2 * Copyright (c) 2001 Atsushi Onoe
3 * Copyright (c) 2002-2007 Sam Leffler, Errno Consulting
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
30 #include <sys/param.h>
31 #include <sys/systm.h>
33 #include <sys/malloc.h>
34 #include <sys/endian.h>
35 #include <sys/kernel.h>
37 #include <sys/socket.h>
40 #include <net/if_media.h>
41 #include <net/ethernet.h>
42 #include <net/if_llc.h>
43 #include <net/if_vlan_var.h>
45 #include <net80211/ieee80211_var.h>
49 #ifdef IEEE80211_DEBUG
50 #include <machine/stdarg.h>
53 * Decide if a received management frame should be
54 * printed when debugging is enabled. This filters some
55 * of the less interesting frames that come frequently
59 doprint(struct ieee80211com *ic, int subtype)
62 case IEEE80211_FC0_SUBTYPE_BEACON:
63 return (ic->ic_flags & IEEE80211_F_SCAN);
64 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
65 return (ic->ic_opmode == IEEE80211_M_IBSS);
70 static const uint8_t *ieee80211_getbssid(struct ieee80211com *,
71 const struct ieee80211_frame *);
72 #endif /* IEEE80211_DEBUG */
74 static struct mbuf *ieee80211_defrag(struct ieee80211com *,
75 struct ieee80211_node *, struct mbuf *, int);
76 static struct mbuf *ieee80211_decap(struct ieee80211com *, struct mbuf *, int);
77 static void ieee80211_send_error(struct ieee80211com *, struct ieee80211_node *,
78 const uint8_t *mac, int subtype, int arg);
79 static struct mbuf *ieee80211_decap_fastframe(struct ieee80211com *,
80 struct ieee80211_node *, struct mbuf *);
81 static void ieee80211_recv_pspoll(struct ieee80211com *,
82 struct ieee80211_node *, struct mbuf *);
85 * Process a received frame. The node associated with the sender
86 * should be supplied. If nothing was found in the node table then
87 * the caller is assumed to supply a reference to ic_bss instead.
88 * The RSSI and a timestamp are also supplied. The RSSI data is used
89 * during AP scanning to select a AP to associate with; it can have
90 * any units so long as values have consistent units and higher values
91 * mean ``better signal''. The receive timestamp is currently not used
92 * by the 802.11 layer.
95 ieee80211_input(struct ieee80211com *ic, struct mbuf *m,
96 struct ieee80211_node *ni, int rssi, int noise, uint32_t rstamp)
98 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0)
99 #define HAS_SEQ(type) ((type & 0x4) == 0)
100 struct ifnet *ifp = ic->ic_ifp;
101 struct ieee80211_frame *wh;
102 struct ieee80211_key *key;
103 struct ether_header *eh;
104 int hdrspace, need_tap;
105 uint8_t dir, type, subtype, qos;
109 if (m->m_flags & M_AMPDU) {
111 * Fastpath for A-MPDU reorder q resubmission. Frames
112 * w/ M_AMPDU marked have already passed through here
113 * but were received out of order and been held on the
114 * reorder queue. When resubmitted they are marked
115 * with the M_AMPDU flag and we can bypass most of the
118 wh = mtod(m, struct ieee80211_frame *);
119 type = IEEE80211_FC0_TYPE_DATA;
120 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
121 subtype = IEEE80211_FC0_SUBTYPE_QOS;
122 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
127 KASSERT(ni != NULL, ("null node"));
128 ni->ni_inact = ni->ni_inact_reload;
130 need_tap = 1; /* mbuf need to be tapped. */
131 type = -1; /* undefined */
133 * In monitor mode, send everything directly to bpf.
134 * XXX may want to include the CRC
136 if (ic->ic_opmode == IEEE80211_M_MONITOR)
139 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
140 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
141 ni->ni_macaddr, NULL,
142 "too short (1): len %u", m->m_pkthdr.len);
143 ic->ic_stats.is_rx_tooshort++;
147 * Bit of a cheat here, we use a pointer for a 3-address
148 * frame format but don't reference fields past outside
149 * ieee80211_frame_min w/o first validating the data is
152 wh = mtod(m, struct ieee80211_frame *);
154 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
155 IEEE80211_FC0_VERSION_0) {
156 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
157 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]);
158 ic->ic_stats.is_rx_badversion++;
162 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
163 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
164 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
165 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
166 switch (ic->ic_opmode) {
167 case IEEE80211_M_STA:
169 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) {
170 /* not interested in */
171 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
172 bssid, NULL, "%s", "not to bss");
173 ic->ic_stats.is_rx_wrongbss++;
177 case IEEE80211_M_IBSS:
178 case IEEE80211_M_AHDEMO:
179 case IEEE80211_M_HOSTAP:
180 if (dir != IEEE80211_FC1_DIR_NODS)
182 else if (type == IEEE80211_FC0_TYPE_CTL)
185 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
186 IEEE80211_DISCARD_MAC(ic,
187 IEEE80211_MSG_ANY, ni->ni_macaddr,
188 NULL, "too short (2): len %u",
190 ic->ic_stats.is_rx_tooshort++;
195 if (type != IEEE80211_FC0_TYPE_DATA)
198 * Data frame, validate the bssid.
200 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) &&
201 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
202 /* not interested in */
203 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
204 bssid, NULL, "%s", "not to bss");
205 ic->ic_stats.is_rx_wrongbss++;
209 * For adhoc mode we cons up a node when it doesn't
210 * exist. This should probably done after an ACL check.
212 if (ni == ic->ic_bss &&
213 ic->ic_opmode != IEEE80211_M_HOSTAP &&
214 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
216 * Fake up a node for this newly
217 * discovered member of the IBSS.
219 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta,
222 /* NB: stat kept for alloc failure */
231 ni->ni_noise = noise;
232 ni->ni_rstamp = rstamp;
235 if (IEEE80211_QOS_HAS_SEQ(wh)) {
236 tid = ((struct ieee80211_qosframe *)wh)->
237 i_qos[0] & IEEE80211_QOS_TID;
238 if (TID_TO_WME_AC(tid) >= WME_AC_VI)
239 ic->ic_wme.wme_hipri_traffic++;
242 tid = IEEE80211_NONQOS_TID;
243 rxseq = le16toh(*(uint16_t *)wh->i_seq);
244 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 &&
245 (wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
246 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
247 /* duplicate, discard */
248 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
250 "seqno <%u,%u> fragno <%u,%u> tid %u",
251 rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
252 ni->ni_rxseqs[tid] >>
253 IEEE80211_SEQ_SEQ_SHIFT,
254 rxseq & IEEE80211_SEQ_FRAG_MASK,
256 IEEE80211_SEQ_FRAG_MASK,
258 ic->ic_stats.is_rx_dup++;
259 IEEE80211_NODE_STAT(ni, rx_dup);
262 ni->ni_rxseqs[tid] = rxseq;
267 case IEEE80211_FC0_TYPE_DATA:
268 hdrspace = ieee80211_hdrspace(ic, wh);
269 if (m->m_len < hdrspace &&
270 (m = m_pullup(m, hdrspace)) == NULL) {
271 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
272 ni->ni_macaddr, NULL,
273 "data too short: expecting %u", hdrspace);
274 ic->ic_stats.is_rx_tooshort++;
277 switch (ic->ic_opmode) {
278 case IEEE80211_M_STA:
279 if (dir != IEEE80211_FC1_DIR_FROMDS) {
280 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
281 wh, "data", "unknown dir 0x%x", dir);
282 ic->ic_stats.is_rx_wrongdir++;
285 if ((ifp->if_flags & IFF_SIMPLEX) &&
286 IEEE80211_IS_MULTICAST(wh->i_addr1) &&
287 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) {
289 * In IEEE802.11 network, multicast packet
290 * sent from me is broadcasted from AP.
