1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright 2002-2005, Instant802 Networks, Inc. 4 * Copyright 2005-2006, Devicescape Software, Inc. 5 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> 6 * Copyright 2007 Johannes Berg <johannes@sipsolutions.net> 7 * Copyright 2013-2014 Intel Mobile Communications GmbH 8 * Copyright (C) 2015-2017 Intel Deutschland GmbH 9 * Copyright (C) 2018-2024 Intel Corporation 10 * 11 * element parsing for mac80211 12 */ 13 14 #include <net/mac80211.h> 15 #include <linux/netdevice.h> 16 #include <linux/export.h> 17 #include <linux/types.h> 18 #include <linux/slab.h> 19 #include <linux/skbuff.h> 20 #include <linux/etherdevice.h> 21 #include <linux/if_arp.h> 22 #include <linux/bitmap.h> 23 #include <linux/crc32.h> 24 #include <net/net_namespace.h> 25 #include <net/cfg80211.h> 26 #include <net/rtnetlink.h> 27 #include <kunit/visibility.h> 28 29 #include "ieee80211_i.h" 30 #include "driver-ops.h" 31 #include "rate.h" 32 #include "mesh.h" 33 #include "wme.h" 34 #include "led.h" 35 #include "wep.h" 36 37 struct ieee80211_elems_parse { 38 /* must be first for kfree to work */ 39 struct ieee802_11_elems elems; 40 41 /* The basic Multi-Link element in the original elements */ 42 const struct element *ml_basic_elem; 43 44 /* The reconfiguration Multi-Link element in the original elements */ 45 const struct element *ml_reconf_elem; 46 47 /* The EPCS Multi-Link element in the original elements */ 48 const struct element *ml_epcs_elem; 49 50 /* 51 * scratch buffer that can be used for various element parsing related 52 * tasks, e.g., element de-fragmentation etc. 53 */ 54 size_t scratch_len; 55 u8 *scratch_pos; 56 u8 scratch[] __counted_by(scratch_len); 57 }; 58 59 static void 60 ieee80211_parse_extension_element(u32 *crc, 61 const struct element *elem, 62 struct ieee80211_elems_parse *elems_parse, 63 struct ieee80211_elems_parse_params *params) 64 { 65 struct ieee802_11_elems *elems = &elems_parse->elems; 66 const void *data = elem->data + 1; 67 bool calc_crc = false; 68 u8 len; 69 70 if (!elem->datalen) 71 return; 72 73 len = elem->datalen - 1; 74 75 switch (elem->data[0]) { 76 case WLAN_EID_EXT_HE_MU_EDCA: 77 if (params->mode < IEEE80211_CONN_MODE_HE) 78 break; 79 calc_crc = true; 80 if (len >= sizeof(*elems->mu_edca_param_set)) 81 elems->mu_edca_param_set = data; 82 break; 83 case WLAN_EID_EXT_HE_CAPABILITY: 84 if (params->mode < IEEE80211_CONN_MODE_HE) 85 break; 86 if (ieee80211_he_capa_size_ok(data, len)) { 87 elems->he_cap = data; 88 elems->he_cap_len = len; 89 } 90 break; 91 case WLAN_EID_EXT_HE_OPERATION: 92 if (params->mode < IEEE80211_CONN_MODE_HE) 93 break; 94 calc_crc = true; 95 if (len >= sizeof(*elems->he_operation) && 96 len >= ieee80211_he_oper_size(data) - 1) 97 elems->he_operation = data; 98 break; 99 case WLAN_EID_EXT_UORA: 100 if (params->mode < IEEE80211_CONN_MODE_HE) 101 break; 102 if (len >= 1) 103 elems->uora_element = data; 104 break; 105 case WLAN_EID_EXT_MAX_CHANNEL_SWITCH_TIME: 106 if (len == 3) 107 elems->max_channel_switch_time = data; 108 break; 109 case WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION: 110 if (len >= sizeof(*elems->mbssid_config_ie)) 111 elems->mbssid_config_ie = data; 112 break; 113 case WLAN_EID_EXT_HE_SPR: 114 if (params->mode < IEEE80211_CONN_MODE_HE) 115 break; 116 if (len >= sizeof(*elems->he_spr) && 117 len >= ieee80211_he_spr_size(data) - 1) 118 elems->he_spr = data; 119 break; 120 case WLAN_EID_EXT_HE_6GHZ_CAPA: 121 if (params->mode < IEEE80211_CONN_MODE_HE) 122 break; 123 if (len >= sizeof(*elems->he_6ghz_capa)) 124 elems->he_6ghz_capa = data; 125 break; 126 case WLAN_EID_EXT_EHT_CAPABILITY: 127 if (params->mode < IEEE80211_CONN_MODE_EHT) 128 break; 129 if (ieee80211_eht_capa_size_ok(elems->he_cap, 130 data, len, 131 params->from_ap)) { 132 elems->eht_cap = data; 133 elems->eht_cap_len = len; 134 } 