1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright 2002-2005, Instant802 Networks, Inc. 4 * Copyright 2005-2006, Devicescape Software, Inc. 5 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> 6 * Copyright 2007 Johannes Berg <johannes@sipsolutions.net> 7 * Copyright 2013-2014 Intel Mobile Communications GmbH 8 * Copyright (C) 2015-2017 Intel Deutschland GmbH 9 * Copyright (C) 2018-2025 Intel Corporation 10 * 11 * element parsing for mac80211 12 */ 13 14 #include <net/mac80211.h> 15 #include <linux/netdevice.h> 16 #include <linux/export.h> 17 #include <linux/types.h> 18 #include <linux/slab.h> 19 #include <linux/skbuff.h> 20 #include <linux/etherdevice.h> 21 #include <linux/if_arp.h> 22 #include <linux/bitmap.h> 23 #include <linux/crc32.h> 24 #include <net/net_namespace.h> 25 #include <net/cfg80211.h> 26 #include <net/rtnetlink.h> 27 #include <kunit/visibility.h> 28 29 #include "ieee80211_i.h" 30 #include "driver-ops.h" 31 #include "rate.h" 32 #include "mesh.h" 33 #include "wme.h" 34 #include "led.h" 35 #include "wep.h" 36 37 struct ieee80211_elems_parse { 38 /* must be first for kfree to work */ 39 struct ieee802_11_elems elems; 40 41 /* The basic Multi-Link element in the original elements */ 42 const struct element *ml_basic_elem; 43 44 /* The reconfiguration Multi-Link element in the original elements */ 45 const struct element *ml_reconf_elem; 46 47 /* The EPCS Multi-Link element in the original elements */ 48 const struct element *ml_epcs_elem; 49 50 bool multi_link_inner; 51 bool skip_vendor; 52 53 /* 54 * scratch buffer that can be used for various element parsing related 55 * tasks, e.g., element de-fragmentation etc. 56 */ 57 size_t scratch_len; 58 u8 *scratch_pos; 59 u8 scratch[] __counted_by(scratch_len); 60 }; 61 62 static void 63 ieee80211_parse_extension_element(u32 *crc, 64 const struct element *elem, 65 struct ieee80211_elems_parse *elems_parse, 66 struct ieee80211_elems_parse_params *params) 67 { 68 struct ieee802_11_elems *elems = &elems_parse->elems; 69 const void *data = elem->data + 1; 70 bool calc_crc = false; 71 u8 len; 72 73 if (!elem->datalen) 74 return; 75 76 len = elem->datalen - 1; 77 78 switch (elem->data[0]) { 79 case WLAN_EID_EXT_HE_MU_EDCA: 80 if (params->mode < IEEE80211_CONN_MODE_HE) 81 break; 82 calc_crc = true; 83 if (len >= sizeof(*elems->mu_edca_param_set)) 84 elems->mu_edca_param_set = data; 85 break; 86 case WLAN_EID_EXT_HE_CAPABILITY: 87 if (params->mode < IEEE80211_CONN_MODE_HE) 88 break; 89 if (ieee80211_he_capa_size_ok(data, len)) { 90 elems->he_cap = data; 91 elems->he_cap_len = len; 92 } 93 break; 94 case WLAN_EID_EXT_HE_OPERATION: 95 if (params->mode < IEEE80211_CONN_MODE_HE) 96 break; 97 calc_crc = true; 98 if (len >= sizeof(*elems->he_operation) && 99 len >= ieee80211_he_oper_size(data) - 1) 100 elems->he_operation = data; 101 break; 102 case WLAN_EID_EXT_UORA: 103 if (params->mode < IEEE80211_CONN_MODE_HE) 104 break; 105 if (len >= 1) 106 elems->uora_element = data; 107 break; 108 case WLAN_EID_EXT_MAX_CHANNEL_SWITCH_TIME: 109 if (len == 3) 110 elems->max_channel_switch_time = data; 111 break; 112 case WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION: 113 if (len >= sizeof(*elems->mbssid_config_ie)) 114 elems->mbssid_config_ie = data; 115 break; 116 case WLAN_EID_EXT_HE_SPR: 117 if (params->mode < IEEE80211_CONN_MODE_HE) 118 break; 119 if (len >= sizeof(*elems->he_spr) && 120 len >= ieee80211_he_spr_size(data) - 1) 121 elems->he_spr = data; 122 break; 123 case WLAN_EID_EXT_HE_6GHZ_CAPA: 124 if (params->mode < IEEE80211_CONN_MODE_HE) 125 break; 126 if (len >= sizeof(*elems->he_6ghz_capa)) 127 elems->he_6ghz_capa = data; 128 break; 129 case WLAN_EID_EXT_EHT_CAPABILITY: 130 if (params->mode < IEEE80211_CONN_MODE_EHT) 131 break; 132 if (ieee80211_eht_capa_size_ok(elems->he_cap, 133 data, len, 134 params->from_ap)) { 135 elems->eht_cap = data; 136 elems->eht_cap_len = len; 137 } 138 break; 139 case WLAN_EID_EXT_EHT_OPERATION: 140 if (params->mode < IEEE80211_CONN_MODE_EHT) 141 break; 142 if (ieee80211_eht_oper_size_ok(data, len)) 143 elems->eht_operation = data; 144 calc_crc = true; 