ieee80211_adhoc.c revision 184345
1/*- 2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26#include <sys/cdefs.h> 27#ifdef __FreeBSD__ 28__FBSDID("$FreeBSD: head/sys/net80211/ieee80211_adhoc.c 184345 2008-10-27 16:46:50Z sam $"); 29#endif 30 31/* 32 * IEEE 802.11 IBSS mode support. 33 */ 34#include "opt_inet.h" 35#include "opt_wlan.h" 36 37#include <sys/param.h> 38#include <sys/systm.h> 39#include <sys/mbuf.h> 40#include <sys/malloc.h> 41#include <sys/kernel.h> 42 43#include <sys/socket.h> 44#include <sys/sockio.h> 45#include <sys/endian.h> 46#include <sys/errno.h> 47#include <sys/proc.h> 48#include <sys/sysctl.h> 49 50#include <net/if.h> 51#include <net/if_media.h> 52#include <net/if_llc.h> 53#include <net/ethernet.h> 54 55#include <net/bpf.h> 56 57#include <net80211/ieee80211_var.h> 58#include <net80211/ieee80211_adhoc.h> 59#include <net80211/ieee80211_input.h> 60 61#define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 62 63static void adhoc_vattach(struct ieee80211vap *); 64static int adhoc_newstate(struct ieee80211vap *, enum ieee80211_state, int); 65static int adhoc_input(struct ieee80211_node *, struct mbuf *, 66 int rssi, int noise, uint32_t rstamp); 67static void adhoc_recv_mgmt(struct ieee80211_node *, struct mbuf *, 68 int subtype, int rssi, int noise, uint32_t rstamp); 69static void ahdemo_recv_mgmt(struct ieee80211_node *, struct mbuf *, 70 int subtype, int rssi, int noise, uint32_t rstamp); 71 72void 73ieee80211_adhoc_attach(struct ieee80211com *ic) 74{ 75 ic->ic_vattach[IEEE80211_M_IBSS] = adhoc_vattach; 76 ic->ic_vattach[IEEE80211_M_AHDEMO] = adhoc_vattach; 77} 78 79void 80ieee80211_adhoc_detach(struct ieee80211com *ic) 81{ 82} 83 84static void 85adhoc_vdetach(struct ieee80211vap *vap) 86{ 87} 88 89static void 90adhoc_vattach(struct ieee80211vap *vap) 91{ 92 vap->iv_newstate = adhoc_newstate; 93 vap->iv_input = adhoc_input; 94 if (vap->iv_opmode == IEEE80211_M_IBSS) 95 vap->iv_recv_mgmt = adhoc_recv_mgmt; 96 else 97 vap->iv_recv_mgmt = ahdemo_recv_mgmt; 98 vap->iv_opdetach = adhoc_vdetach; 99} 100 101/* 102 * IEEE80211_M_IBSS+IEEE80211_M_AHDEMO vap state machine handler. 103 */ 104static int 105adhoc_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 106{ 107 struct ieee80211com *ic = vap->iv_ic; 108 struct ieee80211_node *ni; 109 enum ieee80211_state ostate; 110 111 IEEE80211_LOCK_ASSERT(vap->iv_ic); 112 113 ostate = vap->iv_state; 114 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 115 __func__, ieee80211_state_name[ostate], 116 ieee80211_state_name[nstate], arg); 117 vap->iv_state = nstate; /* state transition */ 118 if (ostate != IEEE80211_S_SCAN) 119 ieee80211_cancel_scan(vap); /* background scan */ 120 ni = vap->iv_bss; /* NB: no reference held */ 121 switch (nstate) { 122 case IEEE80211_S_INIT: 123 switch (ostate) { 124 case IEEE80211_S_SCAN: 125 ieee80211_cancel_scan(vap); 126 break; 127 default: 128 break; 129 } 130 if (ostate != IEEE80211_S_INIT) { 131 /* NB: optimize INIT -> INIT case */ 132 ieee80211_reset_bss(vap); 133 } 134 break; 135 case IEEE80211_S_SCAN: 136 switch (ostate) { 137 case IEEE80211_S_INIT: 138 case IEEE80211_S_RUN: /* beacon miss */ 139 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 140 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 141 /* 142 * Already have a channel; bypass the 143 * scan and startup immediately. 144 */ 145 ieee80211_create_ibss(vap, vap->iv_des_chan); 146 break; 147 } 148 /* 149 * Initiate a scan. We can come here as a result 150 * of an IEEE80211_IOC_SCAN_REQ too in which case 151 * the vap will be marked with IEEE80211_FEXT_SCANREQ 152 * and the scan request parameters will be present 153 * in iv_scanreq. Otherwise we do the default. 