135 break; 136 case WLAN_EID_EXT_EHT_OPERATION: 137 if (params->mode < IEEE80211_CONN_MODE_EHT) 138 break; 139 if (ieee80211_eht_oper_size_ok(data, len)) 140 elems->eht_operation = data; 141 calc_crc = true; 142 break; 143 case WLAN_EID_EXT_EHT_MULTI_LINK: 144 if (params->mode < IEEE80211_CONN_MODE_EHT) 145 break; 146 calc_crc = true; 147 148 if (ieee80211_mle_size_ok(data, len)) { 149 const struct ieee80211_multi_link_elem *mle = 150 (void *)data; 151 152 switch (le16_get_bits(mle->control, 153 IEEE80211_ML_CONTROL_TYPE)) { 154 case IEEE80211_ML_CONTROL_TYPE_BASIC: 155 if (elems_parse->ml_basic_elem) { 156 elems->parse_error |= 157 IEEE80211_PARSE_ERR_DUP_NEST_ML_BASIC; 158 break; 159 } 160 elems_parse->ml_basic_elem = elem; 161 break; 162 case IEEE80211_ML_CONTROL_TYPE_RECONF: 163 elems_parse->ml_reconf_elem = elem; 164 break; 165 case IEEE80211_ML_CONTROL_TYPE_PRIO_ACCESS: 166 elems_parse->ml_epcs_elem = elem; 167 break; 168 default: 169 break; 170 } 171 } 172 break; 173 case WLAN_EID_EXT_BANDWIDTH_INDICATION: 174 if (params->mode < IEEE80211_CONN_MODE_EHT) 175 break; 176 if (ieee80211_bandwidth_indication_size_ok(data, len)) 177 elems->bandwidth_indication = data; 178 calc_crc = true; 179 break; 180 case WLAN_EID_EXT_TID_TO_LINK_MAPPING: 181 if (params->mode < IEEE80211_CONN_MODE_EHT) 182 break; 183 calc_crc = true; 184 if (ieee80211_tid_to_link_map_size_ok(data, len) && 185 elems->ttlm_num < ARRAY_SIZE(elems->ttlm)) { 186 elems->ttlm[elems->ttlm_num] = (void *)data; 187 elems->ttlm_num++; 188 } 189 break; 190 } 191 192 if (crc && calc_crc) 193 *crc = crc32_be(*crc, (void *)elem, elem->datalen + 2); 194 } 195 196 static void ieee80211_parse_tpe(struct ieee80211_parsed_tpe *tpe, 197 const u8 *data, u8 len) 198 { 199 const struct ieee80211_tx_pwr_env *env = (const void *)data; 200 u8 count, interpret, category; 201 u8 *out, N, *cnt_out = NULL, *N_out = NULL; 202 203 if (!ieee80211_valid_tpe_element(data, len)) 204 return; 205 206 count = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_COUNT); 207 interpret = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_INTERPRET); 208 category = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_CATEGORY); 209 210 switch (interpret) { 211 case IEEE80211_TPE_LOCAL_EIRP: 212 out = tpe->max_local[category].power; 213 cnt_out = &tpe->max_local[category].count; 214 tpe->max_local[category].valid = true; 215 break; 216 case IEEE80211_TPE_REG_CLIENT_EIRP: 217 out = tpe->max_reg_client[category].power; 218 cnt_out = &tpe->max_reg_client[category].count; 219 tpe->max_reg_client[category].valid = true; 220 break; 221 case IEEE80211_TPE_LOCAL_EIRP_PSD: 222 out = tpe->psd_local[category].power; 223 cnt_out = &tpe->psd_local[category].count; 224 N_out = &tpe->psd_local[category].n; 225 tpe->psd_local[category].valid = true; 226 break; 227 case IEEE80211_TPE_REG_CLIENT_EIRP_PSD: 228 out = tpe->psd_reg_client[category].power; 229 cnt_out = &tpe->psd_reg_client[category].count; 230 N_out = &tpe->psd_reg_client[category].n; 231 tpe->psd_reg_client[category].valid = true; 232 break; 233 } 234 235 switch (interpret) { 236 case IEEE80211_TPE_LOCAL_EIRP: 237 case IEEE80211_TPE_REG_CLIENT_EIRP: 238 /* count was validated <= 3, plus 320 MHz */ 239 BUILD_BUG_ON(IEEE80211_TPE_EIRP_ENTRIES_320MHZ < 5); 240 memcpy(out, env->variable, count + 1); 241 *cnt_out = count + 1; 242 /* separately take 320 MHz if present */ 243 if (count == 3 && len > sizeof(*env) + count + 1) { 244 out[4] = env->variable[4]; 245 *cnt_out = 5; 246 } 247 break; 248 case IEEE80211_TPE_LOCAL_EIRP_PSD: 249 case IEEE80211_TPE_REG_CLIENT_EIRP_PSD: 250 if (!count) { 251 memset(out, env->variable[0], 252 IEEE80211_TPE_PSD_ENTRIES_320MHZ); 253 *cnt_out = IEEE80211_TPE_PSD_ENTRIES_320MHZ; 254 break; 255 } 256 257 N = 1 << (count - 1); 258 memcpy(out, env->variable, N); 259 *cnt_out = N; 260 *N_out = N; 261 