291 * It should be silently discarded for
294 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
295 wh, NULL, "%s", "multicast echo");
296 ic->ic_stats.is_rx_mcastecho++;
300 case IEEE80211_M_IBSS:
301 case IEEE80211_M_AHDEMO:
302 if (dir != IEEE80211_FC1_DIR_NODS) {
303 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
304 wh, "data", "unknown dir 0x%x", dir);
305 ic->ic_stats.is_rx_wrongdir++;
308 /* XXX no power-save support */
310 case IEEE80211_M_HOSTAP:
311 if (dir != IEEE80211_FC1_DIR_TODS) {
312 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
313 wh, "data", "unknown dir 0x%x", dir);
314 ic->ic_stats.is_rx_wrongdir++;
317 /* check if source STA is associated */
318 if (ni == ic->ic_bss) {
319 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
320 wh, "data", "%s", "unknown src");
321 ieee80211_send_error(ic, ni, wh->i_addr2,
322 IEEE80211_FC0_SUBTYPE_DEAUTH,
323 IEEE80211_REASON_NOT_AUTHED);
324 ic->ic_stats.is_rx_notassoc++;
327 if (ni->ni_associd == 0) {
328 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
329 wh, "data", "%s", "unassoc src");
330 IEEE80211_SEND_MGMT(ic, ni,
331 IEEE80211_FC0_SUBTYPE_DISASSOC,
332 IEEE80211_REASON_NOT_ASSOCED);
333 ic->ic_stats.is_rx_notassoc++;
338 * Check for power save state change.
339 * XXX out-of-order A-MPDU frames?
341 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
342 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
343 ieee80211_node_pwrsave(ni,
344 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
347 /* XXX here to keep compiler happy */
352 * Handle A-MPDU re-ordering. The station must be
353 * associated and negotiated HT. The frame must be
354 * a QoS frame (not QoS null data) and not previously
355 * processed for A-MPDU re-ordering. If the frame is
356 * to be processed directly then ieee80211_ampdu_reorder
357 * will return 0; otherwise it has consumed the mbuf
358 * and we should do nothing more with it.
360 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
361 subtype == IEEE80211_FC0_SUBTYPE_QOS &&
362 ieee80211_ampdu_reorder(ni, m) != 0) {
369 * Handle privacy requirements. Note that we
370 * must not be preempted from here until after
371 * we (potentially) call ieee80211_crypto_demic;
372 * otherwise we may violate assumptions in the
373 * crypto cipher modules used to do delayed update
374 * of replay sequence numbers.
376 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
377 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) {
379 * Discard encrypted frames when privacy is off.
381 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
382 wh, "WEP", "%s", "PRIVACY off");
383 ic->ic_stats.is_rx_noprivacy++;
384 IEEE80211_NODE_STAT(ni, rx_noprivacy);
387 key = ieee80211_crypto_decap(ic, ni, m, hdrspace);
389 /* NB: stats+msgs handled in crypto_decap */
390 IEEE80211_NODE_STAT(ni, rx_wepfail);
393 wh = mtod(m, struct ieee80211_frame *);
394 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
396 /* XXX M_WEP and IEEE80211_F_PRIVACY */
401 * Save QoS bits for use below--before we strip the header.
403 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
404 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
405 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
406 ((struct ieee80211_qosframe *)wh)->i_qos[0];
411 * Next up, any fragmentation.
413 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
414 m = ieee80211_defrag(ic, ni, m, hdrspace);
416 /* Fragment dropped or frame not complete yet */
420 wh = NULL; /* no longer valid, catch any uses */
423 * Next strip any MSDU crypto bits.
425 if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) {
426 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
427 ni->ni_macaddr, "data", "%s", "demic error");
428 ic->ic_stats.is_rx_demicfail++;
429 IEEE80211_NODE_STAT(ni, rx_demicfail);
433 /* copy to listener after decrypt */
434 if (bpf_peers_present(ic->ic_rawbpf))
435 bpf_mtap(ic->ic_rawbpf, m);
439 * Finally, strip the 802.11 header.
441 m = ieee80211_decap(ic, m, hdrspace);
443 /* don't count Null data frames as errors */
444 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
445 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
447 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
448 ni->ni_macaddr, "data", "%s", "decap error");
449 ic->ic_stats.is_rx_decap++;
450 IEEE80211_NODE_STAT(ni, rx_decap);
453 eh = mtod(m, struct ether_header *);
454 if (!ieee80211_node_is_authorized(ni)) {
456 * Deny any non-PAE frames received prior to
457 * authorization. For open/shared-key
458 * authentication the port is mark authorized
459 * after authentication completes. For 802.1x
460 * the port is not marked authorized by the
461 * authenticator until the handshake has completed.
463 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
464 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
465 eh->ether_shost, "data",
466 "unauthorized port: ether type 0x%x len %u",
467 eh->ether_type, m->m_pkthdr.len);
468 ic->ic_stats.is_rx_unauth++;
469 IEEE80211_NODE_STAT(ni, rx_unauth);
474 * When denying unencrypted frames, discard
475 * any non-PAE frames received without encryption.
477 if ((ic->ic_flags & IEEE80211_F_DROPUNENC) &&
478 (key == NULL && (m->m_flags & M_WEP) == 0) &&
479 eh->ether_type != htons(ETHERTYPE_PAE)) {
481 * Drop unencrypted frames.
483 ic->ic_stats.is_rx_unencrypted++;
484 IEEE80211_NODE_STAT(ni, rx_unencrypted);
488 /* XXX require HT? */
489 if (qos & IEEE80211_QOS_AMSDU) {
490 m = ieee80211_decap_amsdu(ni, m);
492 return IEEE80211_FC0_TYPE_DATA;
493 } else if ((ni->ni_ath_flags & IEEE80211_NODE_FF) &&
494 #define FF_LLC_SIZE (sizeof(struct ether_header) + sizeof(struct llc))
495 m->m_pkthdr.len >= 3*FF_LLC_SIZE) {
499 * Check for fast-frame tunnel encapsulation.
501 if (m->m_len < FF_LLC_SIZE &&
502 (m = m_pullup(m, FF_LLC_SIZE)) == NULL) {
503 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
504 ni->ni_macaddr, "fast-frame",
505 "%s", "m_pullup(llc) failed");
506 ic->ic_stats.is_rx_tooshort++;
507 return IEEE80211_FC0_TYPE_DATA;
509 llc = (struct llc *)(mtod(m, uint8_t *) +
510 sizeof(struct ether_header));
511 if (llc->llc_snap.ether_type == htons(ATH_FF_ETH_TYPE)) {
512 m_adj(m, FF_LLC_SIZE);
513 m = ieee80211_decap_fastframe(ic, ni, m);
515 return IEEE80211_FC0_TYPE_DATA;
519 ieee80211_deliver_data(ic, ni, m);
520 return IEEE80211_FC0_TYPE_DATA;
522 case IEEE80211_FC0_TYPE_MGT:
523 ic->ic_stats.is_rx_mgmt++;
524 IEEE80211_NODE_STAT(ni, rx_mgmt);
525 if (dir != IEEE80211_FC1_DIR_NODS) {
526 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
527 wh, "data", "unknown dir 0x%x", dir);
528 ic->ic_stats.is_rx_wrongdir++;
531 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
532 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
533 ni->ni_macaddr, "mgt", "too short: len %u",
535 ic->ic_stats.is_rx_tooshort++;
538 #ifdef IEEE80211_DEBUG
539 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) ||
540 ieee80211_msg_dumppkts(ic)) {
541 if_printf(ic->ic_ifp, "received %s from %s rssi %d\n",
542 ieee80211_mgt_subtype_name[subtype >>
543 IEEE80211_FC0_SUBTYPE_SHIFT],
544 ether_sprintf(wh->i_addr2), rssi);
547 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
548 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
550 * Only shared key auth frames with a challenge
551 * should be encrypted, discard all others.
553 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
554 wh, ieee80211_mgt_subtype_name[subtype >>
555 IEEE80211_FC0_SUBTYPE_SHIFT],
556 "%s", "WEP set but not permitted");
557 ic->ic_stats.is_rx_mgtdiscard++; /* XXX */
560 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) {
562 * Discard encrypted frames when privacy is off.
