ieee80211_input.c revision 172055
1/*-
2 * Copyright (c) 2001 Atsushi Onoe
3 * Copyright (c) 2002-2007 Sam Leffler, Errno Consulting
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 *    notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 *    notice, this list of conditions and the following disclaimer in the
13 *    documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27#include <sys/cdefs.h>
28__FBSDID("$FreeBSD: head/sys/net80211/ieee80211_input.c 172055 2007-09-05 20:29:51Z sam $");
29
30#include <sys/param.h>
31#include <sys/systm.h>
32#include <sys/mbuf.h>
33#include <sys/malloc.h>
34#include <sys/endian.h>
35#include <sys/kernel.h>
36
37#include <sys/socket.h>
38
39#include <net/if.h>
40#include <net/if_media.h>
41#include <net/ethernet.h>
42#include <net/if_llc.h>
43#include <net/if_vlan_var.h>
44
45#include <net80211/ieee80211_var.h>
46
47#include <net/bpf.h>
48
49#ifdef IEEE80211_DEBUG
50#include <machine/stdarg.h>
51
52/*
53 * Decide if a received management frame should be
54 * printed when debugging is enabled.  This filters some
55 * of the less interesting frames that come frequently
56 * (e.g. beacons).
57 */
58static __inline int
59doprint(struct ieee80211com *ic, int subtype)
60{
61	switch (subtype) {
62	case IEEE80211_FC0_SUBTYPE_BEACON:
63		return (ic->ic_flags & IEEE80211_F_SCAN);
64	case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
65		return (ic->ic_opmode == IEEE80211_M_IBSS);
66	}
67	return 1;
68}
69
70static const uint8_t *ieee80211_getbssid(struct ieee80211com *,
71	const struct ieee80211_frame *);
72#endif /* IEEE80211_DEBUG */
73
74static struct mbuf *ieee80211_defrag(struct ieee80211com *,
75	struct ieee80211_node *, struct mbuf *, int);
76static struct mbuf *ieee80211_decap(struct ieee80211com *, struct mbuf *, int);
77static void ieee80211_send_error(struct ieee80211com *, struct ieee80211_node *,
78		const uint8_t *mac, int subtype, int arg);
79static struct mbuf *ieee80211_decap_fastframe(struct ieee80211com *,
80	struct ieee80211_node *, struct mbuf *);
81static void ieee80211_recv_pspoll(struct ieee80211com *,
82	struct ieee80211_node *, struct mbuf *);
83
84/*
85 * Process a received frame.  The node associated with the sender
86 * should be supplied.  If nothing was found in the node table then
87 * the caller is assumed to supply a reference to ic_bss instead.
88 * The RSSI and a timestamp are also supplied.  The RSSI data is used
89 * during AP scanning to select a AP to associate with; it can have
90 * any units so long as values have consistent units and higher values
91 * mean ``better signal''.  The receive timestamp is currently not used
92 * by the 802.11 layer.
93 */
94int
95ieee80211_input(struct ieee80211com *ic, struct mbuf *m,
96	struct ieee80211_node *ni, int rssi, int noise, uint32_t rstamp)
97{
98#define	SEQ_LEQ(a,b)	((int)((a)-(b)) <= 0)
99#define	HAS_SEQ(type)	((type & 0x4) == 0)
100	struct ifnet *ifp = ic->ic_ifp;
101	struct ieee80211_frame *wh;
102	struct ieee80211_key *key;
103	struct ether_header *eh;
104	int hdrspace, need_tap;
105	uint8_t dir, type, subtype, qos;
106	uint8_t *bssid;
107	uint16_t rxseq;
108
109	if (m->m_flags & M_AMPDU) {
110		/*
111		 * Fastpath for A-MPDU reorder q resubmission.  Frames
112		 * w/ M_AMPDU marked have already passed through here
113		 * but were received out of order and been held on the
114		 * reorder queue.  When resubmitted they are marked
115		 * with the M_AMPDU flag and we can bypass most of the
116		 * normal processing.
117		 */
118		wh = mtod(m, struct ieee80211_frame *);
119		type = IEEE80211_FC0_TYPE_DATA;
120		dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
121		subtype = IEEE80211_FC0_SUBTYPE_QOS;
122		hdrspace = ieee80211_hdrspace(ic, wh);	/* XXX optimize? */
123		need_tap = 0;
124		goto resubmit_ampdu;
125	}
126
127	KASSERT(ni != NULL, ("null node"));
128	ni->ni_inact = ni->ni_inact_reload;
129
130	need_tap = 1;			/* mbuf need to be tapped. */
131	type = -1;			/* undefined */
132	/*
133	 * In monitor mode, send everything directly to bpf.
134	 * XXX may want to include the CRC
135	 */
136	if (ic->ic_opmode == IEEE80211_M_MONITOR)
137		goto out;
138
139	if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
140		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
141		    ni->ni_macaddr, NULL,
142		    "too short (1): len %u", m->m_pkthdr.len);
143		ic->ic_stats.is_rx_tooshort++;
144		goto out;
145	}
146	/*
147	 * Bit of a cheat here, we use a pointer for a 3-address
148	 * frame format but don't reference fields past outside
149	 * ieee80211_frame_min w/o first validating the data is
150	 * present.
151	 */
152	wh = mtod(m, struct ieee80211_frame *);
153
154	if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
155	    IEEE80211_FC0_VERSION_0) {
156		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
157		    ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]);
158		ic->ic_stats.is_rx_badversion++;
159		goto err;
160	}
161
162	dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
163	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
164	subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
165	if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
166		switch (ic->ic_opmode) {
167		case IEEE80211_M_STA:
168			bssid = wh->i_addr2;
169			if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) {
170				/* not interested in */
171				IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
172				    bssid, NULL, "%s", "not to bss");
173				ic->ic_stats.is_rx_wrongbss++;
174				goto out;
175			}
176			break;
177		case IEEE80211_M_IBSS:
178		case IEEE80211_M_AHDEMO:
179		case IEEE80211_M_HOSTAP:
180			if (dir != IEEE80211_FC1_DIR_NODS)
181				bssid = wh->i_addr1;
182			else if (type == IEEE80211_FC0_TYPE_CTL)
183				bssid = wh->i_addr1;
184			else {
185				if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
186					IEEE80211_DISCARD_MAC(ic,
187					    IEEE80211_MSG_ANY, ni->ni_macaddr,
188					    NULL, "too short (2): len %u",
189					    m->m_pkthdr.len);
190					ic->ic_stats.is_rx_tooshort++;
191					goto out;
192				}
193				bssid = wh->i_addr3;
194			}
195			if (type != IEEE80211_FC0_TYPE_DATA)
196				break;
197			/*
198			 * Data frame, validate the bssid.
199			 */
200			if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) &&
201			    !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
202				/* not interested in */
203				IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
204				    bssid, NULL, "%s", "not to bss");
205				ic->ic_stats.is_rx_wrongbss++;
206				goto out;
207			}
208			/*
209			 * For adhoc mode we cons up a node when it doesn't
210			 * exist. This should probably done after an ACL check.
211			 */
212			if (ni == ic->ic_bss &&
213			    ic->ic_opmode != IEEE80211_M_HOSTAP &&
214			    !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
215				/*
216				 * Fake up a node for this newly
217				 * discovered member of the IBSS.
218				 */
219				ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta,
220						    wh->i_addr2);
221				if (ni == NULL) {
222					/* NB: stat kept for alloc failure */
223					goto err;
224				}
225			}
226			break;
227		default:
228			goto out;
229		}
230		ni->ni_rssi = rssi;
231		ni->ni_noise = noise;
232		ni->ni_rstamp = rstamp;
233		if (HAS_SEQ(type)) {
234			uint8_t tid;
235			if (IEEE80211_QOS_HAS_SEQ(wh)) {
236				tid = ((struct ieee80211_qosframe *)wh)->
237					i_qos[0] & IEEE80211_QOS_TID;
238				if (TID_TO_WME_AC(tid) >= WME_AC_VI)
239					ic->ic_wme.wme_hipri_traffic++;
240				tid++;
241			} else
242				tid = IEEE80211_NONQOS_TID;
243			rxseq = le16toh(*(uint16_t *)wh->i_seq);
244			if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 &&
245			    (wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
246			    SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
247				/* duplicate, discard */
248				IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
249				    bssid, "duplicate",
250				    "seqno <%u,%u> fragno <%u,%u> tid %u",
251				    rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
252				    ni->ni_rxseqs[tid] >>
253					IEEE80211_SEQ_SEQ_SHIFT,
254				    rxseq & IEEE80211_SEQ_FRAG_MASK,
255				    ni->ni_rxseqs[tid] &
256					IEEE80211_SEQ_FRAG_MASK,
257				    tid);
258				ic->ic_stats.is_rx_dup++;
259				IEEE80211_NODE_STAT(ni, rx_dup);
260				goto out;
261			}
262			ni->ni_rxseqs[tid] = rxseq;
263		}
264	}
265
266	switch (type) {
267	case IEEE80211_FC0_TYPE_DATA:
268		hdrspace = ieee80211_hdrspace(ic, wh);
269		if (m->m_len < hdrspace &&
270		    (m = m_pullup(m, hdrspace)) == NULL) {
271			IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
272			    ni->ni_macaddr, NULL,
273			    "data too short: expecting %u", hdrspace);
274			ic->ic_stats.is_rx_tooshort++;
275			goto out;		/* XXX */
276		}
277		switch (ic->ic_opmode) {
278		case IEEE80211_M_STA:
279			if (dir != IEEE80211_FC1_DIR_FROMDS) {
280				IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
281				    wh, "data", "unknown dir 0x%x", dir);
282				ic->ic_stats.is_rx_wrongdir++;
283				goto out;
284			}
285			if ((ifp->if_flags & IFF_SIMPLEX) &&
286			    IEEE80211_IS_MULTICAST(wh->i_addr1) &&
287			    IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) {
288				/*
289				 * In IEEE802.11 network, multicast packet
290				 * sent from me is broadcasted from AP.
291				 * It should be silently discarded for
292				 * SIMPLEX interface.
293				 */
294				IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
295				    wh, NULL, "%s", "multicast echo");
296				ic->ic_stats.is_rx_mcastecho++;
297				goto out;
298			}
299			break;
300		case IEEE80211_M_IBSS:
301		case IEEE80211_M_AHDEMO:
302			if (dir != IEEE80211_FC1_DIR_NODS) {
303				IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
304				    wh, "data", "unknown dir 0x%x", dir);
305				ic->ic_stats.is_rx_wrongdir++;
306				goto out;
307			}
308			/* XXX no power-save support */
309			break;
310		case IEEE80211_M_HOSTAP:
311			if (dir != IEEE80211_FC1_DIR_TODS) {
312				IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
313				    wh, "data", "unknown dir 0x%x", dir);
314				ic->ic_stats.is_rx_wrongdir++;
315				goto out;
316			}
317			/* check if source STA is associated */
318			if (ni == ic->ic_bss) {
319				IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
320				    wh, "data", "%s", "unknown src");
321				ieee80211_send_error(ic, ni, wh->i_addr2,
322				    IEEE80211_FC0_SUBTYPE_DEAUTH,
323				    IEEE80211_REASON_NOT_AUTHED);
324				ic->ic_stats.is_rx_notassoc++;
325				goto err;
326			}
327			if (ni->ni_associd == 0) {
328				IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
329				    wh, "data", "%s", "unassoc src");
330				IEEE80211_SEND_MGMT(ic, ni,
331				    IEEE80211_FC0_SUBTYPE_DISASSOC,
332				    IEEE80211_REASON_NOT_ASSOCED);
333				ic->ic_stats.is_rx_notassoc++;
334				goto err;
335			}
336
337			/*
338			 * Check for power save state change.
339			 * XXX out-of-order A-MPDU frames?
340			 */
341			if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
342			    (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
343				ieee80211_node_pwrsave(ni,
344					wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
345			break;
346		default:
347			/* XXX here to keep compiler happy */
348			goto out;
349		}
350
351		/*
352		 * Handle A-MPDU re-ordering.  The station must be
353		 * associated and negotiated HT.  The frame must be
354		 * a QoS frame (not QoS null data) and not previously
355		 * processed for A-MPDU re-ordering.  If the frame is
356		 * to be processed directly then ieee80211_ampdu_reorder
357		 * will return 0; otherwise it has consumed the mbuf
358		 * and we should do nothing more with it.
359		 */
360		if ((ni->ni_flags & IEEE80211_NODE_HT) &&
361		    subtype == IEEE80211_FC0_SUBTYPE_QOS &&
362		    ieee80211_ampdu_reorder(ni, m) != 0) {
363			m = NULL;
364			goto out;
365		}
366	resubmit_ampdu:
367
368		/*
369		 * Handle privacy requirements.  Note that we
370		 * must not be preempted from here until after
371		 * we (potentially) call ieee80211_crypto_demic;
372		 * otherwise we may violate assumptions in the
373		 * crypto cipher modules used to do delayed update
374		 * of replay sequence numbers.
375		 */
376		if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
377			if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) {
378				/*
379				 * Discard encrypted frames when privacy is off.
380				 */
381				IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
382				    wh, "WEP", "%s", "PRIVACY off");
383				ic->ic_stats.is_rx_noprivacy++;
384				IEEE80211_NODE_STAT(ni, rx_noprivacy);
385				goto out;
386			}
387			key = ieee80211_crypto_decap(ic, ni, m, hdrspace);
388			if (key == NULL) {
389				/* NB: stats+msgs handled in crypto_decap */
390				IEEE80211_NODE_STAT(ni, rx_wepfail);
391				goto out;
392			}
393			wh = mtod(m, struct ieee80211_frame *);
394			wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
395		} else {
396			/* XXX M_WEP and IEEE80211_F_PRIVACY */
397			key = NULL;
398		}
399
400		/*
401		 * Save QoS bits for use below--before we strip the header.
402		 */
403		if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
404			qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
405			    ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
406			    ((struct ieee80211_qosframe *)wh)->i_qos[0];
407		} else
408			qos = 0;
409
410		/*
411		 * Next up, any fragmentation.
412		 */
413		if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
414			m = ieee80211_defrag(ic, ni, m, hdrspace);
415			if (m == NULL) {
416				/* Fragment dropped or frame not complete yet */
417				goto out;
418			}
419		}
420		wh = NULL;		/* no longer valid, catch any uses */
421
422		/*
423		 * Next strip any MSDU crypto bits.
424		 */
425		if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) {
426			IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
427			    ni->ni_macaddr, "data", "%s", "demic error");
428			ic->ic_stats.is_rx_demicfail++;
429			IEEE80211_NODE_STAT(ni, rx_demicfail);
430			goto out;
431		}
432
433		/* copy to listener after decrypt */
434		if (bpf_peers_present(ic->ic_rawbpf))
435			bpf_mtap(ic->ic_rawbpf, m);
436		need_tap = 0;
437
438		/*
439		 * Finally, strip the 802.11 header.
440		 */
441		m = ieee80211_decap(ic, m, hdrspace);
442		if (m == NULL) {
443			/* don't count Null data frames as errors */
444			if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
445			    subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
446				goto out;
447			IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
448			    ni->ni_macaddr, "data", "%s", "decap error");
449			ic->ic_stats.is_rx_decap++;
450			IEEE80211_NODE_STAT(ni, rx_decap);
451			goto err;
452		}
453		eh = mtod(m, struct ether_header *);
454		if (!ieee80211_node_is_authorized(ni)) {
455			/*
456			 * Deny any non-PAE frames received prior to
457			 * authorization.  For open/shared-key
458			 * authentication the port is mark authorized
459			 * after authentication completes.  For 802.1x
460			 * the port is not marked authorized by the
461			 * authenticator until the handshake has completed.
