ieee80211_input.c revision 170360
1/*- 2 * Copyright (c) 2001 Atsushi Onoe 3 * Copyright (c) 2002-2007 Sam Leffler, Errno Consulting 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27#include <sys/cdefs.h> 28__FBSDID("$FreeBSD: head/sys/net80211/ieee80211_input.c 170360 2007-06-06 04:56:04Z sam $"); 29 30#include <sys/param.h> 31#include <sys/systm.h> 32#include <sys/mbuf.h> 33#include <sys/malloc.h> 34#include <sys/endian.h> 35#include <sys/kernel.h> 36 37#include <sys/socket.h> 38 39#include <net/if.h> 40#include <net/if_media.h> 41#include <net/ethernet.h> 42#include <net/if_llc.h> 43#include <net/if_vlan_var.h> 44 45#include <net80211/ieee80211_var.h> 46 47#include <net/bpf.h> 48 49#ifdef IEEE80211_DEBUG 50#include <machine/stdarg.h> 51 52/* 53 * Decide if a received management frame should be 54 * printed when debugging is enabled. This filters some 55 * of the less interesting frames that come frequently 56 * (e.g. beacons). 57 */ 58static __inline int 59doprint(struct ieee80211com *ic, int subtype) 60{ 61 switch (subtype) { 62 case IEEE80211_FC0_SUBTYPE_BEACON: 63 return (ic->ic_flags & IEEE80211_F_SCAN); 64 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 65 return (ic->ic_opmode == IEEE80211_M_IBSS); 66 } 67 return 1; 68} 69 70static const u_int8_t *ieee80211_getbssid(struct ieee80211com *, 71 const struct ieee80211_frame *); 72#endif /* IEEE80211_DEBUG */ 73 74static struct mbuf *ieee80211_defrag(struct ieee80211com *, 75 struct ieee80211_node *, struct mbuf *, int); 76static struct mbuf *ieee80211_decap(struct ieee80211com *, struct mbuf *, int); 77static void ieee80211_send_error(struct ieee80211com *, struct ieee80211_node *, 78 const u_int8_t *mac, int subtype, int arg); 79static void ieee80211_deliver_data(struct ieee80211com *, 80 struct ieee80211_node *, struct mbuf *); 81static void ieee80211_node_pwrsave(struct ieee80211_node *, int enable); 82static void ieee80211_recv_pspoll(struct ieee80211com *, 83 struct ieee80211_node *, struct mbuf *); 84 85/* 86 * Process a received frame. The node associated with the sender 87 * should be supplied. If nothing was found in the node table then 88 * the caller is assumed to supply a reference to ic_bss instead. 89 * The RSSI and a timestamp are also supplied. The RSSI data is used 90 * during AP scanning to select a AP to associate with; it can have 91 * any units so long as values have consistent units and higher values 92 * mean ``better signal''. The receive timestamp is currently not used 93 * by the 802.11 layer. 94 */ 95int 96ieee80211_input(struct ieee80211com *ic, struct mbuf *m, 97 struct ieee80211_node *ni, int rssi, u_int32_t rstamp) 98{ 99#define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 100#define HAS_SEQ(type) ((type & 0x4) == 0) 101 struct ifnet *ifp = ic->ic_ifp; 102 struct ieee80211_frame *wh; 103 struct ieee80211_key *key; 104 struct ether_header *eh; 105 int hdrspace; 106 u_int8_t dir, type, subtype; 107 u_int8_t *bssid; 108 u_int16_t rxseq; 109 110 KASSERT(ni != NULL, ("null node")); 111 ni->ni_inact = ni->ni_inact_reload; 112 113 /* trim CRC here so WEP can find its own CRC at the end of packet. */ 114 if (m->m_flags & M_HASFCS) { 115 m_adj(m, -IEEE80211_CRC_LEN); 116 m->m_flags &= ~M_HASFCS; 117 } 118 type = -1; /* undefined */ 119 /* 120 * In monitor mode, send everything directly to bpf. 121 * XXX may want to include the CRC 122 */ 123 if (ic->ic_opmode == IEEE80211_M_MONITOR) 124 goto out; 125 126 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 127 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 128 ni->ni_macaddr, NULL, 129 "too short (1): len %u", m->m_pkthdr.len); 130 ic->ic_stats.is_rx_tooshort++; 131 goto out; 132 } 133 /* 134 * Bit of a cheat here, we use a pointer for a 3-address 135 * frame format but don't reference fields past outside 136 * ieee80211_frame_min w/o first validating the data is 137 * present. 138 */ 139 wh = mtod(m, struct ieee80211_frame *); 140 141 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 142 IEEE80211_FC0_VERSION_0) { 143 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 144 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]); 145 ic->ic_stats.is_rx_badversion++; 146 goto err; 147 } 148 149 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 150 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 151 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 152 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 153 switch (ic->ic_opmode) { 154 case IEEE80211_M_STA: 155 bssid = wh->i_addr2; 156 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) { 157 /* not interested in */ 158 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 159 bssid, NULL, "%s", "not to bss"); 160 ic->ic_stats.is_rx_wrongbss++; 161 goto out; 162 } 163 break; 164 case IEEE80211_M_IBSS: 165 case IEEE80211_M_AHDEMO: 166 case IEEE80211_M_HOSTAP: 167 if (dir != IEEE80211_FC1_DIR_NODS) 168 bssid = wh->i_addr1; 169 else if (type == IEEE80211_FC0_TYPE_CTL) 170 bssid = wh->i_addr1; 171 else { 172 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 173 IEEE80211_DISCARD_MAC(ic, 174 IEEE80211_MSG_ANY, ni->ni_macaddr, 175 NULL, "too short (2): len %u", 176 m->m_pkthdr.len); 177 ic->ic_stats.is_rx_tooshort++; 178 goto out; 179 } 180 bssid = wh->i_addr3; 181 } 182 if (type != IEEE80211_FC0_TYPE_DATA) 183 break; 184 /* 185 * Data frame, validate the bssid. 186 */ 187 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) && 188 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 189 /* not interested in */ 190 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 191 bssid, NULL, "%s", "not to bss"); 192 ic->ic_stats.is_rx_wrongbss++; 193 goto out; 194 } 195 /* 196 * For adhoc mode we cons up a node when it doesn't 197 * exist. This should probably done after an ACL check. 198 */ 199 if (ni == ic->ic_bss && 200 ic->ic_opmode != IEEE80211_M_HOSTAP && 201 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 202 /* 203 * Fake up a node for this newly 204 * discovered member of the IBSS. 205 */ 206 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 207 wh->i_addr2); 208 if (ni == NULL) { 209 /* NB: stat kept for alloc failure */ 210 goto err; 211 } 212 } 213 break; 214 default: 215 goto out; 216 } 217 ni->ni_rssi = rssi; 218 ni->ni_rstamp = rstamp; 219 if (HAS_SEQ(type)) { 220 u_int8_t tid; 221 if (IEEE80211_QOS_HAS_SEQ(wh)) { 222 tid = ((struct ieee80211_qosframe *)wh)-> 223 i_qos[0] & IEEE80211_QOS_TID; 224 if (TID_TO_WME_AC(tid) >= WME_AC_VI) 225 ic->ic_wme.wme_hipri_traffic++; 226 tid++; 227 } else 228 tid = IEEE80211_NONQOS_TID; 229 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 230 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 231 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) { 232 /* duplicate, discard */ 233 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 234 bssid, "duplicate", 235 "seqno <%u,%u> fragno <%u,%u> tid %u", 236 rxseq >> IEEE80211_SEQ_SEQ_SHIFT, 237 ni->ni_rxseqs[tid] >> 238 IEEE80211_SEQ_SEQ_SHIFT, 239 rxseq & IEEE80211_SEQ_FRAG_MASK, 240 ni->ni_rxseqs[tid] & 241 IEEE80211_SEQ_FRAG_MASK, 242 tid); 243 ic->ic_stats.is_rx_dup++; 244 IEEE80211_NODE_STAT(ni, rx_dup); 245 goto out; 246 } 247 ni->ni_rxseqs[tid] = rxseq; 248 } 249 } 250 251 switch (type) { 252 case IEEE80211_FC0_TYPE_DATA: 253 hdrspace = ieee80211_hdrspace(ic, wh); 254 if (m->m_len < hdrspace && 255 (m = m_pullup(m, hdrspace)) == NULL) { 256 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 257 ni->ni_macaddr, NULL, 258 "data too short: expecting %u", hdrspace); 259 ic->ic_stats.is_rx_tooshort++; 260 goto out; /* XXX */ 261 } 262 switch (ic->ic_opmode) { 263 case IEEE80211_M_STA: 264 if (dir != IEEE80211_FC1_DIR_FROMDS) { 265 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 266 wh, "data", "%s", "unknown dir 0x%x", dir); 267 ic->ic_stats.is_rx_wrongdir++; 268 goto out; 269 } 270 if ((ifp->if_flags & IFF_SIMPLEX) && 271 IEEE80211_IS_MULTICAST(wh->i_addr1) && 272 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 273 /* 274 * In IEEE802.11 network, multicast packet 275 * sent from me is broadcasted from AP. 276 * It should be silently discarded for 277 * SIMPLEX interface. 278 */ 279 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 280 wh, NULL, "%s", "multicast echo"); 281 ic->ic_stats.is_rx_mcastecho++; 282 goto out; 283 } 284 break; 285 case IEEE80211_M_IBSS: 286 case IEEE80211_M_AHDEMO: 287 if (dir != IEEE80211_FC1_DIR_NODS) { 288 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 289 wh, "data", "%s", "unknown dir 0x%x", dir); 290 ic->ic_stats.is_rx_wrongdir++; 291 goto out; 292 } 293 /* XXX no power-save support */ 294 break; 295 case IEEE80211_M_HOSTAP: 296 if (dir != IEEE80211_FC1_DIR_TODS) { 297 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 298 wh, "data", "%s", "unknown dir 0x%x", dir); 299 ic->ic_stats.is_rx_wrongdir++; 300 goto out; 301 } 302 /* check if source STA is associated */ 303 if (ni == ic->ic_bss) { 304 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 305 wh, "data", "%s", "unknown src"); 306 ieee80211_send_error(ic, ni, wh->i_addr2, 307 IEEE80211_FC0_SUBTYPE_DEAUTH, 308 IEEE80211_REASON_NOT_AUTHED); 309 ic->ic_stats.is_rx_notassoc++; 310 goto err; 311 } 312 if (ni->ni_associd == 0) { 313 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 314 wh, "data", "%s", "unassoc src"); 315 IEEE80211_SEND_MGMT(ic, ni, 316 IEEE80211_FC0_SUBTYPE_DISASSOC, 317 IEEE80211_REASON_NOT_ASSOCED); 318 ic->ic_stats.is_rx_notassoc++; 319 goto err; 320 } 321 322 /* 323 * Check for power save state change. 324 */ 325 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 326 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 327 ieee80211_node_pwrsave(ni, 328 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 329 break; 330 default: 331 /* XXX here to keep compiler happy */ 332 goto out; 333 } 334 335 /* 336 * Handle privacy requirements. Note that we 337 * must not be preempted from here until after 338 * we (potentially) call ieee80211_crypto_demic; 339 * otherwise we may violate assumptions in the 340 * crypto cipher modules used to do delayed update 341 * of replay sequence numbers. 342 */ 343 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 344 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 345 /* 346 * Discard encrypted frames when privacy is off. 347 */ 348 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 349 wh, "WEP", "%s", "PRIVACY off"); 350 ic->ic_stats.is_rx_noprivacy++; 351 IEEE80211_NODE_STAT(ni, rx_noprivacy); 352 goto out; 353 } 354 key = ieee80211_crypto_decap(ic, ni, m, hdrspace); 355 if (key == NULL) { 356 /* NB: stats+msgs handled in crypto_decap */ 357 IEEE80211_NODE_STAT(ni, rx_wepfail); 358 goto out; 359 } 360 wh = mtod(m, struct ieee80211_frame *); 361 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 362 } else { 363 key = NULL; 364 } 365 366 /* 367 * Next up, any fragmentation. 