564 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
565 wh, "mgt", "%s", "WEP set but PRIVACY off");
566 ic->ic_stats.is_rx_noprivacy++;
569 hdrspace = ieee80211_hdrspace(ic, wh);
570 key = ieee80211_crypto_decap(ic, ni, m, hdrspace);
572 /* NB: stats+msgs handled in crypto_decap */
575 wh = mtod(m, struct ieee80211_frame *);
576 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
578 if (bpf_peers_present(ic->ic_rawbpf))
579 bpf_mtap(ic->ic_rawbpf, m);
580 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, noise, rstamp);
582 return IEEE80211_FC0_TYPE_MGT;
584 case IEEE80211_FC0_TYPE_CTL:
585 ic->ic_stats.is_rx_ctl++;
586 IEEE80211_NODE_STAT(ni, rx_ctrl);
587 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
589 case IEEE80211_FC0_SUBTYPE_PS_POLL:
590 ieee80211_recv_pspoll(ic, ni, m);
592 case IEEE80211_FC0_SUBTYPE_BAR:
593 ieee80211_recv_bar(ni, m);
599 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
600 wh, NULL, "bad frame type 0x%x", type);
601 /* should not come here */
608 if (bpf_peers_present(ic->ic_rawbpf) && need_tap)
609 bpf_mtap(ic->ic_rawbpf, m);
617 * This function reassemble fragments.
620 ieee80211_defrag(struct ieee80211com *ic, struct ieee80211_node *ni,
621 struct mbuf *m, int hdrspace)
623 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
624 struct ieee80211_frame *lwh;
627 uint8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG;
630 KASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?"));
632 rxseq = le16toh(*(uint16_t *)wh->i_seq);
633 fragno = rxseq & IEEE80211_SEQ_FRAG_MASK;
635 /* Quick way out, if there's nothing to defragment */
636 if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL)
640 * Remove frag to insure it doesn't get reaped by timer.
642 if (ni->ni_table == NULL) {
644 * Should never happen. If the node is orphaned (not in
645 * the table) then input packets should not reach here.
646 * Otherwise, a concurrent request that yanks the table
647 * should be blocked by other interlocking and/or by first
648 * shutting the driver down. Regardless, be defensive
651 /* XXX need msg+stat */
655 IEEE80211_NODE_LOCK(ni->ni_table);
656 mfrag = ni->ni_rxfrag[0];
657 ni->ni_rxfrag[0] = NULL;
658 IEEE80211_NODE_UNLOCK(ni->ni_table);
661 * Validate new fragment is in order and
662 * related to the previous ones.
667 lwh = mtod(mfrag, struct ieee80211_frame *);
668 last_rxseq = le16toh(*(uint16_t *)lwh->i_seq);
669 /* NB: check seq # and frag together */
670 if (rxseq != last_rxseq+1 ||
671 !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) ||
672 !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) {
674 * Unrelated fragment or no space for it,
675 * clear current fragments.
683 if (fragno != 0) { /* !first fragment, discard */
684 ic->ic_stats.is_rx_defrag++;
685 IEEE80211_NODE_STAT(ni, rx_defrag);
690 } else { /* concatenate */
691 m_adj(m, hdrspace); /* strip header */
693 /* NB: m_cat doesn't update the packet header */
694 mfrag->m_pkthdr.len += m->m_pkthdr.len;
695 /* track last seqnum and fragno */
696 lwh = mtod(mfrag, struct ieee80211_frame *);
697 *(uint16_t *) lwh->i_seq = *(uint16_t *) wh->i_seq;
699 if (more_frag) { /* more to come, save */
700 ni->ni_rxfragstamp = ticks;
701 ni->ni_rxfrag[0] = mfrag;
708 ieee80211_deliver_data(struct ieee80211com *ic,
709 struct ieee80211_node *ni, struct mbuf *m)
711 struct ether_header *eh = mtod(m, struct ether_header *);
712 struct ifnet *ifp = ic->ic_ifp;
718 IEEE80211_NODE_STAT(ni, rx_data);
719 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
720 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
721 m->m_flags |= M_MCAST; /* XXX M_BCAST? */
722 IEEE80211_NODE_STAT(ni, rx_mcast);
724 IEEE80211_NODE_STAT(ni, rx_ucast);
726 /* clear driver/net80211 flags before passing up */
727 m->m_flags &= ~M_80211_RX;
729 /* perform as a bridge within the AP */
730 if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
731 (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) {
732 struct mbuf *m1 = NULL;
734 if (m->m_flags & M_MCAST) {
735 m1 = m_dup(m, M_DONTWAIT);
739 m1->m_flags |= M_MCAST;
742 * Check if the destination is known; if so
743 * and the port is authorized dispatch directly.
745 struct ieee80211_node *sta =
746 ieee80211_find_node(&ic->ic_sta, eh->ether_dhost);
748 if (ieee80211_node_is_authorized(sta)) {
750 * Beware of sending to ourself; this
751 * needs to happen via the normal
754 if (sta != ic->ic_bss) {
759 ic->ic_stats.is_rx_unauth++;
760 IEEE80211_NODE_STAT(sta, rx_unauth);
762 ieee80211_free_node(sta);
766 (void) IF_HANDOFF(&ifp->if_snd, m1, ifp);
769 m->m_pkthdr.rcvif = ifp;
770 if (ni->ni_vlan != 0) {
771 /* attach vlan tag */
772 m->m_pkthdr.ether_vtag = ni->ni_vlan;
773 m->m_flags |= M_VLANTAG;
775 (*ifp->if_input)(ifp, m);
780 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, int hdrlen)
782 struct ieee80211_qosframe_addr4 wh; /* Max size address frames */
783 struct ether_header *eh;
786 if (m->m_len < hdrlen + sizeof(*llc) &&
787 (m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) {
791 memcpy(&wh, mtod(m, caddr_t), hdrlen);
792 llc = (struct llc *)(mtod(m, caddr_t) + hdrlen);
793 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP &&
794 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 &&
795 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) {
796 m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh));
799 m_adj(m, hdrlen - sizeof(*eh));
801 eh = mtod(m, struct ether_header *);
802 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) {
803 case IEEE80211_FC1_DIR_NODS:
804 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1);
805 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2);
807 case IEEE80211_FC1_DIR_TODS:
808 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3);
809 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2);
811 case IEEE80211_FC1_DIR_FROMDS:
812 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1);
813 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3);
815 case IEEE80211_FC1_DIR_DSTODS:
816 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3);
817 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4);
820 #ifdef ALIGNED_POINTER
821 if (!ALIGNED_POINTER(mtod(m, caddr_t) + sizeof(*eh), uint32_t)) {
822 struct mbuf *n, *n0, **np;
829 pktlen = m->m_pkthdr.len;
830 while (pktlen > off) {
832 MGETHDR(n, M_DONTWAIT, MT_DATA);
840 MGET(n, M_DONTWAIT, MT_DATA);
848 if (pktlen - off >= MINCLSIZE) {
849 MCLGET(n, M_DONTWAIT);
850 if (n->m_flags & M_EXT)
851 n->m_len = n->m_ext.ext_size;
855 (caddr_t)ALIGN(n->m_data + sizeof(*eh)) -
857 n->m_len -= newdata - n->m_data;
860 if (n->m_len > pktlen - off)
861 n->m_len = pktlen - off;
862 m_copydata(m, off, n->m_len, mtod(n, caddr_t));
870 #endif /* ALIGNED_POINTER */
872 eh = mtod(m, struct ether_header *);
873 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh));
879 * Decap a frame encapsulated in a fast-frame/A-MSDU.
882 ieee80211_decap1(struct mbuf *m, int *framelen)
884 #define FF_LLC_SIZE (sizeof(struct ether_header) + sizeof(struct llc))
885 struct ether_header *eh;
889 * The frame has an 802.3 header followed by an 802.2
890 * LLC header. The encapsulated frame length is in the
891 * first header type field; save that and overwrite it
892 * with the true type field found in the second. Then
893 * copy the 802.3 header up to where it belongs and
894 * adjust the mbuf contents to remove the void.