154 */ 155 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 156 ieee80211_check_scan(vap, 157 vap->iv_scanreq_flags, 158 vap->iv_scanreq_duration, 159 vap->iv_scanreq_mindwell, 160 vap->iv_scanreq_maxdwell, 161 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 162 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 163 } else 164 ieee80211_check_scan_current(vap); 165 break; 166 case IEEE80211_S_SCAN: 167 /* 168 * This can happen because of a change in state 169 * that requires a reset. Trigger a new scan 170 * unless we're in manual roaming mode in which 171 * case an application must issue an explicit request. 172 */ 173 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) 174 ieee80211_check_scan_current(vap); 175 break; 176 default: 177 goto invalid; 178 } 179 break; 180 case IEEE80211_S_RUN: 181 if (vap->iv_flags & IEEE80211_F_WPA) { 182 /* XXX validate prerequisites */ 183 } 184 switch (ostate) { 185 case IEEE80211_S_SCAN: 186#ifdef IEEE80211_DEBUG 187 if (ieee80211_msg_debug(vap)) { 188 ieee80211_note(vap, 189 "synchronized with %s ssid ", 190 ether_sprintf(ni->ni_bssid)); 191 ieee80211_print_essid(vap->iv_bss->ni_essid, 192 ni->ni_esslen); 193 /* XXX MCS/HT */ 194 printf(" channel %d start %uMb\n", 195 ieee80211_chan2ieee(ic, ic->ic_curchan), 196 IEEE80211_RATE2MBS(ni->ni_txrate)); 197 } 198#endif 199 break; 200 default: 201 goto invalid; 202 } 203 /* 204 * When 802.1x is not in use mark the port authorized 205 * at this point so traffic can flow. 206 */ 207 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 208 ieee80211_node_authorize(ni); 209 /* 210 * Fake association when joining an existing bss. 211 */ 212 if (!IEEE80211_ADDR_EQ(ni->ni_macaddr, vap->iv_myaddr) && 213 ic->ic_newassoc != NULL) 214 ic->ic_newassoc(ni, ostate != IEEE80211_S_RUN); 215 break; 216 case IEEE80211_S_SLEEP: 217 ieee80211_sta_pwrsave(vap, 0); 218 break; 219 default: 220 invalid: 221 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, 222 "%s: unexpected state transition %s -> %s\n", __func__, 223 ieee80211_state_name[ostate], ieee80211_state_name[nstate]); 224 break; 225 } 226 return 0; 227} 228 229/* 230 * Decide if a received management frame should be 231 * printed when debugging is enabled. This filters some 232 * of the less interesting frames that come frequently 233 * (e.g. beacons). 234 */ 235static __inline int 236doprint(struct ieee80211vap *vap, int subtype) 237{ 238 switch (subtype) { 239 case IEEE80211_FC0_SUBTYPE_BEACON: 240 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 241 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 242 return 1; 243 } 244 return 1; 245} 246 247/* 248 * Process a received frame. The node associated with the sender 249 * should be supplied. If nothing was found in the node table then 250 * the caller is assumed to supply a reference to iv_bss instead. 251 * The RSSI and a timestamp are also supplied. The RSSI data is used 252 * during AP scanning to select a AP to associate with; it can have 253 * any units so long as values have consistent units and higher values 254 * mean ``better signal''. The receive timestamp is currently not used 255 * by the 802.11 layer. 256 */ 257static int 258adhoc_input(struct ieee80211_node *ni, struct mbuf *m, 259 int rssi, int noise, uint32_t rstamp) 260{ 261#define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 262#define HAS_SEQ(type) ((type & 0x4) == 0) 263 struct ieee80211vap *vap = ni->ni_vap; 264 struct ieee80211com *ic = ni->ni_ic; 265 struct ifnet *ifp = vap->iv_ifp; 266 struct ieee80211_frame *wh; 267 struct ieee80211_key *key; 268 struct ether_header *eh; 269 int hdrspace, need_tap; 270 uint8_t dir, type, subtype, qos; 271 uint8_t *bssid; 272 uint16_t rxseq; 273 274 if (m->m_flags & M_AMPDU_MPDU) { 275 /* 276 * Fastpath for A-MPDU reorder q resubmission. Frames 277 * w/ M_AMPDU_MPDU marked have already passed through 278 * here but were received out of order and been held on 279 * the reorder queue. When resubmitted they are marked 280 * with the M_AMPDU_MPDU flag and we can bypass most of 281 * the normal processing. 