xref: /freebsd/sys/net80211/ieee80211_input.c (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1 /*-
2  * Copyright (c) 2001 Atsushi Onoe
3  * Copyright (c) 2002-2007 Sam Leffler, Errno Consulting
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25  */
26 
27 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
29 
30 #include <sys/param.h>
31 #include <sys/systm.h>
32 #include <sys/mbuf.h>
33 #include <sys/malloc.h>
34 #include <sys/endian.h>
35 #include <sys/kernel.h>
36 
37 #include <sys/socket.h>
38 
39 #include <net/if.h>
40 #include <net/if_media.h>
41 #include <net/ethernet.h>
42 #include <net/if_llc.h>
43 #include <net/if_vlan_var.h>
44 
45 #include <net80211/ieee80211_var.h>
46 
47 #include <net/bpf.h>
48 
49 #ifdef IEEE80211_DEBUG
50 #include <machine/stdarg.h>
51 
52 /*
53  * Decide if a received management frame should be
54  * printed when debugging is enabled.  This filters some
55  * of the less interesting frames that come frequently
56  * (e.g. beacons).
57  */
58 static __inline int
59 doprint(struct ieee80211com *ic, int subtype)
60 {
61 	switch (subtype) {
62 	case IEEE80211_FC0_SUBTYPE_BEACON:
63 		return (ic->ic_flags & IEEE80211_F_SCAN);
64 	case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
65 		return (ic->ic_opmode == IEEE80211_M_IBSS);
66 	}
67 	return 1;
68 }
69 
70 static const uint8_t *ieee80211_getbssid(struct ieee80211com *,
71 	const struct ieee80211_frame *);
72 #endif /* IEEE80211_DEBUG */
73 
74 static struct mbuf *ieee80211_defrag(struct ieee80211com *,
75 	struct ieee80211_node *, struct mbuf *, int);
76 static struct mbuf *ieee80211_decap(struct ieee80211com *, struct mbuf *, int);
77 static void ieee80211_send_error(struct ieee80211com *, struct ieee80211_node *,
78 		const uint8_t *mac, int subtype, int arg);
79 static struct mbuf *ieee80211_decap_fastframe(struct ieee80211com *,
80 	struct ieee80211_node *, struct mbuf *);
81 static void ieee80211_recv_pspoll(struct ieee80211com *,
82 	struct ieee80211_node *, struct mbuf *);
83 
84 /*
85  * Process a received frame.  The node associated with the sender
86  * should be supplied.  If nothing was found in the node table then
87  * the caller is assumed to supply a reference to ic_bss instead.
88  * The RSSI and a timestamp are also supplied.  The RSSI data is used
89  * during AP scanning to select a AP to associate with; it can have
90  * any units so long as values have consistent units and higher values
91  * mean ``better signal''.  The receive timestamp is currently not used
92  * by the 802.11 layer.
93  */
94 int
95 ieee80211_input(struct ieee80211com *ic, struct mbuf *m,
96 	struct ieee80211_node *ni, int rssi, int noise, uint32_t rstamp)
97 {
98 #define	SEQ_LEQ(a,b)	((int)((a)-(b)) <= 0)
99 #define	HAS_SEQ(type)	((type & 0x4) == 0)
100 	struct ifnet *ifp = ic->ic_ifp;
101 	struct ieee80211_frame *wh;
102 	struct ieee80211_key *key;
103 	struct ether_header *eh;
104 	int hdrspace, need_tap;
105 	uint8_t dir, type, subtype, qos;
106 	uint8_t *bssid;
107 	uint16_t rxseq;
108 
109 	if (m->m_flags & M_AMPDU) {
110 		/*
111 		 * Fastpath for A-MPDU reorder q resubmission.  Frames
112 		 * w/ M_AMPDU marked have already passed through here
113 		 * but were received out of order and been held on the
114 		 * reorder queue.  When resubmitted they are marked
115 		 * with the M_AMPDU flag and we can bypass most of the
116 		 * normal processing.
117 		 */
118 		wh = mtod(m, struct ieee80211_frame *);
119 		type = IEEE80211_FC0_TYPE_DATA;
120 		dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
121 		subtype = IEEE80211_FC0_SUBTYPE_QOS;
122 		hdrspace = ieee80211_hdrspace(ic, wh);	/* XXX optimize? */
123 		need_tap = 0;
124 		goto resubmit_ampdu;
125 	}
126 
127 	KASSERT(ni != NULL, ("null node"));
128 	ni->ni_inact = ni->ni_inact_reload;
129 
130 	need_tap = 1;			/* mbuf need to be tapped. */
131 	type = -1;			/* undefined */
132 	/*
133 	 * In monitor mode, send everything directly to bpf.
134 	 * XXX may want to include the CRC
135 	 */
136 	if (ic->ic_opmode == IEEE80211_M_MONITOR)
137 		goto out;
138 
139 	if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
140 		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
141 		    ni->ni_macaddr, NULL,
142 		    "too short (1): len %u", m->m_pkthdr.len);
143 		ic->ic_stats.is_rx_tooshort++;
144 		goto out;
145 	}
146 	/*
147 	 * Bit of a cheat here, we use a pointer for a 3-address
148 	 * frame format but don't reference fields past outside
149 	 * ieee80211_frame_min w/o first validating the data is
150 	 * present.
151 	 */
152 	wh = mtod(m, struct ieee80211_frame *);
153 
154 	if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
155 	    IEEE80211_FC0_VERSION_0) {
156 		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
157 		    ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]);
158 		ic->ic_stats.is_rx_badversion++;
159 		goto err;
160 	}
161 
162 	dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
163 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
164 	subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
165 	if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
166 		switch (ic->ic_opmode) {
167 		case IEEE80211_M_STA:
168 			bssid = wh->i_addr2;
169 			if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) {
170 				/* not interested in */
171 				IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
172 				    bssid, NULL, "%s", "not to bss");
173 				ic->ic_stats.is_rx_wrongbss++;
174 				goto out;
175 			}
176 			break;
177 		case IEEE80211_M_IBSS:
178 		case IEEE80211_M_AHDEMO:
179 		case IEEE80211_M_HOSTAP:
180 			if (dir != IEEE80211_FC1_DIR_NODS)
181 				bssid = wh->i_addr1;
182 			else if (type == IEEE80211_FC0_TYPE_CTL)
183 				bssid = wh->i_addr1;
184 			else {
185 				if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
186 					IEEE80211_DISCARD_MAC(ic,
187 					    IEEE80211_MSG_ANY, ni->ni_macaddr,
188 					    NULL, "too short (2): len %u",
189 					    m->m_pkthdr.len);
190 					ic->ic_stats.is_rx_tooshort++;
191 					goto out;
192 				}
193 				bssid = wh->i_addr3;
194 			}
195 			if (type != IEEE80211_FC0_TYPE_DATA)
196 				break;
197 			/*
198 			 * Data frame, validate the bssid.
199 			 */
200 			if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) &&
201 			    !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
202 				/* not interested in */
203 				IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
204 				    bssid, NULL, "%s", "not to bss");
205 				ic->ic_stats.is_rx_wrongbss++;
206 				goto out;
207 			}
208 			/*
209 			 * For adhoc mode we cons up a node when it doesn't
210 			 * exist. This should probably done after an ACL check.
211 			 */
212 			if (ni == ic->ic_bss &&
213 			    ic->ic_opmode != IEEE80211_M_HOSTAP &&
214 			    !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
215 				/*
216 				 * Fake up a node for this newly
217 				 * discovered member of the IBSS.
218 				 */
219 				ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta,
220 						    wh->i_addr2);
221 				if (ni == NULL) {
222 					/* NB: stat kept for alloc failure */
223 					goto err;
224 				}
225 			}
226 			break;
227 		default:
228 			goto out;
229 		}
230 		ni->ni_rssi = rssi;
231 		ni->ni_noise = noise;
232 		ni->ni_rstamp = rstamp;
233 		if (HAS_SEQ(type)) {
234 			uint8_t tid;
235 			if (IEEE80211_QOS_HAS_SEQ(wh)) {
236 				tid = ((struct ieee80211_qosframe *)wh)->
237 					i_qos[0] & IEEE80211_QOS_TID;
238 				if (TID_TO_WME_AC(tid) >= WME_AC_VI)
239 					ic->ic_wme.wme_hipri_traffic++;
240 				tid++;
241 			} else
242 				tid = IEEE80211_NONQOS_TID;
243 			rxseq = le16toh(*(uint16_t *)wh->i_seq);
244 			if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 &&
245 			    (wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
246 			    SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
247 				/* duplicate, discard */
248 				IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
249 				    bssid, "duplicate",
250 				    "seqno <%u,%u> fragno <%u,%u> tid %u",
251 				    rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
252 				    ni->ni_rxseqs[tid] >>
253 					IEEE80211_SEQ_SEQ_SHIFT,
254 				    rxseq & IEEE80211_SEQ_FRAG_MASK,
255 				    ni->ni_rxseqs[tid] &
256 					IEEE80211_SEQ_FRAG_MASK,
257 				    tid);
258 				ic->ic_stats.is_rx_dup++;
259 				IEEE80211_NODE_STAT(ni, rx_dup);
260 				goto out;
261 			}
262 			ni->ni_rxseqs[tid] = rxseq;
263 		}
264 	}
265 
266 	switch (type) {
267 	case IEEE80211_FC0_TYPE_DATA:
268 		hdrspace = ieee80211_hdrspace(ic, wh);
269 		if (m->m_len < hdrspace &&
270 		    (m = m_pullup(m, hdrspace)) == NULL) {
271 			IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
272 			    ni->ni_macaddr, NULL,
273 			    "data too short: expecting %u", hdrspace);
274 			ic->ic_stats.is_rx_tooshort++;
275 			goto out;		/* XXX */
276 		}
277 		switch (ic->ic_opmode) {
278 		case IEEE80211_M_STA:
279 			if (dir != IEEE80211_FC1_DIR_FROMDS) {
280 				IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
281 				    wh, "data", "unknown dir 0x%x", dir);
282 				ic->ic_stats.is_rx_wrongdir++;
283 				goto out;
284 			}
285 			if ((ifp->if_flags & IFF_SIMPLEX) &&
286 			    IEEE80211_IS_MULTICAST(wh->i_addr1) &&
287 			    IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) {
288 				/*
289 				 * In IEEE802.11 network, multicast packet
290 				 * sent from me is broadcasted from AP.
291 				 * It should be silently discarded for
292 				 * SIMPLEX interface.
293 				 */
294 				IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
295 				    wh, NULL, "%s", "multicast echo");
296 				ic->ic_stats.is_rx_mcastecho++;
297 				goto out;
298 			}
299 			break;
300 		case IEEE80211_M_IBSS:
301 		case IEEE80211_M_AHDEMO:
302 			if (dir != IEEE80211_FC1_DIR_NODS) {
303 				IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
304 				    wh, "data", "unknown dir 0x%x", dir);
305 				ic->ic_stats.is_rx_wrongdir++;
306 				goto out;
307 			}
308 			/* XXX no power-save support */
309 			break;
310 		case IEEE80211_M_HOSTAP:
311 			if (dir != IEEE80211_FC1_DIR_TODS) {
312 				IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
313 				    wh, "data", "unknown dir 0x%x", dir);
314 				ic->ic_stats.is_rx_wrongdir++;
315 				goto out;
316 			}
317 			/* check if source STA is associated */
318 			if (ni == ic->ic_bss) {
319 				IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
320 				    wh, "data", "%s", "unknown src");
321 				ieee80211_send_error(ic, ni, wh->i_addr2,
322 				    IEEE80211_FC0_SUBTYPE_DEAUTH,
323 				    IEEE80211_REASON_NOT_AUTHED);
324 				ic->ic_stats.is_rx_notassoc++;
325 				goto err;
326 			}
327 			if (ni->ni_associd == 0) {
328 				IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
329 				    wh, "data", "%s", "unassoc src");
330 				IEEE80211_SEND_MGMT(ic, ni,
331 				    IEEE80211_FC0_SUBTYPE_DISASSOC,
332 				    IEEE80211_REASON_NOT_ASSOCED);
333 				ic->ic_stats.is_rx_notassoc++;
334 				goto err;
335 			}
336 
337 			/*
338 			 * Check for power save state change.
339 			 * XXX out-of-order A-MPDU frames?
340 			 */
341 			if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
342 			    (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
343 				ieee80211_node_pwrsave(ni,
344 					wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
345 			break;
346 		default:
347 			/* XXX here to keep compiler happy */
348 			goto out;
349 		}
350 
351 		/*
352 		 * Handle A-MPDU re-ordering.  The station must be
353 		 * associated and negotiated HT.  The frame must be
354 		 * a QoS frame (not QoS null data) and not previously
355 		 * processed for A-MPDU re-ordering.  If the frame is
356 		 * to be processed directly then ieee80211_ampdu_reorder
357 		 * will return 0; otherwise it has consumed the mbuf
358 		 * and we should do nothing more with it.
359 		 */
360 		if ((ni->ni_flags & IEEE80211_NODE_HT) &&
361 		    subtype == IEEE80211_FC0_SUBTYPE_QOS &&
362 		    ieee80211_ampdu_reorder(ni, m) != 0) {
363 			m = NULL;
364 			goto out;
365 		}
366 	resubmit_ampdu:
367 
368 		/*
369 		 * Handle privacy requirements.  Note that we
370 		 * must not be preempted from here until after
371 		 * we (potentially) call ieee80211_crypto_demic;
372 		 * otherwise we may violate assumptions in the
373 		 * crypto cipher modules used to do delayed update
374 		 * of replay sequence numbers.
375 		 */
376 		if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
377 			if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) {
378 				/*
379 				 * Discard encrypted frames when privacy is off.
380 				 */
381 				IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
382 				    wh, "WEP", "%s", "PRIVACY off");
383 				ic->ic_stats.is_rx_noprivacy++;
384 				IEEE80211_NODE_STAT(ni, rx_noprivacy);
385 				goto out;
386 			}
387 			key = ieee80211_crypto_decap(ic, ni, m, hdrspace);
388 			if (key == NULL) {
389 				/* NB: stats+msgs handled in crypto_decap */
390 				IEEE80211_NODE_STAT(ni, rx_wepfail);
391 				goto out;
392 			}
393 			wh = mtod(m, struct ieee80211_frame *);
394 			wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
395 		} else {
396 			/* XXX M_WEP and IEEE80211_F_PRIVACY */
397 			key = NULL;
398 		}
399 
400 		/*
401 		 * Save QoS bits for use below--before we strip the header.
402 		 */
403 		if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
404 			qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
405 			    ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
406 			    ((struct ieee80211_qosframe *)wh)->i_qos[0];
407 		} else
408 			qos = 0;
409 
410 		/*
411 		 * Next up, any fragmentation.
412 		 */
413 		if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
414 			m = ieee80211_defrag(ic, ni, m, hdrspace);
415 			if (m == NULL) {
416 				/* Fragment dropped or frame not complete yet */
417 				goto out;
418 			}
419 		}
420 		wh = NULL;		/* no longer valid, catch any uses */
421 
422 		/*
423 		 * Next strip any MSDU crypto bits.
424 		 */
425 		if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) {
426 			IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
427 			    ni->ni_macaddr, "data", "%s", "demic error");
428 			ic->ic_stats.is_rx_demicfail++;
429 			IEEE80211_NODE_STAT(ni, rx_demicfail);
430 			goto out;
431 		}
432 
433 		/* copy to listener after decrypt */
434 		if (bpf_peers_present(ic->ic_rawbpf))
435 			bpf_mtap(ic->ic_rawbpf, m);
436 		need_tap = 0;
437 
438 		/*
439 		 * Finally, strip the 802.11 header.
440 		 */
441 		m = ieee80211_decap(ic, m, hdrspace);
442 		if (m == NULL) {
443 			/* don't count Null data frames as errors */
444 			if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
445 			    subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
446 				goto out;
447 			IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
448 			    ni->ni_macaddr, "data", "%s", "decap error");
449 			ic->ic_stats.is_rx_decap++;
450 			IEEE80211_NODE_STAT(ni, rx_decap);
451 			goto err;
452 		}
453 		eh = mtod(m, struct ether_header *);
454 		if (!ieee80211_node_is_authorized(ni)) {
455 			/*
456 			 * Deny any non-PAE frames received prior to
457 			 * authorization.  For open/shared-key
458 			 * authentication the port is mark authorized
459 			 * after authentication completes.  For 802.1x
460 			 * the port is not marked authorized by the
461 			 * authenticator until the handshake has completed.
462 			 */
463 			if (eh->ether_type != htons(ETHERTYPE_PAE)) {
464 				IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
465 				    eh->ether_shost, "data",
466 				    "unauthorized port: ether type 0x%x len %u",
467 				    eh->ether_type, m->m_pkthdr.len);
468 				ic->ic_stats.is_rx_unauth++;
469 				IEEE80211_NODE_STAT(ni, rx_unauth);
470 				goto err;
471 			}
472 		} else {
473 			/*
474 			 * When denying unencrypted frames, discard
475 			 * any non-PAE frames received without encryption.
