1#include <linux/etherdevice.h> 2#include <net/ieee80211_crypt.h> 3 4#include "hostap_80211.h" 5#include "hostap.h" 6#include "hostap_ap.h" 7 8/* See IEEE 802.1H for LLC/SNAP encapsulation/decapsulation */ 9/* Ethernet-II snap header (RFC1042 for most EtherTypes) */ 10static unsigned char rfc1042_header[] = 11{ 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 12/* Bridge-Tunnel header (for EtherTypes ETH_P_AARP and ETH_P_IPX) */ 13static unsigned char bridge_tunnel_header[] = 14{ 0xaa, 0xaa, 0x03, 0x00, 0x00, 0xf8 }; 15/* No encapsulation header if EtherType < 0x600 (=length) */ 16 17void hostap_dump_rx_80211(const char *name, struct sk_buff *skb, 18 struct hostap_80211_rx_status *rx_stats) 19{ 20 struct ieee80211_hdr_4addr *hdr; 21 u16 fc; 22 23 hdr = (struct ieee80211_hdr_4addr *) skb->data; 24 25 printk(KERN_DEBUG "%s: RX signal=%d noise=%d rate=%d len=%d " 26 "jiffies=%ld\n", 27 name, rx_stats->signal, rx_stats->noise, rx_stats->rate, 28 skb->len, jiffies); 29 30 if (skb->len < 2) 31 return; 32 33 fc = le16_to_cpu(hdr->frame_ctl); 34 printk(KERN_DEBUG " FC=0x%04x (type=%d:%d)%s%s", 35 fc, WLAN_FC_GET_TYPE(fc) >> 2, WLAN_FC_GET_STYPE(fc) >> 4, 36 fc & IEEE80211_FCTL_TODS ? " [ToDS]" : "", 37 fc & IEEE80211_FCTL_FROMDS ? " [FromDS]" : ""); 38 39 if (skb->len < IEEE80211_DATA_HDR3_LEN) { 40 printk("\n"); 41 return; 42 } 43 44 printk(" dur=0x%04x seq=0x%04x\n", le16_to_cpu(hdr->duration_id), 45 le16_to_cpu(hdr->seq_ctl)); 46 47 printk(KERN_DEBUG " A1=" MACSTR " A2=" MACSTR " A3=" MACSTR, 48 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2), MAC2STR(hdr->addr3)); 49 if (skb->len >= 30) 50 printk(" A4=" MACSTR, MAC2STR(hdr->addr4)); 51 printk("\n"); 52} 53 54 55/* Send RX frame to netif with 802.11 (and possible prism) header. 56 * Called from hardware or software IRQ context. */ 57int prism2_rx_80211(struct net_device *dev, struct sk_buff *skb, 58 struct hostap_80211_rx_status *rx_stats, int type) 59{ 60 struct hostap_interface *iface; 61 local_info_t *local; 62 int hdrlen, phdrlen, head_need, tail_need; 63 u16 fc; 64 int prism_header, ret; 65 struct ieee80211_hdr_4addr *hdr; 66 67 iface = netdev_priv(dev); 68 local = iface->local; 69 dev->last_rx = jiffies; 70 71 if (dev->type == ARPHRD_IEEE80211_PRISM) { 72 if (local->monitor_type == PRISM2_MONITOR_PRISM) { 73 prism_header = 1; 74 phdrlen = sizeof(struct linux_wlan_ng_prism_hdr); 75 } else { /* local->monitor_type == PRISM2_MONITOR_CAPHDR */ 76 prism_header = 2; 77 phdrlen = sizeof(struct linux_wlan_ng_cap_hdr); 78 } 79 } else { 80 prism_header = 0; 81 phdrlen = 0; 82 } 83 84 hdr = (struct ieee80211_hdr_4addr *) skb->data; 85 fc = le16_to_cpu(hdr->frame_ctl); 86 87 if (type == PRISM2_RX_MGMT && (fc & IEEE80211_FCTL_VERS)) { 88 printk(KERN_DEBUG "%s: dropped management frame with header " 89 "version %d\n", dev->name, fc & IEEE80211_FCTL_VERS); 90 dev_kfree_skb_any(skb); 91 return 0; 92 } 93 94 hdrlen = hostap_80211_get_hdrlen(fc); 95 96 /* check if there is enough room for extra data; if not, expand skb 97 * buffer to be large enough for the changes */ 98 head_need = phdrlen; 99 tail_need = 0; 100#ifdef PRISM2_ADD_BOGUS_CRC 101 tail_need += 4; 102#endif /* PRISM2_ADD_BOGUS_CRC */ 103 104 head_need -= skb_headroom(skb); 105 tail_need -= skb_tailroom(skb); 106 107 if (head_need > 0 || tail_need > 0) { 108 if (pskb_expand_head(skb, head_need > 0 ? head_need : 0, 109 tail_need > 0 ? tail_need : 0, 110 GFP_ATOMIC)) { 111 printk(KERN_DEBUG "%s: prism2_rx_80211 failed to " 112 "reallocate skb buffer\n", dev->name); 113 dev_kfree_skb_any(skb); 114 return 0; 115 } 116 } 117 118 /* We now have an skb with enough head and tail room, so just insert 119 * the extra data */ 120 121#ifdef PRISM2_ADD_BOGUS_CRC 122 memset(skb_put(skb, 4), 0xff, 4); /* Prism2 strips CRC */ 123#endif /* PRISM2_ADD_BOGUS_CRC */ 124 125 if (prism_header == 1) { 126 struct linux_wlan_ng_prism_hdr *hdr; 127 hdr = (struct linux_wlan_ng_prism_hdr *) 128 skb_push(skb, phdrlen); 129 memset(hdr, 0, phdrlen); 130 hdr->msgcode = LWNG_CAP_DID_BASE; 131 hdr->msglen = sizeof(*hdr); 132 memcpy(hdr->devname, dev->name, sizeof(hdr->devname)); 133#define LWNG_SETVAL(f,i,s,l,d) \ 134hdr->f.did = LWNG_CAP_DID_BASE | (i << 12); \ 