1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright 2002-2005, Instant802 Networks, Inc. 4 * Copyright 2005-2006, Devicescape Software, Inc. 5 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> 6 * Copyright 2007 Johannes Berg <johannes@sipsolutions.net> 7 * Copyright 2013-2014 Intel Mobile Communications GmbH 8 * Copyright (C) 2015-2017 Intel Deutschland GmbH 9 * Copyright (C) 2018-2026 Intel Corporation 10 * 11 * element parsing for mac80211 12 */ 13 14 #include <net/mac80211.h> 15 #include <linux/netdevice.h> 16 #include <linux/export.h> 17 #include <linux/types.h> 18 #include <linux/slab.h> 19 #include <linux/skbuff.h> 20 #include <linux/etherdevice.h> 21 #include <linux/if_arp.h> 22 #include <linux/bitmap.h> 23 #include <linux/crc32.h> 24 #include <net/net_namespace.h> 25 #include <net/cfg80211.h> 26 #include <net/rtnetlink.h> 27 #include <kunit/visibility.h> 28 29 #include "ieee80211_i.h" 30 #include "driver-ops.h" 31 #include "rate.h" 32 #include "mesh.h" 33 #include "wme.h" 34 #include "led.h" 35 #include "wep.h" 36 37 static const u8 empty_non_inheritance[] = { 38 WLAN_EID_EXTENSION, 1, WLAN_EID_EXT_NON_INHERITANCE, 39 /* 40 * cfg80211_is_element_inherited() hardcodes elements that 41 * cannot be inherited, so we just need an empty one to be 42 * calling it at all. 43 */ 44 }; 45 46 struct ieee80211_elem_defrag { 47 const struct element *elem; 48 /* container start/len */ 49 const u8 *start; 50 size_t len; 51 }; 52 53 struct ieee80211_elems_parse { 54 /* must be first for kfree to work */ 55 struct ieee802_11_elems elems; 56 57 struct ieee80211_elem_defrag ml_reconf, ml_epcs, ml_basic; 58 59 bool inside_multilink; 60 bool skip_vendor; 61 62 /* 63 * scratch buffer that can be used for various element parsing related 64 * tasks, e.g., element de-fragmentation etc. 65 */ 66 size_t scratch_len; 67 u8 *scratch_pos; 68 u8 scratch[] __counted_by(scratch_len); 69 }; 70 71 static void 72 ieee80211_parse_extension_element(u32 *crc, 73 const struct element *elem, 74 struct ieee80211_elems_parse *elems_parse, 75 struct ieee80211_elems_parse_params *params) 76 { 77 struct ieee802_11_elems *elems = &elems_parse->elems; 78 const void *data = elem->data + 1; 79 bool calc_crc = false; 80 u8 len; 81 82 if (!elem->datalen) 83 return; 84 85 len = elem->datalen - 1; 86 87 switch (elem->data[0]) { 88 case WLAN_EID_EXT_HE_MU_EDCA: 89 if (params->mode < IEEE80211_CONN_MODE_HE) 90 break; 91 calc_crc = true; 92 if (len >= sizeof(*elems->mu_edca_param_set)) 93 elems->mu_edca_param_set = data; 94 break; 95 case WLAN_EID_EXT_HE_CAPABILITY: 96 if (params->mode < IEEE80211_CONN_MODE_HE) 97 break; 98 if (ieee80211_he_capa_size_ok(data, len)) { 99 elems->he_cap = data; 100 elems->he_cap_len = len; 101 } 102 break; 103 case WLAN_EID_EXT_HE_OPERATION: 104 if (params->mode < IEEE80211_CONN_MODE_HE) 105 break; 106 calc_crc = true; 107 if (len >= sizeof(*elems->he_operation) && 108 len >= ieee80211_he_oper_size(data) - 1) 109 elems->he_operation = data; 110 break; 111 case WLAN_EID_EXT_UORA: 112 if (params->mode < IEEE80211_CONN_MODE_HE) 113 break; 114 if (len >= 1) 115 elems->uora_element = data; 116 break; 117 case WLAN_EID_EXT_MAX_CHANNEL_SWITCH_TIME: 118 if (len == 3) 119 elems->max_channel_switch_time = data; 120 break; 121 case WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION: 122 if (len >= sizeof(*elems->mbssid_config_ie)) 123 elems->mbssid_config_ie = data; 124 break; 125 case WLAN_EID_EXT_HE_SPR: 126 if (params->mode < IEEE80211_CONN_MODE_HE) 127 break; 128 if (len >= sizeof(*elems->he_spr) && 129 len >= ieee80211_he_spr_size(data) - 1) 130 elems->he_spr = data; 131 break; 132 case WLAN_EID_EXT_HE_6GHZ_CAPA: 133 if (params->mode < IEEE80211_CONN_MODE_HE) 134 break; 135 if (len >= sizeof(*elems->he_6ghz_capa)) 136 elems->he_6ghz_capa = data; 137 break; 138 case WLAN_EID_EXT_EHT_CAPABILITY: 139 if (params->mode < IEEE80211_CONN_MODE_EHT) 140 break; 141 if (ieee80211_eht_capa_size_ok(elems->he_cap, 142 data, len, 143 params->from_ap)) { 144 elems->eht_cap = data; 145 elems->eht_cap_len = len; 146 } 147 break; 148 case WLAN_EID_EXT_EHT_OPERATION: 149 if (params->mode < IEEE80211_CONN_MODE_EHT) 150 break; 151 if (ieee80211_eht_oper_size_ok(data, len)) 152 elems->eht_operation = data; 153 calc_crc = true; 154 break; 155 case WLAN_EID_EXT_EHT_MULTI_LINK: 156 if (params->mode < IEEE80211_CONN_MODE_EHT) 157 break; 158 calc_crc = true; 159 160 if (ieee80211_mle_size_ok(data, len)) { 161 const struct ieee80211_multi_link_elem *mle = 162 (void *)data; 163 164 switch (le16_get_bits(mle->control, 165 IEEE80211_ML_CONTROL_TYPE)) { 166 case IEEE80211_ML_CONTROL_TYPE_BASIC: 167 if (elems_parse->inside_multilink) { 168 elems->parse_error |= 169 IEEE80211_PARSE_ERR_DUP_NEST_ML_BASIC; 170 break; 171 } 172 elems_parse->ml_basic.elem = elem; 173 elems_parse->ml_basic.start = params->start; 174 elems_parse->ml_basic.len = params->len; 175 break; 176 case IEEE80211_ML_CONTROL_TYPE_RECONF: 177 elems_parse->ml_reconf.elem = elem; 178 elems_parse->ml_reconf.start = params->start; 179 elems_parse->ml_reconf.len = params->len; 180 break; 181 case IEEE80211_ML_CONTROL_TYPE_PRIO_ACCESS: 182 elems_parse->ml_epcs.elem = elem; 183 elems_parse->ml_epcs.start = params->start; 184 elems_parse->ml_epcs.len = params->len; 185 break; 186 default: 187 break; 188 } 189 } 190 break; 191 case WLAN_EID_EXT_BANDWIDTH_INDICATION: 192 if (params->mode < IEEE80211_CONN_MODE_EHT) 193 break; 194 if (ieee80211_bandwidth_indication_size_ok(data, len)) 195 elems->bandwidth_indication = data; 196 calc_crc = true; 197 break; 198 case WLAN_EID_EXT_TID_TO_LINK_MAPPING: 199 if (params->mode < IEEE80211_CONN_MODE_EHT) 200 break; 201 calc_crc = true; 202 if (ieee80211_tid_to_link_map_size_ok(data, len) && 203 elems->ttlm_num < ARRAY_SIZE(elems->ttlm)) { 204 elems->ttlm[elems->ttlm_num] = (void *)data; 205 elems->ttlm_num++; 206 } 207 break; 208 case WLAN_EID_EXT_UHR_OPER: 209 if (params->mode < IEEE80211_CONN_MODE_UHR) 210 break; 211 calc_crc = true; 212 if (ieee80211_uhr_oper_size_ok(data, len, 213 params->type == (IEEE80211_FTYPE_MGMT | 214 IEEE80211_STYPE_BEACON))) { 215 elems->uhr_operation = data; 216 elems->uhr_operation_len = len; 217 } 218 break; 219 case WLAN_EID_EXT_UHR_CAPA: 220 if (params->mode < IEEE80211_CONN_MODE_UHR) 221 break; 222 calc_crc = true; 223 if (ieee80211_uhr_capa_size_ok(data, len, true)) { 224 elems->uhr_cap = data; 225 elems->uhr_cap_len = len; 226 } 227 break; 228 } 229 230 if (crc && calc_crc) 231 *crc = crc32_be(*crc, (void *)elem, elem->datalen + 2); 232 } 233 234 static void ieee80211_parse_tpe(struct ieee80211_parsed_tpe *tpe, 235 const u8 *data, u8 len) 236 { 237 const struct ieee80211_tx_pwr_env *env = (const void *)data; 238 u8 count, interpret, category; 239 u8 *out, N, *cnt_out = NULL, *N_out = NULL; 240 241 if (!ieee80211_valid_tpe_element(data, len)) 242 return; 243 244 count = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_COUNT); 245 interpret = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_INTERPRET); 246 category = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_CATEGORY); 247 248 switch (interpret) { 249 case IEEE80211_TPE_LOCAL_EIRP: 250 out = tpe->max_local[category].power; 251 cnt_out = &tpe->max_local[category].count; 252 tpe->max_local[category].valid = true; 253 break; 254 case IEEE80211_TPE_REG_CLIENT_EIRP: 255 out = tpe->max_reg_client[category].power; 256 cnt_out = &tpe->max_reg_client[category].count; 257 tpe->max_reg_client[category].valid = true; 258 break; 259 case IEEE80211_TPE_LOCAL_EIRP_PSD: 260 out = tpe->psd_local[category].power; 261 cnt_out = &tpe->psd_local[category].count; 262 N_out = &tpe->psd_local[category].n; 263 tpe->psd_local[category].valid = true; 264 break; 265 case IEEE80211_TPE_REG_CLIENT_EIRP_PSD: 266 out = tpe->psd_reg_client[category].power; 267 cnt_out = &tpe->psd_reg_client[category].count; 268 N_out = &tpe->psd_reg_client[category].n; 269 tpe->psd_reg_client[category].valid = true; 270 break; 271 } 272 273 switch (interpret) { 274 case IEEE80211_TPE_LOCAL_EIRP: 275 case IEEE80211_TPE_REG_CLIENT_EIRP: 276 /* count was validated <= 3, plus 320 MHz */ 277 BUILD_BUG_ON(IEEE80211_TPE_EIRP_ENTRIES_320MHZ < 5); 278 memcpy(out, env->variable, count + 1); 279 *cnt_out = count + 1; 280 /* separately take 320 MHz if present */ 281 if (count == 3 && len > sizeof(*env) + count + 1) { 282 out[4] = env->variable[4]; 283 *cnt_out = 5; 284 } 285 break; 286 case IEEE80211_TPE_LOCAL_EIRP_PSD: 287 case IEEE80211_TPE_REG_CLIENT_EIRP_PSD: 288 if (!count) { 289 memset(out, env->variable[0], 290 IEEE80211_TPE_PSD_ENTRIES_320MHZ); 291 *cnt_out = IEEE80211_TPE_PSD_ENTRIES_320MHZ; 292 break; 293 } 294 295 N = 1 << (count - 1); 296 memcpy(out, env->variable, N); 297 *cnt_out = N; 298 *N_out = N; 299 300 if (len > sizeof(*env) + N) { 301 int K = u8_get_bits(env->variable[N], 