476 			 */
477 			if ((ic->ic_flags & IEEE80211_F_DROPUNENC) &&
478 			    (key == NULL && (m->m_flags & M_WEP) == 0) &&
479 			    eh->ether_type != htons(ETHERTYPE_PAE)) {
480 				/*
481 				 * Drop unencrypted frames.
482 				 */
483 				ic->ic_stats.is_rx_unencrypted++;
484 				IEEE80211_NODE_STAT(ni, rx_unencrypted);
485 				goto out;
486 			}
487 		}
488 		/* XXX require HT? */
489 		if (qos & IEEE80211_QOS_AMSDU) {
490 			m = ieee80211_decap_amsdu(ni, m);
491 			if (m == NULL)
492 				return IEEE80211_FC0_TYPE_DATA;
493 		} else if ((ni->ni_ath_flags & IEEE80211_NODE_FF) &&
494 #define	FF_LLC_SIZE	(sizeof(struct ether_header) + sizeof(struct llc))
495 		    m->m_pkthdr.len >= 3*FF_LLC_SIZE) {
496 			struct llc *llc;
497 
498 			/*
499 			 * Check for fast-frame tunnel encapsulation.
500 			 */
501 			if (m->m_len < FF_LLC_SIZE &&
502 			    (m = m_pullup(m, FF_LLC_SIZE)) == NULL) {
503 				IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
504 				    ni->ni_macaddr, "fast-frame",
505 				    "%s", "m_pullup(llc) failed");
506 				ic->ic_stats.is_rx_tooshort++;
507 				return IEEE80211_FC0_TYPE_DATA;
508 			}
509 			llc = (struct llc *)(mtod(m, uint8_t *) +
510 				sizeof(struct ether_header));
511 			if (llc->llc_snap.ether_type == htons(ATH_FF_ETH_TYPE)) {
512 				m_adj(m, FF_LLC_SIZE);
513 				m = ieee80211_decap_fastframe(ic, ni, m);
514 				if (m == NULL)
515 					return IEEE80211_FC0_TYPE_DATA;
516 			}
517 		}
518 #undef FF_LLC_SIZE
519 		ieee80211_deliver_data(ic, ni, m);
520 		return IEEE80211_FC0_TYPE_DATA;
521 
522 	case IEEE80211_FC0_TYPE_MGT:
523 		ic->ic_stats.is_rx_mgmt++;
524 		IEEE80211_NODE_STAT(ni, rx_mgmt);
525 		if (dir != IEEE80211_FC1_DIR_NODS) {
526 			IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
527 			    wh, "data", "unknown dir 0x%x", dir);
528 			ic->ic_stats.is_rx_wrongdir++;
529 			goto err;
530 		}
531 		if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
532 			IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
533 			    ni->ni_macaddr, "mgt", "too short: len %u",
534 			    m->m_pkthdr.len);
535 			ic->ic_stats.is_rx_tooshort++;
536 			goto out;
537 		}
538 #ifdef IEEE80211_DEBUG
539 		if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) ||
540 		    ieee80211_msg_dumppkts(ic)) {
541 			if_printf(ic->ic_ifp, "received %s from %s rssi %d\n",
542 			    ieee80211_mgt_subtype_name[subtype >>
543 				IEEE80211_FC0_SUBTYPE_SHIFT],
544 			    ether_sprintf(wh->i_addr2), rssi);
545 		}
546 #endif
547 		if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
548 			if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
549 				/*
550 				 * Only shared key auth frames with a challenge
551 				 * should be encrypted, discard all others.
552 				 */
553 				IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
554 				    wh, ieee80211_mgt_subtype_name[subtype >>
555 					IEEE80211_FC0_SUBTYPE_SHIFT],
556 				    "%s", "WEP set but not permitted");
557 				ic->ic_stats.is_rx_mgtdiscard++; /* XXX */
558 				goto out;
559 			}
560 			if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) {
561 				/*
562 				 * Discard encrypted frames when privacy is off.
563 				 */
564 				IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
565 				    wh, "mgt", "%s", "WEP set but PRIVACY off");
566 				ic->ic_stats.is_rx_noprivacy++;
567 				goto out;
568 			}
569 			hdrspace = ieee80211_hdrspace(ic, wh);
570 			key = ieee80211_crypto_decap(ic, ni, m, hdrspace);
571 			if (key == NULL) {
572 				/* NB: stats+msgs handled in crypto_decap */
573 				goto out;
574 			}
575 			wh = mtod(m, struct ieee80211_frame *);
576 			wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
577 		}
578 		if (bpf_peers_present(ic->ic_rawbpf))
579 			bpf_mtap(ic->ic_rawbpf, m);
580 		(*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, noise, rstamp);
581 		m_freem(m);
582 		return IEEE80211_FC0_TYPE_MGT;
583 
584 	case IEEE80211_FC0_TYPE_CTL:
585 		ic->ic_stats.is_rx_ctl++;
586 		IEEE80211_NODE_STAT(ni, rx_ctrl);
587 		if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
588 			switch (subtype) {
589 			case IEEE80211_FC0_SUBTYPE_PS_POLL:
590 				ieee80211_recv_pspoll(ic, ni, m);
591 				break;
592 			case IEEE80211_FC0_SUBTYPE_BAR:
593 				ieee80211_recv_bar(ni, m);
594 				break;
595 			}
596 		}
597 		goto out;
598 	default:
599 		IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
600 		    wh, NULL, "bad frame type 0x%x", type);
601 		/* should not come here */
602 		break;
603 	}
604 err:
605 	ifp->if_ierrors++;
606 out:
607 	if (m != NULL) {
608 		if (bpf_peers_present(ic->ic_rawbpf) && need_tap)
609 			bpf_mtap(ic->ic_rawbpf, m);
610 		m_freem(m);
611 	}
612 	return type;
613 #undef SEQ_LEQ
614 }
615 
616 /*
617  * This function reassemble fragments.
618  */
619 static struct mbuf *
620 ieee80211_defrag(struct ieee80211com *ic, struct ieee80211_node *ni,
621 	struct mbuf *m, int hdrspace)
622 {
623 	struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
624 	struct ieee80211_frame *lwh;
625 	uint16_t rxseq;
626 	uint8_t fragno;
627 	uint8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG;
628 	struct mbuf *mfrag;
629 
630 	KASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?"));
631 
632 	rxseq = le16toh(*(uint16_t *)wh->i_seq);
633 	fragno = rxseq & IEEE80211_SEQ_FRAG_MASK;
634 
635 	/* Quick way out, if there's nothing to defragment */
636 	if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL)
637 		return m;
638 
639 	/*
640 	 * Remove frag to insure it doesn't get reaped by timer.
641 	 */
642 	if (ni->ni_table == NULL) {
643 		/*
644 		 * Should never happen.  If the node is orphaned (not in
645 		 * the table) then input packets should not reach here.
646 		 * Otherwise, a concurrent request that yanks the table
647 		 * should be blocked by other interlocking and/or by first
648 		 * shutting the driver down.  Regardless, be defensive
649 		 * here and just bail
650 		 */
651 		/* XXX need msg+stat */
652 		m_freem(m);
653 		return NULL;
654 	}
655 	IEEE80211_NODE_LOCK(ni->ni_table);
656 	mfrag = ni->ni_rxfrag[0];
657 	ni->ni_rxfrag[0] = NULL;
658 	IEEE80211_NODE_UNLOCK(ni->ni_table);
659 
660 	/*
661 	 * Validate new fragment is in order and
662 	 * related to the previous ones.
663 	 */
664 	if (mfrag != NULL) {
665 		uint16_t last_rxseq;
666 
667 		lwh = mtod(mfrag, struct ieee80211_frame *);
668 		last_rxseq = le16toh(*(uint16_t *)lwh->i_seq);
669 		/* NB: check seq # and frag together */
670 		if (rxseq != last_rxseq+1 ||
671 		    !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) ||
672 		    !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) {
673 			/*
674 			 * Unrelated fragment or no space for it,
675 			 * clear current fragments.
676 			 */
677 			m_freem(mfrag);
678 			mfrag = NULL;
679 		}
680 	}
681 
682  	if (mfrag == NULL) {
683 		if (fragno != 0) {		/* !first fragment, discard */
684 			ic->ic_stats.is_rx_defrag++;
685 			IEEE80211_NODE_STAT(ni, rx_defrag);
686 			m_freem(m);
687 			return NULL;
688 		}
689 		mfrag = m;
690 	} else {				/* concatenate */
691 		m_adj(m, hdrspace);		/* strip header */
692 		m_cat(mfrag, m);
693 		/* NB: m_cat doesn't update the packet header */
694 		mfrag->m_pkthdr.len += m->m_pkthdr.len;
695 		/* track last seqnum and fragno */
696 		lwh = mtod(mfrag, struct ieee80211_frame *);
697 		*(uint16_t *) lwh->i_seq = *(uint16_t *) wh->i_seq;
698 	}
699 	if (more_frag) {			/* more to come, save */
700 		ni->ni_rxfragstamp = ticks;
701 		ni->ni_rxfrag[0] = mfrag;
702 		mfrag = NULL;
703 	}
704 	return mfrag;
705 }
706 
707 void
708 ieee80211_deliver_data(struct ieee80211com *ic,
709 	struct ieee80211_node *ni, struct mbuf *m)
710 {
711 	struct ether_header *eh = mtod(m, struct ether_header *);
712 	struct ifnet *ifp = ic->ic_ifp;
713 
714 	/*
715 	 * Do accounting.
716 	 */
717 	ifp->if_ipackets++;
718 	IEEE80211_NODE_STAT(ni, rx_data);
719 	IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
720 	if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
721 		m->m_flags |= M_MCAST;		/* XXX M_BCAST? */
722 		IEEE80211_NODE_STAT(ni, rx_mcast);
723 	} else
724 		IEEE80211_NODE_STAT(ni, rx_ucast);
725 
726 	/* clear driver/net80211 flags before passing up */
727 	m->m_flags &= ~M_80211_RX;
728 
729 	/* perform as a bridge within the AP */
730 	if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
731 	    (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) {
732 		struct mbuf *m1 = NULL;
733 
734 		if (m->m_flags & M_MCAST) {
735 			m1 = m_dup(m, M_DONTWAIT);
736 			if (m1 == NULL)
737 				ifp->if_oerrors++;
738 			else
739 				m1->m_flags |= M_MCAST;
740 		} else {
741 			/*
742 			 * Check if the destination is known; if so
743 			 * and the port is authorized dispatch directly.
744 			 */
745 			struct ieee80211_node *sta =
746 			    ieee80211_find_node(&ic->ic_sta, eh->ether_dhost);
747 			if (sta != NULL) {
748 				if (ieee80211_node_is_authorized(sta)) {
749 					/*
750 					 * Beware of sending to ourself; this
751 					 * needs to happen via the normal
752 					 * input path.
753 					 */
754 					if (sta != ic->ic_bss) {
755 						m1 = m;
756 						m = NULL;
757 					}
758 				} else {
759 					ic->ic_stats.is_rx_unauth++;
760 					IEEE80211_NODE_STAT(sta, rx_unauth);
761 				}
762 				ieee80211_free_node(sta);
763 			}
764 		}
765 		if (m1 != NULL)
766 			(void) IF_HANDOFF(&ifp->if_snd, m1, ifp);
767 	}
768 	if (m != NULL) {
769 		m->m_pkthdr.rcvif = ifp;
770 		if (ni->ni_vlan != 0) {
771 			/* attach vlan tag */
772 			m->m_pkthdr.ether_vtag = ni->ni_vlan;
773 			m->m_flags |= M_VLANTAG;
774 		}
775 		(*ifp->if_input)(ifp, m);
776 	}
777 }
778 
779 static struct mbuf *
780 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, int hdrlen)
781 {
782 	struct ieee80211_qosframe_addr4 wh;	/* Max size address frames */
783 	struct ether_header *eh;
784 	struct llc *llc;
785 
786 	if (m->m_len < hdrlen + sizeof(*llc) &&
787 	    (m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) {
788 		/* XXX stat, msg */
789 		return NULL;
790 	}
791 	memcpy(&wh, mtod(m, caddr_t), hdrlen);
792 	llc = (struct llc *)(mtod(m, caddr_t) + hdrlen);
793 	if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP &&
794 	    llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 &&
795 	    llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) {
796 		m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh));
797 		llc = NULL;
798 	} else {
799 		m_adj(m, hdrlen - sizeof(*eh));
800 	}
801 	eh = mtod(m, struct ether_header *);
802 	switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) {
803 	case IEEE80211_FC1_DIR_NODS:
804 		IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1);
805 		IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2);
806 		break;
807 	case IEEE80211_FC1_DIR_TODS:
808 		IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3);
809 		IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2);
810 		break;
811 	case IEEE80211_FC1_DIR_FROMDS:
812 		IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1);
813 		IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3);
814 		break;
815 	case IEEE80211_FC1_DIR_DSTODS:
816 		IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3);
817 		IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4);
818 		break;
819 	}
820 #ifdef ALIGNED_POINTER
821 	if (!ALIGNED_POINTER(mtod(m, caddr_t) + sizeof(*eh), uint32_t)) {
822 		struct mbuf *n, *n0, **np;
823 		caddr_t newdata;
824 		int off, pktlen;
825 
826 		n0 = NULL;
827 		np = &n0;
828 		off = 0;
829 		pktlen = m->m_pkthdr.len;
830 		while (pktlen > off) {
831 			if (n0 == NULL) {
832 				MGETHDR(n, M_DONTWAIT, MT_DATA);
833 				if (n == NULL) {
834 					m_freem(m);
835 					return NULL;
836 				}
837 				M_MOVE_PKTHDR(n, m);
838 				n->m_len = MHLEN;
839 			} else {
840 				MGET(n, M_DONTWAIT, MT_DATA);
841 				if (n == NULL) {
842 					m_freem(m);
843 					m_freem(n0);
844 					return NULL;
845 				}
846 				n->m_len = MLEN;
847 			}
848 			if (pktlen - off >= MINCLSIZE) {
849 				MCLGET(n, M_DONTWAIT);
850 				if (n->m_flags & M_EXT)
851 					n->m_len = n->m_ext.ext_size;
852 			}
853 			if (n0 == NULL) {
854 				newdata =
855 				    (caddr_t)ALIGN(n->m_data + sizeof(*eh)) -
856 				    sizeof(*eh);
857 				n->m_len -= newdata - n->m_data;
858 				n->m_data = newdata;
859 			}
860 			if (n->m_len > pktlen - off)
861 				n->m_len = pktlen - off;
862 			m_copydata(m, off, n->m_len, mtod(n, caddr_t));
863 			off += n->m_len;
864 			*np = n;
865 			np = &n->m_next;
866 		}
867 		m_freem(m);
868 		m = n0;
869 	}
870 #endif /* ALIGNED_POINTER */
871 	if (llc != NULL) {
872 		eh = mtod(m, struct ether_header *);
873 		eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh));
874 	}
875 	return m;
876 }
877 
878 /*
879  * Decap a frame encapsulated in a fast-frame/A-MSDU.
880  */
881 struct mbuf *
882 ieee80211_decap1(struct mbuf *m, int *framelen)
883 {
884 #define	FF_LLC_SIZE	(sizeof(struct ether_header) + sizeof(struct llc))
885 	struct ether_header *eh;
886 	struct llc *llc;
887 
888 	/*
889 	 * The frame has an 802.3 header followed by an 802.2
890 	 * LLC header.  The encapsulated frame length is in the
891 	 * first header type field; save that and overwrite it
892 	 * with the true type field found in the second.  Then
893 	 * copy the 802.3 header up to where it belongs and
894 	 * adjust the mbuf contents to remove the void.
895 	 */
896 	if (m->m_len < FF_LLC_SIZE && (m = m_pullup(m, FF_LLC_SIZE)) == NULL)
897 		return NULL;
898 	eh = mtod(m, struct ether_header *);	/* 802.3 header is first */
899 	llc = (struct llc *)&eh[1];		/* 802.2 header follows */
900 	*framelen = ntohs(eh->ether_type)	/* encap'd frame size */
901 		  + sizeof(struct ether_header) - sizeof(struct llc);
902 	eh->ether_type = llc->llc_un.type_snap.ether_type;
903 	ovbcopy(eh, mtod(m, uint8_t *) + sizeof(struct llc),
904 		sizeof(struct ether_header));
905 	m_adj(m, sizeof(struct llc));
906 	return m;
907 #undef FF_LLC_SIZE
908 }
909 
910 /*
911  * Decap the encapsulated frame pair and dispatch the first
912  * for delivery.  The second frame is returned for delivery
913  * via the normal path.
914  */
915 static struct mbuf *
916 ieee80211_decap_fastframe(struct ieee80211com *ic,
917 	struct ieee80211_node *ni, struct mbuf *m)
918 {
919 #define	MS(x,f)	(((x) & f) >> f##_S)
920 	uint32_t ath;
921 	struct mbuf *n;
922 	int framelen;
923 
924 	m_copydata(m, 0, sizeof(uint32_t), (caddr_t) &ath);
925 	if (MS(ath, ATH_FF_PROTO) != ATH_FF_PROTO_L2TUNNEL) {
926 		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
927 		    ni->ni_macaddr, "fast-frame",
928 		    "unsupport tunnel protocol, header 0x%x", ath);
929 		ic->ic_stats.is_ff_badhdr++;
930 		m_freem(m);
931 		return NULL;
932 	}
933 	/* NB: skip header and alignment padding */
934 	m_adj(m, roundup(sizeof(uint32_t) - 2, 4) + 2);
935 
936 	ic->ic_stats.is_ff_decap++;
937 
938 	/*
939 	 * Decap the first frame, bust it apart from the
940 	 * second and deliver; then decap the second frame
941 	 * and return it to the caller for normal delivery.
