1
/*-
2
 * SPDX-License-Identifier: BSD-2-Clause
3
 *
4
 * Copyright (c) 2007-2009 Sam Leffler, Errno Consulting
5
 * All rights reserved.
6
 *
7
 * Redistribution and use in source and binary forms, with or without
8
 * modification, are permitted provided that the following conditions
9
 * are met:
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 * 2. Redistributions in binary form must reproduce the above copyright
13
 *    notice, this list of conditions and the following disclaimer in the
14
 *    documentation and/or other materials provided with the distribution.
15
 *
16
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26
 */
27

28
/*
29
 * IEEE 802.11 IBSS mode support.
30
 */
31
#include "opt_inet.h"
32
#include "opt_wlan.h"
33

34
#include <sys/param.h>
35
#include <sys/systm.h> 
36
#include <sys/mbuf.h>   
37
#include <sys/malloc.h>
38
#include <sys/kernel.h>
39

40
#include <sys/socket.h>
41
#include <sys/sockio.h>
42
#include <sys/endian.h>
43
#include <sys/errno.h>
44
#include <sys/proc.h>
45
#include <sys/sysctl.h>
46

47
#include <net/if.h>
48
#include <net/if_var.h>
49
#include <net/if_media.h>
50
#include <net/if_llc.h>
51
#include <net/ethernet.h>
52

53
#include <net/bpf.h>
54

55
#include <net80211/ieee80211_var.h>
56
#include <net80211/ieee80211_adhoc.h>
57
#include <net80211/ieee80211_input.h>
58
#ifdef IEEE80211_SUPPORT_SUPERG
59
#include <net80211/ieee80211_superg.h>
60
#endif
61
#ifdef IEEE80211_SUPPORT_TDMA
62
#include <net80211/ieee80211_tdma.h>
63
#endif
64
#include <net80211/ieee80211_sta.h>
65

66
#define	IEEE80211_RATE2MBS(r)	(((r) & IEEE80211_RATE_VAL) / 2)
67

68
static	void adhoc_vattach(struct ieee80211vap *);
69
static	int adhoc_newstate(struct ieee80211vap *, enum ieee80211_state, int);
70
static int adhoc_input(struct ieee80211_node *, struct mbuf *,
71
	    const struct ieee80211_rx_stats *, int, int);
72
static void adhoc_recv_mgmt(struct ieee80211_node *, struct mbuf *,
73
	int subtype, const struct ieee80211_rx_stats *, int, int);
74
static void ahdemo_recv_mgmt(struct ieee80211_node *, struct mbuf *,
75
	    int subtype, const struct ieee80211_rx_stats *rxs, int, int);
76
static void adhoc_recv_ctl(struct ieee80211_node *, struct mbuf *, int subtype);
77

78
void
79
ieee80211_adhoc_attach(struct ieee80211com *ic)
80
{
81
	ic->ic_vattach[IEEE80211_M_IBSS] = adhoc_vattach;
82
	ic->ic_vattach[IEEE80211_M_AHDEMO] = adhoc_vattach;
83
}
84

85
void
86
ieee80211_adhoc_detach(struct ieee80211com *ic)
87
{
88
}
89

90
static void
91
adhoc_vdetach(struct ieee80211vap *vap)
92
{
93
}
94

95
static void
96
adhoc_vattach(struct ieee80211vap *vap)
97
{
98
	vap->iv_newstate = adhoc_newstate;
99
	vap->iv_input = adhoc_input;
100
	if (vap->iv_opmode == IEEE80211_M_IBSS)
101
		vap->iv_recv_mgmt = adhoc_recv_mgmt;
102
	else
103
		vap->iv_recv_mgmt = ahdemo_recv_mgmt;
104
	vap->iv_recv_ctl = adhoc_recv_ctl;
105
	vap->iv_opdetach = adhoc_vdetach;
106
#ifdef IEEE80211_SUPPORT_TDMA
107
	/*
108
	 * Throw control to tdma support.  Note we do this
109
	 * after setting up our callbacks so it can piggyback
110
	 * on top of us.
111
	 */
112
	if (vap->iv_caps & IEEE80211_C_TDMA)
113
		ieee80211_tdma_vattach(vap);
114
#endif
115
}
116

117
static void
118
sta_leave(void *arg, struct ieee80211_node *ni)
119
{
120
	struct ieee80211vap *vap = ni->ni_vap;
121

122
	if (ni != vap->iv_bss)
123
		ieee80211_node_leave(ni);
124
}
125

126
/*
127
 * IEEE80211_M_IBSS+IEEE80211_M_AHDEMO vap state machine handler.
128
 */
129
static int
130
adhoc_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
131
{
132
	struct ieee80211com *ic = vap->iv_ic;
133
	struct ieee80211_node *ni;
134
	enum ieee80211_state ostate;
135