368 */ 369 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 370 m = ieee80211_defrag(ic, ni, m, hdrspace); 371 if (m == NULL) { 372 /* Fragment dropped or frame not complete yet */ 373 goto out; 374 } 375 } 376 wh = NULL; /* no longer valid, catch any uses */ 377 378 /* 379 * Next strip any MSDU crypto bits. 380 */ 381 if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) { 382 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 383 ni->ni_macaddr, "data", "%s", "demic error"); 384 ic->ic_stats.is_rx_demicfail++; 385 IEEE80211_NODE_STAT(ni, rx_demicfail); 386 goto out; 387 } 388 389 /* copy to listener after decrypt */ 390 if (bpf_peers_present(ic->ic_rawbpf)) 391 bpf_mtap(ic->ic_rawbpf, m); 392 393 /* 394 * Finally, strip the 802.11 header. 395 */ 396 m = ieee80211_decap(ic, m, hdrspace); 397 if (m == NULL) { 398 /* don't count Null data frames as errors */ 399 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA) 400 goto out; 401 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 402 ni->ni_macaddr, "data", "%s", "decap error"); 403 ic->ic_stats.is_rx_decap++; 404 IEEE80211_NODE_STAT(ni, rx_decap); 405 goto err; 406 } 407 eh = mtod(m, struct ether_header *); 408 if (!ieee80211_node_is_authorized(ni)) { 409 /* 410 * Deny any non-PAE frames received prior to 411 * authorization. For open/shared-key 412 * authentication the port is mark authorized 413 * after authentication completes. For 802.1x 414 * the port is not marked authorized by the 415 * authenticator until the handshake has completed. 416 */ 417 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 418 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 419 eh->ether_shost, "data", 420 "unauthorized port: ether type 0x%x len %u", 421 eh->ether_type, m->m_pkthdr.len); 422 ic->ic_stats.is_rx_unauth++; 423 IEEE80211_NODE_STAT(ni, rx_unauth); 424 goto err; 425 } 426 } else { 427 /* 428 * When denying unencrypted frames, discard 429 * any non-PAE frames received without encryption. 430 */ 431 if ((ic->ic_flags & IEEE80211_F_DROPUNENC) && 432 key == NULL && 433 eh->ether_type != htons(ETHERTYPE_PAE)) { 434 /* 435 * Drop unencrypted frames. 436 */ 437 ic->ic_stats.is_rx_unencrypted++; 438 IEEE80211_NODE_STAT(ni, rx_unencrypted); 439 goto out; 440 } 441 } 442 ieee80211_deliver_data(ic, ni, m); 443 return IEEE80211_FC0_TYPE_DATA; 444 445 case IEEE80211_FC0_TYPE_MGT: 446 ic->ic_stats.is_rx_mgmt++; 447 IEEE80211_NODE_STAT(ni, rx_mgmt); 448 if (dir != IEEE80211_FC1_DIR_NODS) { 449 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 450 wh, "data", "%s", "unknown dir 0x%x", dir); 451 ic->ic_stats.is_rx_wrongdir++; 452 goto err; 453 } 454 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 455 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 456 ni->ni_macaddr, "mgt", "too short: len %u", 457 m->m_pkthdr.len); 458 ic->ic_stats.is_rx_tooshort++; 459 goto out; 460 } 461#ifdef IEEE80211_DEBUG 462 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) || 463 ieee80211_msg_dumppkts(ic)) { 464 if_printf(ic->ic_ifp, "received %s from %s rssi %d\n", 465 ieee80211_mgt_subtype_name[subtype >> 466 IEEE80211_FC0_SUBTYPE_SHIFT], 467 ether_sprintf(wh->i_addr2), rssi); 468 } 469#endif 470 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 471 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 472 /* 473 * Only shared key auth frames with a challenge 474 * should be encrypted, discard all others. 475 */ 476 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 477 wh, ieee80211_mgt_subtype_name[subtype >> 478 IEEE80211_FC0_SUBTYPE_SHIFT], 479 "%s", "WEP set but not permitted"); 480 ic->ic_stats.is_rx_mgtdiscard++; /* XXX */ 481 goto out; 482 } 483 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 484 /* 485 * Discard encrypted frames when privacy is off. 486 */ 487 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 488 wh, "mgt", "%s", "WEP set but PRIVACY off"); 489 ic->ic_stats.is_rx_noprivacy++; 490 goto out; 491 } 492 hdrspace = ieee80211_hdrspace(ic, wh); 493 key = ieee80211_crypto_decap(ic, ni, m, hdrspace); 494 if (key == NULL) { 495 /* NB: stats+msgs handled in crypto_decap */ 496 goto out; 497 } 498 wh = mtod(m, struct ieee80211_frame *); 499 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 500 } 501 if (bpf_peers_present(ic->ic_rawbpf)) 502 bpf_mtap(ic->ic_rawbpf, m); 503 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp); 504 m_freem(m); 505 return type; 506 507 case IEEE80211_FC0_TYPE_CTL: 508 ic->ic_stats.is_rx_ctl++; 509 IEEE80211_NODE_STAT(ni, rx_ctrl); 510 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 511 switch (subtype) { 512 case IEEE80211_FC0_SUBTYPE_PS_POLL: 513 ieee80211_recv_pspoll(ic, ni, m); 514 break; 515 } 516 } 517 goto out; 518 default: 519 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 520 wh, NULL, "bad frame type 0x%x", type); 521 /* should not come here */ 522 break; 523 } 524err: 525 ifp->if_ierrors++; 526out: 527 if (m != NULL) { 528 if (bpf_peers_present(ic->ic_rawbpf)) 529 bpf_mtap(ic->ic_rawbpf, m); 530 m_freem(m); 531 } 532 return type; 533#undef SEQ_LEQ 534} 535 536/* 537 * This function reassemble fragments. 538 */ 539static struct mbuf * 540ieee80211_defrag(struct ieee80211com *ic, struct ieee80211_node *ni, 541 struct mbuf *m, int hdrspace) 542{ 543 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 544 struct ieee80211_frame *lwh; 545 u_int16_t rxseq; 546 u_int8_t fragno; 547 u_int8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG; 548 struct mbuf *mfrag; 549 550 KASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?")); 551 552 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 553 fragno = rxseq & IEEE80211_SEQ_FRAG_MASK; 554 555 /* Quick way out, if there's nothing to defragment */ 556 if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL) 557 return m; 558 559 /* 560 * Remove frag to insure it doesn't get reaped by timer. 561 */ 562 if (ni->ni_table == NULL) { 563 /* 564 * Should never happen. If the node is orphaned (not in 565 * the table) then input packets should not reach here. 566 * Otherwise, a concurrent request that yanks the table 567 * should be blocked by other interlocking and/or by first 568 * shutting the driver down. Regardless, be defensive 569 * here and just bail 570 */ 571 /* XXX need msg+stat */ 572 m_freem(m); 573 return NULL; 574 } 575 IEEE80211_NODE_LOCK(ni->ni_table); 576 mfrag = ni->ni_rxfrag[0]; 577 ni->ni_rxfrag[0] = NULL; 578 IEEE80211_NODE_UNLOCK(ni->ni_table); 579 580 /* 581 * Validate new fragment is in order and 582 * related to the previous ones. 583 */ 584 if (mfrag != NULL) { 585 u_int16_t last_rxseq; 586 587 lwh = mtod(mfrag, struct ieee80211_frame *); 588 last_rxseq = le16toh(*(u_int16_t *)lwh->i_seq); 589 /* NB: check seq # and frag together */ 590 if (rxseq != last_rxseq+1 || 591 !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) || 592 !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) { 593 /* 594 * Unrelated fragment or no space for it, 595 * clear current fragments. 596 */ 597 m_freem(mfrag); 598 mfrag = NULL; 599 } 600 } 601 602 if (mfrag == NULL) { 603 if (fragno != 0) { /* !first fragment, discard */ 604 ic->ic_stats.is_rx_defrag++; 605 IEEE80211_NODE_STAT(ni, rx_defrag); 606 m_freem(m); 607 return NULL; 608 } 609 mfrag = m; 610 } else { /* concatenate */ 611 m_adj(m, hdrspace); /* strip header */ 612 m_cat(mfrag, m); 613 /* NB: m_cat doesn't update the packet header */ 614 mfrag->m_pkthdr.len += m->m_pkthdr.len; 615 /* track last seqnum and fragno */ 616 lwh = mtod(mfrag, struct ieee80211_frame *); 617 *(u_int16_t *) lwh->i_seq = *(u_int16_t *) wh->i_seq; 618 } 619 if (more_frag) { /* more to come, save */ 620 ni->ni_rxfragstamp = ticks; 621 ni->ni_rxfrag[0] = mfrag; 622 mfrag = NULL; 623 } 624 return mfrag; 625} 626 627static void 628ieee80211_deliver_data(struct ieee80211com *ic, 629 struct ieee80211_node *ni, struct mbuf *m) 630{ 631 struct ether_header *eh = mtod(m, struct ether_header *); 632 struct ifnet *ifp = ic->ic_ifp; 633 634 /* 635 * Do accounting. 636 */ 637 ifp->if_ipackets++; 638 IEEE80211_NODE_STAT(ni, rx_data); 639 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 640 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 641 m->m_flags |= M_MCAST; /* XXX M_BCAST? */ 642 IEEE80211_NODE_STAT(ni, rx_mcast); 643 } else 644 IEEE80211_NODE_STAT(ni, rx_ucast); 645 646 /* perform as a bridge within the AP */ 647 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 648 (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) { 649 struct mbuf *m1 = NULL; 650 651 if (m->m_flags & M_MCAST) { 652 m1 = m_dup(m, M_DONTWAIT); 653 if (m1 == NULL) 654 ifp->if_oerrors++; 655 else 656 m1->m_flags |= M_MCAST; 657 } else { 658 /* 659 * Check if the destination is known; if so 660 * and the port is authorized dispatch directly. 661 */ 662 struct ieee80211_node *sta = 663 ieee80211_find_node(&ic->ic_sta, eh->ether_dhost); 664 if (sta != NULL) { 665 if (ieee80211_node_is_authorized(sta)) { 666 /* 667 * Beware of sending to ourself; this 668 * needs to happen via the normal 669 * input path. 670 */ 671 if (sta != ic->ic_bss) { 672 m1 = m; 673 m = NULL; 674 } 675 } else { 676 ic->ic_stats.is_rx_unauth++; 677 IEEE80211_NODE_STAT(sta, rx_unauth); 678 } 679 ieee80211_free_node(sta); 680 } 681 } 682 if (m1 != NULL) 683 (void) IF_HANDOFF(&ifp->if_snd, m1, ifp); 684 } 685 if (m != NULL) { 686 m->m_pkthdr.rcvif = ifp; 687 if (ni->ni_vlan != 0) { 688 /* attach vlan tag */ 689 m->m_pkthdr.ether_vtag = ni->ni_vlan; 690 m->m_flags |= M_VLANTAG; 691 } 692 (*ifp->if_input)(ifp, m); 693 } 694} 695 696static struct mbuf * 697ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 698{ 699 struct ieee80211_qosframe_addr4 wh; /* Max size address frames */ 700 struct ether_header *eh; 701 struct llc *llc; 702 703 if (m->m_len < hdrlen + sizeof(*llc) && 704 (m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) { 705 /* XXX stat, msg */ 706 return NULL; 707 } 708 memcpy(&wh, mtod(m, caddr_t), hdrlen); 709 llc = (struct llc *)(mtod(m, caddr_t) + hdrlen); 710 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP && 711 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 && 712 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) { 713 m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh)); 714 llc = NULL; 715 } else { 716 m_adj(m, hdrlen - sizeof(*eh)); 717 } 718 eh = mtod(m, struct ether_header *); 719 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) { 720 case IEEE80211_FC1_DIR_NODS: 721 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 722 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 723 break; 724 case IEEE80211_FC1_DIR_TODS: 725 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 726 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 727 break; 728 case IEEE80211_FC1_DIR_FROMDS: 729 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 730 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3); 731 break; 732 case IEEE80211_FC1_DIR_DSTODS: 733 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 734 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4); 735 break; 736 } 737#ifdef ALIGNED_POINTER 738 if (!ALIGNED_POINTER(mtod(m, caddr_t) + sizeof(*eh), u_int32_t)) { 739 struct mbuf *n, *n0, **np; 740 caddr_t newdata; 741 int off, pktlen; 742 743 n0 = NULL; 744 np = &n0; 745 off = 0; 746 pktlen = m->m_pkthdr.len; 747 while (pktlen > off) { 748 if (n0 == NULL) { 749 MGETHDR(n, M_DONTWAIT, MT_DATA); 750 if (n == NULL) { 751 m_freem(m); 752 return NULL; 753 } 754 M_MOVE_PKTHDR(n, m); 755 n->m_len = MHLEN; 756 } else { 757 MGET(n, M_DONTWAIT, MT_DATA); 758 if (n == NULL) { 759 m_freem(m); 760 m_freem(n0); 761 return NULL; 762 } 763 n->m_len = MLEN; 764 } 765 if (pktlen - off >= MINCLSIZE) { 766 MCLGET(n, M_DONTWAIT); 767 if (n->m_flags & M_EXT) 768 n->m_len = n->m_ext.ext_size; 769 } 770 if (n0 == NULL) { 771 newdata = 772 (caddr_t)ALIGN(n->m_data + sizeof(*eh)) - 773 sizeof(*eh); 774 n->m_len -= newdata - n->m_data; 775 n->m_data = newdata; 776 } 777 if (n->m_len > pktlen - off) 778 n->m_len = pktlen - off; 779 m_copydata(m, off, n->m_len, mtod(n, caddr_t)); 780 off += n->m_len; 781 *np = n; 782 np = &n->m_next; 783 } 784 m_freem(m); 785 m = n0; 786 } 787#endif /* ALIGNED_POINTER */ 788 if (llc != NULL) { 789 eh = mtod(m, struct ether_header *); 790 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh)); 791 } 792 return m; 793} 794 795/* 796 * Install received rate set information in the node's state block. 