462			 */
463			if (eh->ether_type != htons(ETHERTYPE_PAE)) {
464				IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
465				    eh->ether_shost, "data",
466				    "unauthorized port: ether type 0x%x len %u",
467				    eh->ether_type, m->m_pkthdr.len);
468				ic->ic_stats.is_rx_unauth++;
469				IEEE80211_NODE_STAT(ni, rx_unauth);
470				goto err;
471			}
472		} else {
473			/*
474			 * When denying unencrypted frames, discard
475			 * any non-PAE frames received without encryption.
476			 */
477			if ((ic->ic_flags & IEEE80211_F_DROPUNENC) &&
478			    (key == NULL && (m->m_flags & M_WEP) == 0) &&
479			    eh->ether_type != htons(ETHERTYPE_PAE)) {
480				/*
481				 * Drop unencrypted frames.
482				 */
483				ic->ic_stats.is_rx_unencrypted++;
484				IEEE80211_NODE_STAT(ni, rx_unencrypted);
485				goto out;
486			}
487		}
488		/* XXX require HT? */
489		if (qos & IEEE80211_QOS_AMSDU) {
490			m = ieee80211_decap_amsdu(ni, m);
491			if (m == NULL)
492				return IEEE80211_FC0_TYPE_DATA;
493		} else if ((ni->ni_ath_flags & IEEE80211_NODE_FF) &&
494#define	FF_LLC_SIZE	(sizeof(struct ether_header) + sizeof(struct llc))
495		    m->m_pkthdr.len >= 3*FF_LLC_SIZE) {
496			struct llc *llc;
497
498			/*
499			 * Check for fast-frame tunnel encapsulation.
500			 */
501			if (m->m_len < FF_LLC_SIZE &&
502			    (m = m_pullup(m, FF_LLC_SIZE)) == NULL) {
503				IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
504				    ni->ni_macaddr, "fast-frame",
505				    "%s", "m_pullup(llc) failed");
506				ic->ic_stats.is_rx_tooshort++;
507				return IEEE80211_FC0_TYPE_DATA;
508			}
509			llc = (struct llc *)(mtod(m, uint8_t *) +
510				sizeof(struct ether_header));
511			if (llc->llc_snap.ether_type == htons(ATH_FF_ETH_TYPE)) {
512				m_adj(m, FF_LLC_SIZE);
513				m = ieee80211_decap_fastframe(ic, ni, m);
514				if (m == NULL)
515					return IEEE80211_FC0_TYPE_DATA;
516			}
517		}
518#undef FF_LLC_SIZE
519		ieee80211_deliver_data(ic, ni, m);
520		return IEEE80211_FC0_TYPE_DATA;
521
522	case IEEE80211_FC0_TYPE_MGT:
523		ic->ic_stats.is_rx_mgmt++;
524		IEEE80211_NODE_STAT(ni, rx_mgmt);
525		if (dir != IEEE80211_FC1_DIR_NODS) {
526			IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
527			    wh, "data", "unknown dir 0x%x", dir);
528			ic->ic_stats.is_rx_wrongdir++;
529			goto err;
530		}
531		if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
532			IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
533			    ni->ni_macaddr, "mgt", "too short: len %u",
534			    m->m_pkthdr.len);
535			ic->ic_stats.is_rx_tooshort++;
536			goto out;
537		}
538#ifdef IEEE80211_DEBUG
539		if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) ||
540		    ieee80211_msg_dumppkts(ic)) {
541			if_printf(ic->ic_ifp, "received %s from %s rssi %d\n",
542			    ieee80211_mgt_subtype_name[subtype >>
543				IEEE80211_FC0_SUBTYPE_SHIFT],
544			    ether_sprintf(wh->i_addr2), rssi);
545		}
546#endif
547		if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
548			if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
549				/*
550				 * Only shared key auth frames with a challenge
551				 * should be encrypted, discard all others.
552				 */
553				IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
554				    wh, ieee80211_mgt_subtype_name[subtype >>
555					IEEE80211_FC0_SUBTYPE_SHIFT],
556				    "%s", "WEP set but not permitted");
557				ic->ic_stats.is_rx_mgtdiscard++; /* XXX */
558				goto out;
559			}
560			if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) {
561				/*
562				 * Discard encrypted frames when privacy is off.
563				 */
564				IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
565				    wh, "mgt", "%s", "WEP set but PRIVACY off");
566				ic->ic_stats.is_rx_noprivacy++;
567				goto out;
568			}
569			hdrspace = ieee80211_hdrspace(ic, wh);
570			key = ieee80211_crypto_decap(ic, ni, m, hdrspace);
571			if (key == NULL) {
572				/* NB: stats+msgs handled in crypto_decap */
573				goto out;
574			}
575			wh = mtod(m, struct ieee80211_frame *);
576			wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
577		}
578		if (bpf_peers_present(ic->ic_rawbpf))
579			bpf_mtap(ic->ic_rawbpf, m);
580		(*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, noise, rstamp);
581		m_freem(m);
582		return IEEE80211_FC0_TYPE_MGT;
583
584	case IEEE80211_FC0_TYPE_CTL:
585		ic->ic_stats.is_rx_ctl++;
586		IEEE80211_NODE_STAT(ni, rx_ctrl);
587		if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
588			switch (subtype) {
589			case IEEE80211_FC0_SUBTYPE_PS_POLL:
590				ieee80211_recv_pspoll(ic, ni, m);
591				break;
592			case IEEE80211_FC0_SUBTYPE_BAR:
593				ieee80211_recv_bar(ni, m);
594				break;
595			}
596		}
597		goto out;
598	default:
599		IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
600		    wh, NULL, "bad frame type 0x%x", type);
601		/* should not come here */
602		break;
603	}
604err:
605	ifp->if_ierrors++;
606out:
607	if (m != NULL) {
608		if (bpf_peers_present(ic->ic_rawbpf) && need_tap)
609			bpf_mtap(ic->ic_rawbpf, m);
610		m_freem(m);
611	}
612	return type;
613#undef SEQ_LEQ
614}
615
616/*
617 * This function reassemble fragments.
618 */
619static struct mbuf *
620ieee80211_defrag(struct ieee80211com *ic, struct ieee80211_node *ni,
621	struct mbuf *m, int hdrspace)
622{
623	struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
624	struct ieee80211_frame *lwh;
625	uint16_t rxseq;
626	uint8_t fragno;
627	uint8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG;
628	struct mbuf *mfrag;
629
630	KASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?"));
631
632	rxseq = le16toh(*(uint16_t *)wh->i_seq);
633	fragno = rxseq & IEEE80211_SEQ_FRAG_MASK;
634
635	/* Quick way out, if there's nothing to defragment */
636	if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL)
637		return m;
638
639	/*
640	 * Remove frag to insure it doesn't get reaped by timer.
641	 */
642	if (ni->ni_table == NULL) {
643		/*
644		 * Should never happen.  If the node is orphaned (not in
645		 * the table) then input packets should not reach here.
646		 * Otherwise, a concurrent request that yanks the table
647		 * should be blocked by other interlocking and/or by first
648		 * shutting the driver down.  Regardless, be defensive
649		 * here and just bail
650		 */
651		/* XXX need msg+stat */
652		m_freem(m);
653		return NULL;
654	}
655	IEEE80211_NODE_LOCK(ni->ni_table);
656	mfrag = ni->ni_rxfrag[0];
657	ni->ni_rxfrag[0] = NULL;
658	IEEE80211_NODE_UNLOCK(ni->ni_table);
659
660	/*
661	 * Validate new fragment is in order and
662	 * related to the previous ones.
663	 */
664	if (mfrag != NULL) {
665		uint16_t last_rxseq;
666
667		lwh = mtod(mfrag, struct ieee80211_frame *);
668		last_rxseq = le16toh(*(uint16_t *)lwh->i_seq);
669		/* NB: check seq # and frag together */
670		if (rxseq != last_rxseq+1 ||
671		    !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) ||
672		    !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) {
673			/*
674			 * Unrelated fragment or no space for it,
675			 * clear current fragments.
676			 */
677			m_freem(mfrag);
678			mfrag = NULL;
679		}
680	}
681
682 	if (mfrag == NULL) {
683		if (fragno != 0) {		/* !first fragment, discard */
684			ic->ic_stats.is_rx_defrag++;
685			IEEE80211_NODE_STAT(ni, rx_defrag);
686			m_freem(m);
687			return NULL;
688		}
689		mfrag = m;
690	} else {				/* concatenate */
691		m_adj(m, hdrspace);		/* strip header */
692		m_cat(mfrag, m);
693		/* NB: m_cat doesn't update the packet header */
694		mfrag->m_pkthdr.len += m->m_pkthdr.len;
695		/* track last seqnum and fragno */
696		lwh = mtod(mfrag, struct ieee80211_frame *);
697		*(uint16_t *) lwh->i_seq = *(uint16_t *) wh->i_seq;
698	}
699	if (more_frag) {			/* more to come, save */
700		ni->ni_rxfragstamp = ticks;
701		ni->ni_rxfrag[0] = mfrag;
702		mfrag = NULL;
703	}
704	return mfrag;
705}
706
707void
708ieee80211_deliver_data(struct ieee80211com *ic,
709	struct ieee80211_node *ni, struct mbuf *m)
710{
711	struct ether_header *eh = mtod(m, struct ether_header *);
712	struct ifnet *ifp = ic->ic_ifp;
713
714	/*
715	 * Do accounting.
716	 */
717	ifp->if_ipackets++;
718	IEEE80211_NODE_STAT(ni, rx_data);
719	IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
720	if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
721		m->m_flags |= M_MCAST;		/* XXX M_BCAST? */
722		IEEE80211_NODE_STAT(ni, rx_mcast);
723	} else
724		IEEE80211_NODE_STAT(ni, rx_ucast);
725
726	/* clear driver/net80211 flags before passing up */
727	m->m_flags &= ~M_80211_RX;
728
729	/* perform as a bridge within the AP */
730	if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
731	    (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) {
732		struct mbuf *m1 = NULL;
733
734		if (m->m_flags & M_MCAST) {
735			m1 = m_dup(m, M_DONTWAIT);
736			if (m1 == NULL)
737				ifp->if_oerrors++;
738			else
739				m1->m_flags |= M_MCAST;
740		} else {
741			/*
742			 * Check if the destination is known; if so
743			 * and the port is authorized dispatch directly.
744			 */
745			struct ieee80211_node *sta =
746			    ieee80211_find_node(&ic->ic_sta, eh->ether_dhost);
747			if (sta != NULL) {
748				if (ieee80211_node_is_authorized(sta)) {
749					/*
750					 * Beware of sending to ourself; this
751					 * needs to happen via the normal
752					 * input path.
753					 */
754					if (sta != ic->ic_bss) {
755						m1 = m;
756						m = NULL;
757					}
758				} else {
759					ic->ic_stats.is_rx_unauth++;
760					IEEE80211_NODE_STAT(sta, rx_unauth);
761				}
762				ieee80211_free_node(sta);
763			}
764		}
765		if (m1 != NULL)
766			(void) IF_HANDOFF(&ifp->if_snd, m1, ifp);
767	}
768	if (m != NULL) {
769		m->m_pkthdr.rcvif = ifp;
770		if (ni->ni_vlan != 0) {
771			/* attach vlan tag */
772			m->m_pkthdr.ether_vtag = ni->ni_vlan;
773			m->m_flags |= M_VLANTAG;
774		}
775		(*ifp->if_input)(ifp, m);
776	}
777}
778
779static struct mbuf *
780ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, int hdrlen)
781{
782	struct ieee80211_qosframe_addr4 wh;	/* Max size address frames */
783	struct ether_header *eh;
784	struct llc *llc;
785
786	if (m->m_len < hdrlen + sizeof(*llc) &&
787	    (m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) {
788		/* XXX stat, msg */
789		return NULL;
790	}
791	memcpy(&wh, mtod(m, caddr_t), hdrlen);
792	llc = (struct llc *)(mtod(m, caddr_t) + hdrlen);
793	if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP &&
794	    llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 &&
795	    llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) {
796		m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh));
797		llc = NULL;
798	} else {
799		m_adj(m, hdrlen - sizeof(*eh));
800	}
801	eh = mtod(m, struct ether_header *);
802	switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) {
803	case IEEE80211_FC1_DIR_NODS:
804		IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1);
805		IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2);
806		break;
807	case IEEE80211_FC1_DIR_TODS:
808		IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3);
809		IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2);
810		break;
811	case IEEE80211_FC1_DIR_FROMDS:
812		IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1);
813		IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3);
814		break;
815	case IEEE80211_FC1_DIR_DSTODS:
816		IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3);
817		IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4);
818		break;
819	}
820#ifdef ALIGNED_POINTER
821	if (!ALIGNED_POINTER(mtod(m, caddr_t) + sizeof(*eh), uint32_t)) {
822		struct mbuf *n, *n0, **np;
823		caddr_t newdata;
824		int off, pktlen;
825
826		n0 = NULL;
827		np = &n0;
828		off = 0;
829		pktlen = m->m_pkthdr.len;
830		while (pktlen > off) {
831			if (n0 == NULL) {
832				MGETHDR(n, M_DONTWAIT, MT_DATA);
833				if (n == NULL) {
834					m_freem(m);
835					return NULL;
836				}
837				M_MOVE_PKTHDR(n, m);
838				n->m_len = MHLEN;
839			} else {
840				MGET(n, M_DONTWAIT, MT_DATA);
841				if (n == NULL) {
842					m_freem(m);
843					m_freem(n0);
844					return NULL;
845				}
846				n->m_len = MLEN;
847			}
848			if (pktlen - off >= MINCLSIZE) {
849				MCLGET(n, M_DONTWAIT);
850				if (n->m_flags & M_EXT)
851					n->m_len = n->m_ext.ext_size;
852			}
853			if (n0 == NULL) {
854				newdata =
855				    (caddr_t)ALIGN(n->m_data + sizeof(*eh)) -
856				    sizeof(*eh);
857				n->m_len -= newdata - n->m_data;
858				n->m_data = newdata;
859			}
860			if (n->m_len > pktlen - off)
861				n->m_len = pktlen - off;
862			m_copydata(m, off, n->m_len, mtod(n, caddr_t));
863			off += n->m_len;
864			*np = n;
865			np = &n->m_next;
866		}
867		m_freem(m);
868		m = n0;
869	}
870#endif /* ALIGNED_POINTER */
871	if (llc != NULL) {
872		eh = mtod(m, struct ether_header *);
873		eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh));
874	}
875	return m;
876}
877
878/*
879 * Decap a frame encapsulated in a fast-frame/A-MSDU.
880 */
881struct mbuf *
882ieee80211_decap1(struct mbuf *m, int *framelen)
883{
884#define	FF_LLC_SIZE	(sizeof(struct ether_header) + sizeof(struct llc))
885	struct ether_header *eh;
886	struct llc *llc;
887
888	/*
889	 * The frame has an 802.3 header followed by an 802.2
890	 * LLC header.  The encapsulated frame length is in the
891	 * first header type field; save that and overwrite it
892	 * with the true type field found in the second.  Then
893	 * copy the 802.3 header up to where it belongs and
894	 * adjust the mbuf contents to remove the void.
895	 */
896	if (m->m_len < FF_LLC_SIZE && (m = m_pullup(m, FF_LLC_SIZE)) == NULL)
897		return NULL;
898	eh = mtod(m, struct ether_header *);	/* 802.3 header is first */
899	llc = (struct llc *)&eh[1];		/* 802.2 header follows */
900	*framelen = ntohs(eh->ether_type)	/* encap'd frame size */
901		  + sizeof(struct ether_header) - sizeof(struct llc);
902	eh->ether_type = llc->llc_un.type_snap.ether_type;
903	ovbcopy(eh, mtod(m, uint8_t *) + sizeof(struct llc),
904		sizeof(struct ether_header));
905	m_adj(m, sizeof(struct llc));
906	return m;
907#undef FF_LLC_SIZE
908}
909
910/*
911 * Decap the encapsulated frame pair and dispatch the first
912 * for delivery.  The second frame is returned for delivery
913 * via the normal path.
