ieee80211_adhoc.c revision 186904
1/*- 2 * Copyright (c) 2007-2009 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26#include <sys/cdefs.h> 27#ifdef __FreeBSD__ 28__FBSDID("$FreeBSD: head/sys/net80211/ieee80211_adhoc.c 186904 2009-01-08 17:12:47Z sam $"); 29#endif 30 31/* 32 * IEEE 802.11 IBSS mode support. 33 */ 34#include "opt_inet.h" 35#include "opt_wlan.h" 36 37#include <sys/param.h> 38#include <sys/systm.h> 39#include <sys/mbuf.h> 40#include <sys/malloc.h> 41#include <sys/kernel.h> 42 43#include <sys/socket.h> 44#include <sys/sockio.h> 45#include <sys/endian.h> 46#include <sys/errno.h> 47#include <sys/proc.h> 48#include <sys/sysctl.h> 49 50#include <net/if.h> 51#include <net/if_media.h> 52#include <net/if_llc.h> 53#include <net/ethernet.h> 54 55#include <net/bpf.h> 56 57#include <net80211/ieee80211_var.h> 58#include <net80211/ieee80211_adhoc.h> 59#include <net80211/ieee80211_input.h> 60#ifdef IEEE80211_SUPPORT_TDMA 61#include <net80211/ieee80211_tdma.h> 62#endif 63 64#define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 65 66static void adhoc_vattach(struct ieee80211vap *); 67static int adhoc_newstate(struct ieee80211vap *, enum ieee80211_state, int); 68static int adhoc_input(struct ieee80211_node *, struct mbuf *, 69 int rssi, int noise, uint32_t rstamp); 70static void adhoc_recv_mgmt(struct ieee80211_node *, struct mbuf *, 71 int subtype, int rssi, int noise, uint32_t rstamp); 72static void ahdemo_recv_mgmt(struct ieee80211_node *, struct mbuf *, 73 int subtype, int rssi, int noise, uint32_t rstamp); 74 75void 76ieee80211_adhoc_attach(struct ieee80211com *ic) 77{ 78 ic->ic_vattach[IEEE80211_M_IBSS] = adhoc_vattach; 79 ic->ic_vattach[IEEE80211_M_AHDEMO] = adhoc_vattach; 80} 81 82void 83ieee80211_adhoc_detach(struct ieee80211com *ic) 84{ 85} 86 87static void 88adhoc_vdetach(struct ieee80211vap *vap) 89{ 90} 91 92static void 93adhoc_vattach(struct ieee80211vap *vap) 94{ 95 vap->iv_newstate = adhoc_newstate; 96 vap->iv_input = adhoc_input; 97 if (vap->iv_opmode == IEEE80211_M_IBSS) 98 vap->iv_recv_mgmt = adhoc_recv_mgmt; 99 else 100 vap->iv_recv_mgmt = ahdemo_recv_mgmt; 101 vap->iv_opdetach = adhoc_vdetach; 102#ifdef IEEE80211_SUPPORT_TDMA 103 /* 104 * Throw control to tdma support. Note we do this 105 * after setting up our callbacks so it can piggyback 106 * on top of us. 107 */ 108 if (vap->iv_caps & IEEE80211_C_TDMA) 109 ieee80211_tdma_vattach(vap); 110#endif 111} 112 113/* 114 * IEEE80211_M_IBSS+IEEE80211_M_AHDEMO vap state machine handler. 115 */ 116static int 117adhoc_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 118{ 119 struct ieee80211com *ic = vap->iv_ic; 120 struct ieee80211_node *ni; 121 enum ieee80211_state ostate; 122 123 IEEE80211_LOCK_ASSERT(vap->iv_ic); 124 125 ostate = vap->iv_state; 126 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 127 __func__, ieee80211_state_name[ostate], 128 ieee80211_state_name[nstate], arg); 129 vap->iv_state = nstate; /* state transition */ 130 if (ostate != IEEE80211_S_SCAN) 131 ieee80211_cancel_scan(vap); /* background scan */ 132 ni = vap->iv_bss; /* NB: no reference held */ 133 switch (nstate) { 134 case IEEE80211_S_INIT: 135 switch (ostate) { 136 case IEEE80211_S_SCAN: 137 ieee80211_cancel_scan(vap); 138 break; 139 default: 140 break; 141 } 142 if (ostate != IEEE80211_S_INIT) { 143 /* NB: optimize INIT -> INIT case */ 144 ieee80211_reset_bss(vap); 145 } 146 break; 147 case IEEE80211_S_SCAN: 148 switch (ostate) { 149 case IEEE80211_S_INIT: 150 case IEEE80211_S_RUN: /* beacon miss */ 151 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 152 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 153 /* 154 * Already have a channel; bypass the 155 * scan and startup immediately. 