797 */ 798int 799ieee80211_setup_rates(struct ieee80211_node *ni, 800 const u_int8_t *rates, const u_int8_t *xrates, int flags) 801{ 802 struct ieee80211com *ic = ni->ni_ic; 803 struct ieee80211_rateset *rs = &ni->ni_rates; 804 805 memset(rs, 0, sizeof(*rs)); 806 rs->rs_nrates = rates[1]; 807 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 808 if (xrates != NULL) { 809 u_int8_t nxrates; 810 /* 811 * Tack on 11g extended supported rate element. 812 */ 813 nxrates = xrates[1]; 814 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) { 815 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 816 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 817 "[%s] extended rate set too large;" 818 " only using %u of %u rates\n", 819 ether_sprintf(ni->ni_macaddr), nxrates, xrates[1]); 820 ic->ic_stats.is_rx_rstoobig++; 821 } 822 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 823 rs->rs_nrates += nxrates; 824 } 825 return ieee80211_fix_rate(ni, rs, flags); 826} 827 828static void 829ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh, 830 struct ieee80211_node *ni, int rssi, u_int32_t rstamp, u_int16_t seq, 831 u_int16_t status) 832{ 833 834 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 835 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 836 ni->ni_macaddr, "open auth", 837 "bad sta auth mode %u", ni->ni_authmode); 838 ic->ic_stats.is_rx_bad_auth++; /* XXX */ 839 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 840 /* 841 * Clear any challenge text that may be there if 842 * a previous shared key auth failed and then an 843 * open auth is attempted. 844 */ 845 if (ni->ni_challenge != NULL) { 846 FREE(ni->ni_challenge, M_DEVBUF); 847 ni->ni_challenge = NULL; 848 } 849 /* XXX hack to workaround calling convention */ 850 ieee80211_send_error(ic, ni, wh->i_addr2, 851 IEEE80211_FC0_SUBTYPE_AUTH, 852 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 853 } 854 return; 855 } 856 switch (ic->ic_opmode) { 857 case IEEE80211_M_IBSS: 858 case IEEE80211_M_AHDEMO: 859 case IEEE80211_M_MONITOR: 860 /* should not come here */ 861 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 862 ni->ni_macaddr, "open auth", 863 "bad operating mode %u", ic->ic_opmode); 864 break; 865 866 case IEEE80211_M_HOSTAP: 867 if (ic->ic_state != IEEE80211_S_RUN || 868 seq != IEEE80211_AUTH_OPEN_REQUEST) { 869 ic->ic_stats.is_rx_bad_auth++; 870 return; 871 } 872 /* always accept open authentication requests */ 873 if (ni == ic->ic_bss) { 874 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 875 if (ni == NULL) 876 return; 877 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 878 (void) ieee80211_ref_node(ni); 879 /* 880 * Mark the node as referenced to reflect that it's 881 * reference count has been bumped to insure it remains 882 * after the transaction completes. 883 */ 884 ni->ni_flags |= IEEE80211_NODE_AREF; 885 886 IEEE80211_SEND_MGMT(ic, ni, 887 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 888 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 889 "[%s] station authenticated (open)\n", 890 ether_sprintf(ni->ni_macaddr)); 891 /* 892 * When 802.1x is not in use mark the port 893 * authorized at this point so traffic can flow. 894 */ 895 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 896 ieee80211_node_authorize(ni); 897 break; 898 899 case IEEE80211_M_STA: 900 if (ic->ic_state != IEEE80211_S_AUTH || 901 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 902 ic->ic_stats.is_rx_bad_auth++; 903 return; 904 } 905 if (status != 0) { 906 IEEE80211_DPRINTF(ic, 907 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 908 "[%s] open auth failed (reason %d)\n", 909 ether_sprintf(ni->ni_macaddr), status); 910 /* XXX can this happen? */ 911 if (ni != ic->ic_bss) 912 ni->ni_fails++; 913 ic->ic_stats.is_rx_auth_fail++; 914 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 915 } else 916 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 917 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 918 break; 919 } 920} 921 922/* 923 * Send a management frame error response to the specified 924 * station. If ni is associated with the station then use 925 * it; otherwise allocate a temporary node suitable for 926 * transmitting the frame and then free the reference so 927 * it will go away as soon as the frame has been transmitted. 928 */ 929static void 930ieee80211_send_error(struct ieee80211com *ic, struct ieee80211_node *ni, 931 const u_int8_t *mac, int subtype, int arg) 932{ 933 int istmp; 934 935 if (ni == ic->ic_bss) { 936 ni = ieee80211_tmp_node(ic, mac); 937 if (ni == NULL) { 938 /* XXX msg */ 939 return; 940 } 941 istmp = 1; 942 } else 943 istmp = 0; 944 IEEE80211_SEND_MGMT(ic, ni, subtype, arg); 945 if (istmp) 946 ieee80211_free_node(ni); 947} 948 949static int 950alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni) 951{ 952 if (ni->ni_challenge == NULL) 953 MALLOC(ni->ni_challenge, u_int32_t*, IEEE80211_CHALLENGE_LEN, 954 M_DEVBUF, M_NOWAIT); 955 if (ni->ni_challenge == NULL) { 956 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 957 "[%s] shared key challenge alloc failed\n", 958 ether_sprintf(ni->ni_macaddr)); 959 /* XXX statistic */ 960 } 961 return (ni->ni_challenge != NULL); 962} 963 964/* XXX TODO: add statistics */ 965static void 966ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh, 967 u_int8_t *frm, u_int8_t *efrm, struct ieee80211_node *ni, int rssi, 968 u_int32_t rstamp, u_int16_t seq, u_int16_t status) 969{ 970 u_int8_t *challenge; 971 int allocbs, estatus; 972 973 /* 974 * NB: this can happen as we allow pre-shared key 975 * authentication to be enabled w/o wep being turned 976 * on so that configuration of these can be done 977 * in any order. It may be better to enforce the 978 * ordering in which case this check would just be 979 * for sanity/consistency. 980 */ 981 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 982 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 983 ni->ni_macaddr, "shared key auth", 984 "%s", " PRIVACY is disabled"); 985 estatus = IEEE80211_STATUS_ALG; 986 goto bad; 987 } 988 /* 989 * Pre-shared key authentication is evil; accept 990 * it only if explicitly configured (it is supported 991 * mainly for compatibility with clients like OS X). 992 */ 993 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 994 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 995 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 996 ni->ni_macaddr, "shared key auth", 997 "bad sta auth mode %u", ni->ni_authmode); 998 ic->ic_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 999 estatus = IEEE80211_STATUS_ALG; 1000 goto bad; 1001 } 1002 1003 challenge = NULL; 1004 if (frm + 1 < efrm) { 1005 if ((frm[1] + 2) > (efrm - frm)) { 1006 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1007 ni->ni_macaddr, "shared key auth", 1008 "ie %d/%d too long", 1009 frm[0], (frm[1] + 2) - (efrm - frm)); 1010 ic->ic_stats.is_rx_bad_auth++; 1011 estatus = IEEE80211_STATUS_CHALLENGE; 1012 goto bad; 1013 } 1014 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1015 challenge = frm; 1016 frm += frm[1] + 2; 1017 } 1018 switch (seq) { 1019 case IEEE80211_AUTH_SHARED_CHALLENGE: 1020 case IEEE80211_AUTH_SHARED_RESPONSE: 1021 if (challenge == NULL) { 1022 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1023 ni->ni_macaddr, "shared key auth", 1024 "%s", "no challenge"); 1025 ic->ic_stats.is_rx_bad_auth++; 1026 estatus = IEEE80211_STATUS_CHALLENGE; 1027 goto bad; 1028 } 1029 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1030 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1031 ni->ni_macaddr, "shared key auth", 1032 "bad challenge len %d", challenge[1]); 1033 ic->ic_stats.is_rx_bad_auth++; 1034 estatus = IEEE80211_STATUS_CHALLENGE; 1035 goto bad; 1036 } 1037 default: 1038 break; 1039 } 1040 switch (ic->ic_opmode) { 1041 case IEEE80211_M_MONITOR: 1042 case IEEE80211_M_AHDEMO: 1043 case IEEE80211_M_IBSS: 1044 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1045 ni->ni_macaddr, "shared key auth", 1046 "bad operating mode %u", ic->ic_opmode); 1047 return; 1048 case IEEE80211_M_HOSTAP: 1049 if (ic->ic_state != IEEE80211_S_RUN) { 1050 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1051 ni->ni_macaddr, "shared key auth", 1052 "bad state %u", ic->ic_state); 1053 estatus = IEEE80211_STATUS_ALG; /* XXX */ 1054 goto bad; 1055 } 1056 switch (seq) { 1057 case IEEE80211_AUTH_SHARED_REQUEST: 1058 if (ni == ic->ic_bss) { 1059 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 1060 if (ni == NULL) { 1061 /* NB: no way to return an error */ 1062 return; 1063 } 1064 allocbs = 1; 1065 } else { 1066 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1067 (void) ieee80211_ref_node(ni); 1068 allocbs = 0; 1069 } 1070 /* 1071 * Mark the node as referenced to reflect that it's 1072 * reference count has been bumped to insure it remains 1073 * after the transaction completes. 