1/*- 2 * Copyright (c) 2007-2009 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26#include <sys/cdefs.h> 27#ifdef __FreeBSD__ 28__FBSDID("$FreeBSD: stable/11/sys/net80211/ieee80211_adhoc.c 344969 2019-03-09 12:54:10Z avos $"); 29#endif 30 31/* 32 * IEEE 802.11 IBSS mode support. 33 */ 34#include "opt_inet.h" 35#include "opt_wlan.h" 36 37#include <sys/param.h> 38#include <sys/systm.h> 39#include <sys/mbuf.h> 40#include <sys/malloc.h> 41#include <sys/kernel.h> 42 43#include <sys/socket.h> 44#include <sys/sockio.h> 45#include <sys/endian.h> 46#include <sys/errno.h> 47#include <sys/proc.h> 48#include <sys/sysctl.h> 49 50#include <net/if.h> 51#include <net/if_var.h> 52#include <net/if_media.h> 53#include <net/if_llc.h> 54#include <net/ethernet.h> 55 56#include <net/bpf.h> 57 58#include <net80211/ieee80211_var.h> 59#include <net80211/ieee80211_adhoc.h> 60#include <net80211/ieee80211_input.h> 61#ifdef IEEE80211_SUPPORT_SUPERG 62#include <net80211/ieee80211_superg.h> 63#endif 64#ifdef IEEE80211_SUPPORT_TDMA 65#include <net80211/ieee80211_tdma.h> 66#endif 67#include <net80211/ieee80211_sta.h> 68 69#define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 70 71static void adhoc_vattach(struct ieee80211vap *); 72static int adhoc_newstate(struct ieee80211vap *, enum ieee80211_state, int); 73static int adhoc_input(struct ieee80211_node *, struct mbuf *, 74 const struct ieee80211_rx_stats *, int, int); 75static void adhoc_recv_mgmt(struct ieee80211_node *, struct mbuf *, 76 int subtype, const struct ieee80211_rx_stats *, int, int); 77static void ahdemo_recv_mgmt(struct ieee80211_node *, struct mbuf *, 78 int subtype, const struct ieee80211_rx_stats *rxs, int, int); 79static void adhoc_recv_ctl(struct ieee80211_node *, struct mbuf *, int subtype); 80 81void 82ieee80211_adhoc_attach(struct ieee80211com *ic) 83{ 84 ic->ic_vattach[IEEE80211_M_IBSS] = adhoc_vattach; 85 ic->ic_vattach[IEEE80211_M_AHDEMO] = adhoc_vattach; 86} 87 88void 89ieee80211_adhoc_detach(struct ieee80211com *ic) 90{ 91} 92 93static void 94adhoc_vdetach(struct ieee80211vap *vap) 95{ 96} 97 98static void 99adhoc_vattach(struct ieee80211vap *vap) 100{ 101 vap->iv_newstate = adhoc_newstate; 102 vap->iv_input = adhoc_input; 103 if (vap->iv_opmode == IEEE80211_M_IBSS) 104 vap->iv_recv_mgmt = adhoc_recv_mgmt; 105 else 106 vap->iv_recv_mgmt = ahdemo_recv_mgmt; 107 vap->iv_recv_ctl = adhoc_recv_ctl; 108 vap->iv_opdetach = adhoc_vdetach; 109#ifdef IEEE80211_SUPPORT_TDMA 110 /* 111 * Throw control to tdma support. Note we do this 112 * after setting up our callbacks so it can piggyback 113 * on top of us. 114 */ 115 if (vap->iv_caps & IEEE80211_C_TDMA) 116 ieee80211_tdma_vattach(vap); 117#endif 118} 119 120static void 121sta_leave(void *arg, struct ieee80211_node *ni) 122{ 123 struct ieee80211vap *vap = arg; 124 125 if (ni->ni_vap == vap && ni != vap->iv_bss) 126 ieee80211_node_leave(ni); 127} 128 129/* 130 * IEEE80211_M_IBSS+IEEE80211_M_AHDEMO vap state machine handler. 131 */ 132static int 133adhoc_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 134{ 135 struct ieee80211com *ic = vap->iv_ic; 136 struct ieee80211_node *ni; 137 enum ieee80211_state ostate; 138 139 IEEE80211_LOCK_ASSERT(vap->iv_ic); 140 141 ostate = vap->iv_state; 142 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 143 __func__, ieee80211_state_name[ostate], 144 ieee80211_state_name[nstate], arg); 145 vap->iv_state = nstate; /* state transition */ 146 if (ostate != IEEE80211_S_SCAN) 147 ieee80211_cancel_scan(vap); /* background scan */ 148 ni = vap->iv_bss; /* NB: no reference held */ 149 switch (nstate) { 150 case IEEE80211_S_INIT: 151 switch (ostate) { 152 case