914 */
915static struct mbuf *
916ieee80211_decap_fastframe(struct ieee80211com *ic,
917	struct ieee80211_node *ni, struct mbuf *m)
918{
919#define	MS(x,f)	(((x) & f) >> f##_S)
920	uint32_t ath;
921	struct mbuf *n;
922	int framelen;
923
924	m_copydata(m, 0, sizeof(uint32_t), (caddr_t) &ath);
925	if (MS(ath, ATH_FF_PROTO) != ATH_FF_PROTO_L2TUNNEL) {
926		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
927		    ni->ni_macaddr, "fast-frame",
928		    "unsupport tunnel protocol, header 0x%x", ath);
929		ic->ic_stats.is_ff_badhdr++;
930		m_freem(m);
931		return NULL;
932	}
933	/* NB: skip header and alignment padding */
934	m_adj(m, roundup(sizeof(uint32_t) - 2, 4) + 2);
935
936	ic->ic_stats.is_ff_decap++;
937
938	/*
939	 * Decap the first frame, bust it apart from the
940	 * second and deliver; then decap the second frame
941	 * and return it to the caller for normal delivery.
942	 */
943	m = ieee80211_decap1(m, &framelen);
944	if (m == NULL) {
945		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
946		    ni->ni_macaddr, "fast-frame", "%s", "first decap failed");
947		ic->ic_stats.is_ff_tooshort++;
948		return NULL;
949	}
950	n = m_split(m, framelen, M_NOWAIT);
951	if (n == NULL) {
952		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
953		    ni->ni_macaddr, "fast-frame",
954		    "%s", "unable to split encapsulated frames");
955		ic->ic_stats.is_ff_split++;
956		m_freem(m);			/* NB: must reclaim */
957		return NULL;
958	}
959	ieee80211_deliver_data(ic, ni, m);	/* 1st of pair */
960
961	/*
962	 * Decap second frame.
963	 */
964	m_adj(n, roundup2(framelen, 4) - framelen);	/* padding */
965	n = ieee80211_decap1(n, &framelen);
966	if (n == NULL) {
967		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
968		    ni->ni_macaddr, "fast-frame", "%s", "second decap failed");
969		ic->ic_stats.is_ff_tooshort++;
970	}
971	/* XXX verify framelen against mbuf contents */
972	return n;				/* 2nd delivered by caller */
973#undef MS
974}
975
976/*
977 * Install received rate set information in the node's state block.
978 */
979int
980ieee80211_setup_rates(struct ieee80211_node *ni,
981	const uint8_t *rates, const uint8_t *xrates, int flags)
982{
983	struct ieee80211com *ic = ni->ni_ic;
984	struct ieee80211_rateset *rs = &ni->ni_rates;
985
986	memset(rs, 0, sizeof(*rs));
987	rs->rs_nrates = rates[1];
988	memcpy(rs->rs_rates, rates + 2, rs->rs_nrates);
989	if (xrates != NULL) {
990		uint8_t nxrates;
991		/*
992		 * Tack on 11g extended supported rate element.
993		 */
994		nxrates = xrates[1];
995		if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) {
996			nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates;
997			IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE,
998			     "[%s] extended rate set too large;"
999			     " only using %u of %u rates\n",
1000			     ether_sprintf(ni->ni_macaddr), nxrates, xrates[1]);
1001			ic->ic_stats.is_rx_rstoobig++;
1002		}
1003		memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates);
1004		rs->rs_nrates += nxrates;
1005	}
1006	return ieee80211_fix_rate(ni, rs, flags);
1007}
1008
1009static void
1010ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh,
1011    struct ieee80211_node *ni, int rssi, int noise, uint32_t rstamp,
1012    uint16_t seq, uint16_t status)
1013{
1014
1015	if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
1016		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1017		    ni->ni_macaddr, "open auth",
1018		    "bad sta auth mode %u", ni->ni_authmode);
1019		ic->ic_stats.is_rx_bad_auth++;	/* XXX */
1020		if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
1021			/*
1022			 * Clear any challenge text that may be there if
1023			 * a previous shared key auth failed and then an
1024			 * open auth is attempted.
1025			 */
1026			if (ni->ni_challenge != NULL) {
1027				FREE(ni->ni_challenge, M_80211_NODE);
1028				ni->ni_challenge = NULL;
1029			}
1030			/* XXX hack to workaround calling convention */
1031			ieee80211_send_error(ic, ni, wh->i_addr2,
1032			    IEEE80211_FC0_SUBTYPE_AUTH,
1033			    (seq + 1) | (IEEE80211_STATUS_ALG<<16));
1034		}
1035		return;
1036	}
1037	switch (ic->ic_opmode) {
1038	case IEEE80211_M_IBSS:
1039	case IEEE80211_M_AHDEMO:
1040	case IEEE80211_M_MONITOR:
1041	case IEEE80211_M_WDS:
1042		/* should not come here */
1043		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1044		    ni->ni_macaddr, "open auth",
1045		    "bad operating mode %u", ic->ic_opmode);
1046		break;
1047
1048	case IEEE80211_M_HOSTAP:
1049		if (ic->ic_state != IEEE80211_S_RUN ||
1050		    seq != IEEE80211_AUTH_OPEN_REQUEST) {
1051			ic->ic_stats.is_rx_bad_auth++;
1052			return;
1053		}
1054		/* always accept open authentication requests */
1055		if (ni == ic->ic_bss) {
1056			ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2);
1057			if (ni == NULL)
1058				return;
1059		} else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1060			(void) ieee80211_ref_node(ni);
1061		/*
1062		 * Mark the node as referenced to reflect that it's
1063		 * reference count has been bumped to insure it remains
1064		 * after the transaction completes.
1065		 */
1066		ni->ni_flags |= IEEE80211_NODE_AREF;
1067
1068		IEEE80211_SEND_MGMT(ic, ni,
1069			IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1070		IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1071		    "[%s] station authenticated (open)\n",
1072		    ether_sprintf(ni->ni_macaddr));
1073		/*
1074		 * When 802.1x is not in use mark the port
1075		 * authorized at this point so traffic can flow.
1076		 */
1077		if (ni->ni_authmode != IEEE80211_AUTH_8021X)
1078			ieee80211_node_authorize(ni);
1079		break;
1080
1081	case IEEE80211_M_STA:
1082		if (ic->ic_state != IEEE80211_S_AUTH ||
1083		    seq != IEEE80211_AUTH_OPEN_RESPONSE) {
1084			ic->ic_stats.is_rx_bad_auth++;
1085			return;
1086		}
1087		if (status != 0) {
1088			IEEE80211_DPRINTF(ic,
1089			    IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1090			    "[%s] open auth failed (reason %d)\n",
1091			    ether_sprintf(ni->ni_macaddr), status);
1092			/* XXX can this happen? */
1093			if (ni != ic->ic_bss)
1094				ni->ni_fails++;
1095			ic->ic_stats.is_rx_auth_fail++;
1096			ieee80211_new_state(ic, IEEE80211_S_SCAN,
1097			    IEEE80211_SCAN_FAIL_STATUS);
1098		} else
1099			ieee80211_new_state(ic, IEEE80211_S_ASSOC, 0);
1100		break;
1101	}
1102}
1103
1104/*
1105 * Send a management frame error response to the specified
1106 * station.  If ni is associated with the station then use
1107 * it; otherwise allocate a temporary node suitable for
1108 * transmitting the frame and then free the reference so
1109 * it will go away as soon as the frame has been transmitted.
1110 */
1111static void
1112ieee80211_send_error(struct ieee80211com *ic, struct ieee80211_node *ni,
1113	const uint8_t *mac, int subtype, int arg)
1114{
1115	int istmp;
1116
1117	if (ni == ic->ic_bss) {
1118		ni = ieee80211_tmp_node(ic, mac);
1119		if (ni == NULL) {
1120			/* XXX msg */
1121			return;
1122		}
1123		istmp = 1;
1124	} else
1125		istmp = 0;
1126	IEEE80211_SEND_MGMT(ic, ni, subtype, arg);
1127	if (istmp)
1128		ieee80211_free_node(ni);
1129}
1130
1131static int
1132alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni)
1133{
1134	if (ni->ni_challenge == NULL)
1135		MALLOC(ni->ni_challenge, uint32_t*, IEEE80211_CHALLENGE_LEN,
1136		    M_80211_NODE, M_NOWAIT);
1137	if (ni->ni_challenge == NULL) {
1138		IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1139		    "[%s] shared key challenge alloc failed\n",
1140		    ether_sprintf(ni->ni_macaddr));
1141		/* XXX statistic */
1142	}
1143	return (ni->ni_challenge != NULL);
1144}
1145
1146/* XXX TODO: add statistics */
1147static void
1148ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh,
1149    uint8_t *frm, uint8_t *efrm, struct ieee80211_node *ni,
1150    int rssi, int noise, uint32_t rstamp, uint16_t seq, uint16_t status)
1151{
1152	uint8_t *challenge;
1153	int allocbs, estatus;
1154
1155	/*
1156	 * NB: this can happen as we allow pre-shared key
1157	 * authentication to be enabled w/o wep being turned
1158	 * on so that configuration of these can be done
1159	 * in any order.  It may be better to enforce the
1160	 * ordering in which case this check would just be
1161	 * for sanity/consistency.
1162	 */
1163	if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) {
1164		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1165		    ni->ni_macaddr, "shared key auth",
1166		    "%s", " PRIVACY is disabled");
1167		estatus = IEEE80211_STATUS_ALG;
1168		goto bad;
1169	}
1170	/*
1171	 * Pre-shared key authentication is evil; accept
1172	 * it only if explicitly configured (it is supported
1173	 * mainly for compatibility with clients like OS X).
1174	 */
1175	if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1176	    ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1177		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1178		    ni->ni_macaddr, "shared key auth",
1179		    "bad sta auth mode %u", ni->ni_authmode);
1180		ic->ic_stats.is_rx_bad_auth++;	/* XXX maybe a unique error? */
1181		estatus = IEEE80211_STATUS_ALG;
1182		goto bad;
1183	}
1184
1185	challenge = NULL;
1186	if (frm + 1 < efrm) {
1187		if ((frm[1] + 2) > (efrm - frm)) {
1188			IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1189			    ni->ni_macaddr, "shared key auth",
1190			    "ie %d/%d too long",
1191			    frm[0], (frm[1] + 2) - (efrm - frm));
1192			ic->ic_stats.is_rx_bad_auth++;
1193			estatus = IEEE80211_STATUS_CHALLENGE;
1194			goto bad;
1195		}
1196		if (*frm == IEEE80211_ELEMID_CHALLENGE)
1197			challenge = frm;
1198		frm += frm[1] + 2;
1199	}
1200	switch (seq) {
1201	case IEEE80211_AUTH_SHARED_CHALLENGE:
1202	case IEEE80211_AUTH_SHARED_RESPONSE:
1203		if (challenge == NULL) {
1204			IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1205			    ni->ni_macaddr, "shared key auth",
1206			    "%s", "no challenge");
1207			ic->ic_stats.is_rx_bad_auth++;
1208			estatus = IEEE80211_STATUS_CHALLENGE;
1209			goto bad;
1210		}
1211		if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1212			IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1213			    ni->ni_macaddr, "shared key auth",
1214			    "bad challenge len %d", challenge[1]);
1215			ic->ic_stats.is_rx_bad_auth++;
1216			estatus = IEEE80211_STATUS_CHALLENGE;
1217			goto bad;
1218		}
1219	default:
1220		break;
1221	}
1222	switch (ic->ic_opmode) {
1223	case IEEE80211_M_MONITOR:
1224	case IEEE80211_M_AHDEMO:
1225	case IEEE80211_M_IBSS:
1226	case IEEE80211_M_WDS:
1227		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1228		    ni->ni_macaddr, "shared key auth",
1229		    "bad operating mode %u", ic->ic_opmode);
1230		return;
1231	case IEEE80211_M_HOSTAP:
1232		if (ic->ic_state != IEEE80211_S_RUN) {
1233			IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1234			    ni->ni_macaddr, "shared key auth",
1235			    "bad state %u", ic->ic_state);
1236			estatus = IEEE80211_STATUS_ALG;	/* XXX */
1237			goto bad;
1238		}
1239		switch (seq) {
1240		case IEEE80211_AUTH_SHARED_REQUEST:
1241			if (ni == ic->ic_bss) {
1242				ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2);
1243				if (ni == NULL) {
1244					/* NB: no way to return an error */
1245					return;
1246				}
1247				allocbs = 1;
1248			} else {
1249				if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1250					(void) ieee80211_ref_node(ni);
1251				allocbs = 0;
1252			}
1253			/*
1254			 * Mark the node as referenced to reflect that it's
1255			 * reference count has been bumped to insure it remains
1256			 * after the transaction completes.
1257			 */
1258			ni->ni_flags |= IEEE80211_NODE_AREF;
1259			ni->ni_rssi = rssi;
1260			ni->ni_noise = noise;
1261			ni->ni_rstamp = rstamp;
1262			if (!alloc_challenge(ic, ni)) {
1263				/* NB: don't return error so they rexmit */
1264				return;
1265			}
1266			get_random_bytes(ni->ni_challenge,
1267				IEEE80211_CHALLENGE_LEN);
1268			IEEE80211_DPRINTF(ic,
1269				IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1270				"[%s] shared key %sauth request\n",
1271				ether_sprintf(ni->ni_macaddr),
1272				allocbs ? "" : "re");
1273			break;
1274		case IEEE80211_AUTH_SHARED_RESPONSE:
1275			if (ni == ic->ic_bss) {
1276				IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1277				    ni->ni_macaddr, "shared key response",
1278				    "%s", "unknown station");
1279				/* NB: don't send a response */
1280				return;
1281			}
1282			if (ni->ni_challenge == NULL) {
1283				IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1284				    ni->ni_macaddr, "shared key response",
1285				    "%s", "no challenge recorded");
1286				ic->ic_stats.is_rx_bad_auth++;
1287				estatus = IEEE80211_STATUS_CHALLENGE;
1288				goto bad;
1289			}
1290			if (memcmp(ni->ni_challenge, &challenge[2],
1291			           challenge[1]) != 0) {
1292				IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1293				    ni->ni_macaddr, "shared key response",
1294				    "%s", "challenge mismatch");
1295				ic->ic_stats.is_rx_auth_fail++;
1296				estatus = IEEE80211_STATUS_CHALLENGE;
1297				goto bad;
1298			}
1299			IEEE80211_DPRINTF(ic,
1300			    IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1301			    "[%s] station authenticated (shared key)\n",
1302			    ether_sprintf(ni->ni_macaddr));
1303			ieee80211_node_authorize(ni);
1304			break;
1305		default:
1306			IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1307			    ni->ni_macaddr, "shared key auth",
1308			    "bad seq %d", seq);
1309			ic->ic_stats.is_rx_bad_auth++;
1310			estatus = IEEE80211_STATUS_SEQUENCE;
1311			goto bad;
1312		}
1313		IEEE80211_SEND_MGMT(ic, ni,
1314			IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1315		break;
1316
1317	case IEEE80211_M_STA:
1318		if (ic->ic_state != IEEE80211_S_AUTH)
1319			return;
1320		switch (seq) {
1321		case IEEE80211_AUTH_SHARED_PASS:
1322			if (ni->ni_challenge != NULL) {
1323				FREE(ni->ni_challenge, M_80211_NODE);
1324				ni->ni_challenge = NULL;
1325			}
1326			if (status != 0) {
1327				IEEE80211_DPRINTF(ic,
1328				    IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1329				    "[%s] shared key auth failed (reason %d)\n",
1330				    ether_sprintf(ieee80211_getbssid(ic, wh)),
1331				    status);
1332				/* XXX can this happen? */
1333				if (ni != ic->ic_bss)
1334					ni->ni_fails++;
1335				ic->ic_stats.is_rx_auth_fail++;
1336				return;
1337			}
1338			ieee80211_new_state(ic, IEEE80211_S_ASSOC, 0);
1339			break;
1340		case IEEE80211_AUTH_SHARED_CHALLENGE:
1341			if (!alloc_challenge(ic, ni))
1342				return;
1343			/* XXX could optimize by passing recvd challenge */
1344			memcpy(ni->ni_challenge, &challenge[2], challenge[1]);
1345			IEEE80211_SEND_MGMT(ic, ni,
1346				IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1347			break;
1348		default:
1349			IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH,
1350			    wh, "shared key auth", "bad seq %d", seq);
1351			ic->ic_stats.is_rx_bad_auth++;
1352			return;
1353		}
1354		break;
1355	}
1356	return;
1357bad:
1358	/*
1359	 * Send an error response; but only when operating as an AP.