942 	 */
943 	m = ieee80211_decap1(m, &framelen);
944 	if (m == NULL) {
945 		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
946 		    ni->ni_macaddr, "fast-frame", "%s", "first decap failed");
947 		ic->ic_stats.is_ff_tooshort++;
948 		return NULL;
949 	}
950 	n = m_split(m, framelen, M_NOWAIT);
951 	if (n == NULL) {
952 		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
953 		    ni->ni_macaddr, "fast-frame",
954 		    "%s", "unable to split encapsulated frames");
955 		ic->ic_stats.is_ff_split++;
956 		m_freem(m);			/* NB: must reclaim */
957 		return NULL;
958 	}
959 	ieee80211_deliver_data(ic, ni, m);	/* 1st of pair */
960 
961 	/*
962 	 * Decap second frame.
963 	 */
964 	m_adj(n, roundup2(framelen, 4) - framelen);	/* padding */
965 	n = ieee80211_decap1(n, &framelen);
966 	if (n == NULL) {
967 		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
968 		    ni->ni_macaddr, "fast-frame", "%s", "second decap failed");
969 		ic->ic_stats.is_ff_tooshort++;
970 	}
971 	/* XXX verify framelen against mbuf contents */
972 	return n;				/* 2nd delivered by caller */
973 #undef MS
974 }
975 
976 /*
977  * Install received rate set information in the node's state block.
978  */
979 int
980 ieee80211_setup_rates(struct ieee80211_node *ni,
981 	const uint8_t *rates, const uint8_t *xrates, int flags)
982 {
983 	struct ieee80211com *ic = ni->ni_ic;
984 	struct ieee80211_rateset *rs = &ni->ni_rates;
985 
986 	memset(rs, 0, sizeof(*rs));
987 	rs->rs_nrates = rates[1];
988 	memcpy(rs->rs_rates, rates + 2, rs->rs_nrates);
989 	if (xrates != NULL) {
990 		uint8_t nxrates;
991 		/*
992 		 * Tack on 11g extended supported rate element.
993 		 */
994 		nxrates = xrates[1];
995 		if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) {
996 			nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates;
997 			IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE,
998 			     "[%s] extended rate set too large;"
999 			     " only using %u of %u rates\n",
1000 			     ether_sprintf(ni->ni_macaddr), nxrates, xrates[1]);
1001 			ic->ic_stats.is_rx_rstoobig++;
1002 		}
1003 		memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates);
1004 		rs->rs_nrates += nxrates;
1005 	}
1006 	return ieee80211_fix_rate(ni, rs, flags);
1007 }
1008 
1009 static void
1010 ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh,
1011     struct ieee80211_node *ni, int rssi, int noise, uint32_t rstamp,
1012     uint16_t seq, uint16_t status)
1013 {
1014 
1015 	if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
1016 		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1017 		    ni->ni_macaddr, "open auth",
1018 		    "bad sta auth mode %u", ni->ni_authmode);
1019 		ic->ic_stats.is_rx_bad_auth++;	/* XXX */
1020 		if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
1021 			/*
1022 			 * Clear any challenge text that may be there if
1023 			 * a previous shared key auth failed and then an
1024 			 * open auth is attempted.
1025 			 */
1026 			if (ni->ni_challenge != NULL) {
1027 				FREE(ni->ni_challenge, M_80211_NODE);
1028 				ni->ni_challenge = NULL;
1029 			}
1030 			/* XXX hack to workaround calling convention */
1031 			ieee80211_send_error(ic, ni, wh->i_addr2,
1032 			    IEEE80211_FC0_SUBTYPE_AUTH,
1033 			    (seq + 1) | (IEEE80211_STATUS_ALG<<16));
1034 		}
1035 		return;
1036 	}
1037 	switch (ic->ic_opmode) {
1038 	case IEEE80211_M_IBSS:
1039 	case IEEE80211_M_AHDEMO:
1040 	case IEEE80211_M_MONITOR:
1041 	case IEEE80211_M_WDS:
1042 		/* should not come here */
1043 		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1044 		    ni->ni_macaddr, "open auth",
1045 		    "bad operating mode %u", ic->ic_opmode);
1046 		break;
1047 
1048 	case IEEE80211_M_HOSTAP:
1049 		if (ic->ic_state != IEEE80211_S_RUN ||
1050 		    seq != IEEE80211_AUTH_OPEN_REQUEST) {
1051 			ic->ic_stats.is_rx_bad_auth++;
1052 			return;
1053 		}
1054 		/* always accept open authentication requests */
1055 		if (ni == ic->ic_bss) {
1056 			ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2);
1057 			if (ni == NULL)
1058 				return;
1059 		} else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1060 			(void) ieee80211_ref_node(ni);
1061 		/*
1062 		 * Mark the node as referenced to reflect that it's
1063 		 * reference count has been bumped to insure it remains
1064 		 * after the transaction completes.
1065 		 */
1066 		ni->ni_flags |= IEEE80211_NODE_AREF;
1067 
1068 		IEEE80211_SEND_MGMT(ic, ni,
1069 			IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1070 		IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1071 		    "[%s] station authenticated (open)\n",
1072 		    ether_sprintf(ni->ni_macaddr));
1073 		/*
1074 		 * When 802.1x is not in use mark the port
1075 		 * authorized at this point so traffic can flow.
1076 		 */
1077 		if (ni->ni_authmode != IEEE80211_AUTH_8021X)
1078 			ieee80211_node_authorize(ni);
1079 		break;
1080 
1081 	case IEEE80211_M_STA:
1082 		if (ic->ic_state != IEEE80211_S_AUTH ||
1083 		    seq != IEEE80211_AUTH_OPEN_RESPONSE) {
1084 			ic->ic_stats.is_rx_bad_auth++;
1085 			return;
1086 		}
1087 		if (status != 0) {
1088 			IEEE80211_DPRINTF(ic,
1089 			    IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1090 			    "[%s] open auth failed (reason %d)\n",
1091 			    ether_sprintf(ni->ni_macaddr), status);
1092 			/* XXX can this happen? */
1093 			if (ni != ic->ic_bss)
1094 				ni->ni_fails++;
1095 			ic->ic_stats.is_rx_auth_fail++;
1096 			ieee80211_new_state(ic, IEEE80211_S_SCAN,
1097 			    IEEE80211_SCAN_FAIL_STATUS);
1098 		} else
1099 			ieee80211_new_state(ic, IEEE80211_S_ASSOC, 0);
1100 		break;
1101 	}
1102 }
1103 
1104 /*
1105  * Send a management frame error response to the specified
1106  * station.  If ni is associated with the station then use
1107  * it; otherwise allocate a temporary node suitable for
1108  * transmitting the frame and then free the reference so
1109  * it will go away as soon as the frame has been transmitted.
1110  */
1111 static void
1112 ieee80211_send_error(struct ieee80211com *ic, struct ieee80211_node *ni,
1113 	const uint8_t *mac, int subtype, int arg)
1114 {
1115 	int istmp;
1116 
1117 	if (ni == ic->ic_bss) {
1118 		ni = ieee80211_tmp_node(ic, mac);
1119 		if (ni == NULL) {
1120 			/* XXX msg */
1121 			return;
1122 		}
1123 		istmp = 1;
1124 	} else
1125 		istmp = 0;
1126 	IEEE80211_SEND_MGMT(ic, ni, subtype, arg);
1127 	if (istmp)
1128 		ieee80211_free_node(ni);
1129 }
1130 
1131 static int
1132 alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni)
1133 {
1134 	if (ni->ni_challenge == NULL)
1135 		MALLOC(ni->ni_challenge, uint32_t*, IEEE80211_CHALLENGE_LEN,
1136 		    M_80211_NODE, M_NOWAIT);
1137 	if (ni->ni_challenge == NULL) {
1138 		IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1139 		    "[%s] shared key challenge alloc failed\n",
1140 		    ether_sprintf(ni->ni_macaddr));
1141 		/* XXX statistic */
1142 	}
1143 	return (ni->ni_challenge != NULL);
1144 }
1145 
1146 /* XXX TODO: add statistics */
1147 static void
1148 ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh,
1149     uint8_t *frm, uint8_t *efrm, struct ieee80211_node *ni,
1150     int rssi, int noise, uint32_t rstamp, uint16_t seq, uint16_t status)
1151 {
1152 	uint8_t *challenge;
1153 	int allocbs, estatus;
1154 
1155 	/*
1156 	 * NB: this can happen as we allow pre-shared key
1157 	 * authentication to be enabled w/o wep being turned
1158 	 * on so that configuration of these can be done
1159 	 * in any order.  It may be better to enforce the
1160 	 * ordering in which case this check would just be
1161 	 * for sanity/consistency.
1162 	 */
1163 	if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) {
1164 		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1165 		    ni->ni_macaddr, "shared key auth",
1166 		    "%s", " PRIVACY is disabled");
1167 		estatus = IEEE80211_STATUS_ALG;
1168 		goto bad;
1169 	}
1170 	/*
1171 	 * Pre-shared key authentication is evil; accept
1172 	 * it only if explicitly configured (it is supported
1173 	 * mainly for compatibility with clients like OS X).
1174 	 */
1175 	if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1176 	    ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1177 		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1178 		    ni->ni_macaddr, "shared key auth",
1179 		    "bad sta auth mode %u", ni->ni_authmode);
1180 		ic->ic_stats.is_rx_bad_auth++;	/* XXX maybe a unique error? */
1181 		estatus = IEEE80211_STATUS_ALG;
1182 		goto bad;
1183 	}
1184 
1185 	challenge = NULL;
1186 	if (frm + 1 < efrm) {
1187 		if ((frm[1] + 2) > (efrm - frm)) {
1188 			IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1189 			    ni->ni_macaddr, "shared key auth",
1190 			    "ie %d/%d too long",
1191 			    frm[0], (frm[1] + 2) - (efrm - frm));
1192 			ic->ic_stats.is_rx_bad_auth++;
1193 			estatus = IEEE80211_STATUS_CHALLENGE;
1194 			goto bad;
1195 		}
1196 		if (*frm == IEEE80211_ELEMID_CHALLENGE)
1197 			challenge = frm;
1198 		frm += frm[1] + 2;
1199 	}
1200 	switch (seq) {
1201 	case IEEE80211_AUTH_SHARED_CHALLENGE:
1202 	case IEEE80211_AUTH_SHARED_RESPONSE:
1203 		if (challenge == NULL) {
1204 			IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1205 			    ni->ni_macaddr, "shared key auth",
1206 			    "%s", "no challenge");
1207 			ic->ic_stats.is_rx_bad_auth++;
1208 			estatus = IEEE80211_STATUS_CHALLENGE;
1209 			goto bad;
1210 		}
1211 		if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1212 			IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1213 			    ni->ni_macaddr, "shared key auth",
1214 			    "bad challenge len %d", challenge[1]);
1215 			ic->ic_stats.is_rx_bad_auth++;
1216 			estatus = IEEE80211_STATUS_CHALLENGE;
1217 			goto bad;
1218 		}
1219 	default:
1220 		break;
1221 	}
1222 	switch (ic->ic_opmode) {
1223 	case IEEE80211_M_MONITOR:
1224 	case IEEE80211_M_AHDEMO:
1225 	case IEEE80211_M_IBSS:
1226 	case IEEE80211_M_WDS:
1227 		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1228 		    ni->ni_macaddr, "shared key auth",
1229 		    "bad operating mode %u", ic->ic_opmode);
1230 		return;
1231 	case IEEE80211_M_HOSTAP:
1232 		if (ic->ic_state != IEEE80211_S_RUN) {
1233 			IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1234 			    ni->ni_macaddr, "shared key auth",
1235 			    "bad state %u", ic->ic_state);
1236 			estatus = IEEE80211_STATUS_ALG;	/* XXX */
1237 			goto bad;
1238 		}
1239 		switch (seq) {
1240 		case IEEE80211_AUTH_SHARED_REQUEST:
1241 			if (ni == ic->ic_bss) {
1242 				ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2);
1243 				if (ni == NULL) {
1244 					/* NB: no way to return an error */
1245 					return;
1246 				}
1247 				allocbs = 1;
1248 			} else {
1249 				if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1250 					(void) ieee80211_ref_node(ni);
1251 				allocbs = 0;
1252 			}
1253 			/*
1254 			 * Mark the node as referenced to reflect that it's
1255 			 * reference count has been bumped to insure it remains
1256 			 * after the transaction completes.
1257 			 */
1258 			ni->ni_flags |= IEEE80211_NODE_AREF;
1259 			ni->ni_rssi = rssi;
1260 			ni->ni_noise = noise;
1261 			ni->ni_rstamp = rstamp;
1262 			if (!alloc_challenge(ic, ni)) {
1263 				/* NB: don't return error so they rexmit */
1264 				return;
1265 			}
1266 			get_random_bytes(ni->ni_challenge,
1267 				IEEE80211_CHALLENGE_LEN);
1268 			IEEE80211_DPRINTF(ic,
1269 				IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1270 				"[%s] shared key %sauth request\n",
1271 				ether_sprintf(ni->ni_macaddr),
1272 				allocbs ? "" : "re");
1273 			break;
1274 		case IEEE80211_AUTH_SHARED_RESPONSE:
1275 			if (ni == ic->ic_bss) {
1276 				IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1277 				    ni->ni_macaddr, "shared key response",
1278 				    "%s", "unknown station");
1279 				/* NB: don't send a response */
1280 				return;
1281 			}
1282 			if (ni->ni_challenge == NULL) {
1283 				IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1284 				    ni->ni_macaddr, "shared key response",
1285 				    "%s", "no challenge recorded");
1286 				ic->ic_stats.is_rx_bad_auth++;
1287 				estatus = IEEE80211_STATUS_CHALLENGE;
1288 				goto bad;
1289 			}
1290 			if (memcmp(ni->ni_challenge, &challenge[2],
1291 			           challenge[1]) != 0) {
1292 				IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1293 				    ni->ni_macaddr, "shared key response",
1294 				    "%s", "challenge mismatch");
1295 				ic->ic_stats.is_rx_auth_fail++;
1296 				estatus = IEEE80211_STATUS_CHALLENGE;
1297 				goto bad;
1298 			}
1299 			IEEE80211_DPRINTF(ic,
1300 			    IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1301 			    "[%s] station authenticated (shared key)\n",
1302 			    ether_sprintf(ni->ni_macaddr));
1303 			ieee80211_node_authorize(ni);
1304 			break;
1305 		default:
1306 			IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1307 			    ni->ni_macaddr, "shared key auth",
1308 			    "bad seq %d", seq);
1309 			ic->ic_stats.is_rx_bad_auth++;
1310 			estatus = IEEE80211_STATUS_SEQUENCE;
1311 			goto bad;
1312 		}
1313 		IEEE80211_SEND_MGMT(ic, ni,
1314 			IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1315 		break;
1316 
1317 	case IEEE80211_M_STA:
1318 		if (ic->ic_state != IEEE80211_S_AUTH)
1319 			return;
1320 		switch (seq) {
1321 		case IEEE80211_AUTH_SHARED_PASS:
1322 			if (ni->ni_challenge != NULL) {
1323 				FREE(ni->ni_challenge, M_80211_NODE);
1324 				ni->ni_challenge = NULL;
1325 			}
1326 			if (status != 0) {
1327 				IEEE80211_DPRINTF(ic,
1328 				    IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1329 				    "[%s] shared key auth failed (reason %d)\n",
1330 				    ether_sprintf(ieee80211_getbssid(ic, wh)),
1331 				    status);
1332 				/* XXX can this happen? */
1333 				if (ni != ic->ic_bss)
1334 					ni->ni_fails++;
1335 				ic->ic_stats.is_rx_auth_fail++;
1336 				return;
1337 			}
1338 			ieee80211_new_state(ic, IEEE80211_S_ASSOC, 0);
1339 			break;
1340 		case IEEE80211_AUTH_SHARED_CHALLENGE:
1341 			if (!alloc_challenge(ic, ni))
1342 				return;
1343 			/* XXX could optimize by passing recvd challenge */
1344 			memcpy(ni->ni_challenge, &challenge[2], challenge[1]);
1345 			IEEE80211_SEND_MGMT(ic, ni,
1346 				IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1347 			break;
1348 		default:
1349 			IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH,
1350 			    wh, "shared key auth", "bad seq %d", seq);
1351 			ic->ic_stats.is_rx_bad_auth++;
1352 			return;
1353 		}
1354 		break;
1355 	}
1356 	return;
1357 bad:
1358 	/*
1359 	 * Send an error response; but only when operating as an AP.