136
	IEEE80211_LOCK_ASSERT(vap->iv_ic);
137

138
	ostate = vap->iv_state;
139
	IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
140
	    __func__, ieee80211_state_name[ostate],
141
	    ieee80211_state_name[nstate], arg);
142
	vap->iv_state = nstate;			/* state transition */
143
	if (ostate != IEEE80211_S_SCAN)
144
		ieee80211_cancel_scan(vap);	/* background scan */
145
	ni = vap->iv_bss;			/* NB: no reference held */
146
	switch (nstate) {
147
	case IEEE80211_S_INIT:
148
		switch (ostate) {
149
		case IEEE80211_S_SCAN:
150
			ieee80211_cancel_scan(vap);
151
			break;
152
		default:
153
			break;
154
		}
155
		if (ostate != IEEE80211_S_INIT) {
156
			/* NB: optimize INIT -> INIT case */
157
			ieee80211_reset_bss(vap);
158
		}
159
		break;
160
	case IEEE80211_S_SCAN:
161
		switch (ostate) {
162
		case IEEE80211_S_RUN:		/* beacon miss */
163
			/* purge station table; entries are stale */
164
			ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
165
			    sta_leave, NULL);
166
			/* fall thru... */
167
		case IEEE80211_S_INIT:
168
			if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
169
			    !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
170
				/*
171
				 * Already have a channel; bypass the
172
				 * scan and startup immediately.
173
				 */
174
				ieee80211_create_ibss(vap,
175
				    ieee80211_ht_adjust_channel(ic,
176
				    vap->iv_des_chan, vap->iv_flags_ht));
177
				break;
178
			}
179
			/*
180
			 * Initiate a scan.  We can come here as a result
181
			 * of an IEEE80211_IOC_SCAN_REQ too in which case
182
			 * the vap will be marked with IEEE80211_FEXT_SCANREQ
183
			 * and the scan request parameters will be present
184
			 * in iv_scanreq.  Otherwise we do the default.
185
			 */
186
			if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
187
				ieee80211_check_scan(vap,
188
				    vap->iv_scanreq_flags,
189
				    vap->iv_scanreq_duration,
190
				    vap->iv_scanreq_mindwell,
191
				    vap->iv_scanreq_maxdwell,
192
				    vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
193
				vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
194
			} else
195
				ieee80211_check_scan_current(vap);
196
			break;
197
		case IEEE80211_S_SCAN:
198
			/*
199
			 * This can happen because of a change in state
200
			 * that requires a reset.  Trigger a new scan
201
			 * unless we're in manual roaming mode in which
202
			 * case an application must issue an explicit request.
203
			 */
204
			if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
205
				ieee80211_check_scan_current(vap);
206
			break;
207
		default:
208
			goto invalid;
209
		}
210
		break;
211
	case IEEE80211_S_RUN:
212
		if (vap->iv_flags & IEEE80211_F_WPA) {
213
			/* XXX validate prerequisites */
214
		}
215
		switch (ostate) {
216
		case IEEE80211_S_INIT:
217
			/*
218
			 * Already have a channel; bypass the
219
			 * scan and startup immediately.
220
			 * Note that ieee80211_create_ibss will call
221
			 * back to do a RUN->RUN state change.
222
			 */
223
			ieee80211_create_ibss(vap,
224
			    ieee80211_ht_adjust_channel(ic,
225
				ic->ic_curchan, vap->iv_flags_ht));
226
			/* NB: iv_bss is changed on return */
227
			ni = vap->iv_bss;
228
			break;
229
		case IEEE80211_S_SCAN:
230
#ifdef IEEE80211_DEBUG
231
			if (ieee80211_msg_debug(vap)) {
232
				ieee80211_note(vap,
233
				    "synchronized with %s ssid ",
234
				    ether_sprintf(ni->ni_bssid));
235
				ieee80211_print_essid(vap->iv_bss->ni_essid,
236
				    ni->ni_esslen);
237
				net80211_printf(" channel %d start %uMbit/s\n",
238
				    ieee80211_chan2ieee(ic, ic->ic_curchan),
239
				    ieee80211_node_get_txrate_kbit(ni) / 1000);
240
			}
241
#endif
242
			break;
243
		case IEEE80211_S_RUN:	/* IBSS merge */
244
			break;
245
		default:
246
			goto invalid;
247
		}
248
		/*
249
		 * When 802.1x is not in use mark the port authorized
250
		 * at this point so traffic can flow.
251
		 */
252
		if (ni->ni_authmode != IEEE80211_AUTH_8021X)
253
			ieee80211_node_authorize(ni);
254
		/*
255
		 * Fake association when joining an existing bss.
256
		 */
257
		if (!IEEE80211_ADDR_EQ(ni->ni_macaddr, vap->iv_myaddr) &&
258
		    ic->ic_newassoc != NULL)
259
			ic->ic_newassoc(ni, ostate != IEEE80211_S_RUN);
260
		break;
261
	case IEEE80211_S_SLEEP:
262
		vap->iv_sta_ps(vap, 0);
263
		break;
264
	default:
265
	invalid:
266
		IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE,
267
		    "%s: unexpected state transition %s -> %s\n", __func__,
268
		    ieee80211_state_name[ostate], ieee80211_state_name[nstate]);
269
		break;
270
	}
271
	return 0;
272
}
273