282 */ 283 wh = mtod(m, struct ieee80211_frame *); 284 type = IEEE80211_FC0_TYPE_DATA; 285 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 286 subtype = IEEE80211_FC0_SUBTYPE_QOS; 287 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 288 goto resubmit_ampdu; 289 } 290 291 KASSERT(ni != NULL, ("null node")); 292 ni->ni_inact = ni->ni_inact_reload; 293 294 need_tap = 1; /* mbuf need to be tapped. */ 295 type = -1; /* undefined */ 296 297 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 298 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 299 ni->ni_macaddr, NULL, 300 "too short (1): len %u", m->m_pkthdr.len); 301 vap->iv_stats.is_rx_tooshort++; 302 goto out; 303 } 304 /* 305 * Bit of a cheat here, we use a pointer for a 3-address 306 * frame format but don't reference fields past outside 307 * ieee80211_frame_min w/o first validating the data is 308 * present. 309 */ 310 wh = mtod(m, struct ieee80211_frame *); 311 312 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 313 IEEE80211_FC0_VERSION_0) { 314 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 315 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]); 316 vap->iv_stats.is_rx_badversion++; 317 goto err; 318 } 319 320 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 321 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 322 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 323 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 324 if (dir != IEEE80211_FC1_DIR_NODS) 325 bssid = wh->i_addr1; 326 else if (type == IEEE80211_FC0_TYPE_CTL) 327 bssid = wh->i_addr1; 328 else { 329 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 330 IEEE80211_DISCARD_MAC(vap, 331 IEEE80211_MSG_ANY, ni->ni_macaddr, 332 NULL, "too short (2): len %u", 333 m->m_pkthdr.len); 334 vap->iv_stats.is_rx_tooshort++; 335 goto out; 336 } 337 bssid = wh->i_addr3; 338 } 339 /* 340 * Validate the bssid. 341 */ 342 if (!IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 343 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 344 /* not interested in */ 345 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 346 bssid, NULL, "%s", "not to bss"); 347 vap->iv_stats.is_rx_wrongbss++; 348 goto out; 349 } 350 /* 351 * Data frame, cons up a node when it doesn't 352 * exist. This should probably done after an ACL check. 353 */ 354 if (type == IEEE80211_FC0_TYPE_DATA && 355 ni == vap->iv_bss && 356 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 357 /* 358 * Fake up a node for this newly 359 * discovered member of the IBSS. 360 */ 361 ni = ieee80211_fakeup_adhoc_node(vap, wh->i_addr2); 362 if (ni == NULL) { 363 /* NB: stat kept for alloc failure */ 364 goto err; 365 } 366 } 367 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 368 ni->ni_noise = noise; 369 ni->ni_rstamp = rstamp; 370 if (HAS_SEQ(type)) { 371 uint8_t tid = ieee80211_gettid(wh); 372 if (IEEE80211_QOS_HAS_SEQ(wh) && 373 TID_TO_WME_AC(tid) >= WME_AC_VI) 374 ic->ic_wme.wme_hipri_traffic++; 375 rxseq = le16toh(*(uint16_t *)wh->i_seq); 376 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 && 377 (wh->i_fc[1] & IEEE80211_FC1_RETRY) && 378 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) { 379 /* duplicate, discard */ 380 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 381 bssid, "duplicate", 382 "seqno <%u,%u> fragno <%u,%u> tid %u", 383 rxseq >> IEEE80211_SEQ_SEQ_SHIFT, 384 ni->ni_rxseqs[tid] >> 385 IEEE80211_SEQ_SEQ_SHIFT, 386 rxseq & IEEE80211_SEQ_FRAG_MASK, 387 ni->ni_rxseqs[tid] & 388 IEEE80211_SEQ_FRAG_MASK, 389 tid); 390 vap->iv_stats.is_rx_dup++; 391 IEEE80211_NODE_STAT(ni, rx_dup); 392 goto out; 393 } 394 ni->ni_rxseqs[tid] = rxseq; 395 } 396 } 397 398 switch (type) { 399 case IEEE80211_FC0_TYPE_DATA: 400 hdrspace = ieee80211_hdrspace(ic, wh); 