1360 	 */
1361 	if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
1362 		/* XXX hack to workaround calling convention */
1363 		ieee80211_send_error(ic, ni, wh->i_addr2,
1364 		    IEEE80211_FC0_SUBTYPE_AUTH,
1365 		    (seq + 1) | (estatus<<16));
1366 	} else if (ic->ic_opmode == IEEE80211_M_STA) {
1367 		/*
1368 		 * Kick the state machine.  This short-circuits
1369 		 * using the mgt frame timeout to trigger the
1370 		 * state transition.
1371 		 */
1372 		if (ic->ic_state == IEEE80211_S_AUTH)
1373 			ieee80211_new_state(ic, IEEE80211_S_SCAN,
1374 			    IEEE80211_SCAN_FAIL_STATUS);
1375 	}
1376 }
1377 
1378 /* Verify the existence and length of __elem or get out. */
1379 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do {			\
1380 	if ((__elem) == NULL) {						\
1381 		IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID,		\
1382 		    wh, ieee80211_mgt_subtype_name[subtype >>		\
1383 			IEEE80211_FC0_SUBTYPE_SHIFT],			\
1384 		    "%s", "no " #__elem );				\
1385 		ic->ic_stats.is_rx_elem_missing++;			\
1386 		return;							\
1387 	}								\
1388 	if ((__elem)[1] > (__maxlen)) {					\
1389 		IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID,		\
1390 		    wh, ieee80211_mgt_subtype_name[subtype >>		\
1391 			IEEE80211_FC0_SUBTYPE_SHIFT],			\
1392 		    "bad " #__elem " len %d", (__elem)[1]);		\
1393 		ic->ic_stats.is_rx_elem_toobig++;			\
1394 		return;							\
1395 	}								\
1396 } while (0)
1397 
1398 #define	IEEE80211_VERIFY_LENGTH(_len, _minlen, _action) do {		\
1399 	if ((_len) < (_minlen)) {					\
1400 		IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID,		\
1401 		    wh, ieee80211_mgt_subtype_name[subtype >>		\
1402 			IEEE80211_FC0_SUBTYPE_SHIFT],			\
1403 		    "ie too short, got %d, expected %d",		\
1404 		    (_len), (_minlen));					\
1405 		ic->ic_stats.is_rx_elem_toosmall++;			\
1406 		_action;						\
1407 	}								\
1408 } while (0)
1409 
1410 #ifdef IEEE80211_DEBUG
1411 static void
1412 ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag,
1413 	uint8_t mac[IEEE80211_ADDR_LEN], uint8_t *ssid)
1414 {
1415 	printf("[%s] discard %s frame, ssid mismatch: ",
1416 		ether_sprintf(mac), tag);
1417 	ieee80211_print_essid(ssid + 2, ssid[1]);
1418 	printf("\n");
1419 }
1420 
1421 #define	IEEE80211_VERIFY_SSID(_ni, _ssid) do {				\
1422 	if ((_ssid)[1] != 0 &&						\
1423 	    ((_ssid)[1] != (_ni)->ni_esslen ||				\
1424 	    memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) {	\
1425 		if (ieee80211_msg_input(ic))				\
1426 			ieee80211_ssid_mismatch(ic, 			\
1427 			    ieee80211_mgt_subtype_name[subtype >>	\
1428 				IEEE80211_FC0_SUBTYPE_SHIFT],		\
1429 				wh->i_addr2, _ssid);			\
1430 		ic->ic_stats.is_rx_ssidmismatch++;			\
1431 		return;							\
1432 	}								\
1433 } while (0)
1434 #else /* !IEEE80211_DEBUG */
1435 #define	IEEE80211_VERIFY_SSID(_ni, _ssid) do {				\
1436 	if ((_ssid)[1] != 0 &&						\
1437 	    ((_ssid)[1] != (_ni)->ni_esslen ||				\
1438 	    memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) {	\
1439 		ic->ic_stats.is_rx_ssidmismatch++;			\
1440 		return;							\
1441 	}								\
1442 } while (0)
1443 #endif /* !IEEE80211_DEBUG */
1444 
1445 /* unalligned little endian access */
1446 #define LE_READ_2(p)					\
1447 	((uint16_t)					\
1448 	 ((((const uint8_t *)(p))[0]      ) |		\
1449 	  (((const uint8_t *)(p))[1] <<  8)))
1450 #define LE_READ_4(p)					\
1451 	((uint32_t)					\
1452 	 ((((const uint8_t *)(p))[0]      ) |		\
1453 	  (((const uint8_t *)(p))[1] <<  8) |		\
1454 	  (((const uint8_t *)(p))[2] << 16) |		\
1455 	  (((const uint8_t *)(p))[3] << 24)))
1456 
1457 static __inline int
1458 iswpaoui(const uint8_t *frm)
1459 {
1460 	return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI);
1461 }
1462 
1463 static __inline int
1464 iswmeoui(const uint8_t *frm)
1465 {
1466 	return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI);
1467 }
1468 
1469 static __inline int
1470 iswmeparam(const uint8_t *frm)
1471 {
1472 	return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) &&
1473 		frm[6] == WME_PARAM_OUI_SUBTYPE;
1474 }
1475 
1476 static __inline int
1477 iswmeinfo(const uint8_t *frm)
1478 {
1479 	return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) &&
1480 		frm[6] == WME_INFO_OUI_SUBTYPE;
1481 }
1482 
1483 static __inline int
1484 isatherosoui(const uint8_t *frm)
1485 {
1486 	return frm[1] > 3 && LE_READ_4(frm+2) == ((ATH_OUI_TYPE<<24)|ATH_OUI);
1487 }
1488 
1489 static __inline int
1490 ishtcapoui(const uint8_t *frm)
1491 {
1492 	return frm[1] > 3 && LE_READ_4(frm+2) == ((BCM_OUI_HTCAP<<24)|BCM_OUI);
1493 }
1494 
1495 static __inline int
1496 ishtinfooui(const uint8_t *frm)
1497 {
1498 	return frm[1] > 3 && LE_READ_4(frm+2) == ((BCM_OUI_HTINFO<<24)|BCM_OUI);
1499 }
1500 
1501 /*
1502  * Convert a WPA cipher selector OUI to an internal
1503  * cipher algorithm.  Where appropriate we also
1504  * record any key length.
1505  */
1506 static int
1507 wpa_cipher(uint8_t *sel, uint8_t *keylen)
1508 {
1509 #define	WPA_SEL(x)	(((x)<<24)|WPA_OUI)
1510 	uint32_t w = LE_READ_4(sel);
1511 
1512 	switch (w) {
1513 	case WPA_SEL(WPA_CSE_NULL):
1514 		return IEEE80211_CIPHER_NONE;
1515 	case WPA_SEL(WPA_CSE_WEP40):
1516 		if (keylen)
1517 			*keylen = 40 / NBBY;
1518 		return IEEE80211_CIPHER_WEP;
1519 	case WPA_SEL(WPA_CSE_WEP104):
1520 		if (keylen)
1521 			*keylen = 104 / NBBY;
1522 		return IEEE80211_CIPHER_WEP;
1523 	case WPA_SEL(WPA_CSE_TKIP):
1524 		return IEEE80211_CIPHER_TKIP;
1525 	case WPA_SEL(WPA_CSE_CCMP):
1526 		return IEEE80211_CIPHER_AES_CCM;
1527 	}
1528 	return 32;		/* NB: so 1<< is discarded */
1529 #undef WPA_SEL
1530 }
1531 
1532 /*
1533  * Convert a WPA key management/authentication algorithm
1534  * to an internal code.
1535  */
1536 static int
1537 wpa_keymgmt(uint8_t *sel)
1538 {
1539 #define	WPA_SEL(x)	(((x)<<24)|WPA_OUI)
1540 	uint32_t w = LE_READ_4(sel);
1541 
1542 	switch (w) {
1543 	case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1544 		return WPA_ASE_8021X_UNSPEC;
1545 	case WPA_SEL(WPA_ASE_8021X_PSK):
1546 		return WPA_ASE_8021X_PSK;
1547 	case WPA_SEL(WPA_ASE_NONE):
1548 		return WPA_ASE_NONE;
1549 	}
1550 	return 0;		/* NB: so is discarded */
1551 #undef WPA_SEL
1552 }
1553 
1554 /*
1555  * Parse a WPA information element to collect parameters
1556  * and validate the parameters against what has been
1557  * configured for the system.
1558  */
1559 static int
1560 ieee80211_parse_wpa(struct ieee80211com *ic, uint8_t *frm,
1561 	struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1562 {
1563 	uint8_t len = frm[1];
1564 	uint32_t w;
1565 	int n;
1566 
1567 	/*
1568 	 * Check the length once for fixed parts: OUI, type,
1569 	 * version, mcast cipher, and 2 selector counts.
1570 	 * Other, variable-length data, must be checked separately.
1571 	 */
1572 	if ((ic->ic_flags & IEEE80211_F_WPA1) == 0) {
1573 		IEEE80211_DISCARD_IE(ic,
1574 		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1575 		    wh, "WPA", "not WPA, flags 0x%x", ic->ic_flags);
1576 		return IEEE80211_REASON_IE_INVALID;
1577 	}
1578 	if (len < 14) {
1579 		IEEE80211_DISCARD_IE(ic,
1580 		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1581 		    wh, "WPA", "too short, len %u", len);
1582 		return IEEE80211_REASON_IE_INVALID;
1583 	}
1584 	frm += 6, len -= 4;		/* NB: len is payload only */
1585 	/* NB: iswapoui already validated the OUI and type */
1586 	w = LE_READ_2(frm);
1587 	if (w != WPA_VERSION) {
1588 		IEEE80211_DISCARD_IE(ic,
1589 		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1590 		    wh, "WPA", "bad version %u", w);
1591 		return IEEE80211_REASON_IE_INVALID;
1592 	}
1593 	frm += 2, len -= 2;
1594 
1595 	/* multicast/group cipher */
1596 	w = wpa_cipher(frm, &rsn->rsn_mcastkeylen);
1597 	if (w != rsn->rsn_mcastcipher) {
1598 		IEEE80211_DISCARD_IE(ic,
1599 		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1600 		    wh, "WPA", "mcast cipher mismatch; got %u, expected %u",
1601 		    w, rsn->rsn_mcastcipher);
1602 		return IEEE80211_REASON_IE_INVALID;
1603 	}
1604 	frm += 4, len -= 4;
1605 
1606 	/* unicast ciphers */
1607 	n = LE_READ_2(frm);
1608 	frm += 2, len -= 2;
1609 	if (len < n*4+2) {
1610 		IEEE80211_DISCARD_IE(ic,
1611 		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1612 		    wh, "WPA", "ucast cipher data too short; len %u, n %u",
1613 		    len, n);
1614 		return IEEE80211_REASON_IE_INVALID;
1615 	}
1616 	w = 0;
1617 	for (; n > 0; n--) {
1618 		w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen);
1619 		frm += 4, len -= 4;
1620 	}
1621 	w &= rsn->rsn_ucastcipherset;
1622 	if (w == 0) {
1623 		IEEE80211_DISCARD_IE(ic,
1624 		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1625 		    wh, "WPA", "%s", "ucast cipher set empty");
1626 		return IEEE80211_REASON_IE_INVALID;
1627 	}
1628 	if (w & (1<<IEEE80211_CIPHER_TKIP))
1629 		rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1630 	else
1631 		rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1632 
1633 	/* key management algorithms */
1634 	n = LE_READ_2(frm);
1635 	frm += 2, len -= 2;
1636 	if (len < n*4) {
1637 		IEEE80211_DISCARD_IE(ic,
1638 		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1639 		    wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1640 		    len, n);
1641 		return IEEE80211_REASON_IE_INVALID;
1642 	}
1643 	w = 0;
1644 	for (; n > 0; n--) {
1645 		w |= wpa_keymgmt(frm);
1646 		frm += 4, len -= 4;
1647 	}
1648 	w &= rsn->rsn_keymgmtset;
1649 	if (w == 0) {
1650 		IEEE80211_DISCARD_IE(ic,
1651 		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1652 		    wh, "WPA", "%s", "no acceptable key mgmt alg");
1653 		return IEEE80211_REASON_IE_INVALID;
1654 	}
1655 	if (w & WPA_ASE_8021X_UNSPEC)
1656 		rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1657 	else
1658 		rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1659 
1660 	if (len > 2)		/* optional capabilities */
1661 		rsn->rsn_caps = LE_READ_2(frm);
1662 
1663 	return 0;
1664 }
1665 
1666 /*
1667  * Convert an RSN cipher selector OUI to an internal
1668  * cipher algorithm.  Where appropriate we also
1669  * record any key length.
1670  */
1671 static int
1672 rsn_cipher(uint8_t *sel, uint8_t *keylen)
1673 {
1674 #define	RSN_SEL(x)	(((x)<<24)|RSN_OUI)
1675 	uint32_t w = LE_READ_4(sel);
1676 
1677 	switch (w) {
1678 	case RSN_SEL(RSN_CSE_NULL):
1679 		return IEEE80211_CIPHER_NONE;
1680 	case RSN_SEL(RSN_CSE_WEP40):
1681 		if (keylen)
1682 			*keylen = 40 / NBBY;
1683 		return IEEE80211_CIPHER_WEP;
1684 	case RSN_SEL(RSN_CSE_WEP104):
1685 		if (keylen)
1686 			*keylen = 104 / NBBY;
1687 		return IEEE80211_CIPHER_WEP;
1688 	case RSN_SEL(RSN_CSE_TKIP):
1689 		return IEEE80211_CIPHER_TKIP;
1690 	case RSN_SEL(RSN_CSE_CCMP):
1691 		return IEEE80211_CIPHER_AES_CCM;
1692 	case RSN_SEL(RSN_CSE_WRAP):
1693 		return IEEE80211_CIPHER_AES_OCB;
1694 	}
1695 	return 32;		/* NB: so 1<< is discarded */
1696 #undef WPA_SEL
1697 }
1698 
1699 /*
1700  * Convert an RSN key management/authentication algorithm
1701  * to an internal code.
1702  */
1703 static int
1704 rsn_keymgmt(uint8_t *sel)
1705 {
1706 #define	RSN_SEL(x)	(((x)<<24)|RSN_OUI)
1707 	uint32_t w = LE_READ_4(sel);
1708 
1709 	switch (w) {
1710 	case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1711 		return RSN_ASE_8021X_UNSPEC;
1712 	case RSN_SEL(RSN_ASE_8021X_PSK):
1713 		return RSN_ASE_8021X_PSK;
1714 	case RSN_SEL(RSN_ASE_NONE):
1715 		return RSN_ASE_NONE;
1716 	}
1717 	return 0;		/* NB: so is discarded */
1718 #undef RSN_SEL
1719 }
1720 
1721 /*
1722  * Parse a WPA/RSN information element to collect parameters
1723  * and validate the parameters against what has been
1724  * configured for the system.
1725  */
1726 static int
1727 ieee80211_parse_rsn(struct ieee80211com *ic, uint8_t *frm,
1728 	struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1729 {
1730 	uint8_t len = frm[1];
1731 	uint32_t w;
1732 	int n;
1733 
1734 	/*
1735 	 * Check the length once for fixed parts:
1736 	 * version, mcast cipher, and 2 selector counts.
1737 	 * Other, variable-length data, must be checked separately.