135hdr->f.status = s; hdr->f.len = l; hdr->f.data = d 136 LWNG_SETVAL(hosttime, 1, 0, 4, jiffies); 137 LWNG_SETVAL(mactime, 2, 0, 4, rx_stats->mac_time); 138 LWNG_SETVAL(channel, 3, 1 /* no value */, 4, 0); 139 LWNG_SETVAL(rssi, 4, 1 /* no value */, 4, 0); 140 LWNG_SETVAL(sq, 5, 1 /* no value */, 4, 0); 141 LWNG_SETVAL(signal, 6, 0, 4, rx_stats->signal); 142 LWNG_SETVAL(noise, 7, 0, 4, rx_stats->noise); 143 LWNG_SETVAL(rate, 8, 0, 4, rx_stats->rate / 5); 144 LWNG_SETVAL(istx, 9, 0, 4, 0); 145 LWNG_SETVAL(frmlen, 10, 0, 4, skb->len - phdrlen); 146#undef LWNG_SETVAL 147 } else if (prism_header == 2) { 148 struct linux_wlan_ng_cap_hdr *hdr; 149 hdr = (struct linux_wlan_ng_cap_hdr *) 150 skb_push(skb, phdrlen); 151 memset(hdr, 0, phdrlen); 152 hdr->version = htonl(LWNG_CAPHDR_VERSION); 153 hdr->length = htonl(phdrlen); 154 hdr->mactime = __cpu_to_be64(rx_stats->mac_time); 155 hdr->hosttime = __cpu_to_be64(jiffies); 156 hdr->phytype = htonl(4); /* dss_dot11_b */ 157 hdr->channel = htonl(local->channel); 158 hdr->datarate = htonl(rx_stats->rate); 159 hdr->antenna = htonl(0); /* unknown */ 160 hdr->priority = htonl(0); /* unknown */ 161 hdr->ssi_type = htonl(3); /* raw */ 162 hdr->ssi_signal = htonl(rx_stats->signal); 163 hdr->ssi_noise = htonl(rx_stats->noise); 164 hdr->preamble = htonl(0); /* unknown */ 165 hdr->encoding = htonl(1); /* cck */ 166 } 167 168 ret = skb->len - phdrlen; 169 skb->dev = dev; 170 skb_reset_mac_header(skb); 171 skb_pull(skb, hdrlen); 172 if (prism_header) 173 skb_pull(skb, phdrlen); 174 skb->pkt_type = PACKET_OTHERHOST; 175 skb->protocol = __constant_htons(ETH_P_802_2); 176 memset(skb->cb, 0, sizeof(skb->cb)); 177 netif_rx(skb); 178 179 return ret; 180} 181 182 183/* Called only as a tasklet (software IRQ) */ 184static void monitor_rx(struct net_device *dev, struct sk_buff *skb, 185 struct hostap_80211_rx_status *rx_stats) 186{ 187 struct net_device_stats *stats; 188 int len; 189 190 len = prism2_rx_80211(dev, skb, rx_stats, PRISM2_RX_MONITOR); 191 stats = hostap_get_stats(dev); 192 stats->rx_packets++; 193 stats->rx_bytes += len; 194} 195 196 197/* Called only as a tasklet (software IRQ) */ 198static struct prism2_frag_entry * 199prism2_frag_cache_find(local_info_t *local, unsigned int seq, 200 unsigned int frag, u8 *src, u8 *dst) 201{ 202 struct prism2_frag_entry *entry; 203 int i; 204 205 for (i = 0; i < PRISM2_FRAG_CACHE_LEN; i++) { 206 entry = &local->frag_cache[i]; 207 if (entry->skb != NULL && 208 time_after(jiffies, entry->first_frag_time + 2 * HZ)) { 209 printk(KERN_DEBUG "%s: expiring fragment cache entry " 210 "seq=%u last_frag=%u\n", 211 local->dev->name, entry->seq, entry->last_frag); 212 dev_kfree_skb(entry->skb); 213 entry->skb = NULL; 214 } 215 216 if (entry->skb != NULL && entry->seq == seq && 217 (entry->last_frag + 1 == frag || frag == -1) && 218 memcmp(entry->src_addr, src, ETH_ALEN) == 0 && 219 memcmp(entry->dst_addr, dst, ETH_ALEN) == 0) 220 return entry; 221 } 222 223 return NULL; 224} 225 226 227/* Called only as a tasklet (software IRQ) */ 228static struct sk_buff * 229prism2_frag_cache_get(local_info_t *local, struct ieee80211_hdr_4addr *hdr) 230{ 231 struct sk_buff *skb = NULL; 232 u16 sc; 233 unsigned int frag, seq; 234 struct prism2_frag_entry *entry; 235 236 sc = le16_to_cpu(hdr->seq_ctl); 237 frag = WLAN_GET_SEQ_FRAG(sc); 238 seq = WLAN_GET_SEQ_SEQ(sc) >> 4; 239 240 if (frag == 0) { 241 /* Reserve enough space to fit maximum frame length */ 242 skb = dev_alloc_skb(local->dev->mtu + 243 sizeof(struct ieee80211_hdr_4addr) + 244 8 /* LLC */ + 245 2 /* alignment */ + 246 8 /* WEP */ + ETH_ALEN /* WDS */); 247 if (skb == NULL) 248 return NULL; 249 250 entry = &local->frag_cache[local->frag_next_idx]; 251 local->frag_next_idx++; 252 if (local->frag_next_idx >= PRISM2_FRAG_CACHE_LEN) 253 local->frag_next_idx = 0; 254 255 if (entry->skb != NULL) 256 dev_kfree_skb(entry->skb); 257 258 entry->first_frag_time = jiffies; 259 entry->seq = seq; 260 entry->last_frag = frag; 261 entry->skb = skb; 262 memcpy(entry->src_addr, hdr->addr2, ETH_ALEN); 263 memcpy(entry->dst_addr, hdr->addr1, ETH_ALEN); 264 } else { 265 /* received a fragment of a frame for which the head fragment 266 * should have already been received */ 267 entry = prism2_frag_cache_find(local, seq, frag, hdr->addr2, 268 hdr->addr1); 269 if (entry != NULL) { 270 entry->last_frag = frag; 271 skb = entry->skb; 272 } 273 } 274 275 return skb; 276} 277 278 279/* Called only as a tasklet (software IRQ) */ 280static int prism2_frag_cache_invalidate(local_info_t *local, 281 struct ieee80211_hdr_4addr *hdr) 282{ 283 u16 sc; 284 unsigned int seq; 285 struct prism2_frag_entry *entry; 286 287 sc = le16_to_cpu(hdr->seq_ctl); 288 seq = WLAN_GET_SEQ_SEQ(sc) >> 4; 289 290 entry = prism2_frag_cache_find(local, seq, -1, hdr->addr2, hdr->addr1); 291 292 if (entry == NULL) { 293 printk(KERN_DEBUG "%s: could not invalidate fragment cache " 294 "entry (seq=%u)\n", 295 local->dev->name, seq); 296 return -1; 297 } 298 299 entry->skb = NULL; 300 return 0; 301} 302 303 304static struct hostap_bss_info *__hostap_get_bss(local_info_t *local, u8 *bssid, 305 u8 *ssid, size_t ssid_len) 306{ 307 struct list_head *ptr; 308 struct hostap_bss_info *bss; 309 310 list_for_each(ptr, &local->bss_list) { 311 bss = list_entry(ptr, struct hostap_bss_info, list); 312 if (memcmp(bss->bssid, bssid, ETH_ALEN) == 0 && 313 (ssid == NULL || 314 (ssid_len == bss->ssid_len && 315 memcmp(ssid, bss->ssid, ssid_len) == 0))) { 316 list_move(&bss->list, &local->bss_list); 317 return bss; 318 } 319 } 320 321 return NULL; 322} 323 324 325static struct hostap_bss_info *__hostap_add_bss(local_info_t *local, u8 *bssid, 326 u8 *ssid, size_t ssid_len) 327{ 328 struct hostap_bss_info *bss; 329 330 if (local->num_bss_info >= HOSTAP_MAX_BSS_COUNT) { 331 bss = list_entry(local->bss_list.prev, 332 struct hostap_bss_info, list); 333 list_del(&bss->list); 334 local->num_bss_info--; 335 } else { 336 bss = (struct hostap_bss_info *) 337 kmalloc(sizeof(*bss), GFP_ATOMIC); 338 if (bss == NULL) 339 return NULL; 340 } 341 342 memset(bss, 0, sizeof(*bss)); 343 memcpy(bss->bssid, bssid, ETH_ALEN); 344 memcpy(bss->ssid, ssid, ssid_len); 345 bss->ssid_len = ssid_len; 346 local->num_bss_info++; 347 list_add(&bss->list, &local->bss_list); 348 return bss; 349} 350 351 352static void __hostap_expire_bss(local_info_t *local) 353{ 354 struct hostap_bss_info *bss; 355 356 while (local->num_bss_info > 0) { 357 bss = list_entry(local->bss_list.prev, 358 struct hostap_bss_info, list); 359 if (!time_after(jiffies, bss->last_update + 60 * HZ)) 360 break; 361 362 list_del(&bss->list); 363 local->num_bss_info--; 364 kfree(bss); 365 } 366} 367 368 369/* Both IEEE 802.11 Beacon and Probe Response frames have similar structure, so 370 * the same routine can be used to parse both of them. */ 371static void hostap_rx_sta_beacon(local_info_t *local, struct sk_buff *skb, 372 int stype) 373{ 374 struct hostap_ieee80211_mgmt *mgmt; 375 int left, chan = 0; 376 u8 *pos; 377 u8 *ssid = NULL, *wpa = NULL, *rsn = NULL; 378 size_t ssid_len = 0, wpa_len = 0, rsn_len = 0; 379 struct hostap_bss_info *bss; 380 381 if (skb->len < IEEE80211_MGMT_HDR_LEN + sizeof(mgmt->u.beacon)) 382 return; 383 384 mgmt = (struct hostap_ieee80211_mgmt *) skb->data; 385 pos = mgmt->u.beacon.variable; 386 left = skb->len - (pos - skb->data); 387 388 while (left >= 2) { 389 if (2 + pos[1] > left) 390 return; /* parse failed */ 391 switch (*pos) { 392 case WLAN_EID_SSID: 393 ssid = pos + 2; 394 ssid_len = pos[1]; 395 break; 396 case WLAN_EID_GENERIC: 397 if (pos[1] >= 4 && 398 pos[2] == 0x00 && pos[3] == 0x50 && 399 pos[4] == 0xf2 && pos[5] == 1) { 400 wpa = pos; 401 wpa_len = pos[1] + 2; 402 } 403 break; 404 case WLAN_EID_RSN: 405 rsn = pos; 406 rsn_len = pos[1] + 2; 407 break; 408 case WLAN_EID_DS_PARAMS: 409 if (pos[1] >= 1) 410 chan = pos[2]; 411 break; 412 } 413 left -= 2 + pos[1]; 414 pos += 2 + pos[1]; 415 } 416 417 if (wpa_len > MAX_WPA_IE_LEN) 418 wpa_len = MAX_WPA_IE_LEN; 419 if (rsn_len > MAX_WPA_IE_LEN) 420 rsn_len = MAX_WPA_IE_LEN; 421 if (ssid_len > sizeof(bss->ssid)) 422 ssid_len = sizeof(bss->ssid); 423 424 spin_lock(&local->lock); 425 bss = __hostap_get_bss(local, mgmt->bssid, ssid, ssid_len); 426 if (bss == NULL) 427 bss = __hostap_add_bss(local, mgmt->bssid, ssid, ssid_len); 428 if (bss) { 429 bss->last_update = jiffies; 430 bss->count++; 431 bss->capab_info = le16_to_cpu(mgmt->u.beacon.capab_info); 432 