xref: /linux/net/mac80211/parse.c (revision b6b4a62d8525c3093c3273dc6b2e6831adbfc4b2)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright 2002-2005, Instant802 Networks, Inc.
4  * Copyright 2005-2006, Devicescape Software, Inc.
5  * Copyright 2006-2007	Jiri Benc <jbenc@suse.cz>
6  * Copyright 2007	Johannes Berg <johannes@sipsolutions.net>
7  * Copyright 2013-2014  Intel Mobile Communications GmbH
8  * Copyright (C) 2015-2017	Intel Deutschland GmbH
9  * Copyright (C) 2018-2024 Intel Corporation
10  *
11  * element parsing for mac80211
12  */
13 
14 #include <net/mac80211.h>
15 #include <linux/netdevice.h>
16 #include <linux/export.h>
17 #include <linux/types.h>
18 #include <linux/slab.h>
19 #include <linux/skbuff.h>
20 #include <linux/etherdevice.h>
21 #include <linux/if_arp.h>
22 #include <linux/bitmap.h>
23 #include <linux/crc32.h>
24 #include <net/net_namespace.h>
25 #include <net/cfg80211.h>
26 #include <net/rtnetlink.h>
27 #include <kunit/visibility.h>
28 
29 #include "ieee80211_i.h"
30 #include "driver-ops.h"
31 #include "rate.h"
32 #include "mesh.h"
33 #include "wme.h"
34 #include "led.h"
35 #include "wep.h"
36 
37 struct ieee80211_elems_parse {
38 	/* must be first for kfree to work */
39 	struct ieee802_11_elems elems;
40 
41 	/* The basic Multi-Link element in the original elements */
42 	const struct element *ml_basic_elem;
43 
44 	/* The reconfiguration Multi-Link element in the original elements */
45 	const struct element *ml_reconf_elem;
46 
47 	/*
48 	 * scratch buffer that can be used for various element parsing related
49 	 * tasks, e.g., element de-fragmentation etc.
50 	 */
51 	size_t scratch_len;
52 	u8 *scratch_pos;
53 	u8 scratch[] __counted_by(scratch_len);
54 };
55 
56 static void
57 ieee80211_parse_extension_element(u32 *crc,
58 				  const struct element *elem,
59 				  struct ieee80211_elems_parse *elems_parse,
60 				  struct ieee80211_elems_parse_params *params)
61 {
62 	struct ieee802_11_elems *elems = &elems_parse->elems;
63 	const void *data = elem->data + 1;
64 	bool calc_crc = false;
65 	u8 len;
66 
67 	if (!elem->datalen)
68 		return;
69 
70 	len = elem->datalen - 1;
71 
72 	switch (elem->data[0]) {
73 	case WLAN_EID_EXT_HE_MU_EDCA:
74 		if (params->mode < IEEE80211_CONN_MODE_HE)
75 			break;
76 		calc_crc = true;
77 		if (len >= sizeof(*elems->mu_edca_param_set))
78 			elems->mu_edca_param_set = data;
79 		break;
80 	case WLAN_EID_EXT_HE_CAPABILITY:
81 		if (params->mode < IEEE80211_CONN_MODE_HE)
82 			break;
83 		if (ieee80211_he_capa_size_ok(data, len)) {
84 			elems->he_cap = data;
85 			elems->he_cap_len = len;
86 		}
87 		break;
88 	case WLAN_EID_EXT_HE_OPERATION:
89 		if (params->mode < IEEE80211_CONN_MODE_HE)
90 			break;
91 		calc_crc = true;
92 		if (len >= sizeof(*elems->he_operation) &&
93 		    len >= ieee80211_he_oper_size(data) - 1)
94 			elems->he_operation = data;
95 		break;
96 	case WLAN_EID_EXT_UORA:
97 		if (params->mode < IEEE80211_CONN_MODE_HE)
98 			break;
99 		if (len >= 1)
100 			elems->uora_element = data;
101 		break;
102 	case WLAN_EID_EXT_MAX_CHANNEL_SWITCH_TIME:
103 		if (len == 3)
104 			elems->max_channel_switch_time = data;
105 		break;
106 	case WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION:
107 		if (len >= sizeof(*elems->mbssid_config_ie))
108 			elems->mbssid_config_ie = data;
109 		break;
110 	case WLAN_EID_EXT_HE_SPR:
111 		if (params->mode < IEEE80211_CONN_MODE_HE)
112 			break;
113 		if (len >= sizeof(*elems->he_spr) &&
114 		    len >= ieee80211_he_spr_size(data))
115 			elems->he_spr = data;
116 		break;
117 	case WLAN_EID_EXT_HE_6GHZ_CAPA:
118 		if (params->mode < IEEE80211_CONN_MODE_HE)
119 			break;
120 		if (len >= sizeof(*elems->he_6ghz_capa))
121 			elems->he_6ghz_capa = data;
122 		break;
123 	case WLAN_EID_EXT_EHT_CAPABILITY:
124 		if (params->mode < IEEE80211_CONN_MODE_EHT)
125 			break;