1360	 */
1361	if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
1362		/* XXX hack to workaround calling convention */
1363		ieee80211_send_error(ic, ni, wh->i_addr2,
1364		    IEEE80211_FC0_SUBTYPE_AUTH,
1365		    (seq + 1) | (estatus<<16));
1366	} else if (ic->ic_opmode == IEEE80211_M_STA) {
1367		/*
1368		 * Kick the state machine.  This short-circuits
1369		 * using the mgt frame timeout to trigger the
1370		 * state transition.
1371		 */
1372		if (ic->ic_state == IEEE80211_S_AUTH)
1373			ieee80211_new_state(ic, IEEE80211_S_SCAN,
1374			    IEEE80211_SCAN_FAIL_STATUS);
1375	}
1376}
1377
1378/* Verify the existence and length of __elem or get out. */
1379#define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do {			\
1380	if ((__elem) == NULL) {						\
1381		IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID,		\
1382		    wh, ieee80211_mgt_subtype_name[subtype >>		\
1383			IEEE80211_FC0_SUBTYPE_SHIFT],			\
1384		    "%s", "no " #__elem );				\
1385		ic->ic_stats.is_rx_elem_missing++;			\
1386		return;							\
1387	}								\
1388	if ((__elem)[1] > (__maxlen)) {					\
1389		IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID,		\
1390		    wh, ieee80211_mgt_subtype_name[subtype >>		\
1391			IEEE80211_FC0_SUBTYPE_SHIFT],			\
1392		    "bad " #__elem " len %d", (__elem)[1]);		\
1393		ic->ic_stats.is_rx_elem_toobig++;			\
1394		return;							\
1395	}								\
1396} while (0)
1397
1398#define	IEEE80211_VERIFY_LENGTH(_len, _minlen, _action) do {		\
1399	if ((_len) < (_minlen)) {					\
1400		IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID,		\
1401		    wh, ieee80211_mgt_subtype_name[subtype >>		\
1402			IEEE80211_FC0_SUBTYPE_SHIFT],			\
1403		    "ie too short, got %d, expected %d",		\
1404		    (_len), (_minlen));					\
1405		ic->ic_stats.is_rx_elem_toosmall++;			\
1406		_action;						\
1407	}								\
1408} while (0)
1409
1410#ifdef IEEE80211_DEBUG
1411static void
1412ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag,
1413	uint8_t mac[IEEE80211_ADDR_LEN], uint8_t *ssid)
1414{
1415	printf("[%s] discard %s frame, ssid mismatch: ",
1416		ether_sprintf(mac), tag);
1417	ieee80211_print_essid(ssid + 2, ssid[1]);
1418	printf("\n");
1419}
1420
1421#define	IEEE80211_VERIFY_SSID(_ni, _ssid) do {				\
1422	if ((_ssid)[1] != 0 &&						\
1423	    ((_ssid)[1] != (_ni)->ni_esslen ||				\
1424	    memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) {	\
1425		if (ieee80211_msg_input(ic))				\
1426			ieee80211_ssid_mismatch(ic, 			\
1427			    ieee80211_mgt_subtype_name[subtype >>	\
1428				IEEE80211_FC0_SUBTYPE_SHIFT],		\
1429				wh->i_addr2, _ssid);			\
1430		ic->ic_stats.is_rx_ssidmismatch++;			\
1431		return;							\
1432	}								\
1433} while (0)
1434#else /* !IEEE80211_DEBUG */
1435#define	IEEE80211_VERIFY_SSID(_ni, _ssid) do {				\
1436	if ((_ssid)[1] != 0 &&						\
1437	    ((_ssid)[1] != (_ni)->ni_esslen ||				\
1438	    memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) {	\
1439		ic->ic_stats.is_rx_ssidmismatch++;			\
1440		return;							\
1441	}								\
1442} while (0)
1443#endif /* !IEEE80211_DEBUG */
1444
1445/* unalligned little endian access */
1446#define LE_READ_2(p)					\
1447	((uint16_t)					\
1448	 ((((const uint8_t *)(p))[0]      ) |		\
1449	  (((const uint8_t *)(p))[1] <<  8)))
1450#define LE_READ_4(p)					\
1451	((uint32_t)					\
1452	 ((((const uint8_t *)(p))[0]      ) |		\
1453	  (((const uint8_t *)(p))[1] <<  8) |		\
1454	  (((const uint8_t *)(p))[2] << 16) |		\
1455	  (((const uint8_t *)(p))[3] << 24)))
1456
1457static __inline int
1458iswpaoui(const uint8_t *frm)
1459{
1460	return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI);
1461}
1462
1463static __inline int
1464iswmeoui(const uint8_t *frm)
1465{
1466	return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI);
1467}
1468
1469static __inline int
1470iswmeparam(const uint8_t *frm)
1471{
1472	return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) &&
1473		frm[6] == WME_PARAM_OUI_SUBTYPE;
1474}
1475
1476static __inline int
1477iswmeinfo(const uint8_t *frm)
1478{
1479	return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) &&
1480		frm[6] == WME_INFO_OUI_SUBTYPE;
1481}
1482
1483static __inline int
1484isatherosoui(const uint8_t *frm)
1485{
1486	return frm[1] > 3 && LE_READ_4(frm+2) == ((ATH_OUI_TYPE<<24)|ATH_OUI);
1487}
1488
1489static __inline int
1490ishtcapoui(const uint8_t *frm)
1491{
1492	return frm[1] > 3 && LE_READ_4(frm+2) == ((BCM_OUI_HTCAP<<24)|BCM_OUI);
1493}
1494
1495static __inline int
1496ishtinfooui(const uint8_t *frm)
1497{
1498	return frm[1] > 3 && LE_READ_4(frm+2) == ((BCM_OUI_HTINFO<<24)|BCM_OUI);
1499}
1500
1501/*
1502 * Convert a WPA cipher selector OUI to an internal
1503 * cipher algorithm.  Where appropriate we also
1504 * record any key length.
1505 */
1506static int
1507wpa_cipher(uint8_t *sel, uint8_t *keylen)
1508{
1509#define	WPA_SEL(x)	(((x)<<24)|WPA_OUI)
1510	uint32_t w = LE_READ_4(sel);
1511
1512	switch (w) {
1513	case WPA_SEL(WPA_CSE_NULL):
1514		return IEEE80211_CIPHER_NONE;
1515	case WPA_SEL(WPA_CSE_WEP40):
1516		if (keylen)
1517			*keylen = 40 / NBBY;
1518		return IEEE80211_CIPHER_WEP;
1519	case WPA_SEL(WPA_CSE_WEP104):
1520		if (keylen)
1521			*keylen = 104 / NBBY;
1522		return IEEE80211_CIPHER_WEP;
1523	case WPA_SEL(WPA_CSE_TKIP):
1524		return IEEE80211_CIPHER_TKIP;
1525	case WPA_SEL(WPA_CSE_CCMP):
1526		return IEEE80211_CIPHER_AES_CCM;
1527	}
1528	return 32;		/* NB: so 1<< is discarded */
1529#undef WPA_SEL
1530}
1531
1532/*
1533 * Convert a WPA key management/authentication algorithm
1534 * to an internal code.
1535 */
1536static int
1537wpa_keymgmt(uint8_t *sel)
1538{
1539#define	WPA_SEL(x)	(((x)<<24)|WPA_OUI)
1540	uint32_t w = LE_READ_4(sel);
1541
1542	switch (w) {
1543	case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1544		return WPA_ASE_8021X_UNSPEC;
1545	case WPA_SEL(WPA_ASE_8021X_PSK):
1546		return WPA_ASE_8021X_PSK;
1547	case WPA_SEL(WPA_ASE_NONE):
1548		return WPA_ASE_NONE;
1549	}
1550	return 0;		/* NB: so is discarded */
1551#undef WPA_SEL
1552}
1553
1554/*
1555 * Parse a WPA information element to collect parameters
1556 * and validate the parameters against what has been
1557 * configured for the system.
1558 */
1559static int
1560ieee80211_parse_wpa(struct ieee80211com *ic, uint8_t *frm,
1561	struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1562{
1563	uint8_t len = frm[1];
1564	uint32_t w;
1565	int n;
1566
1567	/*
1568	 * Check the length once for fixed parts: OUI, type,
1569	 * version, mcast cipher, and 2 selector counts.
1570	 * Other, variable-length data, must be checked separately.
1571	 */
1572	if ((ic->ic_flags & IEEE80211_F_WPA1) == 0) {
1573		IEEE80211_DISCARD_IE(ic,
1574		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1575		    wh, "WPA", "not WPA, flags 0x%x", ic->ic_flags);
1576		return IEEE80211_REASON_IE_INVALID;
1577	}
1578	if (len < 14) {
1579		IEEE80211_DISCARD_IE(ic,
1580		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1581		    wh, "WPA", "too short, len %u", len);
1582		return IEEE80211_REASON_IE_INVALID;
1583	}
1584	frm += 6, len -= 4;		/* NB: len is payload only */
1585	/* NB: iswapoui already validated the OUI and type */
1586	w = LE_READ_2(frm);
1587	if (w != WPA_VERSION) {
1588		IEEE80211_DISCARD_IE(ic,
1589		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1590		    wh, "WPA", "bad version %u", w);
1591		return IEEE80211_REASON_IE_INVALID;
1592	}
1593	frm += 2, len -= 2;
1594
1595	/* multicast/group cipher */
1596	w = wpa_cipher(frm, &rsn->rsn_mcastkeylen);
1597	if (w != rsn->rsn_mcastcipher) {
1598		IEEE80211_DISCARD_IE(ic,
1599		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1600		    wh, "WPA", "mcast cipher mismatch; got %u, expected %u",
1601		    w, rsn->rsn_mcastcipher);
1602		return IEEE80211_REASON_IE_INVALID;
1603	}
1604	frm += 4, len -= 4;
1605
1606	/* unicast ciphers */
1607	n = LE_READ_2(frm);
1608	frm += 2, len -= 2;
1609	if (len < n*4+2) {
1610		IEEE80211_DISCARD_IE(ic,
1611		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1612		    wh, "WPA", "ucast cipher data too short; len %u, n %u",
1613		    len, n);
1614		return IEEE80211_REASON_IE_INVALID;
1615	}
1616	w = 0;
1617	for (; n > 0; n--) {
1618		w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen);
1619		frm += 4, len -= 4;
1620	}
1621	w &= rsn->rsn_ucastcipherset;
1622	if (w == 0) {
1623		IEEE80211_DISCARD_IE(ic,
1624		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1625		    wh, "WPA", "%s", "ucast cipher set empty");
1626		return IEEE80211_REASON_IE_INVALID;
1627	}
1628	if (w & (1<<IEEE80211_CIPHER_TKIP))
1629		rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1630	else
1631		rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1632
1633	/* key management algorithms */
1634	n = LE_READ_2(frm);
1635	frm += 2, len -= 2;
1636	if (len < n*4) {
1637		IEEE80211_DISCARD_IE(ic,
1638		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1639		    wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1640		    len, n);
1641		return IEEE80211_REASON_IE_INVALID;
1642	}
1643	w = 0;
1644	for (; n > 0; n--) {
1645		w |= wpa_keymgmt(frm);
1646		frm += 4, len -= 4;
1647	}
1648	w &= rsn->rsn_keymgmtset;
1649	if (w == 0) {
1650		IEEE80211_DISCARD_IE(ic,
1651		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1652		    wh, "WPA", "%s", "no acceptable key mgmt alg");
1653		return IEEE80211_REASON_IE_INVALID;
1654	}
1655	if (w & WPA_ASE_8021X_UNSPEC)
1656		rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1657	else
1658		rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1659
1660	if (len > 2)		/* optional capabilities */
1661		rsn->rsn_caps = LE_READ_2(frm);
1662
1663	return 0;
1664}
1665
1666/*
1667 * Convert an RSN cipher selector OUI to an internal
1668 * cipher algorithm.  Where appropriate we also
1669 * record any key length.
1670 */
1671static int
1672rsn_cipher(uint8_t *sel, uint8_t *keylen)
1673{
1674#define	RSN_SEL(x)	(((x)<<24)|RSN_OUI)
1675	uint32_t w = LE_READ_4(sel);
1676
1677	switch (w) {
1678	case RSN_SEL(RSN_CSE_NULL):
1679		return IEEE80211_CIPHER_NONE;
1680	case RSN_SEL(RSN_CSE_WEP40):
1681		if (keylen)
1682			*keylen = 40 / NBBY;
1683		return IEEE80211_CIPHER_WEP;
1684	case RSN_SEL(RSN_CSE_WEP104):
1685		if (keylen)
1686			*keylen = 104 / NBBY;
1687		return IEEE80211_CIPHER_WEP;
1688	case RSN_SEL(RSN_CSE_TKIP):
1689		return IEEE80211_CIPHER_TKIP;
1690	case RSN_SEL(RSN_CSE_CCMP):
1691		return IEEE80211_CIPHER_AES_CCM;
1692	case RSN_SEL(RSN_CSE_WRAP):
1693		return IEEE80211_CIPHER_AES_OCB;
1694	}
1695	return 32;		/* NB: so 1<< is discarded */
1696#undef WPA_SEL
1697}
1698
1699/*
1700 * Convert an RSN key management/authentication algorithm
1701 * to an internal code.
1702 */
1703static int
1704rsn_keymgmt(uint8_t *sel)
1705{
1706#define	RSN_SEL(x)	(((x)<<24)|RSN_OUI)
1707	uint32_t w = LE_READ_4(sel);
1708
1709	switch (w) {
1710	case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1711		return RSN_ASE_8021X_UNSPEC;
1712	case RSN_SEL(RSN_ASE_8021X_PSK):
1713		return RSN_ASE_8021X_PSK;
1714	case RSN_SEL(RSN_ASE_NONE):
1715		return RSN_ASE_NONE;
1716	}
1717	return 0;		/* NB: so is discarded */
1718#undef RSN_SEL
1719}
1720
1721/*
1722 * Parse a WPA/RSN information element to collect parameters
1723 * and validate the parameters against what has been
1724 * configured for the system.
1725 */
1726static int
1727ieee80211_parse_rsn(struct ieee80211com *ic, uint8_t *frm,
1728	struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1729{
1730	uint8_t len = frm[1];
1731	uint32_t w;
1732	int n;
1733
1734	/*
1735	 * Check the length once for fixed parts:
1736	 * version, mcast cipher, and 2 selector counts.