if (wpa) { 433 memcpy(bss->wpa_ie, wpa, wpa_len); 434 bss->wpa_ie_len = wpa_len; 435 } else 436 bss->wpa_ie_len = 0; 437 if (rsn) { 438 memcpy(bss->rsn_ie, rsn, rsn_len); 439 bss->rsn_ie_len = rsn_len; 440 } else 441 bss->rsn_ie_len = 0; 442 bss->chan = chan; 443 } 444 __hostap_expire_bss(local); 445 spin_unlock(&local->lock); 446} 447 448 449static int 450hostap_rx_frame_mgmt(local_info_t *local, struct sk_buff *skb, 451 struct hostap_80211_rx_status *rx_stats, u16 type, 452 u16 stype) 453{ 454 if (local->iw_mode == IW_MODE_MASTER) { 455 hostap_update_sta_ps(local, (struct ieee80211_hdr_4addr *) 456 skb->data); 457 } 458 459 if (local->hostapd && type == IEEE80211_FTYPE_MGMT) { 460 if (stype == IEEE80211_STYPE_BEACON && 461 local->iw_mode == IW_MODE_MASTER) { 462 struct sk_buff *skb2; 463 /* Process beacon frames also in kernel driver to 464 * update STA(AP) table statistics */ 465 skb2 = skb_clone(skb, GFP_ATOMIC); 466 if (skb2) 467 hostap_rx(skb2->dev, skb2, rx_stats); 468 } 469 470 /* send management frames to the user space daemon for 471 * processing */ 472 local->apdevstats.rx_packets++; 473 local->apdevstats.rx_bytes += skb->len; 474 if (local->apdev == NULL) 475 return -1; 476 prism2_rx_80211(local->apdev, skb, rx_stats, PRISM2_RX_MGMT); 477 return 0; 478 } 479 480 if (local->iw_mode == IW_MODE_MASTER) { 481 if (type != IEEE80211_FTYPE_MGMT && 482 type != IEEE80211_FTYPE_CTL) { 483 printk(KERN_DEBUG "%s: unknown management frame " 484 "(type=0x%02x, stype=0x%02x) dropped\n", 485 skb->dev->name, type >> 2, stype >> 4); 486 return -1; 487 } 488 489 hostap_rx(skb->dev, skb, rx_stats); 490 return 0; 491 } else if (type == IEEE80211_FTYPE_MGMT && 492 (stype == IEEE80211_STYPE_BEACON || 493 stype == IEEE80211_STYPE_PROBE_RESP)) { 494 hostap_rx_sta_beacon(local, skb, stype); 495 return -1; 496 } else if (type == IEEE80211_FTYPE_MGMT && 497 (stype == IEEE80211_STYPE_ASSOC_RESP || 498 stype == IEEE80211_STYPE_REASSOC_RESP)) { 499 /* Ignore (Re)AssocResp silently since these are not currently 500 * needed but are still received when WPA/RSN mode is enabled. 501 */ 502 return -1; 503 } else { 504 printk(KERN_DEBUG "%s: hostap_rx_frame_mgmt: dropped unhandled" 505 " management frame in non-Host AP mode (type=%d:%d)\n", 506 skb->dev->name, type >> 2, stype >> 4); 507 return -1; 508 } 509} 510 511 512/* Called only as a tasklet (software IRQ) */ 513static struct net_device *prism2_rx_get_wds(local_info_t *local, 514 u8 *addr) 515{ 516 struct hostap_interface *iface = NULL; 517 struct list_head *ptr; 518 519 read_lock_bh(&local->iface_lock); 520 list_for_each(ptr, &local->hostap_interfaces) { 521 iface = list_entry(ptr, struct hostap_interface, list); 522 if (iface->type == HOSTAP_INTERFACE_WDS && 523 memcmp(iface->u.wds.remote_addr, addr, ETH_ALEN) == 0) 524 break; 525 iface = NULL; 526 } 527 read_unlock_bh(&local->iface_lock); 528 529 return iface ? iface->dev : NULL; 530} 531 532 533static int 534hostap_rx_frame_wds(local_info_t *local, struct ieee80211_hdr_4addr *hdr, 535 u16 fc, struct net_device **wds) 536{ 537 /* FIX: is this really supposed to accept WDS frames only in Master 538 * mode? What about Repeater or Managed with WDS frames? */ 539 if ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) != 540 (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS) && 541 (local->iw_mode != IW_MODE_MASTER || !(fc & IEEE80211_FCTL_TODS))) 542 return 0; /* not a WDS frame */ 543 544 /* Possible WDS frame: either IEEE 802.11 compliant (if FromDS) 545 * or own non-standard frame with 4th address after payload */ 546 if (memcmp(hdr->addr1, local->dev->dev_addr, ETH_ALEN) != 0 && 547 (hdr->addr1[0] != 0xff || hdr->addr1[1] != 0xff || 548 hdr->addr1[2] != 0xff || hdr->addr1[3] != 0xff || 549 hdr->addr1[4] != 0xff || hdr->addr1[5] != 0xff)) { 550 /* RA (or BSSID) is not ours - drop */ 551 PDEBUG(DEBUG_EXTRA, "%s: received WDS frame with " 552 "not own or broadcast %s=" MACSTR "\n", 553 local->dev->name, 554 fc & IEEE80211_FCTL_FROMDS ? "RA" : "BSSID", 555 MAC2STR(hdr->addr1)); 556 return -1; 557 } 558 559 /* check if the frame came from a registered WDS connection */ 560 *wds = prism2_rx_get_wds(local, hdr->addr2); 561 if (*wds == NULL && fc & IEEE80211_FCTL_FROMDS && 562 (local->iw_mode != IW_MODE_INFRA || 563 !