE)) { 583 /* 584 * Drop unencrypted frames. 585 */ 586 vap->iv_stats.is_rx_unencrypted++; 587 IEEE80211_NODE_STAT(ni, rx_unencrypted); 588 goto out; 589 } 590 } 591 /* XXX require HT? */ 592 if (qos & IEEE80211_QOS_AMSDU) { 593 m = ieee80211_decap_amsdu(ni, m); 594 if (m == NULL) 595 return IEEE80211_FC0_TYPE_DATA; 596 } else { 597 #ifdef IEEE80211_SUPPORT_SUPERG 598 m = ieee80211_decap_fastframe(vap, ni, m); 599 if (m == NULL) 600 return IEEE80211_FC0_TYPE_DATA; 601 #endif 602 } 603 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 604 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 605 else 606 ieee80211_deliver_data(vap, ni, m); 607 return IEEE80211_FC0_TYPE_DATA; 608 609 case IEEE80211_FC0_TYPE_MGT: 610 vap->iv_stats.is_rx_mgmt++; 611 IEEE80211_NODE_STAT(ni, rx_mgmt); 612 if (dir != IEEE80211_FC1_DIR_NODS) { 613 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 614 wh, "data", "incorrect dir 0x%x", dir); 615 vap->iv_stats.is_rx_wrongdir++; 616 goto err; 617 } 618 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 619 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 620 ni->ni_macaddr, "mgt", "too short: len %u", 621 m->m_pkthdr.len); 622 vap->iv_stats.is_rx_tooshort++; 623 goto out; 624 } 625 #ifdef IEEE80211_DEBUG 626 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 627 ieee80211_msg_dumppkts(vap)) { 628 if_printf(ifp, "received %s from %s rssi %d\n", 629 ieee80211_mgt_subtype_name[subtype >> 630 IEEE80211_FC0_SUBTYPE_SHIFT], 631 ether_sprintf(wh->i_addr2), rssi); 632 } 633 #endif 634 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { 635 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 636 wh, NULL, "%s", "WEP set but not permitted"); 637 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 638 goto out; 639 } 640 vap->iv_recv_mgmt(ni, m, subtype, rssi, nf); 641 goto out; 642 643 case IEEE80211_FC0_TYPE_CTL: 644 vap->iv_stats.is_rx_ctl++; 645 IEEE80211_NODE_STAT(ni, rx_ctrl); 646 vap->iv_recv_ctl(ni, m, subtype); 647 goto out; 648 649 default: 650 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 651 wh, "bad", "frame type 0x%x", type); 652 /* should not come here */ 653 break; 654 } 655 err: 656 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 657 out: 658 if (m != NULL) { 659 if (need_tap && ieee80211_radiotap_active_vap(vap)) 660 ieee80211_radiotap_rx(vap, m); 661 m_freem(m); 662 } 663 return type; 664 } 665 666 static int 667 is11bclient(const uint8_t *rates, const uint8_t *xrates) 668 { 669 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 670 int i; 671 672 /* NB: the 11b clients we care about will not have xrates */ 673 if (xrates != NULL || rates == NULL) 674 return 0; 675 for (i = 0; i < rates[1]; i++) { 676 int r = rates[2+i] & IEEE80211_RATE_VAL; 677 if (r > 2*11 || ((1<<r) & brates) == 0) 678 return 0; 679 } 680 return 1; 681 } 682 683 static void 684 adhoc_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 685 int subtype, int rssi, int nf) 686 { 687 struct ieee80211vap *vap = ni->ni_vap; 688 struct ieee80211com *ic = ni->ni_ic; 689 struct ieee80211_frame *wh; 690 uint8_t *frm, *efrm, *sfrm; 691 uint8_t *ssid, *rates, *xrates; 692 #if 0 693 int ht_state_change = 0; 694 #endif 695 696 wh = mtod(m0, struct ieee80211_frame *); 697 frm = (uint8_t *)&wh[1]; 698 efrm = mtod(m0, uint8_t *) + m0->m_len; 699 switch (subtype) { 700 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 701 case IEEE80211_FC0_SUBTYPE_BEACON: { 702 struct ieee80211_scanparams scan; 703 /* 704 * We process beacon/probe response 705 * frames to discover neighbors. 706 */ 707 if (ieee80211_parse_beacon(ni, m0, &scan) != 0) 708 return; 709 /* 710 * Count frame now that we know it's to be processed. 711 */ 712 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 713 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 714 IEEE80211_NODE_STAT(ni, rx_beacons); 715 } else 716 IEEE80211_NODE_STAT(ni, rx_proberesp); 717 /* 718 * If scanning, just pass information to the scan module. 