1074 */ 1075 ni->ni_flags |= IEEE80211_NODE_AREF; 1076 ni->ni_rssi = rssi; 1077 ni->ni_rstamp = rstamp; 1078 if (!alloc_challenge(ic, ni)) { 1079 /* NB: don't return error so they rexmit */ 1080 return; 1081 } 1082 get_random_bytes(ni->ni_challenge, 1083 IEEE80211_CHALLENGE_LEN); 1084 IEEE80211_DPRINTF(ic, 1085 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1086 "[%s] shared key %sauth request\n", 1087 ether_sprintf(ni->ni_macaddr), 1088 allocbs ? "" : "re"); 1089 break; 1090 case IEEE80211_AUTH_SHARED_RESPONSE: 1091 if (ni == ic->ic_bss) { 1092 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1093 ni->ni_macaddr, "shared key response", 1094 "%s", "unknown station"); 1095 /* NB: don't send a response */ 1096 return; 1097 } 1098 if (ni->ni_challenge == NULL) { 1099 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1100 ni->ni_macaddr, "shared key response", 1101 "%s", "no challenge recorded"); 1102 ic->ic_stats.is_rx_bad_auth++; 1103 estatus = IEEE80211_STATUS_CHALLENGE; 1104 goto bad; 1105 } 1106 if (memcmp(ni->ni_challenge, &challenge[2], 1107 challenge[1]) != 0) { 1108 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1109 ni->ni_macaddr, "shared key response", 1110 "%s", "challenge mismatch"); 1111 ic->ic_stats.is_rx_auth_fail++; 1112 estatus = IEEE80211_STATUS_CHALLENGE; 1113 goto bad; 1114 } 1115 IEEE80211_DPRINTF(ic, 1116 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1117 "[%s] station authenticated (shared key)\n", 1118 ether_sprintf(ni->ni_macaddr)); 1119 ieee80211_node_authorize(ni); 1120 break; 1121 default: 1122 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1123 ni->ni_macaddr, "shared key auth", 1124 "bad seq %d", seq); 1125 ic->ic_stats.is_rx_bad_auth++; 1126 estatus = IEEE80211_STATUS_SEQUENCE; 1127 goto bad; 1128 } 1129 IEEE80211_SEND_MGMT(ic, ni, 1130 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1131 break; 1132 1133 case IEEE80211_M_STA: 1134 if (ic->ic_state != IEEE80211_S_AUTH) 1135 return; 1136 switch (seq) { 1137 case IEEE80211_AUTH_SHARED_PASS: 1138 if (ni->ni_challenge != NULL) { 1139 FREE(ni->ni_challenge, M_DEVBUF); 1140 ni->ni_challenge = NULL; 1141 } 1142 if (status != 0) { 1143 IEEE80211_DPRINTF(ic, 1144 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1145 "[%s] shared key auth failed (reason %d)\n", 1146 ether_sprintf(ieee80211_getbssid(ic, wh)), 1147 status); 1148 /* XXX can this happen? */ 1149 if (ni != ic->ic_bss) 1150 ni->ni_fails++; 1151 ic->ic_stats.is_rx_auth_fail++; 1152 return; 1153 } 1154 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1155 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1156 break; 1157 case IEEE80211_AUTH_SHARED_CHALLENGE: 1158 if (!alloc_challenge(ic, ni)) 1159 return; 1160 /* XXX could optimize by passing recvd challenge */ 1161 memcpy(ni->ni_challenge, &challenge[2], challenge[1]); 1162 IEEE80211_SEND_MGMT(ic, ni, 1163 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1164 break; 1165 default: 1166 IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH, 1167 wh, "shared key auth", "bad seq %d", seq); 1168 ic->ic_stats.is_rx_bad_auth++; 1169 return; 1170 } 1171 break; 1172 } 1173 return; 1174bad: 1175 /* 1176 * Send an error response; but only when operating as an AP. 1177 */ 1178 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1179 /* XXX hack to workaround calling convention */ 1180 ieee80211_send_error(ic, ni, wh->i_addr2, 1181 IEEE80211_FC0_SUBTYPE_AUTH, 1182 (seq + 1) | (estatus<<16)); 1183 } else if (ic->ic_opmode == IEEE80211_M_STA) { 1184 /* 1185 * Kick the state machine. This short-circuits 1186 * using the mgt frame timeout to trigger the 1187 * state transition. 1188 */ 1189 if (ic->ic_state == IEEE80211_S_AUTH) 1190 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1191 } 1192} 1193 1194/* Verify the existence and length of __elem or get out. */ 1195#define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \ 1196 if ((__elem) == NULL) { \ 1197 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1198 wh, ieee80211_mgt_subtype_name[subtype >> \ 1199 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1200 "%s", "no " #__elem ); \ 1201 ic->ic_stats.is_rx_elem_missing++; \ 1202 return; \ 1203 } \ 1204 if ((__elem)[1] > (__maxlen)) { \ 1205 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1206 wh, ieee80211_mgt_subtype_name[subtype >> \ 1207 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1208 "bad " #__elem " len %d", (__elem)[1]); \ 1209 ic->ic_stats.is_rx_elem_toobig++; \ 1210 return; \ 1211 } \ 1212} while (0) 1213 1214#define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \ 1215 if ((_len) < (_minlen)) { \ 1216 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1217 wh, ieee80211_mgt_subtype_name[subtype >> \ 1218 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1219 "ie too short, got %d, expected %d", \ 1220 (_len), (_minlen)); \ 1221 ic->ic_stats.is_rx_elem_toosmall++; \ 1222 return; \ 1223 } \ 1224} while (0) 1225 1226#ifdef IEEE80211_DEBUG 1227static void 1228ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag, 1229 u_int8_t mac[IEEE80211_ADDR_LEN], u_int8_t *ssid) 1230{ 1231 printf("[%s] discard %s frame, ssid mismatch: ", 1232 ether_sprintf(mac), tag); 1233 ieee80211_print_essid(ssid + 2, ssid[1]); 1234 printf("\n"); 1235} 1236 1237#define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1238 if ((_ssid)[1] != 0 && \ 1239 ((_ssid)[1] != (_ni)->ni_esslen || \ 1240 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1241 if (ieee80211_msg_input(ic)) \ 1242 ieee80211_ssid_mismatch(ic, \ 1243 ieee80211_mgt_subtype_name[subtype >> \ 1244 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1245 wh->i_addr2, _ssid); \ 1246 ic->ic_stats.is_rx_ssidmismatch++; \ 1247 return; \ 1248 } \ 1249} while (0) 1250#else /* !IEEE80211_DEBUG */ 1251#define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1252 if ((_ssid)[1] != 0 && \ 1253 ((_ssid)[1] != (_ni)->ni_esslen || \ 1254 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1255 ic->ic_stats.is_rx_ssidmismatch++; \ 1256 return; \ 1257 } \ 1258} while (0) 1259#endif /* !IEEE80211_DEBUG */ 1260 1261/* unalligned little endian access */ 1262#define LE_READ_2(p) \ 1263 ((u_int16_t) \ 1264 ((((const u_int8_t *)(p))[0] ) | \ 1265 (((const u_int8_t *)(p))[1] << 8))) 1266#define LE_READ_4(p) \ 1267 ((u_int32_t) \ 1268 ((((const u_int8_t *)(p))[0] ) | \ 1269 (((const u_int8_t *)(p))[1] << 8) | \ 1270 (((const u_int8_t *)(p))[2] << 16) | \ 1271 (((const u_int8_t *)(p))[3] << 24))) 1272 1273static __inline int 1274iswpaoui(const u_int8_t *frm) 1275{ 1276 return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI); 1277} 1278 1279static __inline int 1280iswmeoui(const u_int8_t *frm) 1281{ 1282 return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI); 1283} 1284 1285static __inline int 1286iswmeparam(const u_int8_t *frm) 1287{ 1288 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1289 frm[6] == WME_PARAM_OUI_SUBTYPE; 1290} 1291 1292static __inline int 1293iswmeinfo(const u_int8_t *frm) 1294{ 1295 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1296 frm[6] == WME_INFO_OUI_SUBTYPE; 1297} 1298 1299static __inline int 1300isatherosoui(const u_int8_t *frm) 1301{ 1302 return frm[1] > 3 && LE_READ_4(frm+2) == ((ATH_OUI_TYPE<<24)|ATH_OUI); 1303} 1304 1305/* 1306 * Convert a WPA cipher selector OUI to an internal 1307 * cipher algorithm. Where appropriate we also 1308 * record any key length. 1309 */ 1310static int 1311wpa_cipher(u_int8_t *sel, u_int8_t *keylen) 1312{ 1313#define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1314 u_int32_t w = LE_READ_4(sel); 1315 1316 switch (w) { 1317 case WPA_SEL(WPA_CSE_NULL): 1318 return IEEE80211_CIPHER_NONE; 1319 case WPA_SEL(WPA_CSE_WEP40): 1320 if (keylen) 1321 *keylen = 40 / NBBY; 1322 return IEEE80211_CIPHER_WEP; 1323 case WPA_SEL(WPA_CSE_WEP104): 1324 if (keylen) 1325 *keylen = 104 / NBBY; 1326 return IEEE80211_CIPHER_WEP; 1327 case WPA_SEL(WPA_CSE_TKIP): 1328 return IEEE80211_CIPHER_TKIP; 1329 case WPA_SEL(WPA_CSE_CCMP): 1330 return IEEE80211_CIPHER_AES_CCM; 1331 } 1332 return 32; /* NB: so 1<< is discarded */ 1333#undef WPA_SEL 1334} 1335 1336/* 1337 * Convert a WPA key management/authentication algorithm 1338 * to an internal code. 1339 */ 1340static int 1341wpa_keymgmt(u_int8_t *sel) 1342{ 1343#define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1344 u_int32_t w = LE_READ_4(sel); 1345 1346 switch (w) { 1347 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1348 return WPA_ASE_8021X_UNSPEC; 1349 case WPA_SEL(WPA_ASE_8021X_PSK): 1350 return WPA_ASE_8021X_PSK; 1351 case WPA_SEL(WPA_ASE_NONE): 1352 return WPA_ASE_NONE; 1353 } 1354 return 0; /* NB: so is discarded */ 1355#undef WPA_SEL 1356} 1357 1358/* 1359 * Parse a WPA information element to collect parameters 1360 * and validate the parameters against what has been 1361 * configured for the system. 1362 */ 1363static int 1364ieee80211_parse_wpa(struct ieee80211com *ic, u_int8_t *frm, 1365 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1366{ 1367 u_int8_t len = frm[1]; 1368 u_int32_t w; 1369 int n; 1370 1371 /* 1372 * Check the length once for fixed parts: OUI, type, 1373 * version, mcast cipher, and 2 selector counts. 1374 * Other, variable-length data, must be checked separately. 1375 */ 1376 if ((ic->ic_flags & IEEE80211_F_WPA1) == 0) { 1377 IEEE80211_DISCARD_IE(ic, 1378 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1379 wh, "WPA", "not WPA, flags 0x%x", ic->ic_flags); 1380 return IEEE80211_REASON_IE_INVALID; 1381 } 1382 if (len < 14) { 1383 IEEE80211_DISCARD_IE(ic, 1384 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1385 wh, "WPA", "too short, len %u", len); 1386 return IEEE80211_REASON_IE_INVALID; 1387 } 1388 frm += 6, len -= 4; /* NB: len is payload only */ 1389 /* NB: iswapoui already validated the OUI and type */ 1390 w = LE_READ_2(frm); 1391 if (w != WPA_VERSION) { 1392 IEEE80211_DISCARD_IE(ic, 1393 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1394 wh, "WPA", "bad version %u", w); 1395 return IEEE80211_REASON_IE_INVALID; 1396 } 1397 frm += 2, len -= 2; 1398 1399 /* multicast/group cipher */ 1400 w = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1401 if (w != rsn->rsn_mcastcipher) { 1402 IEEE80211_DISCARD_IE(ic, 1403 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1404 wh, "WPA", "mcast cipher mismatch; got %u, expected %u", 1405 w, rsn->rsn_mcastcipher); 1406 return IEEE80211_REASON_IE_INVALID; 1407 } 1408 frm += 4, len -= 4; 1409 1410 /* unicast ciphers */ 1411 n = LE_READ_2(frm); 1412 frm += 2, len -= 2; 1413 if (len < n*4+2) { 1414 IEEE80211_DISCARD_IE(ic, 1415 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1416 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1417 len, n); 1418 return IEEE80211_REASON_IE_INVALID; 1419 } 1420 w = 0; 1421 for (; n > 0; n--) { 1422 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1423 frm += 4, len -= 4; 1424 } 1425 w &= rsn->rsn_ucastcipherset; 1426 if (w == 0) { 1427 IEEE80211_DISCARD_IE(ic, 1428 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1429 wh, "WPA", "%s", "ucast cipher set empty"); 1430 return IEEE80211_REASON_IE_INVALID; 1431 } 1432 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1433 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1434 else 1435 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1436 1437 /* key management algorithms */ 1438 n = LE_READ_2(frm); 1439 frm += 2, len -= 2; 1440 if (len < n*4) { 1441 IEEE80211_DISCARD_IE(ic, 1442 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1443 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1444 len, n); 1445 return IEEE80211_REASON_IE_INVALID; 1446 } 1447 w = 0; 1448 for (; n > 0; n--) { 1449 w |= wpa_keymgmt(frm); 1450 frm += 4, len -= 4; 1451 } 1452 w &= rsn->rsn_keymgmtset; 1453 if (w == 0) { 1454 IEEE80211_DISCARD_IE(ic, 1455 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1456 wh, "WPA", "%s", "no acceptable key mgmt alg"); 1457 return IEEE80211_REASON_IE_INVALID; 1458 } 1459 if (w & WPA_ASE_8021X_UNSPEC) 1460 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1461 else 1462 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1463 1464 if (len > 2) /* optional capabilities */ 1465 rsn->rsn_caps = LE_READ_2(frm); 1466 1467 return 0; 1468} 1469 1470/* 1471 * Convert an RSN cipher selector OUI to an internal 1472 * cipher algorithm. Where appropriate we also 1473 * record any key length. 