896 if (m->m_len < FF_LLC_SIZE && (m = m_pullup(m, FF_LLC_SIZE)) == NULL)
898 eh = mtod(m, struct ether_header *); /* 802.3 header is first */
899 llc = (struct llc *)&eh[1]; /* 802.2 header follows */
900 *framelen = ntohs(eh->ether_type) /* encap'd frame size */
901 + sizeof(struct ether_header) - sizeof(struct llc);
902 eh->ether_type = llc->llc_un.type_snap.ether_type;
903 ovbcopy(eh, mtod(m, uint8_t *) + sizeof(struct llc),
904 sizeof(struct ether_header));
905 m_adj(m, sizeof(struct llc));
911 * Decap the encapsulated frame pair and dispatch the first
912 * for delivery. The second frame is returned for delivery
913 * via the normal path.
916 ieee80211_decap_fastframe(struct ieee80211com *ic,
917 struct ieee80211_node *ni, struct mbuf *m)
919 #define MS(x,f) (((x) & f) >> f##_S)
924 m_copydata(m, 0, sizeof(uint32_t), (caddr_t) &ath);
925 if (MS(ath, ATH_FF_PROTO) != ATH_FF_PROTO_L2TUNNEL) {
926 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
927 ni->ni_macaddr, "fast-frame",
928 "unsupport tunnel protocol, header 0x%x", ath);
929 ic->ic_stats.is_ff_badhdr++;
933 /* NB: skip header and alignment padding */
934 m_adj(m, roundup(sizeof(uint32_t) - 2, 4) + 2);
936 ic->ic_stats.is_ff_decap++;
939 * Decap the first frame, bust it apart from the
940 * second and deliver; then decap the second frame
941 * and return it to the caller for normal delivery.
943 m = ieee80211_decap1(m, &framelen);
945 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
946 ni->ni_macaddr, "fast-frame", "%s", "first decap failed");
947 ic->ic_stats.is_ff_tooshort++;
950 n = m_split(m, framelen, M_NOWAIT);
952 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
953 ni->ni_macaddr, "fast-frame",
954 "%s", "unable to split encapsulated frames");
955 ic->ic_stats.is_ff_split++;
956 m_freem(m); /* NB: must reclaim */
959 ieee80211_deliver_data(ic, ni, m); /* 1st of pair */
962 * Decap second frame.
964 m_adj(n, roundup2(framelen, 4) - framelen); /* padding */
965 n = ieee80211_decap1(n, &framelen);
967 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
968 ni->ni_macaddr, "fast-frame", "%s", "second decap failed");
969 ic->ic_stats.is_ff_tooshort++;
971 /* XXX verify framelen against mbuf contents */
972 return n; /* 2nd delivered by caller */
977 * Install received rate set information in the node's state block.
980 ieee80211_setup_rates(struct ieee80211_node *ni,
981 const uint8_t *rates, const uint8_t *xrates, int flags)
983 struct ieee80211com *ic = ni->ni_ic;
984 struct ieee80211_rateset *rs = &ni->ni_rates;
986 memset(rs, 0, sizeof(*rs));
987 rs->rs_nrates = rates[1];
988 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates);
989 if (xrates != NULL) {
992 * Tack on 11g extended supported rate element.
995 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) {
996 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates;
997 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE,
998 "[%s] extended rate set too large;"
999 " only using %u of %u rates\n",
1000 ether_sprintf(ni->ni_macaddr), nxrates, xrates[1]);
1001 ic->ic_stats.is_rx_rstoobig++;
1003 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates);
1004 rs->rs_nrates += nxrates;
1006 return ieee80211_fix_rate(ni, rs, flags);
1010 ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh,
1011 struct ieee80211_node *ni, int rssi, int noise, uint32_t rstamp,
1012 uint16_t seq, uint16_t status)
1015 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
1016 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1017 ni->ni_macaddr, "open auth",
1018 "bad sta auth mode %u", ni->ni_authmode);
1019 ic->ic_stats.is_rx_bad_auth++; /* XXX */
1020 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
1022 * Clear any challenge text that may be there if
1023 * a previous shared key auth failed and then an
1024 * open auth is attempted.
1026 if (ni->ni_challenge != NULL) {
1027 FREE(ni->ni_challenge, M_80211_NODE);
1028 ni->ni_challenge = NULL;
1030 /* XXX hack to workaround calling convention */
1031 ieee80211_send_error(ic, ni, wh->i_addr2,
1032 IEEE80211_FC0_SUBTYPE_AUTH,
1033 (seq + 1) | (IEEE80211_STATUS_ALG<<16));
1037 switch (ic->ic_opmode) {
1038 case IEEE80211_M_IBSS:
1039 case IEEE80211_M_AHDEMO:
1040 case IEEE80211_M_MONITOR:
1041 case IEEE80211_M_WDS:
1042 /* should not come here */
1043 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1044 ni->ni_macaddr, "open auth",
1045 "bad operating mode %u", ic->ic_opmode);
1048 case IEEE80211_M_HOSTAP:
1049 if (ic->ic_state != IEEE80211_S_RUN ||
1050 seq != IEEE80211_AUTH_OPEN_REQUEST) {
1051 ic->ic_stats.is_rx_bad_auth++;
1054 /* always accept open authentication requests */
1055 if (ni == ic->ic_bss) {
1056 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2);
1059 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1060 (void) ieee80211_ref_node(ni);
1062 * Mark the node as referenced to reflect that it's
1063 * reference count has been bumped to insure it remains
1064 * after the transaction completes.
1066 ni->ni_flags |= IEEE80211_NODE_AREF;
1068 IEEE80211_SEND_MGMT(ic, ni,
1069 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1070 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1071 "[%s] station authenticated (open)\n",
1072 ether_sprintf(ni->ni_macaddr));
1074 * When 802.1x is not in use mark the port
1075 * authorized at this point so traffic can flow.
1077 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
1078 ieee80211_node_authorize(ni);
1081 case IEEE80211_M_STA:
1082 if (ic->ic_state != IEEE80211_S_AUTH ||
1083 seq != IEEE80211_AUTH_OPEN_RESPONSE) {
1084 ic->ic_stats.is_rx_bad_auth++;
1088 IEEE80211_DPRINTF(ic,
1089 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1090 "[%s] open auth failed (reason %d)\n",
1091 ether_sprintf(ni->ni_macaddr), status);
1092 /* XXX can this happen? */
1093 if (ni != ic->ic_bss)
1095 ic->ic_stats.is_rx_auth_fail++;
1096 ieee80211_new_state(ic, IEEE80211_S_SCAN,
1097 IEEE80211_SCAN_FAIL_STATUS);
1099 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 0);
1105 * Send a management frame error response to the specified
1106 * station. If ni is associated with the station then use
1107 * it; otherwise allocate a temporary node suitable for
1108 * transmitting the frame and then free the reference so
1109 * it will go away as soon as the frame has been transmitted.
1112 ieee80211_send_error(struct ieee80211com *ic, struct ieee80211_node *ni,
1113 const uint8_t *mac, int subtype, int arg)
1117 if (ni == ic->ic_bss) {
1118 ni = ieee80211_tmp_node(ic, mac);
1126 IEEE80211_SEND_MGMT(ic, ni, subtype, arg);
1128 ieee80211_free_node(ni);
1132 alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni)
1134 if (ni->ni_challenge == NULL)
1135 MALLOC(ni->ni_challenge, uint32_t*, IEEE80211_CHALLENGE_LEN,
1136 M_80211_NODE, M_NOWAIT);
1137 if (ni->ni_challenge == NULL) {
1138 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1139 "[%s] shared key challenge alloc failed\n",
1140 ether_sprintf(ni->ni_macaddr));
1143 return (ni->ni_challenge != NULL);
1146 /* XXX TODO: add statistics */
1148 ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh,
1149 uint8_t *frm, uint8_t *efrm, struct ieee80211_node *ni,
1150 int rssi, int noise, uint32_t rstamp, uint16_t seq, uint16_t status)
1153 int allocbs, estatus;
1156 * NB: this can happen as we allow pre-shared key
1157 * authentication to be enabled w/o wep being turned
1158 * on so that configuration of these can be done
1159 * in any order. It may be better to enforce the
1160 * ordering in which case this check would just be
1161 * for sanity/consistency.