274
/*
275
 * Decide if a received management frame should be
276
 * printed when debugging is enabled.  This filters some
277
 * of the less interesting frames that come frequently
278
 * (e.g. beacons).
279
 */
280
static __inline int
281
doprint(struct ieee80211vap *vap, int subtype)
282
{
283
	switch (subtype) {
284
	case IEEE80211_FC0_SUBTYPE_BEACON:
285
		return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
286
	case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
287
		return 1;
288
	}
289
	return 1;
290
}
291

292
/*
293
 * Process a received frame.  The node associated with the sender
294
 * should be supplied.  If nothing was found in the node table then
295
 * the caller is assumed to supply a reference to iv_bss instead.
296
 * The RSSI and a timestamp are also supplied.  The RSSI data is used
297
 * during AP scanning to select a AP to associate with; it can have
298
 * any units so long as values have consistent units and higher values
299
 * mean ``better signal''.  The receive timestamp is currently not used
300
 * by the 802.11 layer.
301
 */
302
static int
303
adhoc_input(struct ieee80211_node *ni, struct mbuf *m,
304
    const struct ieee80211_rx_stats *rxs, int rssi, int nf)
305
{
306
	struct ieee80211vap *vap = ni->ni_vap;
307
	struct ieee80211com *ic = ni->ni_ic;
308
	struct ifnet *ifp = vap->iv_ifp;
309
	struct ieee80211_frame *wh;
310
	struct ieee80211_key *key;
311
	struct ether_header *eh;
312
	int hdrspace, need_tap = 1;	/* mbuf need to be tapped. */	
313
	uint8_t dir, type, subtype, qos;
314
	uint8_t *bssid;
315
	int is_hw_decrypted = 0;
316
	int has_decrypted = 0;
317

318
	/*
319
	 * Some devices do hardware decryption all the way through
320
	 * to pretending the frame wasn't encrypted in the first place.
321
	 * So, tag it appropriately so it isn't discarded inappropriately.
322
	 */
323
	if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED))
324
		is_hw_decrypted = 1;
325

326
	if (m->m_flags & M_AMPDU_MPDU) {
327
		/*
328
		 * Fastpath for A-MPDU reorder q resubmission.  Frames
329
		 * w/ M_AMPDU_MPDU marked have already passed through
330
		 * here but were received out of order and been held on
331
		 * the reorder queue.  When resubmitted they are marked
332
		 * with the M_AMPDU_MPDU flag and we can bypass most of
333
		 * the normal processing.
334
		 */
335
		wh = mtod(m, struct ieee80211_frame *);
336
		type = IEEE80211_FC0_TYPE_DATA;
337
		dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
338
		subtype = IEEE80211_FC0_SUBTYPE_QOS_DATA;
339
		hdrspace = ieee80211_hdrspace(ic, wh);	/* XXX optimize? */
340
		goto resubmit_ampdu;
341
	}
342

343
	KASSERT(ni != NULL, ("null node"));
344
	ni->ni_inact = ni->ni_inact_reload;
345

346
	type = -1;			/* undefined */
347

348
	if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
349
		IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
350
		    ni->ni_macaddr, NULL,
351
		    "too short (1): len %u", m->m_pkthdr.len);
352
		vap->iv_stats.is_rx_tooshort++;
353
		goto out;
354
	}
355
	/*
356
	 * Bit of a cheat here, we use a pointer for a 3-address
357
	 * frame format but don't reference fields past outside
358
	 * ieee80211_frame_min w/o first validating the data is
359
	 * present.
360
	 */
361
	wh = mtod(m, struct ieee80211_frame *);
362

363
	if (!IEEE80211_IS_FC0_CHECK_VER(wh, IEEE80211_FC0_VERSION_0)) {
364
		IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
365
		    ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
366
		    wh->i_fc[0], wh->i_fc[1]);
367
		vap->iv_stats.is_rx_badversion++;
368
		goto err;
369
	}
370