126 		if (ieee80211_eht_capa_size_ok(elems->he_cap,
127 					       data, len,
128 					       params->from_ap)) {
129 			elems->eht_cap = data;
130 			elems->eht_cap_len = len;
131 		}
132 		break;
133 	case WLAN_EID_EXT_EHT_OPERATION:
134 		if (params->mode < IEEE80211_CONN_MODE_EHT)
135 			break;
136 		if (ieee80211_eht_oper_size_ok(data, len))
137 			elems->eht_operation = data;
138 		calc_crc = true;
139 		break;
140 	case WLAN_EID_EXT_EHT_MULTI_LINK:
141 		if (params->mode < IEEE80211_CONN_MODE_EHT)
142 			break;
143 		calc_crc = true;
144 
145 		if (ieee80211_mle_size_ok(data, len)) {
146 			const struct ieee80211_multi_link_elem *mle =
147 				(void *)data;
148 
149 			switch (le16_get_bits(mle->control,
150 					      IEEE80211_ML_CONTROL_TYPE)) {
151 			case IEEE80211_ML_CONTROL_TYPE_BASIC:
152 				if (elems_parse->ml_basic_elem) {
153 					elems->parse_error |=
154 						IEEE80211_PARSE_ERR_DUP_NEST_ML_BASIC;
155 					break;
156 				}
157 				elems_parse->ml_basic_elem = elem;
158 				break;
159 			case IEEE80211_ML_CONTROL_TYPE_RECONF:
160 				elems_parse->ml_reconf_elem = elem;
161 				break;
162 			default:
163 				break;
164 			}
165 		}
166 		break;
167 	case WLAN_EID_EXT_BANDWIDTH_INDICATION:
168 		if (params->mode < IEEE80211_CONN_MODE_EHT)
169 			break;
170 		if (ieee80211_bandwidth_indication_size_ok(data, len))
171 			elems->bandwidth_indication = data;
172 		calc_crc = true;
173 		break;
174 	case WLAN_EID_EXT_TID_TO_LINK_MAPPING:
175 		if (params->mode < IEEE80211_CONN_MODE_EHT)
176 			break;
177 		calc_crc = true;
178 		if (ieee80211_tid_to_link_map_size_ok(data, len) &&
179 		    elems->ttlm_num < ARRAY_SIZE(elems->ttlm)) {
180 			elems->ttlm[elems->ttlm_num] = (void *)data;
181 			elems->ttlm_num++;
182 		}
183 		break;
184 	}
185 
186 	if (crc && calc_crc)
187 		*crc = crc32_be(*crc, (void *)elem, elem->datalen + 2);
188 }
189 
190 static u32
191 _ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params,
192 			     struct ieee80211_elems_parse *elems_parse,
193 			     const struct element *check_inherit)
194 {
195 	struct ieee802_11_elems *elems = &elems_parse->elems;
196 	const struct element *elem;
197 	bool calc_crc = params->filter != 0;
198 	DECLARE_BITMAP(seen_elems, 256);
199 	u32 crc = params->crc;
200 
201 	bitmap_zero(seen_elems, 256);
202 
203 	for_each_element(elem, params->start, params->len) {
204 		const struct element *subelem;
205 		u8 elem_parse_failed;
206 		u8 id = elem->id;
207 		u8 elen = elem->datalen;
208 		const u8 *pos = elem->data;
209 
210 		if (check_inherit &&
211 		    !cfg80211_is_element_inherited(elem,
212 						   check_inherit))
213 			continue;
214 
215 		switch (id) {
216 		case WLAN_EID_SSID:
217 		case WLAN_EID_SUPP_RATES:
218 		case WLAN_EID_FH_PARAMS:
219 		case WLAN_EID_DS_PARAMS:
220 		case WLAN_EID_CF_PARAMS:
221 		case WLAN_EID_TIM:
222 		case WLAN_EID_IBSS_PARAMS:
223 		case WLAN_EID_CHALLENGE:
224 		case WLAN_EID_RSN:
225 		case WLAN_EID_ERP_INFO:
226 		case WLAN_EID_EXT_SUPP_RATES:
227 		case WLAN_EID_HT_CAPABILITY:
228 		case WLAN_EID_HT_OPERATION:
229 		case WLAN_EID_VHT_CAPABILITY:
230 		case WLAN_EID_VHT_OPERATION:
231 		case WLAN_EID_MESH_ID:
232 		case WLAN_EID_MESH_CONFIG:
233 		case WLAN_EID_PEER_MGMT:
234 		case WLAN_EID_PREQ:
235 		case WLAN_EID_PREP:
236 		case WLAN_EID_PERR:
237 		case WLAN_EID_RANN:
238 		case WLAN_EID_CHANNEL_SWITCH:
239 		case WLAN_EID_EXT_CHANSWITCH_ANN:
240 		case WLAN_EID_COUNTRY:
241 		case WLAN_EID_PWR_CONSTRAINT:
242 		case WLAN_EID_TIMEOUT_INTERVAL:
243 		case WLAN_EID_SECONDARY_CHANNEL_OFFSET:
244 		case WLAN_EID_WIDE_BW_CHANNEL_SWITCH:
245 		case WLAN_EID_CHAN_SWITCH_PARAM:
246 		case WLAN_EID_EXT_CAPABILITY:
247 		case WLAN_EID_CHAN_SWITCH_TIMING:
248 		case WLAN_EID_LINK_ID:
249 		case WLAN_EID_BSS_MAX_IDLE_PERIOD:
250 		case WLAN_EID_RSNX:
251 		case WLAN_EID_S1G_BCN_COMPAT:
