ieee80211_input.c revision 1.28
1 /* $NetBSD: ieee80211_input.c,v 1.28 2004/07/23 08:31:39 mycroft Exp $ */ 2 /*- 3 * Copyright (c) 2001 Atsushi Onoe 4 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. The name of the author may not be used to endorse or promote products 16 * derived from this software without specific prior written permission. 17 * 18 * Alternatively, this software may be distributed under the terms of the 19 * GNU General Public License ("GPL") version 2 as published by the Free 20 * Software Foundation. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 23 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 24 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 25 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 27 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 31 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 #ifdef __FreeBSD__ 36 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.20 2004/04/02 23:35:24 sam Exp $"); 37 #else 38 __KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.28 2004/07/23 08:31:39 mycroft Exp $"); 39 #endif 40 41 #include "opt_inet.h" 42 43 #ifdef __NetBSD__ 44 #include "bpfilter.h" 45 #endif /* __NetBSD__ */ 46 47 #include <sys/param.h> 48 #include <sys/systm.h> 49 #include <sys/mbuf.h> 50 #include <sys/malloc.h> 51 #include <sys/kernel.h> 52 #include <sys/socket.h> 53 #include <sys/sockio.h> 54 #include <sys/endian.h> 55 #include <sys/errno.h> 56 #ifdef __FreeBSD__ 57 #include <sys/bus.h> 58 #endif 59 #include <sys/proc.h> 60 #include <sys/sysctl.h> 61 62 #ifdef __FreeBSD__ 63 #include <machine/atomic.h> 64 #endif 65 66 #include <net/if.h> 67 #include <net/if_dl.h> 68 #include <net/if_media.h> 69 #include <net/if_arp.h> 70 #ifdef __FreeBSD__ 71 #include <net/ethernet.h> 72 #else 73 #include <net/if_ether.h> 74 #endif 75 #include <net/if_llc.h> 76 77 #include <net80211/ieee80211_var.h> 78 #include <net80211/ieee80211_compat.h> 79 80 #if NBPFILTER > 0 81 #include <net/bpf.h> 82 #endif 83 84 #ifdef INET 85 #include <netinet/in.h> 86 #ifdef __FreeBSD__ 87 #include <netinet/if_ether.h> 88 #else 89 #include <net/if_ether.h> 90 #endif 91 #endif 92 93 static void ieee80211_recv_pspoll(struct ieee80211com *, 94 struct mbuf *, int, u_int32_t); 95 96 #ifdef IEEE80211_DEBUG 97 /* 98 * Decide if a received management frame should be 99 * printed when debugging is enabled. This filters some 100 * of the less interesting frames that come frequently 101 * (e.g. beacons). 102 */ 103 static __inline int 104 doprint(struct ieee80211com *ic, int subtype) 105 { 106 switch (subtype) { 107 case IEEE80211_FC0_SUBTYPE_BEACON: 108 return (ic->ic_state == IEEE80211_S_SCAN); 109 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 110 return (ic->ic_opmode == IEEE80211_M_IBSS); 111 } 112 return 1; 113 } 114 #endif 115 116 /* 117 * Process a received frame. The node associated with the sender 118 * should be supplied. If nothing was found in the node table then 119 * the caller is assumed to supply a reference to ic_bss instead. 120 * The RSSI and a timestamp are also supplied. The RSSI data is used 121 * during AP scanning to select a AP to associate with; it can have 122 * any units so long as values have consistent units and higher values 123 * mean ``better signal''. The receive timestamp is currently not used 124 * by the 802.11 layer. 125 */ 126 void 127 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 128 int rssi, u_int32_t rstamp) 129 { 130 struct ieee80211com *ic = (void *)ifp; 131 struct ieee80211_frame *wh; 132 struct ether_header *eh; 133 struct mbuf *m1; 134 int len; 135 u_int8_t dir, type, subtype; 136 u_int8_t *bssid; 137 u_int16_t rxseq; 138 ALTQ_DECL(struct altq_pktattr pktattr;) 139 140 IASSERT(ni != NULL, ("null node")); 141 142 /* trim CRC here so WEP can find its own CRC at the end of packet. */ 143 if (m->m_flags & M_HASFCS) { 144 m_adj(m, -IEEE80211_CRC_LEN); 145 m->m_flags &= ~M_HASFCS; 146 } 147 148 /* 149 * In monitor mode, send everything directly to bpf. 150 * Also do not process frames w/o i_addr2 any further. 151 * XXX may want to include the CRC 152 */ 153 if (ic->ic_opmode == IEEE80211_M_MONITOR || 154 m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) 155 goto out; 156 157 wh = mtod(m, struct ieee80211_frame *); 158 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 159 IEEE80211_FC0_VERSION_0) { 160 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 161 ("receive packet with wrong version: %x\n", 162 wh->i_fc[0])); 163 ic->ic_stats.is_rx_badversion++; 164 goto err; 165 } 166 167 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 168 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 169 /* 170 * NB: We are not yet prepared to handle control frames, 171 * but permitting drivers to send them to us allows 172 * them to go through bpf tapping at the 802.11 layer. 173 */ 174 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 175 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 176 ("%s: frame too short, len %u\n", 177 __func__, m->m_pkthdr.len)); 178 ic->ic_stats.is_rx_tooshort++; 179 goto out; 180 } 181 if (ic->ic_state != IEEE80211_S_SCAN) { 182 switch (ic->ic_opmode) { 183 case IEEE80211_M_STA: 184 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 185 /* not interested in */ 186 IEEE80211_DPRINTF(ic, IEEE80211_MSG_INPUT, 187 ("%s: discard frame from " 188 "bss %s\n", __func__, 189 ether_sprintf(wh->i_addr2))); 190 ic->ic_stats.is_rx_wrongbss++; 191 goto out; 192 } 193 break; 194 case IEEE80211_M_IBSS: 195 case IEEE80211_M_AHDEMO: 196 case IEEE80211_M_HOSTAP: 197 if (dir == IEEE80211_FC1_DIR_NODS) 198 bssid = wh->i_addr3; 199 else 200 bssid = wh->i_addr1; 201 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) && 202 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr) && 203 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) == 204 IEEE80211_FC0_TYPE_DATA) { 205 /* not interested in */ 206 IEEE80211_DPRINTF(ic, IEEE80211_MSG_INPUT, 207 ("%s: discard data frame from bss %s\n", 208 __func__, ether_sprintf(bssid))); 209 ic->ic_stats.is_rx_wrongbss++; 210 