719 */ 720 if (ic->ic_flags & IEEE80211_F_SCAN) { 721 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) { 722 /* 723 * Actively scanning a channel marked passive; 724 * send a probe request now that we know there 725 * is 802.11 traffic present. 726 * 727 * XXX check if the beacon we recv'd gives 728 * us what we need and suppress the probe req 729 */ 730 ieee80211_probe_curchan(vap, 1); 731 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 732 } 733 ieee80211_add_scan(vap, &scan, wh, subtype, rssi, nf); 734 return; 735 } 736 if (scan.capinfo & IEEE80211_CAPINFO_IBSS) { 737 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 738 /* 739 * Create a new entry in the neighbor table. 740 */ 741 ni = ieee80211_add_neighbor(vap, wh, &scan); 742 } else if (ni->ni_capinfo == 0) { 743 /* 744 * Update faked node created on transmit. 745 * Note this also updates the tsf. 746 */ 747 ieee80211_init_neighbor(ni, wh, &scan); 748 } else { 749 /* 750 * Record tsf for potential resync. 751 */ 752 memcpy(ni->ni_tstamp.data, scan.tstamp, 753 sizeof(ni->ni_tstamp)); 754 } 755 /* 756 * This isn't enabled yet - otherwise it would 757 * update the HT parameters and channel width 758 * from any node, which could lead to lots of 759 * strange behaviour if the 11n nodes aren't 760 * exactly configured to match. 761 */ 762 #if 0 763 if (scan.htcap != NULL && scan.htinfo != NULL && 764 (vap->iv_flags_ht & IEEE80211_FHT_HT)) { 765 if (ieee80211_ht_updateparams(ni, 766 scan.htcap, scan.htinfo)) 767 ht_state_change = 1; 768 } 769 #endif 770 if (ni != NULL) { 771 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 772 ni->ni_noise = nf; 773 } 774 /* 775 * Same here - the channel width change should 776 * be applied to the specific peer node, not 777 * to the ic. Ie, the interface configuration 778 * should stay in its current channel width; 779 * but it should change the rate control and 780 * any queued frames for the given node only. 781 * 782 * Since there's no (current) way to inform 783 * the driver that a channel width change has 784 * occured for a single node, just stub this 785 * out. 786 */ 787 #if 0 788 if (ht_state_change) 789 ieee80211_update_chw(ic); 790 #endif 791 } 792 break; 793 } 794 795 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 796 if (vap->iv_state != IEEE80211_S_RUN) { 797 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 798 wh, NULL, "wrong state %s", 799 ieee80211_state_name[vap->iv_state]); 800 vap->iv_stats.is_rx_mgtdiscard++; 801 return; 802 } 803 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 804 /* frame must be directed */ 805 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 806 wh, NULL, "%s", "not unicast"); 807 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 808 return; 809 } 810 811 /* 812 * prreq frame format 813 * [tlv] ssid 814 * [tlv] supported rates 815 * [tlv] extended supported rates 816 */ 817 ssid = rates = xrates = NULL; 818 sfrm = frm; 819 while (efrm - frm > 1) { 820 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 821 switch (*frm) { 822 case IEEE80211_ELEMID_SSID: 823 ssid = frm; 824 break; 825 case IEEE80211_ELEMID_RATES: 826 rates = frm; 827 break; 828 case IEEE80211_ELEMID_XRATES: 829 xrates = frm; 830 break; 831 } 832 frm += frm[1] + 2; 833 } 834 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 835 if (xrates != NULL) 836 IEEE80211_VERIFY_ELEMENT(xrates, 837 IEEE80211_RATE_MAXSIZE - rates[1], return); 838 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 839 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 840 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 841 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 842 wh, NULL, 843 "%s", "no ssid with ssid suppression enabled"); 844 