252 		case WLAN_EID_S1G_CAPABILITIES:
253 		case WLAN_EID_S1G_OPERATION:
254 		case WLAN_EID_AID_RESPONSE:
255 		case WLAN_EID_S1G_SHORT_BCN_INTERVAL:
256 		/*
257 		 * not listing WLAN_EID_CHANNEL_SWITCH_WRAPPER -- it seems possible
258 		 * that if the content gets bigger it might be needed more than once
259 		 */
260 			if (test_bit(id, seen_elems)) {
261 				elems->parse_error |=
262 					IEEE80211_PARSE_ERR_DUP_ELEM;
263 				continue;
264 			}
265 			break;
266 		}
267 
268 		if (calc_crc && id < 64 && (params->filter & (1ULL << id)))
269 			crc = crc32_be(crc, pos - 2, elen + 2);
270 
271 		elem_parse_failed = 0;
272 
273 		switch (id) {
274 		case WLAN_EID_LINK_ID:
275 			if (elen + 2 < sizeof(struct ieee80211_tdls_lnkie)) {
276 				elem_parse_failed =
277 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
278 				break;
279 			}
280 			elems->lnk_id = (void *)(pos - 2);
281 			break;
282 		case WLAN_EID_CHAN_SWITCH_TIMING:
283 			if (elen < sizeof(struct ieee80211_ch_switch_timing)) {
284 				elem_parse_failed =
285 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
286 				break;
287 			}
288 			elems->ch_sw_timing = (void *)pos;
289 			break;
290 		case WLAN_EID_EXT_CAPABILITY:
291 			elems->ext_capab = pos;
292 			elems->ext_capab_len = elen;
293 			break;
294 		case WLAN_EID_SSID:
295 			elems->ssid = pos;
296 			elems->ssid_len = elen;
297 			break;
298 		case WLAN_EID_SUPP_RATES:
299 			elems->supp_rates = pos;
300 			elems->supp_rates_len = elen;
301 			break;
302 		case WLAN_EID_DS_PARAMS:
303 			if (elen >= 1)
304 				elems->ds_params = pos;
305 			else
306 				elem_parse_failed =
307 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
308 			break;
309 		case WLAN_EID_TIM:
310 			if (elen >= sizeof(struct ieee80211_tim_ie)) {
311 				elems->tim = (void *)pos;
312 				elems->tim_len = elen;
313 			} else
314 				elem_parse_failed =
315 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
316 			break;
317 		case WLAN_EID_VENDOR_SPECIFIC:
318 			if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 &&
319 			    pos[2] == 0xf2) {
320 				/* Microsoft OUI (00:50:F2) */
321 
322 				if (calc_crc)
323 					crc = crc32_be(crc, pos - 2, elen + 2);
324 
325 				if (elen >= 5 && pos[3] == 2) {
326 					/* OUI Type 2 - WMM IE */
327 					if (pos[4] == 0) {
328 						elems->wmm_info = pos;
329 						elems->wmm_info_len = elen;
330 					} else if (pos[4] == 1) {
331 						elems->wmm_param = pos;
332 						elems->wmm_param_len = elen;
333 					}
334 				}
335 			}
336 			break;
337 		case WLAN_EID_RSN:
338 			elems->rsn = pos;
339 			elems->rsn_len = elen;
340 			break;
341 		case WLAN_EID_ERP_INFO:
342 			if (elen >= 1)
343 				elems->erp_info = pos;
344 			else
345 				elem_parse_failed =
346 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
347 			break;
348 		case WLAN_EID_EXT_SUPP_RATES:
349 			elems->ext_supp_rates = pos;
350 			elems->ext_supp_rates_len = elen;
351 			break;
352 		case WLAN_EID_HT_CAPABILITY:
353 			if (params->mode < IEEE80211_CONN_MODE_HT)
354 				break;
355 			if (elen >= sizeof(struct ieee80211_ht_cap))
356 				elems->ht_cap_elem = (void *)pos;
357 			else
358 				elem_parse_failed =
359 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
360 			break;
361 		case WLAN_EID_HT_OPERATION:
362 			if (params->mode < IEEE80211_CONN_MODE_HT)
363 				break;
364 			if (elen >= sizeof(struct ieee80211_ht_operation))
365 				elems->ht_operation = (void *)pos;
366 			else
367 				elem_parse_failed =
368 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
369 			break;
370 		case WLAN_EID_VHT_CAPABILITY:
371 			if (params->mode < IEEE80211_CONN_MODE_VHT)
372 				break;
373 			if (elen >= sizeof(struct ieee80211_vht_cap))
374 				elems->vht_cap_elem = (void *)pos;
375 			else
376 				elem_parse_failed =
377 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