goto out; 211 } 212 break; 213 case IEEE80211_M_MONITOR: 214 goto out; 215 default: 216 /* XXX catch bad values */ 217 break; 218 } 219 ni->ni_rssi = rssi; 220 ni->ni_rstamp = rstamp; 221 rxseq = ni->ni_rxseq; 222 ni->ni_rxseq = 223 le16toh(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 224 /* TODO: fragment */ 225 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 226 rxseq == ni->ni_rxseq) { 227 /* duplicate, silently discarded */ 228 ic->ic_stats.is_rx_dup++; /* XXX per-station stat */ 229 goto out; 230 } 231 ni->ni_inact = 0; 232 } 233 234 if (ic->ic_set_tim != NULL && 235 (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) 236 && ni->ni_pwrsave == 0) { 237 /* turn on power save mode */ 238 239 if (ifp->if_flags & IFF_DEBUG) 240 printf("%s: power save mode on for %s\n", 241 ifp->if_xname, ether_sprintf(wh->i_addr2)); 242 243 ni->ni_pwrsave = IEEE80211_PS_SLEEP; 244 } 245 if (ic->ic_set_tim != NULL && 246 (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) == 0 && 247 ni->ni_pwrsave != 0) { 248 /* turn off power save mode, dequeue stored packets */ 249 250 ni->ni_pwrsave = 0; 251 if (ic->ic_set_tim) 252 ic->ic_set_tim(ic, ni->ni_associd, 0); 253 254 if (ifp->if_flags & IFF_DEBUG) 255 printf("%s: power save mode off for %s\n", 256 ifp->if_xname, ether_sprintf(wh->i_addr2)); 257 258 while (!IF_IS_EMPTY(&ni->ni_savedq)) { 259 struct mbuf *m; 260 IF_DEQUEUE(&ni->ni_savedq, m); 261 IF_ENQUEUE(&ic->ic_pwrsaveq, m); 262 (*ifp->if_start)(ifp); 263 } 264 } 265 266 switch (type) { 267 case IEEE80211_FC0_TYPE_DATA: 268 switch (ic->ic_opmode) { 269 case IEEE80211_M_STA: 270 if (dir != IEEE80211_FC1_DIR_FROMDS) { 271 ic->ic_stats.is_rx_wrongdir++; 272 goto out; 273 } 274 if ((ifp->if_flags & IFF_SIMPLEX) && 275 IEEE80211_IS_MULTICAST(wh->i_addr1) && 276 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 277 /* 278 * In IEEE802.11 network, multicast packet 279 * sent from me is broadcasted from AP. 280 * It should be silently discarded for 281 * SIMPLEX interface. 282 */ 283 ic->ic_stats.is_rx_mcastecho++; 284 goto out; 285 } 286 break; 287 case IEEE80211_M_IBSS: 288 case IEEE80211_M_AHDEMO: 289 if (dir != IEEE80211_FC1_DIR_NODS) { 290 ic->ic_stats.is_rx_wrongdir++; 291 goto out; 292 } 293 break; 294 case IEEE80211_M_HOSTAP: 295 if (dir != IEEE80211_FC1_DIR_TODS) { 296 ic->ic_stats.is_rx_wrongdir++; 297 goto out; 298 } 299 /* check if source STA is associated */ 300 if (ni == ic->ic_bss) { 301 IEEE80211_DPRINTF(ic, IEEE80211_MSG_INPUT, 302 ("%s: data from unknown src %s\n", 303 __func__, ether_sprintf(wh->i_addr2))); 304 /* NB: caller deals with reference */ 305 ni = ieee80211_dup_bss(ic, wh->i_addr2); 306 if (ni != NULL) { 307 IEEE80211_SEND_MGMT(ic, ni, 308 IEEE80211_FC0_SUBTYPE_DEAUTH, 309 IEEE80211_REASON_NOT_AUTHED); 310 ieee80211_free_node(ic, ni); 311 } 312 ic->ic_stats.is_rx_notassoc++; 313 goto err; 314 } 315 if (ni->ni_associd == 0) { 316 IEEE80211_DPRINTF(ic, IEEE80211_MSG_INPUT, 317 ("%s: data from unassoc src %s\n", 318 __func__, ether_sprintf(wh->i_addr2))); 319 IEEE80211_SEND_MGMT(ic, ni, 320 IEEE80211_FC0_SUBTYPE_DISASSOC, 321 IEEE80211_REASON_NOT_ASSOCED); 322 ieee80211_unref_node(&ni); 323 ic->ic_stats.is_rx_notassoc++; 324 goto err; 325 } 326 break; 327 case IEEE80211_M_MONITOR: 328 break; 329 } 330 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 331 if (ic->ic_flags & IEEE80211_F_PRIVACY) { 332 m = ieee80211_wep_crypt(ifp, m, 0); 333 if (m == NULL) { 334 ic->ic_stats.is_rx_wepfail++; 335 goto err; 336 } 337 wh = mtod(m, struct ieee80211_frame *); 338 } else { 339 ic->ic_stats.is_rx_nowep++; 340 goto out; 341 } 342 } 343 #if NBPFILTER > 0 344 /* copy to listener after decrypt */ 345 if (ic->ic_rawbpf) 346 bpf_mtap(ic->ic_rawbpf, m); 347 #endif 348 m = ieee80211_decap(ifp, m); 349 if (m == NULL) { 350 IEEE80211_DPRINTF(ic, IEEE80211_MSG_INPUT, 351 ("%s: decapsulation error for src %s\n", 352 __func__, ether_sprintf(wh->i_addr2))); 353 ic->ic_stats.is_rx_decap++; 354 goto err; 355 } 356 ifp->if_ipackets++; 357 358 /* perform as a bridge within the AP */ 359 m1 = NULL; 360 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 361 eh = mtod(m, struct ether_header *); 362 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 363 m1 = m_copypacket(m, M_DONTWAIT); 364 if (m1 == NULL) 365 ifp->if_oerrors++; 366 else 367 m1->m_flags |= M_MCAST; 368 } else { 369 ni = ieee80211_find_node(ic, eh->ether_dhost); 370 if (ni != NULL) { 371 if (ni->ni_associd != 0) { 372 m1 = m; 373 m = NULL; 374 } 375 ieee80211_free_node(ic, ni); 376 } 377 } 378 if (m1 != NULL) { 379 #ifdef ALTQ 380 if (ALTQ_IS_ENABLED(&ifp->if_snd)) 381 altq_etherclassify(&ifp->if_snd, m1, 382 &pktattr); 383 #endif 384 len = m1->m_pkthdr.len; 385 IF_ENQUEUE(&ifp->if_snd, m1); 386 if (m != NULL) 387 ifp->if_omcasts++; 388 ifp->if_obytes += len; 389 } 390 } 391 if (m != NULL) { 392 #if NBPFILTER > 0 393 /* 394 * If we forward packet into transmitter of the AP, 395 * we don't need to duplicate for DLT_EN10MB. 396 */ 397 if (ifp->if_bpf && m1 == NULL) 398 bpf_mtap(ifp->if_bpf, m); 399 #endif 400 (*ifp->if_input)(ifp, m); 401 } 402 return; 403 404 case IEEE80211_FC0_TYPE_MGT: 405 if (dir != IEEE80211_FC1_DIR_NODS) { 406 ic->ic_stats.is_rx_wrongdir++; 407 goto err; 408 } 409 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 410 ic->ic_stats.is_rx_ahdemo_mgt++; 411 goto out; 412 } 413 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 414 415 /* drop frames without interest */ 416 if (ic->ic_state == IEEE80211_S_SCAN) { 417 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 418 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 419 ic->ic_stats.is_rx_mgtdiscard++; 420 goto out; 421 } 422 } else { 423 if (ic->ic_opmode != IEEE80211_M_IBSS && 424 subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 425 ic->ic_stats.is_rx_mgtdiscard++; 426 goto out; 427 } 428 } 429 430 #ifdef IEEE80211_DEBUG 431 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) || 432 ieee80211_msg_dumppkts(ic)) { 433 if_printf(ifp, "received %s from %s rssi %d\n", 434 ieee80211_mgt_subtype_name[subtype 435 >> IEEE80211_FC0_SUBTYPE_SHIFT], 436 ether_sprintf(wh->i_addr2), rssi); 437 } 438 #endif 439 #if NBPFILTER > 0 440 if (ic->ic_rawbpf) 441 bpf_mtap(ic->ic_rawbpf, m); 442 #endif 443 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp); 444 m_freem(m); 445 return; 446 447 case IEEE80211_FC0_TYPE_CTL: 448 ic->ic_stats.is_rx_ctl++; 449 if (ic->ic_opmode != IEEE80211_M_HOSTAP) 450 goto out; 451 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 452 if (subtype == IEEE80211_FC0_SUBTYPE_PS_POLL) { 453 /* XXX statistic */ 454 /* Dump out a single packet from the host */ 455 if (ifp->if_flags & IFF_DEBUG) 456 printf("%s: got power save probe from %s\n", 457 ifp->if_xname, 458 ether_sprintf(wh->i_addr2)); 459 ieee80211_recv_pspoll(ic, m, rssi, rstamp); 460 } 461 goto out; 462 default: 463 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 464 ("%s: bad frame type %x\n", __func__, type)); 465 /* should not come here */ 466 break; 467 } 468 err: 469 ifp->if_ierrors++; 470 out: 471 if (m != NULL) { 472 #if NBPFILTER > 0 473 if (ic->ic_rawbpf) 474 bpf_mtap(ic->ic_rawbpf, m); 475 #endif 476 m_freem(m); 477 } 478 } 479 480 struct mbuf * 481 ieee80211_decap(struct ifnet *ifp, struct mbuf *m) 482 { 483 struct ether_header *eh; 484 struct ieee80211_frame wh; 485 struct llc *llc; 486 487 if (m->m_len < sizeof(wh) + sizeof(*llc)) { 488 m = m_pullup(m, sizeof(wh) + sizeof(*llc)); 489 if (m == NULL) 490 return NULL; 491 } 492 memcpy(&wh, mtod(m, caddr_t), sizeof(wh)); 493 llc = (struct llc *)(mtod(m, caddr_t) + sizeof(wh)); 494 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP && 495 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 && 496 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) { 497 m_adj(m, sizeof(wh) + sizeof(struct llc) - sizeof(*eh)); 498 llc = NULL; 499 } else { 500 m_adj(m, sizeof(wh) - sizeof(*eh)); 501 } 502 eh = mtod(m, struct ether_header *); 503 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) { 504 case IEEE80211_FC1_DIR_NODS: 505 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 506 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 507 break; 508 case IEEE80211_FC1_DIR_TODS: 509 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 510 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 511 break; 512 case IEEE80211_FC1_DIR_FROMDS: 513 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 514 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3); 515 break; 516 case IEEE80211_FC1_DIR_DSTODS: 517 /* not yet supported */ 518 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 519 ("%s: discard DS to DS frame\n", __func__)); 520 m_freem(m); 521 return NULL; 522 } 523 #ifdef ALIGNED_POINTER 524 if (!ALIGNED_POINTER(mtod(m, caddr_t) + sizeof(*eh), u_int32_t)) { 525 struct mbuf *n, *n0, **np; 526 caddr_t newdata; 527 int off, pktlen; 528 529 n0 = NULL; 530 np = &n0; 531 off = 0; 532 pktlen = m->m_pkthdr.len; 533 while (pktlen > off) { 534 if (n0 == NULL) { 535 MGETHDR(n, M_DONTWAIT, MT_DATA); 536 if (n == NULL) { 537 m_freem(m); 538 return NULL; 539 } 540 #ifdef __FreeBSD__ 541 M_MOVE_PKTHDR(n, m); 542 #else 543 M_COPY_PKTHDR(n, m); 544 #endif 545 n->m_len = MHLEN; 546 } else { 547 MGET(n, M_DONTWAIT, MT_DATA); 548 if (n == NULL) { 549 m_freem(m); 550 m_freem(n0); 551 return NULL; 552 } 553 n->m_len = MLEN; 554 } 555 if (pktlen - off >= MINCLSIZE) { 556 MCLGET(n, M_DONTWAIT); 557 if (n->m_flags & M_EXT) 558 n->m_len = n->m_ext.ext_size; 559 } 560 if (n0 == NULL) { 561 newdata = 562 (caddr_t)ALIGN(n->m_data + sizeof(*eh)) - 563 sizeof(*eh); 564 n->m_len -= newdata - n->m_data; 565 n->m_data = newdata; 566 } 567 if (n->m_len > pktlen - off) 568 n->m_len = pktlen - off; 569 m_copydata(m, off, n->m_len, mtod(n, caddr_t)); 570 off += n->m_len; 571 *np = n; 572 np = &n->m_next; 573 } 574 m_freem(m); 575 m = n0; 576 } 577 #endif /* ALIGNED_POINTER */ 578 if (llc != NULL) { 579 eh = mtod(m, struct ether_header *); 580 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh)); 581 } 582 return m; 583 } 584 585 /* 586 * Install received rate set information in the node's state block. 587 */ 588 static int 589 ieee80211_setup_rates(struct ieee80211com *ic, struct ieee80211_node *ni, 590 u_int8_t *rates, u_int8_t *xrates, int flags) 591 { 592 struct ieee80211_rateset *rs = &ni->ni_rates; 593 594 memset(rs, 0, sizeof(*rs)); 595 rs->rs_nrates = rates[1]; 596 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 597 if (xrates != NULL) { 598 u_int8_t nxrates; 599 /* 600 * Tack on 11g extended supported rate element. 601 */ 602 nxrates = xrates[1]; 603 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) { 604 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 605 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 606 ("%s: extended rate set too large;" 607 " only using %u of %u rates\n", 608 __func__, nxrates, xrates[1])); 609 ic->ic_stats.is_rx_rstoobig++; 610 } 611 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 612 rs->rs_nrates += nxrates; 613 } 614 return ieee80211_fix_rate(ic, ni, flags); 615 } 616 617 /* Verify the existence and length of __elem or get out. */ 618 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \ 619 if ((__elem) == NULL) { \ 620 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, \ 621 ("%s: no " #__elem "in %s frame\n", \ 622 __func__, ieee80211_mgt_subtype_name[subtype >> \ 623 IEEE80211_FC0_SUBTYPE_SHIFT])); \ 624 ic->ic_stats.is_rx_elem_missing++; \ 625 return; \ 626 } \ 627 if ((__elem)[1] > (__maxlen)) { \ 628 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, \ 629 ("%s: bad " #__elem " len %d in %s frame from %s\n",\ 630 __func__, (__elem)[1], \ 631 ieee80211_mgt_subtype_name[subtype >> \ 632 IEEE80211_FC0_SUBTYPE_SHIFT], \ 633 ether_sprintf(wh->i_addr2))); \ 634 ic->ic_stats.is_rx_elem_toobig++; \ 635 return; \ 636 } \ 637 } while (0) 638 639 #define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \ 640 if ((_len) < (_minlen)) { \ 641 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, \ 642 ("%s: %s frame too short from %s\n", \ 643 __func__, \ 644 ieee80211_mgt_subtype_name[subtype >> \ 645 