371
	dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
372
	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
373
	subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
374
	if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
375
		if (dir != IEEE80211_FC1_DIR_NODS)
376
			bssid = wh->i_addr1;
377
		else if (type == IEEE80211_FC0_TYPE_CTL)
378
			bssid = wh->i_addr1;
379
		else {
380
			if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
381
				IEEE80211_DISCARD_MAC(vap,
382
				    IEEE80211_MSG_ANY, ni->ni_macaddr,
383
				    NULL, "too short (2): len %u",
384
				    m->m_pkthdr.len);
385
				vap->iv_stats.is_rx_tooshort++;
386
				goto out;
387
			}
388
			bssid = wh->i_addr3;
389
		}
390
		/*
391
		 * Validate the bssid.
392
		 */
393
		if (!(type == IEEE80211_FC0_TYPE_MGT &&
394
		     (subtype == IEEE80211_FC0_SUBTYPE_BEACON ||
395
		      subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP)) &&
396
		    !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
397
		    !IEEE80211_ADDR_EQ(bssid,
398
		        ieee80211_vap_get_broadcast_address(vap))) {
399
			/* not interested in */
400
			IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
401
			    bssid, NULL, "%s", "not to bss");
402
			vap->iv_stats.is_rx_wrongbss++;
403
			goto out;
404
		}
405
		/*
406
		 * Data frame, cons up a node when it doesn't
407
		 * exist. This should probably done after an ACL check.
408
		 */
409
		if (type == IEEE80211_FC0_TYPE_DATA &&
410
		    ni == vap->iv_bss &&
411
		    !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
412
			/*
413
			 * Beware of frames that come in too early; we
414
			 * can receive broadcast frames and creating sta
415
			 * entries will blow up because there is no bss
416
			 * channel yet.
417
			 */
418
			if (vap->iv_state != IEEE80211_S_RUN) {
419
				IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
420
				    wh, "data", "not in RUN state (%s)",
421
				    ieee80211_state_name[vap->iv_state]);
422
				vap->iv_stats.is_rx_badstate++;
423
				goto err;
424
			}
425
			/*
426
			 * Fake up a node for this newly discovered member
427
			 * of the IBSS.
428
			 *
429
			 * Note: This doesn't "upgrade" the node to 11n;
430
			 * that will happen after a probe request/response
431
			 * exchange.
432
			 */
433
			ni = ieee80211_fakeup_adhoc_node(vap, wh->i_addr2);
434
			if (ni == NULL) {
435
				/* NB: stat kept for alloc failure */
436
				goto err;
437
			}
438
		}
439
		IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
440
		ni->ni_noise = nf;
441
		if (IEEE80211_HAS_SEQ(type, subtype) &&
442
		    IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
443
			uint8_t tid = ieee80211_gettid(wh);
444
			if (IEEE80211_QOS_HAS_SEQ(wh) &&
445
			    TID_TO_WME_AC(tid) >= WME_AC_VI)
446
				ic->ic_wme.wme_hipri_traffic++;
447
			if (! ieee80211_check_rxseq(ni, wh, bssid, rxs))
448
				goto out;
449
		}
450
	}
451

452
	switch (type) {
453
	case IEEE80211_FC0_TYPE_DATA:
454
		hdrspace = ieee80211_hdrspace(ic, wh);
455
		if (m->m_len < hdrspace &&
456
		    (m = m_pullup(m, hdrspace)) == NULL) {
457
			IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
458
			    ni->ni_macaddr, NULL,
459
			    "data too short: expecting %u", hdrspace);
460
			vap->iv_stats.is_rx_tooshort++;
461
			goto out;		/* XXX */
462
		}
463
		if (dir != IEEE80211_FC1_DIR_NODS) {
464
			IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
465
			    wh, "data", "incorrect dir 0x%x", dir);
466
			vap->iv_stats.is_rx_wrongdir++;
467
			goto out;
468
		}
469
		/* XXX no power-save support */
470

471
		/*
472
		 * Handle A-MPDU re-ordering.  If the frame is to be
473
		 * processed directly then ieee80211_ampdu_reorder
474
		 * will return 0; otherwise it has consumed the mbuf
475
		 * and we should do nothing more with it.
476
		 */
477
		if ((m->m_flags & M_AMPDU) &&
478
		    ieee80211_ampdu_reorder(ni, m, rxs) != 0) {
479
			m = NULL;
480
			goto out;
481
		}
482
	resubmit_ampdu:
483

484
		/*
485
		 * Handle privacy requirements.  Note that we
486
		 * must not be preempted from here until after
487
		 * we (potentially) call ieee80211_crypto_demic;
488
		 * otherwise we may violate assumptions in the
489
		 * crypto cipher modules used to do delayed update
490
		 * of replay sequence numbers.
491
		 */
492
		if (is_hw_decrypted || IEEE80211_IS_PROTECTED(wh)) {
493
			if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
494
				/*
495
				 * Discard encrypted frames when privacy is off.
496
				 */
497
				IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
498
				    wh, "WEP", "%s", "PRIVACY off");
499
				vap->iv_stats.is_rx_noprivacy++;
500
				IEEE80211_NODE_STAT(ni, rx_noprivacy);
501
				goto out;
502
			}
503
			if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
504
				/* NB: stats+msgs handled in crypto_decap */
505
				IEEE80211_NODE_STAT(ni, rx_wepfail);
506
				goto out;
507
			}
508
			wh = mtod(m, struct ieee80211_frame *);
509
			wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
510
			has_decrypted = 1;
511
		} else {
512
			/* XXX M_WEP and IEEE80211_F_PRIVACY */
513
			key = NULL;
514
		}
515

516
		/*
517
		 * Save QoS bits for use below--before we strip the header.
518
		 */
519
		if (subtype == IEEE80211_FC0_SUBTYPE_QOS_DATA)
520
			qos = ieee80211_getqos(wh)[0];
521
		else
522
			qos = 0;
523