1474 */ 1475static int 1476rsn_cipher(u_int8_t *sel, u_int8_t *keylen) 1477{ 1478#define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1479 u_int32_t w = LE_READ_4(sel); 1480 1481 switch (w) { 1482 case RSN_SEL(RSN_CSE_NULL): 1483 return IEEE80211_CIPHER_NONE; 1484 case RSN_SEL(RSN_CSE_WEP40): 1485 if (keylen) 1486 *keylen = 40 / NBBY; 1487 return IEEE80211_CIPHER_WEP; 1488 case RSN_SEL(RSN_CSE_WEP104): 1489 if (keylen) 1490 *keylen = 104 / NBBY; 1491 return IEEE80211_CIPHER_WEP; 1492 case RSN_SEL(RSN_CSE_TKIP): 1493 return IEEE80211_CIPHER_TKIP; 1494 case RSN_SEL(RSN_CSE_CCMP): 1495 return IEEE80211_CIPHER_AES_CCM; 1496 case RSN_SEL(RSN_CSE_WRAP): 1497 return IEEE80211_CIPHER_AES_OCB; 1498 } 1499 return 32; /* NB: so 1<< is discarded */ 1500#undef WPA_SEL 1501} 1502 1503/* 1504 * Convert an RSN key management/authentication algorithm 1505 * to an internal code. 1506 */ 1507static int 1508rsn_keymgmt(u_int8_t *sel) 1509{ 1510#define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1511 u_int32_t w = LE_READ_4(sel); 1512 1513 switch (w) { 1514 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1515 return RSN_ASE_8021X_UNSPEC; 1516 case RSN_SEL(RSN_ASE_8021X_PSK): 1517 return RSN_ASE_8021X_PSK; 1518 case RSN_SEL(RSN_ASE_NONE): 1519 return RSN_ASE_NONE; 1520 } 1521 return 0; /* NB: so is discarded */ 1522#undef RSN_SEL 1523} 1524 1525/* 1526 * Parse a WPA/RSN information element to collect parameters 1527 * and validate the parameters against what has been 1528 * configured for the system. 1529 */ 1530static int 1531ieee80211_parse_rsn(struct ieee80211com *ic, u_int8_t *frm, 1532 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1533{ 1534 u_int8_t len = frm[1]; 1535 u_int32_t w; 1536 int n; 1537 1538 /* 1539 * Check the length once for fixed parts: 1540 * version, mcast cipher, and 2 selector counts. 1541 * Other, variable-length data, must be checked separately. 1542 */ 1543 if ((ic->ic_flags & IEEE80211_F_WPA2) == 0) { 1544 IEEE80211_DISCARD_IE(ic, 1545 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1546 wh, "WPA", "not RSN, flags 0x%x", ic->ic_flags); 1547 return IEEE80211_REASON_IE_INVALID; 1548 } 1549 if (len < 10) { 1550 IEEE80211_DISCARD_IE(ic, 1551 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1552 wh, "RSN", "too short, len %u", len); 1553 return IEEE80211_REASON_IE_INVALID; 1554 } 1555 frm += 2; 1556 w = LE_READ_2(frm); 1557 if (w != RSN_VERSION) { 1558 IEEE80211_DISCARD_IE(ic, 1559 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1560 wh, "RSN", "bad version %u", w); 1561 return IEEE80211_REASON_IE_INVALID; 1562 } 1563 frm += 2, len -= 2; 1564 1565 /* multicast/group cipher */ 1566 w = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1567 if (w != rsn->rsn_mcastcipher) { 1568 IEEE80211_DISCARD_IE(ic, 1569 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1570 wh, "RSN", "mcast cipher mismatch; got %u, expected %u", 1571 w, rsn->rsn_mcastcipher); 1572 return IEEE80211_REASON_IE_INVALID; 1573 } 1574 frm += 4, len -= 4; 1575 1576 /* unicast ciphers */ 1577 n = LE_READ_2(frm); 1578 frm += 2, len -= 2; 1579 if (len < n*4+2) { 1580 IEEE80211_DISCARD_IE(ic, 1581 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1582 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1583 len, n); 1584 return IEEE80211_REASON_IE_INVALID; 1585 } 1586 w = 0; 1587 for (; n > 0; n--) { 1588 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1589 frm += 4, len -= 4; 1590 } 1591 w &= rsn->rsn_ucastcipherset; 1592 if (w == 0) { 1593 IEEE80211_DISCARD_IE(ic, 1594 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1595 wh, "RSN", "%s", "ucast cipher set empty"); 1596 return IEEE80211_REASON_IE_INVALID; 1597 } 1598 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1599 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1600 else 1601 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1602 1603 /* key management algorithms */ 1604 n = LE_READ_2(frm); 1605 frm += 2, len -= 2; 1606 if (len < n*4) { 1607 IEEE80211_DISCARD_IE(ic, 1608 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1609 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1610 len, n); 1611 return IEEE80211_REASON_IE_INVALID; 1612 } 1613 w = 0; 1614 for (; n > 0; n--) { 1615 w |= rsn_keymgmt(frm); 1616 frm += 4, len -= 4; 1617 } 1618 w &= rsn->rsn_keymgmtset; 1619 if (w == 0) { 1620 IEEE80211_DISCARD_IE(ic, 1621 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1622 wh, "RSN", "%s", "no acceptable key mgmt alg"); 1623 return IEEE80211_REASON_IE_INVALID; 1624 } 1625 if (w & RSN_ASE_8021X_UNSPEC) 1626 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1627 else 1628 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1629 1630 /* optional RSN capabilities */ 1631 if (len > 2) 1632 rsn->rsn_caps = LE_READ_2(frm); 1633 /* XXXPMKID */ 1634 1635 return 0; 1636} 1637 1638static int 1639ieee80211_parse_wmeparams(struct ieee80211com *ic, u_int8_t *frm, 1640 const struct ieee80211_frame *wh) 1641{ 1642#define MS(_v, _f) (((_v) & _f) >> _f##_S) 1643 struct ieee80211_wme_state *wme = &ic->ic_wme; 1644 u_int len = frm[1], qosinfo; 1645 int i; 1646 1647 if (len < sizeof(struct ieee80211_wme_param)-2) { 1648 IEEE80211_DISCARD_IE(ic, 1649 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME, 1650 wh, "WME", "too short, len %u", len); 1651 return -1; 1652 } 1653 qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)]; 1654 qosinfo &= WME_QOSINFO_COUNT; 1655 /* XXX do proper check for wraparound */ 1656 if (qosinfo == wme->wme_wmeChanParams.cap_info) 1657 return 0; 1658 frm += __offsetof(struct ieee80211_wme_param, params_acParams); 1659 for (i = 0; i < WME_NUM_AC; i++) { 1660 struct wmeParams *wmep = 1661 &wme->wme_wmeChanParams.cap_wmeParams[i]; 1662 /* NB: ACI not used */ 1663 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM); 1664 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN); 1665 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN); 1666 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX); 1667 wmep->wmep_txopLimit = LE_READ_2(frm+2); 1668 frm += 4; 1669 } 1670 wme->wme_wmeChanParams.cap_info = qosinfo; 1671 return 1; 1672#undef MS 1673} 1674 1675void 1676ieee80211_saveie(u_int8_t **iep, const u_int8_t *ie) 1677{ 1678 u_int ielen = ie[1]+2; 1679 /* 1680 * Record information element for later use. 1681 */ 1682 if (*iep == NULL || (*iep)[1] != ie[1]) { 1683 if (*iep != NULL) 1684 FREE(*iep, M_DEVBUF); 1685 MALLOC(*iep, void*, ielen, M_DEVBUF, M_NOWAIT); 1686 } 1687 if (*iep != NULL) 1688 memcpy(*iep, ie, ielen); 1689 /* XXX note failure */ 1690} 1691 1692/* XXX find a better place for definition */ 1693struct l2_update_frame { 1694 struct ether_header eh; 1695 u_int8_t dsap; 1696 u_int8_t ssap; 1697 u_int8_t control; 1698 u_int8_t xid[3]; 1699} __packed; 1700 1701/* 1702 * Deliver a TGf L2UF frame on behalf of a station. 1703 * This primes any bridge when the station is roaming 1704 * between ap's on the same wired network. 1705 */ 1706static void 1707ieee80211_deliver_l2uf(struct ieee80211_node *ni) 1708{ 1709 struct ieee80211com *ic = ni->ni_ic; 1710 struct ifnet *ifp = ic->ic_ifp; 1711 struct mbuf *m; 1712 struct l2_update_frame *l2uf; 1713 struct ether_header *eh; 1714 1715 m = m_gethdr(M_NOWAIT, MT_DATA); 1716 if (m == NULL) { 1717 IEEE80211_NOTE(ic, IEEE80211_MSG_ASSOC, ni, 1718 "%s", "no mbuf for l2uf frame"); 1719 ic->ic_stats.is_rx_nobuf++; /* XXX not right */ 1720 return; 1721 } 1722 l2uf = mtod(m, struct l2_update_frame *); 1723 eh = &l2uf->eh; 1724 /* dst: Broadcast address */ 1725 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1726 /* src: associated STA */ 1727 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1728 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); 1729 1730 l2uf->dsap = 0; 1731 l2uf->ssap = 0; 1732 l2uf->control = 0xf5; 1733 l2uf->xid[0] = 0x81; 1734 l2uf->xid[1] = 0x80; 1735 l2uf->xid[2] = 0x00; 1736 1737 m->m_pkthdr.len = m->m_len = sizeof(*l2uf); 1738 ieee80211_deliver_data(ic, ni, m); 1739} 1740 1741static void 1742ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1743 int reassoc, int resp, const char *tag, int rate) 1744{ 1745 struct ieee80211com *ic = ni->ni_ic; 1746 1747 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1748 "[%s] deny %s request, %srate set mismatch, rate 0x%x\n", 1749 ether_sprintf(wh->i_addr2), 1750 reassoc ? "reassoc" : "assoc", tag, rate); 1751 IEEE80211_SEND_MGMT(ic, ni, resp, IEEE80211_STATUS_BASIC_RATE); 1752 ieee80211_node_leave(ic, ni); 1753 ic->ic_stats.is_rx_assoc_norate++; 1754} 1755 1756static void 1757capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1758 int reassoc, int resp, const char *tag, int capinfo) 1759{ 1760 struct ieee80211com *ic = ni->ni_ic; 1761 1762 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1763 "[%s] deny %s request, %s mismatch 0x%x\n", 1764 ether_sprintf(wh->i_addr2), 1765 reassoc ? "reassoc" : "assoc", tag, capinfo); 1766 IEEE80211_SEND_MGMT(ic, ni, resp, IEEE80211_STATUS_CAPINFO); 1767 ieee80211_node_leave(ic, ni); 1768 ic->ic_stats.is_rx_assoc_capmismatch++; 1769} 1770 1771void 1772ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0, 1773 struct ieee80211_node *ni, 1774 int subtype, int rssi, u_int32_t rstamp) 1775{ 1776#define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP) 1777#define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP) 1778 struct ieee80211_frame *wh; 1779 u_int8_t *frm, *efrm; 1780 u_int8_t *ssid, *rates, *xrates, *wpa, *wme; 1781 int reassoc, resp, allocbs; 1782 u_int8_t rate; 1783 1784 wh = mtod(m0, struct ieee80211_frame *); 1785 frm = (u_int8_t *)&wh[1]; 1786 efrm = mtod(m0, u_int8_t *) + m0->m_len; 1787 switch (subtype) { 1788 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1789 case IEEE80211_FC0_SUBTYPE_BEACON: { 1790 struct ieee80211_scanparams scan; 1791 1792 /* 1793 * We process beacon/probe response frames: 1794 * o when scanning, or 1795 * o station mode when associated (to collect state 1796 * updates such as 802.11g slot time), or 1797 * o adhoc mode (to discover neighbors) 1798 * Frames otherwise received are discarded. 1799 */ 1800 if (!