1738 	 */
1739 	if ((ic->ic_flags & IEEE80211_F_WPA2) == 0) {
1740 		IEEE80211_DISCARD_IE(ic,
1741 		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1742 		    wh, "WPA", "not RSN, flags 0x%x", ic->ic_flags);
1743 		return IEEE80211_REASON_IE_INVALID;
1744 	}
1745 	if (len < 10) {
1746 		IEEE80211_DISCARD_IE(ic,
1747 		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1748 		    wh, "RSN", "too short, len %u", len);
1749 		return IEEE80211_REASON_IE_INVALID;
1750 	}
1751 	frm += 2;
1752 	w = LE_READ_2(frm);
1753 	if (w != RSN_VERSION) {
1754 		IEEE80211_DISCARD_IE(ic,
1755 		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1756 		    wh, "RSN", "bad version %u", w);
1757 		return IEEE80211_REASON_IE_INVALID;
1758 	}
1759 	frm += 2, len -= 2;
1760 
1761 	/* multicast/group cipher */
1762 	w = rsn_cipher(frm, &rsn->rsn_mcastkeylen);
1763 	if (w != rsn->rsn_mcastcipher) {
1764 		IEEE80211_DISCARD_IE(ic,
1765 		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1766 		    wh, "RSN", "mcast cipher mismatch; got %u, expected %u",
1767 		    w, rsn->rsn_mcastcipher);
1768 		return IEEE80211_REASON_IE_INVALID;
1769 	}
1770 	frm += 4, len -= 4;
1771 
1772 	/* unicast ciphers */
1773 	n = LE_READ_2(frm);
1774 	frm += 2, len -= 2;
1775 	if (len < n*4+2) {
1776 		IEEE80211_DISCARD_IE(ic,
1777 		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1778 		    wh, "RSN", "ucast cipher data too short; len %u, n %u",
1779 		    len, n);
1780 		return IEEE80211_REASON_IE_INVALID;
1781 	}
1782 	w = 0;
1783 	for (; n > 0; n--) {
1784 		w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen);
1785 		frm += 4, len -= 4;
1786 	}
1787 	w &= rsn->rsn_ucastcipherset;
1788 	if (w == 0) {
1789 		IEEE80211_DISCARD_IE(ic,
1790 		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1791 		    wh, "RSN", "%s", "ucast cipher set empty");
1792 		return IEEE80211_REASON_IE_INVALID;
1793 	}
1794 	if (w & (1<<IEEE80211_CIPHER_TKIP))
1795 		rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1796 	else
1797 		rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1798 
1799 	/* key management algorithms */
1800 	n = LE_READ_2(frm);
1801 	frm += 2, len -= 2;
1802 	if (len < n*4) {
1803 		IEEE80211_DISCARD_IE(ic,
1804 		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1805 		    wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1806 		    len, n);
1807 		return IEEE80211_REASON_IE_INVALID;
1808 	}
1809 	w = 0;
1810 	for (; n > 0; n--) {
1811 		w |= rsn_keymgmt(frm);
1812 		frm += 4, len -= 4;
1813 	}
1814 	w &= rsn->rsn_keymgmtset;
1815 	if (w == 0) {
1816 		IEEE80211_DISCARD_IE(ic,
1817 		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1818 		    wh, "RSN", "%s", "no acceptable key mgmt alg");
1819 		return IEEE80211_REASON_IE_INVALID;
1820 	}
1821 	if (w & RSN_ASE_8021X_UNSPEC)
1822 		rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1823 	else
1824 		rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1825 
1826 	/* optional RSN capabilities */
1827 	if (len > 2)
1828 		rsn->rsn_caps = LE_READ_2(frm);
1829 	/* XXXPMKID */
1830 
1831 	return 0;
1832 }
1833 
1834 static int
1835 ieee80211_parse_wmeparams(struct ieee80211com *ic, uint8_t *frm,
1836 	const struct ieee80211_frame *wh)
1837 {
1838 #define	MS(_v, _f)	(((_v) & _f) >> _f##_S)
1839 	struct ieee80211_wme_state *wme = &ic->ic_wme;
1840 	u_int len = frm[1], qosinfo;
1841 	int i;
1842 
1843 	if (len < sizeof(struct ieee80211_wme_param)-2) {
1844 		IEEE80211_DISCARD_IE(ic,
1845 		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME,
1846 		    wh, "WME", "too short, len %u", len);
1847 		return -1;
1848 	}
1849 	qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)];
1850 	qosinfo &= WME_QOSINFO_COUNT;
1851 	/* XXX do proper check for wraparound */
1852 	if (qosinfo == wme->wme_wmeChanParams.cap_info)
1853 		return 0;
1854 	frm += __offsetof(struct ieee80211_wme_param, params_acParams);
1855 	for (i = 0; i < WME_NUM_AC; i++) {
1856 		struct wmeParams *wmep =
1857 			&wme->wme_wmeChanParams.cap_wmeParams[i];
1858 		/* NB: ACI not used */
1859 		wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM);
1860 		wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN);
1861 		wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN);
1862 		wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX);
1863 		wmep->wmep_txopLimit = LE_READ_2(frm+2);
1864 		frm += 4;
1865 	}
1866 	wme->wme_wmeChanParams.cap_info = qosinfo;
1867 	return 1;
1868 #undef MS
1869 }
1870 
1871 static int
1872 ieee80211_parse_athparams(struct ieee80211_node *ni, uint8_t *frm,
1873 	const struct ieee80211_frame *wh)
1874 {
1875 	struct ieee80211com *ic = ni->ni_ic;
1876 	const struct ieee80211_ath_ie *ath;
1877 	u_int len = frm[1];
1878 	int capschanged;
1879 	uint16_t defkeyix;
1880 
1881 	if (len < sizeof(struct ieee80211_ath_ie)-2) {
1882 		IEEE80211_DISCARD_IE(ic,
1883 		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_SUPERG,
1884 		    wh, "Atheros", "too short, len %u", len);
1885 		return -1;
1886 	}
1887 	ath = (const struct ieee80211_ath_ie *)frm;
1888 	capschanged = (ni->ni_ath_flags != ath->ath_capability);
1889 	defkeyix = LE_READ_2(ath->ath_defkeyix);
1890 	if (capschanged || defkeyix != ni->ni_ath_defkeyix) {
1891 		ni->ni_ath_flags = ath->ath_capability;
1892 		ni->ni_ath_defkeyix = defkeyix;
1893 		IEEE80211_DPRINTF(ic, IEEE80211_MSG_SUPERG,
1894 		    "[%s] ath ie change: new caps 0x%x defkeyix 0x%x\n",
1895 		    ether_sprintf(ni->ni_macaddr),
1896 		    ni->ni_ath_flags, ni->ni_ath_defkeyix);
1897 	}
1898 	if (IEEE80211_ATH_CAP(ic, ni, ATHEROS_CAP_TURBO_PRIME)) {
1899 		uint16_t curflags, newflags;
1900 
1901 		/*
1902 		 * Check for turbo mode switch.  Calculate flags
1903 		 * for the new mode and effect the switch.
1904 		 */
1905 		newflags = curflags = ic->ic_bsschan->ic_flags;
1906 		/* NB: BOOST is not in ic_flags, so get it from the ie */
1907 		if (ath->ath_capability & ATHEROS_CAP_BOOST)
1908 			newflags |= IEEE80211_CHAN_TURBO;
1909 		else
1910 			newflags &= ~IEEE80211_CHAN_TURBO;
1911 		if (newflags != curflags)
1912 			ieee80211_dturbo_switch(ic, newflags);
1913 	}
1914 	return capschanged;
1915 }
1916 
1917 void
1918 ieee80211_saveath(struct ieee80211_node *ni, uint8_t *ie)
1919 {
1920 	const struct ieee80211_ath_ie *ath =
1921 		(const struct ieee80211_ath_ie *) ie;
1922 
1923 	ni->ni_ath_flags = ath->ath_capability;
1924 	ni->ni_ath_defkeyix = LE_READ_2(&ath->ath_defkeyix);
1925 	ieee80211_saveie(&ni->ni_ath_ie, ie);
1926 }
1927 
1928 void
1929 ieee80211_saveie(uint8_t **iep, const uint8_t *ie)
1930 {
1931 	u_int ielen = ie[1]+2;
1932 	/*
1933 	 * Record information element for later use.
1934 	 */
1935 	if (*iep == NULL || (*iep)[1] != ie[1]) {
1936 		if (*iep != NULL)
1937 			FREE(*iep, M_80211_NODE);
1938 		MALLOC(*iep, void*, ielen, M_80211_NODE, M_NOWAIT);
1939 	}
1940 	if (*iep != NULL)
1941 		memcpy(*iep, ie, ielen);
1942 	/* XXX note failure */
1943 }
1944 
1945 /* XXX find a better place for definition */
1946 struct l2_update_frame {
1947 	struct ether_header eh;
1948 	uint8_t dsap;
1949 	uint8_t ssap;
1950 	uint8_t control;
1951 	uint8_t xid[3];
1952 }  __packed;
1953 
1954 /*
1955  * Deliver a TGf L2UF frame on behalf of a station.
1956  * This primes any bridge when the station is roaming
1957  * between ap's on the same wired network.
1958  */
1959 static void
1960 ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1961 {
1962 	struct ieee80211com *ic = ni->ni_ic;
1963 	struct ifnet *ifp = ic->ic_ifp;
1964 	struct mbuf *m;
1965 	struct l2_update_frame *l2uf;
1966 	struct ether_header *eh;
1967 
1968 	m = m_gethdr(M_NOWAIT, MT_DATA);
1969 	if (m == NULL) {
1970 		IEEE80211_NOTE(ic, IEEE80211_MSG_ASSOC, ni,
1971 		    "%s", "no mbuf for l2uf frame");
1972 		ic->ic_stats.is_rx_nobuf++;	/* XXX not right */
1973 		return;
1974 	}
1975 	l2uf = mtod(m, struct l2_update_frame *);
1976 	eh = &l2uf->eh;
1977 	/* dst: Broadcast address */
1978 	IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
1979 	/* src: associated STA */
1980 	IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1981 	eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1982 
1983 	l2uf->dsap = 0;
1984 	l2uf->ssap = 0;
1985 	l2uf->control = 0xf5;
1986 	l2uf->xid[0] = 0x81;
1987 	l2uf->xid[1] = 0x80;
1988 	l2uf->xid[2] = 0x00;
1989 
1990 	m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1991 	ieee80211_deliver_data(ic, ni, m);
1992 }
1993 
1994 static __inline int
1995 contbgscan(struct ieee80211com *ic)
1996 {
1997 	return ((ic->ic_flags_ext & IEEE80211_FEXT_BGSCAN) &&
1998 	    time_after(ticks, ic->ic_lastdata + ic->ic_bgscanidle));
1999 }
2000 
2001 static __inline int
2002 startbgscan(struct ieee80211com *ic)
2003 {
2004 	return ((ic->ic_flags & IEEE80211_F_BGSCAN) &&
2005 	    !IEEE80211_IS_CHAN_DTURBO(ic->ic_curchan) &&
2006 	    time_after(ticks, ic->ic_lastscan + ic->ic_bgscanintvl) &&
2007 	    time_after(ticks, ic->ic_lastdata + ic->ic_bgscanidle));
2008 }
2009 
2010 static void
2011 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
2012 	int reassoc, int resp, const char *tag, int rate)
2013 {
2014 	struct ieee80211com *ic = ni->ni_ic;
2015 
2016 	IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2017 	    "[%s] deny %s request, %s rate set mismatch, rate 0x%x\n",
2018 	    ether_sprintf(wh->i_addr2),
2019 	    reassoc ? "reassoc" : "assoc", tag, rate);
2020 	IEEE80211_SEND_MGMT(ic, ni, resp, IEEE80211_STATUS_BASIC_RATE);
2021 	ieee80211_node_leave(ic, ni);
2022 	ic->ic_stats.is_rx_assoc_norate++;
2023 }
2024 
2025 static void
2026 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
2027 	int reassoc, int resp, const char *tag, int capinfo)
2028 {
2029 	struct ieee80211com *ic = ni->ni_ic;
2030 
2031 	IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2032 	    "[%s] deny %s request, %s mismatch 0x%x\n",
2033 	    ether_sprintf(wh->i_addr2),
2034 	    reassoc ? "reassoc" : "assoc", tag, capinfo);
2035 	IEEE80211_SEND_MGMT(ic, ni, resp, IEEE80211_STATUS_CAPINFO);
2036 	ieee80211_node_leave(ic, ni);
2037 	ic->ic_stats.is_rx_assoc_capmismatch++;
2038 }
2039 
2040 static void
2041 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
2042 	int reassoc, int resp)
2043 {
2044 	struct ieee80211com *ic = ni->ni_ic;
2045 
2046 	IEEE80211_NOTE_MAC(ic, IEEE80211_MSG_ANY, wh->i_addr2,
2047 	    "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc");
2048 	/* XXX no better code */
2049 	IEEE80211_SEND_MGMT(ic, ni, resp, IEEE80211_STATUS_OTHER);
2050 	ieee80211_node_leave(ic, ni);
2051 }
2052 
2053 void
2054 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
2055 	struct ieee80211_node *ni,
2056 	int subtype, int rssi, int noise, uint32_t rstamp)
2057 {
2058 #define	ISPROBE(_st)	((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP)
2059 #define	ISREASSOC(_st)	((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP)
2060 	struct ieee80211_frame *wh;
2061 	uint8_t *frm, *efrm;
2062 	uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap, *htinfo;
2063 	int reassoc, resp, allocbs;
2064 	uint8_t rate;
2065 
2066 	wh = mtod(m0, struct ieee80211_frame *);
2067 	frm = (uint8_t *)&wh[1];
2068 	efrm = mtod(m0, uint8_t *) + m0->m_len;
2069 	switch (subtype) {
2070 	case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
2071 	case IEEE80211_FC0_SUBTYPE_BEACON: {
2072 		struct ieee80211_scanparams scan;
2073 
2074 		/*
2075 		 * We process beacon/probe response frames:
2076 		 *    o when scanning, or
2077 		 *    o station mode when associated (to collect state
2078 		 *      updates such as 802.11g slot time), or
2079 		 *    o adhoc mode (to discover neighbors)
2080 		 * Frames otherwise received are discarded.
2081 		 */
2082 		if (!((ic->ic_flags & IEEE80211_F_SCAN) ||
2083 		      (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) ||
2084 		       ic->ic_opmode == IEEE80211_M_IBSS)) {
2085 			ic->ic_stats.is_rx_mgtdiscard++;
2086 			return;
2087 		}
2088 		/*
2089 		 * beacon/probe response frame format
2090 		 *	[8] time stamp
2091 		 *	[2] beacon interval
2092 		 *	[2] capability information
2093 		 *	[tlv] ssid
2094 		 *	[tlv] supported rates
2095 		 *	[tlv] country information
2096 		 *	[tlv] parameter set (FH/DS)
2097 		 *	[tlv] erp information
2098 		 *	[tlv] extended supported rates
2099 		 *	[tlv] WME
2100 		 *	[tlv] WPA or RSN
2101 		 *	[tlv] HT capabilities
2102 		 *	[tlv] HT information
2103 		 *	[tlv] Atheros capabilities
2104 		 */
2105 		IEEE80211_VERIFY_LENGTH(efrm - frm, 12, return);
2106 		memset(&scan, 0, sizeof(scan));
2107 		scan.tstamp  = frm;				frm += 8;
2108 		scan.bintval = le16toh(*(uint16_t *)frm);	frm += 2;
2109 		scan.capinfo = le16toh(*(uint16_t *)frm);	frm += 2;
2110 		scan.bchan = IEEE80211_CHAN2IEEE(ic->ic_curchan);
2111 		scan.curchan = ic->ic_curchan;
2112 
2113 		while (efrm - frm > 1) {
2114 			IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
2115 			switch (*frm) {
2116 			case IEEE80211_ELEMID_SSID:
2117 				scan.ssid = frm;
2118 				break;
2119 			case IEEE80211_ELEMID_RATES:
2120 				scan.rates = frm;
2121 				break;
2122 			case IEEE80211_ELEMID_COUNTRY:
2123 				scan.country = frm;
2124 				break;
2125 			case IEEE80211_ELEMID_FHPARMS:
2126 				if (ic->ic_phytype == IEEE80211_T_FH) {
2127 					scan.fhdwell = LE_READ_2(&frm[2]);
2128 					scan.bchan = IEEE80211_FH_CHAN(frm[4], frm[5]);
2129 					scan.fhindex = frm[6];
2130 				}
2131 				break;
2132 			case IEEE80211_ELEMID_DSPARMS:
2133 				/*
2134 				 * XXX hack this since depending on phytype
2135 				 * is problematic for multi-mode devices.
2136 				 */
2137 				if (ic->ic_phytype != IEEE80211_T_FH)
2138 					scan.bchan = frm[2];
2139 				break;
2140 			case IEEE80211_ELEMID_TIM:
2141 				/* XXX ATIM? */
2142 				scan.tim = frm;
2143 				scan.timoff = frm - mtod(m0, uint8_t *);
2144 				break;
2145 			case IEEE80211_ELEMID_IBSSPARMS:
2146 				break;
2147 			case IEEE80211_ELEMID_XRATES:
2148 				scan.xrates = frm;
2149 				break;
2150 			case IEEE80211_ELEMID_ERP:
2151 				if (frm[1] != 1) {
2152 					IEEE80211_DISCARD_IE(ic,
2153 					    IEEE80211_MSG_ELEMID, wh, "ERP",
2154 					    "bad len %u", frm[1]);
2155 					ic->ic_stats.is_rx_elem_toobig++;
2156 					break;
2157 				}
2158 				scan.erp = frm[2];
2159 				break;
2160 			case IEEE80211_ELEMID_HTCAP:
2161 				scan.htcap = frm;
2162 				break;
2163 			case IEEE80211_ELEMID_RSN:
2164 				scan.rsn = frm;
2165 				break;
2166 			case IEEE80211_ELEMID_HTINFO:
2167 				scan.htinfo = frm;
2168 				break;
2169 			case IEEE80211_ELEMID_VENDOR:
2170 				if (iswpaoui(frm))
2171 					scan.wpa = frm;
2172 				else if (iswmeparam(frm) || iswmeinfo(frm))
2173 					scan.wme = frm;
2174 				else if (isatherosoui(frm))
2175 					scan.ath = frm;
2176 				else if (ic->ic_flags_ext & IEEE80211_FEXT_HTCOMPAT) {
2177 					/*
2178 					 * Accept pre-draft HT ie's if the
2179 					 * standard ones have not been seen.