IEEE80211_S_SCAN: 153 ieee80211_cancel_scan(vap); 154 break; 155 default: 156 break; 157 } 158 if (ostate != IEEE80211_S_INIT) { 159 /* NB: optimize INIT -> INIT case */ 160 ieee80211_reset_bss(vap); 161 } 162 break; 163 case IEEE80211_S_SCAN: 164 switch (ostate) { 165 case IEEE80211_S_RUN: /* beacon miss */ 166 /* purge station table; entries are stale */ 167 ieee80211_iterate_nodes(&ic->ic_sta, sta_leave, vap); 168 /* fall thru... */ 169 case IEEE80211_S_INIT: 170 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 171 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 172 /* 173 * Already have a channel; bypass the 174 * scan and startup immediately. 175 */ 176 ieee80211_create_ibss(vap, 177 ieee80211_ht_adjust_channel(ic, 178 vap->iv_des_chan, vap->iv_flags_ht)); 179 break; 180 } 181 /* 182 * Initiate a scan. We can come here as a result 183 * of an IEEE80211_IOC_SCAN_REQ too in which case 184 * the vap will be marked with IEEE80211_FEXT_SCANREQ 185 * and the scan request parameters will be present 186 * in iv_scanreq. Otherwise we do the default. 187 */ 188 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 189 ieee80211_check_scan(vap, 190 vap->iv_scanreq_flags, 191 vap->iv_scanreq_duration, 192 vap->iv_scanreq_mindwell, 193 vap->iv_scanreq_maxdwell, 194 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 195 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 196 } else 197 ieee80211_check_scan_current(vap); 198 break; 199 case IEEE80211_S_SCAN: 200 /* 201 * This can happen because of a change in state 202 * that requires a reset. Trigger a new scan 203 * unless we're in manual roaming mode in which 204 * case an application must issue an explicit request. 205 */ 206 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) 207 ieee80211_check_scan_current(vap); 208 break; 209 default: 210 goto invalid; 211 } 212 break; 213 case IEEE80211_S_RUN: 214 if (vap->iv_flags & IEEE80211_F_WPA) { 215 /* XXX validate prerequisites */ 216 } 217 switch (ostate) { 218 case IEEE80211_S_SCAN: 219#ifdef IEEE80211_DEBUG 220 if (ieee80211_msg_debug(vap)) { 221 ieee80211_note(vap, 222 "synchronized with %s ssid ", 223 ether_sprintf(ni->ni_bssid)); 224 ieee80211_print_essid(vap->iv_bss->ni_essid, 225 ni->ni_esslen); 226 /* XXX MCS/HT */ 227 printf(" channel %d start %uMb\n", 228 ieee80211_chan2ieee(ic, ic->ic_curchan), 229 IEEE80211_RATE2MBS(ni->ni_txrate)); 230 } 231#endif 232 break; 233 case IEEE80211_S_RUN: /* IBSS merge */ 234 break; 235 default: 236 goto invalid; 237 } 238 /* 239 * When 802.1x is not in use mark the port authorized 240 * at this point so traffic can flow. 241 */ 242 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 243 ieee80211_node_authorize(ni); 244 /* 245 * Fake association when joining an existing bss. 246 */ 247 if (!IEEE80211_ADDR_EQ(ni->ni_macaddr, vap->iv_myaddr) && 248 ic->ic_newassoc != NULL) 249 ic->ic_newassoc(ni, ostate != IEEE80211_S_RUN); 250 break; 251 case IEEE80211_S_SLEEP: 252 vap->iv_sta_ps(vap, 0); 253 break; 254 default: 255 invalid: 256 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, 257 "%s: unexpected state transition %s -> %s\n", __func__, 258 ieee80211_state_name[ostate], ieee80211_state_name[nstate]); 259 break; 260 } 261 return 0; 262} 263 264/* 265 * Decide if a received management frame should be 266 * printed when debugging is enabled. This filters some 267 * of the less interesting frames that come frequently 268 * (e.g. beacons). 