1737	 * Other, variable-length data, must be checked separately.
1738	 */
1739	if ((ic->ic_flags & IEEE80211_F_WPA2) == 0) {
1740		IEEE80211_DISCARD_IE(ic,
1741		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1742		    wh, "WPA", "not RSN, flags 0x%x", ic->ic_flags);
1743		return IEEE80211_REASON_IE_INVALID;
1744	}
1745	if (len < 10) {
1746		IEEE80211_DISCARD_IE(ic,
1747		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1748		    wh, "RSN", "too short, len %u", len);
1749		return IEEE80211_REASON_IE_INVALID;
1750	}
1751	frm += 2;
1752	w = LE_READ_2(frm);
1753	if (w != RSN_VERSION) {
1754		IEEE80211_DISCARD_IE(ic,
1755		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1756		    wh, "RSN", "bad version %u", w);
1757		return IEEE80211_REASON_IE_INVALID;
1758	}
1759	frm += 2, len -= 2;
1760
1761	/* multicast/group cipher */
1762	w = rsn_cipher(frm, &rsn->rsn_mcastkeylen);
1763	if (w != rsn->rsn_mcastcipher) {
1764		IEEE80211_DISCARD_IE(ic,
1765		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1766		    wh, "RSN", "mcast cipher mismatch; got %u, expected %u",
1767		    w, rsn->rsn_mcastcipher);
1768		return IEEE80211_REASON_IE_INVALID;
1769	}
1770	frm += 4, len -= 4;
1771
1772	/* unicast ciphers */
1773	n = LE_READ_2(frm);
1774	frm += 2, len -= 2;
1775	if (len < n*4+2) {
1776		IEEE80211_DISCARD_IE(ic,
1777		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1778		    wh, "RSN", "ucast cipher data too short; len %u, n %u",
1779		    len, n);
1780		return IEEE80211_REASON_IE_INVALID;
1781	}
1782	w = 0;
1783	for (; n > 0; n--) {
1784		w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen);
1785		frm += 4, len -= 4;
1786	}
1787	w &= rsn->rsn_ucastcipherset;
1788	if (w == 0) {
1789		IEEE80211_DISCARD_IE(ic,
1790		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1791		    wh, "RSN", "%s", "ucast cipher set empty");
1792		return IEEE80211_REASON_IE_INVALID;
1793	}
1794	if (w & (1<<IEEE80211_CIPHER_TKIP))
1795		rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1796	else
1797		rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1798
1799	/* key management algorithms */
1800	n = LE_READ_2(frm);
1801	frm += 2, len -= 2;
1802	if (len < n*4) {
1803		IEEE80211_DISCARD_IE(ic,
1804		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1805		    wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1806		    len, n);
1807		return IEEE80211_REASON_IE_INVALID;
1808	}
1809	w = 0;
1810	for (; n > 0; n--) {
1811		w |= rsn_keymgmt(frm);
1812		frm += 4, len -= 4;
1813	}
1814	w &= rsn->rsn_keymgmtset;
1815	if (w == 0) {
1816		IEEE80211_DISCARD_IE(ic,
1817		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1818		    wh, "RSN", "%s", "no acceptable key mgmt alg");
1819		return IEEE80211_REASON_IE_INVALID;
1820	}
1821	if (w & RSN_ASE_8021X_UNSPEC)
1822		rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1823	else
1824		rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1825
1826	/* optional RSN capabilities */
1827	if (len > 2)
1828		rsn->rsn_caps = LE_READ_2(frm);
1829	/* XXXPMKID */
1830
1831	return 0;
1832}
1833
1834static int
1835ieee80211_parse_wmeparams(struct ieee80211com *ic, uint8_t *frm,
1836	const struct ieee80211_frame *wh)
1837{
1838#define	MS(_v, _f)	(((_v) & _f) >> _f##_S)
1839	struct ieee80211_wme_state *wme = &ic->ic_wme;
1840	u_int len = frm[1], qosinfo;
1841	int i;
1842
1843	if (len < sizeof(struct ieee80211_wme_param)-2) {
1844		IEEE80211_DISCARD_IE(ic,
1845		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME,
1846		    wh, "WME", "too short, len %u", len);
1847		return -1;
1848	}
1849	qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)];
1850	qosinfo &= WME_QOSINFO_COUNT;
1851	/* XXX do proper check for wraparound */
1852	if (qosinfo == wme->wme_wmeChanParams.cap_info)
1853		return 0;
1854	frm += __offsetof(struct ieee80211_wme_param, params_acParams);
1855	for (i = 0; i < WME_NUM_AC; i++) {
1856		struct wmeParams *wmep =
1857			&wme->wme_wmeChanParams.cap_wmeParams[i];
1858		/* NB: ACI not used */
1859		wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM);
1860		wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN);
1861		wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN);
1862		wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX);
1863		wmep->wmep_txopLimit = LE_READ_2(frm+2);
1864		frm += 4;
1865	}
1866	wme->wme_wmeChanParams.cap_info = qosinfo;
1867	return 1;
1868#undef MS
1869}
1870
1871static int
1872ieee80211_parse_athparams(struct ieee80211_node *ni, uint8_t *frm,
1873	const struct ieee80211_frame *wh)
1874{
1875	struct ieee80211com *ic = ni->ni_ic;
1876	const struct ieee80211_ath_ie *ath;
1877	u_int len = frm[1];
1878	int capschanged;
1879	uint16_t defkeyix;
1880
1881	if (len < sizeof(struct ieee80211_ath_ie)-2) {
1882		IEEE80211_DISCARD_IE(ic,
1883		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_SUPERG,
1884		    wh, "Atheros", "too short, len %u", len);
1885		return -1;
1886	}
1887	ath = (const struct ieee80211_ath_ie *)frm;
1888	capschanged = (ni->ni_ath_flags != ath->ath_capability);
1889	defkeyix = LE_READ_2(ath->ath_defkeyix);
1890	if (capschanged || defkeyix != ni->ni_ath_defkeyix) {
1891		ni->ni_ath_flags = ath->ath_capability;
1892		ni->ni_ath_defkeyix = defkeyix;
1893		IEEE80211_DPRINTF(ic, IEEE80211_MSG_SUPERG,
1894		    "[%s] ath ie change: new caps 0x%x defkeyix 0x%x\n",
1895		    ether_sprintf(ni->ni_macaddr),
1896		    ni->ni_ath_flags, ni->ni_ath_defkeyix);
1897	}
1898	if (IEEE80211_ATH_CAP(ic, ni, ATHEROS_CAP_TURBO_PRIME)) {
1899		uint16_t curflags, newflags;
1900
1901		/*
1902		 * Check for turbo mode switch.  Calculate flags
1903		 * for the new mode and effect the switch.
1904		 */
1905		newflags = curflags = ic->ic_bsschan->ic_flags;
1906		/* NB: BOOST is not in ic_flags, so get it from the ie */
1907		if (ath->ath_capability & ATHEROS_CAP_BOOST)
1908			newflags |= IEEE80211_CHAN_TURBO;
1909		else
1910			newflags &= ~IEEE80211_CHAN_TURBO;
1911		if (newflags != curflags)
1912			ieee80211_dturbo_switch(ic, newflags);
1913	}
1914	return capschanged;
1915}
1916
1917void
1918ieee80211_saveath(struct ieee80211_node *ni, uint8_t *ie)
1919{
1920	const struct ieee80211_ath_ie *ath =
1921		(const struct ieee80211_ath_ie *) ie;
1922
1923	ni->ni_ath_flags = ath->ath_capability;
1924	ni->ni_ath_defkeyix = LE_READ_2(&ath->ath_defkeyix);
1925	ieee80211_saveie(&ni->ni_ath_ie, ie);
1926}
1927
1928void
1929ieee80211_saveie(uint8_t **iep, const uint8_t *ie)
1930{
1931	u_int ielen = ie[1]+2;
1932	/*
1933	 * Record information element for later use.
1934	 */
1935	if (*iep == NULL || (*iep)[1] != ie[1]) {
1936		if (*iep != NULL)
1937			FREE(*iep, M_80211_NODE);
1938		MALLOC(*iep, void*, ielen, M_80211_NODE, M_NOWAIT);
1939	}
1940	if (*iep != NULL)
1941		memcpy(*iep, ie, ielen);
1942	/* XXX note failure */
1943}
1944
1945/* XXX find a better place for definition */
1946struct l2_update_frame {
1947	struct ether_header eh;
1948	uint8_t dsap;
1949	uint8_t ssap;
1950	uint8_t control;
1951	uint8_t xid[3];
1952}  __packed;
1953
1954/*
1955 * Deliver a TGf L2UF frame on behalf of a station.
1956 * This primes any bridge when the station is roaming
1957 * between ap's on the same wired network.
1958 */
1959static void
1960ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1961{
1962	struct ieee80211com *ic = ni->ni_ic;
1963	struct ifnet *ifp = ic->ic_ifp;
1964	struct mbuf *m;
1965	struct l2_update_frame *l2uf;
1966	struct ether_header *eh;
1967
1968	m = m_gethdr(M_NOWAIT, MT_DATA);
1969	if (m == NULL) {
1970		IEEE80211_NOTE(ic, IEEE80211_MSG_ASSOC, ni,
1971		    "%s", "no mbuf for l2uf frame");
1972		ic->ic_stats.is_rx_nobuf++;	/* XXX not right */
1973		return;
1974	}
1975	l2uf = mtod(m, struct l2_update_frame *);
1976	eh = &l2uf->eh;
1977	/* dst: Broadcast address */
1978	IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
1979	/* src: associated STA */
1980	IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1981	eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1982
1983	l2uf->dsap = 0;
1984	l2uf->ssap = 0;
1985	l2uf->control = 0xf5;
1986	l2uf->xid[0] = 0x81;
1987	l2uf->xid[1] = 0x80;
1988	l2uf->xid[2] = 0x00;
1989
1990	m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1991	ieee80211_deliver_data(ic, ni, m);
1992}
1993
1994static __inline int
1995contbgscan(struct ieee80211com *ic)
1996{
1997	return ((ic->ic_flags_ext & IEEE80211_FEXT_BGSCAN) &&
1998	    time_after(ticks, ic->ic_lastdata + ic->ic_bgscanidle));
1999}
2000
2001static __inline int
2002startbgscan(struct ieee80211com *ic)
2003{
2004	return ((ic->ic_flags & IEEE80211_F_BGSCAN) &&
2005	    !IEEE80211_IS_CHAN_DTURBO(ic->ic_curchan) &&
2006	    time_after(ticks, ic->ic_lastscan + ic->ic_bgscanintvl) &&
2007	    time_after(ticks, ic->ic_lastdata + ic->ic_bgscanidle));
2008}
2009
2010static void
2011ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
2012	int reassoc, int resp, const char *tag, int rate)
2013{
2014	struct ieee80211com *ic = ni->ni_ic;
2015
2016	IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2017	    "[%s] deny %s request, %s rate set mismatch, rate 0x%x\n",
2018	    ether_sprintf(wh->i_addr2),
2019	    reassoc ? "reassoc" : "assoc", tag, rate);
2020	IEEE80211_SEND_MGMT(ic, ni, resp, IEEE80211_STATUS_BASIC_RATE);
2021	ieee80211_node_leave(ic, ni);
2022	ic->ic_stats.is_rx_assoc_norate++;
2023}
2024
2025static void
2026capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
2027	int reassoc, int resp, const char *tag, int capinfo)
2028{
2029	struct ieee80211com *ic = ni->ni_ic;
2030
2031	IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2032	    "[%s] deny %s request, %s mismatch 0x%x\n",
2033	    ether_sprintf(wh->i_addr2),
2034	    reassoc ? "reassoc" : "assoc", tag, capinfo);
2035	IEEE80211_SEND_MGMT(ic, ni, resp, IEEE80211_STATUS_CAPINFO);
2036	ieee80211_node_leave(ic, ni);
2037	ic->ic_stats.is_rx_assoc_capmismatch++;
2038}
2039
2040void
2041ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
2042	struct ieee80211_node *ni,
2043	int subtype, int rssi, int noise, uint32_t rstamp)
2044{
2045#define	ISPROBE(_st)	((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP)
2046#define	ISREASSOC(_st)	((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP)
2047	struct ieee80211_frame *wh;
2048	uint8_t *frm, *efrm;
2049	uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap;
2050	int reassoc, resp, allocbs;
2051	uint8_t rate;
2052
2053	wh = mtod(m0, struct ieee80211_frame *);
2054	frm = (uint8_t *)&wh[1];
2055	efrm = mtod(m0, uint8_t *) + m0->m_len;
2056	switch (subtype) {
2057	case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
2058	case IEEE80211_FC0_SUBTYPE_BEACON: {
2059		struct ieee80211_scanparams scan;
2060
2061		/*
2062		 * We process beacon/probe response frames:
2063		 *    o when scanning, or
2064		 *    o station mode when associated (to collect state
2065		 *      updates such as 802.11g slot time), or
2066		 *    o adhoc mode (to discover neighbors)
2067		 * Frames otherwise received are discarded.
2068		 */
2069		if (!((ic->ic_flags & IEEE80211_F_SCAN) ||
2070		      (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) ||
2071		       ic->ic_opmode == IEEE80211_M_IBSS)) {
2072			ic->ic_stats.is_rx_mgtdiscard++;
2073			return;
2074		}
2075		/*
2076		 * beacon/probe response frame format
2077		 *	[8] time stamp
2078		 *	[2] beacon interval
2079		 *	[2] capability information
2080		 *	[tlv] ssid
2081		 *	[tlv] supported rates
2082		 *	[tlv] country information
2083		 *	[tlv] parameter set (FH/DS)
2084		 *	[tlv] erp information
2085		 *	[tlv] extended supported rates
2086		 *	[tlv] WME
2087		 *	[tlv] WPA or RSN
2088		 *	[tlv] HT capabilities
2089		 *	[tlv] HT information
2090		 *	[tlv] Atheros capabilities
2091		 */
2092		IEEE80211_VERIFY_LENGTH(efrm - frm, 12, return);
2093		memset(&scan, 0, sizeof(scan));
2094		scan.tstamp  = frm;				frm += 8;
2095		scan.bintval = le16toh(*(uint16_t *)frm);	frm += 2;
2096		scan.capinfo = le16toh(*(uint16_t *)frm);	frm += 2;
2097		scan.bchan = IEEE80211_CHAN2IEEE(ic->ic_curchan);
2098		scan.curchan = ic->ic_curchan;
2099
2100		while (efrm - frm > 1) {
2101			IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
2102			switch (*frm) {
2103			case IEEE80211_ELEMID_SSID:
2104				scan.ssid = frm;
2105				break;
2106			case IEEE80211_ELEMID_RATES:
2107				scan.rates = frm;
2108				break;
2109			case IEEE80211_ELEMID_COUNTRY:
2110				scan.country = frm;
2111				break;
2112			case IEEE80211_ELEMID_FHPARMS:
2113				if (ic->ic_phytype == IEEE80211_T_FH) {
2114					scan.fhdwell = LE_READ_2(&frm[2]);
2115					scan.bchan = IEEE80211_FH_CHAN(frm[4], frm[5]);
2116					scan.fhindex = frm[6];
2117				}
2118				break;
2119			case IEEE80211_ELEMID_DSPARMS:
2120				/*
2121				 * XXX hack this since depending on phytype
2122				 * is problematic for multi-mode devices.