IEEE80211_FC0_SUBTYPE_SHIFT], \ 646 ether_sprintf(wh->i_addr2))); \ 647 ic->ic_stats.is_rx_elem_toosmall++; \ 648 return; \ 649 } \ 650 } while (0) 651 652 #ifdef IEEE80211_DEBUG 653 static void 654 ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag, 655 u_int8_t mac[IEEE80211_ADDR_LEN], u_int8_t *ssid) 656 { 657 printf("[%s] %s req ssid mismatch: ", ether_sprintf(mac), tag); 658 ieee80211_print_essid(ssid + 2, ssid[1]); 659 printf("\n"); 660 } 661 662 #define IEEE80211_VERIFY_SSID(_ni, _ssid, _packet_type) do { \ 663 if ((_ssid)[1] != 0 && \ 664 ((_ssid)[1] != (_ni)->ni_esslen || \ 665 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 666 if (ieee80211_msg_input(ic)) \ 667 ieee80211_ssid_mismatch(ic, _packet_type, \ 668 wh->i_addr2, _ssid); \ 669 ic->ic_stats.is_rx_ssidmismatch++; \ 670 return; \ 671 } \ 672 } while (0) 673 #else /* !IEEE80211_DEBUG */ 674 #define IEEE80211_VERIFY_SSID(_ni, _ssid, _packet_type) do { \ 675 if ((_ssid)[1] != 0 && \ 676 ((_ssid)[1] != (_ni)->ni_esslen || \ 677 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 678 ic->ic_stats.is_rx_ssidmismatch++; \ 679 return; \ 680 } \ 681 } while (0) 682 #endif /* !IEEE80211_DEBUG */ 683 684 static void 685 ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh, 686 struct ieee80211_node *ni, int rssi, u_int32_t rstamp, u_int16_t seq, 687 u_int16_t status) 688 { 689 int allocbs; 690 switch (ic->ic_opmode) { 691 case IEEE80211_M_IBSS: 692 if (ic->ic_state != IEEE80211_S_RUN || 693 seq != IEEE80211_AUTH_OPEN_REQUEST) { 694 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 695 ("%s: discard auth from %s; state %u, seq %u\n", 696 __func__, ether_sprintf(wh->i_addr2), 697 ic->ic_state, seq)); 698 ic->ic_stats.is_rx_bad_auth++; 699 return; 700 } 701 ieee80211_new_state(ic, IEEE80211_S_AUTH, 702 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 703 break; 704 705 case IEEE80211_M_AHDEMO: 706 /* should not come here */ 707 break; 708 709 case IEEE80211_M_HOSTAP: 710 if (ic->ic_state != IEEE80211_S_RUN || 711 seq != IEEE80211_AUTH_OPEN_REQUEST) { 712 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 713 ("%s: discard auth from %s; state %u, seq %u\n", 714 __func__, ether_sprintf(wh->i_addr2), 715 ic->ic_state, seq)); 716 ic->ic_stats.is_rx_bad_auth++; 717 return; 718 } 719 if (ni == ic->ic_bss) { 720 ni = ieee80211_alloc_node(ic, wh->i_addr2); 721 if (ni == NULL) { 722 ic->ic_stats.is_rx_nodealloc++; 723 return; 724 } 725 IEEE80211_ADDR_COPY(ni->ni_bssid, ic->ic_bss->ni_bssid); 726 ni->ni_rssi = rssi; 727 ni->ni_rstamp = rstamp; 728 ni->ni_chan = ic->ic_bss->ni_chan; 729 allocbs = 1; 730 } else 731 allocbs = 0; 732 IEEE80211_SEND_MGMT(ic, ni, 733 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 734 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 735 ("station %s %s authenticated (open)\n", 736 ether_sprintf(ni->ni_macaddr), 737 (allocbs ? "newly" : "already"))); 738 break; 739 740 case IEEE80211_M_STA: 741 if (ic->ic_state != IEEE80211_S_AUTH || 742 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 743 ic->ic_stats.is_rx_bad_auth++; 744 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 745 ("%s: discard auth from %s; state %u, seq %u\n", 746 __func__, ether_sprintf(wh->i_addr2), 747 ic->ic_state, seq)); 748 return; 749 } 750 if (status != 0) { 751 IEEE80211_DPRINTF(ic, 752 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 753 ("open authentication failed (reason %d) for %s\n", 754 status, 755 ether_sprintf(wh->i_addr3))); 756 if (ni != ic->ic_bss) 757 ni->ni_fails++; 758 ic->ic_stats.is_rx_auth_fail++; 759 return; 760 } 761 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 762 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 763 break; 764 case IEEE80211_M_MONITOR: 765 break; 766 } 767 } 768 769 /* TBD send appropriate responses on error? */ 770 static void 771 ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh, 772 u_int8_t *frm, u_int8_t *efrm, struct ieee80211_node *ni, int rssi, 773 u_int32_t rstamp, u_int16_t seq, u_int16_t status) 774 { 775 u_int8_t *challenge = NULL; 776 int allocbs, i; 777 778 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 779 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 780 ("%s: WEP is off\n", __func__)); 781 return; 782 } 783 784 if (frm + 1 < efrm) { 785 if (frm[1] + 2 > efrm - frm) { 786 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 787 ("%s: elt %d %d bytes too long\n", __func__, 788 frm[0], (frm[1] + 2) - (int)(efrm - frm))); 789 ic->ic_stats.is_rx_bad_auth++; 790 return; 791 } 792 if (*frm == IEEE80211_ELEMID_CHALLENGE) 793 challenge = frm; 794 frm += frm[1] + 2; 795 } 796 switch (seq) { 797 case IEEE80211_AUTH_SHARED_CHALLENGE: 798 case IEEE80211_AUTH_SHARED_RESPONSE: 799 if (challenge == NULL) { 800 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 801 ("%s: no challenge sent\n", __func__)); 802 ic->ic_stats.is_rx_bad_auth++; 803 return; 804 } 805 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 806 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 807 ("%s: bad challenge len %d\n", 808 __func__, challenge[1])); 809 ic->ic_stats.is_rx_bad_auth++; 810 return; 811 } 812 default: 813 break; 814 } 815 switch (ic->ic_opmode) { 816 case IEEE80211_M_MONITOR: 817 case IEEE80211_M_AHDEMO: 818 case IEEE80211_M_IBSS: 819 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 820 ("%s: unexpected operating mode\n", __func__)); 821 return; 822 case IEEE80211_M_HOSTAP: 823 if (ic->ic_state != IEEE80211_S_RUN) { 824 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 825 ("%s: not running\n", __func__)); 826 return; 827 } 828 switch (seq) { 829 case IEEE80211_AUTH_SHARED_REQUEST: 830 if (ni == ic->ic_bss) { 831 ni = ieee80211_alloc_node(ic, wh->i_addr2); 832 if (ni == NULL) { 833 ic->ic_stats.is_rx_nodealloc++; 834 return; 835 } 836 IEEE80211_ADDR_COPY(ni->ni_bssid, 837 ic->ic_bss->ni_bssid); 838 ni->ni_rssi = rssi; 839 ni->ni_rstamp = rstamp; 840 ni->ni_chan = ic->ic_bss->ni_chan; 841 allocbs = 1; 842 } else 843 allocbs = 0; 844 if (ni->ni_challenge == NULL) 845 ni->ni_challenge = (u_int32_t*)malloc( 846 