2180 					 */
2181 					if (ishtcapoui(frm)) {
2182 						if (scan.htcap == NULL)
2183 							scan.htcap = frm;
2184 					} else if (ishtinfooui(frm)) {
2185 						if (scan.htinfo == NULL)
2186 							scan.htcap = frm;
2187 					}
2188 				}
2189 				break;
2190 			default:
2191 				IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID,
2192 				    wh, "unhandled",
2193 				    "id %u, len %u", *frm, frm[1]);
2194 				ic->ic_stats.is_rx_elem_unknown++;
2195 				break;
2196 			}
2197 			frm += frm[1] + 2;
2198 		}
2199 		IEEE80211_VERIFY_ELEMENT(scan.rates, IEEE80211_RATE_MAXSIZE);
2200 		if (scan.xrates != NULL)
2201 			IEEE80211_VERIFY_ELEMENT(scan.xrates,
2202 				IEEE80211_RATE_MAXSIZE - scan.rates[1]);
2203 		IEEE80211_VERIFY_ELEMENT(scan.ssid, IEEE80211_NWID_LEN);
2204 #if IEEE80211_CHAN_MAX < 255
2205 		if (scan.chan > IEEE80211_CHAN_MAX) {
2206 			IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID,
2207 			    wh, ieee80211_mgt_subtype_name[subtype >>
2208 				IEEE80211_FC0_SUBTYPE_SHIFT],
2209 			    "invalid channel %u", scan.chan);
2210 			ic->ic_stats.is_rx_badchan++;
2211 			return;
2212 		}
2213 #endif
2214 		if (IEEE80211_CHAN2IEEE(scan.curchan) != scan.bchan &&
2215 		    ic->ic_phytype != IEEE80211_T_FH) {
2216 			/*
2217 			 * Frame was received on a channel different from the
2218 			 * one indicated in the DS params element id;
2219 			 * silently discard it.
2220 			 *
2221 			 * NB: this can happen due to signal leakage.
2222 			 *     But we should take it for FH phy because
2223 			 *     the rssi value should be correct even for
2224 			 *     different hop pattern in FH.
2225 			 */
2226 			IEEE80211_DISCARD(ic,
2227 			    IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT,
2228 			    wh, ieee80211_mgt_subtype_name[subtype >>
2229 				IEEE80211_FC0_SUBTYPE_SHIFT],
2230 			    "for off-channel %u",
2231 			    IEEE80211_CHAN2IEEE(scan.curchan));
2232 			ic->ic_stats.is_rx_chanmismatch++;
2233 			return;
2234 		}
2235 		if (!(IEEE80211_BINTVAL_MIN <= scan.bintval &&
2236 		      scan.bintval <= IEEE80211_BINTVAL_MAX)) {
2237 			IEEE80211_DISCARD(ic,
2238 			    IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT,
2239 			    wh, ieee80211_mgt_subtype_name[subtype >>
2240 				IEEE80211_FC0_SUBTYPE_SHIFT],
2241 			    "bogus beacon interval", scan.bintval);
2242 			ic->ic_stats.is_rx_badbintval++;
2243 			return;
2244 		}
2245 		/*
2246 		 * Process HT ie's.  This is complicated by our
2247 		 * accepting both the standard ie's and the pre-draft
2248 		 * vendor OUI ie's that some vendors still use/require.
2249 		 */
2250 		if (scan.htcap != NULL) {
2251 			IEEE80211_VERIFY_LENGTH(scan.htcap[1],
2252 			     scan.htcap[0] == IEEE80211_ELEMID_VENDOR ?
2253 			         4 + sizeof(struct ieee80211_ie_htcap)-2 :
2254 			         sizeof(struct ieee80211_ie_htcap)-2,
2255 			     scan.htcap = NULL);
2256 		}
2257 		if (scan.htinfo != NULL) {
2258 			IEEE80211_VERIFY_LENGTH(scan.htinfo[1],
2259 			     scan.htinfo[0] == IEEE80211_ELEMID_VENDOR ?
2260 			         4 + sizeof(struct ieee80211_ie_htinfo)-2 :
2261 			         sizeof(struct ieee80211_ie_htinfo)-2,
2262 			     scan.htinfo = NULL);
2263 		}
2264 
2265 		/*
2266 		 * Count frame now that we know it's to be processed.
2267 		 */
2268 		if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
2269 			ic->ic_stats.is_rx_beacon++;		/* XXX remove */
2270 			IEEE80211_NODE_STAT(ni, rx_beacons);
2271 		} else
2272 			IEEE80211_NODE_STAT(ni, rx_proberesp);
2273 
2274 		/*
2275 		 * When operating in station mode, check for state updates.
2276 		 * Be careful to ignore beacons received while doing a
2277 		 * background scan.  We consider only 11g/WMM stuff right now.
2278 		 */
2279 		if (ic->ic_opmode == IEEE80211_M_STA &&
2280 		    ni->ni_associd != 0 &&
2281 		    ((ic->ic_flags & IEEE80211_F_SCAN) == 0 ||
2282 		     IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) {
2283 			/* record tsf of last beacon */
2284 			memcpy(ni->ni_tstamp.data, scan.tstamp,
2285 				sizeof(ni->ni_tstamp));
2286 			/* count beacon frame for s/w bmiss handling */
2287 			ic->ic_swbmiss_count++;
2288 			ic->ic_bmiss_count = 0;
2289 			if (ni->ni_erp != scan.erp) {
2290 				IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2291 				    "[%s] erp change: was 0x%x, now 0x%x\n",
2292 				    ether_sprintf(wh->i_addr2),
2293 				    ni->ni_erp, scan.erp);
2294 				if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
2295 				    (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
2296 					ic->ic_flags |= IEEE80211_F_USEPROT;
2297 				else
2298 					ic->ic_flags &= ~IEEE80211_F_USEPROT;
2299 				ni->ni_erp = scan.erp;
2300 				/* XXX statistic */
2301 			}
2302 			if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) {
2303 				IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2304 				    "[%s] capabilities change: before 0x%x,"
2305 				     " now 0x%x\n",
2306 				     ether_sprintf(wh->i_addr2),
2307 				     ni->ni_capinfo, scan.capinfo);
2308 				/*
2309 				 * NB: we assume short preamble doesn't
2310 				 *     change dynamically
2311 				 */
2312 				ieee80211_set_shortslottime(ic,
2313 					IEEE80211_IS_CHAN_A(ic->ic_bsschan) ||
2314 					(scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
2315 				ni->ni_capinfo = (ni->ni_capinfo &~ IEEE80211_CAPINFO_SHORT_SLOTTIME)
2316 					       | (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME);
2317 				/* XXX statistic */
2318 			}
2319 			if (scan.wme != NULL &&
2320 			    (ni->ni_flags & IEEE80211_NODE_QOS) &&
2321 			    ieee80211_parse_wmeparams(ic, scan.wme, wh) > 0)
2322 				ieee80211_wme_updateparams(ic);
2323 			if (scan.ath != NULL)
2324 				ieee80211_parse_athparams(ni, scan.ath, wh);
2325 			if (scan.htcap != NULL)
2326 				ieee80211_parse_htcap(ni, scan.htcap);
2327 			if (scan.htinfo != NULL) {
2328 				ieee80211_parse_htinfo(ni, scan.htinfo);
2329 				if (ni->ni_chan != ic->ic_bsschan) {
2330 					/*
2331 					 * Channel has been adjusted based on
2332 					 * negotiated HT parameters; force the
2333 					 * channel state to follow.
2334 					 */
2335 					ieee80211_setbsschan(ic, ni->ni_chan);
2336 				}
2337 			}
2338 			if (scan.tim != NULL) {
2339 				struct ieee80211_tim_ie *tim =
2340 				    (struct ieee80211_tim_ie *) scan.tim;
2341 #if 0
2342 				int aid = IEEE80211_AID(ni->ni_associd);
2343 				int ix = aid / NBBY;
2344 				int min = tim->tim_bitctl &~ 1;
2345 				int max = tim->tim_len + min - 4;
2346 				if ((tim->tim_bitctl&1) ||
2347 				    (min <= ix && ix <= max &&
2348 				     isset(tim->tim_bitmap - min, aid))) {
2349 					/*
2350 					 * XXX Do not let bg scan kick off
2351 					 * we are expecting data.
2352 					 */
2353 					ic->ic_lastdata = ticks;
2354 					ieee80211_sta_pwrsave(ic, 0);
2355 				}
2356 #endif
2357 				ni->ni_dtim_count = tim->tim_count;
2358 				ni->ni_dtim_period = tim->tim_period;
2359 			}
2360 			/*
2361 			 * If scanning, pass the info to the scan module.
2362 			 * Otherwise, check if it's the right time to do
2363 			 * a background scan.  Background scanning must
2364 			 * be enabled and we must not be operating in the
2365 			 * turbo phase of dynamic turbo mode.  Then,
2366 			 * it's been a while since the last background
2367 			 * scan and if no data frames have come through
2368 			 * recently, kick off a scan.  Note that this
2369 			 * is the mechanism by which a background scan
2370 			 * is started _and_ continued each time we
2371 			 * return on-channel to receive a beacon from
2372 			 * our ap.
2373 			 */
2374 			if (ic->ic_flags & IEEE80211_F_SCAN) {
2375 				ieee80211_add_scan(ic, &scan, wh,
2376 					subtype, rssi, noise, rstamp);
2377 			} else if (contbgscan(ic)) {
2378 				ieee80211_bg_scan(ic);
2379 			} else if (startbgscan(ic)) {
2380 #if 0
2381 				/* wakeup if we are sleeing */
2382 				ieee80211_set_pwrsave(ic, 0);
2383 #endif
2384 				ieee80211_bg_scan(ic);
2385 			}
2386 			return;
2387 		}
2388 		/*
2389 		 * If scanning, just pass information to the scan module.
2390 		 */
2391 		if (ic->ic_flags & IEEE80211_F_SCAN) {
2392 			if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) {
2393 				/*
2394 				 * Actively scanning a channel marked passive;
2395 				 * send a probe request now that we know there
2396 				 * is 802.11 traffic present.
2397 				 *
2398 				 * XXX check if the beacon we recv'd gives
2399 				 * us what we need and suppress the probe req
2400 				 */
2401 				ieee80211_probe_curchan(ic, 1);
2402 				ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
2403 			}
2404 			ieee80211_add_scan(ic, &scan, wh,
2405 				subtype, rssi, noise, rstamp);
2406 			return;
2407 		}
2408 		if (scan.capinfo & IEEE80211_CAPINFO_IBSS) {
2409 			if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
2410 				/*
2411 				 * Create a new entry in the neighbor table.
2412 				 */
2413 				ni = ieee80211_add_neighbor(ic, wh, &scan);
2414 			} else if (ni->ni_capinfo == 0) {
2415 				/*
2416 				 * Update faked node created on transmit.
2417 				 * Note this also updates the tsf.
2418 				 */
2419 				ieee80211_init_neighbor(ni, wh, &scan);
2420 			} else {
2421 				/*
2422 				 * Record tsf for potential resync.
2423 				 */
2424 				memcpy(ni->ni_tstamp.data, scan.tstamp,
2425 					sizeof(ni->ni_tstamp));
2426 			}
2427 			if (ni != NULL) {
2428 				ni->ni_rssi = rssi;
2429 				ni->ni_noise = noise;
2430 				ni->ni_rstamp = rstamp;
2431 			}
2432 		}
2433 		break;
2434 	}
2435 
2436 	case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
2437 		if (ic->ic_opmode == IEEE80211_M_STA ||
2438 		    ic->ic_state != IEEE80211_S_RUN) {
2439 			ic->ic_stats.is_rx_mgtdiscard++;
2440 			return;
2441 		}
2442 		if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
2443 			/* frame must be directed */
2444 			ic->ic_stats.is_rx_mgtdiscard++;	/* XXX stat */
2445 			return;
2446 		}
2447 
2448 		/*
2449 		 * prreq frame format
2450 		 *	[tlv] ssid
2451 		 *	[tlv] supported rates
2452 		 *	[tlv] extended supported rates
2453 		 *	[tlv] Atheros capabilities
2454 		 */
2455 		ssid = rates = xrates = ath = NULL;
2456 		while (efrm - frm > 1) {
2457 			IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
2458 			switch (*frm) {
2459 			case IEEE80211_ELEMID_SSID:
2460 				ssid = frm;
2461 				break;
2462 			case IEEE80211_ELEMID_RATES:
2463 				rates = frm;
2464 				break;
2465 			case IEEE80211_ELEMID_XRATES:
2466 				xrates = frm;
2467 				break;
2468 			case IEEE80211_ELEMID_VENDOR:
2469 				if (isatherosoui(frm))
2470 					ath = frm;
2471 				break;
2472 			}
2473 			frm += frm[1] + 2;
2474 		}
2475 		IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
2476 		if (xrates != NULL)
2477 			IEEE80211_VERIFY_ELEMENT(xrates,
2478 				IEEE80211_RATE_MAXSIZE - rates[1]);
2479 		IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
2480 		IEEE80211_VERIFY_SSID(ic->ic_bss, ssid);
2481 		if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
2482 			IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
2483 			    wh, ieee80211_mgt_subtype_name[subtype >>
2484 				IEEE80211_FC0_SUBTYPE_SHIFT],
2485 			    "%s", "no ssid with ssid suppression enabled");
2486 			ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/
2487 			return;
2488 		}
2489 
2490 		allocbs = 0;
2491 		if (ni == ic->ic_bss) {
2492 			if (ic->ic_opmode != IEEE80211_M_IBSS) {
2493 				ni = ieee80211_tmp_node(ic, wh->i_addr2);
2494 				allocbs = 1;
2495 			} else if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
2496 				/*
2497 				 * XXX Cannot tell if the sender is operating
2498 				 * in ibss mode.  But we need a new node to
2499 				 * send the response so blindly add them to the
2500 				 * neighbor table.
2501 				 */
2502 				ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta,
2503 					wh->i_addr2);
2504 			}
2505 			if (ni == NULL)
2506 				return;
2507 		}
2508 		IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2509 		    "[%s] recv probe req\n", ether_sprintf(wh->i_addr2));
2510 		ni->ni_rssi = rssi;
2511 		ni->ni_rstamp = rstamp;
2512 		rate = ieee80211_setup_rates(ni, rates, xrates,
2513 			  IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE
2514 			| IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2515 		if (rate & IEEE80211_RATE_BASIC) {
2516 			IEEE80211_DISCARD(ic, IEEE80211_MSG_XRATE,
2517 			    wh, ieee80211_mgt_subtype_name[subtype >>
2518 				IEEE80211_FC0_SUBTYPE_SHIFT],
2519 			    "%s", "recv'd rate set invalid");
2520 		} else {
2521 			IEEE80211_SEND_MGMT(ic, ni,
2522 				IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0);
2523 		}
2524 		if (allocbs) {
2525 			/*
2526 			 * Temporary node created just to send a
2527 			 * response, reclaim immediately.
2528 			 */
2529 			ieee80211_free_node(ni);
2530 		} else if (ath != NULL)
2531 			ieee80211_saveath(ni, ath);
2532 		break;
2533 
2534 	case IEEE80211_FC0_SUBTYPE_AUTH: {
2535 		uint16_t algo, seq, status;
2536 		/*
2537 		 * auth frame format
2538 		 *	[2] algorithm
2539 		 *	[2] sequence
2540 		 *	[2] status
2541 		 *	[tlv*] challenge
2542 		 */
2543 		IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
2544 		algo   = le16toh(*(uint16_t *)frm);
2545 		seq    = le16toh(*(uint16_t *)(frm + 2));
2546 		status = le16toh(*(uint16_t *)(frm + 4));
2547 		IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH,
2548 		    "[%s] recv auth frame with algorithm %d seq %d\n",
2549 		    ether_sprintf(wh->i_addr2), algo, seq);
2550 		/*
2551 		 * Consult the ACL policy module if setup.