156 */ 157 ieee80211_create_ibss(vap, vap->iv_des_chan); 158 break; 159 } 160 /* 161 * Initiate a scan. We can come here as a result 162 * of an IEEE80211_IOC_SCAN_REQ too in which case 163 * the vap will be marked with IEEE80211_FEXT_SCANREQ 164 * and the scan request parameters will be present 165 * in iv_scanreq. Otherwise we do the default. 166 */ 167 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 168 ieee80211_check_scan(vap, 169 vap->iv_scanreq_flags, 170 vap->iv_scanreq_duration, 171 vap->iv_scanreq_mindwell, 172 vap->iv_scanreq_maxdwell, 173 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 174 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 175 } else 176 ieee80211_check_scan_current(vap); 177 break; 178 case IEEE80211_S_SCAN: 179 /* 180 * This can happen because of a change in state 181 * that requires a reset. Trigger a new scan 182 * unless we're in manual roaming mode in which 183 * case an application must issue an explicit request. 184 */ 185 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) 186 ieee80211_check_scan_current(vap); 187 break; 188 default: 189 goto invalid; 190 } 191 break; 192 case IEEE80211_S_RUN: 193 if (vap->iv_flags & IEEE80211_F_WPA) { 194 /* XXX validate prerequisites */ 195 } 196 switch (ostate) { 197 case IEEE80211_S_SCAN: 198#ifdef IEEE80211_DEBUG 199 if (ieee80211_msg_debug(vap)) { 200 ieee80211_note(vap, 201 "synchronized with %s ssid ", 202 ether_sprintf(ni->ni_bssid)); 203 ieee80211_print_essid(vap->iv_bss->ni_essid, 204 ni->ni_esslen); 205 /* XXX MCS/HT */ 206 printf(" channel %d start %uMb\n", 207 ieee80211_chan2ieee(ic, ic->ic_curchan), 208 IEEE80211_RATE2MBS(ni->ni_txrate)); 209 } 210#endif 211 break; 212 default: 213 goto invalid; 214 } 215 /* 216 * When 802.1x is not in use mark the port authorized 217 * at this point so traffic can flow. 218 */ 219 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 220 ieee80211_node_authorize(ni); 221 /* 222 * Fake association when joining an existing bss. 223 */ 224 if (!IEEE80211_ADDR_EQ(ni->ni_macaddr, vap->iv_myaddr) && 225 ic->ic_newassoc != NULL) 226 ic->ic_newassoc(ni, ostate != IEEE80211_S_RUN); 227 break; 228 case IEEE80211_S_SLEEP: 229 ieee80211_sta_pwrsave(vap, 0); 230 break; 231 default: 232 invalid: 233 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, 234 "%s: unexpected state transition %s -> %s\n", __func__, 235 ieee80211_state_name[ostate], ieee80211_state_name[nstate]); 236 break; 237 } 238 return 0; 239} 240 241/* 242 * Decide if a received management frame should be 243 * printed when debugging is enabled. This filters some 244 * of the less interesting frames that come frequently 245 * (e.g. beacons). 246 */ 247static __inline int 248doprint(struct ieee80211vap *vap, int subtype) 249{ 250 switch (subtype) { 251 case IEEE80211_FC0_SUBTYPE_BEACON: 252 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 253 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 254 return 1; 255 } 256 return 1; 257} 258 259/* 260 * Process a received frame. The node associated with the sender 261 * should be supplied. If nothing was found in the node table then 262 * the caller is assumed to supply a reference to iv_bss instead. 