269 */ 270static __inline int 271doprint(struct ieee80211vap *vap, int subtype) 272{ 273 switch (subtype) { 274 case IEEE80211_FC0_SUBTYPE_BEACON: 275 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 276 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 277 return 1; 278 } 279 return 1; 280} 281 282/* 283 * Process a received frame. The node associated with the sender 284 * should be supplied. If nothing was found in the node table then 285 * the caller is assumed to supply a reference to iv_bss instead. 286 * The RSSI and a timestamp are also supplied. The RSSI data is used 287 * during AP scanning to select a AP to associate with; it can have 288 * any units so long as values have consistent units and higher values 289 * mean ``better signal''. The receive timestamp is currently not used 290 * by the 802.11 layer. 291 */ 292static int 293adhoc_input(struct ieee80211_node *ni, struct mbuf *m, 294 const struct ieee80211_rx_stats *rxs, int rssi, int nf) 295{ 296 struct ieee80211vap *vap = ni->ni_vap; 297 struct ieee80211com *ic = ni->ni_ic; 298 struct ifnet *ifp = vap->iv_ifp; 299 struct ieee80211_frame *wh; 300 struct ieee80211_key *key; 301 struct ether_header *eh; 302 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */ 303 uint8_t dir, type, subtype, qos; 304 uint8_t *bssid; 305 306 if (m->m_flags & M_AMPDU_MPDU) { 307 /* 308 * Fastpath for A-MPDU reorder q resubmission. Frames 309 * w/ M_AMPDU_MPDU marked have already passed through 310 * here but were received out of order and been held on 311 * the reorder queue. When resubmitted they are marked 312 * with the M_AMPDU_MPDU flag and we can bypass most of 313 * the normal processing. 314 */ 315 wh = mtod(m, struct ieee80211_frame *); 316 type = IEEE80211_FC0_TYPE_DATA; 317 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 318 subtype = IEEE80211_FC0_SUBTYPE_QOS; 319 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 320 goto resubmit_ampdu; 321 } 322 323 KASSERT(ni != NULL, ("null node")); 324 ni->ni_inact = ni->ni_inact_reload; 325 326 type = -1; /* undefined */ 327 328 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 329 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 330 ni->ni_macaddr, NULL, 331 "too short (1): len %u", m->m_pkthdr.len); 332 vap->iv_stats.is_rx_tooshort++; 333 goto out; 334 } 335 /* 336 * Bit of a cheat here, we use a pointer for a 3-address 337 * frame format but don't reference fields past outside 338 * ieee80211_frame_min w/o first validating the data is 339 * present. 340 */ 341 wh = mtod(m, struct ieee80211_frame *); 342 343 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 344 IEEE80211_FC0_VERSION_0) { 345 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 346 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 347 wh->i_fc[0], wh->i_fc[1]); 348 vap->iv_stats.is_rx_badversion++; 349 goto err; 350 } 351 352 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 353 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 354 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 355 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 356 if (dir != IEEE80211_FC1_DIR_NODS) 357 bssid = wh->i_addr1; 358 else if (type == IEEE80211_FC0_TYPE_CTL) 359 bssid = wh->i_addr1; 360 else { 361 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 362 IEEE80211_DISCARD_MAC(vap, 363 IEEE80211_MSG_ANY, ni->ni_macaddr, 364 NULL, "too short (2): len %u", 365 m->m_pkthdr.len); 366 vap->iv_stats.is_rx_tooshort++; 367 goto out; 368 } 369 bssid = wh->i_addr3; 370 } 371 /* 372 * Validate the bssid. 373 */ 374 if (!(type == IEEE80211_FC0_TYPE_MGT && 375 (subtype == IEEE80211_FC0_SUBTYPE_BEACON || 376 subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP)) && 377 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 378 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 379 /* not interested in */ 380 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 381 bssid, NULL, "%s", "not to bss"); 382 vap->iv_stats.is_rx_wrongbss++; 383 goto out; 384 } 385 /* 386 * Data frame, cons up a node when it doesn't 387 * exist. This should probably done after an ACL check. 