145 break; 146 case WLAN_EID_EXT_EHT_MULTI_LINK: 147 if (params->mode < IEEE80211_CONN_MODE_EHT) 148 break; 149 calc_crc = true; 150 151 if (ieee80211_mle_size_ok(data, len)) { 152 const struct ieee80211_multi_link_elem *mle = 153 (void *)data; 154 155 switch (le16_get_bits(mle->control, 156 IEEE80211_ML_CONTROL_TYPE)) { 157 case IEEE80211_ML_CONTROL_TYPE_BASIC: 158 if (elems_parse->multi_link_inner) { 159 elems->parse_error |= 160 IEEE80211_PARSE_ERR_DUP_NEST_ML_BASIC; 161 break; 162 } 163 break; 164 case IEEE80211_ML_CONTROL_TYPE_RECONF: 165 elems_parse->ml_reconf_elem = elem; 166 break; 167 case IEEE80211_ML_CONTROL_TYPE_PRIO_ACCESS: 168 elems_parse->ml_epcs_elem = elem; 169 break; 170 default: 171 break; 172 } 173 } 174 break; 175 case WLAN_EID_EXT_BANDWIDTH_INDICATION: 176 if (params->mode < IEEE80211_CONN_MODE_EHT) 177 break; 178 if (ieee80211_bandwidth_indication_size_ok(data, len)) 179 elems->bandwidth_indication = data; 180 calc_crc = true; 181 break; 182 case WLAN_EID_EXT_TID_TO_LINK_MAPPING: 183 if (params->mode < IEEE80211_CONN_MODE_EHT) 184 break; 185 calc_crc = true; 186 if (ieee80211_tid_to_link_map_size_ok(data, len) && 187 elems->ttlm_num < ARRAY_SIZE(elems->ttlm)) { 188 elems->ttlm[elems->ttlm_num] = (void *)data; 189 elems->ttlm_num++; 190 } 191 break; 192 } 193 194 if (crc && calc_crc) 195 *crc = crc32_be(*crc, (void *)elem, elem->datalen + 2); 196 } 197 198 static void ieee80211_parse_tpe(struct ieee80211_parsed_tpe *tpe, 199 const u8 *data, u8 len) 200 { 201 const struct ieee80211_tx_pwr_env *env = (const void *)data; 202 u8 count, interpret, category; 203 u8 *out, N, *cnt_out = NULL, *N_out = NULL; 204 205 if (!ieee80211_valid_tpe_element(data, len)) 206 return; 207 208 count = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_COUNT); 209 interpret = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_INTERPRET); 210 category = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_CATEGORY); 211 212 switch (interpret) { 213 case IEEE80211_TPE_LOCAL_EIRP: 214 out = tpe->max_local[category].power; 215 cnt_out = &tpe->max_local[category].count; 216 tpe->max_local[category].valid = true; 217 break; 218 case IEEE80211_TPE_REG_CLIENT_EIRP: 219 out = tpe->max_reg_client[category].power; 220 cnt_out = &tpe->max_reg_client[category].count; 221 tpe->max_reg_client[category].valid = true; 222 break; 223 case IEEE80211_TPE_LOCAL_EIRP_PSD: 224 out = tpe->psd_local[category].power; 225 cnt_out = &tpe->psd_local[category].count; 226 N_out = &tpe->psd_local[category].n; 227 tpe->psd_local[category].valid = true; 228 break; 229 case IEEE80211_TPE_REG_CLIENT_EIRP_PSD: 230 out = tpe->psd_reg_client[category].power; 231 cnt_out = &tpe->psd_reg_client[category].count; 232 N_out = &tpe->psd_reg_client[category].n; 233 tpe->psd_reg_client[category].valid = true; 234 break; 235 } 236 237 switch (interpret) { 238 case IEEE80211_TPE_LOCAL_EIRP: 239 case IEEE80211_TPE_REG_CLIENT_EIRP: 240 /* count was validated <= 3, plus 320 MHz */ 241 BUILD_BUG_ON(IEEE80211_TPE_EIRP_ENTRIES_320MHZ < 5); 242 memcpy(out, env->variable, count + 1); 243 *cnt_out = count + 1; 244 /* separately take 320 MHz if present */ 245 if (count == 3 && len > sizeof(*env) + count + 1) { 246 out[4] = env->variable[4]; 247 *cnt_out = 5; 248 } 249 break; 250 case IEEE80211_TPE_LOCAL_EIRP_PSD: 251 case IEEE80211_TPE_REG_CLIENT_EIRP_PSD: 252 if (!count) { 253 memset(out, env->variable[0], 254 IEEE80211_TPE_PSD_ENTRIES_320MHZ); 255 *cnt_out = IEEE80211_TPE_PSD_ENTRIES_320MHZ; 256 break; 257 } 258 259 N = 1 << (count - 1); 260 memcpy(out, env->variable, N); 261 *cnt_out = N; 262 *N_out = N; 263 264 if (len > sizeof(*env) + N) { 265 int K = u8_get_bits(env->variable[N], 266 IEEE80211_TX_PWR_ENV_EXT_COUNT); 267 268 K = min(K, IEEE80211_TPE_PSD_ENTRIES_320MHZ - N); 269 memcpy(out + N, env->variable + N + 1, K); 270 (*cnt_out) += K; 271 } 272 break; 273 } 274 } 275 276 static u32 277 _ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params, 278 struct ieee80211_elems_parse *elems_parse, 279 const struct element *check_inherit) 280 { 281 struct ieee802_11_elems *elems = &elems_parse->elems; 