401 if (m->m_len < hdrspace && 402 (m = m_pullup(m, hdrspace)) == NULL) { 403 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 404 ni->ni_macaddr, NULL, 405 "data too short: expecting %u", hdrspace); 406 vap->iv_stats.is_rx_tooshort++; 407 goto out; /* XXX */ 408 } 409 if (dir != IEEE80211_FC1_DIR_NODS) { 410 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 411 wh, "data", "incorrect dir 0x%x", dir); 412 vap->iv_stats.is_rx_wrongdir++; 413 goto out; 414 } 415 /* XXX no power-save support */ 416 417 /* 418 * Handle A-MPDU re-ordering. If the frame is to be 419 * processed directly then ieee80211_ampdu_reorder 420 * will return 0; otherwise it has consumed the mbuf 421 * and we should do nothing more with it. 422 */ 423 if ((m->m_flags & M_AMPDU) && 424 ieee80211_ampdu_reorder(ni, m) != 0) { 425 m = NULL; 426 goto out; 427 } 428 resubmit_ampdu: 429 430 /* 431 * Handle privacy requirements. Note that we 432 * must not be preempted from here until after 433 * we (potentially) call ieee80211_crypto_demic; 434 * otherwise we may violate assumptions in the 435 * crypto cipher modules used to do delayed update 436 * of replay sequence numbers. 437 */ 438 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 439 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 440 /* 441 * Discard encrypted frames when privacy is off. 442 */ 443 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 444 wh, "WEP", "%s", "PRIVACY off"); 445 vap->iv_stats.is_rx_noprivacy++; 446 IEEE80211_NODE_STAT(ni, rx_noprivacy); 447 goto out; 448 } 449 key = ieee80211_crypto_decap(ni, m, hdrspace); 450 if (key == NULL) { 451 /* NB: stats+msgs handled in crypto_decap */ 452 IEEE80211_NODE_STAT(ni, rx_wepfail); 453 goto out; 454 } 455 wh = mtod(m, struct ieee80211_frame *); 456 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 457 } else { 458 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 459 key = NULL; 460 } 461 462 /* 463 * Save QoS bits for use below--before we strip the header. 464 */ 465 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) { 466 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ? 467 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] : 468 ((struct ieee80211_qosframe *)wh)->i_qos[0]; 469 } else 470 qos = 0; 471 472 /* 473 * Next up, any fragmentation. 474 */ 475 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 476 m = ieee80211_defrag(ni, m, hdrspace); 477 if (m == NULL) { 478 /* Fragment dropped or frame not complete yet */ 479 goto out; 480 } 481 } 482 wh = NULL; /* no longer valid, catch any uses */ 483 484 /* 485 * Next strip any MSDU crypto bits. 486 */ 487 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 488 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 489 ni->ni_macaddr, "data", "%s", "demic error"); 490 vap->iv_stats.is_rx_demicfail++; 491 IEEE80211_NODE_STAT(ni, rx_demicfail); 492 goto out; 493 } 494 495 /* copy to listener after decrypt */ 496 if (bpf_peers_present(vap->iv_rawbpf)) 497 bpf_mtap(vap->iv_rawbpf, m); 498 need_tap = 0; 499 500 /* 501 * Finally, strip the 802.11 header. 502 */ 503 m = ieee80211_decap(vap, m, hdrspace); 504 if (m == NULL) { 505 /* XXX mask bit to check for both */ 506 /* don't count Null data frames as errors */ 507 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 508 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 509 goto out; 510 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 511 ni->ni_macaddr, "data", "%s", "decap error"); 512 vap->iv_stats.is_rx_decap++; 513 IEEE80211_NODE_STAT(ni, rx_decap); 514 goto err; 515 } 516 eh = mtod(m, struct ether_header *); 517 if (!ieee80211_node_is_authorized(ni)) { 518 /* 519 * Deny any non-PAE frames received prior to 520 * authorization. For open/shared-key 521 * authentication the port is mark authorized 522 * after authentication completes. For 802.1x 523 * the port is not marked authorized by the 524 * authenticator until the handshake has completed. 