388 */ 389 if (type == IEEE80211_FC0_TYPE_DATA && 390 ni == vap->iv_bss && 391 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 392 /* 393 * Beware of frames that come in too early; we 394 * can receive broadcast frames and creating sta 395 * entries will blow up because there is no bss 396 * channel yet. 397 */ 398 if (vap->iv_state != IEEE80211_S_RUN) { 399 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 400 wh, "data", "not in RUN state (%s)", 401 ieee80211_state_name[vap->iv_state]); 402 vap->iv_stats.is_rx_badstate++; 403 goto err; 404 } 405 /* 406 * Fake up a node for this newly 407 * discovered member of the IBSS. 408 */ 409 ni = ieee80211_fakeup_adhoc_node(vap, wh->i_addr2); 410 if (ni == NULL) { 411 /* NB: stat kept for alloc failure */ 412 goto err; 413 } 414 } 415 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 416 ni->ni_noise = nf; 417 if (IEEE80211_HAS_SEQ(type, subtype) && 418 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 419 uint8_t tid = ieee80211_gettid(wh); 420 if (IEEE80211_QOS_HAS_SEQ(wh) && 421 TID_TO_WME_AC(tid) >= WME_AC_VI) 422 ic->ic_wme.wme_hipri_traffic++; 423 if (! ieee80211_check_rxseq(ni, wh, bssid)) 424 goto out; 425 } 426 } 427 428 switch (type) { 429 case IEEE80211_FC0_TYPE_DATA: 430 hdrspace = ieee80211_hdrspace(ic, wh); 431 if (m->m_len < hdrspace && 432 (m = m_pullup(m, hdrspace)) == NULL) { 433 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 434 ni->ni_macaddr, NULL, 435 "data too short: expecting %u", hdrspace); 436 vap->iv_stats.is_rx_tooshort++; 437 goto out; /* XXX */ 438 } 439 if (dir != IEEE80211_FC1_DIR_NODS) { 440 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 441 wh, "data", "incorrect dir 0x%x", dir); 442 vap->iv_stats.is_rx_wrongdir++; 443 goto out; 444 } 445 /* XXX no power-save support */ 446 447 /* 448 * Handle A-MPDU re-ordering. If the frame is to be 449 * processed directly then ieee80211_ampdu_reorder 450 * will return 0; otherwise it has consumed the mbuf 451 * and we should do nothing more with it. 452 */ 453 if ((m->m_flags & M_AMPDU) && 454 ieee80211_ampdu_reorder(ni, m) != 0) { 455 m = NULL; 456 goto out; 457 } 458 resubmit_ampdu: 459 460 /* 461 * Handle privacy requirements. Note that we 462 * must not be preempted from here until after 463 * we (potentially) call ieee80211_crypto_demic; 464 * otherwise we may violate assumptions in the 465 * crypto cipher modules used to do delayed update 466 * of replay sequence numbers. 467 */ 468 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { 469 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 470 /* 471 * Discard encrypted frames when privacy is off. 472 */ 473 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 474 wh, "WEP", "%s", "PRIVACY off"); 475 vap->iv_stats.is_rx_noprivacy++; 476 IEEE80211_NODE_STAT(ni, rx_noprivacy); 477 goto out; 478 } 479 key = ieee80211_crypto_decap(ni, m, hdrspace); 480 if (key == NULL) { 481 /* NB: stats+msgs handled in crypto_decap */ 482 IEEE80211_NODE_STAT(ni, rx_wepfail); 483 goto out; 484 } 485 wh = mtod(m, struct ieee80211_frame *); 486 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 487 } else { 488 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 489 key = NULL; 490 } 491 492 /* 493 * Save QoS bits for use below--before we strip the header. 494 */ 495 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) 496 qos = ieee80211_getqos(wh)[0]; 497 else 498 qos = 0; 499 500 /* 501 * Next up, any fragmentation. 