302 IEEE80211_TX_PWR_ENV_EXT_COUNT); 303 304 K = min(K, IEEE80211_TPE_PSD_ENTRIES_320MHZ - N); 305 memcpy(out + N, env->variable + N + 1, K); 306 (*cnt_out) += K; 307 } 308 break; 309 } 310 } 311 312 static u32 313 _ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params, 314 struct ieee80211_elems_parse *elems_parse, 315 const struct element *check_inherit) 316 { 317 struct ieee802_11_elems *elems = &elems_parse->elems; 318 const struct element *elem; 319 bool calc_crc = params->filter != 0; 320 DECLARE_BITMAP(seen_elems, 256); 321 u32 crc = params->crc; 322 323 bitmap_zero(seen_elems, 256); 324 325 switch (params->type) { 326 /* we don't need to parse assoc request, luckily (it's value 0) */ 327 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ASSOC_REQ: 328 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_REASSOC_REQ: 329 default: 330 WARN(1, "invalid frame type 0x%x for element parsing\n", 331 params->type); 332 break; 333 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ASSOC_RESP: 334 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_REASSOC_RESP: 335 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_PROBE_REQ: 336 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_PROBE_RESP: 337 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_BEACON: 338 case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION: 339 case IEEE80211_FTYPE_EXT | IEEE80211_STYPE_S1G_BEACON: 340 break; 341 } 342 343 for_each_element(elem, params->start, params->len) { 344 const struct element *subelem; 345 u8 elem_parse_failed; 346 u8 id = elem->id; 347 u8 elen = elem->datalen; 348 const u8 *pos = elem->data; 349 350 if (check_inherit && 351 !cfg80211_is_element_inherited(elem, 352 check_inherit)) 353 continue; 354 355 switch (id) { 356 case WLAN_EID_SSID: 357 case WLAN_EID_SUPP_RATES: 358 case WLAN_EID_FH_PARAMS: 359 case WLAN_EID_DS_PARAMS: 360 case WLAN_EID_CF_PARAMS: 361 case WLAN_EID_TIM: 362 case WLAN_EID_IBSS_PARAMS: 363 case WLAN_EID_CHALLENGE: 364 case WLAN_EID_RSN: 365 case WLAN_EID_ERP_INFO: 366 case WLAN_EID_EXT_SUPP_RATES: 367 case WLAN_EID_HT_CAPABILITY: 368 case WLAN_EID_HT_OPERATION: 369 case WLAN_EID_VHT_CAPABILITY: 370 case WLAN_EID_VHT_OPERATION: 371 case WLAN_EID_MESH_ID: 372 case WLAN_EID_MESH_CONFIG: 373 case WLAN_EID_PEER_MGMT: 374 case WLAN_EID_PREQ: 375 case WLAN_EID_PREP: 376 case WLAN_EID_PERR: 377 case WLAN_EID_RANN: 378 case WLAN_EID_CHANNEL_SWITCH: 379 case WLAN_EID_EXT_CHANSWITCH_ANN: 380 case WLAN_EID_COUNTRY: 381 case WLAN_EID_PWR_CONSTRAINT: 382 case WLAN_EID_TIMEOUT_INTERVAL: 383 case WLAN_EID_SECONDARY_CHANNEL_OFFSET: 384 case WLAN_EID_WIDE_BW_CHANNEL_SWITCH: 385 case WLAN_EID_CHAN_SWITCH_PARAM: 386 case WLAN_EID_EXT_CAPABILITY: 387 case WLAN_EID_CHAN_SWITCH_TIMING: 388 case WLAN_EID_LINK_ID: 389 case WLAN_EID_BSS_MAX_IDLE_PERIOD: 390 case WLAN_EID_RSNX: 391 case WLAN_EID_S1G_BCN_COMPAT: 392 case WLAN_EID_S1G_CAPABILITIES: 393 case WLAN_EID_S1G_OPERATION: 394 case WLAN_EID_AID_RESPONSE: 395 case WLAN_EID_S1G_SHORT_BCN_INTERVAL: 396 /* 397 * not listing WLAN_EID_CHANNEL_SWITCH_WRAPPER -- it seems possible 398 * that if the content gets bigger it might be needed more than once 399 */ 400 if (test_bit(id, seen_elems)) { 401 elems->parse_error |= 402 IEEE80211_PARSE_ERR_DUP_ELEM; 403 continue; 404 } 405 break; 406 } 407 408 if (calc_crc && id < 64 && (params->filter & (1ULL << id))) 409 crc = crc32_be(crc, pos - 2, elen + 2); 410 411 elem_parse_failed = 0; 412 413 switch (id) { 414 case WLAN_EID_LINK_ID: 415 if (elen + 2 < sizeof(struct ieee80211_tdls_lnkie)) { 416 elem_parse_failed = 417 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 418 break; 419 } 420 elems->lnk_id = (void *)(pos - 2); 421 break; 422 case WLAN_EID_CHAN_SWITCH_TIMING: 423 if (elen < sizeof(struct ieee80211_ch_switch_timing)) { 424 elem_parse_failed = 425 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 426 break; 427 } 428 elems->ch_sw_timing = (void *)pos; 429 break; 430 case WLAN_EID_EXT_CAPABILITY: 431 elems->ext_capab = pos; 432 elems->ext_capab_len = elen; 433 break; 434 case WLAN_EID_SSID: 435 elems->ssid = pos; 436 elems->ssid_len = elen; 437 break; 438 case WLAN_EID_SUPP_RATES: 439 elems->supp_rates = pos; 440 elems->supp_rates_len = elen; 441 break; 442 case WLAN_EID_DS_PARAMS: 443 if (elen >= 1) 444 elems->ds_params = pos; 445 else 446 elem_parse_failed = 447 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 