282 const struct element *elem; 283 bool calc_crc = params->filter != 0; 284 DECLARE_BITMAP(seen_elems, 256); 285 u32 crc = params->crc; 286 287 bitmap_zero(seen_elems, 256); 288 289 switch (params->type) { 290 /* we don't need to parse assoc request, luckily (it's value 0) */ 291 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ASSOC_REQ: 292 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_REASSOC_REQ: 293 default: 294 WARN(1, "invalid frame type 0x%x for element parsing\n", 295 params->type); 296 break; 297 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ASSOC_RESP: 298 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_REASSOC_RESP: 299 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_PROBE_REQ: 300 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_PROBE_RESP: 301 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_BEACON: 302 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION: 303 case IEEE80211_FTYPE_EXT | IEEE80211_STYPE_S1G_BEACON: 304 break; 305 } 306 307 for_each_element(elem, params->start, params->len) { 308 const struct element *subelem; 309 u8 elem_parse_failed; 310 u8 id = elem->id; 311 u8 elen = elem->datalen; 312 const u8 *pos = elem->data; 313 314 if (check_inherit && 315 !cfg80211_is_element_inherited(elem, 316 check_inherit)) 317 continue; 318 319 switch (id) { 320 case WLAN_EID_SSID: 321 case WLAN_EID_SUPP_RATES: 322 case WLAN_EID_FH_PARAMS: 323 case WLAN_EID_DS_PARAMS: 324 case WLAN_EID_CF_PARAMS: 325 case WLAN_EID_TIM: 326 case WLAN_EID_IBSS_PARAMS: 327 case WLAN_EID_CHALLENGE: 328 case WLAN_EID_RSN: 329 case WLAN_EID_ERP_INFO: 330 case WLAN_EID_EXT_SUPP_RATES: 331 case WLAN_EID_HT_CAPABILITY: 332 case WLAN_EID_HT_OPERATION: 333 case WLAN_EID_VHT_CAPABILITY: 334 case WLAN_EID_VHT_OPERATION: 335 case WLAN_EID_MESH_ID: 336 case WLAN_EID_MESH_CONFIG: 337 case WLAN_EID_PEER_MGMT: 338 case WLAN_EID_PREQ: 339 case WLAN_EID_PREP: 340 case WLAN_EID_PERR: 341 case WLAN_EID_RANN: 342 case WLAN_EID_CHANNEL_SWITCH: 343 case WLAN_EID_EXT_CHANSWITCH_ANN: 344 case WLAN_EID_COUNTRY: 345 case WLAN_EID_PWR_CONSTRAINT: 346 case WLAN_EID_TIMEOUT_INTERVAL: 347 case WLAN_EID_SECONDARY_CHANNEL_OFFSET: 348 case WLAN_EID_WIDE_BW_CHANNEL_SWITCH: 349 case WLAN_EID_CHAN_SWITCH_PARAM: 350 case WLAN_EID_EXT_CAPABILITY: 351 case WLAN_EID_CHAN_SWITCH_TIMING: 352 case WLAN_EID_LINK_ID: 353 case WLAN_EID_BSS_MAX_IDLE_PERIOD: 354 case WLAN_EID_RSNX: 355 case WLAN_EID_S1G_BCN_COMPAT: 356 case WLAN_EID_S1G_CAPABILITIES: 357 case WLAN_EID_S1G_OPERATION: 358 case WLAN_EID_AID_RESPONSE: 359 case WLAN_EID_S1G_SHORT_BCN_INTERVAL: 360 /* 361 * not listing WLAN_EID_CHANNEL_SWITCH_WRAPPER -- it seems possible 362 * that if the content gets bigger it might be needed more than once 363 */ 364 if (test_bit(id, seen_elems)) { 365 elems->parse_error |= 366 IEEE80211_PARSE_ERR_DUP_ELEM; 367 continue; 368 } 369 break; 370 } 371 372 if (calc_crc && id < 64 && (params->filter & (1ULL << id))) 373 crc = crc32_be(crc, pos - 2, elen + 2); 374 375 elem_parse_failed = 0; 376 377 switch (id) { 378 case WLAN_EID_LINK_ID: 379 if (elen + 2 < sizeof(struct ieee80211_tdls_lnkie)) { 380 elem_parse_failed = 381 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 382 break; 383 } 384 elems->lnk_id = (void *)(pos - 2); 385 break; 386 case WLAN_EID_CHAN_SWITCH_TIMING: 387 if (elen < sizeof(struct ieee80211_ch_switch_timing)) { 388 elem_parse_failed = 389 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 390 break; 391 } 392 elems->ch_sw_timing = (void *)pos; 393 break; 394 case WLAN_EID_EXT_CAPABILITY: 395 elems->ext_capab = pos; 396 elems->ext_capab_len = elen; 397 break; 398 case WLAN_EID_SSID: 399 elems->ssid = pos; 400 elems->ssid_len = elen; 401 break; 402 case WLAN_EID_SUPP_RATES: 403 elems->supp_rates = pos; 404 elems->supp_rates_len = elen; 405 break; 406 case WLAN_EID_DS_PARAMS: 407 if (elen >= 1) 408 elems->ds_params = pos; 409 else 410 elem_parse_failed = 411 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 412 break; 413 case WLAN_EID_TIM: 414 if (elen >= sizeof(struct ieee80211_tim_ie)) { 415 elems->tim = (void *)pos; 416 elems->tim_len = elen; 417 } else 418 elem_parse_failed = 419 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 420 break; 421 case WLAN_EID_VENDOR_SPECIFIC: 422 if (elems_parse->skip_vendor) 423 break; 424 425 if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 && 426 pos[2] == 0xf2) { 427 /* Microsoft OUI (00:50:F2) */ 428 429 if (calc_crc) 430 crc = crc32_be(crc, pos - 2, elen + 2); 431 432 if (elen >= 5 && pos[3] == 2) { 433 /* OUI Type 2 - WMM IE */ 434 if (pos[4] == 0) { 435 elems->wmm_info = pos; 436 elems->wmm_info_len = elen; 437 } else if (pos[4] == 1) { 438 elems->wmm_param = pos; 439 elems->wmm_param_len = elen; 440 } 441 } 442 } 443 break; 444 case WLAN_EID_RSN: 445 elems->rsn = pos; 446 elems->rsn_len = elen; 447 break; 448 case WLAN_EID_ERP_INFO: 449 if (elen >= 1) 450 elems->erp_info = pos; 451 else 452 elem_parse_failed = 453 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 454 break; 455 case WLAN_EID_EXT_SUPP_RATES: 456 elems->ext_supp_rates = pos; 457 elems->ext_supp_rates_len = elen; 458 break; 459 case WLAN_EID_HT_CAPABILITY: 460 if (params->mode < IEEE80211_CONN_MODE_HT) 461 break; 462 if (elen >= sizeof(struct ieee80211_ht_cap)) 463 elems->ht_cap_elem = (void *)pos; 464 else 465 elem_parse_failed = 466 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 467 break; 468 case WLAN_EID_HT_OPERATION: 469 if (params->mode < IEEE80211_CONN_MODE_HT) 470 break; 471 if (elen >= sizeof(struct ieee80211_ht_operation)) 472 elems->ht_operation = (void *)pos; 473 else 474 elem_parse_failed = 475 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 476 break; 477 case WLAN_EID_VHT_CAPABILITY: 478 if (params->mode < IEEE80211_CONN_MODE_VHT) 479 break; 480 if (elen >= sizeof(struct ieee80211_vht_cap)) 481 elems->vht_cap_elem = (void *)pos; 482 else 483 elem_parse_failed = 484 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 485 break; 486 case WLAN_EID_VHT_OPERATION: 487 if (params->mode < IEEE80211_CONN_MODE_VHT) 488 break; 489 if (elen >= sizeof(struct ieee80211_vht_operation)) { 490 elems->vht_operation = (void *)pos; 491 if (calc_crc) 492 crc = crc32_be(crc, pos - 2, elen + 2); 493 break; 494 } 495 elem_parse_failed = 496 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 497 break; 498 case WLAN_EID_OPMODE_NOTIF: 499 if (params->mode < IEEE80211_CONN_MODE_VHT) 500 break; 501 if (elen > 0) { 502 elems->opmode_notif = pos; 503 if (calc_crc) 504 crc = crc32_be(crc, pos - 2, elen + 2); 505 break; 506 } 507 elem_parse_failed = 508 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 509 break; 510 case WLAN_EID_MESH_ID: 511 elems->mesh_id = pos; 512 elems->mesh_id_len = elen; 513 break; 514 case WLAN_EID_MESH_CONFIG: 515 if (elen >= sizeof(struct ieee80211_meshconf_ie)) 516 elems->mesh_config = (void *)pos; 517 else 518 elem_parse_failed = 519 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 520 break; 521 case WLAN_EID_PEER_MGMT: 522 elems->peering = pos; 523 elems->peering_len = elen; 524 break; 525 case WLAN_EID_MESH_AWAKE_WINDOW: 526 if (elen >= 2) 527 elems->awake_window = (void *)pos; 528 break; 529 case WLAN_EID_PREQ: 530 elems->preq = pos; 531 elems->preq_len = elen; 532 break; 533 case WLAN_EID_PREP: 534 elems->prep = pos; 535 elems->prep_len = elen; 536 break; 537 case WLAN_EID_PERR: 538 elems->perr = pos; 539 elems->perr_len = elen; 540 break; 541 case WLAN_EID_RANN: 542 if (elen >= sizeof(struct ieee80211_rann_ie)) 543 elems->rann = (void *)pos; 544 else 545 elem_parse_failed = 546 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 547 break; 548 case WLAN_EID_CHANNEL_SWITCH: 549 if (elen != sizeof(struct ieee80211_channel_sw_ie)) { 550 elem_parse_failed = 551 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 552 break; 553 } 554 elems->ch_switch_ie = (void *)pos; 555 break; 556 case WLAN_EID_EXT_CHANSWITCH_ANN: 557 if (elen != sizeof(struct ieee80211_ext_chansw_ie)) { 558 elem_parse_failed = 559 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 560 break; 561 } 562 elems->ext_chansw_ie = (void *)pos; 563 break; 564 case WLAN_EID_SECONDARY_CHANNEL_OFFSET: 565 if (params->mode < IEEE80211_CONN_MODE_HT) 