2552 		 */
2553 		if (ic->ic_acl != NULL &&
2554 		    !ic->ic_acl->iac_check(ic, wh->i_addr2)) {
2555 			IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL,
2556 			    wh, "auth", "%s", "disallowed by ACL");
2557 			ic->ic_stats.is_rx_acl++;
2558 			if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2559 				IEEE80211_SEND_MGMT(ic, ni,
2560 				    IEEE80211_FC0_SUBTYPE_AUTH,
2561 				    (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
2562 			}
2563 			return;
2564 		}
2565 		if (ic->ic_flags & IEEE80211_F_COUNTERM) {
2566 			IEEE80211_DISCARD(ic,
2567 			    IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
2568 			    wh, "auth", "%s", "TKIP countermeasures enabled");
2569 			ic->ic_stats.is_rx_auth_countermeasures++;
2570 			if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2571 				IEEE80211_SEND_MGMT(ic, ni,
2572 					IEEE80211_FC0_SUBTYPE_AUTH,
2573 					IEEE80211_REASON_MIC_FAILURE);
2574 			}
2575 			return;
2576 		}
2577 		if (algo == IEEE80211_AUTH_ALG_SHARED)
2578 			ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi,
2579 			    noise, rstamp, seq, status);
2580 		else if (algo == IEEE80211_AUTH_ALG_OPEN)
2581 			ieee80211_auth_open(ic, wh, ni, rssi, noise, rstamp,
2582 			    seq, status);
2583 		else {
2584 			IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
2585 			    wh, "auth", "unsupported alg %d", algo);
2586 			ic->ic_stats.is_rx_auth_unsupported++;
2587 			if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2588 				/* XXX not right */
2589 				IEEE80211_SEND_MGMT(ic, ni,
2590 					IEEE80211_FC0_SUBTYPE_AUTH,
2591 					(seq+1) | (IEEE80211_STATUS_ALG<<16));
2592 			}
2593 			return;
2594 		}
2595 		break;
2596 	}
2597 
2598 	case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
2599 	case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
2600 		uint16_t capinfo, lintval;
2601 		struct ieee80211_rsnparms rsnparms;
2602 		uint8_t reason;
2603 		int badwparsn;
2604 
2605 		if (ic->ic_opmode != IEEE80211_M_HOSTAP ||
2606 		    ic->ic_state != IEEE80211_S_RUN) {
2607 			ic->ic_stats.is_rx_mgtdiscard++;
2608 			return;
2609 		}
2610 
2611 		if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
2612 			reassoc = 1;
2613 			resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
2614 		} else {
2615 			reassoc = 0;
2616 			resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
2617 		}
2618 		/*
2619 		 * asreq frame format
2620 		 *	[2] capability information
2621 		 *	[2] listen interval
2622 		 *	[6*] current AP address (reassoc only)
2623 		 *	[tlv] ssid
2624 		 *	[tlv] supported rates
2625 		 *	[tlv] extended supported rates
2626 		 *	[tlv] WPA or RSN
2627 		 *	[tlv] HT capabilities
2628 		 *	[tlv] Atheros capabilities
2629 		 */
2630 		IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
2631 		if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) {
2632 			IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
2633 			    wh, ieee80211_mgt_subtype_name[subtype >>
2634 				IEEE80211_FC0_SUBTYPE_SHIFT],
2635 			    "%s", "wrong bssid");
2636 			ic->ic_stats.is_rx_assoc_bss++;
2637 			return;
2638 		}
2639 		capinfo = le16toh(*(uint16_t *)frm);	frm += 2;
2640 		lintval = le16toh(*(uint16_t *)frm);	frm += 2;
2641 		if (reassoc)
2642 			frm += 6;	/* ignore current AP info */
2643 		ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
2644 		while (efrm - frm > 1) {
2645 			IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
2646 			switch (*frm) {
2647 			case IEEE80211_ELEMID_SSID:
2648 				ssid = frm;
2649 				break;
2650 			case IEEE80211_ELEMID_RATES:
2651 				rates = frm;
2652 				break;
2653 			case IEEE80211_ELEMID_XRATES:
2654 				xrates = frm;
2655 				break;
2656 			/* XXX verify only one of RSN and WPA ie's? */
2657 			case IEEE80211_ELEMID_RSN:
2658 				rsn = frm;
2659 				break;
2660 			case IEEE80211_ELEMID_HTCAP:
2661 				htcap = frm;
2662 				break;
2663 			case IEEE80211_ELEMID_VENDOR:
2664 				if (iswpaoui(frm))
2665 					wpa = frm;
2666 				else if (iswmeinfo(frm))
2667 					wme = frm;
2668 				else if (isatherosoui(frm))
2669 					ath = frm;
2670 				else if (ic->ic_flags_ext & IEEE80211_FEXT_HTCOMPAT) {
2671 					if (ishtcapoui(frm) && htcap == NULL)
2672 						htcap = frm;
2673 				}
2674 				break;
2675 			}
2676 			frm += frm[1] + 2;
2677 		}
2678 		IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
2679 		if (xrates != NULL)
2680 			IEEE80211_VERIFY_ELEMENT(xrates,
2681 				IEEE80211_RATE_MAXSIZE - rates[1]);
2682 		IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
2683 		IEEE80211_VERIFY_SSID(ic->ic_bss, ssid);
2684 		if (htcap != NULL) {
2685 			IEEE80211_VERIFY_LENGTH(htcap[1],
2686 			     htcap[0] == IEEE80211_ELEMID_VENDOR ?
2687 			         4 + sizeof(struct ieee80211_ie_htcap)-2 :
2688 			         sizeof(struct ieee80211_ie_htcap)-2,
2689 			     return);		/* XXX just NULL out? */
2690 		}
2691 
2692 		if (ni == ic->ic_bss) {
2693 			IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2694 			    "[%s] deny %s request, sta not authenticated\n",
2695 			    ether_sprintf(wh->i_addr2),
2696 			    reassoc ? "reassoc" : "assoc");
2697 			ieee80211_send_error(ic, ni, wh->i_addr2,
2698 			    IEEE80211_FC0_SUBTYPE_DEAUTH,
2699 			    IEEE80211_REASON_ASSOC_NOT_AUTHED);
2700 			ic->ic_stats.is_rx_assoc_notauth++;
2701 			return;
2702 		}
2703 		/* assert right association security credentials */
2704 		badwparsn = 0;
2705 		switch (ic->ic_flags & IEEE80211_F_WPA) {
2706 		case IEEE80211_F_WPA1:
2707 			if (wpa == NULL)
2708 				badwparsn = 1;
2709 			break;
2710 		case IEEE80211_F_WPA2:
2711 			if (rsn == NULL)
2712 				badwparsn = 1;
2713 			break;
2714 		case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
2715 			if (wpa == NULL && rsn == NULL)
2716 				badwparsn = 1;
2717 			break;
2718 		}
2719 		if (badwparsn) {
2720 			IEEE80211_DPRINTF(ic,
2721 			    IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
2722 			    "[%s] no WPA/RSN IE in association request\n",
2723 			    ether_sprintf(wh->i_addr2));
2724 			IEEE80211_SEND_MGMT(ic, ni,
2725 			    IEEE80211_FC0_SUBTYPE_DEAUTH,
2726 			    IEEE80211_REASON_IE_INVALID);
2727 			ieee80211_node_leave(ic, ni);
2728 			ic->ic_stats.is_rx_assoc_badwpaie++;
2729 			return;
2730 		}
2731 		if (wpa != NULL || rsn != NULL) {
2732 			/*
2733 			 * Parse WPA/RSN information element.  Note that
2734 			 * we initialize the param block from the node
2735 			 * state so that information in the IE overrides
2736 			 * our defaults.  The resulting parameters are
2737 			 * installed below after the association is assured.
2738 			 */
2739 			rsnparms = ni->ni_rsn;
2740 			if (wpa != NULL)
2741 				reason = ieee80211_parse_wpa(ic, wpa, &rsnparms, wh);
2742 			else
2743 				reason = ieee80211_parse_rsn(ic, rsn, &rsnparms, wh);
2744 			if (reason != 0) {
2745 				IEEE80211_SEND_MGMT(ic, ni,
2746 				    IEEE80211_FC0_SUBTYPE_DEAUTH, reason);
2747 				ieee80211_node_leave(ic, ni);
2748 				/* XXX distinguish WPA/RSN? */
2749 				ic->ic_stats.is_rx_assoc_badwpaie++;
2750 				return;
2751 			}
2752 			IEEE80211_DPRINTF(ic,
2753 			    IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
2754 			    "[%s] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n",
2755 			    ether_sprintf(wh->i_addr2),
2756 			    wpa != NULL ? "WPA" : "RSN",
2757 			    rsnparms.rsn_mcastcipher, rsnparms.rsn_mcastkeylen,
2758 			    rsnparms.rsn_ucastcipher, rsnparms.rsn_ucastkeylen,
2759 			    rsnparms.rsn_keymgmt, rsnparms.rsn_caps);
2760 		}
2761 		/* discard challenge after association */
2762 		if (ni->ni_challenge != NULL) {
2763 			FREE(ni->ni_challenge, M_80211_NODE);
2764 			ni->ni_challenge = NULL;
2765 		}
2766 		/* NB: 802.11 spec says to ignore station's privacy bit */
2767 		if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2768 			capinfomismatch(ni, wh, reassoc, resp,
2769 			    "capability", capinfo);
2770 			return;
2771 		}
2772 		/*
2773 		 * Disallow re-associate w/ invalid slot time setting.
2774 		 */
2775 		if (ni->ni_associd != 0 &&
2776 		    IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
2777 		    ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
2778 			capinfomismatch(ni, wh, reassoc, resp,
2779 			    "slot time", capinfo);
2780 			return;
2781 		}
2782 		rate = ieee80211_setup_rates(ni, rates, xrates,
2783 				IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2784 				IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2785 		if (rate & IEEE80211_RATE_BASIC) {
2786 			ratesetmismatch(ni, wh, reassoc, resp, "basic", rate);
2787 			return;
2788 		}
2789 		/*
2790 		 * If constrained to 11g-only stations reject an
2791 		 * 11b-only station.  We cheat a bit here by looking
2792 		 * at the max negotiated xmit rate and assuming anyone
2793 		 * with a best rate <24Mb/s is an 11b station.
2794 		 */
2795 		if ((ic->ic_flags & IEEE80211_F_PUREG) && rate < 48) {
2796 			ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2797 			return;
2798 		}
2799 		/* XXX enforce PUREN */
2800 		/* 802.11n-specific rateset handling */
2801 		if (IEEE80211_IS_CHAN_HT(ic->ic_curchan) && htcap != NULL) {
2802 			rate = ieee80211_setup_htrates(ni, htcap,
2803 				IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO |
2804 				IEEE80211_F_DOBRS);
2805 			if (rate & IEEE80211_RATE_BASIC) {
2806 				/* XXX 11n-specific stat */
2807 				ratesetmismatch(ni, wh, reassoc, resp,
2808 				    "HT", rate);
2809 				return;
2810 			}
2811 			ieee80211_ht_node_init(ni, htcap);
2812 		} else if (ni->ni_flags & IEEE80211_NODE_HT)
2813 			ieee80211_ht_node_cleanup(ni);
2814 		/*
2815 		 * Allow AMPDU operation only with unencrypted traffic
2816 		 * or AES-CCM; the 11n spec only specifies these ciphers
2817 		 * so permitting any others is undefined and can lead
2818 		 * to interoperability problems.
2819 		 *
2820 		 * NB: We check for AES by looking at the GTK cipher
2821 		 *     since the WPA/11i specs say the PTK cipher has
2822 		 *     to be "as good or better".
2823 		 */
2824 		if ((ni->ni_flags & IEEE80211_NODE_HT) &&
2825 		    (((ic->ic_flags & IEEE80211_F_WPA) &&
2826 		      rsnparms.rsn_mcastcipher != IEEE80211_CIPHER_AES_CCM) ||
2827 		     (ic->ic_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
2828 			IEEE80211_NOTE(ic,
2829 			    IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
2830 			    "disallow HT use because WEP or TKIP requested, "
2831 			    "capinfo 0x%x mcastcipher %d", capinfo,
2832 			    rsnparms.rsn_mcastcipher);
2833 			ieee80211_ht_node_cleanup(ni);
2834 			ic->ic_stats.is_ht_assoc_downgrade++;
2835 		}
2836 		/*
2837 		 * If constrained to 11n-only stations reject legacy stations.
2838 		 */
2839 		if ((ic->ic_flags_ext & IEEE80211_FEXT_PUREN) &&
2840 		    (ni->ni_flags & IEEE80211_NODE_HT) == 0) {
2841 			htcapmismatch(ni, wh, reassoc, resp);
2842 			ic->ic_stats.is_ht_assoc_nohtcap++;
2843 			return;
2844 		}
2845 		ni->ni_rssi = rssi;
2846 		ni->ni_noise = noise;
2847 		ni->ni_rstamp = rstamp;
2848 		ni->ni_intval = lintval;
2849 		ni->ni_capinfo = capinfo;
2850 		ni->ni_chan = ic->ic_bsschan;
2851 		ni->ni_fhdwell = ic->ic_bss->ni_fhdwell;
2852 		ni->ni_fhindex = ic->ic_bss->ni_fhindex;
2853 		if (wpa != NULL) {
2854 			/*
2855 			 * Record WPA parameters for station, mark
2856 			 * node as using WPA and record information element
2857 			 * for applications that require it.
2858 			 */
2859 			ni->ni_rsn = rsnparms;
2860 			ieee80211_saveie(&ni->ni_wpa_ie, wpa);
2861 		} else if (ni->ni_wpa_ie != NULL) {
2862 			/*
2863 			 * Flush any state from a previous association.
2864 			 */
2865 			FREE(ni->ni_wpa_ie, M_80211_NODE);
2866 			ni->ni_wpa_ie = NULL;
2867 		}
2868 		if (rsn != NULL) {
2869 			/*
2870 			 * Record RSN parameters for station, mark
2871 			 * node as using WPA and record information element
2872 			 * for applications that require it.
2873 			 */
2874 			ni->ni_rsn = rsnparms;
2875 			ieee80211_saveie(&ni->ni_rsn_ie, rsn);
2876 		} else if (ni->ni_rsn_ie != NULL) {
2877 			/*
2878 			 * Flush any state from a previous association.
2879 			 */
2880 			FREE(ni->ni_rsn_ie, M_80211_NODE);
2881 			ni->ni_rsn_ie = NULL;
2882 		}
2883 		if (wme != NULL) {
2884 			/*
2885 			 * Record WME parameters for station, mark node
2886 			 * as capable of QoS and record information
2887 			 * element for applications that require it.
2888 			 */
2889 			ieee80211_saveie(&ni->ni_wme_ie, wme);
2890 			ni->ni_flags |= IEEE80211_NODE_QOS;
2891 		} else if (ni->ni_wme_ie != NULL) {
2892 			/*
2893 			 * Flush any state from a previous association.
2894 			 */
2895 			FREE(ni->ni_wme_ie, M_80211_NODE);
2896 			ni->ni_wme_ie = NULL;
2897 			ni->ni_flags &= ~IEEE80211_NODE_QOS;
2898 		}
2899 		if (ath != NULL) {
2900 			/*
2901 			 * Record ATH parameters for station, mark
2902 			 * node with appropriate capabilities, and
2903 			 * record the information element for
2904 			 * applications that require it.
2905 			 */
2906 			ieee80211_saveath(ni, ath);
2907 		} else if (ni->ni_ath_ie != NULL) {
2908 			/*
2909 			 * Flush any state from a previous association.
2910 			 */
2911 			FREE(ni->ni_ath_ie, M_80211_NODE);
2912 			ni->ni_ath_ie = NULL;
2913 			ni->ni_ath_flags = 0;
2914 		}
2915 		ieee80211_node_join(ic, ni, resp);
2916 		ieee80211_deliver_l2uf(ni);
2917 		break;
2918 	}
2919 
2920 	case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2921 	case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: {
2922 		uint16_t capinfo, associd;
2923 		uint16_t status;
2924 
2925 		if (ic->ic_opmode != IEEE80211_M_STA ||
2926 		    ic->ic_state != IEEE80211_S_ASSOC) {
2927 			ic->ic_stats.is_rx_mgtdiscard++;
2928 			return;
2929 		}
2930 
2931 		/*
2932 		 * asresp frame format
2933 		 *	[2] capability information
2934 		 *	[2] status
2935 		 *	[2] association ID
2936 		 *	[tlv] supported rates
2937 		 *	[tlv] extended supported rates
2938 		 *	[tlv] WME
2939 		 *	[tlv] HT capabilities
2940 		 *	[tlv] HT info
2941 		 */
2942 		IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
2943 		ni = ic->ic_bss;
2944 		capinfo = le16toh(*(uint16_t *)frm);
2945 		frm += 2;
2946 		status = le16toh(*(uint16_t *)frm);
2947 		frm += 2;
2948 		if (status != 0) {
2949 			IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2950 			    "[%s] %sassoc failed (reason %d)\n",
2951 			    ether_sprintf(wh->i_addr2),
2952 			    ISREASSOC(subtype) ?  "re" : "", status);
2953 			if (ni != ic->ic_bss)	/* XXX never true? */
2954 				ni->ni_fails++;
2955 			ic->ic_stats.is_rx_auth_fail++;	/* XXX */
2956 			return;
2957 		}
2958 		associd = le16toh(*(uint16_t *)frm);
2959 		frm += 2;
2960 
2961 		rates = xrates = wme = htcap = htinfo = NULL;
2962 		while (efrm - frm > 1) {
2963 			IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
2964 			switch (*frm) {
2965 			case IEEE80211_ELEMID_RATES:
2966 				rates = frm;
2967 				break;
2968 			case IEEE80211_ELEMID_XRATES:
2969 				xrates = frm;
2970 				break;
2971 			case IEEE80211_ELEMID_HTCAP:
2972 				htcap = frm;
2973 				break;
2974 			case IEEE80211_ELEMID_HTINFO:
2975 				htinfo = frm;
2976 				break;
2977 			case IEEE80211_ELEMID_VENDOR:
2978 				if (iswmeoui(frm))
2979 					wme = frm;
2980 				else if (ic->ic_flags_ext & IEEE80211_FEXT_HTCOMPAT) {
2981 					/*
2982 					 * Accept pre-draft HT ie's if the
2983 					 * standard ones have not been seen.