378 			break;
379 		case WLAN_EID_VHT_OPERATION:
380 			if (params->mode < IEEE80211_CONN_MODE_VHT)
381 				break;
382 			if (elen >= sizeof(struct ieee80211_vht_operation)) {
383 				elems->vht_operation = (void *)pos;
384 				if (calc_crc)
385 					crc = crc32_be(crc, pos - 2, elen + 2);
386 				break;
387 			}
388 			elem_parse_failed =
389 				IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
390 			break;
391 		case WLAN_EID_OPMODE_NOTIF:
392 			if (params->mode < IEEE80211_CONN_MODE_VHT)
393 				break;
394 			if (elen > 0) {
395 				elems->opmode_notif = pos;
396 				if (calc_crc)
397 					crc = crc32_be(crc, pos - 2, elen + 2);
398 				break;
399 			}
400 			elem_parse_failed =
401 				IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
402 			break;
403 		case WLAN_EID_MESH_ID:
404 			elems->mesh_id = pos;
405 			elems->mesh_id_len = elen;
406 			break;
407 		case WLAN_EID_MESH_CONFIG:
408 			if (elen >= sizeof(struct ieee80211_meshconf_ie))
409 				elems->mesh_config = (void *)pos;
410 			else
411 				elem_parse_failed =
412 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
413 			break;
414 		case WLAN_EID_PEER_MGMT:
415 			elems->peering = pos;
416 			elems->peering_len = elen;
417 			break;
418 		case WLAN_EID_MESH_AWAKE_WINDOW:
419 			if (elen >= 2)
420 				elems->awake_window = (void *)pos;
421 			break;
422 		case WLAN_EID_PREQ:
423 			elems->preq = pos;
424 			elems->preq_len = elen;
425 			break;
426 		case WLAN_EID_PREP:
427 			elems->prep = pos;
428 			elems->prep_len = elen;
429 			break;
430 		case WLAN_EID_PERR:
431 			elems->perr = pos;
432 			elems->perr_len = elen;
433 			break;
434 		case WLAN_EID_RANN:
435 			if (elen >= sizeof(struct ieee80211_rann_ie))
436 				elems->rann = (void *)pos;
437 			else
438 				elem_parse_failed =
439 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
440 			break;
441 		case WLAN_EID_CHANNEL_SWITCH:
442 			if (elen != sizeof(struct ieee80211_channel_sw_ie)) {
443 				elem_parse_failed =
444 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
445 				break;
446 			}
447 			elems->ch_switch_ie = (void *)pos;
448 			break;
449 		case WLAN_EID_EXT_CHANSWITCH_ANN:
450 			if (elen != sizeof(struct ieee80211_ext_chansw_ie)) {
451 				elem_parse_failed =
452 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
453 				break;
454 			}
455 			elems->ext_chansw_ie = (void *)pos;
456 			break;
457 		case WLAN_EID_SECONDARY_CHANNEL_OFFSET:
458 			if (params->mode < IEEE80211_CONN_MODE_HT)
459 				break;
460 			if (elen != sizeof(struct ieee80211_sec_chan_offs_ie)) {
461 				elem_parse_failed =
462 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
463 				break;
464 			}
465 			elems->sec_chan_offs = (void *)pos;
466 			break;
467 		case WLAN_EID_CHAN_SWITCH_PARAM:
468 			if (elen <
469 			    sizeof(*elems->mesh_chansw_params_ie)) {
470 				elem_parse_failed =
471 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
472 				break;
473 			}
474 			elems->mesh_chansw_params_ie = (void *)pos;
475 			break;
476 		case WLAN_EID_WIDE_BW_CHANNEL_SWITCH:
477 			if (params->mode < IEEE80211_CONN_MODE_VHT)
478 				break;
479 
480 			if (!params->action) {
481 				elem_parse_failed =
482 					IEEE80211_PARSE_ERR_UNEXPECTED_ELEM;
483 				break;
484 			}
485 
486 			if (elen < sizeof(*elems->wide_bw_chansw_ie)) {
487 				elem_parse_failed =
488 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
489 				break;
490 			}
491 			elems->wide_bw_chansw_ie = (void *)pos;
492 			break;
493 		case WLAN_EID_CHANNEL_SWITCH_WRAPPER:
494 			if (params->mode < IEEE80211_CONN_MODE_VHT)
495 				break;
496 			if (params->action) {
497 				elem_parse_failed =
498 					IEEE80211_PARSE_ERR_UNEXPECTED_ELEM;
499 				break;
500 			}
501 			/*
502 			 * This is a bit tricky, but as we only care about
503 			 * a few elements, parse them out manually.