566 break; 567 if (elen != sizeof(struct ieee80211_sec_chan_offs_ie)) { 568 elem_parse_failed = 569 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 570 break; 571 } 572 elems->sec_chan_offs = (void *)pos; 573 break; 574 case WLAN_EID_CHAN_SWITCH_PARAM: 575 if (elen < 576 sizeof(*elems->mesh_chansw_params_ie)) { 577 elem_parse_failed = 578 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 579 break; 580 } 581 elems->mesh_chansw_params_ie = (void *)pos; 582 break; 583 case WLAN_EID_WIDE_BW_CHANNEL_SWITCH: 584 if (params->mode < IEEE80211_CONN_MODE_VHT) 585 break; 586 587 if (params->type != (IEEE80211_FTYPE_MGMT | 588 IEEE80211_STYPE_ACTION)) { 589 elem_parse_failed = 590 IEEE80211_PARSE_ERR_UNEXPECTED_ELEM; 591 break; 592 } 593 594 if (elen < sizeof(*elems->wide_bw_chansw_ie)) { 595 elem_parse_failed = 596 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 597 break; 598 } 599 elems->wide_bw_chansw_ie = (void *)pos; 600 break; 601 case WLAN_EID_CHANNEL_SWITCH_WRAPPER: 602 if (params->mode < IEEE80211_CONN_MODE_VHT) 603 break; 604 if (params->type == (IEEE80211_FTYPE_MGMT | 605 IEEE80211_STYPE_ACTION)) { 606 elem_parse_failed = 607 IEEE80211_PARSE_ERR_UNEXPECTED_ELEM; 608 break; 609 } 610 /* 611 * This is a bit tricky, but as we only care about 612 * a few elements, parse them out manually. 613 */ 614 subelem = cfg80211_find_elem(WLAN_EID_WIDE_BW_CHANNEL_SWITCH, 615 pos, elen); 616 if (subelem) { 617 if (subelem->datalen >= sizeof(*elems->wide_bw_chansw_ie)) 618 elems->wide_bw_chansw_ie = 619 (void *)subelem->data; 620 else 621 elem_parse_failed = 622 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 623 } 624 625 if (params->mode < IEEE80211_CONN_MODE_EHT) 626 break; 627 628 subelem = cfg80211_find_ext_elem(WLAN_EID_EXT_BANDWIDTH_INDICATION, 629 pos, elen); 630 if (subelem) { 631 const void *edata = subelem->data + 1; 632 u8 edatalen = subelem->datalen - 1; 633 634 if (ieee80211_bandwidth_indication_size_ok(edata, 635 edatalen)) 636 elems->bandwidth_indication = edata; 637 else 638 elem_parse_failed = 639 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 640 } 641 642 subelem = cfg80211_find_ext_elem(WLAN_EID_TX_POWER_ENVELOPE, 643 pos, elen); 644 if (subelem) 645 ieee80211_parse_tpe(&elems->csa_tpe, 646 subelem->data + 1, 647 subelem->datalen - 1); 648 break; 649 case WLAN_EID_COUNTRY: 650 elems->country_elem = pos; 651 elems->country_elem_len = elen; 652 break; 653 case WLAN_EID_PWR_CONSTRAINT: 654 if (elen != 1) { 655 elem_parse_failed = 656 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 657 break; 658 } 659 elems->pwr_constr_elem = pos; 660 break; 661 case WLAN_EID_CISCO_VENDOR_SPECIFIC: 662 /* Lots of different options exist, but we only care 663 * about the Dynamic Transmit Power Control element. 664 * First check for the Cisco OUI, then for the DTPC 665 * tag (0x00). 666 */ 667 if (elen < 4) { 668 elem_parse_failed = 669 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 670 break; 671 } 672 673 if (pos[0] != 0x00 || pos[1] != 0x40 || 674 pos[2] != 0x96 || pos[3] != 0x00) 675 break; 676 677 if (elen != 6) { 678 elem_parse_failed = 679 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 680 break; 681 } 682 683 if (calc_crc) 684 crc = crc32_be(crc, pos - 2, elen + 2); 685 686 elems->cisco_dtpc_elem = pos; 687 break; 688 case WLAN_EID_ADDBA_EXT: 689 if (elen < sizeof(struct ieee80211_addba_ext_ie)) { 690 elem_parse_failed = 691 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 692 break; 693 } 694 elems->addba_ext_ie = (void *)pos; 695 break; 696 case WLAN_EID_TIMEOUT_INTERVAL: 697 if (elen >= sizeof(struct ieee80211_timeout_interval_ie)) 698 elems->timeout_int = (void *)pos; 699 else 700 elem_parse_failed = 701 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 702 break; 703 case WLAN_EID_BSS_MAX_IDLE_PERIOD: 704 if (elen >= sizeof(*elems->max_idle_period_ie)) 705 elems->max_idle_period_ie = (void *)pos; 706 break; 707 case WLAN_EID_RSNX: 708 elems->rsnx = pos; 709 elems->rsnx_len = elen; 710 break; 711 case WLAN_EID_TX_POWER_ENVELOPE: 712 if (params->mode < IEEE80211_CONN_MODE_HE) 713 break; 714 ieee80211_parse_tpe(&elems->tpe, pos, elen); 715 break; 716 case WLAN_EID_EXTENSION: 717 ieee80211_parse_extension_element(calc_crc ? 