502 */ 503 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 504 m = ieee80211_defrag(ni, m, hdrspace); 505 if (m == NULL) { 506 /* Fragment dropped or frame not complete yet */ 507 goto out; 508 } 509 } 510 wh = NULL; /* no longer valid, catch any uses */ 511 512 /* 513 * Next strip any MSDU crypto bits. 514 */ 515 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 516 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 517 ni->ni_macaddr, "data", "%s", "demic error"); 518 vap->iv_stats.is_rx_demicfail++; 519 IEEE80211_NODE_STAT(ni, rx_demicfail); 520 goto out; 521 } 522 523 /* copy to listener after decrypt */ 524 if (ieee80211_radiotap_active_vap(vap)) 525 ieee80211_radiotap_rx(vap, m); 526 need_tap = 0; 527 528 /* 529 * Finally, strip the 802.11 header. 530 */ 531 m = ieee80211_decap(vap, m, hdrspace); 532 if (m == NULL) { 533 /* XXX mask bit to check for both */ 534 /* don't count Null data frames as errors */ 535 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 536 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 537 goto out; 538 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 539 ni->ni_macaddr, "data", "%s", "decap error"); 540 vap->iv_stats.is_rx_decap++; 541 IEEE80211_NODE_STAT(ni, rx_decap); 542 goto err; 543 } 544 eh = mtod(m, struct ether_header *); 545 if (!ieee80211_node_is_authorized(ni)) { 546 /* 547 * Deny any non-PAE frames received prior to 548 * authorization. For open/shared-key 549 * authentication the port is mark authorized 550 * after authentication completes. For 802.1x 551 * the port is not marked authorized by the 552 * authenticator until the handshake has completed. 553 */ 554 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 555 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 556 eh->ether_shost, "data", 557 "unauthorized port: ether type 0x%x len %u", 558 eh->ether_type, m->m_pkthdr.len); 559 vap->iv_stats.is_rx_unauth++; 560 IEEE80211_NODE_STAT(ni, rx_unauth); 561 goto err; 562 } 563 } else { 564 /* 565 * When denying unencrypted frames, discard 566 * any non-PAE frames received without encryption. 567 */ 568 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 569 (key == NULL && (m->m_flags & M_WEP) == 0) && 570 eh->ether_type != htons(ETHERTYPE_PAE)) { 571 /* 572 * Drop unencrypted frames. 573 */ 574 vap->iv_stats.is_rx_unencrypted++; 575 IEEE80211_NODE_STAT(ni, rx_unencrypted); 576 goto out; 577 } 578 } 579 /* XXX require HT? */ 580 if (qos & IEEE80211_QOS_AMSDU) { 581 m = ieee80211_decap_amsdu(ni, m); 582 if (m == NULL) 583 return IEEE80211_FC0_TYPE_DATA; 584 } else { 585#ifdef IEEE80211_SUPPORT_SUPERG 586 m = ieee80211_decap_fastframe(vap, ni, m); 587 if (m == NULL) 588 return IEEE80211_FC0_TYPE_DATA; 589#endif 590 } 591 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 592 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 593 else 594 ieee80211_deliver_data(vap, ni, m); 595 return IEEE80211_FC0_TYPE_DATA; 596 597 case IEEE80211_FC0_TYPE_MGT: 598 vap->iv_stats.is_rx_mgmt++; 599 IEEE80211_NODE_STAT(ni, rx_mgmt); 600 if (dir != IEEE80211_FC1_DIR_NODS) { 601 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 602 wh, "data", "incorrect dir 0x%x", dir); 603 vap->iv_stats.is_rx_wrongdir++; 604 goto err; 605 } 606 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 607 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 608 ni->ni_macaddr, "mgt", "too short: len %u", 609 m->m_pkthdr.len); 610 vap->iv_stats.is_rx_tooshort++; 611 goto out; 612 } 613#ifdef IEEE80211_DEBUG 614 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 615 