504 			 */
505 			subelem = cfg80211_find_elem(WLAN_EID_WIDE_BW_CHANNEL_SWITCH,
506 						     pos, elen);
507 			if (subelem) {
508 				if (subelem->datalen >= sizeof(*elems->wide_bw_chansw_ie))
509 					elems->wide_bw_chansw_ie =
510 						(void *)subelem->data;
511 				else
512 					elem_parse_failed =
513 						IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
514 			}
515 
516 			if (params->mode < IEEE80211_CONN_MODE_EHT)
517 				break;
518 
519 			subelem = cfg80211_find_ext_elem(WLAN_EID_EXT_BANDWIDTH_INDICATION,
520 							 pos, elen);
521 			if (subelem) {
522 				const void *edata = subelem->data + 1;
523 				u8 edatalen = subelem->datalen - 1;
524 
525 				if (ieee80211_bandwidth_indication_size_ok(edata,
526 									   edatalen))
527 					elems->bandwidth_indication = edata;
528 				else
529 					elem_parse_failed =
530 						IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
531 			}
532 			break;
533 		case WLAN_EID_COUNTRY:
534 			elems->country_elem = pos;
535 			elems->country_elem_len = elen;
536 			break;
537 		case WLAN_EID_PWR_CONSTRAINT:
538 			if (elen != 1) {
539 				elem_parse_failed =
540 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
541 				break;
542 			}
543 			elems->pwr_constr_elem = pos;
544 			break;
545 		case WLAN_EID_CISCO_VENDOR_SPECIFIC:
546 			/* Lots of different options exist, but we only care
547 			 * about the Dynamic Transmit Power Control element.
548 			 * First check for the Cisco OUI, then for the DTPC
549 			 * tag (0x00).
550 			 */
551 			if (elen < 4) {
552 				elem_parse_failed =
553 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
554 				break;
555 			}
556 
557 			if (pos[0] != 0x00 || pos[1] != 0x40 ||
558 			    pos[2] != 0x96 || pos[3] != 0x00)
559 				break;
560 
561 			if (elen != 6) {
562 				elem_parse_failed =
563 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
564 				break;
565 			}
566 
567 			if (calc_crc)
568 				crc = crc32_be(crc, pos - 2, elen + 2);
569 
570 			elems->cisco_dtpc_elem = pos;
571 			break;
572 		case WLAN_EID_ADDBA_EXT:
573 			if (elen < sizeof(struct ieee80211_addba_ext_ie)) {
574 				elem_parse_failed =
575 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
576 				break;
577 			}
578 			elems->addba_ext_ie = (void *)pos;
579 			break;
580 		case WLAN_EID_TIMEOUT_INTERVAL:
581 			if (elen >= sizeof(struct ieee80211_timeout_interval_ie))
582 				elems->timeout_int = (void *)pos;
583 			else
584 				elem_parse_failed =
585 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
586 			break;
587 		case WLAN_EID_BSS_MAX_IDLE_PERIOD:
588 			if (elen >= sizeof(*elems->max_idle_period_ie))
589 				elems->max_idle_period_ie = (void *)pos;
590 			break;
591 		case WLAN_EID_RSNX:
592 			elems->rsnx = pos;
593 			elems->rsnx_len = elen;
594 			break;
595 		case WLAN_EID_TX_POWER_ENVELOPE:
596 			if (elen < 1 ||
597 			    elen > sizeof(struct ieee80211_tx_pwr_env))
598 				break;
599 
600 			if (elems->tx_pwr_env_num >= ARRAY_SIZE(elems->tx_pwr_env))
601 				break;
602 
603 			elems->tx_pwr_env[elems->tx_pwr_env_num] = (void *)pos;
604 			elems->tx_pwr_env_len[elems->tx_pwr_env_num] = elen;
605 			elems->tx_pwr_env_num++;
606 			break;
607 		case WLAN_EID_EXTENSION:
608 			ieee80211_parse_extension_element(calc_crc ?
