1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright 2002-2005, Instant802 Networks, Inc. 4 * Copyright 2005-2006, Devicescape Software, Inc. 5 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> 6 * Copyright 2007 Johannes Berg <johannes@sipsolutions.net> 7 * Copyright 2013-2014 Intel Mobile Communications GmbH 8 * Copyright (C) 2015-2017 Intel Deutschland GmbH 9 * Copyright (C) 2018-2026 Intel Corporation 10 * 11 * element parsing for mac80211 12 */ 13 14 #include <net/mac80211.h> 15 #include <linux/netdevice.h> 16 #include <linux/export.h> 17 #include <linux/types.h> 18 #include <linux/slab.h> 19 #include <linux/skbuff.h> 20 #include <linux/etherdevice.h> 21 #include <linux/if_arp.h> 22 #include <linux/bitmap.h> 23 #include <linux/crc32.h> 24 #include <net/net_namespace.h> 25 #include <net/cfg80211.h> 26 #include <net/rtnetlink.h> 27 #include <kunit/visibility.h> 28 29 #include "ieee80211_i.h" 30 #include "driver-ops.h" 31 #include "rate.h" 32 #include "mesh.h" 33 #include "wme.h" 34 #include "led.h" 35 #include "wep.h" 36 37 static const u8 empty_non_inheritance[] = { 38 WLAN_EID_EXTENSION, 1, WLAN_EID_EXT_NON_INHERITANCE, 39 /* 40 * cfg80211_is_element_inherited() hardcodes elements that 41 * cannot be inherited, so we just need an empty one to be 42 * calling it at all. 43 */ 44 }; 45 46 struct ieee80211_elem_defrag { 47 const struct element *elem; 48 /* container start/len */ 49 const u8 *start; 50 size_t len; 51 }; 52 53 struct ieee80211_elems_parse { 54 /* must be first for kfree to work */ 55 struct ieee802_11_elems elems; 56 57 /* The basic Multi-Link element in the original elements */ 58 const struct element *ml_basic_elem; 59 60 struct ieee80211_elem_defrag ml_reconf, ml_epcs; 61 62 bool multi_link_inner; 63 bool skip_vendor; 64 65 /* 66 * scratch buffer that can be used for various element parsing related 67 * tasks, e.g., element de-fragmentation etc. 68 */ 69 size_t scratch_len; 70 u8 *scratch_pos; 71 u8 scratch[] __counted_by(scratch_len); 72 }; 73 74 static void 75 ieee80211_parse_extension_element(u32 *crc, 76 const struct element *elem, 77 struct ieee80211_elems_parse *elems_parse, 78 struct ieee80211_elems_parse_params *params) 79 { 80 struct ieee802_11_elems *elems = &elems_parse->elems; 81 const void *data = elem->data + 1; 82 bool calc_crc = false; 83 u8 len; 84 85 if (!elem->datalen) 86 return; 87 88 len = elem->datalen - 1; 89 90 switch (elem->data[0]) { 91 case WLAN_EID_EXT_HE_MU_EDCA: 92 if (params->mode < IEEE80211_CONN_MODE_HE) 93 break; 94 calc_crc = true; 95 if (len >= sizeof(*elems->mu_edca_param_set)) 96 elems->mu_edca_param_set = data; 97 break; 98 case WLAN_EID_EXT_HE_CAPABILITY: 99 if (params->mode < IEEE80211_CONN_MODE_HE) 100 break; 101 if (ieee80211_he_capa_size_ok(data, len)) { 102 elems->he_cap = data; 103 elems->he_cap_len = len; 104 } 105 break; 106 case WLAN_EID_EXT_HE_OPERATION: 107 if (params->mode < IEEE80211_CONN_MODE_HE) 108 break; 109 calc_crc = true; 110 if (len >= sizeof(*elems->he_operation) && 111 len >= ieee80211_he_oper_size(data) - 1) 112 elems->he_operation = data; 113 break; 114 case WLAN_EID_EXT_UORA: 115 if (params->mode < IEEE80211_CONN_MODE_HE) 116 break; 117 if (len >= 1) 118 elems->uora_element = data; 119 break; 120 case WLAN_EID_EXT_MAX_CHANNEL_SWITCH_TIME: 121 if (len == 3) 122 elems->max_channel_switch_time = data; 123 break; 124 case WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION: 125 if (len >= sizeof(*elems->mbssid_config_ie)) 126 elems->mbssid_config_ie = data; 127 break; 128 case WLAN_EID_EXT_HE_SPR: 129 if (params->mode < IEEE80211_CONN_MODE_HE) 130 break; 131 if (len >= sizeof(*elems->he_spr) && 132 len >= ieee80211_he_spr_size(data) - 1) 133 elems->he_spr = data; 134 break; 135 case WLAN_EID_EXT_HE_6GHZ_CAPA: 136 if (params->mode < IEEE80211_CONN_MODE_HE) 137 break; 138 if (len >= sizeof(*elems->he_6ghz_capa)) 139 elems->he_6ghz_capa = data; 140 break; 141 case WLAN_EID_EXT_EHT_CAPABILITY: 142 if (params->mode < IEEE80211_CONN_MODE_EHT) 143 break; 144 if (ieee80211_eht_capa_size_ok(elems->he_cap, 145 data, len, 146 params->from_ap)) { 147 elems->eht_cap = data; 148 elems->eht_cap_len = len; 149 } 150 break; 151 case WLAN_EID_EXT_EHT_OPERATION: 152 if (params->mode < IEEE80211_CONN_MODE_EHT) 153 break; 154 if (ieee80211_eht_oper_size_ok(data, len)) 155 elems->eht_operation = data; 156 calc_crc = true; 157 break; 158 case WLAN_EID_EXT_EHT_MULTI_LINK: 159 if (params->mode < IEEE80211_CONN_MODE_EHT) 160 break; 161 calc_crc = true; 162 163 if (ieee80211_mle_size_ok(data, len)) { 164 const struct ieee80211_multi_link_elem *mle = 165 (void *)data; 166 167 switch (le16_get_bits(mle->control, 168 IEEE80211_ML_CONTROL_TYPE)) { 169 case IEEE80211_ML_CONTROL_TYPE_BASIC: 170 if (elems_parse->multi_link_inner) { 171 elems->parse_error |= 172 IEEE80211_PARSE_ERR_DUP_NEST_ML_BASIC; 173 break; 174 } 175 break; 176 case IEEE80211_ML_CONTROL_TYPE_RECONF: 177 elems_parse->ml_reconf.elem = elem; 178 elems_parse->ml_reconf.start = params->start; 179 elems_parse->ml_reconf.len = params->len; 180 break; 181 case IEEE80211_ML_CONTROL_TYPE_PRIO_ACCESS: 182 elems_parse->ml_epcs.elem = elem; 183 elems_parse->ml_epcs.start = params->start; 184 elems_parse->ml_epcs.len = params->len; 185 break; 186 default: 187 break; 188 } 189 } 190 break; 191 case WLAN_EID_EXT_BANDWIDTH_INDICATION: 192 if (params->mode < IEEE80211_CONN_MODE_EHT) 193 break; 194 if (ieee80211_bandwidth_indication_size_ok(data, len)) 195 elems->bandwidth_indication = data; 196 calc_crc = true; 197 break; 198 case WLAN_EID_EXT_TID_TO_LINK_MAPPING: 199 if (params->mode < IEEE80211_CONN_MODE_EHT) 200 break; 201 calc_crc = true; 202 if (ieee80211_tid_to_link_map_size_ok(data, len) && 203 elems->ttlm_num < ARRAY_SIZE(elems->ttlm)) { 204 elems->ttlm[elems->ttlm_num] = (void *)data; 205 elems->ttlm_num++; 206 } 207 break; 208 case WLAN_EID_EXT_UHR_OPER: 209 if (params->mode < IEEE80211_CONN_MODE_UHR) 210 break; 211 calc_crc = true; 212 if (ieee80211_uhr_oper_size_ok(data, len, 213 params->type == (IEEE80211_FTYPE_MGMT | 214 IEEE80211_STYPE_BEACON))) { 215 elems->uhr_operation = data; 216 elems->uhr_operation_len = len; 217 } 218 break; 219 case WLAN_EID_EXT_UHR_CAPA: 220 if (params->mode < IEEE80211_CONN_MODE_UHR) 221 break; 222 calc_crc = true; 223 if (ieee80211_uhr_capa_size_ok(data, len, true)) { 224 elems->uhr_cap = data; 225 elems->uhr_cap_len = len; 226 } 227 break; 228 } 229 230 if (crc && calc_crc) 231 *crc = crc32_be(*crc, (void *)elem, elem->datalen + 2); 232 } 233 234 static void ieee80211_parse_tpe(struct ieee80211_parsed_tpe *tpe, 235 const u8 *data, u8 len) 236 { 237 const struct ieee80211_tx_pwr_env *env = (const void *)data; 238 u8 count, interpret, category; 239 u8 *out, N, *cnt_out = NULL, *N_out = NULL; 240 241 if (!ieee80211_valid_tpe_element(data, len)) 242 return; 243 244 count = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_COUNT); 245 interpret = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_INTERPRET); 246 category = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_CATEGORY); 247 248 switch (interpret) { 249 case IEEE80211_TPE_LOCAL_EIRP: 250 out = tpe->max_local[category].power; 251 cnt_out = &tpe->max_local[category].count; 252 tpe->max_local[category].valid = true; 253 break; 254 case IEEE80211_TPE_REG_CLIENT_EIRP: 255 out = tpe->max_reg_client[category].power; 256 cnt_out = &tpe->max_reg_client[category].count; 257 tpe->max_reg_client[category].valid = true; 258 break; 259 case IEEE80211_TPE_LOCAL_EIRP_PSD: 260 out = tpe->psd_local[category].power; 261 cnt_out = &tpe->psd_local[category].count; 262 N_out = &tpe->psd_local[category].n; 263 tpe->psd_local[category].valid = true; 264 break; 265 case IEEE80211_TPE_REG_CLIENT_EIRP_PSD: 266 out = tpe->psd_reg_client[category].power; 267 cnt_out = &tpe->psd_reg_client[category].count; 268 N_out = &tpe->psd_reg_client[category].n; 269 tpe->psd_reg_client[category].valid = true; 270 break; 271 } 272 273 switch (interpret) { 274 case IEEE80211_TPE_LOCAL_EIRP: 275 case IEEE80211_TPE_REG_CLIENT_EIRP: 276 /* count was validated <= 3, plus 320 MHz */ 277 BUILD_BUG_ON(IEEE80211_TPE_EIRP_ENTRIES_320MHZ < 5); 278 memcpy(out, env->variable, count + 1); 279 *cnt_out = count + 1; 280 /* separately take 320 MHz if present */ 281 if (count == 3 && len > sizeof(*env) + count + 1) { 282 out[4] = env->variable[4]; 283 *cnt_out = 5; 284 } 285 break; 286 case IEEE80211_TPE_LOCAL_EIRP_PSD: 287 case IEEE80211_TPE_REG_CLIENT_EIRP_PSD: 288 if (!count) { 289 memset(out, env->variable[0], 290 IEEE80211_TPE_PSD_ENTRIES_320MHZ); 291 *cnt_out = IEEE80211_TPE_PSD_ENTRIES_320MHZ; 292 break; 293 } 294 295 N = 1 << (count - 1); 296 memcpy(out, env->variable, N); 297 *cnt_out = N; 298 *N_out = N; 299 300 if (len > sizeof(*env) + N) { 301 int K = u8_get_bits(env->variable[N], 302 IEEE80211_TX_PWR_ENV_EXT_COUNT); 303 304 K = min(K, IEEE80211_TPE_PSD_ENTRIES_320MHZ - N); 305 memcpy(out + N, env->variable + N + 1, K); 306 (*cnt_out) += K; 307 } 308 break; 309 } 310 } 311 312 static u32 313 _ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params, 314 struct ieee80211_elems_parse *elems_parse, 315 const struct element *check_inherit) 316 { 317 struct ieee802_11_elems *elems = &elems_parse->elems; 318 const struct element *elem; 319 bool calc_crc = params->filter != 0; 320 DECLARE_BITMAP(seen_elems, 256); 321 u32 crc = params->crc; 322 323 bitmap_zero(seen_elems, 256); 324 325 switch (params->type) { 326 /* we don't need to parse assoc request, luckily (it's value 0) */ 327 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ASSOC_REQ: 328 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_REASSOC_REQ: 329 default: 330 WARN(1, "invalid frame type 0x%x for element parsing\n", 331 params->type); 332 break; 333 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ASSOC_RESP: 334 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_REASSOC_RESP: 335 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_PROBE_REQ: 336 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_PROBE_RESP: 337 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_BEACON: 338 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION: 339 case IEEE80211_FTYPE_EXT | IEEE80211_STYPE_S1G_BEACON: 340 break; 341 } 342 343 for_each_element(elem, params->start, params->len) { 344 const struct element *subelem; 345 u8 elem_parse_failed; 346 u8 id = elem->id; 347 u8 elen = elem->datalen; 348 const u8 *pos = elem->data; 349 350 if (check_inherit && 351 !cfg80211_is_element_inherited(elem, 352 check_inherit)) 353 continue; 354 355 switch (id) { 356 case WLAN_EID_SSID: 357 case WLAN_EID_SUPP_RATES: 358 case WLAN_EID_FH_PARAMS: 359 case WLAN_EID_DS_PARAMS: 360 case WLAN_EID_CF_PARAMS: 361 case WLAN_EID_TIM: 362 case WLAN_EID_IBSS_PARAMS: 363 case WLAN_EID_CHALLENGE: 364 case WLAN_EID_RSN: 365 case WLAN_EID_ERP_INFO: 366 case WLAN_EID_EXT_SUPP_RATES: 367 case WLAN_EID_HT_CAPABILITY: 368 case WLAN_EID_HT_OPERATION: 369 case WLAN_EID_VHT_CAPABILITY: 370 case WLAN_EID_VHT_OPERATION: 371 case WLAN_EID_MESH_ID: 372 case WLAN_EID_MESH_CONFIG: 373 case WLAN_EID_PEER_MGMT: 374 case WLAN_EID_PREQ: 375 case WLAN_EID_PREP: 376 case WLAN_EID_PERR: 377 case WLAN_EID_RANN: 378 case WLAN_EID_CHANNEL_SWITCH: 379 case WLAN_EID_EXT_CHANSWITCH_ANN: 380 case WLAN_EID_COUNTRY: 381 case WLAN_EID_PWR_CONSTRAINT: 382 case WLAN_EID_TIMEOUT_INTERVAL: 383 case WLAN_EID_SECONDARY_CHANNEL_OFFSET: 384 case WLAN_EID_WIDE_BW_CHANNEL_SWITCH: 385 case WLAN_EID_CHAN_SWITCH_PARAM: 386 case WLAN_EID_EXT_CAPABILITY: 387 case WLAN_EID_CHAN_SWITCH_TIMING: 388 case WLAN_EID_LINK_ID: 389 case WLAN_EID_BSS_MAX_IDLE_PERIOD: 390 case WLAN_EID_RSNX: 391 case WLAN_EID_S1G_BCN_COMPAT: 392 case WLAN_EID_S1G_CAPABILITIES: 393 case WLAN_EID_S1G_OPERATION: 394 case WLAN_EID_AID_RESPONSE: 395 case WLAN_EID_S1G_SHORT_BCN_INTERVAL: 396 /* 397 * not listing WLAN_EID_CHANNEL_SWITCH_WRAPPER -- it seems possible 398 * that if the content gets bigger it might be needed more than once 399 */ 400 if (test_bit(id, seen_elems)) { 401 elems->parse_error |= 402 IEEE80211_PARSE_ERR_DUP_ELEM; 403 continue; 404 } 405 break; 406 } 407 408 if (calc_crc && id < 64 && (params->filter & (1ULL << id))) 409 crc = crc32_be(crc, pos - 2, elen + 2); 410 411 elem_parse_failed = 0; 412 413 switch (id) { 414 case WLAN_EID_LINK_ID: 415 if (elen + 2 < sizeof(struct ieee80211_tdls_lnkie)) { 416 elem_parse_failed = 417 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 418 break; 419 } 420 elems->lnk_id = (void *)(pos - 2); 421 break; 422 case WLAN_EID_CHAN_SWITCH_TIMING: 423 if (elen < sizeof(struct ieee80211_ch_switch_timing)) { 424 elem_parse_failed = 425 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 426 break; 427 } 428 elems->ch_sw_timing = (void *)pos; 429 break; 430 case WLAN_EID_EXT_CAPABILITY: 431 elems->ext_capab = pos; 432 elems->ext_capab_len = elen; 433 break; 