1163 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) {
1164 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1165 ni->ni_macaddr, "shared key auth",
1166 "%s", " PRIVACY is disabled");
1167 estatus = IEEE80211_STATUS_ALG;
1171 * Pre-shared key authentication is evil; accept
1172 * it only if explicitly configured (it is supported
1173 * mainly for compatibility with clients like OS X).
1175 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1176 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1177 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1178 ni->ni_macaddr, "shared key auth",
1179 "bad sta auth mode %u", ni->ni_authmode);
1180 ic->ic_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1181 estatus = IEEE80211_STATUS_ALG;
1186 if (frm + 1 < efrm) {
1187 if ((frm[1] + 2) > (efrm - frm)) {
1188 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1189 ni->ni_macaddr, "shared key auth",
1190 "ie %d/%d too long",
1191 frm[0], (frm[1] + 2) - (efrm - frm));
1192 ic->ic_stats.is_rx_bad_auth++;
1193 estatus = IEEE80211_STATUS_CHALLENGE;
1196 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1201 case IEEE80211_AUTH_SHARED_CHALLENGE:
1202 case IEEE80211_AUTH_SHARED_RESPONSE:
1203 if (challenge == NULL) {
1204 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1205 ni->ni_macaddr, "shared key auth",
1206 "%s", "no challenge");
1207 ic->ic_stats.is_rx_bad_auth++;
1208 estatus = IEEE80211_STATUS_CHALLENGE;
1211 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1212 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1213 ni->ni_macaddr, "shared key auth",
1214 "bad challenge len %d", challenge[1]);
1215 ic->ic_stats.is_rx_bad_auth++;
1216 estatus = IEEE80211_STATUS_CHALLENGE;
1222 switch (ic->ic_opmode) {
1223 case IEEE80211_M_MONITOR:
1224 case IEEE80211_M_AHDEMO:
1225 case IEEE80211_M_IBSS:
1226 case IEEE80211_M_WDS:
1227 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1228 ni->ni_macaddr, "shared key auth",
1229 "bad operating mode %u", ic->ic_opmode);
1231 case IEEE80211_M_HOSTAP:
1232 if (ic->ic_state != IEEE80211_S_RUN) {
1233 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1234 ni->ni_macaddr, "shared key auth",
1235 "bad state %u", ic->ic_state);
1236 estatus = IEEE80211_STATUS_ALG; /* XXX */
1240 case IEEE80211_AUTH_SHARED_REQUEST:
1241 if (ni == ic->ic_bss) {
1242 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2);
1244 /* NB: no way to return an error */
1249 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1250 (void) ieee80211_ref_node(ni);
1254 * Mark the node as referenced to reflect that it's
1255 * reference count has been bumped to insure it remains
1256 * after the transaction completes.
1258 ni->ni_flags |= IEEE80211_NODE_AREF;
1260 ni->ni_noise = noise;
1261 ni->ni_rstamp = rstamp;
1262 if (!alloc_challenge(ic, ni)) {
1263 /* NB: don't return error so they rexmit */
1266 get_random_bytes(ni->ni_challenge,
1267 IEEE80211_CHALLENGE_LEN);
1268 IEEE80211_DPRINTF(ic,
1269 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1270 "[%s] shared key %sauth request\n",
1271 ether_sprintf(ni->ni_macaddr),
1272 allocbs ? "" : "re");
1274 case IEEE80211_AUTH_SHARED_RESPONSE:
1275 if (ni == ic->ic_bss) {
1276 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1277 ni->ni_macaddr, "shared key response",
1278 "%s", "unknown station");
1279 /* NB: don't send a response */
1282 if (ni->ni_challenge == NULL) {
1283 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1284 ni->ni_macaddr, "shared key response",
1285 "%s", "no challenge recorded");
1286 ic->ic_stats.is_rx_bad_auth++;
1287 estatus = IEEE80211_STATUS_CHALLENGE;
1290 if (memcmp(ni->ni_challenge, &challenge[2],
1291 challenge[1]) != 0) {
1292 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1293 ni->ni_macaddr, "shared key response",
1294 "%s", "challenge mismatch");
1295 ic->ic_stats.is_rx_auth_fail++;
1296 estatus = IEEE80211_STATUS_CHALLENGE;
1299 IEEE80211_DPRINTF(ic,
1300 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1301 "[%s] station authenticated (shared key)\n",
1302 ether_sprintf(ni->ni_macaddr));
1303 ieee80211_node_authorize(ni);
1306 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1307 ni->ni_macaddr, "shared key auth",
1309 ic->ic_stats.is_rx_bad_auth++;
1310 estatus = IEEE80211_STATUS_SEQUENCE;
1313 IEEE80211_SEND_MGMT(ic, ni,
1314 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1317 case IEEE80211_M_STA:
1318 if (ic->ic_state != IEEE80211_S_AUTH)
1321 case IEEE80211_AUTH_SHARED_PASS:
1322 if (ni->ni_challenge != NULL) {
1323 FREE(ni->ni_challenge, M_80211_NODE);
1324 ni->ni_challenge = NULL;
1327 IEEE80211_DPRINTF(ic,
1328 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1329 "[%s] shared key auth failed (reason %d)\n",
1330 ether_sprintf(ieee80211_getbssid(ic, wh)),
1332 /* XXX can this happen? */
1333 if (ni != ic->ic_bss)
1335 ic->ic_stats.is_rx_auth_fail++;
1338 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 0);
1340 case IEEE80211_AUTH_SHARED_CHALLENGE:
1341 if (!alloc_challenge(ic, ni))
1343 /* XXX could optimize by passing recvd challenge */
1344 memcpy(ni->ni_challenge, &challenge[2], challenge[1]);
1345 IEEE80211_SEND_MGMT(ic, ni,
1346 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1349 IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH,
1350 wh, "shared key auth", "bad seq %d", seq);
1351 ic->ic_stats.is_rx_bad_auth++;
1359 * Send an error response; but only when operating as an AP.