609 								&crc : NULL,
610 							  elem, elems_parse,
611 							  params);
612 			break;
613 		case WLAN_EID_S1G_CAPABILITIES:
614 			if (params->mode != IEEE80211_CONN_MODE_S1G)
615 				break;
616 			if (elen >= sizeof(*elems->s1g_capab))
617 				elems->s1g_capab = (void *)pos;
618 			else
619 				elem_parse_failed =
620 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
621 			break;
622 		case WLAN_EID_S1G_OPERATION:
623 			if (params->mode != IEEE80211_CONN_MODE_S1G)
624 				break;
625 			if (elen == sizeof(*elems->s1g_oper))
626 				elems->s1g_oper = (void *)pos;
627 			else
628 				elem_parse_failed =
629 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
630 			break;
631 		case WLAN_EID_S1G_BCN_COMPAT:
632 			if (params->mode != IEEE80211_CONN_MODE_S1G)
633 				break;
634 			if (elen == sizeof(*elems->s1g_bcn_compat))
635 				elems->s1g_bcn_compat = (void *)pos;
636 			else
637 				elem_parse_failed =
638 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
639 			break;
640 		case WLAN_EID_AID_RESPONSE:
641 			if (params->mode != IEEE80211_CONN_MODE_S1G)
642 				break;
643 			if (elen == sizeof(struct ieee80211_aid_response_ie))
644 				elems->aid_resp = (void *)pos;
645 			else
646 				elem_parse_failed =
647 					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
648 			break;
649 		default:
650 			break;
651 		}
652 
653 		if (elem_parse_failed)
654 			elems->parse_error |= elem_parse_failed;
655 		else
656 			__set_bit(id, seen_elems);
657 	}
658 
659 	if (!for_each_element_completed(elem, params->start, params->len))
660 		elems->parse_error |= IEEE80211_PARSE_ERR_INVALID_END;
661 
662 	return crc;
663 }
664 
665 static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
666 					    struct ieee802_11_elems *elems,
667 					    struct cfg80211_bss *bss,
668 					    u8 *nontransmitted_profile)
669 {
670 	const struct element *elem, *sub;
671 	size_t profile_len = 0;
672 	bool found = false;
673 
674 	if (!bss || !bss->transmitted_bss)
675 		return profile_len;
676 
677 	for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
678 		if (elem->datalen < 2)
679 			continue;
680 		if (elem->data[0] < 1 || elem->data[0] > 8)
681 			continue;
682 
683 		for_each_element(sub, elem->data + 1, elem->datalen - 1) {
684 			u8 new_bssid[ETH_ALEN];
685 			const u8 *index;
686 
687 			if (sub->id != 0 || sub->datalen < 4) {
688 				/* not a valid BSS profile */
689 				continue;
690 			}
691 
692 			if (sub->data[0] != WLAN_EID_NON_TX_BSSID_CAP ||
693 			    sub->data[1] != 2) {
694 				/* The first element of the
695 				 * Nontransmitted BSSID Profile is not
696 				 * the Nontransmitted BSSID Capability
697 				 * element.