2123				 */
2124				if (ic->ic_phytype != IEEE80211_T_FH)
2125					scan.bchan = frm[2];
2126				break;
2127			case IEEE80211_ELEMID_TIM:
2128				/* XXX ATIM? */
2129				scan.tim = frm;
2130				scan.timoff = frm - mtod(m0, uint8_t *);
2131				break;
2132			case IEEE80211_ELEMID_IBSSPARMS:
2133				break;
2134			case IEEE80211_ELEMID_XRATES:
2135				scan.xrates = frm;
2136				break;
2137			case IEEE80211_ELEMID_ERP:
2138				if (frm[1] != 1) {
2139					IEEE80211_DISCARD_IE(ic,
2140					    IEEE80211_MSG_ELEMID, wh, "ERP",
2141					    "bad len %u", frm[1]);
2142					ic->ic_stats.is_rx_elem_toobig++;
2143					break;
2144				}
2145				scan.erp = frm[2];
2146				break;
2147			case IEEE80211_ELEMID_HTCAP:
2148				scan.htcap = frm;
2149				break;
2150			case IEEE80211_ELEMID_RSN:
2151				scan.rsn = frm;
2152				break;
2153			case IEEE80211_ELEMID_HTINFO:
2154				scan.htinfo = frm;
2155				break;
2156			case IEEE80211_ELEMID_VENDOR:
2157				if (iswpaoui(frm))
2158					scan.wpa = frm;
2159				else if (iswmeparam(frm) || iswmeinfo(frm))
2160					scan.wme = frm;
2161				else if (isatherosoui(frm))
2162					scan.ath = frm;
2163				else if (ic->ic_flags_ext & IEEE80211_FEXT_HTCOMPAT) {
2164					/*
2165					 * Accept pre-draft HT ie's if the
2166					 * standard ones have not been seen.
2167					 */
2168					if (ishtcapoui(frm)) {
2169						if (scan.htcap == NULL)
2170							scan.htcap = frm;
2171					} else if (ishtinfooui(frm)) {
2172						if (scan.htinfo == NULL)
2173							scan.htcap = frm;
2174					}
2175				}
2176				break;
2177			default:
2178				IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID,
2179				    wh, "unhandled",
2180				    "id %u, len %u", *frm, frm[1]);
2181				ic->ic_stats.is_rx_elem_unknown++;
2182				break;
2183			}
2184			frm += frm[1] + 2;
2185		}
2186		IEEE80211_VERIFY_ELEMENT(scan.rates, IEEE80211_RATE_MAXSIZE);
2187		if (scan.xrates != NULL)
2188			IEEE80211_VERIFY_ELEMENT(scan.xrates,
2189				IEEE80211_RATE_MAXSIZE - scan.rates[1]);
2190		IEEE80211_VERIFY_ELEMENT(scan.ssid, IEEE80211_NWID_LEN);
2191#if IEEE80211_CHAN_MAX < 255
2192		if (scan.chan > IEEE80211_CHAN_MAX) {
2193			IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID,
2194			    wh, ieee80211_mgt_subtype_name[subtype >>
2195				IEEE80211_FC0_SUBTYPE_SHIFT],
2196			    "invalid channel %u", scan.chan);
2197			ic->ic_stats.is_rx_badchan++;
2198			return;
2199		}
2200#endif
2201		if (IEEE80211_CHAN2IEEE(scan.curchan) != scan.bchan &&
2202		    ic->ic_phytype != IEEE80211_T_FH) {
2203			/*
2204			 * Frame was received on a channel different from the
2205			 * one indicated in the DS params element id;
2206			 * silently discard it.
2207			 *
2208			 * NB: this can happen due to signal leakage.
2209			 *     But we should take it for FH phy because
2210			 *     the rssi value should be correct even for
2211			 *     different hop pattern in FH.
2212			 */
2213			IEEE80211_DISCARD(ic,
2214			    IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT,
2215			    wh, ieee80211_mgt_subtype_name[subtype >>
2216				IEEE80211_FC0_SUBTYPE_SHIFT],
2217			    "for off-channel %u",
2218			    IEEE80211_CHAN2IEEE(scan.curchan));
2219			ic->ic_stats.is_rx_chanmismatch++;
2220			return;
2221		}
2222		if (!(IEEE80211_BINTVAL_MIN <= scan.bintval &&
2223		      scan.bintval <= IEEE80211_BINTVAL_MAX)) {
2224			IEEE80211_DISCARD(ic,
2225			    IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT,
2226			    wh, ieee80211_mgt_subtype_name[subtype >>
2227				IEEE80211_FC0_SUBTYPE_SHIFT],
2228			    "bogus beacon interval", scan.bintval);
2229			ic->ic_stats.is_rx_badbintval++;
2230			return;
2231		}
2232		/*
2233		 * Process HT ie's.  This is complicated by our
2234		 * accepting both the standard ie's and the pre-draft
2235		 * vendor OUI ie's that some vendors still use/require.
2236		 */
2237		if (scan.htcap != NULL) {
2238			IEEE80211_VERIFY_LENGTH(scan.htcap[1],
2239			     scan.htcap[0] == IEEE80211_ELEMID_VENDOR ?
2240			         4 + sizeof(struct ieee80211_ie_htcap)-2 :
2241			         sizeof(struct ieee80211_ie_htcap)-2,
2242			     scan.htcap = NULL);
2243		}
2244		if (scan.htinfo != NULL) {
2245			IEEE80211_VERIFY_LENGTH(scan.htinfo[1],
2246			     scan.htinfo[0] == IEEE80211_ELEMID_VENDOR ?
2247			         4 + sizeof(struct ieee80211_ie_htinfo)-2 :
2248			         sizeof(struct ieee80211_ie_htinfo)-2,
2249			     scan.htinfo = NULL);
2250		}
2251
2252		/*
2253		 * Count frame now that we know it's to be processed.
2254		 */
2255		if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
2256			ic->ic_stats.is_rx_beacon++;		/* XXX remove */
2257			IEEE80211_NODE_STAT(ni, rx_beacons);
2258		} else
2259			IEEE80211_NODE_STAT(ni, rx_proberesp);
2260
2261		/*
2262		 * When operating in station mode, check for state updates.
2263		 * Be careful to ignore beacons received while doing a
2264		 * background scan.  We consider only 11g/WMM stuff right now.
2265		 */
2266		if (ic->ic_opmode == IEEE80211_M_STA &&
2267		    ni->ni_associd != 0 &&
2268		    ((ic->ic_flags & IEEE80211_F_SCAN) == 0 ||
2269		     IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) {
2270			/* record tsf of last beacon */
2271			memcpy(ni->ni_tstamp.data, scan.tstamp,
2272				sizeof(ni->ni_tstamp));
2273			/* count beacon frame for s/w bmiss handling */
2274			ic->ic_swbmiss_count++;
2275			ic->ic_bmiss_count = 0;
2276			if (ni->ni_erp != scan.erp) {
2277				IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2278				    "[%s] erp change: was 0x%x, now 0x%x\n",
2279				    ether_sprintf(wh->i_addr2),
2280				    ni->ni_erp, scan.erp);
2281				if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
2282				    (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
2283					ic->ic_flags |= IEEE80211_F_USEPROT;
2284				else
2285					ic->ic_flags &= ~IEEE80211_F_USEPROT;
2286				ni->ni_erp = scan.erp;
2287				/* XXX statistic */
2288			}
2289			if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) {
2290				IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2291				    "[%s] capabilities change: before 0x%x,"
2292				     " now 0x%x\n",
2293				     ether_sprintf(wh->i_addr2),
2294				     ni->ni_capinfo, scan.capinfo);
2295				/*
2296				 * NB: we assume short preamble doesn't
2297				 *     change dynamically
2298				 */
2299				ieee80211_set_shortslottime(ic,
2300					IEEE80211_IS_CHAN_A(ic->ic_bsschan) ||
2301					(scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
2302				ni->ni_capinfo = (ni->ni_capinfo &~ IEEE80211_CAPINFO_SHORT_SLOTTIME)
2303					       | (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME);
2304				/* XXX statistic */
2305			}
2306			if (scan.wme != NULL &&
2307			    (ni->ni_flags & IEEE80211_NODE_QOS) &&
2308			    ieee80211_parse_wmeparams(ic, scan.wme, wh) > 0)
2309				ieee80211_wme_updateparams(ic);
2310			if (scan.ath != NULL)
2311				ieee80211_parse_athparams(ni, scan.ath, wh);
2312			if (scan.htcap != NULL)
2313				ieee80211_parse_htcap(ni, scan.htcap);
2314			if (scan.htinfo != NULL)
2315				ieee80211_parse_htinfo(ni, scan.htinfo);
2316			if (scan.tim != NULL) {
2317				struct ieee80211_tim_ie *tim =
2318				    (struct ieee80211_tim_ie *) scan.tim;
2319#if 0
2320				int aid = IEEE80211_AID(ni->ni_associd);
2321				int ix = aid / NBBY;
2322				int min = tim->tim_bitctl &~ 1;
2323				int max = tim->tim_len + min - 4;
2324				if ((tim->tim_bitctl&1) ||
2325				    (min <= ix && ix <= max &&
2326				     isset(tim->tim_bitmap - min, aid))) {
2327					/*
2328					 * XXX Do not let bg scan kick off
2329					 * we are expecting data.
2330					 */
2331					ic->ic_lastdata = ticks;
2332					ieee80211_sta_pwrsave(ic, 0);
2333				}
2334#endif
2335				ni->ni_dtim_count = tim->tim_count;
2336				ni->ni_dtim_period = tim->tim_period;
2337			}
2338			/*
2339			 * If scanning, pass the info to the scan module.
2340			 * Otherwise, check if it's the right time to do
2341			 * a background scan.  Background scanning must
2342			 * be enabled and we must not be operating in the
2343			 * turbo phase of dynamic turbo mode.  Then,
2344			 * it's been a while since the last background
2345			 * scan and if no data frames have come through
2346			 * recently, kick off a scan.  Note that this
2347			 * is the mechanism by which a background scan
2348			 * is started _and_ continued each time we
2349			 * return on-channel to receive a beacon from
2350			 * our ap.
2351			 */
2352			if (ic->ic_flags & IEEE80211_F_SCAN) {
2353				ieee80211_add_scan(ic, &scan, wh,
2354					subtype, rssi, noise, rstamp);
2355			} else if (contbgscan(ic)) {
2356				ieee80211_bg_scan(ic);
2357			} else if (startbgscan(ic)) {
2358#if 0
2359				/* wakeup if we are sleeing */
2360				ieee80211_set_pwrsave(ic, 0);
2361#endif
2362				ieee80211_bg_scan(ic);
2363			}
2364			return;
2365		}
2366		/*
2367		 * If scanning, just pass information to the scan module.
2368		 */
2369		if (ic->ic_flags & IEEE80211_F_SCAN) {
2370			if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) {
2371				/*
2372				 * Actively scanning a channel marked passive;
2373				 * send a probe request now that we know there
2374				 * is 802.11 traffic present.
2375				 *
2376				 * XXX check if the beacon we recv'd gives
2377				 * us what we need and suppress the probe req
2378				 */
2379				ieee80211_probe_curchan(ic, 1);
2380				ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
2381			}
2382			ieee80211_add_scan(ic, &scan, wh,
2383				subtype, rssi, noise, rstamp);
2384			return;
2385		}
2386		if (scan.capinfo & IEEE80211_CAPINFO_IBSS) {
2387			if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
2388				/*
2389				 * Create a new entry in the neighbor table.
2390				 */
2391				ni = ieee80211_add_neighbor(ic, wh, &scan);
2392			} else if (ni->ni_capinfo == 0) {
2393				/*
2394				 * Update faked node created on transmit.
2395				 * Note this also updates the tsf.
2396				 */
2397				ieee80211_init_neighbor(ni, wh, &scan);
2398			} else {
2399				/*
2400				 * Record tsf for potential resync.
2401				 */
2402				memcpy(ni->ni_tstamp.data, scan.tstamp,
2403					sizeof(ni->ni_tstamp));
2404			}
2405			if (ni != NULL) {
2406				ni->ni_rssi = rssi;
2407				ni->ni_noise = noise;
2408				ni->ni_rstamp = rstamp;
2409			}
2410		}
2411		break;
2412	}
2413
2414	case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
2415		if (ic->ic_opmode == IEEE80211_M_STA ||
2416		    ic->ic_state != IEEE80211_S_RUN) {
2417			ic->ic_stats.is_rx_mgtdiscard++;
2418			return;
2419		}
2420		if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
2421			/* frame must be directed */
2422			ic->ic_stats.is_rx_mgtdiscard++;	/* XXX stat */
2423			return;
2424		}
2425
2426		/*
2427		 * prreq frame format
2428		 *	[tlv] ssid
2429		 *	[tlv] supported rates
2430		 *	[tlv] extended supported rates
2431		 *	[tlv] Atheros capabilities
2432		 */
2433		ssid = rates = xrates = ath = NULL;
2434		while (efrm - frm > 1) {
2435			IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
2436			switch (*frm) {
2437			case IEEE80211_ELEMID_SSID:
2438				ssid = frm;
2439				break;
2440			case IEEE80211_ELEMID_RATES:
2441				rates = frm;
2442				break;
2443			case IEEE80211_ELEMID_XRATES:
2444				xrates = frm;
2445				break;
2446			case IEEE80211_ELEMID_VENDOR:
2447				if (isatherosoui(frm))
2448					ath = frm;
2449				break;
2450			}
2451			frm += frm[1] + 2;
2452		}
2453		IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
2454		if (xrates != NULL)
2455			IEEE80211_VERIFY_ELEMENT(xrates,
2456				IEEE80211_RATE_MAXSIZE - rates[1]);
2457		IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
2458		IEEE80211_VERIFY_SSID(ic->ic_bss, ssid);
2459		if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
2460			IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
2461			    wh, ieee80211_mgt_subtype_name[subtype >>
2462				IEEE80211_FC0_SUBTYPE_SHIFT],
2463			    "%s", "no ssid with ssid suppression enabled");
2464			ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/
2465			return;
2466		}
2467
2468		allocbs = 0;
2469		if (ni == ic->ic_bss) {
2470			if (ic->ic_opmode != IEEE80211_M_IBSS) {
2471				ni = ieee80211_tmp_node(ic, wh->i_addr2);
2472				allocbs = 1;
2473			} else if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
2474				/*
2475				 * XXX Cannot tell if the sender is operating
2476				 * in ibss mode.  But we need a new node to
2477				 * send the response so blindly add them to the
2478				 * neighbor table.
2479				 */
2480				ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta,
2481					wh->i_addr2);
2482			}
2483			if (ni == NULL)
2484				return;
2485		}
2486		IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2487		    "[%s] recv probe req\n", ether_sprintf(wh->i_addr2));
2488		ni->ni_rssi = rssi;
2489		ni->ni_rstamp = rstamp;
2490		rate = ieee80211_setup_rates(ni, rates, xrates,
2491			  IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE
2492			| IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2493		if (rate & IEEE80211_RATE_BASIC) {
2494			IEEE80211_DISCARD(ic, IEEE80211_MSG_XRATE,
2495			    wh, ieee80211_mgt_subtype_name[subtype >>
2496				IEEE80211_FC0_SUBTYPE_SHIFT],
2497			    "%s", "recv'd rate set invalid");
2498		} else {
2499			IEEE80211_SEND_MGMT(ic, ni,
2500				IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0);
2501		}
2502		if (allocbs) {
2503			/*
2504			 * Temporary node created just to send a
2505			 * response, reclaim immediately.