(local->wds_type & HOSTAP_WDS_AP_CLIENT) || 564 memcmp(hdr->addr2, local->bssid, ETH_ALEN) != 0)) { 565 /* require that WDS link has been registered with TA or the 566 * frame is from current AP when using 'AP client mode' */ 567 PDEBUG(DEBUG_EXTRA, "%s: received WDS[4 addr] frame " 568 "from unknown TA=" MACSTR "\n", 569 local->dev->name, MAC2STR(hdr->addr2)); 570 if (local->ap && local->ap->autom_ap_wds) 571 hostap_wds_link_oper(local, hdr->addr2, WDS_ADD); 572 return -1; 573 } 574 575 if (*wds && !(fc & IEEE80211_FCTL_FROMDS) && local->ap && 576 hostap_is_sta_assoc(local->ap, hdr->addr2)) { 577 /* STA is actually associated with us even though it has a 578 * registered WDS link. Assume it is in 'AP client' mode. 579 * Since this is a 3-addr frame, assume it is not (bogus) WDS 580 * frame and process it like any normal ToDS frame from 581 * associated STA. */ 582 *wds = NULL; 583 } 584 585 return 0; 586} 587 588 589static int hostap_is_eapol_frame(local_info_t *local, struct sk_buff *skb) 590{ 591 struct net_device *dev = local->dev; 592 u16 fc, ethertype; 593 struct ieee80211_hdr_4addr *hdr; 594 u8 *pos; 595 596 if (skb->len < 24) 597 return 0; 598 599 hdr = (struct ieee80211_hdr_4addr *) skb->data; 600 fc = le16_to_cpu(hdr->frame_ctl); 601 602 /* check that the frame is unicast frame to us */ 603 if ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) == 604 IEEE80211_FCTL_TODS && 605 memcmp(hdr->addr1, dev->dev_addr, ETH_ALEN) == 0 && 606 memcmp(hdr->addr3, dev->dev_addr, ETH_ALEN) == 0) { 607 /* ToDS frame with own addr BSSID and DA */ 608 } else if ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) == 609 IEEE80211_FCTL_FROMDS && 610 memcmp(hdr->addr1, dev->dev_addr, ETH_ALEN) == 0) { 611 /* FromDS frame with own addr as DA */ 612 } else 613 return 0; 614 615 if (skb->len < 24 + 8) 616 return 0; 617 618 /* check for port access entity Ethernet type */ 619 pos = skb->data + 24; 620 ethertype = (pos[6] << 8) | pos[7]; 621 if (ethertype == ETH_P_PAE) 622 return 1; 623 624 return 0; 625} 626 627 628/* Called only as a tasklet (software IRQ) */ 629static int 630hostap_rx_frame_decrypt(local_info_t *local, struct sk_buff *skb, 631 struct ieee80211_crypt_data *crypt) 632{ 633 struct ieee80211_hdr_4addr *hdr; 634 int res, hdrlen; 635 636 if (crypt == NULL || crypt->ops->decrypt_mpdu == NULL) 637 return 0; 638 639 hdr = (struct ieee80211_hdr_4addr *) skb->data; 640 hdrlen = hostap_80211_get_hdrlen(le16_to_cpu(hdr->frame_ctl)); 641 642 if (local->tkip_countermeasures && 643 strcmp(crypt->ops->name, "TKIP") == 0) { 644 if (net_ratelimit()) { 645 printk(KERN_DEBUG "%s: TKIP countermeasures: dropped " 646 "received packet from " MACSTR "\n", 647 local->dev->name, MAC2STR(hdr->addr2)); 648 } 649 return -1; 650 } 651 652 atomic_inc(&crypt->refcnt); 653 res = crypt->ops->decrypt_mpdu(skb, hdrlen, crypt->priv); 654 atomic_dec(&crypt->refcnt); 655 if (res < 0) { 656 printk(KERN_DEBUG "%s: decryption failed (SA=" MACSTR 657 ") res=%d\n", 658 local->dev->name, MAC2STR(hdr->addr2), res); 659 local->comm_tallies.rx_discards_wep_undecryptable++; 660 return -1; 661 } 662 663 return res; 664} 665 666 667/* Called only as a tasklet (software IRQ) */ 668static int 669hostap_rx_frame_decrypt_msdu(local_info_t *local, struct sk_buff *skb, 670 int keyidx, struct ieee80211_crypt_data *crypt) 671{ 672 struct ieee80211_hdr_4addr *hdr; 673 int res, hdrlen; 674 675 if (crypt == NULL || crypt->ops->decrypt_msdu == NULL) 676 return 0; 677 678 hdr = (struct ieee80211_hdr_4addr *) skb->data; 679 hdrlen = hostap_80211_get_hdrlen(le16_to_cpu(hdr->frame_ctl)); 680 681 atomic_inc(&crypt->refcnt); 682 res = crypt->ops->decrypt_msdu(skb, keyidx, hdrlen, crypt->priv); 683 atomic_dec(&crypt->refcnt); 684 if (res < 0) { 685 printk(KERN_DEBUG "%s: MSDU decryption/MIC verification failed" 686 " (SA=" MACSTR " keyidx=%d)\n", 687 local->dev->name, MAC2STR(hdr->addr2), keyidx); 688 return -1; 689 } 690 691 return 0; 692} 693 694 695/* All received frames are sent to this function. @skb contains the frame in 696 * IEEE 802.11 format, i.e., in the format it was sent over air. 697 * This function is called only as a tasklet (software IRQ). */ 698void hostap_80211_rx(struct net_device *dev, struct sk_buff *skb, 699 struct hostap_80211_rx_status *rx_stats) 700{ 701 struct hostap_interface *iface; 702 local_info_t *local; 703 struct ieee80211_hdr_4addr *hdr; 704 size_t hdrlen; 705 u16 fc, type, stype, sc; 706 struct net_device *wds = NULL; 707 struct net_device_stats *stats; 708 unsigned int frag; 709 u8 *payload; 710 struct sk_buff *skb2 = NULL; 711 u16 ethertype; 712 int frame_authorized = 0; 713 int from_assoc_ap = 0; 714 u8 dst[ETH_ALEN]; 715 u8 src[ETH_ALEN]; 716 struct ieee80211_crypt_data *crypt = NULL; 717 void *sta = NULL; 718 int keyidx = 0; 719 720 iface = netdev_priv(dev); 721 local = iface->local; 722 iface->stats.rx_packets++; 723 iface->stats.rx_bytes += skb->len; 724 725 /* dev is the master radio device; change this to be the default 726 * virtual interface (this may be changed to WDS device below) */ 727 dev = local->ddev; 728 iface = netdev_priv(dev); 729 730 hdr = (struct ieee80211_hdr_4addr *) skb->data; 731 stats = hostap_get_stats(dev); 732 733 if (skb->len < 10) 734 goto rx_dropped; 735 736 fc = le16_to_cpu(hdr->frame_ctl); 737 type = WLAN_FC_GET_TYPE(fc); 738 stype = WLAN_FC_GET_STYPE(fc); 739 sc = le16_to_cpu(hdr->seq_ctl); 740 frag = WLAN_GET_SEQ_FRAG(sc); 741 hdrlen = hostap_80211_get_hdrlen(fc); 742 743 /* Put this code here so that we avoid duplicating it in all 744 * Rx paths. - Jean II */ 745#ifdef IW_WIRELESS_SPY /* defined in iw_handler.h */ 746 /* If spy monitoring on */ 747 if (iface->spy_data.spy_number > 0) { 748 struct iw_quality wstats; 749 wstats.level = rx_stats->signal; 750 wstats.noise = rx_stats->noise; 751 wstats.updated = IW_QUAL_LEVEL_UPDATED | IW_QUAL_NOISE_UPDATED 752 | IW_QUAL_QUAL_INVALID | IW_QUAL_DBM; 753 /* Update spy records */ 754 wireless_spy_update(dev, hdr->addr2, &wstats); 755 } 756#endif /* IW_WIRELESS_SPY */ 757 hostap_update_rx_stats(local->ap, hdr, rx_stats); 758 759 if (local->iw_mode == IW_MODE_MONITOR) { 760 monitor_rx(dev, skb, rx_stats); 761 return; 762 } 763 764 if (local->host_decrypt) { 765 int idx = 0; 766 if (skb->len >= hdrlen + 3) 767 idx = skb->data[hdrlen + 3] >> 6; 768 crypt = local->crypt[idx]; 769 sta = NULL; 770 771 /* Use station specific key to override default keys if the 772 * receiver address is a unicast address ("individual RA"). If 773 * bcrx_sta_key parameter is set, station specific key is used 774 * even with broad/multicast targets (this is against IEEE 775 * 802.11, but makes it easier to use different keys with 776 * stations that do not support WEP key mapping). */ 777 778 if (!(hdr->addr1[0] & 0x01) || local->bcrx_sta_key) 779 (void) hostap_handle_sta_crypto(local, hdr, &crypt, 780 &sta); 781 782 /* allow NULL decrypt to indicate an station specific override 783 * for default encryption */ 784 if (crypt && (crypt->ops == NULL || 785 crypt->ops->decrypt_mpdu == NULL)) 786 crypt = NULL; 787 788 if (!crypt && (fc & IEEE80211_FCTL_PROTECTED)) { 789 local->comm_tallies.rx_discards_wep_undecryptable++; 790 goto rx_dropped; 791 } 792 } 793 794 if (type != IEEE80211_FTYPE_DATA) { 795 if (type == IEEE80211_FTYPE_MGMT && 796 stype == IEEE80211_STYPE_AUTH && 797 fc & IEEE80211_FCTL_PROTECTED && local->host_decrypt && 798 (keyidx = hostap_rx_frame_decrypt(local, skb, crypt)) < 0) 799 { 800 printk(KERN_DEBUG "%s: failed to decrypt mgmt::auth " 801 "from " MACSTR "\n", dev->name, 802 MAC2STR(hdr->addr2)); 803 /* TODO: could inform hostapd about this so that it 804 * could send auth failure report */ 805 goto rx_dropped; 806 } 807 808 if (hostap_rx_frame_mgmt(local, skb, rx_stats, type, stype)) 809 goto rx_dropped; 810 else 811 goto rx_exit; 812 } 813 814 /* Data frame - extract src/dst addresses */ 815 if (skb->len < IEEE80211_DATA_HDR3_LEN) 816 goto rx_dropped; 817 818 switch (fc & (IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS)) { 819 case IEEE80211_FCTL_FROMDS: 820 memcpy(dst, hdr->addr1, ETH_ALEN); 821 memcpy(src, hdr->addr3, ETH_ALEN); 822 break; 823 case IEEE80211_FCTL_TODS: 824 memcpy(dst, hdr->addr3, ETH_ALEN); 825 memcpy(src, hdr->addr2, ETH_ALEN); 826 break; 827 case IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS: 828 if (skb->len < IEEE80211_DATA_HDR4_LEN) 