((ic->ic_flags & IEEE80211_F_SCAN) || 1801 (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) || 1802 ic->ic_opmode == IEEE80211_M_IBSS)) { 1803 ic->ic_stats.is_rx_mgtdiscard++; 1804 return; 1805 } 1806 /* 1807 * beacon/probe response frame format 1808 * [8] time stamp 1809 * [2] beacon interval 1810 * [2] capability information 1811 * [tlv] ssid 1812 * [tlv] supported rates 1813 * [tlv] country information 1814 * [tlv] parameter set (FH/DS) 1815 * [tlv] erp information 1816 * [tlv] extended supported rates 1817 * [tlv] WME 1818 * [tlv] WPA or RSN 1819 */ 1820 IEEE80211_VERIFY_LENGTH(efrm - frm, 12); 1821 memset(&scan, 0, sizeof(scan)); 1822 scan.tstamp = frm; frm += 8; 1823 scan.bintval = le16toh(*(u_int16_t *)frm); frm += 2; 1824 scan.capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 1825 scan.bchan = ieee80211_chan2ieee(ic, ic->ic_curchan); 1826 scan.chan = scan.bchan; 1827 1828 while (efrm - frm > 1) { 1829 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2); 1830 switch (*frm) { 1831 case IEEE80211_ELEMID_SSID: 1832 scan.ssid = frm; 1833 break; 1834 case IEEE80211_ELEMID_RATES: 1835 scan.rates = frm; 1836 break; 1837 case IEEE80211_ELEMID_COUNTRY: 1838 scan.country = frm; 1839 break; 1840 case IEEE80211_ELEMID_FHPARMS: 1841 if (ic->ic_phytype == IEEE80211_T_FH) { 1842 scan.fhdwell = LE_READ_2(&frm[2]); 1843 scan.chan = IEEE80211_FH_CHAN(frm[4], frm[5]); 1844 scan.fhindex = frm[6]; 1845 } 1846 break; 1847 case IEEE80211_ELEMID_DSPARMS: 1848 /* 1849 * XXX hack this since depending on phytype 1850 * is problematic for multi-mode devices. 1851 */ 1852 if (ic->ic_phytype != IEEE80211_T_FH) 1853 scan.chan = frm[2]; 1854 break; 1855 case IEEE80211_ELEMID_TIM: 1856 /* XXX ATIM? */ 1857 scan.tim = frm; 1858 scan.timoff = frm - mtod(m0, u_int8_t *); 1859 break; 1860 case IEEE80211_ELEMID_IBSSPARMS: 1861 break; 1862 case IEEE80211_ELEMID_XRATES: 1863 scan.xrates = frm; 1864 break; 1865 case IEEE80211_ELEMID_ERP: 1866 if (frm[1] != 1) { 1867 IEEE80211_DISCARD_IE(ic, 1868 IEEE80211_MSG_ELEMID, wh, "ERP", 1869 "bad len %u", frm[1]); 1870 ic->ic_stats.is_rx_elem_toobig++; 1871 break; 1872 } 1873 scan.erp = frm[2]; 1874 break; 1875 case IEEE80211_ELEMID_RSN: 1876 scan.wpa = frm; 1877 break; 1878 case IEEE80211_ELEMID_VENDOR: 1879 if (iswpaoui(frm)) 1880 scan.wpa = frm; 1881 else if (iswmeparam(frm) || iswmeinfo(frm)) 1882 scan.wme = frm; 1883 /* XXX Atheros OUI support */ 1884 break; 1885 default: 1886 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID, 1887 wh, "unhandled", 1888 "id %u, len %u", *frm, frm[1]); 1889 ic->ic_stats.is_rx_elem_unknown++; 1890 break; 1891 } 1892 frm += frm[1] + 2; 1893 } 1894 IEEE80211_VERIFY_ELEMENT(scan.rates, IEEE80211_RATE_MAXSIZE); 1895 IEEE80211_VERIFY_ELEMENT(scan.ssid, IEEE80211_NWID_LEN); 1896 if ( 1897#if IEEE80211_CHAN_MAX < 255 1898 scan.chan > IEEE80211_CHAN_MAX || 1899#endif 1900 isclr(ic->ic_chan_active, scan.chan)) { 1901 IEEE80211_DISCARD(ic, 1902 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 1903 wh, ieee80211_mgt_subtype_name[subtype >> 1904 IEEE80211_FC0_SUBTYPE_SHIFT], 1905 "invalid channel %u", scan.chan); 1906 ic->ic_stats.is_rx_badchan++; 1907 return; 1908 } 1909 if (scan.chan != scan.bchan && 1910 ic->ic_phytype != IEEE80211_T_FH) { 1911 /* 1912 * Frame was received on a channel different from the 1913 * one indicated in the DS params element id; 1914 * silently discard it. 1915 * 1916 * NB: this can happen due to signal leakage. 1917 * But we should take it for FH phy because 1918 * the rssi value should be correct even for 1919 * different hop pattern in FH. 1920 */ 1921 IEEE80211_DISCARD(ic, 1922 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 1923 wh, ieee80211_mgt_subtype_name[subtype >> 1924 IEEE80211_FC0_SUBTYPE_SHIFT], 1925 "for off-channel %u", scan.chan); 1926 ic->ic_stats.is_rx_chanmismatch++; 1927 return; 1928 } 1929 if (!(IEEE80211_BINTVAL_MIN <= scan.bintval && 1930 scan.bintval <= IEEE80211_BINTVAL_MAX)) { 1931 IEEE80211_DISCARD(ic, 1932 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 1933 wh, ieee80211_mgt_subtype_name[subtype >> 1934 IEEE80211_FC0_SUBTYPE_SHIFT], 1935 "bogus beacon interval", scan.bintval); 1936 ic->ic_stats.is_rx_badbintval++; 1937 return; 1938 } 1939 1940 /* 1941 * Count frame now that we know it's to be processed. 1942 */ 1943 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1944 ic->ic_stats.is_rx_beacon++; /* XXX remove */ 1945 IEEE80211_NODE_STAT(ni, rx_beacons); 1946 } else 1947 IEEE80211_NODE_STAT(ni, rx_proberesp); 1948 1949 /* 1950 * When operating in station mode, check for state updates. 1951 * Be careful to ignore beacons received while doing a 1952 * background scan. We consider only 11g/WMM stuff right now. 1953 */ 1954 if (ic->ic_opmode == IEEE80211_M_STA && 1955 ni->ni_associd != 0 && 1956 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 || 1957 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) { 1958 /* record tsf of last beacon */ 1959 memcpy(ni->ni_tstamp.data, scan.tstamp, 1960 sizeof(ni->ni_tstamp)); 1961 /* count beacon frame for s/w bmiss handling */ 1962 ic->ic_swbmiss_count++; 1963 ic->ic_bmiss_count = 0; 1964 if (ni->ni_erp != scan.erp) { 1965 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1966 "[%s] erp change: was 0x%x, now 0x%x\n", 1967 ether_sprintf(wh->i_addr2), 1968 ni->ni_erp, scan.erp); 1969 if (ic->ic_curmode == IEEE80211_MODE_11G && 1970 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 1971 ic->ic_flags |= IEEE80211_F_USEPROT; 1972 else 1973 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1974 ni->ni_erp = scan.erp; 1975 /* XXX statistic */ 1976 } 1977 if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1978 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1979 "[%s] capabilities change: before 0x%x," 1980 " now 0x%x\n", 1981 ether_sprintf(wh->i_addr2), 1982 ni->ni_capinfo, scan.capinfo); 1983 /* 1984 * NB: we assume short preamble doesn't 1985 * change dynamically 1986 */ 1987 ieee80211_set_shortslottime(ic, 1988 ic->ic_curmode == IEEE80211_MODE_11A || 1989 (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1990 ni->ni_capinfo = scan.capinfo; 1991 /* XXX statistic */ 1992 } 1993 if (scan.wme != NULL && 1994 (ni->ni_flags & IEEE80211_NODE_QOS) && 1995 ieee80211_parse_wmeparams(ic, scan.wme, wh) > 0) 1996 ieee80211_wme_updateparams(ic); 1997 if (scan.tim != NULL) { 1998 struct ieee80211_tim_ie *ie = 1999 (struct ieee80211_tim_ie *) scan.tim; 2000 2001 ni->ni_dtim_count = ie->tim_count; 2002 ni->ni_dtim_period = ie->tim_period; 2003 } 2004 if (ic->ic_flags & IEEE80211_F_SCAN) 2005 ieee80211_add_scan(ic, &scan, wh, 2006 subtype, rssi, rstamp); 2007 return; 2008 } 2009 /* 2010 * If scanning, just pass information to the scan module. 2011 */ 2012 if (ic->ic_flags & IEEE80211_F_SCAN) { 2013 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) { 2014 /* 2015 * Actively scanning a channel marked passive; 2016 * send a probe request now that we know there 2017 * is 802.11 traffic present. 2018 * 2019 * XXX check if the beacon we recv'd gives 2020 * us what we need and suppress the probe req 2021 */ 2022 ieee80211_probe_curchan(ic, 1); 2023 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 2024 } 2025 ieee80211_add_scan(ic, &scan, wh, 2026 subtype, rssi, rstamp); 2027 return; 2028 } 2029 if (scan.capinfo & IEEE80211_CAPINFO_IBSS) { 2030 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 2031 /* 2032 * Create a new entry in the neighbor table. 2033 */ 2034 ni = ieee80211_add_neighbor(ic, wh, &scan); 2035 } else if (ni->ni_capinfo == 0) { 2036 /* 2037 * Update faked node created on transmit. 2038 * Note this also updates the tsf. 2039 */ 2040 ieee80211_init_neighbor(ni, wh, &scan); 2041 } else { 2042 /* 2043 * Record tsf for potential resync. 2044 */ 2045 memcpy(ni->ni_tstamp.data, scan.tstamp, 2046 sizeof(ni->ni_tstamp)); 2047 } 2048 if (ni != NULL) { 2049 ni->ni_rssi = rssi; 2050 ni->ni_rstamp = rstamp; 2051 } 2052 } 2053 break; 2054 } 2055 2056 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2057 if (ic->ic_opmode == IEEE80211_M_STA || 2058 ic->ic_state != IEEE80211_S_RUN) { 2059 ic->ic_stats.is_rx_mgtdiscard++; 2060 return; 2061 } 2062 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 2063 /* frame must be directed */ 2064 ic->ic_stats.is_rx_mgtdiscard++; /* XXX stat */ 2065 return; 2066 } 2067 2068 /* 2069 * prreq frame format 2070 * [tlv] ssid 2071 * [tlv] supported rates 2072 * [tlv] extended supported rates 2073 */ 2074 ssid = rates = xrates = NULL; 2075 while (efrm - frm > 1) { 2076 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2); 2077 switch (*frm) { 2078 case IEEE80211_ELEMID_SSID: 2079 ssid = frm; 2080 break; 2081 case IEEE80211_ELEMID_RATES: 2082 rates = frm; 2083 break; 2084 case IEEE80211_ELEMID_XRATES: 2085 xrates = frm; 2086 break; 2087 } 2088 frm += frm[1] + 2; 2089 } 2090 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2091 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2092 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2093 if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 2094 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 2095 wh, ieee80211_mgt_subtype_name[subtype >> 2096 IEEE80211_FC0_SUBTYPE_SHIFT], 2097 "%s", "no ssid with ssid suppression enabled"); 2098 ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/ 2099 return; 2100 } 2101 2102 allocbs = 0; 2103 if (ni == ic->ic_bss) { 2104 if (ic->ic_opmode != IEEE80211_M_IBSS) { 2105 ni = ieee80211_tmp_node(ic, wh->i_addr2); 2106 allocbs = 1; 2107 } else if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 2108 /* 2109 * XXX Cannot tell if the sender is operating 2110 * in ibss mode. But we need a new node to 2111 * send the response so blindly add them to the 2112 * neighbor table. 2113 */ 2114 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 2115 wh->i_addr2); 2116 } 2117 if (ni == NULL) 2118 return; 2119 } 2120 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2121 "[%s] recv probe req\n", ether_sprintf(wh->i_addr2)); 2122 ni->ni_rssi = rssi; 2123 ni->ni_rstamp = rstamp; 2124 rate = ieee80211_setup_rates(ni, rates, xrates, 2125 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE 2126 | IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2127 if (rate & IEEE80211_RATE_BASIC) { 2128 IEEE80211_DISCARD(ic, IEEE80211_MSG_XRATE, 2129 wh, ieee80211_mgt_subtype_name[subtype >> 2130 IEEE80211_FC0_SUBTYPE_SHIFT], 2131 "%s", "recv'd rate set invalid"); 2132 } else { 2133 IEEE80211_SEND_MGMT(ic, ni, 2134 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 2135 } 2136 if (allocbs) { 2137 /* 2138 * Temporary node created just to send a 2139 * response, reclaim immediately. 2140 */ 2141 ieee80211_free_node(ni); 2142 } 2143 break; 2144 2145 case IEEE80211_FC0_SUBTYPE_AUTH: { 2146 u_int16_t algo, seq, status; 2147 /* 2148 * auth frame format 2149 * [2] algorithm 2150 * [2] sequence 2151 * [2] status 2152 * [tlv*] challenge 2153 */ 2154 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2155 algo = le16toh(*(u_int16_t *)frm); 2156 seq = le16toh(*(u_int16_t *)(frm + 2)); 2157 status = le16toh(*(u_int16_t *)(frm + 4)); 2158 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2159 "[%s] recv auth frame with algorithm %d seq %d\n", 2160 ether_sprintf(wh->i_addr2), algo, seq); 2161 /* 2162 * Consult the ACL policy module if setup. 