434 case WLAN_EID_SSID: 435 elems->ssid = pos; 436 elems->ssid_len = elen; 437 break; 438 case WLAN_EID_SUPP_RATES: 439 elems->supp_rates = pos; 440 elems->supp_rates_len = elen; 441 break; 442 case WLAN_EID_DS_PARAMS: 443 if (elen >= 1) 444 elems->ds_params = pos; 445 else 446 elem_parse_failed = 447 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 448 break; 449 case WLAN_EID_TIM: 450 if (elen >= sizeof(struct ieee80211_tim_ie)) { 451 elems->tim = (void *)pos; 452 elems->tim_len = elen; 453 } else 454 elem_parse_failed = 455 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 456 break; 457 case WLAN_EID_VENDOR_SPECIFIC: 458 if (elems_parse->skip_vendor) 459 break; 460 461 if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 && 462 pos[2] == 0xf2) { 463 /* Microsoft OUI (00:50:F2) */ 464 465 if (calc_crc) 466 crc = crc32_be(crc, pos - 2, elen + 2); 467 468 if (elen >= 5 && pos[3] == 2) { 469 /* OUI Type 2 - WMM IE */ 470 if (pos[4] == 0) { 471 elems->wmm_info = pos; 472 elems->wmm_info_len = elen; 473 } else if (pos[4] == 1) { 474 elems->wmm_param = pos; 475 elems->wmm_param_len = elen; 476 } 477 } 478 } 479 break; 480 case WLAN_EID_RSN: 481 elems->rsn = pos; 482 elems->rsn_len = elen; 483 break; 484 case WLAN_EID_ERP_INFO: 485 if (elen >= 1) 486 elems->erp_info = pos; 487 else 488 elem_parse_failed = 489 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 490 break; 491 case WLAN_EID_EXT_SUPP_RATES: 492 elems->ext_supp_rates = pos; 493 elems->ext_supp_rates_len = elen; 494 break; 495 case WLAN_EID_HT_CAPABILITY: 496 if (params->mode < IEEE80211_CONN_MODE_HT) 497 break; 498 if (elen >= sizeof(struct ieee80211_ht_cap)) 499 elems->ht_cap_elem = (void *)pos; 500 else 501 elem_parse_failed = 502 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 503 break; 504 case WLAN_EID_HT_OPERATION: 505 if (params->mode < IEEE80211_CONN_MODE_HT) 506 break; 507 if (elen >= sizeof(struct ieee80211_ht_operation)) 508 elems->ht_operation = (void *)pos; 509 else 510 elem_parse_failed = 511 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 512 break; 513 case WLAN_EID_VHT_CAPABILITY: 514 if (params->mode < IEEE80211_CONN_MODE_VHT) 515 break; 516 if (elen >= sizeof(struct ieee80211_vht_cap)) 517 elems->vht_cap_elem = (void *)pos; 518 else 519 elem_parse_failed = 520 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 521 break; 522 case WLAN_EID_VHT_OPERATION: 523 if (params->mode < IEEE80211_CONN_MODE_VHT) 524 break; 525 if (elen >= sizeof(struct ieee80211_vht_operation)) { 526 elems->vht_operation = (void *)pos; 527 if (calc_crc) 528 crc = crc32_be(crc, pos - 2, elen + 2); 529 break; 530 } 531 elem_parse_failed = 532 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 533 break; 534 case WLAN_EID_OPMODE_NOTIF: 535 if (params->mode < IEEE80211_CONN_MODE_VHT) 536 break; 537 if (elen > 0) { 538 elems->opmode_notif = pos; 539 if (calc_crc) 540 crc = crc32_be(crc, pos - 2, elen + 2); 541 break; 542 } 543 elem_parse_failed = 544 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 545 break; 546 case WLAN_EID_MESH_ID: 547 elems->mesh_id = pos; 548 elems->mesh_id_len = elen; 549 break; 550 case WLAN_EID_MESH_CONFIG: 551 if (elen >= sizeof(struct ieee80211_meshconf_ie)) 552 elems->mesh_config = (void *)pos; 553 else 554 elem_parse_failed = 555 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 556 break; 557 case WLAN_EID_PEER_MGMT: 558 elems->peering = pos; 559 elems->peering_len = elen; 560 break; 561 case WLAN_EID_MESH_AWAKE_WINDOW: 562 if (elen >= 2) 563 elems->awake_window = (void *)pos; 564 break; 565 case WLAN_EID_PREQ: 566 elems->preq = pos; 567 elems->preq_len = elen; 568 break; 569 case WLAN_EID_PREP: 570 elems->prep = pos; 571 elems->prep_len = elen; 572 break; 573 case WLAN_EID_PERR: 574 elems->perr = pos; 575 elems->perr_len = elen; 576 break; 577 case WLAN_EID_RANN: 578 if (elen >= sizeof(struct ieee80211_rann_ie)) 579 elems->rann = (void *)pos; 580 else 581 elem_parse_failed = 582 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 583 break; 584 case WLAN_EID_CHANNEL_SWITCH: 585 if (elen != sizeof(struct ieee80211_channel_sw_ie)) { 586 elem_parse_failed = 587 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 588 break; 589 } 590 elems->ch_switch_ie = (void *)pos; 591 break; 592 case