525 */ 526 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 527 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 528 eh->ether_shost, "data", 529 "unauthorized port: ether type 0x%x len %u", 530 eh->ether_type, m->m_pkthdr.len); 531 vap->iv_stats.is_rx_unauth++; 532 IEEE80211_NODE_STAT(ni, rx_unauth); 533 goto err; 534 } 535 } else { 536 /* 537 * When denying unencrypted frames, discard 538 * any non-PAE frames received without encryption. 539 */ 540 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 541 (key == NULL && (m->m_flags & M_WEP) == 0) && 542 eh->ether_type != htons(ETHERTYPE_PAE)) { 543 /* 544 * Drop unencrypted frames. 545 */ 546 vap->iv_stats.is_rx_unencrypted++; 547 IEEE80211_NODE_STAT(ni, rx_unencrypted); 548 goto out; 549 } 550 } 551 /* XXX require HT? */ 552 if (qos & IEEE80211_QOS_AMSDU) { 553 m = ieee80211_decap_amsdu(ni, m); 554 if (m == NULL) 555 return IEEE80211_FC0_TYPE_DATA; 556 } else if ((ni->ni_ath_flags & IEEE80211_NODE_FF) && 557#define FF_LLC_SIZE (sizeof(struct ether_header) + sizeof(struct llc)) 558 m->m_pkthdr.len >= 3*FF_LLC_SIZE) { 559 struct llc *llc; 560 561 /* 562 * Check for fast-frame tunnel encapsulation. 563 */ 564 if (m->m_len < FF_LLC_SIZE && 565 (m = m_pullup(m, FF_LLC_SIZE)) == NULL) { 566 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 567 ni->ni_macaddr, "fast-frame", 568 "%s", "m_pullup(llc) failed"); 569 vap->iv_stats.is_rx_tooshort++; 570 return IEEE80211_FC0_TYPE_DATA; 571 } 572 llc = (struct llc *)(mtod(m, uint8_t *) + 573 sizeof(struct ether_header)); 574 if (llc->llc_snap.ether_type == htons(ATH_FF_ETH_TYPE)) { 575 m_adj(m, FF_LLC_SIZE); 576 m = ieee80211_decap_fastframe(ni, m); 577 if (m == NULL) 578 return IEEE80211_FC0_TYPE_DATA; 579 } 580 } 581#undef FF_LLC_SIZE 582 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 583 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 584 else 585 ieee80211_deliver_data(vap, ni, m); 586 return IEEE80211_FC0_TYPE_DATA; 587 588 case IEEE80211_FC0_TYPE_MGT: 589 vap->iv_stats.is_rx_mgmt++; 590 IEEE80211_NODE_STAT(ni, rx_mgmt); 591 if (dir != IEEE80211_FC1_DIR_NODS) { 592 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 593 wh, "data", "incorrect dir 0x%x", dir); 594 vap->iv_stats.is_rx_wrongdir++; 595 goto err; 596 } 597 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 598 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 599 ni->ni_macaddr, "mgt", "too short: len %u", 600 m->m_pkthdr.len); 601 vap->iv_stats.is_rx_tooshort++; 602 goto out; 603 } 604#ifdef IEEE80211_DEBUG 605 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 606 ieee80211_msg_dumppkts(vap)) { 607 if_printf(ifp, "received %s from %s rssi %d\n", 608 ieee80211_mgt_subtype_name[subtype >> 609 IEEE80211_FC0_SUBTYPE_SHIFT], 610 ether_sprintf(wh->i_addr2), rssi); 611 } 612#endif 613 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 614 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 615 wh, NULL, "%s", "WEP set but not permitted"); 616 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 617 goto out; 618 } 619 if (bpf_peers_present(vap->iv_rawbpf)) 620 bpf_mtap(vap->iv_rawbpf, m); 621 vap->iv_recv_mgmt(ni, m, subtype, rssi, noise, rstamp); 622 m_freem(m); 623 return IEEE80211_FC0_TYPE_MGT; 624 625 case IEEE80211_FC0_TYPE_CTL: 626 vap->iv_stats.is_rx_ctl++; 627 IEEE80211_NODE_STAT(ni, rx_ctrl); 628 goto out; 629 default: 630 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 631 wh, "bad", "frame type 0x%x", type); 632 /* should not come here */ 633 break; 634 } 635err: 636 ifp->if_ierrors++; 637out: 638 if (m != NULL) { 639 if (bpf_peers_present(vap->iv_rawbpf) && need_tap) 640 bpf_mtap(vap->iv_rawbpf, m); 641 m_freem(m); 642 } 643 return type; 644#undef SEQ_LEQ 645} 646 