262 if (len > sizeof(*env) + N) { 263 int K = u8_get_bits(env->variable[N], 264 IEEE80211_TX_PWR_ENV_EXT_COUNT); 265 266 K = min(K, IEEE80211_TPE_PSD_ENTRIES_320MHZ - N); 267 memcpy(out + N, env->variable + N + 1, K); 268 (*cnt_out) += K; 269 } 270 break; 271 } 272 } 273 274 static u32 275 _ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params, 276 struct ieee80211_elems_parse *elems_parse, 277 const struct element *check_inherit) 278 { 279 struct ieee802_11_elems *elems = &elems_parse->elems; 280 const struct element *elem; 281 bool calc_crc = params->filter != 0; 282 DECLARE_BITMAP(seen_elems, 256); 283 u32 crc = params->crc; 284 285 bitmap_zero(seen_elems, 256); 286 287 for_each_element(elem, params->start, params->len) { 288 const struct element *subelem; 289 u8 elem_parse_failed; 290 u8 id = elem->id; 291 u8 elen = elem->datalen; 292 const u8 *pos = elem->data; 293 294 if (check_inherit && 295 !cfg80211_is_element_inherited(elem, 296 check_inherit)) 297 continue; 298 299 switch (id) { 300 case WLAN_EID_SSID: 301 case WLAN_EID_SUPP_RATES: 302 case WLAN_EID_FH_PARAMS: 303 case WLAN_EID_DS_PARAMS: 304 case WLAN_EID_CF_PARAMS: 305 case WLAN_EID_TIM: 306 case WLAN_EID_IBSS_PARAMS: 307 case WLAN_EID_CHALLENGE: 308 case WLAN_EID_RSN: 309 case WLAN_EID_ERP_INFO: 310 case WLAN_EID_EXT_SUPP_RATES: 311 case WLAN_EID_HT_CAPABILITY: 312 case WLAN_EID_HT_OPERATION: 313 case WLAN_EID_VHT_CAPABILITY: 314 case WLAN_EID_VHT_OPERATION: 315 case WLAN_EID_MESH_ID: 316 case WLAN_EID_MESH_CONFIG: 317 case WLAN_EID_PEER_MGMT: 318 case WLAN_EID_PREQ: 319 case WLAN_EID_PREP: 320 case WLAN_EID_PERR: 321 case WLAN_EID_RANN: 322 case WLAN_EID_CHANNEL_SWITCH: 323 case WLAN_EID_EXT_CHANSWITCH_ANN: 324 case WLAN_EID_COUNTRY: 325 case WLAN_EID_PWR_CONSTRAINT: 326 case WLAN_EID_TIMEOUT_INTERVAL: 327 case WLAN_EID_SECONDARY_CHANNEL_OFFSET: 328 case WLAN_EID_WIDE_BW_CHANNEL_SWITCH: 329 case WLAN_EID_CHAN_SWITCH_PARAM: 330 case WLAN_EID_EXT_CAPABILITY: 331 case WLAN_EID_CHAN_SWITCH_TIMING: 332 case WLAN_EID_LINK_ID: 333 case WLAN_EID_BSS_MAX_IDLE_PERIOD: 334 case WLAN_EID_RSNX: 335 case WLAN_EID_S1G_BCN_COMPAT: 336 case WLAN_EID_S1G_CAPABILITIES: 337 case WLAN_EID_S1G_OPERATION: 338 case WLAN_EID_AID_RESPONSE: 339 case WLAN_EID_S1G_SHORT_BCN_INTERVAL: 340 /* 341 * not listing WLAN_EID_CHANNEL_SWITCH_WRAPPER -- it seems possible 342 * that if the content gets bigger it might be needed more than once 343 */ 344 if (test_bit(id, seen_elems)) { 345 elems->parse_error |= 346 IEEE80211_PARSE_ERR_DUP_ELEM; 347 continue; 348 } 349 break; 350 } 351 352 if (calc_crc && id < 64 && (params->filter & (1ULL << id))) 353 crc = crc32_be(crc, pos - 2, elen + 2); 354 355 elem_parse_failed = 0; 356 357 switch (id) { 358 case WLAN_EID_LINK_ID: 359 if (elen + 2 < sizeof(struct ieee80211_tdls_lnkie)) { 360 elem_parse_failed = 361 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 362 break; 363 } 364 elems->lnk_id = (void *)(pos - 2); 365 break; 366 case WLAN_EID_CHAN_SWITCH_TIMING: 367 if (elen < sizeof(struct ieee80211_ch_switch_timing)) { 368 elem_parse_failed = 369 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 370 break; 371 } 372 elems->ch_sw_timing = (void *)pos; 373 break; 374 case WLAN_EID_EXT_CAPABILITY: 375 elems->ext_capab = pos; 376 elems->ext_capab_len = elen; 377 break; 378 case WLAN_EID_SSID: 379 elems->ssid = pos; 380 elems->ssid_len = elen; 381 break; 382 case WLAN_EID_SUPP_RATES: 383 elems->supp_rates = pos; 384 elems->supp_rates_len = elen; 385 break; 386 case WLAN_EID_DS_PARAMS: 387 if (elen >= 1) 388 elems->ds_params = pos; 389 else 390 elem_parse_failed = 391 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 392 break; 393 case WLAN_EID_TIM: 394 if (elen >= sizeof(struct ieee80211_tim_ie)) { 395 elems->tim = (void *)pos; 396 elems->tim_len = elen; 397 } else 398 elem_parse_failed = 399 