718 &crc : NULL, 719 elem, elems_parse, 720 params); 721 break; 722 case WLAN_EID_S1G_CAPABILITIES: 723 if (params->mode != IEEE80211_CONN_MODE_S1G) 724 break; 725 if (elen >= sizeof(*elems->s1g_capab)) 726 elems->s1g_capab = (void *)pos; 727 else 728 elem_parse_failed = 729 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 730 break; 731 case WLAN_EID_S1G_OPERATION: 732 if (params->mode != IEEE80211_CONN_MODE_S1G) 733 break; 734 if (elen == sizeof(*elems->s1g_oper)) 735 elems->s1g_oper = (void *)pos; 736 else 737 elem_parse_failed = 738 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 739 break; 740 case WLAN_EID_S1G_BCN_COMPAT: 741 if (params->mode != IEEE80211_CONN_MODE_S1G) 742 break; 743 if (elen == sizeof(*elems->s1g_bcn_compat)) 744 elems->s1g_bcn_compat = (void *)pos; 745 else 746 elem_parse_failed = 747 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 748 break; 749 case WLAN_EID_AID_RESPONSE: 750 if (params->mode != IEEE80211_CONN_MODE_S1G) 751 break; 752 if (elen == sizeof(struct ieee80211_aid_response_ie)) 753 elems->aid_resp = (void *)pos; 754 else 755 elem_parse_failed = 756 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 757 break; 758 default: 759 break; 760 } 761 762 if (elem_parse_failed) 763 elems->parse_error |= elem_parse_failed; 764 else 765 __set_bit(id, seen_elems); 766 } 767 768 if (!for_each_element_completed(elem, params->start, params->len)) 769 elems->parse_error |= IEEE80211_PARSE_ERR_INVALID_END; 770 771 return crc; 772 } 773 774 static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len, 775 struct ieee802_11_elems *elems, 776 struct cfg80211_bss *bss, 777 u8 *nontransmitted_profile) 778 { 779 const struct element *elem, *sub; 780 size_t profile_len = 0; 781 782 if (!bss || !bss->transmitted_bss) 783 return profile_len; 784 785 for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) { 786 if (elem->datalen < 2) 787 continue; 788 if (elem->data[0] < 1 || elem->data[0] > 8) 789 continue; 790 791 for_each_element(sub, elem->data + 1, elem->datalen - 1) { 792 u8 new_bssid[ETH_ALEN]; 793 const u8 *index; 794 795 if (sub->id != 0 || sub->datalen < 4) { 796 /* not a valid BSS profile */ 797 continue; 798 } 799 800 if (sub->data[0] != WLAN_EID_NON_TX_BSSID_CAP || 801 sub->data[1] != 2) { 802 /* The first element of the 803 * Nontransmitted BSSID Profile is not 804 * the Nontransmitted BSSID Capability 805 * element. 806 */ 807 continue; 808 } 809 810 memset(nontransmitted_profile, 0, len); 811 profile_len = cfg80211_merge_profile(start, len, 812 elem, 813 sub, 814 nontransmitted_profile, 815 len); 816 817 /* found a Nontransmitted BSSID Profile */ 818 index = cfg80211_find_ie(WLAN_EID_MULTI_BSSID_IDX, 819 nontransmitted_profile, 820 profile_len); 821 if (!index || index[1] < 1 || index[2] == 0) { 822 /* Invalid MBSSID Index element */ 823 continue; 824 } 825 826 cfg80211_gen_new_bssid(bss->transmitted_bss->bssid, 827 elem->data[0], 828 index[2], 829 new_bssid); 830 if (ether_addr_equal(new_bssid, bss->bssid)) { 831 elems->bssid_index_len = index[1]; 832 elems->bssid_index = (void *)&index[2]; 833 return profile_len; 834 } 835 } 836 } 837 838 return 0; 839 } 840 841 static void 842 ieee80211_mle_get_sta_prof(struct ieee80211_elems_parse *elems_parse, 843 u8 link_id) 844 { 845 struct ieee802_11_elems *elems = &elems_parse->elems; 846 const struct ieee80211_multi_link_elem *ml = elems->ml_basic; 847 ssize_t ml_len = elems->ml_basic_len; 848 const struct element *sub; 849 850 for_each_mle_subelement(sub, (u8 *)ml, ml_len) { 851 struct ieee80211_mle_per_sta_profile *prof = (void *)sub->data; 852 ssize_t sta_prof_len; 853 u16 control; 854 855 if (sub->id != IEEE80211_MLE_SUBELEM_PER_STA_PROFILE) 856 continue; 857 858 if (!ieee80211_mle_basic_sta_prof_size_ok(sub->data, 859 sub->datalen)) 860 return; 861 862 control = le16_to_cpu(prof->control); 863 864 if (link_id != u16_get_bits(control, 865 IEEE80211_MLE_STA_CONTROL_LINK_ID)) 866 continue; 867 868 if (!