263 * The RSSI and a timestamp are also supplied. The RSSI data is used 264 * during AP scanning to select a AP to associate with; it can have 265 * any units so long as values have consistent units and higher values 266 * mean ``better signal''. The receive timestamp is currently not used 267 * by the 802.11 layer. 268 */ 269static int 270adhoc_input(struct ieee80211_node *ni, struct mbuf *m, 271 int rssi, int noise, uint32_t rstamp) 272{ 273#define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 274#define HAS_SEQ(type) ((type & 0x4) == 0) 275 struct ieee80211vap *vap = ni->ni_vap; 276 struct ieee80211com *ic = ni->ni_ic; 277 struct ifnet *ifp = vap->iv_ifp; 278 struct ieee80211_frame *wh; 279 struct ieee80211_key *key; 280 struct ether_header *eh; 281 int hdrspace, need_tap; 282 uint8_t dir, type, subtype, qos; 283 uint8_t *bssid; 284 uint16_t rxseq; 285 286 if (m->m_flags & M_AMPDU_MPDU) { 287 /* 288 * Fastpath for A-MPDU reorder q resubmission. Frames 289 * w/ M_AMPDU_MPDU marked have already passed through 290 * here but were received out of order and been held on 291 * the reorder queue. When resubmitted they are marked 292 * with the M_AMPDU_MPDU flag and we can bypass most of 293 * the normal processing. 294 */ 295 wh = mtod(m, struct ieee80211_frame *); 296 type = IEEE80211_FC0_TYPE_DATA; 297 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 298 subtype = IEEE80211_FC0_SUBTYPE_QOS; 299 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 300 goto resubmit_ampdu; 301 } 302 303 KASSERT(ni != NULL, ("null node")); 304 ni->ni_inact = ni->ni_inact_reload; 305 306 need_tap = 1; /* mbuf need to be tapped. */ 307 type = -1; /* undefined */ 308 309 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 310 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 311 ni->ni_macaddr, NULL, 312 "too short (1): len %u", m->m_pkthdr.len); 313 vap->iv_stats.is_rx_tooshort++; 314 goto out; 315 } 316 /* 317 * Bit of a cheat here, we use a pointer for a 3-address 318 * frame format but don't reference fields past outside 319 * ieee80211_frame_min w/o first validating the data is 320 * present. 321 */ 322 wh = mtod(m, struct ieee80211_frame *); 323 324 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 325 IEEE80211_FC0_VERSION_0) { 326 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 327 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]); 328 vap->iv_stats.is_rx_badversion++; 329 goto err; 330 } 331 332 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 333 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 334 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 335 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 336 if (dir != IEEE80211_FC1_DIR_NODS) 337 bssid = wh->i_addr1; 338 else if (type == IEEE80211_FC0_TYPE_CTL) 339 bssid = wh->i_addr1; 340 else { 341 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 342 IEEE80211_DISCARD_MAC(vap, 343 IEEE80211_MSG_ANY, ni->ni_macaddr, 344 NULL, "too short (2): len %u", 345 m->m_pkthdr.len); 346 vap->iv_stats.is_rx_tooshort++; 347 goto out; 348 } 349 bssid = wh->i_addr3; 350 } 351 /* 352 * Validate the bssid. 353 */ 354 if (!IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 355 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 356 /* not interested in */ 357 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 358 bssid, NULL, "%s", "not to bss"); 359 vap->iv_stats.is_rx_wrongbss++; 360 goto out; 361 } 362 /* 363 * Data frame, cons up a node when it doesn't 364 * exist. This should probably done after an ACL check. 