2163 */ 2164 if (ic->ic_acl != NULL && 2165 !ic->ic_acl->iac_check(ic, wh->i_addr2)) { 2166 IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL, 2167 wh, "auth", "%s", "disallowed by ACL"); 2168 ic->ic_stats.is_rx_acl++; 2169 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2170 IEEE80211_SEND_MGMT(ic, ni, 2171 IEEE80211_FC0_SUBTYPE_AUTH, 2172 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 2173 } 2174 return; 2175 } 2176 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 2177 IEEE80211_DISCARD(ic, 2178 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 2179 wh, "auth", "%s", "TKIP countermeasures enabled"); 2180 ic->ic_stats.is_rx_auth_countermeasures++; 2181 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2182 IEEE80211_SEND_MGMT(ic, ni, 2183 IEEE80211_FC0_SUBTYPE_AUTH, 2184 IEEE80211_REASON_MIC_FAILURE); 2185 } 2186 return; 2187 } 2188 if (algo == IEEE80211_AUTH_ALG_SHARED) 2189 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi, 2190 rstamp, seq, status); 2191 else if (algo == IEEE80211_AUTH_ALG_OPEN) 2192 ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq, 2193 status); 2194 else { 2195 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2196 wh, "auth", "unsupported alg %d", algo); 2197 ic->ic_stats.is_rx_auth_unsupported++; 2198 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2199 /* XXX not right */ 2200 IEEE80211_SEND_MGMT(ic, ni, 2201 IEEE80211_FC0_SUBTYPE_AUTH, 2202 (seq+1) | (IEEE80211_STATUS_ALG<<16)); 2203 } 2204 return; 2205 } 2206 break; 2207 } 2208 2209 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2210 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2211 u_int16_t capinfo, lintval; 2212 struct ieee80211_rsnparms rsn; 2213 u_int8_t reason; 2214 2215 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2216 ic->ic_state != IEEE80211_S_RUN) { 2217 ic->ic_stats.is_rx_mgtdiscard++; 2218 return; 2219 } 2220 2221 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2222 reassoc = 1; 2223 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2224 } else { 2225 reassoc = 0; 2226 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2227 } 2228 /* 2229 * asreq frame format 2230 * [2] capability information 2231 * [2] listen interval 2232 * [6*] current AP address (reassoc only) 2233 * [tlv] ssid 2234 * [tlv] supported rates 2235 * [tlv] extended supported rates 2236 * [tlv] WPA or RSN 2237 */ 2238 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4)); 2239 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2240 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2241 wh, ieee80211_mgt_subtype_name[subtype >> 2242 IEEE80211_FC0_SUBTYPE_SHIFT], 2243 "%s", "wrong bssid"); 2244 ic->ic_stats.is_rx_assoc_bss++; 2245 return; 2246 } 2247 capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 2248 lintval = le16toh(*(u_int16_t *)frm); frm += 2; 2249 if (reassoc) 2250 frm += 6; /* ignore current AP info */ 2251 ssid = rates = xrates = wpa = wme = NULL; 2252 while (efrm - frm > 1) { 2253 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2); 2254 switch (*frm) { 2255 case IEEE80211_ELEMID_SSID: 2256 ssid = frm; 2257 break; 2258 case IEEE80211_ELEMID_RATES: 2259 rates = frm; 2260 break; 2261 case IEEE80211_ELEMID_XRATES: 2262 xrates = frm; 2263 break; 2264 /* XXX verify only one of RSN and WPA ie's? */ 2265 case IEEE80211_ELEMID_RSN: 2266 wpa = frm; 2267 break; 2268 case IEEE80211_ELEMID_VENDOR: 2269 if (iswpaoui(frm)) 2270 wpa = frm; 2271 else if (iswmeinfo(frm)) 2272 wme = frm; 2273 /* XXX Atheros OUI support */ 2274 break; 2275 } 2276 frm += frm[1] + 2; 2277 } 2278 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2279 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2280 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2281 2282 if (ni == ic->ic_bss) { 2283 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2284 "[%s] deny %s request, sta not authenticated\n", 2285 ether_sprintf(wh->i_addr2), 2286 reassoc ? "reassoc" : "assoc"); 2287 ieee80211_send_error(ic, ni, wh->i_addr2, 2288 IEEE80211_FC0_SUBTYPE_DEAUTH, 2289 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2290 ic->ic_stats.is_rx_assoc_notauth++; 2291 return; 2292 } 2293 /* assert right associstion security credentials */ 2294 if (wpa == NULL && (ic->ic_flags & IEEE80211_F_WPA)) { 2295 IEEE80211_DPRINTF(ic, 2296 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2297 "[%s] no WPA/RSN IE in association request\n", 2298 ether_sprintf(wh->i_addr2)); 2299 IEEE80211_SEND_MGMT(ic, ni, 2300 IEEE80211_FC0_SUBTYPE_DEAUTH, 2301 IEEE80211_REASON_RSN_REQUIRED); 2302 ieee80211_node_leave(ic, ni); 2303 /* XXX distinguish WPA/RSN? */ 2304 ic->ic_stats.is_rx_assoc_badwpaie++; 2305 return; 2306 } 2307 if (wpa != NULL) { 2308 /* 2309 * Parse WPA information element. Note that 2310 * we initialize the param block from the node 2311 * state so that information in the IE overrides 2312 * our defaults. The resulting parameters are 2313 * installed below after the association is assured. 2314 */ 2315 rsn = ni->ni_rsn; 2316 if (wpa[0] != IEEE80211_ELEMID_RSN) 2317 reason = ieee80211_parse_wpa(ic, wpa, &rsn, wh); 2318 else 2319 reason = ieee80211_parse_rsn(ic, wpa, &rsn, wh); 2320 if (reason != 0) { 2321 IEEE80211_SEND_MGMT(ic, ni, 2322 IEEE80211_FC0_SUBTYPE_DEAUTH, reason); 2323 ieee80211_node_leave(ic, ni); 2324 /* XXX distinguish WPA/RSN? */ 2325 ic->ic_stats.is_rx_assoc_badwpaie++; 2326 return; 2327 } 2328 IEEE80211_DPRINTF(ic, 2329 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2330 "[%s] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n", 2331 ether_sprintf(wh->i_addr2), 2332 wpa[0] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN", 2333 rsn.rsn_mcastcipher, rsn.rsn_mcastkeylen, 2334 rsn.rsn_ucastcipher, rsn.rsn_ucastkeylen, 2335 rsn.rsn_keymgmt, rsn.rsn_caps); 2336 } 2337 /* discard challenge after association */ 2338 if (ni->ni_challenge != NULL) { 2339 FREE(ni->ni_challenge, M_DEVBUF); 2340 ni->ni_challenge = NULL; 2341 } 2342 /* NB: 802.11 spec says to ignore station's privacy bit */ 2343 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2344 capinfomismatch(ni, wh, reassoc, resp, 2345 "capability", capinfo); 2346 return; 2347 } 2348 /* 2349 * Disallow re-associate w/ invalid slot time setting. 2350 */ 2351 if (ni->ni_associd != 0 && 2352 ic->ic_curmode == IEEE80211_MODE_11G && 2353 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 2354 capinfomismatch(ni, wh, reassoc, resp, 2355 "slot time", capinfo); 2356 return; 2357 } 2358 rate = ieee80211_setup_rates(ni, rates, xrates, 2359 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2360 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2361 if (rate & IEEE80211_RATE_BASIC) { 2362 ratesetmismatch(ni, wh, reassoc, resp, "basic", rate); 2363 return; 2364 } 2365 /* 2366 * If constrained to 11g-only stations reject an 2367 * 11b-only station. We cheat a bit here by looking 2368 * at the max negotiated xmit rate and assuming anyone 2369 * with a best rate <24Mb/s is an 11b station. 2370 */ 2371 if ((ic->ic_flags & IEEE80211_F_PUREG) && rate < 48) { 2372 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); 2373 return; 2374 } 2375 ni->ni_rssi = rssi; 2376 ni->ni_rstamp = rstamp; 2377 ni->ni_intval = lintval; 2378 ni->ni_capinfo = capinfo; 2379 ni->ni_chan = ic->ic_bss->ni_chan; 2380 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell; 2381 ni->ni_fhindex = ic->ic_bss->ni_fhindex; 2382 if (wpa != NULL) { 2383 /* 2384 * Record WPA/RSN parameters for station, mark 2385 * node as using WPA and record information element 2386 * for applications that require it. 2387 */ 2388 ni->ni_rsn = rsn; 2389 ieee80211_saveie(&ni->ni_wpa_ie, wpa); 2390 } else if (ni->ni_wpa_ie != NULL) { 2391 /* 2392 * Flush any state from a previous association. 2393 */ 2394 FREE(ni->ni_wpa_ie, M_DEVBUF); 2395 ni->ni_wpa_ie = NULL; 2396 } 2397 if (wme != NULL) { 2398 /* 2399 * Record WME parameters for station, mark node 2400 * as capable of QoS and record information 2401 * element for applications that require it. 2402 */ 2403 ieee80211_saveie(&ni->ni_wme_ie, wme); 2404 ni->ni_flags |= IEEE80211_NODE_QOS; 2405 } else if (ni->ni_wme_ie != NULL) { 2406 /* 2407 * Flush any state from a previous association. 2408 */ 2409 FREE(ni->ni_wme_ie, M_DEVBUF); 2410 ni->ni_wme_ie = NULL; 2411 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2412 } 2413 ieee80211_deliver_l2uf(ni); 2414 ieee80211_node_join(ic, ni, resp); 2415 break; 2416 } 2417 2418 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2419 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: { 2420 u_int16_t capinfo, associd; 2421 u_int16_t status; 2422 2423 if (ic->ic_opmode != IEEE80211_M_STA || 2424 ic->ic_state != IEEE80211_S_ASSOC) { 2425 ic->ic_stats.is_rx_mgtdiscard++; 2426 return; 2427 } 2428 2429 /* 2430 * asresp frame format 2431 * [2] capability information 2432 * [2] status 2433 * [2] association ID 2434 * [tlv] supported rates 2435 * [tlv] extended supported rates 2436 * [tlv] WME 2437 */ 2438 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2439 ni = ic->ic_bss; 2440 capinfo = le16toh(*(u_int16_t *)frm); 2441 frm += 2; 2442 status = le16toh(*(u_int16_t *)frm); 2443 frm += 2; 2444 if (status != 0) { 2445 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2446 "[%s] %sassoc failed (reason %d)\n", 2447 ether_sprintf(wh->i_addr2), 2448 ISREASSOC(subtype) ? "re" : "", status); 2449 if (ni != ic->ic_bss) /* XXX never true? */ 2450 ni->ni_fails++; 2451 ic->ic_stats.is_rx_auth_fail++; /* XXX */ 2452 return; 2453 } 2454 associd = le16toh(*(u_int16_t *)frm); 2455 frm += 2; 2456 2457 rates = xrates = wpa = wme = NULL; 2458 while (efrm - frm > 1) { 2459 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2); 2460 switch (*frm) { 2461 case IEEE80211_ELEMID_RATES: 2462 rates = frm; 2463 break; 2464 case IEEE80211_ELEMID_XRATES: 2465 xrates = frm; 2466 break; 2467 case IEEE80211_ELEMID_VENDOR: 2468 if (iswmeoui(frm)) 2469 wme = frm; 2470 /* XXX Atheros OUI support */ 2471 break; 2472 } 2473 frm += frm[1] + 2; 2474 } 2475 2476 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2477 rate = ieee80211_setup_rates(ni, rates, xrates, 2478 IEEE80211_F_JOIN | 2479 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2480 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2481 if (rate & IEEE80211_RATE_BASIC) { 2482 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2483 "[%s] %sassoc failed (rate set mismatch)\n", 2484 ether_sprintf(wh->i_addr2), 2485 ISREASSOC(subtype) ? "re" : ""); 2486 if (ni != ic->ic_bss) /* XXX never true? */ 2487 ni->ni_fails++; 2488 ic->ic_stats.is_rx_assoc_norate++; 2489 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 2490 return; 2491 } 2492 2493 ni->ni_capinfo = capinfo; 2494 ni->ni_associd = associd; 2495 if (wme != NULL && 2496 ieee80211_parse_wmeparams(ic, wme, wh) >= 0) { 2497 ni->ni_flags |= IEEE80211_NODE_QOS; 2498 ieee80211_wme_updateparams(ic); 2499 } else 2500 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2501 /* 2502 * Configure state now that we are associated. 2503 * 2504 * XXX may need different/additional driver callbacks? 2505 */ 2506 if (ic->ic_curmode == IEEE80211_MODE_11A || 2507 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) { 2508 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2509 ic->ic_flags &= ~IEEE80211_F_USEBARKER; 2510 } else { 2511 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2512 ic->ic_flags |= IEEE80211_F_USEBARKER; 2513 } 2514 ieee80211_set_shortslottime(ic, 2515 ic->ic_curmode == IEEE80211_MODE_11A || 2516 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2517 /* 2518 * Honor ERP protection. 