(control & IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE)) 869 return; 870 871 /* the sub element can be fragmented */ 872 sta_prof_len = 873 cfg80211_defragment_element(sub, 874 (u8 *)ml, ml_len, 875 elems_parse->scratch_pos, 876 elems_parse->scratch + 877 elems_parse->scratch_len - 878 elems_parse->scratch_pos, 879 IEEE80211_MLE_SUBELEM_FRAGMENT); 880 881 if (sta_prof_len < 0) 882 return; 883 884 elems->prof = (void *)elems_parse->scratch_pos; 885 elems->sta_prof_len = sta_prof_len; 886 elems_parse->scratch_pos += sta_prof_len; 887 888 return; 889 } 890 } 891 892 static const struct element * 893 ieee80211_prep_mle_link_parse(struct ieee80211_elems_parse *elems_parse, 894 struct ieee80211_elems_parse_params *params, 895 struct ieee80211_elems_parse_params *sub) 896 { 897 struct ieee802_11_elems *elems = &elems_parse->elems; 898 struct ieee80211_mle_per_sta_profile *prof; 899 const struct element *tmp; 900 ssize_t ml_len; 901 const u8 *end; 902 903 if (params->mode < IEEE80211_CONN_MODE_EHT) 904 return NULL; 905 906 for_each_element_extid(tmp, WLAN_EID_EXT_EHT_MULTI_LINK, 907 elems->ie_start, elems->total_len) { 908 const struct ieee80211_multi_link_elem *mle = 909 (void *)tmp->data + 1; 910 911 if (!ieee80211_mle_size_ok(tmp->data + 1, tmp->datalen - 1)) 912 continue; 913 914 if (le16_get_bits(mle->control, IEEE80211_ML_CONTROL_TYPE) != 915 IEEE80211_ML_CONTROL_TYPE_BASIC) 916 continue; 917 918 elems_parse->ml_basic_elem = tmp; 919 break; 920 } 921 922 ml_len = cfg80211_defragment_element(elems_parse->ml_basic_elem, 923 elems->ie_start, 924 elems->total_len, 925 elems_parse->scratch_pos, 926 elems_parse->scratch + 927 elems_parse->scratch_len - 928 elems_parse->scratch_pos, 929 WLAN_EID_FRAGMENT); 930 931 if (ml_len < 0) 932 return NULL; 933 934 elems->ml_basic = (const void *)elems_parse->scratch_pos; 935 elems->ml_basic_len = ml_len; 936 elems_parse->scratch_pos += ml_len; 937 938 if (params->link_id == -1) 939 return NULL; 940 941 ieee80211_mle_get_sta_prof(elems_parse, params->link_id); 942 prof = elems->prof; 943 944 if (!prof) 945 return NULL; 946 947 /* check if we have the 4 bytes for the fixed part in assoc response */ 948 if (elems->sta_prof_len < sizeof(*prof) + prof->sta_info_len - 1 + 4) { 949 elems->prof = NULL; 950 elems->sta_prof_len = 0; 951 return NULL; 952 } 953 954 /* 955 * Skip the capability information and the status code that are expected 956 * as part of the station profile in association response frames. Note 957 * the -1 is because the 'sta_info_len' is accounted to as part of the 958 * per-STA profile, but not part of the 'u8 variable[]' portion. 959 */ 960 sub->start = prof->variable + prof->sta_info_len - 1 + 4; 961 end = (const u8 *)prof + elems->sta_prof_len; 962 sub->len = end - sub->start; 963 964 sub->mode = params->mode; 965 sub->type = params->type; 966 sub->from_ap = params->from_ap; 967 sub->link_id = -1; 968 969 return cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, 970 sub->start, sub->len); 971 } 972 973 static void 974 ieee80211_mle_defrag_reconf(struct ieee80211_elems_parse *elems_parse) 975 { 976 struct ieee802_11_elems *elems = &elems_parse->elems; 977 ssize_t ml_len; 978 979 ml_len = cfg80211_defragment_element(elems_parse->ml_reconf_elem, 980 elems->ie_start, 981 elems->total_len, 982 elems_parse->scratch_pos, 983 elems_parse->scratch + 984 elems_parse->scratch_len - 985 elems_parse->scratch_pos, 986 WLAN_EID_FRAGMENT); 987 if (ml_len < 0) 988 return; 989 elems->ml_reconf = (void *)elems_parse->scratch_pos; 990 elems->ml_reconf_len = ml_len; 991 elems_parse->scratch_pos += ml_len; 992 } 993 994 static void 995 ieee80211_mle_defrag_epcs(struct ieee80211_elems_parse *elems_parse) 996 { 997 struct ieee802_11_elems *elems = &elems_parse->elems; 998 ssize_t ml_len; 999 1000 ml_len = cfg80211_defragment_element(elems_parse->ml_epcs_elem, 1001 elems->ie_start, 1002 elems->total_len, 1003 elems_parse->scratch_pos, 1004 elems_parse->scratch + 1005 elems_parse->scratch_len - 1006 elems_parse->scratch_pos, 1007 WLAN_EID_FRAGMENT); 1008 if (ml_len < 0) 1009 return; 1010 elems->ml_epcs = (void *)elems_parse->scratch_pos; 