IEEE80211_CHALLENGE_LEN, M_DEVBUF, 847 M_NOWAIT); 848 if (ni->ni_challenge == NULL) { 849 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 850 ("%s: challenge alloc failed\n", 851 __func__)); 852 /* XXX statistic */ 853 return; 854 } 855 for (i = IEEE80211_CHALLENGE_LEN / sizeof(u_int32_t); 856 --i >= 0; ) 857 ni->ni_challenge[i] = arc4random(); 858 IEEE80211_DPRINTF(ic, 859 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 860 ("shared key %sauth request from station %s\n", 861 (allocbs ? "" : "re"), 862 ether_sprintf(ni->ni_macaddr))); 863 break; 864 case IEEE80211_AUTH_SHARED_RESPONSE: 865 if (ni == ic->ic_bss) { 866 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 867 ("%s: unknown STA\n", __func__)); 868 return; 869 } 870 if (ni->ni_challenge == NULL) { 871 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 872 ("%s: no challenge recorded\n", 873 __func__)); 874 ic->ic_stats.is_rx_bad_auth++; 875 return; 876 } 877 if (memcmp(ni->ni_challenge, &challenge[2], 878 challenge[1]) != 0) { 879 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 880 ("%s: challenge mismatch\n", __func__)); 881 ic->ic_stats.is_rx_auth_fail++; 882 return; 883 } 884 IEEE80211_DPRINTF(ic, 885 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 886 ("station %s authenticated (shared key)\n", 887 ether_sprintf(ni->ni_macaddr))); 888 break; 889 default: 890 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 891 ("%s: bad shared key auth seq %d from %s\n", 892 __func__, seq, ether_sprintf(wh->i_addr2))); 893 ic->ic_stats.is_rx_bad_auth++; 894 return; 895 } 896 IEEE80211_SEND_MGMT(ic, ni, 897 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 898 break; 899 900 case IEEE80211_M_STA: 901 if (ic->ic_state != IEEE80211_S_AUTH) 902 return; 903 switch (seq) { 904 case IEEE80211_AUTH_SHARED_PASS: 905 if (ni->ni_challenge != NULL) { 906 FREE(ni->ni_challenge, M_DEVBUF); 907 ni->ni_challenge = NULL; 908 } 909 if (status != 0) { 910 IEEE80211_DPRINTF(ic, 911 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 912 ("%s: auth failed (reason %d) for %s\n", 913 __func__, status, 914 ether_sprintf(wh->i_addr3))); 915 if (ni != ic->ic_bss) 916 ni->ni_fails++; 917 ic->ic_stats.is_rx_auth_fail++; 918 return; 919 } 920 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 921 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 922 break; 923 case IEEE80211_AUTH_SHARED_CHALLENGE: 924 if (ni->ni_challenge == NULL) 925 ni->ni_challenge = (u_int32_t*)malloc( 926 challenge[1], M_DEVBUF, M_NOWAIT); 927 if (ni->ni_challenge == NULL) { 928 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 929 ("%s: challenge alloc failed\n", __func__)); 930 /* XXX statistic */ 931 return; 932 } 933 memcpy(ni->ni_challenge, &challenge[2], challenge[1]); 934 IEEE80211_SEND_MGMT(ic, ni, 935 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 936 break; 937 default: 938 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 939 ("%s: bad seq %d from %s\n", __func__, seq, 940 ether_sprintf(wh->i_addr2))); 941 ic->ic_stats.is_rx_bad_auth++; 942 return; 943 } 944 break; 945 } 946 } 947 948 void 949 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0, 950 struct ieee80211_node *ni, 951 int subtype, int rssi, u_int32_t rstamp) 952 { 953 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP) 954 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP) 955 struct ieee80211_frame *wh; 956 u_int8_t *frm, *efrm; 957 u_int8_t *ssid, *rates, *xrates; 958 int reassoc, resp, newassoc, allocbs; 959 960 wh = mtod(m0, struct ieee80211_frame *); 961 frm = (u_int8_t *)&wh[1]; 962 efrm = mtod(m0, u_int8_t *) + m0->m_len; 963 switch (subtype) { 964 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 965 case IEEE80211_FC0_SUBTYPE_BEACON: { 966 u_int8_t *tstamp, *bintval, *capinfo, *country; 967 u_int8_t chan, bchan, fhindex, erp; 968 u_int16_t fhdwell; 969 970 if (ic->ic_opmode != IEEE80211_M_IBSS && 971 ic->ic_state != IEEE80211_S_SCAN) { 972 /* XXX: may be useful for background scan */ 973 return; 974 } 975 976 /* 977 * beacon/probe response frame format 978 * [8] time stamp 979 * [2] beacon interval 980 * [2] capability information 981 * [tlv] ssid 982 * [tlv] supported rates 983 * [tlv] country information 984 * [tlv] parameter set (FH/DS) 985 * [tlv] erp information 986 * [tlv] extended supported rates 987 */ 988 IEEE80211_VERIFY_LENGTH(efrm - frm, 12); 989 tstamp = frm; frm += 8; 990 bintval = frm; frm += 2; 991 capinfo = frm; frm += 2; 992 ssid = rates = xrates = country = NULL; 993 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 994 chan = bchan; 995 fhdwell = 0; 996 fhindex = 0; 997 erp = 0; 998 while (frm < efrm) { 999 switch (*frm) { 1000 case IEEE80211_ELEMID_SSID: 1001 ssid = frm; 1002 break; 1003 case IEEE80211_ELEMID_RATES: 1004 rates = frm; 1005 break; 1006 case IEEE80211_ELEMID_COUNTRY: 1007 country = frm; 1008 break; 1009 case IEEE80211_ELEMID_FHPARMS: 1010 if (ic->ic_phytype == IEEE80211_T_FH) { 1011 fhdwell = (frm[3] << 8) | frm[2]; 1012 chan = IEEE80211_FH_CHAN(frm[4], frm[5]); 1013 fhindex = frm[6]; 1014 } 1015 break; 1016 case IEEE80211_ELEMID_DSPARMS: 1017 /* 1018 * XXX hack this since depending on phytype 1019 * is problematic for multi-mode devices. 1020 */ 1021 if (ic->ic_phytype != IEEE80211_T_FH) 1022 chan = frm[2]; 1023 break; 1024 case IEEE80211_ELEMID_TIM: 1025 break; 1026 case IEEE80211_ELEMID_IBSSPARMS: 1027 break; 1028 case IEEE80211_ELEMID_XRATES: 1029 xrates = frm; 1030 break; 1031 case IEEE80211_ELEMID_ERP: 1032 if (frm[1] != 1) { 1033 IEEE80211_DPRINTF(ic, 1034 IEEE80211_MSG_ELEMID, 1035 ("%s: invalid ERP element; " 1036 "length %u, expecting 1\n", 1037 __func__, frm[1])); 1038 ic->ic_stats.is_rx_elem_toobig++; 1039 break; 1040 } 1041 erp = frm[2]; 1042 break; 1043 default: 1044 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, 1045 ("%s: element id %u/len %u ignored\n", 1046 __func__, *frm, frm[1])); 1047 ic->ic_stats.is_rx_elem_unknown++; 1048 break; 1049 } 1050 frm += frm[1] + 2; 1051 } 1052 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 1053 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 1054 if ( 1055 #if IEEE80211_CHAN_MAX < 255 1056 chan > IEEE80211_CHAN_MAX || 1057 #endif 1058 isclr(ic->ic_chan_active, chan)) { 1059 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, 1060 ("%s: ignore %s with invalid channel %u\n", 1061 __func__, 1062 ISPROBE(subtype) ? "probe response" : "beacon", 1063 chan)); 1064 ic->ic_stats.is_rx_badchan++; 1065 return; 1066 } 1067 if (chan != bchan && ic->ic_phytype != IEEE80211_T_FH) { 1068 /* 1069 * Frame was received on a channel different from the 1070 * one indicated in the DS params element id; 1071 * silently discard it. 1072 * 1073 * NB: this can happen due to signal leakage. 