2519 * 2520 * NB: ni_erp should zero for non-11g operation. 2521 * XXX check ic_curmode anyway? 2522 */ 2523 if (ic->ic_curmode == IEEE80211_MODE_11G && 2524 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2525 ic->ic_flags |= IEEE80211_F_USEPROT; 2526 else 2527 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2528 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2529 "[%s] %sassoc success: %s preamble, %s slot time%s%s\n", 2530 ether_sprintf(wh->i_addr2), 2531 ISREASSOC(subtype) ? "re" : "", 2532 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long", 2533 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long", 2534 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "", 2535 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "" 2536 ); 2537 ieee80211_new_state(ic, IEEE80211_S_RUN, subtype); 2538 break; 2539 } 2540 2541 case IEEE80211_FC0_SUBTYPE_DEAUTH: { 2542 u_int16_t reason; 2543 2544 if (ic->ic_state == IEEE80211_S_SCAN) { 2545 ic->ic_stats.is_rx_mgtdiscard++; 2546 return; 2547 } 2548 /* 2549 * deauth frame format 2550 * [2] reason 2551 */ 2552 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2553 reason = le16toh(*(u_int16_t *)frm); 2554 ic->ic_stats.is_rx_deauth++; 2555 IEEE80211_NODE_STAT(ni, rx_deauth); 2556 2557 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 2558 /* NB: can happen when in promiscuous mode */ 2559 ic->ic_stats.is_rx_mgtdiscard++; 2560 break; 2561 } 2562 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2563 "[%s] recv deauthenticate (reason %d)\n", 2564 ether_sprintf(ni->ni_macaddr), reason); 2565 switch (ic->ic_opmode) { 2566 case IEEE80211_M_STA: 2567 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2568 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2569 break; 2570 case IEEE80211_M_HOSTAP: 2571 if (ni != ic->ic_bss) 2572 ieee80211_node_leave(ic, ni); 2573 break; 2574 default: 2575 ic->ic_stats.is_rx_mgtdiscard++; 2576 break; 2577 } 2578 break; 2579 } 2580 2581 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2582 u_int16_t reason; 2583 2584 if (ic->ic_state != IEEE80211_S_RUN && 2585 ic->ic_state != IEEE80211_S_ASSOC && 2586 ic->ic_state != IEEE80211_S_AUTH) { 2587 ic->ic_stats.is_rx_mgtdiscard++; 2588 return; 2589 } 2590 /* 2591 * disassoc frame format 2592 * [2] reason 2593 */ 2594 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2595 reason = le16toh(*(u_int16_t *)frm); 2596 ic->ic_stats.is_rx_disassoc++; 2597 IEEE80211_NODE_STAT(ni, rx_disassoc); 2598 2599 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 2600 /* NB: can happen when in promiscuous mode */ 2601 ic->ic_stats.is_rx_mgtdiscard++; 2602 break; 2603 } 2604 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2605 "[%s] recv disassociate (reason %d)\n", 2606 ether_sprintf(ni->ni_macaddr), reason); 2607 switch (ic->ic_opmode) { 2608 case IEEE80211_M_STA: 2609 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2610 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2611 break; 2612 case IEEE80211_M_HOSTAP: 2613 if (ni != ic->ic_bss) 2614 ieee80211_node_leave(ic, ni); 2615 break; 2616 default: 2617 ic->ic_stats.is_rx_mgtdiscard++; 2618 break; 2619 } 2620 break; 2621 } 2622 default: 2623 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2624 wh, "mgt", "subtype 0x%x not handled", subtype); 2625 ic->ic_stats.is_rx_badsubtype++; 2626 break; 2627 } 2628#undef ISREASSOC 2629#undef ISPROBE 2630} 2631#undef IEEE80211_VERIFY_LENGTH 2632#undef IEEE80211_VERIFY_ELEMENT 2633 2634/* 2635 * Handle station power-save state change. 2636 */ 2637static void 2638ieee80211_node_pwrsave(struct ieee80211_node *ni, int enable) 2639{ 2640 struct ieee80211com *ic = ni->ni_ic; 2641 struct mbuf *m, *mhead, *mtail; 2642 int mcount; 2643 2644 if (enable) { 2645 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) == 0) 2646 ic->ic_ps_sta++; 2647 ni->ni_flags |= IEEE80211_NODE_PWR_MGT; 2648 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2649 "[%s] power save mode on, %u sta's in ps mode\n", 2650 ether_sprintf(ni->ni_macaddr), ic->ic_ps_sta); 2651 return; 2652 } 2653 2654 if (ni->ni_flags & IEEE80211_NODE_PWR_MGT) 2655 ic->ic_ps_sta--; 2656 ni->ni_flags &= ~IEEE80211_NODE_PWR_MGT; 2657 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2658 "[%s] power save mode off, %u sta's in ps mode\n", 2659 ether_sprintf(ni->ni_macaddr), ic->ic_ps_sta); 2660 /* XXX if no stations in ps mode, flush mc frames */ 2661 2662 /* 2663 * Flush queued unicast frames. 2664 */ 2665 if (IEEE80211_NODE_SAVEQ_QLEN(ni) == 0) { 2666 if (ic->ic_set_tim != NULL) 2667 ic->ic_set_tim(ni, 0); /* just in case */ 2668 return; 2669 } 2670 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2671 "[%s] flush ps queue, %u packets queued\n", 2672 ether_sprintf(ni->ni_macaddr), IEEE80211_NODE_SAVEQ_QLEN(ni)); 2673 /* 2674 * Unload the frames from the ps q but don't send them 2675 * to the driver yet. We do this in two stages to minimize 2676 * locking but also because there's no easy way to preserve 2677 * ordering given the existing ifnet access mechanisms. 2678 * XXX could be optimized 2679 */ 2680 IEEE80211_NODE_SAVEQ_LOCK(ni); 2681 mcount = IEEE80211_NODE_SAVEQ_QLEN(ni); 2682 mhead = mtail = NULL; 2683 for (;;) { 2684 _IEEE80211_NODE_SAVEQ_DEQUEUE_HEAD(ni, m); 2685 if (m == NULL) 2686 break; 2687 if (mhead == NULL) { 2688 mhead = m; 2689 m->m_nextpkt = NULL; 2690 } else 2691 mtail->m_nextpkt = m; 2692 mtail = m; 2693 } 2694 IEEE80211_NODE_SAVEQ_UNLOCK(ni); 2695 if (mhead != NULL) { 2696 /* XXX need different driver interface */ 2697 /* XXX bypasses q max */ 2698 IF_PREPEND_LIST(&ic->ic_ifp->if_snd, mhead, mtail, mcount); 2699 } 2700 if (ic->ic_set_tim != NULL) 2701 ic->ic_set_tim(ni, 0); 2702} 2703 2704/* 2705 * Process a received ps-poll frame. 2706 */ 2707static void 2708ieee80211_recv_pspoll(struct ieee80211com *ic, 2709 struct ieee80211_node *ni, struct mbuf *m0) 2710{ 2711 struct ieee80211_frame_min *wh; 2712 struct mbuf *m; 2713 u_int16_t aid; 2714 int qlen; 2715 2716 wh = mtod(m0, struct ieee80211_frame_min *); 2717 if (ni->ni_associd == 0) { 2718 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2719 (struct ieee80211_frame *) wh, "ps-poll", 2720 "%s", "unassociated station"); 2721 ic->ic_stats.is_ps_unassoc++; 2722 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2723 IEEE80211_REASON_NOT_ASSOCED); 2724 return; 2725 } 2726 2727 aid = le16toh(*(u_int16_t *)wh->i_dur); 2728 if (aid != ni->ni_associd) { 2729 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2730 (struct ieee80211_frame *) wh, "ps-poll", 2731 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2732 ni->ni_associd, aid); 2733 ic->ic_stats.is_ps_badaid++; 2734 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2735 IEEE80211_REASON_NOT_ASSOCED); 2736 return; 2737 } 2738 2739 /* Okay, take the first queued packet and put it out... */ 2740 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2741 if (m == NULL) { 2742 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2743 "[%s] recv ps-poll, but queue empty\n", 2744 ether_sprintf(wh->i_addr2)); 2745 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2746 ic->ic_stats.is_ps_qempty++; /* XXX node stat */ 2747 if (ic->ic_set_tim != NULL) 2748 ic->ic_set_tim(ni, 0); /* just in case */ 2749 return; 2750 } 2751 /* 2752 * If there are more packets, set the more packets bit 2753 * in the packet dispatched to the station; otherwise 2754 * turn off the TIM bit. 2755 */ 2756 if (qlen != 0) { 2757 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2758 "[%s] recv ps-poll, send packet, %u still queued\n", 2759 ether_sprintf(ni->ni_macaddr), qlen); 2760 m->m_flags |= M_MORE_DATA; 2761 } else { 2762 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2763 "[%s] recv ps-poll, send packet, queue empty\n", 2764 ether_sprintf(ni->ni_macaddr)); 2765 if (ic->ic_set_tim != NULL) 2766 ic->ic_set_tim(ni, 0); 2767 } 2768 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2769 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2770} 2771 2772#ifdef IEEE80211_DEBUG 2773/* 2774 * Debugging support. 2775 */ 2776 2777/* 2778 * Return the bssid of a frame. 2779 */ 2780static const u_int8_t * 2781ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh) 2782{ 2783 if (ic->ic_opmode == IEEE80211_M_STA) 2784 return wh->i_addr2; 2785 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS) 2786 return wh->i_addr1; 2787 if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL) 2788 return wh->i_addr1; 2789 return wh->i_addr3; 2790} 2791 2792void 2793ieee80211_note(struct ieee80211com *ic, const char *fmt, ...) 2794{ 2795 char buf[128]; /* XXX */ 2796 va_list ap; 2797 2798 va_start(ap, fmt); 2799 vsnprintf(buf, sizeof(buf), fmt, ap); 2800 va_end(ap); 2801 2802 if_printf(ic->ic_ifp, "%s", buf); /* NB: no \n */ 2803} 2804 2805void 2806ieee80211_note_frame(struct ieee80211com *ic, 2807 const struct ieee80211_frame *wh, 2808 const char *fmt, ...) 2809{ 2810 char buf[128]; /* XXX */ 2811 va_list ap; 2812 2813 va_start(ap, fmt); 2814 vsnprintf(buf, sizeof(buf), fmt, ap); 2815 va_end(ap); 2816 if_printf(ic->ic_ifp, "[%s] %s\n", 2817 ether_sprintf(ieee80211_getbssid(ic, wh)), buf); 2818} 2819 2820void 2821ieee80211_note_mac(struct ieee80211com *ic, 2822 const u_int8_t mac[IEEE80211_ADDR_LEN], 2823 const char *fmt, ...) 2824{ 2825 char buf[128]; /* XXX */ 2826 va_list ap; 2827 2828 va_start(ap, fmt); 2829 vsnprintf(buf, sizeof(buf), fmt, ap); 2830 va_end(ap); 2831 if_printf(ic->ic_ifp, "[%s] %s\n", ether_sprintf(mac), buf); 2832} 2833 2834void 2835ieee80211_discard_frame(struct ieee80211com *ic, 2836 const struct ieee80211_frame *wh, 2837 const char *type, const char *fmt, ...) 2838{ 2839 va_list ap; 2840 2841 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 2842 ether_sprintf(ieee80211_getbssid(ic, wh))); 2843 if (type != NULL) 2844 printf("%s frame, ", type); 2845 else 2846 printf("frame, "); 2847 va_start(ap, fmt); 2848 vprintf(fmt, ap); 2849 va_end(ap); 2850 printf("\n"); 2851} 2852 2853void 2854ieee80211_discard_ie(struct ieee80211com *ic, 2855 const struct ieee80211_frame *wh, 2856 const char *type, const char *fmt, ...) 2857{ 2858 va_list ap; 2859 2860 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 2861 ether_sprintf(ieee80211_getbssid(ic, wh))); 2862 if (type != NULL) 2863 printf("%s information element, ", type); 2864 else 2865 printf("information element, "); 2866 va_start(ap, fmt); 2867 vprintf(fmt, ap); 2868 va_end(ap); 2869 printf("\n"); 2870} 2871 2872void 2873ieee80211_discard_mac(struct ieee80211com *ic, 2874 const u_int8_t mac[IEEE80211_ADDR_LEN], 2875 const char *type, const char *fmt, ...) 2876{ 2877 va_list ap; 2878 2879 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, ether_sprintf(mac)); 2880 if (type != NULL) 2881 printf("%s frame, ", type); 2882 else 2883 printf("frame, "); 2884 va_start(ap, fmt); 2885 vprintf(fmt, ap); 2886 va_end(ap); 2887 printf("\n"); 2888} 2889#endif /* IEEE80211_DEBUG */ 2890