1361 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
1362 /* XXX hack to workaround calling convention */
1363 ieee80211_send_error(ic, ni, wh->i_addr2,
1364 IEEE80211_FC0_SUBTYPE_AUTH,
1365 (seq + 1) | (estatus<<16));
1366 } else if (ic->ic_opmode == IEEE80211_M_STA) {
1368 * Kick the state machine. This short-circuits
1369 * using the mgt frame timeout to trigger the
1372 if (ic->ic_state == IEEE80211_S_AUTH)
1373 ieee80211_new_state(ic, IEEE80211_S_SCAN,
1374 IEEE80211_SCAN_FAIL_STATUS);
1378 /* Verify the existence and length of __elem or get out. */
1379 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \
1380 if ((__elem) == NULL) { \
1381 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \
1382 wh, ieee80211_mgt_subtype_name[subtype >> \
1383 IEEE80211_FC0_SUBTYPE_SHIFT], \
1384 "%s", "no " #__elem ); \
1385 ic->ic_stats.is_rx_elem_missing++; \
1388 if ((__elem)[1] > (__maxlen)) { \
1389 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \
1390 wh, ieee80211_mgt_subtype_name[subtype >> \
1391 IEEE80211_FC0_SUBTYPE_SHIFT], \
1392 "bad " #__elem " len %d", (__elem)[1]); \
1393 ic->ic_stats.is_rx_elem_toobig++; \
1398 #define IEEE80211_VERIFY_LENGTH(_len, _minlen, _action) do { \
1399 if ((_len) < (_minlen)) { \
1400 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \
1401 wh, ieee80211_mgt_subtype_name[subtype >> \
1402 IEEE80211_FC0_SUBTYPE_SHIFT], \
1403 "ie too short, got %d, expected %d", \
1404 (_len), (_minlen)); \
1405 ic->ic_stats.is_rx_elem_toosmall++; \
1410 #ifdef IEEE80211_DEBUG
1412 ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag,
1413 uint8_t mac[IEEE80211_ADDR_LEN], uint8_t *ssid)
1415 printf("[%s] discard %s frame, ssid mismatch: ",
1416 ether_sprintf(mac), tag);
1417 ieee80211_print_essid(ssid + 2, ssid[1]);
1421 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \
1422 if ((_ssid)[1] != 0 && \
1423 ((_ssid)[1] != (_ni)->ni_esslen || \
1424 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \
1425 if (ieee80211_msg_input(ic)) \
1426 ieee80211_ssid_mismatch(ic, \
1427 ieee80211_mgt_subtype_name[subtype >> \
1428 IEEE80211_FC0_SUBTYPE_SHIFT], \
1429 wh->i_addr2, _ssid); \
1430 ic->ic_stats.is_rx_ssidmismatch++; \
1434 #else /* !IEEE80211_DEBUG */
1435 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \
1436 if ((_ssid)[1] != 0 && \
1437 ((_ssid)[1] != (_ni)->ni_esslen || \
1438 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \
1439 ic->ic_stats.is_rx_ssidmismatch++; \
1443 #endif /* !IEEE80211_DEBUG */
1445 /* unalligned little endian access */
1446 #define LE_READ_2(p) \
1448 ((((const uint8_t *)(p))[0] ) | \
1449 (((const uint8_t *)(p))[1] << 8)))
1450 #define LE_READ_4(p) \
1452 ((((const uint8_t *)(p))[0] ) | \
1453 (((const uint8_t *)(p))[1] << 8) | \
1454 (((const uint8_t *)(p))[2] << 16) | \
1455 (((const uint8_t *)(p))[3] << 24)))
1458 iswpaoui(const uint8_t *frm)
1460 return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI);
1464 iswmeoui(const uint8_t *frm)
1466 return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI);
1470 iswmeparam(const uint8_t *frm)
1472 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) &&
1473 frm[6] == WME_PARAM_OUI_SUBTYPE;
1477 iswmeinfo(const uint8_t *frm)
1479 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) &&
1480 frm[6] == WME_INFO_OUI_SUBTYPE;
1484 isatherosoui(const uint8_t *frm)
1486 return frm[1] > 3 && LE_READ_4(frm+2) == ((ATH_OUI_TYPE<<24)|ATH_OUI);
1490 ishtcapoui(const uint8_t *frm)
1492 return frm[1] > 3 && LE_READ_4(frm+2) == ((BCM_OUI_HTCAP<<24)|BCM_OUI);
1496 ishtinfooui(const uint8_t *frm)
1498 return frm[1] > 3 && LE_READ_4(frm+2) == ((BCM_OUI_HTINFO<<24)|BCM_OUI);
1502 * Convert a WPA cipher selector OUI to an internal
1503 * cipher algorithm. Where appropriate we also
1504 * record any key length.
1507 wpa_cipher(uint8_t *sel, uint8_t *keylen)
1509 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1510 uint32_t w = LE_READ_4(sel);
1513 case WPA_SEL(WPA_CSE_NULL):
1514 return IEEE80211_CIPHER_NONE;
1515 case WPA_SEL(WPA_CSE_WEP40):
1517 *keylen = 40 / NBBY;
1518 return IEEE80211_CIPHER_WEP;
1519 case WPA_SEL(WPA_CSE_WEP104):
1521 *keylen = 104 / NBBY;
1522 return IEEE80211_CIPHER_WEP;
1523 case WPA_SEL(WPA_CSE_TKIP):
1524 return IEEE80211_CIPHER_TKIP;
1525 case WPA_SEL(WPA_CSE_CCMP):
1526 return IEEE80211_CIPHER_AES_CCM;
1528 return 32; /* NB: so 1<< is discarded */
1533 * Convert a WPA key management/authentication algorithm
1534 * to an internal code.
1537 wpa_keymgmt(uint8_t *sel)
1539 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1540 uint32_t w = LE_READ_4(sel);
1543 case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1544 return WPA_ASE_8021X_UNSPEC;
1545 case WPA_SEL(WPA_ASE_8021X_PSK):
1546 return WPA_ASE_8021X_PSK;
1547 case WPA_SEL(WPA_ASE_NONE):
1548 return WPA_ASE_NONE;
1550 return 0; /* NB: so is discarded */
1555 * Parse a WPA information element to collect parameters
1556 * and validate the parameters against what has been
1557 * configured for the system.
1560 ieee80211_parse_wpa(struct ieee80211com *ic, uint8_t *frm,
1561 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1563 uint8_t len = frm[1];
1568 * Check the length once for fixed parts: OUI, type,
1569 * version, mcast cipher, and 2 selector counts.
1570 * Other, variable-length data, must be checked separately.
1572 if ((ic->ic_flags & IEEE80211_F_WPA1) == 0) {
1573 IEEE80211_DISCARD_IE(ic,
1574 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1575 wh, "WPA", "not WPA, flags 0x%x", ic->ic_flags);
1576 return IEEE80211_REASON_IE_INVALID;
1579 IEEE80211_DISCARD_IE(ic,
1580 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1581 wh, "WPA", "too short, len %u", len);
1582 return IEEE80211_REASON_IE_INVALID;
1584 frm += 6, len -= 4; /* NB: len is payload only */
1585 /* NB: iswapoui already validated the OUI and type */
1587 if (w != WPA_VERSION) {
1588 IEEE80211_DISCARD_IE(ic,
1589 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1590 wh, "WPA", "bad version %u", w);
1591 return IEEE80211_REASON_IE_INVALID;
1595 /* multicast/group cipher */
1596 w = wpa_cipher(frm, &rsn->rsn_mcastkeylen);
1597 if (w != rsn->rsn_mcastcipher) {
1598 IEEE80211_DISCARD_IE(ic,
1599 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1600 wh, "WPA", "mcast cipher mismatch; got %u, expected %u",
1601 w, rsn->rsn_mcastcipher);
1602 return IEEE80211_REASON_IE_INVALID;
1606 /* unicast ciphers */
1610 IEEE80211_DISCARD_IE(ic,
1611 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1612 wh, "WPA", "ucast cipher data too short; len %u, n %u",
1614 return IEEE80211_REASON_IE_INVALID;
1617 for (; n > 0; n--) {
1618 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen);
1621 w &= rsn->rsn_ucastcipherset;
1623 IEEE80211_DISCARD_IE(ic,
1624 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1625 wh, "WPA", "%s", "ucast cipher set empty");
1626 return IEEE80211_REASON_IE_INVALID;
1628 if (w & (1<<IEEE80211_CIPHER_TKIP))
1629 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1631 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1633 /* key management algorithms */
1637 IEEE80211_DISCARD_IE(ic,
1638 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1639 wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1641 return IEEE80211_REASON_IE_INVALID;
1644 for (; n > 0; n--) {
1645 w |= wpa_keymgmt(frm);
1648 w &= rsn->rsn_keymgmtset;
1650 IEEE80211_DISCARD_IE(ic,
1651 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1652 wh, "WPA", "%s", "no acceptable key mgmt alg");
1653 return IEEE80211_REASON_IE_INVALID;
1655 if (w & WPA_ASE_8021X_UNSPEC)
1656 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1658 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1660 if (len > 2) /* optional capabilities */
1661 rsn->rsn_caps = LE_READ_2(frm);
1667 * Convert an RSN cipher selector OUI to an internal
1668 * cipher algorithm. Where appropriate we also
1669 * record any key length.
1672 rsn_cipher(uint8_t *sel, uint8_t *keylen)
1674 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1675 uint32_t w = LE_READ_4(sel);
1678 case RSN_SEL(RSN_CSE_NULL):
1679 return IEEE80211_CIPHER_NONE;
1680 case RSN_SEL(RSN_CSE_WEP40):
1682 *keylen = 40 / NBBY;
1683 return IEEE80211_CIPHER_WEP;
1684 case RSN_SEL(RSN_CSE_WEP104):
1686 *keylen = 104 / NBBY;
1687 return IEEE80211_CIPHER_WEP;
1688 case RSN_SEL(RSN_CSE_TKIP):
1689 return IEEE80211_CIPHER_TKIP;
1690 case RSN_SEL(RSN_CSE_CCMP):
1691 return IEEE80211_CIPHER_AES_CCM;
1692 case RSN_SEL(RSN_CSE_WRAP):
1693 return IEEE80211_CIPHER_AES_OCB;
1695 return 32; /* NB: so 1<< is discarded */
1700 * Convert an RSN key management/authentication algorithm
1701 * to an internal code.