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 400 break; 401 case WLAN_EID_VENDOR_SPECIFIC: 402 if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 && 403 pos[2] == 0xf2) { 404 /* Microsoft OUI (00:50:F2) */ 405 406 if (calc_crc) 407 crc = crc32_be(crc, pos - 2, elen + 2); 408 409 if (elen >= 5 && pos[3] == 2) { 410 /* OUI Type 2 - WMM IE */ 411 if (pos[4] == 0) { 412 elems->wmm_info = pos; 413 elems->wmm_info_len = elen; 414 } else if (pos[4] == 1) { 415 elems->wmm_param = pos; 416 elems->wmm_param_len = elen; 417 } 418 } 419 } 420 break; 421 case WLAN_EID_RSN: 422 elems->rsn = pos; 423 elems->rsn_len = elen; 424 break; 425 case WLAN_EID_ERP_INFO: 426 if (elen >= 1) 427 elems->erp_info = pos; 428 else 429 elem_parse_failed = 430 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 431 break; 432 case WLAN_EID_EXT_SUPP_RATES: 433 elems->ext_supp_rates = pos; 434 elems->ext_supp_rates_len = elen; 435 break; 436 case WLAN_EID_HT_CAPABILITY: 437 if (params->mode < IEEE80211_CONN_MODE_HT) 438 break; 439 if (elen >= sizeof(struct ieee80211_ht_cap)) 440 elems->ht_cap_elem = (void *)pos; 441 else 442 elem_parse_failed = 443 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 444 break; 445 case WLAN_EID_HT_OPERATION: 446 if (params->mode < IEEE80211_CONN_MODE_HT) 447 break; 448 if (elen >= sizeof(struct ieee80211_ht_operation)) 449 elems->ht_operation = (void *)pos; 450 else 451 elem_parse_failed = 452 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 453 break; 454 case WLAN_EID_VHT_CAPABILITY: 455 if (params->mode < IEEE80211_CONN_MODE_VHT) 456 break; 457 if (elen >= sizeof(struct ieee80211_vht_cap)) 458 elems->vht_cap_elem = (void *)pos; 459 else 460 elem_parse_failed = 461 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 462 break; 463 case WLAN_EID_VHT_OPERATION: 464 if (params->mode < IEEE80211_CONN_MODE_VHT) 465 break; 466 if (elen >= sizeof(struct ieee80211_vht_operation)) { 467 elems->vht_operation = (void *)pos; 468 if (calc_crc) 469 crc = crc32_be(crc, pos - 2, elen + 2); 470 break; 471 } 472 elem_parse_failed = 473 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 474 break; 475 case WLAN_EID_OPMODE_NOTIF: 476 if (params->mode < IEEE80211_CONN_MODE_VHT) 477 break; 478 if (elen > 0) { 479 elems->opmode_notif = pos; 480 if (calc_crc) 481 crc = crc32_be(crc, pos - 2, elen + 2); 482 break; 483 } 484 elem_parse_failed = 485 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 486 break; 487 case WLAN_EID_MESH_ID: 488 elems->mesh_id = pos; 489 elems->mesh_id_len = elen; 490 break; 491 case WLAN_EID_MESH_CONFIG: 492 if (elen >= sizeof(struct ieee80211_meshconf_ie)) 493 elems->mesh_config = (void *)pos; 494 else 495 elem_parse_failed = 496 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 497 break; 498 case WLAN_EID_PEER_MGMT: 499 elems->peering = pos; 500 elems->peering_len = elen; 501 break; 502 case WLAN_EID_MESH_AWAKE_WINDOW: 503 if (elen >= 2) 504 elems->awake_window = (void *)pos; 505 break; 506 case WLAN_EID_PREQ: 507 elems->preq = pos; 508 elems->preq_len = elen; 509 break; 510 case WLAN_EID_PREP: 511 elems->prep = pos; 512 elems->prep_len = elen; 513 break; 514 case WLAN_EID_PERR: 515 elems->perr = pos; 516 elems->perr_len = elen; 517 break; 518 case WLAN_EID_RANN: 519 if (elen >= sizeof(struct ieee80211_rann_ie)) 520 elems->rann = (void *)pos; 521 else 522 elem_parse_failed = 523 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 524 break; 525 case WLAN_EID_CHANNEL_SWITCH: 526 if (elen != sizeof(struct ieee80211_channel_sw_ie)) { 527 elem_parse_failed = 528 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 529 break; 530 } 531 elems->ch_switch_ie = (void *)pos; 532 break; 533 case WLAN_EID_EXT_CHANSWITCH_ANN: 534 if (elen != sizeof(struct ieee80211_ext_chansw_ie)) { 535 elem_parse_failed = 536 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 537 break; 538 } 