647static int 648is11bclient(const uint8_t *rates, const uint8_t *xrates) 649{ 650 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 651 int i; 652 653 /* NB: the 11b clients we care about will not have xrates */ 654 if (xrates != NULL || rates == NULL) 655 return 0; 656 for (i = 0; i < rates[1]; i++) { 657 int r = rates[2+i] & IEEE80211_RATE_VAL; 658 if (r > 2*11 || ((1<<r) & brates) == 0) 659 return 0; 660 } 661 return 1; 662} 663 664static void 665adhoc_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 666 int subtype, int rssi, int noise, uint32_t rstamp) 667{ 668 struct ieee80211vap *vap = ni->ni_vap; 669 struct ieee80211com *ic = ni->ni_ic; 670 struct ieee80211_frame *wh; 671 uint8_t *frm, *efrm, *sfrm; 672 uint8_t *ssid, *rates, *xrates; 673 674 wh = mtod(m0, struct ieee80211_frame *); 675 frm = (uint8_t *)&wh[1]; 676 efrm = mtod(m0, uint8_t *) + m0->m_len; 677 switch (subtype) { 678 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 679 case IEEE80211_FC0_SUBTYPE_BEACON: { 680 struct ieee80211_scanparams scan; 681 /* 682 * We process beacon/probe response 683 * frames to discover neighbors. 684 */ 685 if (ieee80211_parse_beacon(ni, m0, &scan) != 0) 686 return; 687 /* 688 * Count frame now that we know it's to be processed. 689 */ 690 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 691 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 692 IEEE80211_NODE_STAT(ni, rx_beacons); 693 } else 694 IEEE80211_NODE_STAT(ni, rx_proberesp); 695 /* 696 * If scanning, just pass information to the scan module. 697 */ 698 if (ic->ic_flags & IEEE80211_F_SCAN) { 699 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) { 700 /* 701 * Actively scanning a channel marked passive; 702 * send a probe request now that we know there 703 * is 802.11 traffic present. 704 * 705 * XXX check if the beacon we recv'd gives 706 * us what we need and suppress the probe req 707 */ 708 ieee80211_probe_curchan(vap, 1); 709 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 710 } 711 ieee80211_add_scan(vap, &scan, wh, 712 subtype, rssi, noise, rstamp); 713 return; 714 } 715 if (scan.capinfo & IEEE80211_CAPINFO_IBSS) { 716 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 717 /* 718 * Create a new entry in the neighbor table. 719 */ 720 ni = ieee80211_add_neighbor(vap, wh, &scan); 721 } else if (ni->ni_capinfo == 0) { 722 /* 723 * Update faked node created on transmit. 724 * Note this also updates the tsf. 725 */ 726 ieee80211_init_neighbor(ni, wh, &scan); 727 } else { 728 /* 729 * Record tsf for potential resync. 730 */ 731 memcpy(ni->ni_tstamp.data, scan.tstamp, 732 sizeof(ni->ni_tstamp)); 733 } 734 if (ni != NULL) { 735 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 736 ni->ni_noise = noise; 737 ni->ni_rstamp = rstamp; 738 } 739 } 740 break; 741 } 742 743 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 744 if (vap->iv_state != IEEE80211_S_RUN) { 745 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 746 wh, NULL, "wrong state %s", 747 ieee80211_state_name[vap->iv_state]); 748 vap->iv_stats.is_rx_mgtdiscard++; 749 return; 750 } 751 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 752 /* frame must be directed */ 753 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 754 wh, NULL, "%s", "not unicast"); 755 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 756 return; 757 } 758 759 /* 760 * prreq frame format 761 * [tlv] ssid 762 * [tlv] supported rates 763 * [tlv] extended supported rates 764 */ 765 ssid = rates = xrates = NULL; 766 sfrm = frm; 767 while (efrm - frm > 1) { 768 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 769 switch (*frm) { 770 case IEEE80211_ELEMID_SSID: 771 ssid = frm; 772 break; 773 case IEEE80211_ELEMID_RATES: 774 rates = frm; 775 break; 776 case IEEE80211_ELEMID_XRATES: 777 xrates = frm; 778 break; 779 } 780 frm += frm[1] + 2; 