ieee80211_input.c revision 1.34
1 /* $NetBSD: ieee80211_input.c,v 1.34 2004/07/30 17:45:21 mycroft Exp $ */ 2 /*- 3 * Copyright (c) 2001 Atsushi Onoe 4 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. The name of the author may not be used to endorse or promote products 16 * derived from this software without specific prior written permission. 17 * 18 * Alternatively, this software may be distributed under the terms of the 19 * GNU General Public License ("GPL") version 2 as published by the Free 20 * Software Foundation. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 23 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 24 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 25 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 27 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 31 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 #ifdef __FreeBSD__ 36 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.20 2004/04/02 23:35:24 sam Exp $"); 37 #else 38 __KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.34 2004/07/30 17:45:21 mycroft Exp $"); 39 #endif 40 41 #include "opt_inet.h" 42 43 #ifdef __NetBSD__ 44 #include "bpfilter.h" 45 #endif /* __NetBSD__ */ 46 47 #include <sys/param.h> 48 #include <sys/systm.h> 49 #include <sys/mbuf.h> 50 #include <sys/malloc.h> 51 #include <sys/kernel.h> 52 #include <sys/socket.h> 53 #include <sys/sockio.h> 54 #include <sys/endian.h> 55 #include <sys/errno.h> 56 #ifdef __FreeBSD__ 57 #include <sys/bus.h> 58 #endif 59 #include <sys/proc.h> 60 #include <sys/sysctl.h> 61 62 #ifdef __FreeBSD__ 63 #include <machine/atomic.h> 64 #endif 65 66 #include <net/if.h> 67 #include <net/if_dl.h> 68 #include <net/if_media.h> 69 #include <net/if_arp.h> 70 #ifdef __FreeBSD__ 71 #include <net/ethernet.h> 72 #else 73 #include <net/if_ether.h> 74 #endif 75 #include <net/if_llc.h> 76 77 #include <net80211/ieee80211_var.h> 78 #include <net80211/ieee80211_compat.h> 79 80 #if NBPFILTER > 0 81 #include <net/bpf.h> 82 #endif 83 84 #ifdef INET 85 #include <netinet/in.h> 86 #ifdef __FreeBSD__ 87 #include <netinet/if_ether.h> 88 #else 89 #include <net/if_ether.h> 90 #endif 91 #endif 92 93 const struct timeval ieee80211_merge_print_intvl = {.tv_sec = 1, .tv_usec = 0}; 94 95 static void ieee80211_recv_pspoll(struct ieee80211com *, 96 struct mbuf *, int, u_int32_t); 97 98 #ifdef IEEE80211_DEBUG 99 /* 100 * Decide if a received management frame should be 101 * printed when debugging is enabled. This filters some 102 * of the less interesting frames that come frequently 103 * (e.g. beacons). 104 */ 105 static __inline int 106 doprint(struct ieee80211com *ic, int subtype) 107 { 108 switch (subtype) { 109 case IEEE80211_FC0_SUBTYPE_BEACON: 110 return (ic->ic_state == IEEE80211_S_SCAN); 111 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 112 return (ic->ic_opmode == IEEE80211_M_IBSS); 113 } 114 return 1; 115 } 116 #endif 117 118 /* 119 * Process a received frame. The node associated with the sender 120 * should be supplied. If nothing was found in the node table then 121 * the caller is assumed to supply a reference to ic_bss instead. 122 * The RSSI and a timestamp are also supplied. The RSSI data is used 123 * during AP scanning to select a AP to associate with; it can have 124 * any units so long as values have consistent units and higher values 125 * mean ``better signal''. The receive timestamp is currently not used 126 * by the 802.11 layer. 127 */ 128 void 129 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 130 int rssi, u_int32_t rstamp) 131 { 132 struct ieee80211com *ic = (void *)ifp; 133 struct ieee80211_frame *wh; 134 struct ether_header *eh; 135 struct mbuf *m1; 136 int len; 137 u_int8_t dir, type, subtype; 138 u_int16_t rxseq; 139 ALTQ_DECL(struct altq_pktattr pktattr;) 140 141 IASSERT(ni != NULL, ("null node")); 142 143 /* trim CRC here so WEP can find its own CRC at the end of packet. */ 144 if (m->m_flags & M_HASFCS) { 145 m_adj(m, -IEEE80211_CRC_LEN); 146 m->m_flags &= ~M_HASFCS; 147 } 148 149 /* 150 * In monitor mode, send everything directly to bpf. 151 * Also do not process frames w/o i_addr2 any further. 152 * XXX may want to include the CRC 153 */ 154 if (ic->ic_opmode == IEEE80211_M_MONITOR || 155 m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) 156 goto out; 157 158 wh = mtod(m, struct ieee80211_frame *); 159 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 160 IEEE80211_FC0_VERSION_0) { 161 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 162 ("receive packet with wrong version: %x\n", 163 wh->i_fc[0])); 164 ic->ic_stats.is_rx_badversion++; 165 goto err; 166 } 167 168 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 169 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 170 /* 171 * NB: We are not yet prepared to handle control frames, 172 * but permitting drivers to send them to us allows 173 * them to go through bpf tapping at the 802.11 layer. 174 */ 175 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 176 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 177 ("%s: frame too short, len %u\n", 178 __func__, m->m_pkthdr.len)); 179 ic->ic_stats.is_rx_tooshort++; 180 goto out; 181 } 182 if (ic->ic_state != IEEE80211_S_SCAN) { 183 ni->ni_rssi = rssi; 184 ni->ni_rstamp = rstamp; 185 rxseq = ni->ni_rxseq; 186 ni->ni_rxseq = 187 le16toh(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 188 /* TODO: fragment */ 189 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 190 rxseq == ni->ni_rxseq) { 191 /* duplicate, silently discarded */ 192 ic->ic_stats.is_rx_dup++; /* XXX per-station stat */ 193 goto out; 194 } 195 ni->ni_inact = 0; 196 if (ic->ic_opmode == IEEE80211_M_MONITOR) 197 goto out; 198 } 199 200 if (ic->ic_set_tim != NULL && 201 (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) 202 && ni->ni_pwrsave == 0) { 203 /* turn on power save mode */ 204 205 if (ifp->if_flags & IFF_DEBUG) 206 printf("%s: power save mode on for %s\n", 207 ifp->if_xname, ether_sprintf(wh->i_addr2)); 208 209 ni->ni_pwrsave = IEEE80211_PS_SLEEP; 210 } 211 if (ic->ic_set_tim != NULL && 212 (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) == 0 && 213 ni->ni_pwrsave != 0) { 214 /* turn off power save mode, dequeue stored packets */ 215 216 ni->ni_pwrsave = 0; 217 if (ic->ic_set_tim) 218 ic->ic_set_tim(ic, ni->ni_associd, 0); 219 220 if (ifp->if_flags & IFF_DEBUG) 221 printf("%s: power save mode off for %s\n", 222 ifp->if_xname, ether_sprintf(wh->i_addr2)); 223 224 while (!IF_IS_EMPTY(&ni->ni_savedq)) { 225 struct mbuf *m; 226 IF_DEQUEUE(&ni->ni_savedq, m); 227 IF_ENQUEUE(&ic->ic_pwrsaveq, m); 228 (*ifp->if_start)(ifp); 229 } 230 } 231 232 switch (type) { 233 case IEEE80211_FC0_TYPE_DATA: 234 switch (ic->ic_opmode) { 235 case IEEE80211_M_STA: 236 if (dir != IEEE80211_FC1_DIR_FROMDS) { 237 ic->ic_stats.is_rx_wrongdir++; 238 goto out; 239 } 240 if (ic->ic_state != IEEE80211_S_SCAN && 241 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 242 /* Source address is not our BSS. */ 243 IEEE80211_DPRINTF(ic, IEEE80211_MSG_INPUT, 244 ("%s: discard frame from SA %s\n", 245 __func__, ether_sprintf(wh->i_addr2))); 246 ic->ic_stats.is_rx_wrongbss++; 247 goto out; 248 } 249 if ((ifp->if_flags & IFF_SIMPLEX) && 250 IEEE80211_IS_MULTICAST(wh->i_addr1) && 251 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 252 /* 253 * In IEEE802.11 network, multicast packet 254 * sent from me is broadcasted from AP. 255 * It should be silently discarded for 256 * SIMPLEX interface. 257 */ 258 ic->ic_stats.is_rx_mcastecho++; 259 goto out; 260 } 261 break; 262 case IEEE80211_M_IBSS: 263 case IEEE80211_M_AHDEMO: 264 if (dir != IEEE80211_FC1_DIR_NODS) { 265 ic->ic_stats.is_rx_wrongdir++; 266 goto out; 267 } 268 if (ic->ic_state != IEEE80211_S_SCAN && 269 !IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid) && 270 !IEEE80211_ADDR_EQ(wh->i_addr3, ifp->if_broadcastaddr)) { 271 /* Destination is not our BSS or broadcast. */ 272 IEEE80211_DPRINTF(ic, IEEE80211_MSG_INPUT, 273 ("%s: discard data frame to DA %s\n", 274 __func__, ether_sprintf(wh->i_addr3))); 275 ic->ic_stats.is_rx_wrongbss++; 276 goto out; 277 } 278 break; 279 case IEEE80211_M_HOSTAP: 280 if (dir != IEEE80211_FC1_DIR_TODS) { 281 ic->ic_stats.is_rx_wrongdir++; 282 goto out; 283 } 284 if (ic->ic_state != IEEE80211_S_SCAN && 285 !IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_bss->ni_bssid) && 286 !IEEE80211_ADDR_EQ(wh->i_addr1, ifp->if_broadcastaddr)) { 287 /* BSS is not us or broadcast. */ 288 IEEE80211_DPRINTF(ic, IEEE80211_MSG_INPUT, 289 ("%s: discard data frame to BSS %s\n", 290 __func__, ether_sprintf(wh->i_addr1))); 291 ic->ic_stats.is_rx_wrongbss++; 292 goto out; 293 } 294 /* check if source STA is associated */ 295 if (ni == ic->ic_bss) { 296 IEEE80211_DPRINTF(ic, IEEE80211_MSG_INPUT, 297 ("%s: data from unknown src %s\n", 298 __func__, ether_sprintf(wh->i_addr2))); 299 /* NB: caller deals with reference */ 300 ni = ieee80211_dup_bss(ic, wh->i_addr2); 301 if (ni != NULL) { 302 IEEE80211_SEND_MGMT(ic, ni, 303 IEEE80211_FC0_SUBTYPE_DEAUTH, 304 IEEE80211_REASON_NOT_AUTHED); 305 ieee80211_free_node(ic, ni); 306 } 307 ic->ic_stats.is_rx_notassoc++; 308 goto err; 309 } 310 if (ni->ni_associd == 0) { 311 IEEE80211_DPRINTF(ic, IEEE80211_MSG_INPUT, 312 ("%s: data from unassoc src %s\n", 313 __func__, ether_sprintf(wh->i_addr2))); 314 IEEE80211_SEND_MGMT(ic, ni, 315 IEEE80211_FC0_SUBTYPE_DISASSOC, 316 IEEE80211_REASON_NOT_ASSOCED); 317 ieee80211_unref_node(&ni); 318 ic->ic_stats.is_rx_notassoc++; 319 goto err; 320 } 321 break; 322 case IEEE80211_M_MONITOR: 323 break; 324 } 325 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 326 if (ic->ic_flags & IEEE80211_F_PRIVACY) { 327 m = ieee80211_wep_crypt(ifp, m, 0); 328 if (m == NULL) { 329 ic->ic_stats.is_rx_wepfail++; 330 goto err; 331 } 332 wh = mtod(m, struct ieee80211_frame *); 333 } else { 334 ic->ic_stats.is_rx_nowep++; 335 goto out; 336 } 337 } 338 #if NBPFILTER > 0 339 /* copy to listener after decrypt */ 340 if (ic->ic_rawbpf) 341 bpf_mtap(ic->ic_rawbpf, m); 342 #endif 343 m = ieee80211_decap(ifp, m); 344 if (m == NULL) { 345 IEEE80211_DPRINTF(ic, IEEE80211_MSG_INPUT, 346 ("%s: decapsulation error for src %s\n", 347 __func__, ether_sprintf(wh->i_addr2))); 348 ic->ic_stats.is_rx_decap++; 349 goto err; 350 } 351 ifp->if_ipackets++; 352 353 /* perform as a bridge within the AP */ 354 m1 = NULL; 355 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 356 eh = mtod(m, struct ether_header *); 357 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 358 m1 = m_copypacket(m, M_DONTWAIT); 359 if (m1 == NULL) 360 ifp->if_oerrors++; 361 else 362 m1->m_flags |= M_MCAST; 363 } else { 364 ni = ieee80211_find_node(ic, eh->ether_dhost); 365 if (ni != NULL) { 366 if (ni->ni_associd != 0) { 367 m1 = m; 368 m = NULL; 369 } 370 ieee80211_free_node(ic, ni); 371 } 372 } 373 if (m1 != NULL) { 374 #ifdef ALTQ 375 if (ALTQ_IS_ENABLED(&ifp->if_snd)) 376 altq_etherclassify(&ifp->if_snd, m1, 377 &pktattr); 378 #endif 379 len = m1->m_pkthdr.len; 380 IF_ENQUEUE(&ifp->if_snd, m1); 381 if (m != NULL) 382 ifp->if_omcasts++; 383 ifp->if_obytes += len; 384 } 385 } 386 if (m != NULL) { 387 #if NBPFILTER > 0 388 /* 389 * If we forward packet into transmitter of the AP, 390 * we don't need to duplicate for DLT_EN10MB. 391 */ 392 if (ifp->if_bpf && m1 == NULL) 393 bpf_mtap(ifp->if_bpf, m); 394 #endif 395 (*ifp->if_input)(ifp, m); 396 } 397 return; 398 399 case IEEE80211_FC0_TYPE_MGT: 400 if (dir != IEEE80211_FC1_DIR_NODS) { 401 ic->ic_stats.is_rx_wrongdir++; 402 goto err; 403 } 404 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 405 ic->ic_stats.is_rx_ahdemo_mgt++; 406 goto out; 407 } 408 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 409 410 /* drop frames without interest */ 411 if (ic->ic_state == IEEE80211_S_SCAN) { 412 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 413 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 414 ic->ic_stats.is_rx_mgtdiscard++; 415 goto out; 416 } 417 } 418 419 #ifdef IEEE80211_DEBUG 420 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) || 421 ieee80211_msg_dumppkts(ic)) { 422 if_printf(ifp, "received %s from %s rssi %d\n", 423 ieee80211_mgt_subtype_name[subtype 424 >> IEEE80211_FC0_SUBTYPE_SHIFT], 425 ether_sprintf(wh->i_addr2), rssi); 426 } 427 #endif 428 #if NBPFILTER > 0 429 if (ic->ic_rawbpf) 430 bpf_mtap(ic->ic_rawbpf, m); 431 #endif 432 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp); 433 m_freem(m); 434 return; 435 436 case IEEE80211_FC0_TYPE_CTL: 437 ic->ic_stats.is_rx_ctl++; 438 if (ic->ic_opmode != IEEE80211_M_HOSTAP) 439 goto out; 440 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 441 if (subtype == IEEE80211_FC0_SUBTYPE_PS_POLL) { 