448 break; 449 case WLAN_EID_TIM: 450 if (elen >= sizeof(struct ieee80211_tim_ie)) { 451 elems->tim = (void *)pos; 452 elems->tim_len = elen; 453 } else 454 elem_parse_failed = 455 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 456 break; 457 case WLAN_EID_VENDOR_SPECIFIC: 458 if (elems_parse->skip_vendor) 459 break; 460 461 if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 && 462 pos[2] == 0xf2) { 463 /* Microsoft OUI (00:50:F2) */ 464 465 if (calc_crc) 466 crc = crc32_be(crc, pos - 2, elen + 2); 467 468 if (elen >= 5 && pos[3] == 2) { 469 /* OUI Type 2 - WMM IE */ 470 if (pos[4] == 0) { 471 elems->wmm_info = pos; 472 elems->wmm_info_len = elen; 473 } else if (pos[4] == 1) { 474 elems->wmm_param = pos; 475 elems->wmm_param_len = elen; 476 } 477 } 478 } 479 break; 480 case WLAN_EID_RSN: 481 elems->rsn = pos; 482 elems->rsn_len = elen; 483 break; 484 case WLAN_EID_ERP_INFO: 485 if (elen >= 1) 486 elems->erp_info = pos; 487 else 488 elem_parse_failed = 489 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 490 break; 491 case WLAN_EID_EXT_SUPP_RATES: 492 elems->ext_supp_rates = pos; 493 elems->ext_supp_rates_len = elen; 494 break; 495 case WLAN_EID_HT_CAPABILITY: 496 if (params->mode < IEEE80211_CONN_MODE_HT) 497 break; 498 if (elen >= sizeof(struct ieee80211_ht_cap)) 499 elems->ht_cap_elem = (void *)pos; 500 else 501 elem_parse_failed = 502 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 503 break; 504 case WLAN_EID_HT_OPERATION: 505 if (params->mode < IEEE80211_CONN_MODE_HT) 506 break; 507 if (elen >= sizeof(struct ieee80211_ht_operation)) 508 elems->ht_operation = (void *)pos; 509 else 510 elem_parse_failed = 511 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 512 break; 513 case WLAN_EID_VHT_CAPABILITY: 514 if (params->mode < IEEE80211_CONN_MODE_VHT) 515 break; 516 if (elen >= sizeof(struct ieee80211_vht_cap)) 517 elems->vht_cap_elem = (void *)pos; 518 else 519 elem_parse_failed = 520 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 521 break; 522 case WLAN_EID_VHT_OPERATION: 523 if (params->mode < IEEE80211_CONN_MODE_VHT) 524 break; 525 if (elen >= sizeof(struct ieee80211_vht_operation)) { 526 elems->vht_operation = (void *)pos; 527 if (calc_crc) 528 crc = crc32_be(crc, pos - 2, elen + 2); 529 break; 530 } 531 elem_parse_failed = 532 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 533 break; 534 case WLAN_EID_OPMODE_NOTIF: 535 if (params->mode < IEEE80211_CONN_MODE_VHT) 536 break; 537 if (elen > 0) { 538 elems->opmode_notif = pos; 539 if (calc_crc) 540 crc = crc32_be(crc, pos - 2, elen + 2); 541 break; 542 } 543 elem_parse_failed = 544 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 545 break; 546 case WLAN_EID_MESH_ID: 547 elems->mesh_id = pos; 548 elems->mesh_id_len = elen; 549 break; 550 case WLAN_EID_MESH_CONFIG: 551 if (elen >= sizeof(struct ieee80211_meshconf_ie)) 552 elems->mesh_config = (void *)pos; 553 else 554 elem_parse_failed = 555 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 556 break; 557 case WLAN_EID_PEER_MGMT: 558 elems->peering = pos; 559 elems->peering_len = elen; 560 break; 561 case WLAN_EID_MESH_AWAKE_WINDOW: 562 if (elen >= 2) 563 elems->awake_window = (void *)pos; 564 break; 565 case WLAN_EID_PREQ: 566 if (ieee80211_mesh_preq_size_ok(pos, elen)) { 567 elems->preq = pos; 568 elems->preq_len = elen; 569 } else { 570 elem_parse_failed = 571 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 572 } 573 break; 574 case WLAN_EID_PREP: 575 if (ieee80211_mesh_prep_size_ok(pos, elen)) { 576 elems->prep = pos; 577 elems->prep_len = elen; 578 } else { 579 elem_parse_failed = 580 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 581 } 582 break; 583 case WLAN_EID_PERR: 584 if (ieee80211_mesh_perr_size_ok(pos, elen)) { 585 elems->perr = pos; 586 elems->perr_len = elen; 587 } else { 588 elem_parse_failed = 589 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 590 } 591 break; 592 case WLAN_EID_RANN: 593 if (elen >= sizeof(struct ieee80211_rann_ie)) 594 elems->rann = (void *)pos; 595 else 596 elem_parse_failed = 597 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 598 break; 599 case WLAN_EID_CHANNEL_SWITCH: 600 if (elen != sizeof(struct ieee80211_channel_sw_ie)) { 601 elem_parse_failed = 602 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 603 break; 604 } 605 elems->ch_switch_ie = (void *)pos; 606 break; 607 case WLAN_EID_EXT_CHANSWITCH_ANN: 