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 845 return; 846 } 847 848 /* XXX find a better class or define it's own */ 849 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 850 "%s", "recv probe req"); 851 /* 852 * Some legacy 11b clients cannot hack a complete 853 * probe response frame. When the request includes 854 * only a bare-bones rate set, communicate this to 855 * the transmit side. 856 */ 857 ieee80211_send_proberesp(vap, wh->i_addr2, 858 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 859 break; 860 861 case IEEE80211_FC0_SUBTYPE_ACTION: 862 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 863 if (ni == vap->iv_bss) { 864 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 865 wh, NULL, "%s", "unknown node"); 866 vap->iv_stats.is_rx_mgtdiscard++; 867 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && 868 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 869 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 870 wh, NULL, "%s", "not for us"); 871 vap->iv_stats.is_rx_mgtdiscard++; 872 } else if (vap->iv_state != IEEE80211_S_RUN) { 873 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 874 wh, NULL, "wrong state %s", 875 ieee80211_state_name[vap->iv_state]); 876 vap->iv_stats.is_rx_mgtdiscard++; 877 } else { 878 if (ieee80211_parse_action(ni, m0) == 0) 879 (void)ic->ic_recv_action(ni, wh, frm, efrm); 880 } 881 break; 882 883 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 884 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 885 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 886 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 887 case IEEE80211_FC0_SUBTYPE_ATIM: 888 case IEEE80211_FC0_SUBTYPE_DISASSOC: 889 case IEEE80211_FC0_SUBTYPE_AUTH: 890 case IEEE80211_FC0_SUBTYPE_DEAUTH: 891 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 892 wh, NULL, "%s", "not handled"); 893 vap->iv_stats.is_rx_mgtdiscard++; 894 break; 895 896 default: 897 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 898 wh, "mgt", "subtype 0x%x not handled", subtype); 899 vap->iv_stats.is_rx_badsubtype++; 900 break; 901 } 902 } 903 #undef IEEE80211_VERIFY_LENGTH 904 #undef IEEE80211_VERIFY_ELEMENT 905 906 static void 907 ahdemo_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 908 int subtype, int rssi, int nf) 909 { 910 struct ieee80211vap *vap = ni->ni_vap; 911 struct ieee80211com *ic = ni->ni_ic; 912 struct ieee80211_frame *wh; 913 914 /* 915 * Process management frames when scanning; useful for doing 916 * a site-survey. 917 */ 918 if (ic->ic_flags & IEEE80211_F_SCAN) 919 adhoc_recv_mgmt(ni, m0, subtype, rssi, nf); 920 else { 921 wh = mtod(m0, struct ieee80211_frame *); 922 switch (subtype) { 923 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 924 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 925 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 926 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 927 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 928 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 929 case IEEE80211_FC0_SUBTYPE_BEACON: 930 case IEEE80211_FC0_SUBTYPE_ATIM: 931 case IEEE80211_FC0_SUBTYPE_DISASSOC: 932 case IEEE80211_FC0_SUBTYPE_AUTH: 933 case IEEE80211_FC0_SUBTYPE_DEAUTH: 934 case IEEE80211_FC0_SUBTYPE_ACTION: 935 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 936 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 937 wh, NULL, "%s", "not handled"); 938 vap->iv_stats.is_rx_mgtdiscard++; 939 break; 940 default: 941 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 942 wh, "mgt", "subtype 0x%x not handled", subtype); 943 vap->iv_stats.is_rx_badsubtype++; 944 break; 945 } 946 } 947 } 948 949 static void 950 adhoc_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype) 951 { 952 953 switch (subtype) { 954 case IEEE80211_FC0_SUBTYPE_BAR: 955 ieee80211_recv_bar(ni, m); 956 break; 957 } 958 } 959