WLAN_EID_EXT_CHANSWITCH_ANN: 593 if (elen != sizeof(struct ieee80211_ext_chansw_ie)) { 594 elem_parse_failed = 595 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 596 break; 597 } 598 elems->ext_chansw_ie = (void *)pos; 599 break; 600 case WLAN_EID_SECONDARY_CHANNEL_OFFSET: 601 if (params->mode < IEEE80211_CONN_MODE_HT) 602 break; 603 if (elen != sizeof(struct ieee80211_sec_chan_offs_ie)) { 604 elem_parse_failed = 605 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 606 break; 607 } 608 elems->sec_chan_offs = (void *)pos; 609 break; 610 case WLAN_EID_CHAN_SWITCH_PARAM: 611 if (elen < 612 sizeof(*elems->mesh_chansw_params_ie)) { 613 elem_parse_failed = 614 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 615 break; 616 } 617 elems->mesh_chansw_params_ie = (void *)pos; 618 break; 619 case WLAN_EID_WIDE_BW_CHANNEL_SWITCH: 620 if (params->mode < IEEE80211_CONN_MODE_VHT) 621 break; 622 623 if (params->type != (IEEE80211_FTYPE_MGMT | 624 IEEE80211_STYPE_ACTION)) { 625 elem_parse_failed = 626 IEEE80211_PARSE_ERR_UNEXPECTED_ELEM; 627 break; 628 } 629 630 if (elen < sizeof(*elems->wide_bw_chansw_ie)) { 631 elem_parse_failed = 632 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 633 break; 634 } 635 elems->wide_bw_chansw_ie = (void *)pos; 636 break; 637 case WLAN_EID_CHANNEL_SWITCH_WRAPPER: 638 if (params->mode < IEEE80211_CONN_MODE_VHT) 639 break; 640 if (params->type == (IEEE80211_FTYPE_MGMT | 641 IEEE80211_STYPE_ACTION)) { 642 elem_parse_failed = 643 IEEE80211_PARSE_ERR_UNEXPECTED_ELEM; 644 break; 645 } 646 /* 647 * This is a bit tricky, but as we only care about 648 * a few elements, parse them out manually. 649 */ 650 subelem = cfg80211_find_elem(WLAN_EID_WIDE_BW_CHANNEL_SWITCH, 651 pos, elen); 652 if (subelem) { 653 if (subelem->datalen >= sizeof(*elems->wide_bw_chansw_ie)) 654 elems->wide_bw_chansw_ie = 655 (void *)subelem->data; 656 else 657 elem_parse_failed = 658 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 659 } 660 661 if (params->mode < IEEE80211_CONN_MODE_EHT) 662 break; 663 664 subelem = cfg80211_find_ext_elem(WLAN_EID_EXT_BANDWIDTH_INDICATION, 665 pos, elen); 666 if (subelem) { 667 const void *edata = subelem->data + 1; 668 u8 edatalen = subelem->datalen - 1; 669 670 if (ieee80211_bandwidth_indication_size_ok(edata, 671 edatalen)) 672 elems->bandwidth_indication = edata; 673 else 674 elem_parse_failed = 675 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 676 } 677 678 subelem = cfg80211_find_ext_elem(WLAN_EID_TX_POWER_ENVELOPE, 679 pos, elen); 680 if (subelem) 681 ieee80211_parse_tpe(&elems->csa_tpe, 682 subelem->data + 1, 683 subelem->datalen - 1); 684 break; 685 case WLAN_EID_COUNTRY: 686 elems->country_elem = pos; 687 elems->country_elem_len = elen; 688 break; 689 case WLAN_EID_PWR_CONSTRAINT: 690 if (elen != 1) { 691 elem_parse_failed = 692 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 693 break; 694 } 695 elems->pwr_constr_elem = pos; 696 break; 697 case WLAN_EID_CISCO_VENDOR_SPECIFIC: 698 /* Lots of different options exist, but we only care 699 * about the Dynamic Transmit Power Control element. 700 * First check for the Cisco OUI, then for the DTPC 701 * tag (0x00). 702 */ 703 if (elen < 4) { 704 elem_parse_failed = 705 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 706 break; 707 } 708 709 if (pos[0] != 0x00 || pos[1] != 0x40 || 710 pos[2] != 0x96 || pos[3] != 0x00) 711 break; 712 713 if (elen != 6) { 714 elem_parse_failed = 715 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 716 break; 717 } 718 719 if (calc_crc) 720 crc = crc32_be(crc, pos - 2, elen + 2); 721 722 elems->cisco_dtpc_elem = pos; 723 break; 724 case WLAN_EID_ADDBA_EXT: 725 if (elen < sizeof(struct ieee80211_addba_ext_ie)) { 726 elem_parse_failed = 727 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 728 break; 729 } 730 elems->addba_ext_ie = (void *)pos; 731 break; 732 case WLAN_EID_TIMEOUT_INTERVAL: 733 if (elen >= sizeof(struct ieee80211_timeout_interval_ie)) 734 elems->timeout_int = (void *)pos; 735 else 736 elem_parse_failed = 737 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 738 break; 739 case WLAN_EID_BSS_MAX_IDLE_PERIOD: 740 if (elen >= sizeof(*elems->max_idle_period_ie)) 741 elems->max_idle_period_ie = (void *)pos; 742 break; 743 case WLAN_EID_RSNX: 744 elems->rsnx = pos; 745 elems->rsnx_len = elen; 746 break; 747 case WLAN_EID_TX_POWER_ENVELOPE: 748 if (params->mode < IEEE80211_CONN_MODE_HE) 749 break; 750 ieee80211_parse_tpe(&elems->tpe, pos, elen); 751 break; 752 case WLAN_EID_EXTENSION: 753 ieee80211_parse_extension_element(calc_crc ? 