698 				 */
699 				continue;
700 			}
701 
702 			memset(nontransmitted_profile, 0, len);
703 			profile_len = cfg80211_merge_profile(start, len,
704 							     elem,
705 							     sub,
706 							     nontransmitted_profile,
707 							     len);
708 
709 			/* found a Nontransmitted BSSID Profile */
710 			index = cfg80211_find_ie(WLAN_EID_MULTI_BSSID_IDX,
711 						 nontransmitted_profile,
712 						 profile_len);
713 			if (!index || index[1] < 1 || index[2] == 0) {
714 				/* Invalid MBSSID Index element */
715 				continue;
716 			}
717 
718 			cfg80211_gen_new_bssid(bss->transmitted_bss->bssid,
719 					       elem->data[0],
720 					       index[2],
721 					       new_bssid);
722 			if (ether_addr_equal(new_bssid, bss->bssid)) {
723 				found = true;
724 				elems->bssid_index_len = index[1];
725 				elems->bssid_index = (void *)&index[2];
726 				break;
727 			}
728 		}
729 	}
730 
731 	return found ? profile_len : 0;
732 }
733 
734 static void
735 ieee80211_mle_get_sta_prof(struct ieee80211_elems_parse *elems_parse,
736 			   u8 link_id)
737 {
738 	struct ieee802_11_elems *elems = &elems_parse->elems;
739 	const struct ieee80211_multi_link_elem *ml = elems->ml_basic;
740 	ssize_t ml_len = elems->ml_basic_len;
741 	const struct element *sub;
742 
743 	for_each_mle_subelement(sub, (u8 *)ml, ml_len) {
744 		struct ieee80211_mle_per_sta_profile *prof = (void *)sub->data;
745 		ssize_t sta_prof_len;
746 		u16 control;
747 
748 		if (sub->id != IEEE80211_MLE_SUBELEM_PER_STA_PROFILE)
749 			continue;
750 
751 		if (!ieee80211_mle_basic_sta_prof_size_ok(sub->data,
752 							  sub->datalen))
753 			return;
754 
755 		control = le16_to_cpu(prof->control);
756 
757 		if (link_id != u16_get_bits(control,
758 					    IEEE80211_MLE_STA_CONTROL_LINK_ID))
759 			continue;
760 
761 		if (!(control & IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE))
762 			return;
763 
764 		/* the sub element can be fragmented */
765 		sta_prof_len =
766 			cfg80211_defragment_element(sub,
767 						    (u8 *)ml, ml_len,
768 						    elems_parse->scratch_pos,
769 						    elems_parse->scratch +
770 							elems_parse->scratch_len -
771 							elems_parse->scratch_pos,
772 						    IEEE80211_MLE_SUBELEM_FRAGMENT);
773 
774 		if (sta_prof_len < 0)
775 			return;
776 
777 		elems->prof = (void *)elems_parse->scratch_pos;
778 		elems->sta_prof_len = sta_prof_len;
779 		elems_parse->scratch_pos += sta_prof_len;
780 
781 		return;
782 	}
783 }
784 
785 static void ieee80211_mle_parse_link(struct ieee80211_elems_parse *elems_parse,
786 				     struct ieee80211_elems_parse_params *params)
787 {
788 	struct ieee802_11_elems *elems = &elems_parse->elems;
789 	struct ieee80211_mle_per_sta_profile *prof;
790 	struct ieee80211_elems_parse_params sub = {
791 		.mode = params->mode,
792 		.action = params->action,
793 		.from_ap = params->from_ap,
794 		.link_id = -1,
795 	};
796 	ssize_t ml_len = elems->ml_basic_len;
797 	const struct element *non_inherit = NULL;
798 	const u8 *end;
799 
800 	ml_len = cfg80211_defragment_element(elems_parse->ml_basic_elem,
801 					     elems->ie_start,
802 					     elems->total_len,
803 					     elems_parse->scratch_pos,
804 					     elems_parse->scratch +
805 						elems_parse->scratch_len -
806 						elems_parse->scratch_pos,
807 					     WLAN_EID_FRAGMENT);
808 
809 	if (ml_len < 0)
810 		return;
811 
812 	elems->ml_basic = (const void *)elems_parse->scratch_pos;
813 	elems->ml_basic_len = ml_len;
814 	elems_parse->scratch_pos += ml_len;
815 
816 	if (params->link_id == -1)
817 		return;
818 
819 	ieee80211_mle_get_sta_prof(elems_parse, params->link_id);
820 	prof = elems->prof;
821 
822 	if (!prof)
823 		return;
824 
825 	/* check if we have the 4 bytes for the fixed part in assoc response */
826 	if (elems->sta_prof_len < sizeof(*prof) + prof->sta_info_len - 1 + 4) {
827 		elems->prof = NULL;
828 		elems->sta_prof_len = 0;
829 		return;
830 	}
831 
832 	/*
833 	 * Skip the capability information and the status code that are expected
834 	 * as part of the station profile in association response frames. Note
835 	 * the -1 is because the 'sta_info_len' is accounted to as part of the
836 	 * per-STA profile, but not part of the 'u8 variable[]' portion.