539 elems->ext_chansw_ie = (void *)pos; 540 break; 541 case WLAN_EID_SECONDARY_CHANNEL_OFFSET: 542 if (params->mode < IEEE80211_CONN_MODE_HT) 543 break; 544 if (elen != sizeof(struct ieee80211_sec_chan_offs_ie)) { 545 elem_parse_failed = 546 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 547 break; 548 } 549 elems->sec_chan_offs = (void *)pos; 550 break; 551 case WLAN_EID_CHAN_SWITCH_PARAM: 552 if (elen < 553 sizeof(*elems->mesh_chansw_params_ie)) { 554 elem_parse_failed = 555 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 556 break; 557 } 558 elems->mesh_chansw_params_ie = (void *)pos; 559 break; 560 case WLAN_EID_WIDE_BW_CHANNEL_SWITCH: 561 if (params->mode < IEEE80211_CONN_MODE_VHT) 562 break; 563 564 if (!params->action) { 565 elem_parse_failed = 566 IEEE80211_PARSE_ERR_UNEXPECTED_ELEM; 567 break; 568 } 569 570 if (elen < sizeof(*elems->wide_bw_chansw_ie)) { 571 elem_parse_failed = 572 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 573 break; 574 } 575 elems->wide_bw_chansw_ie = (void *)pos; 576 break; 577 case WLAN_EID_CHANNEL_SWITCH_WRAPPER: 578 if (params->mode < IEEE80211_CONN_MODE_VHT) 579 break; 580 if (params->action) { 581 elem_parse_failed = 582 IEEE80211_PARSE_ERR_UNEXPECTED_ELEM; 583 break; 584 } 585 /* 586 * This is a bit tricky, but as we only care about 587 * a few elements, parse them out manually. 588 */ 589 subelem = cfg80211_find_elem(WLAN_EID_WIDE_BW_CHANNEL_SWITCH, 590 pos, elen); 591 if (subelem) { 592 if (subelem->datalen >= sizeof(*elems->wide_bw_chansw_ie)) 593 elems->wide_bw_chansw_ie = 594 (void *)subelem->data; 595 else 596 elem_parse_failed = 597 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 598 } 599 600 if (params->mode < IEEE80211_CONN_MODE_EHT) 601 break; 602 603 subelem = cfg80211_find_ext_elem(WLAN_EID_EXT_BANDWIDTH_INDICATION, 604 pos, elen); 605 if (subelem) { 606 const void *edata = subelem->data + 1; 607 u8 edatalen = subelem->datalen - 1; 608 609 if (ieee80211_bandwidth_indication_size_ok(edata, 610 edatalen)) 611 elems->bandwidth_indication = edata; 612 else 613 elem_parse_failed = 614 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 615 } 616 617 subelem = cfg80211_find_ext_elem(WLAN_EID_TX_POWER_ENVELOPE, 618 pos, elen); 619 if (subelem) 620 ieee80211_parse_tpe(&elems->csa_tpe, 621 subelem->data + 1, 622 subelem->datalen - 1); 623 break; 624 case WLAN_EID_COUNTRY: 625 elems->country_elem = pos; 626 elems->country_elem_len = elen; 627 break; 628 case WLAN_EID_PWR_CONSTRAINT: 629 if (elen != 1) { 630 elem_parse_failed = 631 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 632 break; 633 } 634 elems->pwr_constr_elem = pos; 635 break; 636 case WLAN_EID_CISCO_VENDOR_SPECIFIC: 637 /* Lots of different options exist, but we only care 638 * about the Dynamic Transmit Power Control element. 639 * First check for the Cisco OUI, then for the DTPC 640 * tag (0x00). 641 */ 642 if (elen < 4) { 643 elem_parse_failed = 644 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 645 break; 646 } 647 648 if (pos[0] != 0x00 || pos[1] != 0x40 || 649 pos[2] != 0x96 || pos[3] != 0x00) 650 break; 651 652 if (elen != 6) { 653 elem_parse_failed = 654 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 655 break; 656 } 657 658 if (calc_crc) 659 crc = crc32_be(crc, pos - 2, elen + 2); 660 661 elems->cisco_dtpc_elem = pos; 662 break; 663 case WLAN_EID_ADDBA_EXT: 664 if (elen < sizeof(struct ieee80211_addba_ext_ie)) { 665 elem_parse_failed = 666 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 667 break; 668 } 669 elems->addba_ext_ie = (void *)pos; 670 break; 671 case WLAN_EID_TIMEOUT_INTERVAL: 672 if (elen >= sizeof(struct ieee80211_timeout_interval_ie)) 673 elems->timeout_int = (void *)pos; 674 else 675 elem_parse_failed = 676 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 677 break; 678 case WLAN_EID_BSS_MAX_IDLE_PERIOD: 679 if (elen >= sizeof(*elems->max_idle_period_ie)) 680 elems->max_idle_period_ie = (void *)pos; 681 break; 682 case WLAN_EID_RSNX: 683 elems->rsnx = pos; 684 elems->rsnx_len = elen; 685 break; 686 case WLAN_EID_TX_POWER_ENVELOPE: 687 if (params->mode < IEEE80211_CONN_MODE_HE) 688 break; 689 ieee80211_parse_tpe(&elems->tpe, pos, elen); 690 break; 691 case WLAN_EID_EXTENSION: 692 ieee80211_parse_extension_element(calc_crc ? 