754 &crc : NULL, 755 elem, elems_parse, 756 params); 757 break; 758 case WLAN_EID_S1G_CAPABILITIES: 759 if (params->mode != IEEE80211_CONN_MODE_S1G) 760 break; 761 if (elen >= sizeof(*elems->s1g_capab)) 762 elems->s1g_capab = (void *)pos; 763 else 764 elem_parse_failed = 765 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 766 break; 767 case WLAN_EID_S1G_OPERATION: 768 if (params->mode != IEEE80211_CONN_MODE_S1G) 769 break; 770 if (elen == sizeof(*elems->s1g_oper)) 771 elems->s1g_oper = (void *)pos; 772 else 773 elem_parse_failed = 774 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 775 break; 776 case WLAN_EID_S1G_BCN_COMPAT: 777 if (params->mode != IEEE80211_CONN_MODE_S1G) 778 break; 779 if (elen == sizeof(*elems->s1g_bcn_compat)) 780 elems->s1g_bcn_compat = (void *)pos; 781 else 782 elem_parse_failed = 783 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 784 break; 785 case WLAN_EID_AID_RESPONSE: 786 if (params->mode != IEEE80211_CONN_MODE_S1G) 787 break; 788 if (elen == sizeof(struct ieee80211_aid_response_ie)) 789 elems->aid_resp = (void *)pos; 790 else 791 elem_parse_failed = 792 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 793 break; 794 default: 795 break; 796 } 797 798 if (elem_parse_failed) 799 elems->parse_error |= elem_parse_failed; 800 else 801 __set_bit(id, seen_elems); 802 } 803 804 if (!for_each_element_completed(elem, params->start, params->len)) 805 elems->parse_error |= IEEE80211_PARSE_ERR_INVALID_END; 806 807 return crc; 808 } 809 810 static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len, 811 struct ieee802_11_elems *elems, 812 struct cfg80211_bss *bss, 813 u8 *nontransmitted_profile) 814 { 815 const struct element *elem, *sub; 816 size_t profile_len = 0; 817 818 if (!bss || !bss->transmitted_bss) 819 return profile_len; 820 821 for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) { 822 if (elem->datalen < 2) 823 continue; 824 if (elem->data[0] < 1 || elem->data[0] > 8) 825 continue; 826 827 for_each_element(sub, elem->data + 1, elem->datalen - 1) { 828 u8 new_bssid[ETH_ALEN]; 829 const u8 *index; 830 831 if (sub->id != 0 || sub->datalen < 4) { 832 /* not a valid BSS profile */ 833 continue; 834 } 835 836 if (sub->data[0] != WLAN_EID_NON_TX_BSSID_CAP || 837 sub->data[1] != 2) { 838 /* The first element of the 839 * Nontransmitted BSSID Profile is not 840 * the Nontransmitted BSSID Capability 841 * element. 842 */ 843 continue; 844 } 845 846 memset(nontransmitted_profile, 0, len); 847 profile_len = cfg80211_merge_profile(start, len, 848 elem, 849 sub, 850 nontransmitted_profile, 851 len); 852 853 /* found a Nontransmitted BSSID Profile */ 854 index = cfg80211_find_ie(WLAN_EID_MULTI_BSSID_IDX, 855 nontransmitted_profile, 856 profile_len); 857 if (!index || index[1] < 1 || index[2] == 0) { 858 /* Invalid MBSSID Index element */ 859 continue; 860 } 861 862 cfg80211_gen_new_bssid(bss->transmitted_bss->bssid, 863 elem->data[0], 864 index[2], 865 new_bssid); 866 if (ether_addr_equal(new_bssid, bss->bssid)) { 867 elems->bssid_index_len = index[1]; 868 elems->bssid_index = (void *)&index[2]; 869 return profile_len; 870 } 871 } 872 } 873 874 return 0; 875 } 876 877 static void 878 ieee80211_mle_get_sta_prof(struct ieee80211_elems_parse *elems_parse, 879 u8 link_id) 880 { 881 struct ieee802_11_elems *elems = &elems_parse->elems; 882 const struct ieee80211_multi_link_elem *ml = elems->ml_basic; 883 ssize_t ml_len = elems->ml_basic_len; 884 const struct element *sub; 885 886 for_each_mle_subelement(sub, (u8 *)ml, ml_len) { 887 struct ieee80211_mle_per_sta_profile *prof = (void *)sub->data; 888 ssize_t sta_prof_len; 889 u16 control; 890 891 if (sub->id != IEEE80211_MLE_SUBELEM_PER_STA_PROFILE) 892 continue; 893 894 if (!ieee80211_mle_basic_sta_prof_size_ok(sub->data, 895 sub->datalen)) 896 return; 897 898 control = le16_to_cpu(prof->control); 899 900 if (link_id != u16_get_bits(control, 901 IEEE80211_MLE_STA_CONTROL_LINK_ID)) 902 continue; 903 904 if (!