442 /* XXX statistic */ 443 /* Dump out a single packet from the host */ 444 if (ifp->if_flags & IFF_DEBUG) 445 printf("%s: got power save probe from %s\n", 446 ifp->if_xname, 447 ether_sprintf(wh->i_addr2)); 448 ieee80211_recv_pspoll(ic, m, rssi, rstamp); 449 } 450 goto out; 451 default: 452 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 453 ("%s: bad frame type %x\n", __func__, type)); 454 /* should not come here */ 455 break; 456 } 457 err: 458 ifp->if_ierrors++; 459 out: 460 if (m != NULL) { 461 #if NBPFILTER > 0 462 if (ic->ic_rawbpf) 463 bpf_mtap(ic->ic_rawbpf, m); 464 #endif 465 m_freem(m); 466 } 467 } 468 469 struct mbuf * 470 ieee80211_decap(struct ifnet *ifp, struct mbuf *m) 471 { 472 struct ether_header *eh; 473 struct ieee80211_frame wh; 474 struct llc *llc; 475 476 if (m->m_len < sizeof(wh) + sizeof(*llc)) { 477 m = m_pullup(m, sizeof(wh) + sizeof(*llc)); 478 if (m == NULL) 479 return NULL; 480 } 481 memcpy(&wh, mtod(m, caddr_t), sizeof(wh)); 482 llc = (struct llc *)(mtod(m, caddr_t) + sizeof(wh)); 483 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP && 484 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 && 485 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) { 486 m_adj(m, sizeof(wh) + sizeof(struct llc) - sizeof(*eh)); 487 llc = NULL; 488 } else { 489 m_adj(m, sizeof(wh) - sizeof(*eh)); 490 } 491 eh = mtod(m, struct ether_header *); 492 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) { 493 case IEEE80211_FC1_DIR_NODS: 494 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 495 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 496 break; 497 case IEEE80211_FC1_DIR_TODS: 498 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 499 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 500 break; 501 case IEEE80211_FC1_DIR_FROMDS: 502 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 503 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3); 504 break; 505 case IEEE80211_FC1_DIR_DSTODS: 506 /* not yet supported */ 507 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 508 ("%s: discard DS to DS frame\n", __func__)); 509 m_freem(m); 510 return NULL; 511 } 512 #ifdef ALIGNED_POINTER 513 if (!ALIGNED_POINTER(mtod(m, caddr_t) + sizeof(*eh), u_int32_t)) { 514 struct mbuf *n, *n0, **np; 515 caddr_t newdata; 516 int off, pktlen; 517 518 n0 = NULL; 519 np = &n0; 520 off = 0; 521 pktlen = m->m_pkthdr.len; 522 while (pktlen > off) { 523 if (n0 == NULL) { 524 MGETHDR(n, M_DONTWAIT, MT_DATA); 525 if (n == NULL) { 526 m_freem(m); 527 return NULL; 528 } 529 #ifdef __FreeBSD__ 530 M_MOVE_PKTHDR(n, m); 531 #else 532 M_COPY_PKTHDR(n, m); 533 #endif 534 n->m_len = MHLEN; 535 } else { 536 MGET(n, M_DONTWAIT, MT_DATA); 537 if (n == NULL) { 538 m_freem(m); 539 m_freem(n0); 540 return NULL; 541 } 542 n->m_len = MLEN; 543 } 544 if (pktlen - off >= MINCLSIZE) { 545 MCLGET(n, M_DONTWAIT); 546 if (n->m_flags & M_EXT) 547 n->m_len = n->m_ext.ext_size; 548 } 549 if (n0 == NULL) { 550 newdata = 551 (caddr_t)ALIGN(n->m_data + sizeof(*eh)) - 552 sizeof(*eh); 553 n->m_len -= newdata - n->m_data; 554 n->m_data = newdata; 555 } 556 if (n->m_len > pktlen - off) 557 n->m_len = pktlen - off; 558 m_copydata(m, off, n->m_len, mtod(n, caddr_t)); 559 off += n->m_len; 560 *np = n; 561 np = &n->m_next; 562 } 563 m_freem(m); 564 m = n0; 565 } 566 #endif /* ALIGNED_POINTER */ 567 if (llc != NULL) { 568 eh = mtod(m, struct ether_header *); 569 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh)); 570 } 571 return m; 572 } 573 574 /* 575 * Install received rate set information in the node's state block. 576 */ 577 static int 578 ieee80211_setup_rates(struct ieee80211com *ic, struct ieee80211_node *ni, 579 u_int8_t *rates, u_int8_t *xrates, int flags) 580 { 581 struct ieee80211_rateset *rs = &ni->ni_rates; 582 583 memset(rs, 0, sizeof(*rs)); 584 rs->rs_nrates = rates[1]; 585 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 586 if (xrates != NULL) { 587 u_int8_t nxrates; 588 /* 589 * Tack on 11g extended supported rate element. 590 */ 591 nxrates = xrates[1]; 592 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) { 593 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 594 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 595 ("%s: extended rate set too large;" 596 " only using %u of %u rates\n", 597 __func__, nxrates, xrates[1])); 598 ic->ic_stats.is_rx_rstoobig++; 599 } 600 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 601 rs->rs_nrates += nxrates; 602 } 603 return ieee80211_fix_rate(ic, ni, flags); 604 } 605 606 /* Verify the existence and length of __elem or get out. */ 607 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \ 608 if ((__elem) == NULL) { \ 609 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, \ 610 ("%s: no " #__elem "in %s frame\n", \ 611 __func__, ieee80211_mgt_subtype_name[subtype >> \ 612 IEEE80211_FC0_SUBTYPE_SHIFT])); \ 613 ic->ic_stats.is_rx_elem_missing++; \ 614 return; \ 615 } \ 616 if ((__elem)[1] > (__maxlen)) { \ 617 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, \ 618 ("%s: bad " #__elem " len %d in %s frame from %s\n",\ 619 __func__, (__elem)[1], \ 620 ieee80211_mgt_subtype_name[subtype >> \ 621 IEEE80211_FC0_SUBTYPE_SHIFT], \ 622 ether_sprintf(wh->i_addr2))); \ 623 ic->ic_stats.is_rx_elem_toobig++; \ 624 return; \ 625 } \ 626 } while (0) 627 628 #define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \ 629 if ((_len) < (_minlen)) { \ 630 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, \ 631 ("%s: %s frame too short from %s\n", \ 632 __func__, \ 633 ieee80211_mgt_subtype_name[subtype >> \ 634 IEEE80211_FC0_SUBTYPE_SHIFT], \ 635 ether_sprintf(wh->i_addr2))); \ 636 ic->ic_stats.is_rx_elem_toosmall++; \ 637 return; \ 638 } \ 639 } while (0) 640 641 #ifdef IEEE80211_DEBUG 642 static void 643 ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag, 644 u_int8_t mac[IEEE80211_ADDR_LEN], u_int8_t *ssid) 645 { 646 printf("[%s] %s req ssid mismatch: ", ether_sprintf(mac), tag); 647 ieee80211_print_essid(ssid + 2, ssid[1]); 648 printf("\n"); 649 } 650 651 #define IEEE80211_VERIFY_SSID(_ni, _ssid, _packet_type) do { \ 652 if ((_ssid)[1] != 0 && \ 653 ((_ssid)[1] != (_ni)->ni_esslen || \ 654 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 655 if (ieee80211_msg_input(ic)) \ 656 ieee80211_ssid_mismatch(ic, _packet_type, \ 657 