2506			 */
2507			ieee80211_free_node(ni);
2508		} else if (ath != NULL)
2509			ieee80211_saveath(ni, ath);
2510		break;
2511
2512	case IEEE80211_FC0_SUBTYPE_AUTH: {
2513		uint16_t algo, seq, status;
2514		/*
2515		 * auth frame format
2516		 *	[2] algorithm
2517		 *	[2] sequence
2518		 *	[2] status
2519		 *	[tlv*] challenge
2520		 */
2521		IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
2522		algo   = le16toh(*(uint16_t *)frm);
2523		seq    = le16toh(*(uint16_t *)(frm + 2));
2524		status = le16toh(*(uint16_t *)(frm + 4));
2525		IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH,
2526		    "[%s] recv auth frame with algorithm %d seq %d\n",
2527		    ether_sprintf(wh->i_addr2), algo, seq);
2528		/*
2529		 * Consult the ACL policy module if setup.
2530		 */
2531		if (ic->ic_acl != NULL &&
2532		    !ic->ic_acl->iac_check(ic, wh->i_addr2)) {
2533			IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL,
2534			    wh, "auth", "%s", "disallowed by ACL");
2535			ic->ic_stats.is_rx_acl++;
2536			if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2537				IEEE80211_SEND_MGMT(ic, ni,
2538				    IEEE80211_FC0_SUBTYPE_AUTH,
2539				    (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
2540			}
2541			return;
2542		}
2543		if (ic->ic_flags & IEEE80211_F_COUNTERM) {
2544			IEEE80211_DISCARD(ic,
2545			    IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
2546			    wh, "auth", "%s", "TKIP countermeasures enabled");
2547			ic->ic_stats.is_rx_auth_countermeasures++;
2548			if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2549				IEEE80211_SEND_MGMT(ic, ni,
2550					IEEE80211_FC0_SUBTYPE_AUTH,
2551					IEEE80211_REASON_MIC_FAILURE);
2552			}
2553			return;
2554		}
2555		if (algo == IEEE80211_AUTH_ALG_SHARED)
2556			ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi,
2557			    noise, rstamp, seq, status);
2558		else if (algo == IEEE80211_AUTH_ALG_OPEN)
2559			ieee80211_auth_open(ic, wh, ni, rssi, noise, rstamp,
2560			    seq, status);
2561		else {
2562			IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
2563			    wh, "auth", "unsupported alg %d", algo);
2564			ic->ic_stats.is_rx_auth_unsupported++;
2565			if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2566				/* XXX not right */
2567				IEEE80211_SEND_MGMT(ic, ni,
2568					IEEE80211_FC0_SUBTYPE_AUTH,
2569					(seq+1) | (IEEE80211_STATUS_ALG<<16));
2570			}
2571			return;
2572		}
2573		break;
2574	}
2575
2576	case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
2577	case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
2578		uint16_t capinfo, lintval;
2579		struct ieee80211_rsnparms rsnparms;
2580		uint8_t reason;
2581		int badwparsn;
2582
2583		if (ic->ic_opmode != IEEE80211_M_HOSTAP ||
2584		    ic->ic_state != IEEE80211_S_RUN) {
2585			ic->ic_stats.is_rx_mgtdiscard++;
2586			return;
2587		}
2588
2589		if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
2590			reassoc = 1;
2591			resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
2592		} else {
2593			reassoc = 0;
2594			resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
2595		}
2596		/*
2597		 * asreq frame format
2598		 *	[2] capability information
2599		 *	[2] listen interval
2600		 *	[6*] current AP address (reassoc only)
2601		 *	[tlv] ssid
2602		 *	[tlv] supported rates
2603		 *	[tlv] extended supported rates
2604		 *	[tlv] WPA or RSN
2605		 *	[tlv] HT capabilities
2606		 *	[tlv] Atheros capabilities
2607		 */
2608		IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
2609		if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) {
2610			IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
2611			    wh, ieee80211_mgt_subtype_name[subtype >>
2612				IEEE80211_FC0_SUBTYPE_SHIFT],
2613			    "%s", "wrong bssid");
2614			ic->ic_stats.is_rx_assoc_bss++;
2615			return;
2616		}
2617		capinfo = le16toh(*(uint16_t *)frm);	frm += 2;
2618		lintval = le16toh(*(uint16_t *)frm);	frm += 2;
2619		if (reassoc)
2620			frm += 6;	/* ignore current AP info */
2621		ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
2622		while (efrm - frm > 1) {
2623			IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
2624			switch (*frm) {
2625			case IEEE80211_ELEMID_SSID:
2626				ssid = frm;
2627				break;
2628			case IEEE80211_ELEMID_RATES:
2629				rates = frm;
2630				break;
2631			case IEEE80211_ELEMID_XRATES:
2632				xrates = frm;
2633				break;
2634			/* XXX verify only one of RSN and WPA ie's? */
2635			case IEEE80211_ELEMID_RSN:
2636				rsn = frm;
2637				break;
2638			case IEEE80211_ELEMID_HTCAP:
2639				htcap = frm;
2640				break;
2641			case IEEE80211_ELEMID_VENDOR:
2642				if (iswpaoui(frm))
2643					wpa = frm;
2644				else if (iswmeinfo(frm))
2645					wme = frm;
2646				else if (isatherosoui(frm))
2647					ath = frm;
2648				else if (ic->ic_flags_ext & IEEE80211_FEXT_HTCOMPAT) {
2649					if (ishtcapoui(frm) && htcap == NULL)
2650						htcap = frm;
2651				}
2652				break;
2653			}
2654			frm += frm[1] + 2;
2655		}
2656		IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
2657		if (xrates != NULL)
2658			IEEE80211_VERIFY_ELEMENT(xrates,
2659				IEEE80211_RATE_MAXSIZE - rates[1]);
2660		IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
2661		IEEE80211_VERIFY_SSID(ic->ic_bss, ssid);
2662		if (htcap != NULL) {
2663			IEEE80211_VERIFY_LENGTH(htcap[1],
2664			     htcap[0] == IEEE80211_ELEMID_VENDOR ?
2665			         4 + sizeof(struct ieee80211_ie_htcap)-2 :
2666			         sizeof(struct ieee80211_ie_htcap)-2,
2667			     return);		/* XXX just NULL out? */
2668		}
2669
2670		if (ni == ic->ic_bss) {
2671			IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2672			    "[%s] deny %s request, sta not authenticated\n",
2673			    ether_sprintf(wh->i_addr2),
2674			    reassoc ? "reassoc" : "assoc");
2675			ieee80211_send_error(ic, ni, wh->i_addr2,
2676			    IEEE80211_FC0_SUBTYPE_DEAUTH,
2677			    IEEE80211_REASON_ASSOC_NOT_AUTHED);
2678			ic->ic_stats.is_rx_assoc_notauth++;
2679			return;
2680		}
2681		/* assert right association security credentials */
2682		badwparsn = 0;
2683		switch (ic->ic_flags & IEEE80211_F_WPA) {
2684		case IEEE80211_F_WPA1:
2685			if (wpa == NULL)
2686				badwparsn = 1;
2687			break;
2688		case IEEE80211_F_WPA2:
2689			if (rsn == NULL)
2690				badwparsn = 1;
2691			break;
2692		case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
2693			if (wpa == NULL && rsn == NULL)
2694				badwparsn = 1;
2695			break;
2696		}
2697		if (badwparsn) {
2698			IEEE80211_DPRINTF(ic,
2699			    IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
2700			    "[%s] no WPA/RSN IE in association request\n",
2701			    ether_sprintf(wh->i_addr2));
2702			IEEE80211_SEND_MGMT(ic, ni,
2703			    IEEE80211_FC0_SUBTYPE_DEAUTH,
2704			    IEEE80211_REASON_IE_INVALID);
2705			ieee80211_node_leave(ic, ni);
2706			ic->ic_stats.is_rx_assoc_badwpaie++;
2707			return;
2708		}
2709		if (wpa != NULL || rsn != NULL) {
2710			/*
2711			 * Parse WPA/RSN information element.  Note that
2712			 * we initialize the param block from the node
2713			 * state so that information in the IE overrides
2714			 * our defaults.  The resulting parameters are
2715			 * installed below after the association is assured.
2716			 */
2717			rsnparms = ni->ni_rsn;
2718			if (wpa != NULL)
2719				reason = ieee80211_parse_wpa(ic, wpa, &rsnparms, wh);
2720			else
2721				reason = ieee80211_parse_rsn(ic, rsn, &rsnparms, wh);
2722			if (reason != 0) {
2723				IEEE80211_SEND_MGMT(ic, ni,
2724				    IEEE80211_FC0_SUBTYPE_DEAUTH, reason);
2725				ieee80211_node_leave(ic, ni);
2726				/* XXX distinguish WPA/RSN? */
2727				ic->ic_stats.is_rx_assoc_badwpaie++;
2728				return;
2729			}
2730			IEEE80211_DPRINTF(ic,
2731			    IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
2732			    "[%s] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n",
2733			    ether_sprintf(wh->i_addr2),
2734			    wpa != NULL ? "WPA" : "RSN",
2735			    rsnparms.rsn_mcastcipher, rsnparms.rsn_mcastkeylen,
2736			    rsnparms.rsn_ucastcipher, rsnparms.rsn_ucastkeylen,
2737			    rsnparms.rsn_keymgmt, rsnparms.rsn_caps);
2738		}
2739		/* discard challenge after association */
2740		if (ni->ni_challenge != NULL) {
2741			FREE(ni->ni_challenge, M_80211_NODE);
2742			ni->ni_challenge = NULL;
2743		}
2744		/* NB: 802.11 spec says to ignore station's privacy bit */
2745		if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2746			capinfomismatch(ni, wh, reassoc, resp,
2747			    "capability", capinfo);
2748			return;
2749		}
2750		/*
2751		 * Disallow re-associate w/ invalid slot time setting.
2752		 */
2753		if (ni->ni_associd != 0 &&
2754		    IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
2755		    ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
2756			capinfomismatch(ni, wh, reassoc, resp,
2757			    "slot time", capinfo);
2758			return;
2759		}
2760		rate = ieee80211_setup_rates(ni, rates, xrates,
2761				IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2762				IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2763		if (rate & IEEE80211_RATE_BASIC) {
2764			ratesetmismatch(ni, wh, reassoc, resp, "basic", rate);
2765			return;
2766		}
2767		/*
2768		 * If constrained to 11g-only stations reject an
2769		 * 11b-only station.  We cheat a bit here by looking
2770		 * at the max negotiated xmit rate and assuming anyone
2771		 * with a best rate <24Mb/s is an 11b station.
2772		 */
2773		if ((ic->ic_flags & IEEE80211_F_PUREG) && rate < 48) {
2774			ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2775			return;
2776		}
2777		/* XXX enforce PUREN */
2778		/* 802.11n-specific rateset handling */
2779		if (IEEE80211_IS_CHAN_HT(ic->ic_curchan) && htcap != NULL) {
2780			rate = ieee80211_setup_htrates(ni, htcap,
2781				IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO |
2782				IEEE80211_F_DOBRS);
2783			if (rate & IEEE80211_RATE_BASIC) {
2784				/* XXX 11n-specific stat */
2785				ratesetmismatch(ni, wh, reassoc, resp,
2786				    "HT", rate);
2787				return;
2788			}
2789			ieee80211_ht_node_init(ni, htcap);
2790		} else if (ni->ni_flags & IEEE80211_NODE_HT)
2791			ieee80211_ht_node_cleanup(ni);
2792		ni->ni_rssi = rssi;
2793		ni->ni_noise = noise;
2794		ni->ni_rstamp = rstamp;
2795		ni->ni_intval = lintval;
2796		ni->ni_capinfo = capinfo;
2797		ni->ni_chan = ic->ic_bsschan;
2798		ni->ni_fhdwell = ic->ic_bss->ni_fhdwell;
2799		ni->ni_fhindex = ic->ic_bss->ni_fhindex;
2800		if (wpa != NULL) {
2801			/*
2802			 * Record WPA parameters for station, mark
2803			 * node as using WPA and record information element
2804			 * for applications that require it.
2805			 */
2806			ni->ni_rsn = rsnparms;
2807			ieee80211_saveie(&ni->ni_wpa_ie, wpa);
2808		} else if (ni->ni_wpa_ie != NULL) {
2809			/*
2810			 * Flush any state from a previous association.
2811			 */
2812			FREE(ni->ni_wpa_ie, M_80211_NODE);
2813			ni->ni_wpa_ie = NULL;
2814		}
2815		if (rsn != NULL) {
2816			/*
2817			 * Record RSN parameters for station, mark
2818			 * node as using WPA and record information element
2819			 * for applications that require it.
2820			 */
2821			ni->ni_rsn = rsnparms;
2822			ieee80211_saveie(&ni->ni_rsn_ie, rsn);
2823		} else if (ni->ni_rsn_ie != NULL) {
2824			/*
2825			 * Flush any state from a previous association.
2826			 */
2827			FREE(ni->ni_rsn_ie, M_80211_NODE);
2828			ni->ni_rsn_ie = NULL;
2829		}
2830		if (wme != NULL) {
2831			/*
2832			 * Record WME parameters for station, mark node
2833			 * as capable of QoS and record information
2834			 * element for applications that require it.
2835			 */
2836			ieee80211_saveie(&ni->ni_wme_ie, wme);
2837			ni->ni_flags |= IEEE80211_NODE_QOS;
2838		} else if (ni->ni_wme_ie != NULL) {
2839			/*
2840			 * Flush any state from a previous association.
2841			 */
2842			FREE(ni->ni_wme_ie, M_80211_NODE);
2843			ni->ni_wme_ie = NULL;
2844			ni->ni_flags &= ~IEEE80211_NODE_QOS;
2845		}
2846		if (ath != NULL) {
2847			/*
2848			 * Record ATH parameters for station, mark
2849			 * node with appropriate capabilities, and
2850			 * record the information element for
2851			 * applications that require it.
2852			 */
2853			ieee80211_saveath(ni, ath);
2854		} else if (ni->ni_ath_ie != NULL) {
2855			/*
2856			 * Flush any state from a previous association.
2857			 */
2858			FREE(ni->ni_ath_ie, M_80211_NODE);
2859			ni->ni_ath_ie = NULL;
2860			ni->ni_ath_flags = 0;
2861		}
2862		ieee80211_node_join(ic, ni, resp);
2863		ieee80211_deliver_l2uf(ni);
2864		break;
2865	}
2866
2867	case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2868	case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: {
2869		uint16_t capinfo, associd;
2870		uint16_t status;
2871
2872		if (ic->ic_opmode != IEEE80211_M_STA ||
2873		    ic->ic_state != IEEE80211_S_ASSOC) {
2874			ic->ic_stats.is_rx_mgtdiscard++;
2875			return;
2876		}
2877
2878		/*
2879		 * asresp frame format
2880		 *	[2] capability information
2881		 *	[2] status
2882		 *	[2] association ID
2883		 *	[tlv] supported rates
2884		 *	[tlv] extended supported rates
2885		 *	[tlv] WME
2886		 *	[tlv] HT capabilities
2887		 */
2888		IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
2889		ni = ic->ic_bss;
2890		capinfo = le16toh(*(uint16_t *)frm);
2891		frm += 2;
2892		status = le16toh(*(uint16_t *)frm);
2893		frm += 2;
2894		if (status != 0) {
2895			IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2896			    "[%s] %sassoc failed (reason %d)\n",
2897			    ether_sprintf(wh->i_addr2),
2898			    ISREASSOC(subtype) ?  "re" : "", status);
2899			if (ni != ic->ic_bss)	/* XXX never true? */
2900				ni->ni_fails++;
2901			ic->ic_stats.is_rx_auth_fail++;	/* XXX */
2902			return;
2903		}
2904		associd = le16toh(*(uint16_t *)frm);
2905		frm += 2;
2906
2907		rates = xrates = wme = htcap = NULL;
2908		while (efrm - frm > 1) {
2909			IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
2910			switch (*frm) {
2911			case IEEE80211_ELEMID_RATES:
2912				rates = frm;
2913				break;
2914			case IEEE80211_ELEMID_XRATES:
2915				xrates = frm;
2916				break;
2917			case IEEE80211_ELEMID_HTCAP:
2918				htcap = frm;
2919				break;
2920			case IEEE80211_ELEMID_VENDOR:
2921				if (iswmeoui(frm))
2922					wme = frm;
2923				/* XXX Atheros OUI support */
2924				break;
2925			}
2926			frm += frm[1] + 2;
2927		}
2928
2929		IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
2930		if (xrates != NULL)
2931			IEEE80211_VERIFY_ELEMENT(xrates,
2932				IEEE80211_RATE_MAXSIZE - rates[1]);
2933		rate = ieee80211_setup_rates(ni, rates, xrates,
2934				IEEE80211_F_JOIN |
2935				IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2936				IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2937		if (rate & IEEE80211_RATE_BASIC) {
2938			IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2939			    "[%s] %sassoc failed (rate set mismatch)\n",
2940			    ether_sprintf(wh->i_addr2),
2941			    ISREASSOC(subtype) ?  "re" : "");
2942			if (ni != ic->ic_bss)	/* XXX never true? */
2943				ni->ni_fails++;
2944			ic->ic_stats.is_rx_assoc_norate++;
2945			ieee80211_new_state(ic, IEEE80211_S_SCAN,
2946			    IEEE80211_SCAN_FAIL_STATUS);
2947			return;
2948		}
2949
2950		ni->ni_capinfo = capinfo;
2951		ni->ni_associd = associd;
2952		if (wme != NULL &&
2953		    ieee80211_parse_wmeparams(ic, wme, wh) >= 0) {
2954			ni->ni_flags |= IEEE80211_NODE_QOS;
2955			ieee80211_wme_updateparams(ic);
2956		} else
2957			ni->ni_flags &= ~IEEE80211_NODE_QOS;
2958		/*
2959		 * Configure state now that we are associated.