ieee80211_msg_dumppkts(vap)) { 616 if_printf(ifp, "received %s from %s rssi %d\n", 617 ieee80211_mgt_subtype_name(subtype), 618 ether_sprintf(wh->i_addr2), rssi); 619 } 620#endif 621 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { 622 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 623 wh, NULL, "%s", "WEP set but not permitted"); 624 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 625 goto out; 626 } 627 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf); 628 goto out; 629 630 case IEEE80211_FC0_TYPE_CTL: 631 vap->iv_stats.is_rx_ctl++; 632 IEEE80211_NODE_STAT(ni, rx_ctrl); 633 vap->iv_recv_ctl(ni, m, subtype); 634 goto out; 635 636 default: 637 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 638 wh, "bad", "frame type 0x%x", type); 639 /* should not come here */ 640 break; 641 } 642err: 643 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 644out: 645 if (m != NULL) { 646 if (need_tap && ieee80211_radiotap_active_vap(vap)) 647 ieee80211_radiotap_rx(vap, m); 648 m_freem(m); 649 } 650 return type; 651} 652 653static int 654is11bclient(const uint8_t *rates, const uint8_t *xrates) 655{ 656 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 657 int i; 658 659 /* NB: the 11b clients we care about will not have xrates */ 660 if (xrates != NULL || rates == NULL) 661 return 0; 662 for (i = 0; i < rates[1]; i++) { 663 int r = rates[2+i] & IEEE80211_RATE_VAL; 664 if (r > 2*11 || ((1<<r) & brates) == 0) 665 return 0; 666 } 667 return 1; 668} 669 670static void 671adhoc_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 672 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf) 673{ 674 struct ieee80211vap *vap = ni->ni_vap; 675 struct ieee80211com *ic = ni->ni_ic; 676 struct ieee80211_channel *rxchan = ic->ic_curchan; 677 struct ieee80211_frame *wh; 678 uint8_t *frm, *efrm; 679 uint8_t *ssid, *rates, *xrates; 680#if 0 681 int ht_state_change = 0; 682#endif 683 684 wh = mtod(m0, struct ieee80211_frame *); 685 frm = (uint8_t *)&wh[1]; 686 efrm = mtod(m0, uint8_t *) + m0->m_len; 687 switch (subtype) { 688 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 689 case IEEE80211_FC0_SUBTYPE_BEACON: { 690 struct ieee80211_scanparams scan; 691 struct ieee80211_channel *c; 692 /* 693 * We process beacon/probe response 694 * frames to discover neighbors. 695 */ 696 if (rxs != NULL) { 697 c = ieee80211_lookup_channel_rxstatus(vap, rxs); 698 if (c != NULL) 699 rxchan = c; 700 } 701 if (ieee80211_parse_beacon(ni, m0, rxchan, &scan) != 0) 702 return; 703 /* 704 * Count frame now that we know it's to be processed. 705 */ 706 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 707 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 708 IEEE80211_NODE_STAT(ni, rx_beacons); 709 } else 710 IEEE80211_NODE_STAT(ni, rx_proberesp); 711 /* 712 * If scanning, just pass information to the scan module. 713 */ 714 if (ic->ic_flags & IEEE80211_F_SCAN) { 715 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) { 716 /* 717 * Actively scanning a channel marked passive; 718 * send a probe request now that we know there 719 * is 802.11 traffic present. 720 * 721 * XXX check if the beacon we recv'd gives 722 * us what we need and suppress the probe req 723 */ 724 ieee80211_probe_curchan(vap, 1); 725 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 726 } 727 ieee80211_add_scan(vap, rxchan, &scan, wh, 728 subtype, rssi, nf); 729 return; 730 } 731 if (scan.capinfo & IEEE80211_CAPINFO_IBSS) { 732 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 733 /* 734 * Create a new entry in the neighbor table. 