365 */ 366 if (type == IEEE80211_FC0_TYPE_DATA && 367 ni == vap->iv_bss && 368 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 369 /* 370 * Beware of frames that come in too early; we 371 * can receive broadcast frames and creating sta 372 * entries will blow up because there is no bss 373 * channel yet. 374 */ 375 if (vap->iv_state != IEEE80211_S_RUN) { 376 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 377 wh, "data", "not in RUN state (%s)", 378 ieee80211_state_name[vap->iv_state]); 379 vap->iv_stats.is_rx_badstate++; 380 goto err; 381 } 382 /* 383 * Fake up a node for this newly 384 * discovered member of the IBSS. 385 */ 386 ni = ieee80211_fakeup_adhoc_node(vap, wh->i_addr2); 387 if (ni == NULL) { 388 /* NB: stat kept for alloc failure */ 389 goto err; 390 } 391 } 392 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 393 ni->ni_noise = noise; 394 ni->ni_rstamp = rstamp; 395 if (HAS_SEQ(type)) { 396 uint8_t tid = ieee80211_gettid(wh); 397 if (IEEE80211_QOS_HAS_SEQ(wh) && 398 TID_TO_WME_AC(tid) >= WME_AC_VI) 399 ic->ic_wme.wme_hipri_traffic++; 400 rxseq = le16toh(*(uint16_t *)wh->i_seq); 401 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 && 402 (wh->i_fc[1] & IEEE80211_FC1_RETRY) && 403 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) { 404 /* duplicate, discard */ 405 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 406 bssid, "duplicate", 407 "seqno <%u,%u> fragno <%u,%u> tid %u", 408 rxseq >> IEEE80211_SEQ_SEQ_SHIFT, 409 ni->ni_rxseqs[tid] >> 410 IEEE80211_SEQ_SEQ_SHIFT, 411 rxseq & IEEE80211_SEQ_FRAG_MASK, 412 ni->ni_rxseqs[tid] & 413 IEEE80211_SEQ_FRAG_MASK, 414 tid); 415 vap->iv_stats.is_rx_dup++; 416 IEEE80211_NODE_STAT(ni, rx_dup); 417 goto out; 418 } 419 ni->ni_rxseqs[tid] = rxseq; 420 } 421 } 422 423 switch (type) { 424 case IEEE80211_FC0_TYPE_DATA: 425 hdrspace = ieee80211_hdrspace(ic, wh); 426 if (m->m_len < hdrspace && 427 (m = m_pullup(m, hdrspace)) == NULL) { 428 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 429 ni->ni_macaddr, NULL, 430 "data too short: expecting %u", hdrspace); 431 vap->iv_stats.is_rx_tooshort++; 432 goto out; /* XXX */ 433 } 434 if (dir != IEEE80211_FC1_DIR_NODS) { 435 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 436 wh, "data", "incorrect dir 0x%x", dir); 437 vap->iv_stats.is_rx_wrongdir++; 438 goto out; 439 } 440 /* XXX no power-save support */ 441 442 /* 443 * Handle A-MPDU re-ordering. If the frame is to be 444 * processed directly then ieee80211_ampdu_reorder 445 * will return 0; otherwise it has consumed the mbuf 446 * and we should do nothing more with it. 447 */ 448 if ((m->m_flags & M_AMPDU) && 449 ieee80211_ampdu_reorder(ni, m) != 0) { 450 m = NULL; 451 goto out; 452 } 453 resubmit_ampdu: 454 455 /* 456 * Handle privacy requirements. Note that we 457 * must not be preempted from here until after 458 * we (potentially) call ieee80211_crypto_demic; 459 * otherwise we may violate assumptions in the 460 * crypto cipher modules used to do delayed update 461 * of replay sequence numbers. 