2960		 *
2961		 * XXX may need different/additional driver callbacks?
2962		 */
2963		if (IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
2964		    (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) {
2965			ic->ic_flags |= IEEE80211_F_SHPREAMBLE;
2966			ic->ic_flags &= ~IEEE80211_F_USEBARKER;
2967		} else {
2968			ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE;
2969			ic->ic_flags |= IEEE80211_F_USEBARKER;
2970		}
2971		ieee80211_set_shortslottime(ic,
2972			IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
2973			(ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
2974		/*
2975		 * Honor ERP protection.
2976		 *
2977		 * NB: ni_erp should zero for non-11g operation.
2978		 */
2979		if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
2980		    (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
2981			ic->ic_flags |= IEEE80211_F_USEPROT;
2982		else
2983			ic->ic_flags &= ~IEEE80211_F_USEPROT;
2984		IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2985		    "[%s] %sassoc success: %s preamble, %s slot time%s%s%s%s\n",
2986		    ether_sprintf(wh->i_addr2),
2987		    ISREASSOC(subtype) ? "re" : "",
2988		    ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long",
2989		    ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long",
2990		    ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "",
2991		    ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "",
2992		    IEEE80211_ATH_CAP(ic, ni, IEEE80211_NODE_FF) ?
2993			", fast-frames" : "",
2994		    IEEE80211_ATH_CAP(ic, ni, IEEE80211_NODE_TURBOP) ?
2995			", turbo" : ""
2996		);
2997		ieee80211_new_state(ic, IEEE80211_S_RUN, subtype);
2998		break;
2999	}
3000
3001	case IEEE80211_FC0_SUBTYPE_DEAUTH: {
3002		uint16_t reason;
3003
3004		if (ic->ic_state == IEEE80211_S_SCAN) {
3005			ic->ic_stats.is_rx_mgtdiscard++;
3006			return;
3007		}
3008		/*
3009		 * deauth frame format
3010		 *	[2] reason
3011		 */
3012		IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
3013		reason = le16toh(*(uint16_t *)frm);
3014		ic->ic_stats.is_rx_deauth++;
3015		IEEE80211_NODE_STAT(ni, rx_deauth);
3016
3017		if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) {
3018			/* NB: can happen when in promiscuous mode */
3019			ic->ic_stats.is_rx_mgtdiscard++;
3020			break;
3021		}
3022		IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH,
3023		    "[%s] recv deauthenticate (reason %d)\n",
3024		    ether_sprintf(ni->ni_macaddr), reason);
3025		switch (ic->ic_opmode) {
3026		case IEEE80211_M_STA:
3027			ieee80211_new_state(ic, IEEE80211_S_AUTH,
3028			    (reason << 8) | IEEE80211_FC0_SUBTYPE_DEAUTH);
3029			break;
3030		case IEEE80211_M_HOSTAP:
3031			if (ni != ic->ic_bss)
3032				ieee80211_node_leave(ic, ni);
3033			break;
3034		default:
3035			ic->ic_stats.is_rx_mgtdiscard++;
3036			break;
3037		}
3038		break;
3039	}
3040
3041	case IEEE80211_FC0_SUBTYPE_DISASSOC: {
3042		uint16_t reason;
3043
3044		if (ic->ic_state != IEEE80211_S_RUN &&
3045		    ic->ic_state != IEEE80211_S_ASSOC &&
3046		    ic->ic_state != IEEE80211_S_AUTH) {
3047			ic->ic_stats.is_rx_mgtdiscard++;
3048			return;
3049		}
3050		/*
3051		 * disassoc frame format
3052		 *	[2] reason
3053		 */
3054		IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
3055		reason = le16toh(*(uint16_t *)frm);
3056		ic->ic_stats.is_rx_disassoc++;
3057		IEEE80211_NODE_STAT(ni, rx_disassoc);
3058
3059		if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) {
3060			/* NB: can happen when in promiscuous mode */
3061			ic->ic_stats.is_rx_mgtdiscard++;
3062			break;
3063		}
3064		IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
3065		    "[%s] recv disassociate (reason %d)\n",
3066		    ether_sprintf(ni->ni_macaddr), reason);
3067		switch (ic->ic_opmode) {
3068		case IEEE80211_M_STA:
3069			ieee80211_new_state(ic, IEEE80211_S_ASSOC, 0);
3070			break;
3071		case IEEE80211_M_HOSTAP:
3072			if (ni != ic->ic_bss)
3073				ieee80211_node_leave(ic, ni);
3074			break;
3075		default:
3076			ic->ic_stats.is_rx_mgtdiscard++;
3077			break;
3078		}
3079		break;
3080	}
3081
3082	case IEEE80211_FC0_SUBTYPE_ACTION: {
3083		const struct ieee80211_action *ia;
3084
3085		if (ic->ic_state != IEEE80211_S_RUN &&
3086		    ic->ic_state != IEEE80211_S_ASSOC &&
3087		    ic->ic_state != IEEE80211_S_AUTH) {
3088			ic->ic_stats.is_rx_mgtdiscard++;
3089			return;
3090		}
3091		/*
3092		 * action frame format:
3093		 *	[1] category
3094		 *	[1] action
3095		 *	[tlv] parameters
3096		 */
3097		IEEE80211_VERIFY_LENGTH(efrm - frm,
3098			sizeof(struct ieee80211_action), return);
3099		ia = (const struct ieee80211_action *) frm;
3100
3101		ic->ic_stats.is_rx_action++;
3102		IEEE80211_NODE_STAT(ni, rx_action);
3103
3104		/* verify frame payloads but defer processing */
3105		/* XXX maybe push this to method */
3106		switch (ia->ia_category) {
3107		case IEEE80211_ACTION_CAT_BA:
3108			switch (ia->ia_action) {
3109			case IEEE80211_ACTION_BA_ADDBA_REQUEST:
3110				IEEE80211_VERIFY_LENGTH(efrm - frm,
3111				    sizeof(struct ieee80211_action_ba_addbarequest),
3112				    return);
3113				break;
3114			case IEEE80211_ACTION_BA_ADDBA_RESPONSE:
3115				IEEE80211_VERIFY_LENGTH(efrm - frm,
3116				    sizeof(struct ieee80211_action_ba_addbaresponse),
3117				    return);
3118				break;
3119			case IEEE80211_ACTION_BA_DELBA:
3120				IEEE80211_VERIFY_LENGTH(efrm - frm,
3121				    sizeof(struct ieee80211_action_ba_delba),
3122				    return);
3123				break;
3124			}
3125			break;
3126		case IEEE80211_ACTION_CAT_HT:
3127			switch (ia->ia_action) {
3128			case IEEE80211_ACTION_HT_TXCHWIDTH:
3129				IEEE80211_VERIFY_LENGTH(efrm - frm,
3130				    sizeof(struct ieee80211_action_ht_txchwidth),
3131				    return);
3132				break;
3133			}
3134			break;
3135		}
3136		ic->ic_recv_action(ni, frm, efrm);
3137		break;
3138	}
3139
3140	default:
3141		IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
3142		     wh, "mgt", "subtype 0x%x not handled", subtype);
3143		ic->ic_stats.is_rx_badsubtype++;
3144		break;
3145	}
3146#undef ISREASSOC
3147#undef ISPROBE
3148}
3149#undef IEEE80211_VERIFY_LENGTH
3150#undef IEEE80211_VERIFY_ELEMENT
3151
3152/*
3153 * Process a received ps-poll frame.
3154 */
3155static void
3156ieee80211_recv_pspoll(struct ieee80211com *ic,
3157	struct ieee80211_node *ni, struct mbuf *m0)
3158{
3159	struct ieee80211_frame_min *wh;
3160	struct mbuf *m;
3161	uint16_t aid;
3162	int qlen;
3163
3164	wh = mtod(m0, struct ieee80211_frame_min *);
3165	if (ni->ni_associd == 0) {
3166		IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
3167		    (struct ieee80211_frame *) wh, "ps-poll",
3168		    "%s", "unassociated station");
3169		ic->ic_stats.is_ps_unassoc++;
3170		IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
3171			IEEE80211_REASON_NOT_ASSOCED);
3172		return;
3173	}
3174
3175	aid = le16toh(*(uint16_t *)wh->i_dur);
3176	if (aid != ni->ni_associd) {
3177		IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
3178		    (struct ieee80211_frame *) wh, "ps-poll",
3179		    "aid mismatch: sta aid 0x%x poll aid 0x%x",
3180		    ni->ni_associd, aid);
3181		ic->ic_stats.is_ps_badaid++;
3182		IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
3183			IEEE80211_REASON_NOT_ASSOCED);
3184		return;
3185	}
3186
3187	/* Okay, take the first queued packet and put it out... */
3188	IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen);
3189	if (m == NULL) {
3190		IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
3191		    "[%s] recv ps-poll, but queue empty\n",
3192		    ether_sprintf(wh->i_addr2));
3193		ieee80211_send_nulldata(ieee80211_ref_node(ni));
3194		ic->ic_stats.is_ps_qempty++;	/* XXX node stat */
3195		if (ic->ic_set_tim != NULL)
3196			ic->ic_set_tim(ni, 0);	/* just in case */
3197		return;
3198	}
3199	/*
3200	 * If there are more packets, set the more packets bit
3201	 * in the packet dispatched to the station; otherwise
3202	 * turn off the TIM bit.
3203	 */
3204	if (qlen != 0) {
3205		IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
3206		    "[%s] recv ps-poll, send packet, %u still queued\n",
3207		    ether_sprintf(ni->ni_macaddr), qlen);
3208		m->m_flags |= M_MORE_DATA;
3209	} else {
3210		IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
3211		    "[%s] recv ps-poll, send packet, queue empty\n",
3212		    ether_sprintf(ni->ni_macaddr));
3213		if (ic->ic_set_tim != NULL)
3214			ic->ic_set_tim(ni, 0);
3215	}
3216	m->m_flags |= M_PWR_SAV;		/* bypass PS handling */
3217	IF_ENQUEUE(&ic->ic_ifp->if_snd, m);
3218}
3219
3220#ifdef IEEE80211_DEBUG
3221/*
3222 * Debugging support.
3223 */
3224
3225/*
3226 * Return the bssid of a frame.
3227 */
3228static const uint8_t *
3229ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh)
3230{
3231	if (ic->ic_opmode == IEEE80211_M_STA)
3232		return wh->i_addr2;
3233	if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS)
3234		return wh->i_addr1;
3235	if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL)
3236		return wh->i_addr1;
3237	return wh->i_addr3;
3238}
3239
3240void
3241ieee80211_note(struct ieee80211com *ic, const char *fmt, ...)
3242{
3243	char buf[128];		/* XXX */
3244	va_list ap;
3245
3246	va_start(ap, fmt);
3247	vsnprintf(buf, sizeof(buf), fmt, ap);
3248	va_end(ap);
3249
3250	if_printf(ic->ic_ifp, "%s", buf);	/* NB: no \n */
3251}
3252
3253void
3254ieee80211_note_frame(struct ieee80211com *ic,
3255	const struct ieee80211_frame *wh,
3256	const char *fmt, ...)
3257{
3258	char buf[128];		/* XXX */
3259	va_list ap;
3260
3261	va_start(ap, fmt);
3262	vsnprintf(buf, sizeof(buf), fmt, ap);
3263	va_end(ap);
3264	if_printf(ic->ic_ifp, "[%s] %s\n",
3265		ether_sprintf(ieee80211_getbssid(ic, wh)), buf);
3266}
3267
3268void
3269ieee80211_note_mac(struct ieee80211com *ic,
3270	const uint8_t mac[IEEE80211_ADDR_LEN],
3271	const char *fmt, ...)
3272{
3273	char buf[128];		/* XXX */
3274	va_list ap;
3275
3276	va_start(ap, fmt);
3277	vsnprintf(buf, sizeof(buf), fmt, ap);
3278	va_end(ap);
3279	if_printf(ic->ic_ifp, "[%s] %s\n", ether_sprintf(mac), buf);
3280}
3281
3282void
3283ieee80211_discard_frame(struct ieee80211com *ic,
3284	const struct ieee80211_frame *wh,
3285	const char *type, const char *fmt, ...)
3286{
3287	va_list ap;
3288
3289	printf("[%s:%s] discard ", ic->ic_ifp->if_xname,
3290		ether_sprintf(ieee80211_getbssid(ic, wh)));
3291	if (type != NULL)
3292		printf("%s frame, ", type);
3293	else
3294		printf("frame, ");
3295	va_start(ap, fmt);
3296	vprintf(fmt, ap);
3297	va_end(ap);
3298	printf("\n");
3299}
3300
3301void
3302ieee80211_discard_ie(struct ieee80211com *ic,
3303	const struct ieee80211_frame *wh,
3304	const char *type, const char *fmt, ...)
3305{
3306	va_list ap;
3307
3308	printf("[%s:%s] discard ", ic->ic_ifp->if_xname,
3309		ether_sprintf(ieee80211_getbssid(ic, wh)));
3310	if (type != NULL)
3311		printf("%s information element, ", type);
3312	else
3313		printf("information element, ");
3314	va_start(ap, fmt);
3315	vprintf(fmt, ap);
3316	va_end(ap);
3317	printf("\n");
3318}
3319
3320void
3321ieee80211_discard_mac(struct ieee80211com *ic,
3322	const uint8_t mac[IEEE80211_ADDR_LEN],
3323	const char *type, const char *fmt, ...)
3324{
3325	va_list ap;
3326
3327	printf("[%s:%s] discard ", ic->ic_ifp->if_xname, ether_sprintf(mac));
3328	if (type != NULL)
3329		printf("%s frame, ", type);
3330	else
3331		printf("frame, ");
3332	va_start(ap, fmt);
3333	vprintf(fmt, ap);
3334	va_end(ap);
3335	printf("\n");
3336}
3337#endif /* IEEE80211_DEBUG */
3338