524
		/*
525
		 * Next up, any fragmentation.
526
		 */
527
		if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
528
			m = ieee80211_defrag(ni, m, hdrspace, has_decrypted);
529
			if (m == NULL) {
530
				/* Fragment dropped or frame not complete yet */
531
				goto out;
532
			}
533
		}
534
		wh = NULL;		/* no longer valid, catch any uses */
535

536
		/*
537
		 * Next strip any MSDU crypto bits.
538
		 */
539
		if (!ieee80211_crypto_demic(vap, key, m, 0)) {
540
			IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
541
			    ni->ni_macaddr, "data", "%s", "demic error");
542
			vap->iv_stats.is_rx_demicfail++;
543
			IEEE80211_NODE_STAT(ni, rx_demicfail);
544
			goto out;
545
		}
546

547
		/* copy to listener after decrypt */
548
		if (ieee80211_radiotap_active_vap(vap))
549
			ieee80211_radiotap_rx(vap, m);
550
		need_tap = 0;
551

552
		/*
553
		 * Finally, strip the 802.11 header.
554
		 */
555
		m = ieee80211_decap(vap, m, hdrspace, qos);
556
		if (m == NULL) {
557
			/* XXX mask bit to check for both */
558
			/* don't count Null data frames as errors */
559
			if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
560
			    subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
561
				goto out;
562
			IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
563
			    ni->ni_macaddr, "data", "%s", "decap error");
564
			vap->iv_stats.is_rx_decap++;
565
			IEEE80211_NODE_STAT(ni, rx_decap);
566
			goto err;
567
		}
568
		if (!(qos & IEEE80211_QOS_AMSDU))
569
			eh = mtod(m, struct ether_header *);
570
		else
571
			eh = NULL;
572
		if (!ieee80211_node_is_authorized(ni)) {
573
			/*
574
			 * Deny any non-PAE frames received prior to
575
			 * authorization.  For open/shared-key
576
			 * authentication the port is mark authorized
577
			 * after authentication completes.  For 802.1x
578
			 * the port is not marked authorized by the
579
			 * authenticator until the handshake has completed.
580
			 */
581
			if (eh == NULL ||
582
			    eh->ether_type != htons(ETHERTYPE_PAE)) {
583
				IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
584
				    ni->ni_macaddr, "data", "unauthorized or "
585
				    "unknown port: ether type 0x%x len %u",
586
				    eh == NULL ? -1 : eh->ether_type,
587
				    m->m_pkthdr.len);
588
				vap->iv_stats.is_rx_unauth++;
589
				IEEE80211_NODE_STAT(ni, rx_unauth);
590
				goto err;
591
			}
592
		} else {
593
			/*
594
			 * When denying unencrypted frames, discard
595
			 * any non-PAE frames received without encryption.
596
			 */
597
			if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
598
			    ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) &&
599
			    (is_hw_decrypted == 0) &&
600
			    (eh == NULL ||
601
			     eh->ether_type != htons(ETHERTYPE_PAE))) {
602
				/*
603
				 * Drop unencrypted frames.
604
				 */
605
				vap->iv_stats.is_rx_unencrypted++;
606
				IEEE80211_NODE_STAT(ni, rx_unencrypted);
607
				goto out;
608
			}
609
		}
610
		/* XXX require HT? */
611
		if (qos & IEEE80211_QOS_AMSDU) {
612
			m = ieee80211_decap_amsdu(ni, m);
613
			if (m == NULL)
614
				return IEEE80211_FC0_TYPE_DATA;
615
		} else {
616
#ifdef IEEE80211_SUPPORT_SUPERG
617
			m = ieee80211_decap_fastframe(vap, ni, m);
618
			if (m == NULL)
619
				return IEEE80211_FC0_TYPE_DATA;
620
#endif
621
		}
622
		if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
623
			ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
624
		else
625
			ieee80211_deliver_data(vap, ni, m);
626
		return IEEE80211_FC0_TYPE_DATA;
627

628
	case IEEE80211_FC0_TYPE_MGT:
629
		vap->iv_stats.is_rx_mgmt++;
630
		IEEE80211_NODE_STAT(ni, rx_mgmt);
631
		if (dir != IEEE80211_FC1_DIR_NODS) {
632
			IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
633
			    wh, "data", "incorrect dir 0x%x", dir);
634
			vap->iv_stats.is_rx_wrongdir++;
635
			goto err;
636
		}
637
		if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
638
			IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
639
			    ni->ni_macaddr, "mgt", "too short: len %u",
640
			    m->m_pkthdr.len);
641
			vap->iv_stats.is_rx_tooshort++;
642
			goto out;
643
		}
644
#ifdef IEEE80211_DEBUG
645
		if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
646
		    ieee80211_msg_dumppkts(vap)) {
647
			net80211_vap_printf(vap,
648
			    "received %s from %s rssi %d\n",
649
			    ieee80211_mgt_subtype_name(subtype),
650
			    ether_sprintf(wh->i_addr2), rssi);
651
		}
652
#endif
653
		if (IEEE80211_IS_PROTECTED(wh)) {
654
			IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
655
			    wh, NULL, "%s", "WEP set but not permitted");
656
			vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
657
			goto out;
658
		}
659
		vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf);
660
		goto out;
661