837 	 */
838 	sub.start = prof->variable + prof->sta_info_len - 1 + 4;
839 	end = (const u8 *)prof + elems->sta_prof_len;
840 	sub.len = end - sub.start;
841 
842 	non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
843 					     sub.start, sub.len);
844 	_ieee802_11_parse_elems_full(&sub, elems_parse, non_inherit);
845 }
846 
847 static void
848 ieee80211_mle_defrag_reconf(struct ieee80211_elems_parse *elems_parse)
849 {
850 	struct ieee802_11_elems *elems = &elems_parse->elems;
851 	ssize_t ml_len;
852 
853 	ml_len = cfg80211_defragment_element(elems_parse->ml_reconf_elem,
854 					     elems->ie_start,
855 					     elems->total_len,
856 					     elems_parse->scratch_pos,
857 					     elems_parse->scratch +
858 						elems_parse->scratch_len -
859 						elems_parse->scratch_pos,
860 					     WLAN_EID_FRAGMENT);
861 	if (ml_len < 0)
862 		return;
863 	elems->ml_reconf = (void *)elems_parse->scratch_pos;
864 	elems->ml_reconf_len = ml_len;
865 	elems_parse->scratch_pos += ml_len;
866 }
867 
868 struct ieee802_11_elems *
869 ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params)
870 {
871 	struct ieee80211_elems_parse *elems_parse;
872 	struct ieee802_11_elems *elems;
873 	const struct element *non_inherit = NULL;
874 	u8 *nontransmitted_profile;
875 	int nontransmitted_profile_len = 0;
876 	size_t scratch_len = 3 * params->len;
877 
878 	BUILD_BUG_ON(offsetof(typeof(*elems_parse), elems) != 0);
879 
880 	elems_parse = kzalloc(struct_size(elems_parse, scratch, scratch_len),
881 			      GFP_ATOMIC);
882 	if (!elems_parse)
883 		return NULL;
884 
885 	elems_parse->scratch_len = scratch_len;
886 	elems_parse->scratch_pos = elems_parse->scratch;
887 
888 	elems = &elems_parse->elems;
889 	elems->ie_start = params->start;
890 	elems->total_len = params->len;
891 
892 	nontransmitted_profile = elems_parse->scratch_pos;
893 	nontransmitted_profile_len =
894 		ieee802_11_find_bssid_profile(params->start, params->len,
895 					      elems, params->bss,
896 					      nontransmitted_profile);
897 	elems_parse->scratch_pos += nontransmitted_profile_len;
898 	non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
899 					     nontransmitted_profile,
900 					     nontransmitted_profile_len);
901 
902 	elems->crc = _ieee802_11_parse_elems_full(params, elems_parse,
903 						  non_inherit);
904 
905 	/* Override with nontransmitted profile, if found */
906 	if (nontransmitted_profile_len) {
907 		struct ieee80211_elems_parse_params sub = {
908 			.mode = params->mode,
909 			.start = nontransmitted_profile,
910 			.len = nontransmitted_profile_len,
911 			.action = params->action,
912 			.link_id = params->link_id,
913 		};
914 
915 		_ieee802_11_parse_elems_full(&sub, elems_parse, NULL);
916 	}
917 
918 	ieee80211_mle_parse_link(elems_parse, params);
919 
920 	ieee80211_mle_defrag_reconf(elems_parse);
921 
922 	if (elems->tim && !elems->parse_error) {
923 		const struct ieee80211_tim_ie *tim_ie = elems->tim;
924 
925 		elems->dtim_period = tim_ie->dtim_period;
926 		elems->dtim_count = tim_ie->dtim_count;
927 	}
928 
929 	/* Override DTIM period and count if needed */
930 	if (elems->bssid_index &&
931 	    elems->bssid_index_len >=
932 	    offsetofend(struct ieee80211_bssid_index, dtim_period))
933 		elems->dtim_period = elems->bssid_index->dtim_period;
934 
935 	if (elems->bssid_index &&
936 	    elems->bssid_index_len >=
937 	    offsetofend(struct ieee80211_bssid_index, dtim_count))
938 		elems->dtim_count = elems->bssid_index->dtim_count;
939 
940 	return elems;
941 }
942 EXPORT_SYMBOL_IF_KUNIT(ieee802_11_parse_elems_full);
943 
944 int ieee80211_parse_bitrates(enum nl80211_chan_width width,
945 			     const struct ieee80211_supported_band *sband,
946 			     const u8 *srates, int srates_len, u32 *rates)
947 {
948 	u32 rate_flags = ieee80211_chanwidth_rate_flags(width);
949 	struct ieee80211_rate *br;
950 	int brate, rate, i, j, count = 0;
951 
952 	*rates = 0;
953 
954 	for (i = 0; i < srates_len; i++) {
955 		rate = srates[i] & 0x7f;
956 
957 		for (j = 0; j < sband->n_bitrates; j++) {
958 			br = &sband->bitrates[j];
959 			if ((rate_flags & br->flags) != rate_flags)
960 				continue;
961 
962 			brate = DIV_ROUND_UP(br->bitrate, 5);
963 			if (brate == rate) {
964 				*rates |= BIT(j);
965 				count++;
966 				break;
967 			}
968 		}
969 	}
970 	return count;
971 }
972