608 if (elen != sizeof(struct ieee80211_ext_chansw_ie)) { 609 elem_parse_failed = 610 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 611 break; 612 } 613 elems->ext_chansw_ie = (void *)pos; 614 break; 615 case WLAN_EID_SECONDARY_CHANNEL_OFFSET: 616 if (params->mode < IEEE80211_CONN_MODE_HT) 617 break; 618 if (elen != sizeof(struct ieee80211_sec_chan_offs_ie)) { 619 elem_parse_failed = 620 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 621 break; 622 } 623 elems->sec_chan_offs = (void *)pos; 624 break; 625 case WLAN_EID_CHAN_SWITCH_PARAM: 626 if (elen < 627 sizeof(*elems->mesh_chansw_params_ie)) { 628 elem_parse_failed = 629 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 630 break; 631 } 632 elems->mesh_chansw_params_ie = (void *)pos; 633 break; 634 case WLAN_EID_WIDE_BW_CHANNEL_SWITCH: 635 if (params->mode < IEEE80211_CONN_MODE_VHT) 636 break; 637 638 if (params->type != (IEEE80211_FTYPE_MGMT | 639 IEEE80211_STYPE_ACTION)) { 640 elem_parse_failed = 641 IEEE80211_PARSE_ERR_UNEXPECTED_ELEM; 642 break; 643 } 644 645 if (elen < sizeof(*elems->wide_bw_chansw_ie)) { 646 elem_parse_failed = 647 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 648 break; 649 } 650 elems->wide_bw_chansw_ie = (void *)pos; 651 break; 652 case WLAN_EID_CHANNEL_SWITCH_WRAPPER: 653 if (params->mode < IEEE80211_CONN_MODE_VHT) 654 break; 655 if (params->type == (IEEE80211_FTYPE_MGMT | 656 IEEE80211_STYPE_ACTION)) { 657 elem_parse_failed = 658 IEEE80211_PARSE_ERR_UNEXPECTED_ELEM; 659 break; 660 } 661 /* 662 * This is a bit tricky, but as we only care about 663 * a few elements, parse them out manually. 664 */ 665 subelem = cfg80211_find_elem(WLAN_EID_WIDE_BW_CHANNEL_SWITCH, 666 pos, elen); 667 if (subelem) { 668 if (subelem->datalen >= sizeof(*elems->wide_bw_chansw_ie)) 669 elems->wide_bw_chansw_ie = 670 (void *)subelem->data; 671 else 672 elem_parse_failed = 673 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 674 } 675 676 if (params->mode < IEEE80211_CONN_MODE_EHT) 677 break; 678 679 subelem = cfg80211_find_ext_elem(WLAN_EID_EXT_BANDWIDTH_INDICATION, 680 pos, elen); 681 if (subelem) { 682 const void *edata = subelem->data + 1; 683 u8 edatalen = subelem->datalen - 1; 684 685 if (ieee80211_bandwidth_indication_size_ok(edata, 686 edatalen)) 687 elems->bandwidth_indication = edata; 688 else 689 elem_parse_failed = 690 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 691 } 692 693 subelem = cfg80211_find_ext_elem(WLAN_EID_TX_POWER_ENVELOPE, 694 pos, elen); 695 if (subelem) 696 ieee80211_parse_tpe(&elems->csa_tpe, 697 subelem->data + 1, 698 subelem->datalen - 1); 699 break; 700 case WLAN_EID_COUNTRY: 701 elems->country_elem = pos; 702 elems->country_elem_len = elen; 703 break; 704 case WLAN_EID_PWR_CONSTRAINT: 705 if (elen != 1) { 706 elem_parse_failed = 707 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 708 break; 709 } 710 elems->pwr_constr_elem = pos; 711 break; 712 case WLAN_EID_CISCO_VENDOR_SPECIFIC: 713 /* Lots of different options exist, but we only care 714 * about the Dynamic Transmit Power Control element. 715 * First check for the Cisco OUI, then for the DTPC 716 * tag (0x00). 717 */ 718 if (elen < 4) { 719 elem_parse_failed = 720 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 721 break; 722 } 723 724 if (pos[0] != 0x00 || pos[1] != 0x40 || 725 pos[2] != 0x96 || pos[3] != 0x00) 726 break; 727 728 if (elen != 6) { 729 elem_parse_failed = 730 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 731 break; 732 } 733 734 if (calc_crc) 735 crc = crc32_be(crc, pos - 2, elen + 2); 736 737 elems->cisco_dtpc_elem = pos; 738 break; 739 case WLAN_EID_ADDBA_EXT: 740 if (elen < sizeof(struct ieee80211_addba_ext_ie)) { 741 elem_parse_failed = 742 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 743 break; 744 } 745 elems->addba_ext_ie = (void *)pos; 746 break; 747 case WLAN_EID_TIMEOUT_INTERVAL: 748 if (elen >= sizeof(struct ieee80211_timeout_interval_ie)) 749 elems->timeout_int = (void *)pos; 750 else 751 elem_parse_failed = 752 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 753 break; 754 case WLAN_EID_BSS_MAX_IDLE_PERIOD: 755 if (elen >= sizeof(*elems->max_idle_period_ie)) 756 elems->max_idle_period_ie = (void *)pos; 757 break; 758 case WLAN_EID_RSNX: 759 elems->rsnx = pos; 760 elems->rsnx_len = elen; 761 break; 762 case WLAN_EID_TX_POWER_ENVELOPE: 763 if (params->mode < IEEE80211_CONN_MODE_HE) 764 break; 765 ieee80211_parse_tpe(&elems->tpe, pos, elen); 766 break; 767 case WLAN_EID_EXTENSION: 768 ieee80211_parse_extension_element(calc_crc ? 