wh->i_addr2, _ssid); \ 658 ic->ic_stats.is_rx_ssidmismatch++; \ 659 return; \ 660 } \ 661 } while (0) 662 #else /* !IEEE80211_DEBUG */ 663 #define IEEE80211_VERIFY_SSID(_ni, _ssid, _packet_type) do { \ 664 if ((_ssid)[1] != 0 && \ 665 ((_ssid)[1] != (_ni)->ni_esslen || \ 666 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 667 ic->ic_stats.is_rx_ssidmismatch++; \ 668 return; \ 669 } \ 670 } while (0) 671 #endif /* !IEEE80211_DEBUG */ 672 673 static void 674 ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh, 675 struct ieee80211_node *ni, int rssi, u_int32_t rstamp, u_int16_t seq, 676 u_int16_t status) 677 { 678 int allocbs; 679 switch (ic->ic_opmode) { 680 case IEEE80211_M_IBSS: 681 if (ic->ic_state != IEEE80211_S_RUN || 682 seq != IEEE80211_AUTH_OPEN_REQUEST) { 683 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 684 ("%s: discard auth from %s; state %u, seq %u\n", 685 __func__, ether_sprintf(wh->i_addr2), 686 ic->ic_state, seq)); 687 ic->ic_stats.is_rx_bad_auth++; 688 return; 689 } 690 ieee80211_new_state(ic, IEEE80211_S_AUTH, 691 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 692 break; 693 694 case IEEE80211_M_AHDEMO: 695 /* should not come here */ 696 break; 697 698 case IEEE80211_M_HOSTAP: 699 if (ic->ic_state != IEEE80211_S_RUN || 700 seq != IEEE80211_AUTH_OPEN_REQUEST) { 701 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 702 ("%s: discard auth from %s; state %u, seq %u\n", 703 __func__, ether_sprintf(wh->i_addr2), 704 ic->ic_state, seq)); 705 ic->ic_stats.is_rx_bad_auth++; 706 return; 707 } 708 if (ni == ic->ic_bss) { 709 ni = ieee80211_alloc_node(ic, wh->i_addr2); 710 if (ni == NULL) { 711 ic->ic_stats.is_rx_nodealloc++; 712 return; 713 } 714 IEEE80211_ADDR_COPY(ni->ni_bssid, ic->ic_bss->ni_bssid); 715 ni->ni_rssi = rssi; 716 ni->ni_rstamp = rstamp; 717 ni->ni_chan = ic->ic_bss->ni_chan; 718 allocbs = 1; 719 } else 720 allocbs = 0; 721 IEEE80211_SEND_MGMT(ic, ni, 722 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 723 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 724 ("station %s %s authenticated (open)\n", 725 ether_sprintf(ni->ni_macaddr), 726 (allocbs ? "newly" : "already"))); 727 break; 728 729 case IEEE80211_M_STA: 730 if (ic->ic_state != IEEE80211_S_AUTH || 731 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 732 ic->ic_stats.is_rx_bad_auth++; 733 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 734 ("%s: discard auth from %s; state %u, seq %u\n", 735 __func__, ether_sprintf(wh->i_addr2), 736 ic->ic_state, seq)); 737 return; 738 } 739 if (status != 0) { 740 IEEE80211_DPRINTF(ic, 741 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 742 ("open authentication failed (reason %d) for %s\n", 743 status, 744 ether_sprintf(wh->i_addr3))); 745 if (ni != ic->ic_bss) 746 ni->ni_fails++; 747 ic->ic_stats.is_rx_auth_fail++; 748 return; 749 } 750 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 751 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 752 break; 753 case IEEE80211_M_MONITOR: 754 break; 755 } 756 } 757 758 /* TBD send appropriate responses on error? */ 759 static void 760 ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh, 761 u_int8_t *frm, u_int8_t *efrm, struct ieee80211_node *ni, int rssi, 762 u_int32_t rstamp, u_int16_t seq, u_int16_t status) 763 { 764 u_int8_t *challenge = NULL; 765 int allocbs, i; 766 767 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 768 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 769 ("%s: WEP is off\n", __func__)); 770 return; 771 } 772 773 if (frm + 1 < efrm) { 774 if (frm[1] + 2 > efrm - frm) { 775 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 776 ("%s: elt %d %d bytes too long\n", __func__, 777 frm[0], (frm[1] + 2) - (int)(efrm - frm))); 778 ic->ic_stats.is_rx_bad_auth++; 779 return; 780 } 781 if (*frm == IEEE80211_ELEMID_CHALLENGE) 782 challenge = frm; 783 frm += frm[1] + 2; 784 } 785 switch (seq) { 786 case IEEE80211_AUTH_SHARED_CHALLENGE: 787 case IEEE80211_AUTH_SHARED_RESPONSE: 788 if (challenge == NULL) { 789 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 790 ("%s: no challenge sent\n", __func__)); 791 ic->ic_stats.is_rx_bad_auth++; 792 return; 793 } 794 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 795 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 796 ("%s: bad challenge len %d\n", 797 __func__, challenge[1])); 798 ic->ic_stats.is_rx_bad_auth++; 799 return; 800 } 801 default: 802 break; 803 } 804 switch (ic->ic_opmode) { 805 case IEEE80211_M_MONITOR: 806 case IEEE80211_M_AHDEMO: 807 case IEEE80211_M_IBSS: 808 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 809 ("%s: unexpected operating mode\n", __func__)); 810 return; 811 case IEEE80211_M_HOSTAP: 812 if (ic->ic_state != IEEE80211_S_RUN) { 813 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 814 ("%s: not running\n", __func__)); 815 return; 816 } 817 switch (seq) { 818 case IEEE80211_AUTH_SHARED_REQUEST: 819 if (ni == ic->ic_bss) { 820 ni = ieee80211_alloc_node(ic, wh->i_addr2); 821 if (ni == NULL) { 822 ic->ic_stats.is_rx_nodealloc++; 823 return; 824 } 825 IEEE80211_ADDR_COPY(ni->ni_bssid, 826 ic->ic_bss->ni_bssid); 827 ni->ni_rssi = rssi; 828 ni->ni_rstamp = rstamp; 829 ni->ni_chan = ic->ic_bss->ni_chan; 830 allocbs = 1; 831 } else 832 allocbs = 0; 833 if (ni->ni_challenge == NULL) 834 ni->ni_challenge = (u_int32_t*)malloc( 835 IEEE80211_CHALLENGE_LEN, M_DEVBUF, 836 M_NOWAIT); 837 if (ni->ni_challenge == NULL) { 838 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 839 ("%s: challenge alloc failed\n", 840 __func__)); 841 /* XXX statistic */ 842 return; 843 } 844 for (i = IEEE80211_CHALLENGE_LEN / sizeof(u_int32_t); 845 --i >= 0; ) 846 ni->ni_challenge[i] = arc4random(); 847 IEEE80211_DPRINTF(ic, 848 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 849 ("shared key %sauth request from station %s\n", 850 (allocbs ? "" : "re"), 851 ether_sprintf(ni->ni_macaddr))); 852 break; 853 case IEEE80211_AUTH_SHARED_RESPONSE: 854 if (ni == ic->ic_bss) { 855 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 856 ("%s: unknown STA\n", __func__)); 857 return; 858 } 859 if (ni->ni_challenge == NULL) { 860 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 861 ("%s: no challenge recorded\n", 862 __func__)); 863 ic->ic_stats.is_rx_bad_auth++; 864 return; 865 } 866 if (memcmp(ni->ni_challenge, &challenge[2], 867 