1011 elems->ml_epcs_len = ml_len; 1012 elems_parse->scratch_pos += ml_len; 1013 } 1014 1015 struct ieee802_11_elems * 1016 ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params) 1017 { 1018 struct ieee80211_elems_parse_params sub = {}; 1019 struct ieee80211_elems_parse *elems_parse; 1020 const struct element *non_inherit = NULL; 1021 struct ieee802_11_elems *elems; 1022 size_t scratch_len = 3 * params->len; 1023 bool multi_link_inner = false; 1024 1025 BUILD_BUG_ON(offsetof(typeof(*elems_parse), elems) != 0); 1026 1027 /* cannot parse for both a specific link and non-transmitted BSS */ 1028 if (WARN_ON(params->link_id >= 0 && params->bss)) 1029 return NULL; 1030 1031 elems_parse = kzalloc(struct_size(elems_parse, scratch, scratch_len), 1032 GFP_ATOMIC); 1033 if (!elems_parse) 1034 return NULL; 1035 1036 elems_parse->scratch_len = scratch_len; 1037 elems_parse->scratch_pos = elems_parse->scratch; 1038 1039 elems = &elems_parse->elems; 1040 elems->ie_start = params->start; 1041 elems->total_len = params->len; 1042 1043 /* set all TPE entries to unlimited (but invalid) */ 1044 ieee80211_clear_tpe(&elems->tpe); 1045 ieee80211_clear_tpe(&elems->csa_tpe); 1046 1047 /* 1048 * If we're looking for a non-transmitted BSS then we cannot at 1049 * the same time be looking for a second link as the two can only 1050 * appear in the same frame carrying info for different BSSes. 1051 * 1052 * In any case, we only look for one at a time, as encoded by 1053 * the WARN_ON above. 1054 */ 1055 if (params->bss) { 1056 int nontx_len = 1057 ieee802_11_find_bssid_profile(params->start, 1058 params->len, 1059 elems, params->bss, 1060 elems_parse->scratch_pos); 1061 sub.start = elems_parse->scratch_pos; 1062 sub.mode = params->mode; 1063 sub.len = nontx_len; 1064 sub.type = params->type; 1065 sub.link_id = params->link_id; 1066 1067 /* consume the space used for non-transmitted profile */ 1068 elems_parse->scratch_pos += nontx_len; 1069 1070 non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, 1071 sub.start, nontx_len); 1072 } else { 1073 /* must always parse to get elems_parse->ml_basic_elem */ 1074 non_inherit = ieee80211_prep_mle_link_parse(elems_parse, params, 1075 &sub); 1076 multi_link_inner = true; 1077 } 1078 1079 elems_parse->skip_vendor = 1080 cfg80211_find_elem(WLAN_EID_VENDOR_SPECIFIC, 1081 sub.start, sub.len); 1082 elems->crc = _ieee802_11_parse_elems_full(params, elems_parse, 1083 non_inherit); 1084 1085 /* Override with nontransmitted/per-STA profile if found */ 1086 if (sub.len) { 1087 elems_parse->multi_link_inner = multi_link_inner; 1088 elems_parse->skip_vendor = false; 1089 _ieee802_11_parse_elems_full(&sub, elems_parse, NULL); 1090 } 1091 1092 ieee80211_mle_defrag_reconf(elems_parse); 1093 1094 ieee80211_mle_defrag_epcs(elems_parse); 1095 1096 if (elems->tim && !elems->parse_error) { 1097 const struct ieee80211_tim_ie *tim_ie = elems->tim; 1098 1099 elems->dtim_period = tim_ie->dtim_period; 1100 elems->dtim_count = tim_ie->dtim_count; 1101 } 1102 1103 /* Override DTIM period and count if needed */ 1104 if (elems->bssid_index && 1105 elems->bssid_index_len >= 1106 offsetofend(struct ieee80211_bssid_index, dtim_period)) 1107 elems->dtim_period = elems->bssid_index->dtim_period; 1108 1109 if (elems->bssid_index && 1110 elems->bssid_index_len >= 1111 offsetofend(struct ieee80211_bssid_index, dtim_count)) 1112 elems->dtim_count = elems->bssid_index->dtim_count; 1113 1114 return elems; 1115 } 1116 EXPORT_SYMBOL_IF_KUNIT(ieee802_11_parse_elems_full); 1117 1118 int ieee80211_parse_bitrates(enum nl80211_chan_width width, 1119 const struct ieee80211_supported_band *sband, 1120 const u8 *srates, int srates_len, u32 *rates) 1121 { 1122 struct ieee80211_rate *br; 1123 int brate, rate, i, j, count = 0; 1124 1125 *rates = 0; 1126 1127 for (i = 0; i < srates_len; i++) { 1128 rate = srates[i] & 0x7f; 1129 1130 for (j = 0; j < sband->n_bitrates; j++) { 1131 br = &sband->bitrates[j]; 1132 1133 brate = DIV_ROUND_UP(br->bitrate, 5); 1134 if (brate == rate) { 1135 *rates |= BIT(j); 1136 count++; 1137 break; 1138 } 1139 } 1140 } 1141 return count; 1142 } 1143