2984 					 */
2985 					if (ishtcapoui(frm)) {
2986 						if (htcap == NULL)
2987 							htcap = frm;
2988 					} else if (ishtinfooui(frm)) {
2989 						if (htinfo == NULL)
2990 							htcap = frm;
2991 					}
2992 				}
2993 				/* XXX Atheros OUI support */
2994 				break;
2995 			}
2996 			frm += frm[1] + 2;
2997 		}
2998 
2999 		IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
3000 		if (xrates != NULL)
3001 			IEEE80211_VERIFY_ELEMENT(xrates,
3002 				IEEE80211_RATE_MAXSIZE - rates[1]);
3003 		rate = ieee80211_setup_rates(ni, rates, xrates,
3004 				IEEE80211_F_JOIN |
3005 				IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
3006 				IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
3007 		if (rate & IEEE80211_RATE_BASIC) {
3008 			IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
3009 			    "[%s] %sassoc failed (rate set mismatch)\n",
3010 			    ether_sprintf(wh->i_addr2),
3011 			    ISREASSOC(subtype) ?  "re" : "");
3012 			if (ni != ic->ic_bss)	/* XXX never true? */
3013 				ni->ni_fails++;
3014 			ic->ic_stats.is_rx_assoc_norate++;
3015 			ieee80211_new_state(ic, IEEE80211_S_SCAN,
3016 			    IEEE80211_SCAN_FAIL_STATUS);
3017 			return;
3018 		}
3019 
3020 		ni->ni_capinfo = capinfo;
3021 		ni->ni_associd = associd;
3022 		if (wme != NULL &&
3023 		    ieee80211_parse_wmeparams(ic, wme, wh) >= 0) {
3024 			ni->ni_flags |= IEEE80211_NODE_QOS;
3025 			ieee80211_wme_updateparams(ic);
3026 		} else
3027 			ni->ni_flags &= ~IEEE80211_NODE_QOS;
3028 		/*
3029 		 * Setup HT state according to the negotiation.
3030 		 */
3031 		if ((ic->ic_htcaps & IEEE80211_HTC_HT) &&
3032 		    htcap != NULL && htinfo != NULL) {
3033 			ieee80211_ht_node_init(ni, htcap);
3034 			ieee80211_parse_htinfo(ni, htinfo);
3035 			ieee80211_setup_htrates(ni,
3036 			    htcap, IEEE80211_F_JOIN | IEEE80211_F_DOBRS);
3037 			ieee80211_setup_basic_htrates(ni, htinfo);
3038 			if (ni->ni_chan != ic->ic_bsschan) {
3039 				/*
3040 				 * Channel has been adjusted based on
3041 				 * negotiated HT parameters; force the
3042 				 * channel state to follow.
3043 				 */
3044 				ieee80211_setbsschan(ic, ni->ni_chan);
3045 			}
3046 		}
3047 		/*
3048 		 * Configure state now that we are associated.
3049 		 *
3050 		 * XXX may need different/additional driver callbacks?
3051 		 */
3052 		if (IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
3053 		    (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) {
3054 			ic->ic_flags |= IEEE80211_F_SHPREAMBLE;
3055 			ic->ic_flags &= ~IEEE80211_F_USEBARKER;
3056 		} else {
3057 			ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE;
3058 			ic->ic_flags |= IEEE80211_F_USEBARKER;
3059 		}
3060 		ieee80211_set_shortslottime(ic,
3061 			IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
3062 			(ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
3063 		/*
3064 		 * Honor ERP protection.
3065 		 *
3066 		 * NB: ni_erp should zero for non-11g operation.
3067 		 */
3068 		if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
3069 		    (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
3070 			ic->ic_flags |= IEEE80211_F_USEPROT;
3071 		else
3072 			ic->ic_flags &= ~IEEE80211_F_USEPROT;
3073 		IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
3074 		    "[%s] %sassoc success: %s preamble, %s slot time%s%s%s%s\n",
3075 		    ether_sprintf(wh->i_addr2),
3076 		    ISREASSOC(subtype) ? "re" : "",
3077 		    ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long",
3078 		    ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long",
3079 		    ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "",
3080 		    ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "",
3081 		    ni->ni_flags & IEEE80211_NODE_HT ?
3082 			(ni->ni_chw == 20 ? ", HT20" : ", HT40") : "",
3083 		    ni->ni_flags & IEEE80211_NODE_AMPDU ? " (+AMPDU)" : "",
3084 		    IEEE80211_ATH_CAP(ic, ni, IEEE80211_NODE_FF) ?
3085 			", fast-frames" : "",
3086 		    IEEE80211_ATH_CAP(ic, ni, IEEE80211_NODE_TURBOP) ?
3087 			", turbo" : ""
3088 		);
3089 		ieee80211_new_state(ic, IEEE80211_S_RUN, subtype);
3090 		break;
3091 	}
3092 
3093 	case IEEE80211_FC0_SUBTYPE_DEAUTH: {
3094 		uint16_t reason;
3095 
3096 		if (ic->ic_state == IEEE80211_S_SCAN) {
3097 			ic->ic_stats.is_rx_mgtdiscard++;
3098 			return;
3099 		}
3100 		/*
3101 		 * deauth frame format
3102 		 *	[2] reason
3103 		 */
3104 		IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
3105 		reason = le16toh(*(uint16_t *)frm);
3106 		ic->ic_stats.is_rx_deauth++;
3107 		IEEE80211_NODE_STAT(ni, rx_deauth);
3108 
3109 		if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) {
3110 			/* NB: can happen when in promiscuous mode */
3111 			ic->ic_stats.is_rx_mgtdiscard++;
3112 			break;
3113 		}
3114 		IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH,
3115 		    "[%s] recv deauthenticate (reason %d)\n",
3116 		    ether_sprintf(ni->ni_macaddr), reason);
3117 		switch (ic->ic_opmode) {
3118 		case IEEE80211_M_STA:
3119 			ieee80211_new_state(ic, IEEE80211_S_AUTH,
3120 			    (reason << 8) | IEEE80211_FC0_SUBTYPE_DEAUTH);
3121 			break;
3122 		case IEEE80211_M_HOSTAP:
3123 			if (ni != ic->ic_bss)
3124 				ieee80211_node_leave(ic, ni);
3125 			break;
3126 		default:
3127 			ic->ic_stats.is_rx_mgtdiscard++;
3128 			break;
3129 		}
3130 		break;
3131 	}
3132 
3133 	case IEEE80211_FC0_SUBTYPE_DISASSOC: {
3134 		uint16_t reason;
3135 
3136 		if (ic->ic_state != IEEE80211_S_RUN &&
3137 		    ic->ic_state != IEEE80211_S_ASSOC &&
3138 		    ic->ic_state != IEEE80211_S_AUTH) {
3139 			ic->ic_stats.is_rx_mgtdiscard++;
3140 			return;
3141 		}
3142 		/*
3143 		 * disassoc frame format
3144 		 *	[2] reason
3145 		 */
3146 		IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
3147 		reason = le16toh(*(uint16_t *)frm);
3148 		ic->ic_stats.is_rx_disassoc++;
3149 		IEEE80211_NODE_STAT(ni, rx_disassoc);
3150 
3151 		if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) {
3152 			/* NB: can happen when in promiscuous mode */
3153 			ic->ic_stats.is_rx_mgtdiscard++;
3154 			break;
3155 		}
3156 		IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
3157 		    "[%s] recv disassociate (reason %d)\n",
3158 		    ether_sprintf(ni->ni_macaddr), reason);
3159 		switch (ic->ic_opmode) {
3160 		case IEEE80211_M_STA:
3161 			ieee80211_new_state(ic, IEEE80211_S_ASSOC, 0);
3162 			break;
3163 		case IEEE80211_M_HOSTAP:
3164 			if (ni != ic->ic_bss)
3165 				ieee80211_node_leave(ic, ni);
3166 			break;
3167 		default:
3168 			ic->ic_stats.is_rx_mgtdiscard++;
3169 			break;
3170 		}
3171 		break;
3172 	}
3173 
3174 	case IEEE80211_FC0_SUBTYPE_ACTION: {
3175 		const struct ieee80211_action *ia;
3176 
3177 		if (ic->ic_state != IEEE80211_S_RUN &&
3178 		    ic->ic_state != IEEE80211_S_ASSOC &&
3179 		    ic->ic_state != IEEE80211_S_AUTH) {
3180 			ic->ic_stats.is_rx_mgtdiscard++;
3181 			return;
3182 		}
3183 		/*
3184 		 * action frame format:
3185 		 *	[1] category
3186 		 *	[1] action
3187 		 *	[tlv] parameters
3188 		 */
3189 		IEEE80211_VERIFY_LENGTH(efrm - frm,
3190 			sizeof(struct ieee80211_action), return);
3191 		ia = (const struct ieee80211_action *) frm;
3192 
3193 		ic->ic_stats.is_rx_action++;
3194 		IEEE80211_NODE_STAT(ni, rx_action);
3195 
3196 		/* verify frame payloads but defer processing */
3197 		/* XXX maybe push this to method */
3198 		switch (ia->ia_category) {
3199 		case IEEE80211_ACTION_CAT_BA:
3200 			switch (ia->ia_action) {
3201 			case IEEE80211_ACTION_BA_ADDBA_REQUEST:
3202 				IEEE80211_VERIFY_LENGTH(efrm - frm,
3203 				    sizeof(struct ieee80211_action_ba_addbarequest),
3204 				    return);
3205 				break;
3206 			case IEEE80211_ACTION_BA_ADDBA_RESPONSE:
3207 				IEEE80211_VERIFY_LENGTH(efrm - frm,
3208 				    sizeof(struct ieee80211_action_ba_addbaresponse),
3209 				    return);
3210 				break;
3211 			case IEEE80211_ACTION_BA_DELBA:
3212 				IEEE80211_VERIFY_LENGTH(efrm - frm,
3213 				    sizeof(struct ieee80211_action_ba_delba),
3214 				    return);
3215 				break;
3216 			}
3217 			break;
3218 		case IEEE80211_ACTION_CAT_HT:
3219 			switch (ia->ia_action) {
3220 			case IEEE80211_ACTION_HT_TXCHWIDTH:
3221 				IEEE80211_VERIFY_LENGTH(efrm - frm,
3222 				    sizeof(struct ieee80211_action_ht_txchwidth),
3223 				    return);
3224 				break;
3225 			}
3226 			break;
3227 		}
3228 		ic->ic_recv_action(ni, frm, efrm);
3229 		break;
3230 	}
3231 
3232 	default:
3233 		IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
3234 		     wh, "mgt", "subtype 0x%x not handled", subtype);
3235 		ic->ic_stats.is_rx_badsubtype++;
3236 		break;
3237 	}
3238 #undef ISREASSOC
3239 #undef ISPROBE
3240 }
3241 #undef IEEE80211_VERIFY_LENGTH
3242 #undef IEEE80211_VERIFY_ELEMENT
3243 
3244 /*
3245  * Process a received ps-poll frame.
3246  */
3247 static void
3248 ieee80211_recv_pspoll(struct ieee80211com *ic,
3249 	struct ieee80211_node *ni, struct mbuf *m0)
3250 {
3251 	struct ieee80211_frame_min *wh;
3252 	struct mbuf *m;
3253 	uint16_t aid;
3254 	int qlen;
3255 
3256 	wh = mtod(m0, struct ieee80211_frame_min *);
3257 	if (ni->ni_associd == 0) {
3258 		IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
3259 		    (struct ieee80211_frame *) wh, "ps-poll",
3260 		    "%s", "unassociated station");
3261 		ic->ic_stats.is_ps_unassoc++;
3262 		IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
3263 			IEEE80211_REASON_NOT_ASSOCED);
3264 		return;
3265 	}
3266 
3267 	aid = le16toh(*(uint16_t *)wh->i_dur);
3268 	if (aid != ni->ni_associd) {
3269 		IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
3270 		    (struct ieee80211_frame *) wh, "ps-poll",
3271 		    "aid mismatch: sta aid 0x%x poll aid 0x%x",
3272 		    ni->ni_associd, aid);
3273 		ic->ic_stats.is_ps_badaid++;
3274 		IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
3275 			IEEE80211_REASON_NOT_ASSOCED);
3276 		return;
3277 	}
3278 
3279 	/* Okay, take the first queued packet and put it out... */
3280 	IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen);
3281 	if (m == NULL) {
3282 		IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
3283 		    "[%s] recv ps-poll, but queue empty\n",
3284 		    ether_sprintf(wh->i_addr2));
3285 		ieee80211_send_nulldata(ieee80211_ref_node(ni));
3286 		ic->ic_stats.is_ps_qempty++;	/* XXX node stat */
3287 		if (ic->ic_set_tim != NULL)
3288 			ic->ic_set_tim(ni, 0);	/* just in case */
3289 		return;
3290 	}
3291 	/*
3292 	 * If there are more packets, set the more packets bit
3293 	 * in the packet dispatched to the station; otherwise
3294 	 * turn off the TIM bit.
3295 	 */
3296 	if (qlen != 0) {
3297 		IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
3298 		    "[%s] recv ps-poll, send packet, %u still queued\n",
3299 		    ether_sprintf(ni->ni_macaddr), qlen);
3300 		m->m_flags |= M_MORE_DATA;
3301 	} else {
3302 		IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
3303 		    "[%s] recv ps-poll, send packet, queue empty\n",
3304 		    ether_sprintf(ni->ni_macaddr));
3305 		if (ic->ic_set_tim != NULL)
3306 			ic->ic_set_tim(ni, 0);
3307 	}
3308 	m->m_flags |= M_PWR_SAV;		/* bypass PS handling */
3309 	IF_ENQUEUE(&ic->ic_ifp->if_snd, m);
3310 }
3311 
3312 #ifdef IEEE80211_DEBUG
3313 /*
3314  * Debugging support.
3315  */
3316 
3317 /*
3318  * Return the bssid of a frame.
3319  */
3320 static const uint8_t *
3321 ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh)
3322 {
3323 	if (ic->ic_opmode == IEEE80211_M_STA)
3324 		return wh->i_addr2;
3325 	if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS)
3326 		return wh->i_addr1;
3327 	if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL)
3328 		return wh->i_addr1;
3329 	return wh->i_addr3;
3330 }
3331 
3332 void
3333 ieee80211_note(struct ieee80211com *ic, const char *fmt, ...)
3334 {
3335 	char buf[128];		/* XXX */
3336 	va_list ap;
3337 
3338 	va_start(ap, fmt);
3339 	vsnprintf(buf, sizeof(buf), fmt, ap);
3340 	va_end(ap);
3341 
3342 	if_printf(ic->ic_ifp, "%s", buf);	/* NB: no \n */
3343 }
3344 
3345 void
3346 ieee80211_note_frame(struct ieee80211com *ic,
3347 	const struct ieee80211_frame *wh,
3348 	const char *fmt, ...)
3349 {
3350 	char buf[128];		/* XXX */
3351 	va_list ap;
3352 
3353 	va_start(ap, fmt);
3354 	vsnprintf(buf, sizeof(buf), fmt, ap);
3355 	va_end(ap);
3356 	if_printf(ic->ic_ifp, "[%s] %s\n",
3357 		ether_sprintf(ieee80211_getbssid(ic, wh)), buf);
3358 }
3359 
3360 void
3361 ieee80211_note_mac(struct ieee80211com *ic,
3362 	const uint8_t mac[IEEE80211_ADDR_LEN],
3363 	const char *fmt, ...)
3364 {
3365 	char buf[128];		/* XXX */
3366 	va_list ap;
3367 
3368 	va_start(ap, fmt);
3369 	vsnprintf(buf, sizeof(buf), fmt, ap);
3370 	va_end(ap);
3371 	if_printf(ic->ic_ifp, "[%s] %s\n", ether_sprintf(mac), buf);
3372 }
3373 
3374 void
3375 ieee80211_discard_frame(struct ieee80211com *ic,
3376 	const struct ieee80211_frame *wh,
3377 	const char *type, const char *fmt, ...)
3378 {
3379 	va_list ap;
3380 
3381 	printf("[%s:%s] discard ", ic->ic_ifp->if_xname,
3382 		ether_sprintf(ieee80211_getbssid(ic, wh)));
3383 	if (type != NULL)
3384 		printf("%s frame, ", type);
3385 	else
3386 		printf("frame, ");
3387 	va_start(ap, fmt);
3388 	vprintf(fmt, ap);
3389 	va_end(ap);
3390 	printf("\n");
3391 }
3392 
3393 void
3394 ieee80211_discard_ie(struct ieee80211com *ic,
3395 	const struct ieee80211_frame *wh,
3396 	const char *type, const char *fmt, ...)
3397 {
3398 	va_list ap;
3399 
3400 	printf("[%s:%s] discard ", ic->ic_ifp->if_xname,
3401 		ether_sprintf(ieee80211_getbssid(ic, wh)));
3402 	if (type != NULL)
3403 		printf("%s information element, ", type);
3404 	else
3405 		printf("information element, ");
3406 	va_start(ap, fmt);
3407 	vprintf(fmt, ap);
3408 	va_end(ap);
3409 	printf("\n");
3410 }
3411 
3412 void
3413 ieee80211_discard_mac(struct ieee80211com *ic,
3414 	const uint8_t mac[IEEE80211_ADDR_LEN],
3415 	const char *type, const char *fmt, ...)
3416 {
3417 	va_list ap;
3418 
3419 	printf("[%s:%s] discard ", ic->ic_ifp->if_xname, ether_sprintf(mac));
3420 	if (type != NULL)
3421 		printf("%s frame, ", type);
3422 	else
3423 		printf("frame, ");
3424 	va_start(ap, fmt);
3425 	vprintf(fmt, ap);
3426 	va_end(ap);
3427 	printf("\n");
3428 }
3429 #endif /* IEEE80211_DEBUG */
3430