735 * 736 * XXX TODO: 737 * 738 * Here we're not scanning; so if we have an 739 * SSID then make sure it matches our SSID. 740 * Otherwise this code will match on all IBSS 741 * beacons/probe requests for all SSIDs, 742 * filling the node table with nodes that 743 * aren't ours. 744 */ 745 if (ieee80211_ibss_node_check_new(ni, &scan)) 746 ni = ieee80211_add_neighbor(vap, wh, &scan); 747 else 748 ni = NULL; 749 } else if (ni->ni_capinfo == 0) { 750 /* 751 * Update faked node created on transmit. 752 * Note this also updates the tsf. 753 */ 754 ieee80211_init_neighbor(ni, wh, &scan); 755 } else { 756 /* 757 * Record tsf for potential resync. 758 */ 759 memcpy(ni->ni_tstamp.data, scan.tstamp, 760 sizeof(ni->ni_tstamp)); 761 } 762 /* 763 * This isn't enabled yet - otherwise it would 764 * update the HT parameters and channel width 765 * from any node, which could lead to lots of 766 * strange behaviour if the 11n nodes aren't 767 * exactly configured to match. 768 */ 769#if 0 770 if (scan.htcap != NULL && scan.htinfo != NULL && 771 (vap->iv_flags_ht & IEEE80211_FHT_HT)) { 772 if (ieee80211_ht_updateparams(ni, 773 scan.htcap, scan.htinfo)) 774 ht_state_change = 1; 775 } 776#endif 777 if (ni != NULL) { 778 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 779 ni->ni_noise = nf; 780 } 781 /* 782 * Same here - the channel width change should 783 * be applied to the specific peer node, not 784 * to the ic. Ie, the interface configuration 785 * should stay in its current channel width; 786 * but it should change the rate control and 787 * any queued frames for the given node only. 788 * 789 * Since there's no (current) way to inform 790 * the driver that a channel width change has 791 * occurred for a single node, just stub this 792 * out. 793 */ 794#if 0 795 if (ht_state_change) 796 ieee80211_update_chw(ic); 797#endif 798 } 799 break; 800 } 801 802 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 803 if (vap->iv_state != IEEE80211_S_RUN) { 804 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 805 wh, NULL, "wrong state %s", 806 ieee80211_state_name[vap->iv_state]); 807 vap->iv_stats.is_rx_mgtdiscard++; 808 return; 809 } 810 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 811 /* frame must be directed */ 812 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 813 wh, NULL, "%s", "not unicast"); 814 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 815 return; 816 } 817 818 /* 819 * prreq frame format 820 * [tlv] ssid 821 * [tlv] supported rates 822 * [tlv] extended supported rates 823 */ 824 ssid = rates = xrates = NULL; 825 while (efrm - frm > 1) { 826 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 827 switch (*frm) { 828 case IEEE80211_ELEMID_SSID: 829 ssid = frm; 830 break; 831 case IEEE80211_ELEMID_RATES: 832 rates = frm; 833 break; 834 case IEEE80211_ELEMID_XRATES: 835 xrates = frm; 836 break; 837 } 838 frm += frm[1] + 2; 839 } 840 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 841 if (xrates != NULL) 842 IEEE80211_VERIFY_ELEMENT(xrates, 843 IEEE80211_RATE_MAXSIZE - rates[1], return); 844 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 845 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 846 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 847 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 848 wh, NULL, 849 "%s", "no ssid with ssid suppression enabled"); 850 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 851 return; 852 } 853 854 /* XXX find a better class or define it's own */ 855 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 856 "%s", "recv probe req"); 857 /* 858 * Some legacy 11b clients cannot hack a complete 859 * probe response frame. When the request includes 860 * only a bare-bones rate set, communicate this to 