462 */ 463 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 464 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 465 /* 466 * Discard encrypted frames when privacy is off. 467 */ 468 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 469 wh, "WEP", "%s", "PRIVACY off"); 470 vap->iv_stats.is_rx_noprivacy++; 471 IEEE80211_NODE_STAT(ni, rx_noprivacy); 472 goto out; 473 } 474 key = ieee80211_crypto_decap(ni, m, hdrspace); 475 if (key == NULL) { 476 /* NB: stats+msgs handled in crypto_decap */ 477 IEEE80211_NODE_STAT(ni, rx_wepfail); 478 goto out; 479 } 480 wh = mtod(m, struct ieee80211_frame *); 481 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 482 } else { 483 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 484 key = NULL; 485 } 486 487 /* 488 * Save QoS bits for use below--before we strip the header. 489 */ 490 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) { 491 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ? 492 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] : 493 ((struct ieee80211_qosframe *)wh)->i_qos[0]; 494 } else 495 qos = 0; 496 497 /* 498 * Next up, any fragmentation. 499 */ 500 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 501 m = ieee80211_defrag(ni, m, hdrspace); 502 if (m == NULL) { 503 /* Fragment dropped or frame not complete yet */ 504 goto out; 505 } 506 } 507 wh = NULL; /* no longer valid, catch any uses */ 508 509 /* 510 * Next strip any MSDU crypto bits. 511 */ 512 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 513 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 514 ni->ni_macaddr, "data", "%s", "demic error"); 515 vap->iv_stats.is_rx_demicfail++; 516 IEEE80211_NODE_STAT(ni, rx_demicfail); 517 goto out; 518 } 519 520 /* copy to listener after decrypt */ 521 if (bpf_peers_present(vap->iv_rawbpf)) 522 bpf_mtap(vap->iv_rawbpf, m); 523 need_tap = 0; 524 525 /* 526 * Finally, strip the 802.11 header. 527 */ 528 m = ieee80211_decap(vap, m, hdrspace); 529 if (m == NULL) { 530 /* XXX mask bit to check for both */ 531 /* don't count Null data frames as errors */ 532 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 533 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 534 goto out; 535 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 536 ni->ni_macaddr, "data", "%s", "decap error"); 537 vap->iv_stats.is_rx_decap++; 538 IEEE80211_NODE_STAT(ni, rx_decap); 539 goto err; 540 } 541 eh = mtod(m, struct ether_header *); 542 if (!ieee80211_node_is_authorized(ni)) { 543 /* 544 * Deny any non-PAE frames received prior to 545 * authorization. For open/shared-key 546 * authentication the port is mark authorized 547 * after authentication completes. For 802.1x 548 * the port is not marked authorized by the 549 * authenticator until the handshake has completed. 550 */ 551 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 552 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 553 eh->ether_shost, "data", 554 "unauthorized port: ether type 0x%x len %u", 555 eh->ether_type, m->m_pkthdr.len); 556 vap->iv_stats.is_rx_unauth++; 557 IEEE80211_NODE_STAT(ni, rx_unauth); 558 goto err; 559 } 560 } else { 561 /* 562 * When denying unencrypted frames, discard 563 * any non-PAE frames received without encryption. 564 */ 565 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 566 (key == NULL && (m->m_flags & M_WEP) == 0) && 567 eh->ether_type != htons(ETHERTYPE_PAE)) { 568 /* 569 * Drop unencrypted frames. 570 */ 571 vap->iv_stats.is_rx_unencrypted++; 572 IEEE80211_NODE_STAT(ni, rx_unencrypted); 573 goto out; 574 } 575 } 576 /* XXX require HT? */ 577 if (qos & IEEE80211_QOS_AMSDU) { 578 m = ieee80211_decap_amsdu(ni, m); 579 if (m == NULL) 580 return IEEE80211_FC0_TYPE_DATA; 581 } else if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF) && 582#define FF_LLC_SIZE (sizeof(struct ether_header) + sizeof(struct llc)) 583 m->m_pkthdr.len >= 3*FF_LLC_SIZE) { 584 struct llc *llc; 585 586 /* 587 * Check for fast-frame tunnel encapsulation. 