781 } 782 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 783 if (xrates != NULL) 784 IEEE80211_VERIFY_ELEMENT(xrates, 785 IEEE80211_RATE_MAXSIZE - rates[1], return); 786 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 787 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 788 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 789 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 790 wh, NULL, 791 "%s", "no ssid with ssid suppression enabled"); 792 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 793 return; 794 } 795 796 /* XXX find a better class or define it's own */ 797 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 798 "%s", "recv probe req"); 799 /* 800 * Some legacy 11b clients cannot hack a complete 801 * probe response frame. When the request includes 802 * only a bare-bones rate set, communicate this to 803 * the transmit side. 804 */ 805 ieee80211_send_proberesp(vap, wh->i_addr2, 806 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 807 break; 808 809 case IEEE80211_FC0_SUBTYPE_ACTION: { 810 const struct ieee80211_action *ia; 811 812 if (vap->iv_state != IEEE80211_S_RUN) { 813 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 814 wh, NULL, "wrong state %s", 815 ieee80211_state_name[vap->iv_state]); 816 vap->iv_stats.is_rx_mgtdiscard++; 817 return; 818 } 819 /* 820 * action frame format: 821 * [1] category 822 * [1] action 823 * [tlv] parameters 824 */ 825 IEEE80211_VERIFY_LENGTH(efrm - frm, 826 sizeof(struct ieee80211_action), return); 827 ia = (const struct ieee80211_action *) frm; 828 829 vap->iv_stats.is_rx_action++; 830 IEEE80211_NODE_STAT(ni, rx_action); 831 832 /* verify frame payloads but defer processing */ 833 /* XXX maybe push this to method */ 834 switch (ia->ia_category) { 835 case IEEE80211_ACTION_CAT_BA: 836 switch (ia->ia_action) { 837 case IEEE80211_ACTION_BA_ADDBA_REQUEST: 838 IEEE80211_VERIFY_LENGTH(efrm - frm, 839 sizeof(struct ieee80211_action_ba_addbarequest), 840 return); 841 break; 842 case IEEE80211_ACTION_BA_ADDBA_RESPONSE: 843 IEEE80211_VERIFY_LENGTH(efrm - frm, 844 sizeof(struct ieee80211_action_ba_addbaresponse), 845 return); 846 break; 847 case IEEE80211_ACTION_BA_DELBA: 848 IEEE80211_VERIFY_LENGTH(efrm - frm, 849 sizeof(struct ieee80211_action_ba_delba), 850 return); 851 break; 852 } 853 break; 854 case IEEE80211_ACTION_CAT_HT: 855 switch (ia->ia_action) { 856 case IEEE80211_ACTION_HT_TXCHWIDTH: 857 IEEE80211_VERIFY_LENGTH(efrm - frm, 858 sizeof(struct ieee80211_action_ht_txchwidth), 859 return); 860 break; 861 } 862 break; 863 } 864 ic->ic_recv_action(ni, frm, efrm); 865 break; 866 } 867 868 case IEEE80211_FC0_SUBTYPE_AUTH: 869 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 870 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 871 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 872 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 873 case IEEE80211_FC0_SUBTYPE_DEAUTH: 874 case IEEE80211_FC0_SUBTYPE_DISASSOC: 875 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 876 wh, NULL, "%s", "not handled"); 877 vap->iv_stats.is_rx_mgtdiscard++; 878 return; 879 880 default: 881 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 882 wh, "mgt", "subtype 0x%x not handled", subtype); 883 vap->iv_stats.is_rx_badsubtype++; 884 break; 885 } 886} 887#undef IEEE80211_VERIFY_LENGTH 888#undef IEEE80211_VERIFY_ELEMENT 889 890static void 891ahdemo_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 892 int subtype, int rssi, int noise, uint32_t rstamp) 893{ 894 struct ieee80211vap *vap = ni->ni_vap; 895 struct ieee80211com *ic = ni->ni_ic; 896 897 /* 898 * Process management frames when scanning; useful for doing 899 * a site-survey. 900 */ 901 if (ic->ic_flags & IEEE80211_F_SCAN) 902 adhoc_recv_mgmt(ni, m0, subtype, rssi, noise, rstamp); 903 else 904 vap->iv_stats.is_rx_mgtdiscard++; 905} 906