1074 * But we should take it for FH phy because 1075 * the rssi value should be correct even for 1076 * different hop pattern in FH. 1077 */ 1078 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, 1079 ("%s: ignore %s on channel %u marked " 1080 "for channel %u\n", __func__, 1081 ISPROBE(subtype) ? "probe response" : "beacon", 1082 bchan, chan)); 1083 ic->ic_stats.is_rx_chanmismatch++; 1084 return; 1085 } 1086 1087 /* 1088 * Use mac and channel for lookup so we collect all 1089 * potential AP's when scanning. Otherwise we may 1090 * see the same AP on multiple channels and will only 1091 * record the last one. We could filter APs here based 1092 * on rssi, etc. but leave that to the end of the scan 1093 * so we can keep the selection criteria in one spot. 1094 * This may result in a bloat of the scanned AP list but 1095 * it shouldn't be too much. 1096 */ 1097 ni = ieee80211_lookup_node(ic, wh->i_addr2, 1098 &ic->ic_channels[chan]); 1099 #ifdef IEEE80211_DEBUG 1100 if (ieee80211_debug && 1101 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN)) { 1102 printf("%s: %s%s on chan %u (bss chan %u) ", 1103 __func__, (ni == NULL ? "new " : ""), 1104 ISPROBE(subtype) ? "probe response" : "beacon", 1105 chan, bchan); 1106 ieee80211_print_essid(ssid + 2, ssid[1]); 1107 printf(" from %s\n", ether_sprintf(wh->i_addr2)); 1108 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1109 __func__, le16toh(*(u_int16_t *)capinfo), 1110 le16toh(*(u_int16_t *)bintval), erp); 1111 if (country) { 1112 int i; 1113 printf("%s: country info", __func__); 1114 for (i = 0; i < country[1]; i++) 1115 printf(" %02x", country[i+2]); 1116 printf("\n"); 1117 } 1118 } 1119 #endif 1120 if (ni == NULL) { 1121 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1122 if (ni == NULL) 1123 return; 1124 ni->ni_esslen = ssid[1]; 1125 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1126 memcpy(ni->ni_essid, ssid + 2, ssid[1]); 1127 allocbs = 1; 1128 } else if (ssid[1] != 0 && 1129 (ISPROBE(subtype) || ni->ni_esslen == 0)) { 1130 /* 1131 * Update ESSID at probe response to adopt hidden AP by 1132 * Lucent/Cisco, which announces null ESSID in beacon. 1133 */ 1134 ni->ni_esslen = ssid[1]; 1135 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1136 memcpy(ni->ni_essid, ssid + 2, ssid[1]); 1137 allocbs = 0; 1138 } else 1139 allocbs = 0; 1140 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1141 ni->ni_rssi = rssi; 1142 ni->ni_rstamp = rstamp; 1143 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 1144 ni->ni_intval = le16toh(*(u_int16_t *)bintval); 1145 ni->ni_capinfo = le16toh(*(u_int16_t *)capinfo); 1146 /* XXX validate channel # */ 1147 ni->ni_chan = &ic->ic_channels[chan]; 1148 ni->ni_fhdwell = fhdwell; 1149 ni->ni_fhindex = fhindex; 1150 ni->ni_erp = erp; 1151 /* NB: must be after ni_chan is setup */ 1152 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 1153 /* 1154 * When scanning we record results (nodes) with a zero 1155 * refcnt. Otherwise we want to hold the reference for 1156 * ibss neighbors so the nodes don't get released prematurely. 1157 * Anything else can be discarded (XXX and should be handled 1158 * above so we don't do so much work). 1159 */ 1160 if (ic->ic_state == IEEE80211_S_SCAN) 1161 ieee80211_unref_node(&ni); /* NB: do not free */ 1162 else if (ic->ic_opmode == IEEE80211_M_IBSS && 1163 allocbs && ISPROBE(subtype)) { 1164 /* 1165 * Fake an association so the driver can setup it's 1166 * private state. The rate set has been setup above; 1167 * there is no handshake as in ap/station operation. 1168 */ 1169 if (ic->ic_newassoc) 1170 (*ic->ic_newassoc)(ic, ni, 1); 1171 /* NB: hold reference */ 1172 } else { 1173 /* XXX optimize to avoid work done above */ 1174 ieee80211_free_node(ic, ni); 1175 } 1176 break; 1177 } 1178 1179 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: { 1180 u_int8_t rate; 1181 1182 if (ic->ic_opmode == IEEE80211_M_STA) 1183 return; 1184 if (ic->ic_state != IEEE80211_S_RUN) 1185 return; 1186 1187 /* 1188 * prreq frame format 1189 * [tlv] ssid 1190 * [tlv] supported rates 1191 * [tlv] extended supported rates 1192 */ 1193 ssid = rates = xrates = NULL; 1194 while (frm < efrm) { 1195 switch (*frm) { 1196 case IEEE80211_ELEMID_SSID: 1197 ssid = frm; 1198 break; 1199 case IEEE80211_ELEMID_RATES: 1200 rates = frm; 1201 break; 1202 case IEEE80211_ELEMID_XRATES: 1203 xrates = frm; 1204 break; 1205 } 1206 frm += frm[1] + 2; 1207 } 1208 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 1209 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 1210 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid, "probe"); 1211 1212 if (ni == ic->ic_bss) { 1213 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1214 if (ni == NULL) 1215 return; 1216 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1217 ("%s: new probe req from %s\n", 1218 __func__, ether_sprintf(wh->i_addr2))); 1219 allocbs = 1; 1220 } else 1221 allocbs = 0; 1222 ni->ni_rssi = rssi; 1223 ni->ni_rstamp = rstamp; 1224 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1225 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE 1226 | IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 1227 if (rate & IEEE80211_RATE_BASIC) { 1228 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 1229 ("%s: rate negotiation failed: %s\n", 1230 __func__,ether_sprintf(wh->i_addr2))); 1231 } else { 1232 IEEE80211_SEND_MGMT(ic, ni, 1233 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 