588 */ 589 if (m->m_len < FF_LLC_SIZE && 590 (m = m_pullup(m, FF_LLC_SIZE)) == NULL) { 591 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 592 ni->ni_macaddr, "fast-frame", 593 "%s", "m_pullup(llc) failed"); 594 vap->iv_stats.is_rx_tooshort++; 595 return IEEE80211_FC0_TYPE_DATA; 596 } 597 llc = (struct llc *)(mtod(m, uint8_t *) + 598 sizeof(struct ether_header)); 599 if (llc->llc_snap.ether_type == htons(ATH_FF_ETH_TYPE)) { 600 m_adj(m, FF_LLC_SIZE); 601 m = ieee80211_decap_fastframe(ni, m); 602 if (m == NULL) 603 return IEEE80211_FC0_TYPE_DATA; 604 } 605 } 606#undef FF_LLC_SIZE 607 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 608 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 609 else 610 ieee80211_deliver_data(vap, ni, m); 611 return IEEE80211_FC0_TYPE_DATA; 612 613 case IEEE80211_FC0_TYPE_MGT: 614 vap->iv_stats.is_rx_mgmt++; 615 IEEE80211_NODE_STAT(ni, rx_mgmt); 616 if (dir != IEEE80211_FC1_DIR_NODS) { 617 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 618 wh, "data", "incorrect dir 0x%x", dir); 619 vap->iv_stats.is_rx_wrongdir++; 620 goto err; 621 } 622 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 623 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 624 ni->ni_macaddr, "mgt", "too short: len %u", 625 m->m_pkthdr.len); 626 vap->iv_stats.is_rx_tooshort++; 627 goto out; 628 } 629#ifdef IEEE80211_DEBUG 630 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 631 ieee80211_msg_dumppkts(vap)) { 632 if_printf(ifp, "received %s from %s rssi %d\n", 633 ieee80211_mgt_subtype_name[subtype >> 634 IEEE80211_FC0_SUBTYPE_SHIFT], 635 ether_sprintf(wh->i_addr2), rssi); 636 } 637#endif 638 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 639 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 640 wh, NULL, "%s", "WEP set but not permitted"); 641 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 642 goto out; 643 } 644 if (bpf_peers_present(vap->iv_rawbpf)) 645 bpf_mtap(vap->iv_rawbpf, m); 646 vap->iv_recv_mgmt(ni, m, subtype, rssi, noise, rstamp); 647 m_freem(m); 648 return IEEE80211_FC0_TYPE_MGT; 649 650 case IEEE80211_FC0_TYPE_CTL: 651 vap->iv_stats.is_rx_ctl++; 652 IEEE80211_NODE_STAT(ni, rx_ctrl); 653 goto out; 654 default: 655 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 656 wh, "bad", "frame type 0x%x", type); 657 /* should not come here */ 658 break; 659 } 660err: 661 ifp->if_ierrors++; 662out: 663 if (m != NULL) { 664 if (bpf_peers_present(vap->iv_rawbpf) && need_tap) 665 bpf_mtap(vap->iv_rawbpf, m); 666 m_freem(m); 667 } 668 return type; 669#undef SEQ_LEQ 670} 671 672static int 673is11bclient(const uint8_t *rates, const uint8_t *xrates) 674{ 675 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 676 int i; 677 678 /* NB: the 11b clients we care about will not have xrates */ 679 if (xrates != NULL || rates == NULL) 680 return 0; 681 for (i = 0; i < rates[1]; i++) { 682 int r = rates[2+i] & IEEE80211_RATE_VAL; 683 if (r > 2*11 || ((1<<r) & brates) == 0) 684 return 0; 685 } 686 return 1; 687} 688 689static void 690adhoc_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 691 int subtype, int rssi, int noise, uint32_t rstamp) 692{ 693 struct ieee80211vap *vap = ni->ni_vap; 694 struct ieee80211com *ic = ni->ni_ic; 695 struct ieee80211_frame *wh; 696 uint8_t *frm, *efrm, *sfrm; 697 uint8_t *ssid, *rates, *xrates; 698 699 wh = mtod(m0, struct ieee80211_frame *); 700 frm = (uint8_t *)&wh[1]; 701 efrm = mtod(m0, uint8_t *) + m0->m_len; 702 switch (subtype) { 703 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 704 case IEEE80211_FC0_SUBTYPE_BEACON: { 705 struct ieee80211_scanparams scan; 706 /* 707 * We process beacon/probe response 708 * frames to discover neighbors. 