challenge[1]) != 0) { 868 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 869 ("%s: challenge mismatch\n", __func__)); 870 ic->ic_stats.is_rx_auth_fail++; 871 return; 872 } 873 IEEE80211_DPRINTF(ic, 874 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 875 ("station %s authenticated (shared key)\n", 876 ether_sprintf(ni->ni_macaddr))); 877 break; 878 default: 879 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 880 ("%s: bad shared key auth seq %d from %s\n", 881 __func__, seq, ether_sprintf(wh->i_addr2))); 882 ic->ic_stats.is_rx_bad_auth++; 883 return; 884 } 885 IEEE80211_SEND_MGMT(ic, ni, 886 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 887 break; 888 889 case IEEE80211_M_STA: 890 if (ic->ic_state != IEEE80211_S_AUTH) 891 return; 892 switch (seq) { 893 case IEEE80211_AUTH_SHARED_PASS: 894 if (ni->ni_challenge != NULL) { 895 FREE(ni->ni_challenge, M_DEVBUF); 896 ni->ni_challenge = NULL; 897 } 898 if (status != 0) { 899 IEEE80211_DPRINTF(ic, 900 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 901 ("%s: auth failed (reason %d) for %s\n", 902 __func__, status, 903 ether_sprintf(wh->i_addr3))); 904 if (ni != ic->ic_bss) 905 ni->ni_fails++; 906 ic->ic_stats.is_rx_auth_fail++; 907 return; 908 } 909 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 910 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 911 break; 912 case IEEE80211_AUTH_SHARED_CHALLENGE: 913 if (ni->ni_challenge == NULL) 914 ni->ni_challenge = (u_int32_t*)malloc( 915 challenge[1], M_DEVBUF, M_NOWAIT); 916 if (ni->ni_challenge == NULL) { 917 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 918 ("%s: challenge alloc failed\n", __func__)); 919 /* XXX statistic */ 920 return; 921 } 922 memcpy(ni->ni_challenge, &challenge[2], challenge[1]); 923 IEEE80211_SEND_MGMT(ic, ni, 924 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 925 break; 926 default: 927 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 928 ("%s: bad seq %d from %s\n", __func__, seq, 929 ether_sprintf(wh->i_addr2))); 930 ic->ic_stats.is_rx_bad_auth++; 931 return; 932 } 933 break; 934 } 935 } 936 937 void 938 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0, 939 struct ieee80211_node *ni, 940 int subtype, int rssi, u_int32_t rstamp) 941 { 942 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP) 943 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP) 944 struct ieee80211_frame *wh; 945 u_int8_t *frm, *efrm; 946 u_int8_t *ssid, *rates, *xrates; 947 int reassoc, resp, allocbs; 948 949 wh = mtod(m0, struct ieee80211_frame *); 950 frm = (u_int8_t *)&wh[1]; 951 efrm = mtod(m0, u_int8_t *) + m0->m_len; 952 switch (subtype) { 953 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 954 case IEEE80211_FC0_SUBTYPE_BEACON: { 955 u_int8_t *tstamp, *bintval, *capinfo, *country; 956 u_int8_t chan, bchan, fhindex, erp; 957 u_int16_t fhdwell; 958 959 /* 960 * We process beacon/probe response frames for: 961 * o station mode: to collect state 962 * updates such as 802.11g slot time and for passive 963 * scanning of APs 964 * o adhoc mode: to discover neighbors 965 * o hostap mode: for passive scanning of neighbor APs 966 * o when scanning 967 * In other words, in all modes other than monitor (which 968 * does not process incoming packets) and adhoc-demo (which 969 * does not use management frames at all). 970 */ 971 #ifdef DIAGNOSTIC 972 if (ic->ic_opmode != IEEE80211_M_STA && 973 ic->ic_opmode != IEEE80211_M_IBSS && 974 ic->ic_opmode != IEEE80211_M_HOSTAP && 975 ic->ic_state != IEEE80211_S_SCAN) { 976 panic("%s: impossible", __func__); 977 } 978 #endif 979 /* 980 * beacon/probe response frame format 981 * [8] time stamp 982 * [2] beacon interval 983 * [2] capability information 984 * [tlv] ssid 985 * [tlv] supported rates 986 * [tlv] country information 987 * [tlv] parameter set (FH/DS) 988 * [tlv] erp information 989 * [tlv] extended supported rates 990 */ 991 IEEE80211_VERIFY_LENGTH(efrm - frm, 12); 992 tstamp = frm; frm += 8; 993 bintval = frm; frm += 2; 994 capinfo = frm; frm += 2; 995 ssid = rates = xrates = country = NULL; 996 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 997 chan = bchan; 998 fhdwell = 0; 999 fhindex = 0; 1000 erp = 0; 1001 while (frm < efrm) { 1002 switch (*frm) { 1003 case IEEE80211_ELEMID_SSID: 1004 ssid = frm; 1005 break; 1006 case IEEE80211_ELEMID_RATES: 1007 rates = frm; 1008 break; 1009 case IEEE80211_ELEMID_COUNTRY: 1010 country = frm; 1011 break; 1012 case IEEE80211_ELEMID_FHPARMS: 1013 if (ic->ic_phytype == IEEE80211_T_FH) { 1014 fhdwell = (frm[3] << 8) | frm[2]; 1015 chan = IEEE80211_FH_CHAN(frm[4], frm[5]); 1016 fhindex = frm[6]; 1017 } 1018 break; 1019 case IEEE80211_ELEMID_DSPARMS: 1020 /* 1021 * XXX hack this since depending on phytype 1022 * is problematic for multi-mode devices. 1023 */ 1024 if (ic->ic_phytype != IEEE80211_T_FH) 1025 chan = frm[2]; 1026 break; 1027 case IEEE80211_ELEMID_TIM: 1028 break; 1029 case IEEE80211_ELEMID_IBSSPARMS: 1030 break; 1031 case IEEE80211_ELEMID_XRATES: 1032 xrates = frm; 1033 break; 1034 case IEEE80211_ELEMID_ERP: 1035 if (frm[1] != 1) { 1036 IEEE80211_DPRINTF(ic, 1037 IEEE80211_MSG_ELEMID, 1038 ("%s: invalid ERP element; " 1039 "length %u, expecting 1\n", 1040 __func__, frm[1])); 1041 ic->ic_stats.is_rx_elem_toobig++; 1042 break; 1043 } 1044 erp = frm[2]; 1045 break; 1046 default: 1047 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, 1048 ("%s: element id %u/len %u ignored\n", 1049 __func__, *frm, frm[1])); 1050 ic->ic_stats.is_rx_elem_unknown++; 1051 break; 1052 } 1053 frm += frm[1] + 2; 1054 } 1055 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 1056 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 1057 if ( 1058 #if IEEE80211_CHAN_MAX < 255 1059 chan > IEEE80211_CHAN_MAX || 1060 #endif 1061 isclr(ic->ic_chan_active, chan)) { 1062 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, 1063 ("%s: ignore %s with invalid channel %u\n", 1064 __func__, 1065 ISPROBE(subtype) ? "probe response" : "beacon", 1066 chan)); 1067 ic->ic_stats.is_rx_badchan++; 1068 return; 1069 } 1070 if (chan != bchan && ic->ic_phytype != IEEE80211_T_FH) { 1071 /* 1072 * Frame was received on a channel different from the 1073 * one indicated in the DS params element id; 1074 * silently discard it. 1075 * 1076 * NB: this can happen due to signal leakage. 