662
	case IEEE80211_FC0_TYPE_CTL:
663
		vap->iv_stats.is_rx_ctl++;
664
		IEEE80211_NODE_STAT(ni, rx_ctrl);
665
		if (ieee80211_is_ctl_frame_for_vap(ni, m))
666
			vap->iv_recv_ctl(ni, m, subtype);
667
		goto out;
668

669
	default:
670
		IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
671
		    wh, "bad", "frame type 0x%x", type);
672
		/* should not come here */
673
		break;
674
	}
675
err:
676
	if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
677
out:
678
	if (m != NULL) {
679
		if (need_tap && ieee80211_radiotap_active_vap(vap))
680
			ieee80211_radiotap_rx(vap, m);
681
		m_freem(m);
682
	}
683
	return type;
684
}
685

686
static int
687
is11bclient(const uint8_t *rates, const uint8_t *xrates)
688
{
689
	static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
690
	int i;
691

692
	/* NB: the 11b clients we care about will not have xrates */
693
	if (xrates != NULL || rates == NULL)
694
		return 0;
695
	for (i = 0; i < rates[1]; i++) {
696
		int r = rates[2+i] & IEEE80211_RATE_VAL;
697
		if (r > 2*11 || ((1<<r) & brates) == 0)
698
			return 0;
699
	}
700
	return 1;
701
}
702

703
static void
704
adhoc_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
705
	int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf)
706
{
707
	struct ieee80211vap *vap = ni->ni_vap;
708
	struct ieee80211com *ic = ni->ni_ic;
709
	struct ieee80211_channel *rxchan = ic->ic_curchan;
710
	struct ieee80211_frame *wh;
711
	uint8_t *frm, *efrm;
712
	uint8_t *ssid, *rates, *xrates;
713
#if 0
714
	int ht_state_change = 0;
715
#endif
716

717
	wh = mtod(m0, struct ieee80211_frame *);
718
	frm = (uint8_t *)&wh[1];
719
	efrm = mtod(m0, uint8_t *) + m0->m_len;
720

721
	IEEE80211_DPRINTF(vap, IEEE80211_MSG_INPUT | IEEE80211_MSG_DEBUG,
722
	    "%s: recv mgmt frame, addr2=%6D, ni=%p (%6D) fc=%.02x %.02x\n",
723
	    __func__,
724
	    wh->i_addr2, ":",
725
	    ni,
726
	    ni->ni_macaddr, ":",
727
	    wh->i_fc[0],
728
	    wh->i_fc[1]);
729
	switch (subtype) {
730
	case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
731
	case IEEE80211_FC0_SUBTYPE_BEACON: {
732
		struct ieee80211_scanparams scan;
733
		struct ieee80211_channel *c;
734
		/*
735
		 * We process beacon/probe response
736
		 * frames to discover neighbors.
737
		 */ 
738
		if (rxs != NULL) {
739
			c = ieee80211_lookup_channel_rxstatus(vap, rxs);
740
			if (c != NULL)
741
				rxchan = c;
742
		}
743
		if (ieee80211_parse_beacon(ni, m0, rxchan, &scan) != 0)
744
			return;
745
		/*
746
		 * Count frame now that we know it's to be processed.
747
		 */
748
		if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
749
			vap->iv_stats.is_rx_beacon++;		/* XXX remove */
750
			IEEE80211_NODE_STAT(ni, rx_beacons);
751
		} else
752
			IEEE80211_NODE_STAT(ni, rx_proberesp);
753
		/*
754
		 * If scanning, just pass information to the scan module.
755
		 */
756
		if (ic->ic_flags & IEEE80211_F_SCAN) {
757
			if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) {
758
				/*
759
				 * Actively scanning a channel marked passive;
760
				 * send a probe request now that we know there
761
				 * is 802.11 traffic present.
762
				 *
763
				 * XXX check if the beacon we recv'd gives
764
				 * us what we need and suppress the probe req
765
				 */
766
				ieee80211_probe_curchan(vap, true);
767
				ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
768
			}
769
			ieee80211_add_scan(vap, rxchan, &scan, wh,
770
			    subtype, rssi, nf);
771
			return;
772
		}
773
		if (scan.capinfo & IEEE80211_CAPINFO_IBSS) {
774
			if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
775
				/*
776
				 * Create a new entry in the neighbor table.
777
				 *
778
				 * XXX TODO:
779
				 *
780
				 * Here we're not scanning; so if we have an
781
				 * SSID then make sure it matches our SSID.
782
				 * Otherwise this code will match on all IBSS
783
				 * beacons/probe requests for all SSIDs,
784
				 * filling the node table with nodes that
785
				 * aren't ours.
786
				 */
787
				if (ieee80211_ibss_node_check_new(ni, &scan)) {
788
					ni = ieee80211_add_neighbor(vap, wh, &scan);
789
					/*
790
					 * Send a probe request so we announce 11n
791
					 * capabilities.
792
					 */
793
					ieee80211_send_probereq(ni, /* node */
794
					    vap->iv_myaddr, /* SA */
795
					    ni->ni_macaddr, /* DA */
796
					    vap->iv_bss->ni_bssid, /* BSSID */
797
					    vap->iv_bss->ni_essid,
798
					    vap->iv_bss->ni_esslen); /* SSID */
799
				} else
800
					ni = NULL;
801