1704 rsn_keymgmt(uint8_t *sel)
1706 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1707 uint32_t w = LE_READ_4(sel);
1710 case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1711 return RSN_ASE_8021X_UNSPEC;
1712 case RSN_SEL(RSN_ASE_8021X_PSK):
1713 return RSN_ASE_8021X_PSK;
1714 case RSN_SEL(RSN_ASE_NONE):
1715 return RSN_ASE_NONE;
1717 return 0; /* NB: so is discarded */
1722 * Parse a WPA/RSN information element to collect parameters
1723 * and validate the parameters against what has been
1724 * configured for the system.
1727 ieee80211_parse_rsn(struct ieee80211com *ic, uint8_t *frm,
1728 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1730 uint8_t len = frm[1];
1735 * Check the length once for fixed parts:
1736 * version, mcast cipher, and 2 selector counts.
1737 * Other, variable-length data, must be checked separately.
1739 if ((ic->ic_flags & IEEE80211_F_WPA2) == 0) {
1740 IEEE80211_DISCARD_IE(ic,
1741 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1742 wh, "WPA", "not RSN, flags 0x%x", ic->ic_flags);
1743 return IEEE80211_REASON_IE_INVALID;
1746 IEEE80211_DISCARD_IE(ic,
1747 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1748 wh, "RSN", "too short, len %u", len);
1749 return IEEE80211_REASON_IE_INVALID;
1753 if (w != RSN_VERSION) {
1754 IEEE80211_DISCARD_IE(ic,
1755 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1756 wh, "RSN", "bad version %u", w);
1757 return IEEE80211_REASON_IE_INVALID;
1761 /* multicast/group cipher */
1762 w = rsn_cipher(frm, &rsn->rsn_mcastkeylen);
1763 if (w != rsn->rsn_mcastcipher) {
1764 IEEE80211_DISCARD_IE(ic,
1765 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1766 wh, "RSN", "mcast cipher mismatch; got %u, expected %u",
1767 w, rsn->rsn_mcastcipher);
1768 return IEEE80211_REASON_IE_INVALID;
1772 /* unicast ciphers */
1776 IEEE80211_DISCARD_IE(ic,
1777 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1778 wh, "RSN", "ucast cipher data too short; len %u, n %u",
1780 return IEEE80211_REASON_IE_INVALID;
1783 for (; n > 0; n--) {
1784 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen);
1787 w &= rsn->rsn_ucastcipherset;
1789 IEEE80211_DISCARD_IE(ic,
1790 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1791 wh, "RSN", "%s", "ucast cipher set empty");
1792 return IEEE80211_REASON_IE_INVALID;
1794 if (w & (1<<IEEE80211_CIPHER_TKIP))
1795 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1797 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1799 /* key management algorithms */
1803 IEEE80211_DISCARD_IE(ic,
1804 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1805 wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1807 return IEEE80211_REASON_IE_INVALID;
1810 for (; n > 0; n--) {
1811 w |= rsn_keymgmt(frm);
1814 w &= rsn->rsn_keymgmtset;
1816 IEEE80211_DISCARD_IE(ic,
1817 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1818 wh, "RSN", "%s", "no acceptable key mgmt alg");
1819 return IEEE80211_REASON_IE_INVALID;
1821 if (w & RSN_ASE_8021X_UNSPEC)
1822 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1824 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1826 /* optional RSN capabilities */
1828 rsn->rsn_caps = LE_READ_2(frm);
1835 ieee80211_parse_wmeparams(struct ieee80211com *ic, uint8_t *frm,
1836 const struct ieee80211_frame *wh)
1838 #define MS(_v, _f) (((_v) & _f) >> _f##_S)
1839 struct ieee80211_wme_state *wme = &ic->ic_wme;
1840 u_int len = frm[1], qosinfo;
1843 if (len < sizeof(struct ieee80211_wme_param)-2) {
1844 IEEE80211_DISCARD_IE(ic,
1845 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME,
1846 wh, "WME", "too short, len %u", len);
1849 qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)];
1850 qosinfo &= WME_QOSINFO_COUNT;
1851 /* XXX do proper check for wraparound */
1852 if (qosinfo == wme->wme_wmeChanParams.cap_info)
1854 frm += __offsetof(struct ieee80211_wme_param, params_acParams);
1855 for (i = 0; i < WME_NUM_AC; i++) {
1856 struct wmeParams *wmep =
1857 &wme->wme_wmeChanParams.cap_wmeParams[i];
1858 /* NB: ACI not used */
1859 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM);
1860 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN);
1861 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN);
1862 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX);
1863 wmep->wmep_txopLimit = LE_READ_2(frm+2);
1866 wme->wme_wmeChanParams.cap_info = qosinfo;
1872 ieee80211_parse_athparams(struct ieee80211_node *ni, uint8_t *frm,
1873 const struct ieee80211_frame *wh)
1875 struct ieee80211com *ic = ni->ni_ic;
1876 const struct ieee80211_ath_ie *ath;
1881 if (len < sizeof(struct ieee80211_ath_ie)-2) {
1882 IEEE80211_DISCARD_IE(ic,
1883 IEEE80211_MSG_ELEMID | IEEE80211_MSG_SUPERG,
1884 wh, "Atheros", "too short, len %u", len);
1887 ath = (const struct ieee80211_ath_ie *)frm;
1888 capschanged = (ni->ni_ath_flags != ath->ath_capability);
1889 defkeyix = LE_READ_2(ath->ath_defkeyix);
1890 if (capschanged || defkeyix != ni->ni_ath_defkeyix) {
1891 ni->ni_ath_flags = ath->ath_capability;
1892 ni->ni_ath_defkeyix = defkeyix;
1893 IEEE80211_DPRINTF(ic, IEEE80211_MSG_SUPERG,
1894 "[%s] ath ie change: new caps 0x%x defkeyix 0x%x\n",
1895 ether_sprintf(ni->ni_macaddr),
1896 ni->ni_ath_flags, ni->ni_ath_defkeyix);
1898 if (IEEE80211_ATH_CAP(ic, ni, ATHEROS_CAP_TURBO_PRIME)) {
1899 uint16_t curflags, newflags;
1902 * Check for turbo mode switch. Calculate flags
1903 * for the new mode and effect the switch.
1905 newflags = curflags = ic->ic_bsschan->ic_flags;
1906 /* NB: BOOST is not in ic_flags, so get it from the ie */
1907 if (ath->ath_capability & ATHEROS_CAP_BOOST)
1908 newflags |= IEEE80211_CHAN_TURBO;
1910 newflags &= ~IEEE80211_CHAN_TURBO;
1911 if (newflags != curflags)
1912 ieee80211_dturbo_switch(ic, newflags);
1918 ieee80211_saveath(struct ieee80211_node *ni, uint8_t *ie)
1920 const struct ieee80211_ath_ie *ath =
1921 (const struct ieee80211_ath_ie *) ie;
1923 ni->ni_ath_flags = ath->ath_capability;
1924 ni->ni_ath_defkeyix = LE_READ_2(&ath->ath_defkeyix);
1925 ieee80211_saveie(&ni->ni_ath_ie, ie);
1929 ieee80211_saveie(uint8_t **iep, const uint8_t *ie)
1931 u_int ielen = ie[1]+2;
1933 * Record information element for later use.
1935 if (*iep == NULL || (*iep)[1] != ie[1]) {
1937 FREE(*iep, M_80211_NODE);
1938 MALLOC(*iep, void*, ielen, M_80211_NODE, M_NOWAIT);
1941 memcpy(*iep, ie, ielen);
1942 /* XXX note failure */
1945 /* XXX find a better place for definition */
1946 struct l2_update_frame {
1947 struct ether_header eh;
1955 * Deliver a TGf L2UF frame on behalf of a station.