709 */ 710 if (ieee80211_parse_beacon(ni, m0, &scan) != 0) 711 return; 712 /* 713 * Count frame now that we know it's to be processed. 714 */ 715 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 716 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 717 IEEE80211_NODE_STAT(ni, rx_beacons); 718 } else 719 IEEE80211_NODE_STAT(ni, rx_proberesp); 720 /* 721 * If scanning, just pass information to the scan module. 722 */ 723 if (ic->ic_flags & IEEE80211_F_SCAN) { 724 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) { 725 /* 726 * Actively scanning a channel marked passive; 727 * send a probe request now that we know there 728 * is 802.11 traffic present. 729 * 730 * XXX check if the beacon we recv'd gives 731 * us what we need and suppress the probe req 732 */ 733 ieee80211_probe_curchan(vap, 1); 734 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 735 } 736 ieee80211_add_scan(vap, &scan, wh, 737 subtype, rssi, noise, rstamp); 738 return; 739 } 740 if (scan.capinfo & IEEE80211_CAPINFO_IBSS) { 741 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 742 /* 743 * Create a new entry in the neighbor table. 744 */ 745 ni = ieee80211_add_neighbor(vap, wh, &scan); 746 } else if (ni->ni_capinfo == 0) { 747 /* 748 * Update faked node created on transmit. 749 * Note this also updates the tsf. 750 */ 751 ieee80211_init_neighbor(ni, wh, &scan); 752 } else { 753 /* 754 * Record tsf for potential resync. 755 */ 756 memcpy(ni->ni_tstamp.data, scan.tstamp, 757 sizeof(ni->ni_tstamp)); 758 } 759 if (ni != NULL) { 760 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 761 ni->ni_noise = noise; 762 ni->ni_rstamp = rstamp; 763 } 764 } 765 break; 766 } 767 768 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 769 if (vap->iv_state != IEEE80211_S_RUN) { 770 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 771 wh, NULL, "wrong state %s", 772 ieee80211_state_name[vap->iv_state]); 773 vap->iv_stats.is_rx_mgtdiscard++; 774 return; 775 } 776 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 777 /* frame must be directed */ 778 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 779 wh, NULL, "%s", "not unicast"); 780 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 781 return; 782 } 783 784 /* 785 * prreq frame format 786 * [tlv] ssid 787 * [tlv] supported rates 788 * [tlv] extended supported rates 789 */ 790 ssid = rates = xrates = NULL; 791 sfrm = frm; 792 while (efrm - frm > 1) { 793 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 794 switch (*frm) { 795 case IEEE80211_ELEMID_SSID: 796 ssid = frm; 797 break; 798 case IEEE80211_ELEMID_RATES: 799 rates = frm; 800 break; 801 case IEEE80211_ELEMID_XRATES: 802 xrates = frm; 803 break; 804 } 805 frm += frm[1] + 2; 806 } 807 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 808 if (xrates != NULL) 809 IEEE80211_VERIFY_ELEMENT(xrates, 810 IEEE80211_RATE_MAXSIZE - rates[1], return); 811 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 812 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 813 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 814 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 