802
				/*
803
				 * Send a probe request so we announce 11n
804
				 * capabilities.
805
				 *
806
				 * Don't do this if we're scanning.
807
				 */
808
				if (! (ic->ic_flags & IEEE80211_F_SCAN))
809
					ieee80211_send_probereq(ni, /* node */
810
						vap->iv_myaddr, /* SA */
811
						ni->ni_macaddr, /* DA */
812
						vap->iv_bss->ni_bssid, /* BSSID */
813
						vap->iv_bss->ni_essid,
814
						vap->iv_bss->ni_esslen); /* SSID */
815

816
			} else if (ni->ni_capinfo == 0) {
817
				/*
818
				 * Update faked node created on transmit.
819
				 * Note this also updates the tsf.
820
				 */
821
				ieee80211_init_neighbor(ni, wh, &scan);
822

823
				/*
824
				 * Send a probe request so we announce 11n
825
				 * capabilities.
826
				 */
827
				ieee80211_send_probereq(ni, /* node */
828
					vap->iv_myaddr, /* SA */
829
					ni->ni_macaddr, /* DA */
830
					vap->iv_bss->ni_bssid, /* BSSID */
831
					vap->iv_bss->ni_essid,
832
					vap->iv_bss->ni_esslen); /* SSID */
833
			} else {
834
				/*
835
				 * Record tsf for potential resync.
836
				 */
837
				memcpy(ni->ni_tstamp.data, scan.tstamp,
838
					sizeof(ni->ni_tstamp));
839
			}
840
			/*
841
			 * This isn't enabled yet - otherwise it would
842
			 * update the HT parameters and channel width
843
			 * from any node, which could lead to lots of
844
			 * strange behaviour if the 11n nodes aren't
845
			 * exactly configured to match.
846
			 */
847
#if 0
848
			if (scan.htcap != NULL && scan.htinfo != NULL &&
849
			    (vap->iv_flags_ht & IEEE80211_FHT_HT)) {
850
				ieee80211_ht_updateparams(ni,
851
				    scan.htcap, scan.htinfo));
852
				if (ieee80211_ht_updateparams_final(ni,
853
				    scan.htcap, scan.htinfo))
854
					ht_state_change = 1;
855
			}
856

857
			/* XXX same for VHT? */
858
#endif
859
			if (ni != NULL) {
860
				IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
861
				ni->ni_noise = nf;
862
			}
863
			/*
864
			 * Same here - the channel width change should
865
			 * be applied to the specific peer node, not
866
			 * to the ic.  Ie, the interface configuration
867
			 * should stay in its current channel width;
868
			 * but it should change the rate control and
869
			 * any queued frames for the given node only.
870
			 *
871
			 * Since there's no (current) way to inform
872
			 * the driver that a channel width change has
873
			 * occurred for a single node, just stub this
874
			 * out.
875
			 */
876
#if 0
877
			if (ht_state_change)
878
				ieee80211_update_chw(ic);
879
#endif
880
		}
881
		break;
882
	}
883

884
	case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
885
		if (vap->iv_state != IEEE80211_S_RUN) {
886
			IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
887
			    wh, NULL, "wrong state %s",
888
			    ieee80211_state_name[vap->iv_state]);
889
			vap->iv_stats.is_rx_mgtdiscard++;
890
			return;
891
		}
892
		if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
893
			/* frame must be directed */
894
			IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
895
			    wh, NULL, "%s", "not unicast");
896
			vap->iv_stats.is_rx_mgtdiscard++;	/* XXX stat */
897
			return;
898
		}
899

900
		/*
901
		 * prreq frame format
902
		 *	[tlv] ssid
903
		 *	[tlv] supported rates
904
		 *	[tlv] extended supported rates
905
		 */
906
		ssid = rates = xrates = NULL;
907
		while (efrm - frm > 1) {
908
			IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
909
			switch (*frm) {
910
			case IEEE80211_ELEMID_SSID:
911
				ssid = frm;
912
				break;
913
			case IEEE80211_ELEMID_RATES:
914
				rates = frm;
915
				break;
916
			case IEEE80211_ELEMID_XRATES:
917
				xrates = frm;
918
				break;
919
			}
920
			frm += frm[1] + 2;
921
		}
922
		IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
923
		if (xrates != NULL)
924
			IEEE80211_VERIFY_ELEMENT(xrates,
925
				IEEE80211_RATE_MAXSIZE - rates[1], return);
926
		IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
927
		IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
928
		if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
929
			IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
930
			    wh, NULL,
931
			    "%s", "no ssid with ssid suppression enabled");
932
			vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
933
			return;
934
		}
935