829 goto rx_dropped; 830 memcpy(dst, hdr->addr3, ETH_ALEN); 831 memcpy(src, hdr->addr4, ETH_ALEN); 832 break; 833 case 0: 834 memcpy(dst, hdr->addr1, ETH_ALEN); 835 memcpy(src, hdr->addr2, ETH_ALEN); 836 break; 837 } 838 839 if (hostap_rx_frame_wds(local, hdr, fc, &wds)) 840 goto rx_dropped; 841 if (wds) { 842 skb->dev = dev = wds; 843 stats = hostap_get_stats(dev); 844 } 845 846 if (local->iw_mode == IW_MODE_MASTER && !wds && 847 (fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) == 848 IEEE80211_FCTL_FROMDS && 849 local->stadev && 850 memcmp(hdr->addr2, local->assoc_ap_addr, ETH_ALEN) == 0) { 851 /* Frame from BSSID of the AP for which we are a client */ 852 skb->dev = dev = local->stadev; 853 stats = hostap_get_stats(dev); 854 from_assoc_ap = 1; 855 } 856 857 dev->last_rx = jiffies; 858 859 if ((local->iw_mode == IW_MODE_MASTER || 860 local->iw_mode == IW_MODE_REPEAT) && 861 !from_assoc_ap) { 862 switch (hostap_handle_sta_rx(local, dev, skb, rx_stats, 863 wds != NULL)) { 864 case AP_RX_CONTINUE_NOT_AUTHORIZED: 865 frame_authorized = 0; 866 break; 867 case AP_RX_CONTINUE: 868 frame_authorized = 1; 869 break; 870 case AP_RX_DROP: 871 goto rx_dropped; 872 case AP_RX_EXIT: 873 goto rx_exit; 874 } 875 } 876 877 /* Nullfunc frames may have PS-bit set, so they must be passed to 878 * hostap_handle_sta_rx() before being dropped here. */ 879 if (stype != IEEE80211_STYPE_DATA && 880 stype != IEEE80211_STYPE_DATA_CFACK && 881 stype != IEEE80211_STYPE_DATA_CFPOLL && 882 stype != IEEE80211_STYPE_DATA_CFACKPOLL) { 883 if (stype != IEEE80211_STYPE_NULLFUNC) 884 printk(KERN_DEBUG "%s: RX: dropped data frame " 885 "with no data (type=0x%02x, subtype=0x%02x)\n", 886 dev->name, type >> 2, stype >> 4); 887 goto rx_dropped; 888 } 889 890 /* skb: hdr + (possibly fragmented, possibly encrypted) payload */ 891 892 if (local->host_decrypt && (fc & IEEE80211_FCTL_PROTECTED) && 893 (keyidx = hostap_rx_frame_decrypt(local, skb, crypt)) < 0) 894 goto rx_dropped; 895 hdr = (struct ieee80211_hdr_4addr *) skb->data; 896 897 /* skb: hdr + (possibly fragmented) plaintext payload */ 898 899 if (local->host_decrypt && (fc & IEEE80211_FCTL_PROTECTED) && 900 (frag != 0 || (fc & IEEE80211_FCTL_MOREFRAGS))) { 901 int flen; 902 struct sk_buff *frag_skb = 903 prism2_frag_cache_get(local, hdr); 904 if (!frag_skb) { 905 printk(KERN_DEBUG "%s: Rx cannot get skb from " 906 "fragment cache (morefrag=%d seq=%u frag=%u)\n", 907 dev->name, (fc & IEEE80211_FCTL_MOREFRAGS) != 0, 908 WLAN_GET_SEQ_SEQ(sc) >> 4, frag); 909 goto rx_dropped; 910 } 911 912 flen = skb->len; 913 if (frag != 0) 914 flen -= hdrlen; 915 916 if (frag_skb->tail + flen > frag_skb->end) { 917 printk(KERN_WARNING "%s: host decrypted and " 918 "reassembled frame did not fit skb\n", 919 dev->name); 920 prism2_frag_cache_invalidate(local, hdr); 921 goto rx_dropped; 922 } 923 924 if (frag == 0) { 925 /* copy first fragment (including full headers) into 926 * beginning of the fragment cache skb */ 927 skb_copy_from_linear_data(skb, skb_put(frag_skb, flen), 928 flen); 929 } else { 930 /* append frame payload to the end of the fragment 931 * cache skb */ 932 skb_copy_from_linear_data_offset(skb, hdrlen, 933 skb_put(frag_skb, 934 flen), flen); 935 } 936 dev_kfree_skb(skb); 937 skb = NULL; 938 939 if (fc & IEEE80211_FCTL_MOREFRAGS) { 940 /* more fragments expected - leave the skb in fragment 941 * cache for now; it will be delivered to upper layers 942 * after all fragments have been received */ 943 goto rx_exit; 944 } 945 946 /* this was the last fragment and the frame will be 947 * delivered, so remove skb from fragment cache */ 948 skb = frag_skb; 949 hdr = (struct ieee80211_hdr_4addr *) skb->data; 950 prism2_frag_cache_invalidate(local, hdr); 951 } 952 953 /* skb: hdr + (possible reassembled) full MSDU payload; possibly still 954 * encrypted/authenticated */ 955 956 if (local->host_decrypt && (fc & IEEE80211_FCTL_PROTECTED) && 957 hostap_rx_frame_decrypt_msdu(local, skb, keyidx, crypt)) 958 goto rx_dropped; 959 960 hdr = (struct ieee80211_hdr_4addr *) skb->data; 961 if (crypt && !