769 &crc : NULL, 770 elem, elems_parse, 771 params); 772 break; 773 case WLAN_EID_S1G_CAPABILITIES: 774 if (params->mode != IEEE80211_CONN_MODE_S1G) 775 break; 776 if (elen >= sizeof(*elems->s1g_capab)) 777 elems->s1g_capab = (void *)pos; 778 else 779 elem_parse_failed = 780 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 781 break; 782 case WLAN_EID_S1G_OPERATION: 783 if (params->mode != IEEE80211_CONN_MODE_S1G) 784 break; 785 if (elen == sizeof(*elems->s1g_oper)) 786 elems->s1g_oper = (void *)pos; 787 else 788 elem_parse_failed = 789 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 790 break; 791 case WLAN_EID_S1G_BCN_COMPAT: 792 if (params->mode != IEEE80211_CONN_MODE_S1G) 793 break; 794 if (elen == sizeof(*elems->s1g_bcn_compat)) 795 elems->s1g_bcn_compat = (void *)pos; 796 else 797 elem_parse_failed = 798 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 799 break; 800 case WLAN_EID_AID_RESPONSE: 801 if (params->mode != IEEE80211_CONN_MODE_S1G) 802 break; 803 if (elen == sizeof(struct ieee80211_aid_response_ie)) 804 elems->aid_resp = (void *)pos; 805 else 806 elem_parse_failed = 807 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 808 break; 809 default: 810 break; 811 } 812 813 if (elem_parse_failed) 814 elems->parse_error |= elem_parse_failed; 815 else 816 __set_bit(id, seen_elems); 817 } 818 819 if (!for_each_element_completed(elem, params->start, params->len)) 820 elems->parse_error |= IEEE80211_PARSE_ERR_INVALID_END; 821 822 return crc; 823 } 824 825 static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len, 826 struct ieee802_11_elems *elems, 827 struct cfg80211_bss *bss, 828 u8 *nontransmitted_profile) 829 { 830 const struct element *elem, *sub; 831 832 if (!bss || !bss->transmitted_bss) 833 return 0; 834 835 for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) { 836 if (elem->datalen < 2) 837 continue; 838 if (elem->data[0] < 1 || elem->data[0] > 8) 839 continue; 840 841 for_each_element(sub, elem->data + 1, elem->datalen - 1) { 842 u8 new_bssid[ETH_ALEN]; 843 size_t profile_len; 844 const u8 *index; 845 846 if (sub->id != 0 || sub->datalen < 4) { 847 /* not a valid BSS profile */ 848 continue; 849 } 850 851 if (sub->data[0] != WLAN_EID_NON_TX_BSSID_CAP || 852 sub->data[1] != 2) { 853 /* The first element of the 854 * Nontransmitted BSSID Profile is not 855 * the Nontransmitted BSSID Capability 856 * element. 857 */ 858 continue; 859 } 860 861 memset(nontransmitted_profile, 0, len); 862 profile_len = cfg80211_merge_profile(start, len, 863 elem, 864 sub, 865 nontransmitted_profile, 866 len); 867 868 /* found a Nontransmitted BSSID Profile */ 869 index = cfg80211_find_ie(WLAN_EID_MULTI_BSSID_IDX, 870 nontransmitted_profile, 871 profile_len); 872 if (!index || index[1] < 1 || index[2] == 0) { 873 /* Invalid MBSSID Index element */ 874 continue; 875 } 876 877 cfg80211_gen_new_bssid(bss->transmitted_bss->bssid, 878 elem->data[0], 879 index[2], 880 new_bssid); 881 if (ether_addr_equal(new_bssid, bss->bssid)) { 882 elems->bssid_index_len = index[1]; 883 elems->bssid_index = (void *)&index[2]; 884 return profile_len; 885 } 886 } 887 } 888 889 return 0; 890 } 891 892 static void 893 ieee80211_mle_get_sta_prof(struct ieee80211_elems_parse *elems_parse, 894 u8 link_id) 895 { 896 struct ieee802_11_elems *elems = &elems_parse->elems; 897 const struct ieee80211_multi_link_elem *ml = elems->ml_basic; 898 ssize_t ml_len = elems->ml_basic_len; 899 const struct element *sub; 900 901 for_each_mle_subelement(sub, (u8 *)ml, ml_len) { 902 struct ieee80211_mle_per_sta_profile *prof = (void *)sub->data; 903 ssize_t sta_prof_len; 904 u16 control; 905 906 if (sub->id != IEEE80211_MLE_SUBELEM_PER_STA_PROFILE) 907 continue; 908 909 if (!ieee80211_mle_basic_sta_prof_size_ok(sub->data, 910 sub->datalen)) 911 return; 912 913 control = le16_to_cpu(prof->control); 914 915 if (link_id != u16_get_bits(control, 916 IEEE80211_MLE_STA_CONTROL_LINK_ID)) 917 continue; 918 919 if (!