936
		/* XXX find a better class or define it's own */
937
		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
938
		    "%s", "recv probe req");
939
		/*
940
		 * Some legacy 11b clients cannot hack a complete
941
		 * probe response frame.  When the request includes
942
		 * only a bare-bones rate set, communicate this to
943
		 * the transmit side.
944
		 */
945
		ieee80211_send_proberesp(vap, wh->i_addr2,
946
		    is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
947

948
		/*
949
		 * Note: we don't benefit from stashing the probe request
950
		 * IEs away to use for IBSS negotiation, because we
951
		 * typically don't get all of the IEs.
952
		 */
953
		break;
954

955
	case IEEE80211_FC0_SUBTYPE_ACTION:
956
	case IEEE80211_FC0_SUBTYPE_ACTION_NOACK:
957
		if ((ni == vap->iv_bss) &&
958
		    !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
959
			IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
960
			    wh, NULL, "%s", "unknown node");
961
			vap->iv_stats.is_rx_mgtdiscard++;
962
		} else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) &&
963
		    !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
964
			IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT | IEEE80211_MSG_DEBUG,
965
			    wh, NULL, "%s", "not for us");
966
			vap->iv_stats.is_rx_mgtdiscard++;
967
		} else if (vap->iv_state != IEEE80211_S_RUN) {
968
			IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT | IEEE80211_MSG_DEBUG,
969
			    wh, NULL, "wrong state %s",
970
			    ieee80211_state_name[vap->iv_state]);
971
			vap->iv_stats.is_rx_mgtdiscard++;
972
		} else {
973
			if (ieee80211_parse_action(ni, m0) == 0)
974
				(void)ic->ic_recv_action(ni, wh, frm, efrm);
975
		}
976
		break;
977

978
	case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
979
	case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
980
	case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
981
	case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
982
	case IEEE80211_FC0_SUBTYPE_TIMING_ADV:
983
	case IEEE80211_FC0_SUBTYPE_ATIM:
984
	case IEEE80211_FC0_SUBTYPE_DISASSOC:
985
	case IEEE80211_FC0_SUBTYPE_AUTH:
986
	case IEEE80211_FC0_SUBTYPE_DEAUTH:
987
		IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
988
		    wh, NULL, "%s", "not handled");
989
		vap->iv_stats.is_rx_mgtdiscard++;
990
		break;
991

992
	default:
993
		IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
994
		    wh, "mgt", "subtype 0x%x not handled", subtype);
995
		vap->iv_stats.is_rx_badsubtype++;
996
		break;
997
	}
998
}
999
#undef IEEE80211_VERIFY_LENGTH
1000
#undef IEEE80211_VERIFY_ELEMENT
1001

1002
static void
1003
ahdemo_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1004
	int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf)
1005
{
1006
	struct ieee80211vap *vap = ni->ni_vap;
1007
	struct ieee80211com *ic = ni->ni_ic;
1008

1009
	/*
1010
	 * Process management frames when scanning; useful for doing
1011
	 * a site-survey.
1012
	 */
1013
	if (ic->ic_flags & IEEE80211_F_SCAN)
1014
		adhoc_recv_mgmt(ni, m0, subtype, rxs, rssi, nf);
1015
	else {
1016
#ifdef IEEE80211_DEBUG
1017
		struct ieee80211_frame *wh;
1018

1019
		wh = mtod(m0, struct ieee80211_frame *);
1020
#endif
1021
		switch (subtype) {
1022
		case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1023
		case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
1024
		case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
1025
		case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
1026
		case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1027
		case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1028
		case IEEE80211_FC0_SUBTYPE_TIMING_ADV:
1029
		case IEEE80211_FC0_SUBTYPE_BEACON:
1030
		case IEEE80211_FC0_SUBTYPE_ATIM:
1031
		case IEEE80211_FC0_SUBTYPE_DISASSOC:
1032
		case IEEE80211_FC0_SUBTYPE_AUTH:
1033
		case IEEE80211_FC0_SUBTYPE_DEAUTH:
1034
		case IEEE80211_FC0_SUBTYPE_ACTION:
1035
		case IEEE80211_FC0_SUBTYPE_ACTION_NOACK:
1036
			IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1037
			     wh, NULL, "%s", "not handled");
1038
			vap->iv_stats.is_rx_mgtdiscard++;
1039
			break;
1040
		default:
1041
			IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1042
			     wh, "mgt", "subtype 0x%x not handled", subtype);
1043
			vap->iv_stats.is_rx_badsubtype++;
1044
			break;
1045
		}
1046
	}
1047
}
1048

1049
static void
1050
adhoc_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype)
1051
{
1052

1053
	switch (subtype) {
1054
	case IEEE80211_FC0_SUBTYPE_BAR:
1055
		ieee80211_recv_bar(ni, m);
1056
		break;
1057
	}
1058
}
1059

1060