1077 * But we should take it for FH phy because 1078 * the rssi value should be correct even for 1079 * different hop pattern in FH. 1080 */ 1081 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, 1082 ("%s: ignore %s on channel %u marked " 1083 "for channel %u\n", __func__, 1084 ISPROBE(subtype) ? "probe response" : "beacon", 1085 bchan, chan)); 1086 ic->ic_stats.is_rx_chanmismatch++; 1087 return; 1088 } 1089 1090 /* 1091 * Use mac and channel for lookup so we collect all 1092 * potential AP's when scanning. Otherwise we may 1093 * see the same AP on multiple channels and will only 1094 * record the last one. We could filter APs here based 1095 * on rssi, etc. but leave that to the end of the scan 1096 * so we can keep the selection criteria in one spot. 1097 * This may result in a bloat of the scanned AP list but 1098 * it shouldn't be too much. 1099 */ 1100 ni = ieee80211_find_node_for_beacon(ic, wh->i_addr2, 1101 &ic->ic_channels[chan], ssid); 1102 #ifdef IEEE80211_DEBUG 1103 if (ieee80211_debug && 1104 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN)) { 1105 printf("%s: %s%s on chan %u (bss chan %u) ", 1106 __func__, (ni == NULL ? "new " : ""), 1107 ISPROBE(subtype) ? "probe response" : "beacon", 1108 chan, bchan); 1109 ieee80211_print_essid(ssid + 2, ssid[1]); 1110 printf(" from %s\n", ether_sprintf(wh->i_addr2)); 1111 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1112 __func__, le16toh(*(u_int16_t *)capinfo), 1113 le16toh(*(u_int16_t *)bintval), erp); 1114 if (country) { 1115 int i; 1116 printf("%s: country info", __func__); 1117 for (i = 0; i < country[1]; i++) 1118 printf(" %02x", country[i+2]); 1119 printf("\n"); 1120 } 1121 } 1122 #endif 1123 if (ni == NULL) { 1124 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1125 if (ni == NULL) 1126 return; 1127 allocbs = 1; 1128 } else 1129 allocbs = 0; 1130 if (ssid[1] != 0 && ni->ni_esslen == 0) { 1131 /* 1132 * Update ESSID at probe response to adopt hidden AP by 1133 * Lucent/Cisco, which announces null ESSID in beacon. 1134 */ 1135 ni->ni_esslen = ssid[1]; 1136 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1137 memcpy(ni->ni_essid, ssid + 2, ssid[1]); 1138 } 1139 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1140 ni->ni_rssi = rssi; 1141 ni->ni_rstamp = rstamp; 1142 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 1143 ni->ni_intval = le16toh(*(u_int16_t *)bintval); 1144 ni->ni_capinfo = le16toh(*(u_int16_t *)capinfo); 1145 /* XXX validate channel # */ 1146 ni->ni_chan = &ic->ic_channels[chan]; 1147 ni->ni_fhdwell = fhdwell; 1148 ni->ni_fhindex = fhindex; 1149 ni->ni_erp = erp; 1150 /* NB: must be after ni_chan is setup */ 1151 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 1152 /* 1153 * When scanning we record results (nodes) with a zero 1154 * refcnt. Otherwise we want to hold the reference for 1155 * ibss neighbors so the nodes don't get released prematurely. 1156 * Anything else can be discarded (XXX and should be handled 1157 * above so we don't do so much work). 1158 */ 1159 if (ic->ic_opmode == IEEE80211_M_IBSS && allocbs && 1160 ISPROBE(subtype)) { 1161 /* 1162 * Fake an association so the driver can setup it's 1163 * private state. The rate set has been setup above; 1164 * there is no handshake as in ap/station operation. 1165 */ 1166 if (ic->ic_newassoc) 1167 (*ic->ic_newassoc)(ic, ni, 1); 1168 /* NB: hold reference */ 1169 } else 1170 ieee80211_unref_node(&ni); /* NB: do not free */ 1171 break; 1172 } 1173 1174 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: { 1175 u_int8_t rate; 1176 1177 if (ic->ic_opmode == IEEE80211_M_STA) 1178 return; 1179 if (ic->ic_state != IEEE80211_S_RUN) 1180 return; 1181 1182 /* 1183 * prreq frame format 1184 * [tlv] ssid 1185 * [tlv] supported rates 1186 * [tlv] extended supported rates 1187 */ 1188 ssid = rates = xrates = NULL; 1189 while (frm < efrm) { 1190 switch (*frm) { 1191 case IEEE80211_ELEMID_SSID: 1192 ssid = frm; 1193 break; 1194 case IEEE80211_ELEMID_RATES: 1195 rates = frm; 1196 break; 1197 case IEEE80211_ELEMID_XRATES: 1198 xrates = frm; 1199 break; 1200 } 1201 frm += frm[1] + 2; 1202 } 1203 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 1204 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 1205 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid, "probe"); 1206 1207 if (ni == ic->ic_bss) { 1208 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1209 if (ni == NULL) 1210 return; 1211 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1212 ("%s: new probe req from %s\n", 1213 __func__, ether_sprintf(wh->i_addr2))); 1214 allocbs = 1; 1215 } else 1216 allocbs = 0; 1217 ni->ni_rssi = rssi; 1218 ni->ni_rstamp = rstamp; 1219 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1220 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE 1221 | IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 1222 if (rate & IEEE80211_RATE_BASIC) { 1223 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 1224 ("%s: rate negotiation failed: %s\n", 1225 __func__,ether_sprintf(wh->i_addr2))); 1226 } else { 1227 IEEE80211_SEND_MGMT(ic, ni, 1228 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 1229 } 1230 if (allocbs) 1231 ieee80211_free_node(ic, ni); 1232 break; 1233 } 1234 1235 case IEEE80211_FC0_SUBTYPE_AUTH: { 1236 u_int16_t algo, seq, status; 1237 /* 1238 * auth frame format 1239 * [2] algorithm 1240 * [2] sequence 1241 * [2] status 1242 * [tlv*] challenge 1243 */ 1244 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 1245 algo = le16toh(*(u_int16_t *)frm); 1246 seq = le16toh(*(u_int16_t *)(frm + 2)); 1247 status = le16toh(*(u_int16_t *)(frm + 4)); 1248 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 1249 ("%s: algorithm %d seq %d from %s\n", 1250 __func__, algo, seq, ether_sprintf(wh->i_addr2))); 1251 1252 if (algo == IEEE80211_AUTH_ALG_SHARED) 1253 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi, 1254 rstamp, seq, status); 1255 else if (algo == IEEE80211_AUTH_ALG_OPEN) 1256 ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq, 1257 status); 1258 else { 1259 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1260 ("%s: unsupported auth algorithm %d from %s\n", 1261 __func__, algo, ether_sprintf(wh->i_addr2))); 1262 ic->ic_stats.is_rx_auth_unsupported++; 1263 return; 1264 } 1265 break; 1266 } 1267 1268 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1269 