(control & IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE)) 905 return; 906 907 /* the sub element can be fragmented */ 908 sta_prof_len = 909 cfg80211_defragment_element(sub, 910 (u8 *)ml, ml_len, 911 elems_parse->scratch_pos, 912 elems_parse->scratch + 913 elems_parse->scratch_len - 914 elems_parse->scratch_pos, 915 IEEE80211_MLE_SUBELEM_FRAGMENT); 916 917 if (sta_prof_len < 0) 918 return; 919 920 elems->prof = (void *)elems_parse->scratch_pos; 921 elems->sta_prof_len = sta_prof_len; 922 elems_parse->scratch_pos += sta_prof_len; 923 924 return; 925 } 926 } 927 928 static const struct element * 929 ieee80211_prep_mle_link_parse(struct ieee80211_elems_parse *elems_parse, 930 struct ieee80211_elems_parse_params *params, 931 struct ieee80211_elems_parse_params *sub) 932 { 933 struct ieee802_11_elems *elems = &elems_parse->elems; 934 struct ieee80211_mle_per_sta_profile *prof; 935 const struct element *tmp, *ret; 936 ssize_t ml_len; 937 const u8 *end; 938 939 if (params->mode < IEEE80211_CONN_MODE_EHT) 940 return NULL; 941 942 for_each_element_extid(tmp, WLAN_EID_EXT_EHT_MULTI_LINK, 943 elems->ie_start, elems->total_len) { 944 const struct ieee80211_multi_link_elem *mle = 945 (void *)tmp->data + 1; 946 947 if (!ieee80211_mle_size_ok(tmp->data + 1, tmp->datalen - 1)) 948 continue; 949 950 if (le16_get_bits(mle->control, IEEE80211_ML_CONTROL_TYPE) != 951 IEEE80211_ML_CONTROL_TYPE_BASIC) 952 continue; 953 954 elems_parse->ml_basic_elem = tmp; 955 break; 956 } 957 958 ml_len = cfg80211_defragment_element(elems_parse->ml_basic_elem, 959 elems->ie_start, 960 elems->total_len, 961 elems_parse->scratch_pos, 962 elems_parse->scratch + 963 elems_parse->scratch_len - 964 elems_parse->scratch_pos, 965 WLAN_EID_FRAGMENT); 966 967 if (ml_len < 0) 968 return NULL; 969 970 elems->ml_basic = (const void *)elems_parse->scratch_pos; 971 elems->ml_basic_len = ml_len; 972 elems_parse->scratch_pos += ml_len; 973 974 if (params->link_id == -1) 975 return NULL; 976 977 ieee80211_mle_get_sta_prof(elems_parse, params->link_id); 978 prof = elems->prof; 979 980 if (!prof) 981 return NULL; 982 983 /* check if we have the 4 bytes for the fixed part in assoc response */ 984 if (elems->sta_prof_len < sizeof(*prof) + prof->sta_info_len - 1 + 4) { 985 elems->prof = NULL; 986 elems->sta_prof_len = 0; 987 return NULL; 988 } 989 990 /* 991 * Skip the capability information and the status code that are expected 992 * as part of the station profile in association response frames. Note 993 * the -1 is because the 'sta_info_len' is accounted to as part of the 994 * per-STA profile, but not part of the 'u8 variable[]' portion. 995 */ 996 sub->start = prof->variable + prof->sta_info_len - 1 + 4; 997 end = (const u8 *)prof + elems->sta_prof_len; 998 sub->len = end - sub->start; 999 1000 sub->mode = params->mode; 1001 sub->type = params->type; 1002 sub->from_ap = params->from_ap; 1003 sub->link_id = -1; 1004 1005 ret = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, 1006 sub->start, sub->len); 1007 if (ret) 1008 return ret; 1009 1010 /* 1011 * Since we know we want and found a profile, apply an empty 1012 * non-inheritance if the profile didn't have one, so that any 1013 * element that shouldn't be inherited by spec isn't. 1014 */ 1015 return (const void *)empty_non_inheritance; 1016 } 1017 1018 static const void * 1019 ieee80211_mle_defrag(struct ieee80211_elems_parse *elems_parse, 1020 struct ieee80211_elem_defrag *defrag, 1021 size_t *out_len) 1022 { 1023 const void *ret; 1024 ssize_t ml_len; 1025 1026 ml_len = cfg80211_defragment_element(defrag->elem, 1027 defrag->start, defrag->len, 1028 elems_parse->scratch_pos, 1029 elems_parse->scratch + 1030 elems_parse->scratch_len - 1031 elems_parse->scratch_pos, 1032 WLAN_EID_FRAGMENT); 1033 if (ml_len < 0) 1034 return NULL; 1035 ret = elems_parse->scratch_pos; 1036 *out_len = ml_len; 1037 elems_parse->scratch_pos += ml_len; 1038 return ret; 1039 } 1040 1041 struct ieee802_11_elems * 1042 ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params) 1043 { 1044 struct ieee80211_elems_parse_params sub = {}; 1045 struct ieee80211_elems_parse *elems_parse; 1046 const struct element *non_inherit = NULL; 1047 struct ieee802_11_elems *elems; 1048 size_t scratch_len = 3 * params->len; 1049 bool multi_link_inner = false; 1050 1051 