861 * the transmit side. 862 */ 863 ieee80211_send_proberesp(vap, wh->i_addr2, 864 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 865 break; 866 867 case IEEE80211_FC0_SUBTYPE_ACTION: 868 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 869 if ((ni == vap->iv_bss) && 870 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 871 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 872 wh, NULL, "%s", "unknown node"); 873 vap->iv_stats.is_rx_mgtdiscard++; 874 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && 875 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 876 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 877 wh, NULL, "%s", "not for us"); 878 vap->iv_stats.is_rx_mgtdiscard++; 879 } else if (vap->iv_state != IEEE80211_S_RUN) { 880 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 881 wh, NULL, "wrong state %s", 882 ieee80211_state_name[vap->iv_state]); 883 vap->iv_stats.is_rx_mgtdiscard++; 884 } else { 885 if (ieee80211_parse_action(ni, m0) == 0) 886 (void)ic->ic_recv_action(ni, wh, frm, efrm); 887 } 888 break; 889 890 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 891 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 892 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 893 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 894 case IEEE80211_FC0_SUBTYPE_TIMING_ADV: 895 case IEEE80211_FC0_SUBTYPE_ATIM: 896 case IEEE80211_FC0_SUBTYPE_DISASSOC: 897 case IEEE80211_FC0_SUBTYPE_AUTH: 898 case IEEE80211_FC0_SUBTYPE_DEAUTH: 899 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 900 wh, NULL, "%s", "not handled"); 901 vap->iv_stats.is_rx_mgtdiscard++; 902 break; 903 904 default: 905 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 906 wh, "mgt", "subtype 0x%x not handled", subtype); 907 vap->iv_stats.is_rx_badsubtype++; 908 break; 909 } 910} 911#undef IEEE80211_VERIFY_LENGTH 912#undef IEEE80211_VERIFY_ELEMENT 913 914static void 915ahdemo_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 916 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf) 917{ 918 struct ieee80211vap *vap = ni->ni_vap; 919 struct ieee80211com *ic = ni->ni_ic; 920 struct ieee80211_frame *wh; 921 922 /* 923 * Process management frames when scanning; useful for doing 924 * a site-survey. 925 */ 926 if (ic->ic_flags & IEEE80211_F_SCAN) 927 adhoc_recv_mgmt(ni, m0, subtype, rxs, rssi, nf); 928 else { 929 wh = mtod(m0, struct ieee80211_frame *); 930 switch (subtype) { 931 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 932 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 933 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 934 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 935 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 936 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 937 case IEEE80211_FC0_SUBTYPE_TIMING_ADV: 938 case IEEE80211_FC0_SUBTYPE_BEACON: 939 case IEEE80211_FC0_SUBTYPE_ATIM: 940 case IEEE80211_FC0_SUBTYPE_DISASSOC: 941 case IEEE80211_FC0_SUBTYPE_AUTH: 942 case IEEE80211_FC0_SUBTYPE_DEAUTH: 943 case IEEE80211_FC0_SUBTYPE_ACTION: 944 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 945 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 946 wh, NULL, "%s", "not handled"); 947 vap->iv_stats.is_rx_mgtdiscard++; 948 break; 949 default: 950 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 951 wh, "mgt", "subtype 0x%x not handled", subtype); 952 vap->iv_stats.is_rx_badsubtype++; 953 break; 954 } 955 } 956} 957 958static void 959adhoc_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype) 960{ 961 962 switch (subtype) { 963 case IEEE80211_FC0_SUBTYPE_BAR: 964 ieee80211_recv_bar(ni, m); 965 break; 966 } 967} 968