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 1270 u_int16_t capinfo, bintval; 1271 1272 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 1273 (ic->ic_state != IEEE80211_S_RUN)) 1274 return; 1275 1276 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 1277 reassoc = 1; 1278 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1279 } else { 1280 reassoc = 0; 1281 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1282 } 1283 /* 1284 * asreq frame format 1285 * [2] capability information 1286 * [2] listen interval 1287 * [6*] current AP address (reassoc only) 1288 * [tlv] ssid 1289 * [tlv] supported rates 1290 * [tlv] extended supported rates 1291 */ 1292 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4)); 1293 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 1294 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1295 ("%s: ignore assoc request with bss %s not " 1296 "our own\n", 1297 __func__, ether_sprintf(wh->i_addr2))); 1298 ic->ic_stats.is_rx_assoc_bss++; 1299 return; 1300 } 1301 capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 1302 bintval = le16toh(*(u_int16_t *)frm); frm += 2; 1303 if (reassoc) 1304 frm += 6; /* ignore current AP info */ 1305 ssid = rates = xrates = NULL; 1306 while (frm < efrm) { 1307 switch (*frm) { 1308 case IEEE80211_ELEMID_SSID: 1309 ssid = frm; 1310 break; 1311 case IEEE80211_ELEMID_RATES: 1312 rates = frm; 1313 break; 1314 case IEEE80211_ELEMID_XRATES: 1315 xrates = frm; 1316 break; 1317 } 1318 frm += frm[1] + 2; 1319 } 1320 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 1321 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 1322 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid, 1323 reassoc ? "reassoc" : "assoc"); 1324 1325 if (ni == ic->ic_bss) { 1326 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1327 ("%s: deny %sassoc from %s, not authenticated\n", 1328 __func__, reassoc ? "re" : "", 1329 ether_sprintf(wh->i_addr2))); 1330 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1331 if (ni != NULL) { 1332 IEEE80211_SEND_MGMT(ic, ni, 1333 IEEE80211_FC0_SUBTYPE_DEAUTH, 1334 IEEE80211_REASON_ASSOC_NOT_AUTHED); 1335 ieee80211_free_node(ic, ni); 1336 } 1337 ic->ic_stats.is_rx_assoc_notauth++; 1338 return; 1339 } 1340 /* discard challenge after association */ 1341 if (ni->ni_challenge != NULL) { 1342 FREE(ni->ni_challenge, M_DEVBUF); 1343 ni->ni_challenge = NULL; 1344 } 1345 /* XXX per-node cipher suite */ 1346 /* XXX some stations use the privacy bit for handling APs 1347 that suport both encrypted and unencrypted traffic */ 1348 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0 || 1349 (capinfo & IEEE80211_CAPINFO_PRIVACY) != 1350 ((ic->ic_flags & IEEE80211_F_PRIVACY) ? 1351 IEEE80211_CAPINFO_PRIVACY : 0)) { 1352 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1353 ("%s: capability mismatch %x for %s\n", 1354 __func__, capinfo, ether_sprintf(wh->i_addr2))); 1355 IEEE80211_SEND_MGMT(ic, ni, resp, 1356 IEEE80211_STATUS_CAPINFO); 1357 ieee80211_node_leave(ic, ni); 1358 ic->ic_stats.is_rx_assoc_capmismatch++; 1359 return; 1360 } 1361 ieee80211_setup_rates(ic, ni, rates, xrates, 1362 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 1363 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 1364 if (ni->ni_rates.rs_nrates == 0) { 1365 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1366 ("%s: rate mismatch for %s\n", 1367 __func__, ether_sprintf(wh->i_addr2))); 1368 IEEE80211_SEND_MGMT(ic, ni, resp, 1369 IEEE80211_STATUS_BASIC_RATE); 1370 ieee80211_node_leave(ic, ni); 1371 ic->ic_stats.is_rx_assoc_norate++; 1372 return; 1373 } 1374 ni->ni_rssi = rssi; 1375 ni->ni_rstamp = rstamp; 1376 ni->ni_intval = bintval; 1377 ni->ni_capinfo = capinfo; 1378 ni->ni_chan = ic->ic_bss->ni_chan; 1379 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell; 1380 ni->ni_fhindex = ic->ic_bss->ni_fhindex; 1381 ieee80211_node_join(ic, ni, resp); 1382 break; 1383 } 1384 1385 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 1386 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: { 1387 u_int16_t status; 1388 1389 if (ic->ic_opmode != IEEE80211_M_STA || 1390 ic->ic_state != IEEE80211_S_ASSOC) { 1391 ic->ic_stats.is_rx_mgtdiscard++; 1392 return; 1393 } 1394 1395 /* 1396 * asresp frame format 1397 * [2] capability information 1398 * [2] status 1399 * [2] association ID 1400 * [tlv] supported rates 1401 * [tlv] extended supported rates 1402 */ 1403 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 1404 ni = ic->ic_bss; 1405 ni->ni_capinfo = le16toh(*(u_int16_t *)frm); 1406 frm += 2; 1407 1408 status = le16toh(*(u_int16_t *)frm); 1409 frm += 2; 1410 if (status != 0) { 1411 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1412 ("%sassociation failed (reason %d) for %s\n", 1413 ISREASSOC(subtype) ? "re" : "", 1414 status, ether_sprintf(wh->i_addr3))); 1415 if (ni != ic->ic_bss) 1416 ni->ni_fails++; 1417 ic->ic_stats.is_rx_auth_fail++; 1418 return; 1419 } 1420 ni->ni_associd = le16toh(*(u_int16_t *)frm); 1421 frm += 2; 1422 1423 rates = xrates = NULL; 1424 while (frm < efrm) { 1425 switch (*frm) { 1426 case IEEE80211_ELEMID_RATES: 1427 rates = frm; 1428 break; 1429 case IEEE80211_ELEMID_XRATES: 1430 xrates = frm; 1431 break; 1432 } 1433 frm += frm[1] + 2; 1434 } 1435 1436 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 1437 ieee80211_setup_rates(ic, ni, rates, xrates, 1438 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 1439 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 1440 if (ni->ni_rates.rs_nrates != 0) 1441 ieee80211_new_state(ic, IEEE80211_S_RUN, 1442 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1443 break; 1444 } 1445 1446 case IEEE80211_FC0_SUBTYPE_DEAUTH: { 1447 u_int16_t reason; 1448 /* 1449 * deauth frame format 1450 * [2] reason 1451 */ 1452 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 1453 reason = le16toh(*(u_int16_t *)frm); 1454 ic->ic_stats.is_rx_deauth++; 1455 switch (ic->ic_opmode) { 1456 case IEEE80211_M_STA: 1457 ieee80211_new_state(ic, IEEE80211_S_AUTH, 1458 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1459 break; 1460 case IEEE80211_M_HOSTAP: 1461 if (ni != ic->ic_bss) { 1462 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 1463 ("station %s deauthenticated by " 1464 "peer (reason %d)\n", 1465 ether_sprintf(ni->ni_macaddr), reason)); 1466 ieee80211_node_leave(ic, ni); 1467 } 1468 break; 1469 