693 &crc : NULL, 694 elem, elems_parse, 695 params); 696 break; 697 case WLAN_EID_S1G_CAPABILITIES: 698 if (params->mode != IEEE80211_CONN_MODE_S1G) 699 break; 700 if (elen >= sizeof(*elems->s1g_capab)) 701 elems->s1g_capab = (void *)pos; 702 else 703 elem_parse_failed = 704 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 705 break; 706 case WLAN_EID_S1G_OPERATION: 707 if (params->mode != IEEE80211_CONN_MODE_S1G) 708 break; 709 if (elen == sizeof(*elems->s1g_oper)) 710 elems->s1g_oper = (void *)pos; 711 else 712 elem_parse_failed = 713 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 714 break; 715 case WLAN_EID_S1G_BCN_COMPAT: 716 if (params->mode != IEEE80211_CONN_MODE_S1G) 717 break; 718 if (elen == sizeof(*elems->s1g_bcn_compat)) 719 elems->s1g_bcn_compat = (void *)pos; 720 else 721 elem_parse_failed = 722 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 723 break; 724 case WLAN_EID_AID_RESPONSE: 725 if (params->mode != IEEE80211_CONN_MODE_S1G) 726 break; 727 if (elen == sizeof(struct ieee80211_aid_response_ie)) 728 elems->aid_resp = (void *)pos; 729 else 730 elem_parse_failed = 731 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 732 break; 733 default: 734 break; 735 } 736 737 if (elem_parse_failed) 738 elems->parse_error |= elem_parse_failed; 739 else 740 __set_bit(id, seen_elems); 741 } 742 743 if (!for_each_element_completed(elem, params->start, params->len)) 744 elems->parse_error |= IEEE80211_PARSE_ERR_INVALID_END; 745 746 return crc; 747 } 748 749 static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len, 750 struct ieee802_11_elems *elems, 751 struct cfg80211_bss *bss, 752 u8 *nontransmitted_profile) 753 { 754 const struct element *elem, *sub; 755 size_t profile_len = 0; 756 bool found = false; 757 758 if (!bss || !bss->transmitted_bss) 759 return profile_len; 760 761 for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) { 762 if (elem->datalen < 2) 763 continue; 764 if (elem->data[0] < 1 || elem->data[0] > 8) 765 continue; 766 767 for_each_element(sub, elem->data + 1, elem->datalen - 1) { 768 u8 new_bssid[ETH_ALEN]; 769 const u8 *index; 770 771 if (sub->id != 0 || sub->datalen < 4) { 772 /* not a valid BSS profile */ 773 continue; 774 } 775 776 if (sub->data[0] != WLAN_EID_NON_TX_BSSID_CAP || 777 sub->data[1] != 2) { 778 /* The first element of the 779 * Nontransmitted BSSID Profile is not 780 * the Nontransmitted BSSID Capability 781 * element. 782 */ 783 continue; 784 } 785 786 memset(nontransmitted_profile, 0, len); 787 profile_len = cfg80211_merge_profile(start, len, 788 elem, 789 sub, 790 nontransmitted_profile, 791 len); 792 793 /* found a Nontransmitted BSSID Profile */ 794 index = cfg80211_find_ie(WLAN_EID_MULTI_BSSID_IDX, 795 nontransmitted_profile, 796 profile_len); 797 if (!index || index[1] < 1 || index[2] == 0) { 798 /* Invalid MBSSID Index element */ 799 continue; 800 } 801 802 cfg80211_gen_new_bssid(bss->transmitted_bss->bssid, 803 elem->data[0], 804 index[2], 805 new_bssid); 806 if (ether_addr_equal(new_bssid, bss->bssid)) { 807 found = true; 808 elems->bssid_index_len = index[1]; 809 elems->bssid_index = (void *)&index[2]; 810 break; 811 } 812 } 813 } 814 815 return found ? profile_len : 0; 816 } 817 818 static void 819 ieee80211_mle_get_sta_prof(struct ieee80211_elems_parse *elems_parse, 820 u8 link_id) 821 { 822 struct ieee802_11_elems *elems = &elems_parse->elems; 823 const struct ieee80211_multi_link_elem *ml = elems->ml_basic; 824 ssize_t ml_len = elems->ml_basic_len; 825 const struct element *sub; 826 827 for_each_mle_subelement(sub, (u8 *)ml, ml_len) { 828 struct ieee80211_mle_per_sta_profile *prof = (void *)sub->data; 829 ssize_t sta_prof_len; 830 u16 control; 831 832 if (sub->id != IEEE80211_MLE_SUBELEM_PER_STA_PROFILE) 833 continue; 834 835 if (!ieee80211_mle_basic_sta_prof_size_ok(sub->data, 836 sub->datalen)) 837 return; 838 839 control = le16_to_cpu(prof->control); 840 841 if (link_id != u16_get_bits(control, 842 IEEE80211_MLE_STA_CONTROL_LINK_ID)) 843 continue; 844 845 if (!(control & IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE)) 846 return; 847 848 /* the sub element can be fragmented */ 849 sta_prof_len = 850 cfg80211_defragment_element(sub, 851 (u8 *)ml, ml_len, 852 elems_parse->scratch_pos, 853 elems_parse->scratch + 854 elems_parse->scratch_len - 855 elems_parse->scratch_pos, 856 IEEE80211_MLE_SUBELEM_FRAGMENT); 857 858 if (sta_prof_len < 0) 859 return; 860 861 elems->prof = (void *)elems_parse->scratch_pos; 862 elems->sta_prof_len = sta_prof_len; 863 elems_parse->scratch_pos += sta_prof_len; 864 865 return; 866 } 867 } 868 869 static void ieee80211_mle_parse_link(struct ieee80211_elems_parse *elems_parse, 870 struct ieee80211_elems_parse_params *params) 871 { 872 struct ieee802_11_elems *elems = &elems_parse->elems; 873 struct ieee80211_mle_per_sta_profile *prof; 874 struct ieee80211_elems_parse_params sub = { 875 .mode = params->mode, 876 .action = params->action, 877 .from_ap = params->from_ap, 878 .link_id = -1, 879 }; 880 ssize_t ml_len = elems->ml_basic_len; 881 const struct element *non_inherit = NULL; 882 const u8 *end; 883 884 ml_len = cfg80211_defragment_element(elems_parse->ml_basic_elem, 885 elems->ie_start, 886 elems->total_len, 887 elems_parse->scratch_pos, 888 elems_parse->scratch + 889 elems_parse->scratch_len - 890 elems_parse->scratch_pos, 891 WLAN_EID_FRAGMENT); 892 893 if (ml_len < 0) 894 return; 895 896 elems->ml_basic = (const void *)elems_parse->scratch_pos; 897 elems->ml_basic_len = ml_len; 898 elems_parse->scratch_pos += ml_len; 899 900 if (params->link_id == -1) 901 return; 902 903 ieee80211_mle_get_sta_prof(elems_parse, params->link_id); 904 prof = elems->prof; 905 906 if (!prof) 907 return; 908 909 /* check if we have the 4 bytes for the fixed part in assoc response */ 910 if (elems->sta_prof_len < sizeof(*prof) + prof->sta_info_len - 1 + 4) { 911 elems->prof = NULL; 912 elems->sta_prof_len = 0; 913 return; 914 } 915 916 /* 917 * Skip the capability information and the status code that are expected 918 * as part of the station profile in association response frames. Note 919 * the -1 is because the 'sta_info_len' is accounted to as part of the 920 * per-STA profile, but not part of the 'u8 variable[]' portion. 921 */ 922 sub.start = prof->variable + prof->sta_info_len - 1 + 4; 923 end = (const u8 *)prof + elems->sta_prof_len; 924 sub.len = end - sub.start; 925 926 non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, 927 sub.start, sub.len); 928 _ieee802_11_parse_elems_full(&sub, elems_parse, non_inherit); 929 } 930 931 static void 932 ieee80211_mle_defrag_reconf(struct ieee80211_elems_parse *elems_parse) 933 { 934 struct ieee802_11_elems *elems = &elems_parse->elems; 935 ssize_t ml_len; 936 937 ml_len = cfg80211_defragment_element(elems_parse->ml_reconf_elem, 938 elems->ie_start, 939 elems->total_len, 940 elems_parse->scratch_pos, 941 elems_parse->scratch + 942 elems_parse->scratch_len - 943 elems_parse->scratch_pos, 944 WLAN_EID_FRAGMENT); 945 if (ml_len < 0) 946 return; 947 elems->ml_reconf = (void *)elems_parse->scratch_pos; 948 elems->ml_reconf_len = ml_len; 949 elems_parse->scratch_pos += ml_len; 950 } 951 952 static void 953 ieee80211_mle_defrag_epcs(struct ieee80211_elems_parse *elems_parse) 954 { 955 struct ieee802_11_elems *elems = &elems_parse->elems; 956 ssize_t ml_len; 957 958 ml_len = cfg80211_defragment_element(elems_parse->ml_epcs_elem, 959 elems->ie_start, 960 elems->total_len, 961 elems_parse->scratch_pos, 962 elems_parse->scratch + 963 elems_parse->scratch_len - 964 elems_parse->scratch_pos, 965 WLAN_EID_FRAGMENT); 966 if (ml_len < 0) 967 return; 968 elems->ml_epcs = (void *)elems_parse->scratch_pos; 969 elems->ml_epcs_len = ml_len; 970 elems_parse->scratch_pos += ml_len; 971 } 972 973 struct ieee802_11_elems * 974 ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params) 975 { 976 struct ieee80211_elems_parse *elems_parse; 977 struct ieee802_11_elems *elems; 978 const struct element *non_inherit = NULL; 979 u8 *nontransmitted_profile; 980 int nontransmitted_profile_len = 0; 981 size_t scratch_len = 3 * params->len; 982 983 BUILD_BUG_ON(offsetof(typeof(*elems_parse), elems) != 0); 984 985 elems_parse = kzalloc(struct_size(elems_parse, scratch, scratch_len), 986 GFP_ATOMIC); 987 if (!elems_parse) 988 return NULL; 989 990 elems_parse->scratch_len = scratch_len; 991 elems_parse->scratch_pos = elems_parse->scratch; 992 993 elems = &elems_parse->elems; 994 elems->ie_start = params->start; 995 elems->total_len = params->len; 996 997 /* set all TPE entries to unlimited (but invalid) */ 998 ieee80211_clear_tpe(&elems->tpe); 999 ieee80211_clear_tpe(&elems->csa_tpe); 1000 1001 nontransmitted_profile = elems_parse->scratch_pos; 1002 nontransmitted_profile_len = 1003 ieee802_11_find_bssid_profile(params->start, params->len, 1004 elems, params->bss, 1005 nontransmitted_profile); 1006 elems_parse->scratch_pos += nontransmitted_profile_len; 1007 non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, 1008 nontransmitted_profile, 1009 nontransmitted_profile_len); 1010 1011 elems->crc = _ieee802_11_parse_elems_full(params, elems_parse, 1012 non_inherit); 1013 1014 /* Override with nontransmitted profile, if found */ 1015 if (nontransmitted_profile_len) { 1016 struct ieee80211_elems_parse_params sub = { 1017 .mode = params->mode, 1018 .start = nontransmitted_profile, 1019 .len = nontransmitted_profile_len, 1020 .action = params->action, 1021 .link_id = params->link_id, 1022 }; 1023 1024 _ieee802_11_parse_elems_full(&sub, elems_parse, NULL); 1025 } 1026 1027 ieee80211_mle_parse_link(elems_parse, params); 1028 1029 ieee80211_mle_defrag_reconf(elems_parse); 1030 1031 ieee80211_mle_defrag_epcs(elems_parse); 1032 1033 if (elems->tim && !elems->parse_error) { 1034 const struct ieee80211_tim_ie *tim_ie = elems->tim; 1035 1036 elems->dtim_period = tim_ie->dtim_period; 1037 elems->dtim_count = tim_ie->dtim_count; 1038 } 1039 1040 /* Override DTIM period and count if needed */ 1041 if (elems->bssid_index && 1042 elems->bssid_index_len >= 1043 offsetofend(struct ieee80211_bssid_index, dtim_period)) 1044 elems->dtim_period = elems->bssid_index->dtim_period; 1045 1046 if (elems->bssid_index && 1047 elems->bssid_index_len >= 1048 offsetofend(struct ieee80211_bssid_index, dtim_count)) 1049 elems->dtim_count = elems->bssid_index->dtim_count; 1050 1051 return elems; 1052 } 1053 EXPORT_SYMBOL_IF_KUNIT(ieee802_11_parse_elems_full); 1054 1055 int ieee80211_parse_bitrates(enum nl80211_chan_width width, 1056 const struct ieee80211_supported_band *sband, 1057 const u8 *srates, int srates_len, u32 *rates) 1058 { 1059 u32 rate_flags = ieee80211_chanwidth_rate_flags(width); 1060 struct ieee80211_rate *br; 1061 int brate, rate, i, j, count = 0; 1062 1063 *rates = 0; 1064 1065 for (i = 0; i < srates_len; i++) { 1066 rate = srates[i] & 0x7f; 1067 1068 for (j = 0; j < sband->n_bitrates; j++) { 1069 br = &sband->bitrates[j]; 1070 if ((rate_flags & br->flags) != rate_flags) 1071 continue; 1072 1073 brate = DIV_ROUND_UP(br->bitrate, 5); 1074 if (brate == rate) { 1075 *rates |= BIT(j); 1076 count++; 1077 break; 1078 } 1079 } 1080 } 1081 return count; 1082 } 1083