BUILD_BUG_ON(sizeof(empty_non_inheritance) != empty_non_inheritance[1] + 2); 1052 BUILD_BUG_ON(offsetof(typeof(*elems_parse), elems) != 0); 1053 1054 /* cannot parse for both a specific link and non-transmitted BSS */ 1055 if (WARN_ON(params->link_id >= 0 && params->bss)) 1056 return NULL; 1057 1058 elems_parse = kzalloc_flex(*elems_parse, scratch, scratch_len, 1059 GFP_ATOMIC); 1060 if (!elems_parse) 1061 return NULL; 1062 1063 elems_parse->scratch_len = scratch_len; 1064 elems_parse->scratch_pos = elems_parse->scratch; 1065 1066 elems = &elems_parse->elems; 1067 elems->ie_start = params->start; 1068 elems->total_len = params->len; 1069 1070 /* set all TPE entries to unlimited (but invalid) */ 1071 ieee80211_clear_tpe(&elems->tpe); 1072 ieee80211_clear_tpe(&elems->csa_tpe); 1073 1074 /* 1075 * If we're looking for a non-transmitted BSS then we cannot at 1076 * the same time be looking for a second link as the two can only 1077 * appear in the same frame carrying info for different BSSes. 1078 * 1079 * In any case, we only look for one at a time, as encoded by 1080 * the WARN_ON above. 1081 */ 1082 if (params->bss) { 1083 int nontx_len = 1084 ieee802_11_find_bssid_profile(params->start, 1085 params->len, 1086 elems, params->bss, 1087 elems_parse->scratch_pos); 1088 sub.start = elems_parse->scratch_pos; 1089 sub.mode = params->mode; 1090 sub.len = nontx_len; 1091 sub.type = params->type; 1092 sub.link_id = params->link_id; 1093 1094 /* consume the space used for non-transmitted profile */ 1095 elems_parse->scratch_pos += nontx_len; 1096 1097 non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, 1098 sub.start, nontx_len); 1099 /* 1100 * If it's a non-transmitted BSS, we shouldn't pick 1101 * any elements in the outer parsing that shouldn't 1102 * be inherited. If the profile has a non-inheritance 1103 * element this automatically happens, but if not then 1104 * provide an empty one so that the hard-coded elements 1105 * in cfg80211_is_element_inherited() are ignored, but 1106 * it must be called. 1107 */ 1108 if (params->bss->transmitted_bss && !non_inherit) 1109 non_inherit = (const void *)empty_non_inheritance; 1110 } else { 1111 /* must always parse to get elems_parse->ml_basic_elem */ 1112 non_inherit = ieee80211_prep_mle_link_parse(elems_parse, params, 1113 &sub); 1114 multi_link_inner = true; 1115 } 1116 1117 elems_parse->skip_vendor = 1118 cfg80211_find_elem(WLAN_EID_VENDOR_SPECIFIC, 1119 sub.start, sub.len); 1120 elems->crc = _ieee802_11_parse_elems_full(params, elems_parse, 1121 non_inherit); 1122 1123 /* Override with nontransmitted/per-STA profile if found */ 1124 if (sub.len) { 1125 elems_parse->multi_link_inner = multi_link_inner; 1126 elems_parse->skip_vendor = false; 1127 _ieee802_11_parse_elems_full(&sub, elems_parse, NULL); 1128 } 1129 1130 elems->ml_reconf = ieee80211_mle_defrag(elems_parse, 1131 &elems_parse->ml_reconf, 1132 &elems->ml_reconf_len); 1133 elems->ml_epcs = ieee80211_mle_defrag(elems_parse, 1134 &elems_parse->ml_epcs, 1135 &elems->ml_epcs_len); 1136 1137 if (elems->tim && !elems->parse_error) { 1138 const struct ieee80211_tim_ie *tim_ie = elems->tim; 1139 1140 elems->dtim_period = tim_ie->dtim_period; 1141 elems->dtim_count = tim_ie->dtim_count; 1142 } 1143 1144 /* Override DTIM period and count if needed */ 1145 if (elems->bssid_index && 1146 elems->bssid_index_len >= 1147 offsetofend(struct ieee80211_bssid_index, dtim_period)) 1148 elems->dtim_period = elems->bssid_index->dtim_period; 1149 1150 if (elems->bssid_index && 1151 elems->bssid_index_len >= 1152 offsetofend(struct ieee80211_bssid_index, dtim_count)) 1153 elems->dtim_count = elems->bssid_index->dtim_count; 1154 1155 return elems; 1156 } 1157 EXPORT_SYMBOL_IF_KUNIT(ieee802_11_parse_elems_full); 1158 1159 int ieee80211_parse_bitrates(const struct ieee80211_supported_band *sband, 1160 const u8 *srates, int srates_len, u32 *rates) 1161 { 1162 struct ieee80211_rate *br; 1163 int brate, rate, i, j, count = 0; 1164 1165 *rates = 0; 1166 1167 for (i = 0; i < srates_len; i++) { 1168 rate = srates[i] & 0x7f; 1169 1170 for (j = 0; j < sband->n_bitrates; j++) { 1171 br = &sband->bitrates[j]; 1172 1173 brate = DIV_ROUND_UP(br->bitrate, 5); 1174 if (brate == rate) { 1175 *rates |= BIT(j); 1176 count++; 1177 break; 1178 } 1179 } 1180 } 1181 return count; 1182 } 1183