(fc & IEEE80211_FCTL_PROTECTED) && !local->open_wep) { 962 if (local->ieee_802_1x && 963 hostap_is_eapol_frame(local, skb)) { 964 /* pass unencrypted EAPOL frames even if encryption is 965 * configured */ 966 PDEBUG(DEBUG_EXTRA2, "%s: RX: IEEE 802.1X - passing " 967 "unencrypted EAPOL frame\n", local->dev->name); 968 } else { 969 printk(KERN_DEBUG "%s: encryption configured, but RX " 970 "frame not encrypted (SA=" MACSTR ")\n", 971 local->dev->name, MAC2STR(hdr->addr2)); 972 goto rx_dropped; 973 } 974 } 975 976 if (local->drop_unencrypted && !(fc & IEEE80211_FCTL_PROTECTED) && 977 !hostap_is_eapol_frame(local, skb)) { 978 if (net_ratelimit()) { 979 printk(KERN_DEBUG "%s: dropped unencrypted RX data " 980 "frame from " MACSTR " (drop_unencrypted=1)\n", 981 dev->name, MAC2STR(hdr->addr2)); 982 } 983 goto rx_dropped; 984 } 985 986 /* skb: hdr + (possible reassembled) full plaintext payload */ 987 988 payload = skb->data + hdrlen; 989 ethertype = (payload[6] << 8) | payload[7]; 990 991 /* If IEEE 802.1X is used, check whether the port is authorized to send 992 * the received frame. */ 993 if (local->ieee_802_1x && local->iw_mode == IW_MODE_MASTER) { 994 if (ethertype == ETH_P_PAE) { 995 PDEBUG(DEBUG_EXTRA2, "%s: RX: IEEE 802.1X frame\n", 996 dev->name); 997 if (local->hostapd && local->apdev) { 998 /* Send IEEE 802.1X frames to the user 999 * space daemon for processing */ 1000 prism2_rx_80211(local->apdev, skb, rx_stats, 1001 PRISM2_RX_MGMT); 1002 local->apdevstats.rx_packets++; 1003 local->apdevstats.rx_bytes += skb->len; 1004 goto rx_exit; 1005 } 1006 } else if (!frame_authorized) { 1007 printk(KERN_DEBUG "%s: dropped frame from " 1008 "unauthorized port (IEEE 802.1X): " 1009 "ethertype=0x%04x\n", 1010 dev->name, ethertype); 1011 goto rx_dropped; 1012 } 1013 } 1014 1015 /* convert hdr + possible LLC headers into Ethernet header */ 1016 if (skb->len - hdrlen >= 8 && 1017 ((memcmp(payload, rfc1042_header, 6) == 0 && 1018 ethertype != ETH_P_AARP && ethertype != ETH_P_IPX) || 1019 memcmp(payload, bridge_tunnel_header, 6) == 0)) { 1020 /* remove RFC1042 or Bridge-Tunnel encapsulation and 1021 * replace EtherType */ 1022 skb_pull(skb, hdrlen + 6); 1023 memcpy(skb_push(skb, ETH_ALEN), src, ETH_ALEN); 1024 memcpy(skb_push(skb, ETH_ALEN), dst, ETH_ALEN); 1025 } else { 1026 u16 len; 1027 /* Leave Ethernet header part of hdr and full payload */ 1028 skb_pull(skb, hdrlen); 1029 len = htons(skb->len); 1030 memcpy(skb_push(skb, 2), &len, 2); 1031 memcpy(skb_push(skb, ETH_ALEN), src, ETH_ALEN); 1032 memcpy(skb_push(skb, ETH_ALEN), dst, ETH_ALEN); 1033 } 1034 1035 if (wds && ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) == 1036 IEEE80211_FCTL_TODS) && 1037 skb->len >= ETH_HLEN + ETH_ALEN) { 1038 /* Non-standard frame: get addr4 from its bogus location after 1039 * the payload */ 1040 skb_copy_from_linear_data_offset(skb, skb->len - ETH_ALEN, 1041 skb->data + ETH_ALEN, 1042 ETH_ALEN); 1043 skb_trim(skb, skb->len - ETH_ALEN); 1044 } 1045 1046 stats->rx_packets++; 1047 stats->rx_bytes += skb->len; 1048 1049 if (local->iw_mode == IW_MODE_MASTER && !wds && 1050 local->ap->bridge_packets) { 1051 if (dst[0] & 0x01) { 1052 /* copy multicast frame both to the higher layers and 1053 * to the wireless media */ 1054 local->ap->bridged_multicast++; 1055 skb2 = skb_clone(skb, GFP_ATOMIC); 1056 if (skb2 == NULL) 1057 printk(KERN_DEBUG "%s: skb_clone failed for " 1058 "multicast frame\n", dev->name); 1059 } else if (hostap_is_sta_authorized(local->ap, dst)) { 1060 /* send frame directly to the associated STA using 1061 * wireless media and not passing to higher layers */ 1062 local->ap->bridged_unicast++; 1063 skb2 = skb; 1064 skb = NULL; 1065 } 1066 } 1067 1068 if (skb2 != NULL) { 1069 /* send to wireless media */ 1070 skb2->dev = dev; 1071 skb2->protocol = __constant_htons(ETH_P_802_3); 1072 skb_reset_mac_header(skb2); 1073 skb_reset_network_header(skb2); 1074 /* skb2->network_header += ETH_HLEN; */ 1075 dev_queue_xmit(skb2); 1076 } 1077 1078 if (skb) { 1079 skb->protocol = eth_type_trans(skb, dev); 1080 memset(skb->cb, 0, sizeof(skb->cb)); 1081 netif_rx(skb); 1082 } 1083 1084 rx_exit: 1085 if (sta) 1086 hostap_handle_sta_release(sta); 1087 return; 1088 1089 rx_dropped: 1090 dev_kfree_skb(skb); 1091 1092 stats->rx_dropped++; 1093 goto rx_exit; 1094} 1095 1096 1097EXPORT_SYMBOL(hostap_80211_rx); 1098