default: 1470 break; 1471 } 1472 break; 1473 } 1474 1475 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 1476 u_int16_t reason; 1477 /* 1478 * disassoc frame format 1479 * [2] reason 1480 */ 1481 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 1482 reason = le16toh(*(u_int16_t *)frm); 1483 ic->ic_stats.is_rx_disassoc++; 1484 switch (ic->ic_opmode) { 1485 case IEEE80211_M_STA: 1486 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1487 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1488 break; 1489 case IEEE80211_M_HOSTAP: 1490 if (ni != ic->ic_bss) { 1491 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1492 ("station %s disassociated by " 1493 "peer (reason %d)\n", 1494 ether_sprintf(ni->ni_macaddr), reason)); 1495 ieee80211_node_leave(ic, ni); 1496 } 1497 break; 1498 default: 1499 break; 1500 } 1501 break; 1502 } 1503 default: 1504 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1505 ("%s: mgmt frame with subtype 0x%x not handled\n", 1506 __func__, subtype)); 1507 ic->ic_stats.is_rx_badsubtype++; 1508 break; 1509 } 1510 } 1511 1512 static void 1513 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m0, int rssi, 1514 u_int32_t rstamp) 1515 { 1516 struct ifnet *ifp = &ic->ic_if; 1517 struct ieee80211_frame *wh; 1518 struct ieee80211_node *ni; 1519 struct mbuf *m; 1520 u_int16_t aid; 1521 1522 if (ic->ic_set_tim == NULL) /* No powersaving functionality */ 1523 return; 1524 1525 wh = mtod(m0, struct ieee80211_frame *); 1526 1527 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1528 if (ifp->if_flags & IFF_DEBUG) 1529 printf("%s: station %s sent bogus power save poll\n", 1530 ifp->if_xname, ether_sprintf(wh->i_addr2)); 1531 return; 1532 } 1533 1534 memcpy(&aid, wh->i_dur, sizeof(wh->i_dur)); 1535 if ((aid & 0xc000) != 0xc000) { 1536 if (ifp->if_flags & IFF_DEBUG) 1537 printf("%s: station %s sent bogus aid %x\n", 1538 ifp->if_xname, ether_sprintf(wh->i_addr2), aid); 1539 return; 1540 } 1541 1542 if (aid != ni->ni_associd) { 1543 if (ifp->if_flags & IFF_DEBUG) 1544 printf("%s: station %s aid %x doesn't match pspoll " 1545 "aid %x\n", 1546 ifp->if_xname, ether_sprintf(wh->i_addr2), 1547 ni->ni_associd, aid); 1548 return; 1549 } 1550 1551 /* Okay, take the first queued packet and put it out... */ 1552 1553 IF_DEQUEUE(&ni->ni_savedq, m); 1554 if (m == NULL) { 1555 if (ifp->if_flags & IFF_DEBUG) 1556 printf("%s: station %s sent pspoll, " 1557 "but no packets are saved\n", 1558 ifp->if_xname, ether_sprintf(wh->i_addr2)); 1559 return; 1560 } 1561 wh = mtod(m, struct ieee80211_frame *); 1562 1563 /* 1564 * If this is the last packet, turn off the TIM fields. 1565 * If there are more packets, set the more packets bit. 1566 */ 1567 1568 if (IF_IS_EMPTY(&ni->ni_savedq)) { 1569 if (ic->ic_set_tim) 1570 ic->ic_set_tim(ic, ni->ni_associd, 0); 1571 } else { 1572 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 1573 } 1574 1575 if (ifp->if_flags & IFF_DEBUG) 1576 printf("%s: enqueued power saving packet for station %s\n", 1577 ifp->if_xname, ether_sprintf(ni->ni_macaddr)); 1578 1579 IF_ENQUEUE(&ic->ic_pwrsaveq, m); 1580 (*ifp->if_start)(ifp); 1581 } 1582 1583 static int 1584 do_slow_print(struct ieee80211com *ic, int *did_print) 1585 { 1586 if ((ic->ic_if.if_flags & IFF_LINK0) == 0) 1587 return 0; 1588 if (!*did_print && (ic->ic_if.if_flags & IFF_DEBUG) == 0 && 1589 !ratecheck(&ic->ic_last_merge_print, &ieee80211_merge_print_intvl)) 1590 return 0; 1591 1592 *did_print = 1; 1593 return 1; 1594 } 1595 1596 /* ieee80211_ibss_merge helps merge 802.11 ad hoc networks. The 1597 * convention, set by the Wireless Ethernet Compatibility Alliance 1598 * (WECA), is that an 802.11 station will change its BSSID to match 1599 * the "oldest" 802.11 ad hoc network, on the same channel, that 1600 * has the station's desired SSID. The "oldest" 802.11 network 1601 * sends beacons with the greatest TSF timestamp. 1602 * 1603 * Return ENETRESET if the BSSID changed, 0 otherwise. 1604 * 1605 * XXX Perhaps we should compensate for the time that elapses 1606 * between the MAC receiving the beacon and the host processing it 1607 * in ieee80211_ibss_merge. 1608 */ 1609 int 1610 ieee80211_ibss_merge(struct ieee80211com *ic, struct ieee80211_node *ni, 1611 uint64_t local_tsft) 1612 { 1613 uint64_t beacon_tsft; 1614 int did_print = 0, sign; 1615 union { 1616 uint64_t word; 1617 uint8_t tstamp[8]; 1618 } u; 1619 1620 /* ensure alignment */ 1621 (void)memcpy(&u, &ni->ni_tstamp[0], sizeof(u)); 1622 beacon_tsft = le64toh(u.word); 1623 1624 /* we are faster, let the other guy catch up */ 1625 if (beacon_tsft < local_tsft) 1626 sign = -1; 1627 else 1628 sign = 1; 1629 1630 if (memcmp(ni->ni_bssid, ic->ic_bss->ni_bssid, 1631 IEEE80211_ADDR_LEN) == 0) { 1632 if (!do_slow_print(ic, &did_print)) 1633 return 0; 1634 printf("%s: tsft offset %s%" PRIu64 "\n", ic->ic_if.if_xname, 1635 (sign < 0) ? "-" : "", 1636 (sign < 0) 1637 ? (local_tsft - beacon_tsft) 1638 : (beacon_tsft - local_tsft)); 1639 return 0; 1640 } 1641 1642 if (sign < 0) 1643 return 0; 1644 1645 if (ieee80211_match_bss(ic, ni) != 0) 1646 return 0; 1647 1648 if (do_slow_print(ic, &did_print)) { 1649 printf("%s: atw_recv_beacon: bssid mismatch %s\n", 1650 ic->ic_if.if_xname, ether_sprintf(ni->ni_bssid)); 1651 printf("%s: my tsft %" PRIu64 " beacon tsft %" PRIu64 "\n", 1652 ic->ic_if.if_xname, local_tsft, beacon_tsft); 1653 printf("%s: sync TSF with %s\n", 1654 ic->ic_if.if_xname, ether_sprintf(ni->ni_macaddr)); 1655 } 1656 1657 ic->ic_flags &= ~IEEE80211_F_SIBSS; 1658 1659 /* negotiate rates with new IBSS */ 1660 ieee80211_fix_rate(ic, ni, IEEE80211_F_DOFRATE | 1661 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 1662 if (ni->ni_rates.rs_nrates == 0) { 1663 if (do_slow_print(ic, &did_print)) { 1664 printf("%s: rates mismatch, BSSID %s\n", 1665 ic->ic_if.if_xname, ether_sprintf(ni->ni_bssid)); 1666 } 1667 return 0; 1668 } 1669 1670 if (do_slow_print(ic, &did_print)) { 1671 printf("%s: sync BSSID %s -> ", 1672 ic->ic_if.if_xname, ether_sprintf(ic->ic_bss->ni_bssid)); 1673 printf("%s ", ether_sprintf(ni->ni_bssid)); 1674 printf("(from %s)\n", ether_sprintf(ni->ni_macaddr)); 1675 } 1676 1677 (*ic->ic_node_copy)(ic, ic->ic_bss, ni); 1678 1679 return ENETRESET; 1680 } 1681 #undef IEEE80211_VERIFY_LENGTH 1682 #undef IEEE80211_VERIFY_ELEMENT 1683
Indexes created Tue Sep 23 07:09:52 GMT 2025