(control & IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE)) 920 return; 921 922 /* the sub element can be fragmented */ 923 sta_prof_len = 924 cfg80211_defragment_element(sub, 925 (u8 *)ml, ml_len, 926 elems_parse->scratch_pos, 927 elems_parse->scratch + 928 elems_parse->scratch_len - 929 elems_parse->scratch_pos, 930 IEEE80211_MLE_SUBELEM_FRAGMENT); 931 932 if (sta_prof_len < 0) 933 return; 934 935 elems->prof = (void *)elems_parse->scratch_pos; 936 elems->sta_prof_len = sta_prof_len; 937 elems_parse->scratch_pos += sta_prof_len; 938 939 return; 940 } 941 } 942 943 static const struct element * 944 ieee80211_prep_mle_link_parse(struct ieee80211_elems_parse *elems_parse, 945 struct ieee80211_elems_parse_params *params, 946 struct ieee80211_elems_parse_params *sub) 947 { 948 struct ieee802_11_elems *elems = &elems_parse->elems; 949 struct ieee80211_mle_per_sta_profile *prof; 950 const struct element *ml_basic_elem = NULL; 951 const struct element *tmp, *ret; 952 ssize_t ml_len; 953 const u8 *end; 954 955 if (params->mode < IEEE80211_CONN_MODE_EHT) 956 return NULL; 957 958 for_each_element_extid(tmp, WLAN_EID_EXT_EHT_MULTI_LINK, 959 elems->ie_start, elems->total_len) { 960 const struct ieee80211_multi_link_elem *mle = 961 (void *)tmp->data + 1; 962 963 if (!ieee80211_mle_size_ok(tmp->data + 1, tmp->datalen - 1)) 964 continue; 965 966 if (le16_get_bits(mle->control, IEEE80211_ML_CONTROL_TYPE) != 967 IEEE80211_ML_CONTROL_TYPE_BASIC) 968 continue; 969 970 ml_basic_elem = tmp; 971 break; 972 } 973 974 ml_len = cfg80211_defragment_element(ml_basic_elem, elems->ie_start, 975 elems->total_len, 976 elems_parse->scratch_pos, 977 elems_parse->scratch + 978 elems_parse->scratch_len - 979 elems_parse->scratch_pos, 980 WLAN_EID_FRAGMENT); 981 982 if (ml_len < 0) 983 return NULL; 984 985 elems->ml_basic = (const void *)elems_parse->scratch_pos; 986 elems->ml_basic_len = ml_len; 987 elems_parse->scratch_pos += ml_len; 988 989 if (params->link_id == -1) 990 return NULL; 991 992 ieee80211_mle_get_sta_prof(elems_parse, params->link_id); 993 prof = elems->prof; 994 995 if (!prof) 996 return NULL; 997 998 /* check if we have the 4 bytes for the fixed part in assoc response */ 999 if (elems->sta_prof_len < sizeof(*prof) + prof->sta_info_len - 1 + 4) { 1000 elems->prof = NULL; 1001 elems->sta_prof_len = 0; 1002 return NULL; 1003 } 1004 1005 /* 1006 * Skip the capability information and the status code that are expected 1007 * as part of the station profile in association response frames. Note 1008 * the -1 is because the 'sta_info_len' is accounted to as part of the 1009 * per-STA profile, but not part of the 'u8 variable[]' portion. 1010 */ 1011 sub->start = prof->variable + prof->sta_info_len - 1 + 4; 1012 end = (const u8 *)prof + elems->sta_prof_len; 1013 sub->len = end - sub->start; 1014 1015 sub->mode = params->mode; 1016 sub->type = params->type; 1017 sub->from_ap = params->from_ap; 1018 sub->link_id = -1; 1019 1020 ret = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, 1021 sub->start, sub->len); 1022 if (ret) 1023 return ret; 1024 1025 /* 1026 * Since we know we want and found a profile, apply an empty 1027 * non-inheritance if the profile didn't have one, so that any 1028 * element that shouldn't be inherited by spec isn't. 1029 */ 1030 return (const void *)empty_non_inheritance; 1031 } 1032 1033 static const void * 1034 ieee80211_mle_defrag(struct ieee80211_elems_parse *elems_parse, 1035 struct ieee80211_elem_defrag *defrag, 1036 size_t *out_len) 1037 { 1038 const void *ret; 1039 ssize_t ml_len; 1040 1041 ml_len = cfg80211_defragment_element(defrag->elem, 1042 defrag->start, defrag->len, 1043 elems_parse->scratch_pos, 1044 elems_parse->scratch + 1045 elems_parse->scratch_len - 1046 elems_parse->scratch_pos, 1047 WLAN_EID_FRAGMENT); 1048 if (ml_len < 0) 1049 return NULL; 1050 ret = elems_parse->scratch_pos; 1051 *out_len = ml_len; 1052 elems_parse->scratch_pos += ml_len; 1053 return ret; 1054 } 1055 1056 struct ieee802_11_elems * 1057 ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params) 1058 { 1059 struct ieee80211_elems_parse_params sub = {}; 1060 struct ieee80211_elems_parse *elems_parse; 1061 const struct element *non_inherit = NULL; 1062 struct ieee802_11_elems *elems; 1063 size_t scratch_len = 3 * params->len; 1064 bool inside_multilink = false; 1065 1066 BUILD_BUG_ON(sizeof(empty_non_inheritance) != empty_non_inheritance[1] + 2); 1067 BUILD_BUG_ON(offsetof(typeof(*elems_parse), elems) != 0); 1068 1069 /* cannot parse for both a specific link and non-transmitted BSS */ 1070 if (WARN_ON(params->link_id >= 0 && params->bss)) 1071 return NULL; 1072 1073 elems_parse = kzalloc_flex(*elems_parse, scratch, scratch_len, 1074 GFP_ATOMIC); 1075 if (!elems_parse) 1076 return