815 wh, NULL, 816 "%s", "no ssid with ssid suppression enabled"); 817 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 818 return; 819 } 820 821 /* XXX find a better class or define it's own */ 822 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 823 "%s", "recv probe req"); 824 /* 825 * Some legacy 11b clients cannot hack a complete 826 * probe response frame. When the request includes 827 * only a bare-bones rate set, communicate this to 828 * the transmit side. 829 */ 830 ieee80211_send_proberesp(vap, wh->i_addr2, 831 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 832 break; 833 834 case IEEE80211_FC0_SUBTYPE_ACTION: { 835 const struct ieee80211_action *ia; 836 837 if (vap->iv_state != IEEE80211_S_RUN) { 838 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 839 wh, NULL, "wrong state %s", 840 ieee80211_state_name[vap->iv_state]); 841 vap->iv_stats.is_rx_mgtdiscard++; 842 return; 843 } 844 /* 845 * action frame format: 846 * [1] category 847 * [1] action 848 * [tlv] parameters 849 */ 850 IEEE80211_VERIFY_LENGTH(efrm - frm, 851 sizeof(struct ieee80211_action), return); 852 ia = (const struct ieee80211_action *) frm; 853 854 vap->iv_stats.is_rx_action++; 855 IEEE80211_NODE_STAT(ni, rx_action); 856 857 /* verify frame payloads but defer processing */ 858 /* XXX maybe push this to method */ 859 switch (ia->ia_category) { 860 case IEEE80211_ACTION_CAT_BA: 861 switch (ia->ia_action) { 862 case IEEE80211_ACTION_BA_ADDBA_REQUEST: 863 IEEE80211_VERIFY_LENGTH(efrm - frm, 864 sizeof(struct ieee80211_action_ba_addbarequest), 865 return); 866 break; 867 case IEEE80211_ACTION_BA_ADDBA_RESPONSE: 868 IEEE80211_VERIFY_LENGTH(efrm - frm, 869 sizeof(struct ieee80211_action_ba_addbaresponse), 870 return); 871 break; 872 case IEEE80211_ACTION_BA_DELBA: 873 IEEE80211_VERIFY_LENGTH(efrm - frm, 874 sizeof(struct ieee80211_action_ba_delba), 875 return); 876 break; 877 } 878 break; 879 case IEEE80211_ACTION_CAT_HT: 880 switch (ia->ia_action) { 881 case IEEE80211_ACTION_HT_TXCHWIDTH: 882 IEEE80211_VERIFY_LENGTH(efrm - frm, 883 sizeof(struct ieee80211_action_ht_txchwidth), 884 return); 885 break; 886 } 887 break; 888 } 889 ic->ic_recv_action(ni, frm, efrm); 890 break; 891 } 892 893 case IEEE80211_FC0_SUBTYPE_AUTH: 894 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 895 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 896 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 897 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 898 case IEEE80211_FC0_SUBTYPE_DEAUTH: 899 case IEEE80211_FC0_SUBTYPE_DISASSOC: 900 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 901 wh, NULL, "%s", "not handled"); 902 vap->iv_stats.is_rx_mgtdiscard++; 903 return; 904 905 default: 906 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 907 wh, "mgt", "subtype 0x%x not handled", subtype); 908 vap->iv_stats.is_rx_badsubtype++; 909 break; 910 } 911} 912#undef IEEE80211_VERIFY_LENGTH 913#undef IEEE80211_VERIFY_ELEMENT 914 915static void 916ahdemo_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 917 int subtype, int rssi, int noise, uint32_t rstamp) 918{ 919 struct ieee80211vap *vap = ni->ni_vap; 920 struct ieee80211com *ic = ni->ni_ic; 921 922 /* 923 * Process management frames when scanning; useful for doing 924 * a site-survey. 925 */ 926 if (ic->ic_flags & IEEE80211_F_SCAN) 927 adhoc_recv_mgmt(ni, m0, subtype, rssi, noise, rstamp); 928 else 929 vap->iv_stats.is_rx_mgtdiscard++; 930} 931