1234 } 1235 if (allocbs) 1236 ieee80211_free_node(ic, ni); 1237 break; 1238 } 1239 1240 case IEEE80211_FC0_SUBTYPE_AUTH: { 1241 u_int16_t algo, seq, status; 1242 /* 1243 * auth frame format 1244 * [2] algorithm 1245 * [2] sequence 1246 * [2] status 1247 * [tlv*] challenge 1248 */ 1249 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 1250 algo = le16toh(*(u_int16_t *)frm); 1251 seq = le16toh(*(u_int16_t *)(frm + 2)); 1252 status = le16toh(*(u_int16_t *)(frm + 4)); 1253 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 1254 ("%s: algorithm %d seq %d from %s\n", 1255 __func__, algo, seq, ether_sprintf(wh->i_addr2))); 1256 1257 if (algo == IEEE80211_AUTH_ALG_SHARED) 1258 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi, 1259 rstamp, seq, status); 1260 else if (algo == IEEE80211_AUTH_ALG_OPEN) 1261 ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq, 1262 status); 1263 else { 1264 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1265 ("%s: unsupported auth algorithm %d from %s\n", 1266 __func__, algo, ether_sprintf(wh->i_addr2))); 1267 ic->ic_stats.is_rx_auth_unsupported++; 1268 return; 1269 } 1270 break; 1271 } 1272 1273 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1274 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 1275 u_int16_t capinfo, bintval; 1276 1277 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 1278 (ic->ic_state != IEEE80211_S_RUN)) 1279 return; 1280 1281 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 1282 reassoc = 1; 1283 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1284 } else { 1285 reassoc = 0; 1286 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1287 } 1288 /* 1289 * asreq frame format 1290 * [2] capability information 1291 * [2] listen interval 1292 * [6*] current AP address (reassoc only) 1293 * [tlv] ssid 1294 * [tlv] supported rates 1295 * [tlv] extended supported rates 1296 */ 1297 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4)); 1298 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 1299 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1300 ("%s: ignore assoc request with bss %s not " 1301 "our own\n", 1302 __func__, ether_sprintf(wh->i_addr2))); 1303 ic->ic_stats.is_rx_assoc_bss++; 1304 return; 1305 } 1306 capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 1307 bintval = le16toh(*(u_int16_t *)frm); frm += 2; 1308 if (reassoc) 1309 frm += 6; /* ignore current AP info */ 1310 ssid = rates = xrates = NULL; 1311 while (frm < efrm) { 1312 switch (*frm) { 1313 case IEEE80211_ELEMID_SSID: 1314 ssid = frm; 1315 break; 1316 case IEEE80211_ELEMID_RATES: 1317 rates = frm; 1318 break; 1319 case IEEE80211_ELEMID_XRATES: 1320 xrates = frm; 1321 break; 1322 } 1323 frm += frm[1] + 2; 1324 } 1325 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 1326 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 1327 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid, 1328 reassoc ? "reassoc" : "assoc"); 1329 1330 if (ni == ic->ic_bss) { 1331 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1332 ("%s: deny %sassoc from %s, not authenticated\n", 1333 __func__, reassoc ? "re" : "", 1334 ether_sprintf(wh->i_addr2))); 1335 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1336 if (ni != NULL) { 1337 IEEE80211_SEND_MGMT(ic, ni, 1338 IEEE80211_FC0_SUBTYPE_DEAUTH, 1339 IEEE80211_REASON_ASSOC_NOT_AUTHED); 1340 ieee80211_free_node(ic, ni); 1341 } 1342 ic->ic_stats.is_rx_assoc_notauth++; 1343 return; 1344 } 1345 /* discard challenge after association */ 1346 if (ni->ni_challenge != NULL) { 1347 FREE(ni->ni_challenge, M_DEVBUF); 1348 ni->ni_challenge = NULL; 1349 } 1350 /* XXX per-node cipher suite */ 1351 /* XXX some stations use the privacy bit for handling APs 1352 that suport both encrypted and unencrypted traffic */ 1353 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0 || 1354 (capinfo & IEEE80211_CAPINFO_PRIVACY) != 1355 ((ic->ic_flags & IEEE80211_F_PRIVACY) ? 1356 IEEE80211_CAPINFO_PRIVACY : 0)) { 1357 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1358 ("%s: capability mismatch %x for %s\n", 1359 __func__, capinfo, ether_sprintf(wh->i_addr2))); 1360 IEEE80211_AID_CLR(ni->ni_associd, ic->ic_aid_bitmap); 1361 ni->ni_associd = 0; 1362 IEEE80211_SEND_MGMT(ic, ni, resp, 1363 IEEE80211_STATUS_CAPINFO); 1364 ic->ic_stats.is_rx_assoc_capmismatch++; 1365 return; 1366 } 1367 ieee80211_setup_rates(ic, ni, rates, xrates, 1368 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 1369 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 1370 if (ni->ni_rates.rs_nrates == 0) { 1371 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1372 ("%s: rate mismatch for %s\n", 1373 __func__, ether_sprintf(wh->i_addr2))); 1374 IEEE80211_AID_CLR(ni->ni_associd, ic->ic_aid_bitmap); 1375 ni->ni_associd = 0; 1376 IEEE80211_SEND_MGMT(ic, ni, resp, 1377 IEEE80211_STATUS_BASIC_RATE); 1378 ic->ic_stats.is_rx_assoc_norate++; 1379 return; 1380 } 1381 ni->ni_rssi = rssi; 1382 ni->ni_rstamp = rstamp; 1383 ni->ni_intval = bintval; 1384 ni->ni_capinfo = capinfo; 1385 ni->ni_chan = ic->ic_bss->ni_chan; 1386 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell; 1387 ni->ni_fhindex = ic->ic_bss->ni_fhindex; 1388 if (ni->ni_associd == 0) { 1389 u_int16_t aid; 1390 1391 /* 1392 * It would be clever to search the bitmap 1393 * more efficiently, but this will do for now. 1394 */ 1395 for (aid = 1; aid < ic->ic_max_aid; aid++) { 1396 if (!IEEE80211_AID_ISSET(aid, 1397 ic->ic_aid_bitmap)) 1398 break; 1399 } 1400 1401 if (ic->ic_bss->ni_associd >= ic->ic_max_aid) { 1402 IEEE80211_SEND_MGMT(ic, ni, resp, 1403 IEEE80211_REASON_ASSOC_TOOMANY); 1404 return; 1405 } else { 1406 ni->ni_associd = aid | 0xc000; 1407 IEEE80211_AID_SET(ni->ni_associd, 1408 ic->ic_aid_bitmap); 1409 newassoc = 1; 1410 } 1411 } else 1412 newassoc = 0; 1413 /* XXX for 11g must turn off short slot time if long 1414 slot time sta associates */ 1415 IEEE80211_SEND_MGMT(ic, ni, resp, IEEE80211_STATUS_SUCCESS); 1416 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC | IEEE80211_MSG_DEBUG, 1417 ("station %s %s associated at aid %d\n", 1418 ether_sprintf(ni->ni_macaddr), 1419 (newassoc ? "newly" : "already"), 1420 ni->ni_associd & ~0xc000)); 1421 /* give driver a chance to setup state like ni_txrate */ 1422 if (ic->ic_newassoc) 1423 (*ic->ic_newassoc)(ic, ni, newassoc); 1424 break; 1425 } 1426 1427 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 1428 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: { 1429 u_int16_t status; 1430 1431 if (ic->ic_opmode != IEEE80211_M_STA || 1432 ic->ic_state != IEEE80211_S_ASSOC) { 1433 ic->ic_stats.is_rx_mgtdiscard++; 1434 return; 1435 } 1436 1437 /* 1438 * asresp frame format 1439 * [2] capability information 1440 * [2] status 1441 * [2] association ID 1442 * [tlv] supported rates 1443 * [tlv] extended supported rates 1444 */ 1445 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 1446 ni = ic->ic_bss; 1447 ni->ni_capinfo = le16toh(*(u_int16_t *)frm); 1448 frm += 2; 1449 1450 status = le16toh(*(u_int16_t *)frm); 1451 frm += 2; 1452 if (status != 0) { 1453 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1454 ("%sassociation failed (reason %d) for %s\n", 1455 ISREASSOC(subtype) ? "re" : "", 1456 status, ether_sprintf(wh->i_addr3))); 1457 if (ni != ic->ic_bss) 1458 ni->ni_fails++; 1459 ic->ic_stats.is_rx_auth_fail++; 1460 return; 1461 } 1462 ni->ni_associd = le16toh(*(u_int16_t *)frm); 1463 frm += 2; 1464 1465 rates = xrates = NULL; 1466 while (frm < efrm) { 1467 switch (*frm) { 1468 case IEEE80211_ELEMID_RATES: 1469 rates = frm; 1470 break; 1471 case IEEE80211_ELEMID_XRATES: 1472 xrates = frm; 1473 break; 1474 } 1475 frm += frm[1] + 2; 1476 } 1477 1478 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 1479 ieee80211_setup_rates(ic, ni, rates, xrates, 1480 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 1481 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 1482 if (ni->ni_rates.rs_nrates != 0) 1483 ieee80211_new_state(ic, IEEE80211_S_RUN, 1484 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1485 break; 1486 } 1487 1488 case IEEE80211_FC0_SUBTYPE_DEAUTH: { 1489 u_int16_t reason; 1490 /* 1491 * deauth frame format 1492 * [2] reason 1493 */ 1494 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 1495 reason = le16toh(*(u_int16_t *)frm); 1496 ic->ic_stats.is_rx_deauth++; 1497 switch (ic->ic_opmode) { 1498 case IEEE80211_M_STA: 1499 ieee80211_new_state(ic, IEEE80211_S_AUTH, 1500 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1501 break; 1502 case IEEE80211_M_HOSTAP: 1503 if (ni != ic->ic_bss) { 1504 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 1505 ("station %s deauthenticated by " 1506 "peer (reason %d)\n", 1507 ether_sprintf(ni->ni_macaddr), reason)); 1508 /* node will be free'd on return */ 1509 ieee80211_unref_node(&ni); 1510 } 1511 break; 1512 default: 1513 break; 1514 } 1515 break; 1516 } 1517 1518 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 1519 u_int16_t reason; 1520 /* 1521 * disassoc frame format 1522 * [2] reason 1523 */ 1524 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 1525 reason = le16toh(*(u_int16_t *)frm); 1526 ic->ic_stats.is_rx_disassoc++; 1527 switch (ic->ic_opmode) { 1528 case IEEE80211_M_STA: 1529 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1530 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1531 break; 1532 case IEEE80211_M_HOSTAP: 1533 if (ni != ic->ic_bss) { 1534 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1535 ("station %s disassociated by " 1536 "peer (reason %d)\n", 1537 ether_sprintf(ni->ni_macaddr), reason)); 1538 IEEE80211_AID_CLR(ni->ni_associd, 1539 ic->ic_aid_bitmap); 1540 ni->ni_associd = 0; 1541 /* XXX node reclaimed how? */ 1542 } 1543 break; 1544 default: 1545 break; 1546 } 1547 break; 1548 } 1549 default: 1550 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1551 ("%s: mgmt frame with subtype 0x%x not handled\n", 1552 __func__, subtype)); 1553 ic->ic_stats.is_rx_badsubtype++; 1554 break; 1555 } 1556 } 1557 1558 static void 1559 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m0, int rssi, 1560 u_int32_t rstamp) 1561 { 1562 struct ifnet *ifp = &ic->ic_if; 1563 struct ieee80211_frame *wh; 1564 struct ieee80211_node *ni; 1565 struct mbuf *m; 1566 u_int16_t aid; 1567 1568 if (ic->ic_set_tim == NULL) /* No powersaving functionality */ 1569 return; 1570 1571 wh = mtod(m0, struct ieee80211_frame *); 1572 1573 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1574 if (ifp->if_flags & IFF_DEBUG) 1575 printf("%s: station %s sent bogus power save poll\n", 1576 ifp->if_xname, ether_sprintf(wh->i_addr2)); 1577 return; 1578 } 1579 1580 memcpy(&aid, wh->i_dur, sizeof(wh->i_dur)); 1581 if ((aid & 0xc000) != 0xc000) { 1582 if (ifp->if_flags & IFF_DEBUG) 1583 printf("%s: station %s sent bogus aid %x\n", 1584 ifp->if_xname, ether_sprintf(wh->i_addr2), aid); 1585 return; 1586 } 1587 1588 if (aid != ni->ni_associd) { 1589 if (ifp->if_flags & IFF_DEBUG) 1590 printf("%s: station %s aid %x doesn't match pspoll " 1591 "aid %x\n", 1592 ifp->if_xname, ether_sprintf(wh->i_addr2), 1593 ni->ni_associd, aid); 1594 return; 1595 } 1596 1597 /* Okay, take the first queued packet and put it out... */ 1598 1599 IF_DEQUEUE(&ni->ni_savedq, m); 1600 if (m == NULL) { 1601 if (ifp->if_flags & IFF_DEBUG) 1602 printf("%s: station %s sent pspoll, " 1603 "but no packets are saved\n", 1604 ifp->if_xname, ether_sprintf(wh->i_addr2)); 1605 return; 1606 } 1607 wh = mtod(m, struct ieee80211_frame *); 1608 1609 /* 1610 * If this is the last packet, turn off the TIM fields. 1611 * If there are more packets, set the more packets bit. 1612 */ 1613 1614 if (IF_IS_EMPTY(&ni->ni_savedq)) { 1615 if (ic->ic_set_tim) 1616 ic->ic_set_tim(ic, ni->ni_associd, 0); 1617 } else { 1618 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 1619 } 1620 1621 if (ifp->if_flags & IFF_DEBUG) 1622 printf("%s: enqueued power saving packet for station %s\n", 1623 ifp->if_xname, ether_sprintf(ni->ni_macaddr)); 1624 1625 IF_ENQUEUE(&ic->ic_pwrsaveq, m); 1626 (*ifp->if_start)(ifp); 1627 } 1628 #undef IEEE80211_VERIFY_LENGTH 1629 #undef IEEE80211_VERIFY_ELEMENT 1630
Indexes created Mon Sep 22 05:09:51 GMT 2025