NULL; 1077 1078 elems_parse->elems.frame_type = params->type; 1079 elems_parse->elems.from_ap = params->from_ap; 1080 1081 elems_parse->scratch_len = scratch_len; 1082 elems_parse->scratch_pos = elems_parse->scratch; 1083 1084 elems = &elems_parse->elems; 1085 elems->ie_start = params->start; 1086 elems->total_len = params->len; 1087 1088 /* set all TPE entries to unlimited (but invalid) */ 1089 ieee80211_clear_tpe(&elems->tpe); 1090 ieee80211_clear_tpe(&elems->csa_tpe); 1091 1092 /* 1093 * If we're looking for a non-transmitted BSS then we cannot at 1094 * the same time be looking for a second link as the two can only 1095 * appear in the same frame carrying info for different BSSes. 1096 * 1097 * In any case, we only look for one at a time, as encoded by 1098 * the WARN_ON above. 1099 */ 1100 if (params->bss) { 1101 int nontx_len = 1102 ieee802_11_find_bssid_profile(params->start, 1103 params->len, 1104 elems, params->bss, 1105 elems_parse->scratch_pos); 1106 sub.start = elems_parse->scratch_pos; 1107 sub.mode = params->mode; 1108 sub.len = nontx_len; 1109 sub.type = params->type; 1110 sub.link_id = params->link_id; 1111 1112 /* indicate to consumer whether or not profile was found */ 1113 if (params->bss->transmitted_bss && !nontx_len) 1114 elems->mbssid_nontx_profile_missing = true; 1115 1116 /* consume the space used for non-transmitted profile */ 1117 elems_parse->scratch_pos += nontx_len; 1118 1119 non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, 1120 sub.start, nontx_len); 1121 /* 1122 * If it's a non-transmitted BSS, we shouldn't pick 1123 * any elements in the outer parsing that shouldn't 1124 * be inherited. If the profile has a non-inheritance 1125 * element this automatically happens, but if not then 1126 * provide an empty one so that the hard-coded elements 1127 * in cfg80211_is_element_inherited() are ignored, but 1128 * it must be called. 1129 */ 1130 if (params->bss->transmitted_bss && !non_inherit) 1131 non_inherit = (const void *)empty_non_inheritance; 1132 } else { 1133 /* 1134 * Find the multi-link element and the non-inherit element inside 1135 * the applicable profile, if requested by params->link_id >= 0. 1136 */ 1137 non_inherit = ieee80211_prep_mle_link_parse(elems_parse, params, 1138 &sub); 1139 inside_multilink = true; 1140 } 1141 1142 elems_parse->skip_vendor = 1143 cfg80211_find_elem(WLAN_EID_VENDOR_SPECIFIC, 1144 sub.start, sub.len); 1145 elems->crc = _ieee802_11_parse_elems_full(params, elems_parse, 1146 non_inherit); 1147 1148 /* Override with nontransmitted/per-STA profile if found */ 1149 if (sub.len) { 1150 elems_parse->inside_multilink = inside_multilink; 1151 elems_parse->skip_vendor = false; 1152 _ieee802_11_parse_elems_full(&sub, elems_parse, NULL); 1153 } 1154 1155 elems->ml_reconf = ieee80211_mle_defrag(elems_parse, 1156 &elems_parse->ml_reconf, 1157 &elems->ml_reconf_len); 1158 elems->ml_epcs = ieee80211_mle_defrag(elems_parse, 1159 &elems_parse->ml_epcs, 1160 &elems->ml_epcs_len); 1161 if (!elems->ml_basic) 1162 elems->ml_basic = ieee80211_mle_defrag(elems_parse, 1163 &elems_parse->ml_basic, 1164 &elems->ml_basic_len); 1165 1166 if (elems->tim && !elems->parse_error) { 1167 const struct ieee80211_tim_ie *tim_ie = elems->tim; 1168 1169 elems->dtim_period = tim_ie->dtim_period; 1170 elems->dtim_count = tim_ie->dtim_count; 1171 } 1172 1173 /* Override DTIM period and count if needed */ 1174 if (elems->bssid_index && 1175 elems->bssid_index_len >= 1176 offsetofend(struct ieee80211_bssid_index, dtim_period)) 1177 elems->dtim_period = elems->bssid_index->dtim_period; 1178 1179 if (elems->bssid_index && 1180 elems->bssid_index_len >= 1181 offsetofend(struct ieee80211_bssid_index, dtim_count)) 1182 elems->dtim_count = elems->bssid_index->dtim_count; 1183 1184 return elems; 1185 } 1186 EXPORT_SYMBOL_IF_KUNIT(ieee802_11_parse_elems_full); 1187 1188 int ieee80211_parse_bitrates(const struct ieee80211_supported_band *sband, 1189 const u8 *srates, int srates_len, u32 *rates) 1190 { 1191 struct ieee80211_rate *br; 1192 int brate, rate, i, j, count = 0; 1193 1194 *rates = 0; 1195 1196 for (i = 0; i < srates_len; i++) { 1197 rate = srates[i] & 0x7f; 1198 1199 for (j = 0; j < sband->n_bitrates; j++) { 1200 br = &sband->bitrates[j]; 1201 1202 brate = DIV_ROUND_UP(br->bitrate, 5); 1203 if (brate == rate) { 1204 *rates |= BIT(j); 1205 count++; 1206 break; 1207 } 1208 } 1209 } 1210 return count; 1211 } 1212