1956 * This primes any bridge when the station is roaming
1957 * between ap's on the same wired network.
1960 ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1962 struct ieee80211com *ic = ni->ni_ic;
1963 struct ifnet *ifp = ic->ic_ifp;
1965 struct l2_update_frame *l2uf;
1966 struct ether_header *eh;
1968 m = m_gethdr(M_NOWAIT, MT_DATA);
1970 IEEE80211_NOTE(ic, IEEE80211_MSG_ASSOC, ni,
1971 "%s", "no mbuf for l2uf frame");
1972 ic->ic_stats.is_rx_nobuf++; /* XXX not right */
1975 l2uf = mtod(m, struct l2_update_frame *);
1977 /* dst: Broadcast address */
1978 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
1979 /* src: associated STA */
1980 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1981 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1985 l2uf->control = 0xf5;
1986 l2uf->xid[0] = 0x81;
1987 l2uf->xid[1] = 0x80;
1988 l2uf->xid[2] = 0x00;
1990 m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1991 ieee80211_deliver_data(ic, ni, m);
1995 contbgscan(struct ieee80211com *ic)
1997 return ((ic->ic_flags_ext & IEEE80211_FEXT_BGSCAN) &&
1998 time_after(ticks, ic->ic_lastdata + ic->ic_bgscanidle));
2002 startbgscan(struct ieee80211com *ic)
2004 return ((ic->ic_flags & IEEE80211_F_BGSCAN) &&
2005 !IEEE80211_IS_CHAN_DTURBO(ic->ic_curchan) &&
2006 time_after(ticks, ic->ic_lastscan + ic->ic_bgscanintvl) &&
2007 time_after(ticks, ic->ic_lastdata + ic->ic_bgscanidle));
2011 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
2012 int reassoc, int resp, const char *tag, int rate)
2014 struct ieee80211com *ic = ni->ni_ic;
2016 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2017 "[%s] deny %s request, %s rate set mismatch, rate 0x%x\n",
2018 ether_sprintf(wh->i_addr2),
2019 reassoc ? "reassoc" : "assoc", tag, rate);
2020 IEEE80211_SEND_MGMT(ic, ni, resp, IEEE80211_STATUS_BASIC_RATE);
2021 ieee80211_node_leave(ic, ni);
2022 ic->ic_stats.is_rx_assoc_norate++;
2026 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
2027 int reassoc, int resp, const char *tag, int capinfo)
2029 struct ieee80211com *ic = ni->ni_ic;
2031 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2032 "[%s] deny %s request, %s mismatch 0x%x\n",
2033 ether_sprintf(wh->i_addr2),
2034 reassoc ? "reassoc" : "assoc", tag, capinfo);
2035 IEEE80211_SEND_MGMT(ic, ni, resp, IEEE80211_STATUS_CAPINFO);
2036 ieee80211_node_leave(ic, ni);
2037 ic->ic_stats.is_rx_assoc_capmismatch++;
2041 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
2042 int reassoc, int resp)
2044 struct ieee80211com *ic = ni->ni_ic;
2046 IEEE80211_NOTE_MAC(ic, IEEE80211_MSG_ANY, wh->i_addr2,
2047 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc");
2048 /* XXX no better code */
2049 IEEE80211_SEND_MGMT(ic, ni, resp, IEEE80211_STATUS_OTHER);
2050 ieee80211_node_leave(ic, ni);
2054 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
2055 struct ieee80211_node *ni,
2056 int subtype, int rssi, int noise, uint32_t rstamp)
2058 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP)
2059 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP)
2060 struct ieee80211_frame *wh;
2061 uint8_t *frm, *efrm;
2062 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap, *htinfo;
2063 int reassoc, resp, allocbs;
2066 wh = mtod(m0, struct ieee80211_frame *);
2067 frm = (uint8_t *)&wh[1];
2068 efrm = mtod(m0, uint8_t *) + m0->m_len;
2070 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
2071 case IEEE80211_FC0_SUBTYPE_BEACON: {
2072 struct ieee80211_scanparams scan;
2075 * We process beacon/probe response frames:
2076 * o when scanning, or
2077 * o station mode when associated (to collect state
2078 * updates such as 802.11g slot time), or
2079 * o adhoc mode (to discover neighbors)
2080 * Frames otherwise received are discarded.
2082 if (!((ic->ic_flags & IEEE80211_F_SCAN) ||
2083 (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) ||
2084 ic->ic_opmode == IEEE80211_M_IBSS)) {
2085 ic->ic_stats.is_rx_mgtdiscard++;
2089 * beacon/probe response frame format
2091 * [2] beacon interval
2092 * [2] capability information
2094 * [tlv] supported rates
2095 * [tlv] country information
2096 * [tlv] parameter set (FH/DS)
2097 * [tlv] erp information
2098 * [tlv] extended supported rates
2101 * [tlv] HT capabilities
2102 * [tlv] HT information
2103 * [tlv] Atheros capabilities
2105 IEEE80211_VERIFY_LENGTH(efrm - frm, 12, return);
2106 memset(&scan, 0, sizeof(scan));
2107 scan.tstamp = frm; frm += 8;
2108 scan.bintval = le16toh(*(uint16_t *)frm); frm += 2;
2109 scan.capinfo = le16toh(*(uint16_t *)frm); frm += 2;
2110 scan.bchan = IEEE80211_CHAN2IEEE(ic->ic_curchan);
2111 scan.curchan = ic->ic_curchan;
2113 while (efrm - frm > 1) {
2114 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
2116 case IEEE80211_ELEMID_SSID:
2119 case IEEE80211_ELEMID_RATES:
2122 case IEEE80211_ELEMID_COUNTRY:
2125 case IEEE80211_ELEMID_FHPARMS:
2126 if (ic->ic_phytype == IEEE80211_T_FH) {
2127 scan.fhdwell = LE_READ_2(&frm[2]);
2128 scan.bchan = IEEE80211_FH_CHAN(frm[4], frm[5]);
2129 scan.fhindex = frm[6];
2132 case IEEE80211_ELEMID_DSPARMS:
2134 * XXX hack this since depending on phytype
2135 * is problematic for multi-mode devices.
2137 if (ic->ic_phytype != IEEE80211_T_FH)
2138 scan.bchan = frm[2];
2140 case IEEE80211_ELEMID_TIM:
2143 scan.timoff = frm - mtod(m0, uint8_t *);
2145 case IEEE80211_ELEMID_IBSSPARMS:
2147 case IEEE80211_ELEMID_XRATES:
2150 case IEEE80211_ELEMID_ERP:
2152 IEEE80211_DISCARD_IE(ic,
2153 IEEE80211_MSG_ELEMID, wh, "ERP",
2154 "bad len %u", frm[1]);
2155 ic->ic_stats.is_rx_elem_toobig++;
2160 case IEEE80211_ELEMID_HTCAP:
2163 case IEEE80211_ELEMID_RSN:
2166 case IEEE80211_ELEMID_HTINFO:
2169 case IEEE80211_ELEMID_VENDOR:
2172 else if (iswmeparam(frm) || iswmeinfo(frm))
2174 else if (isatherosoui(frm))
2176 else if (ic->ic_flags_ext & IEEE80211_FEXT_HTCOMPAT) {
2178 * Accept pre-draft HT ie's if the
2179 * standard ones have not been seen.
2181 if (ishtcapoui(frm)) {
2182 if (scan.htcap == NULL)
2184 } else if (ishtinfooui(frm)) {
2185 if (scan.htinfo == NULL)
2191 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID,
2193 "id %u, len %u", *frm, frm[1]);
2194 ic->ic_stats.is_rx_elem_unknown++;
2199 IEEE80211_VERIFY_ELEMENT(scan.rates, IEEE80211_RATE_MAXSIZE);
2200 if (scan.xrates != NULL)
2201 IEEE80211_VERIFY_ELEMENT(scan.xrates,
2202 IEEE80211_RATE_MAXSIZE - scan.rates[1]);
2203 IEEE80211_VERIFY_ELEMENT(scan.ssid, IEEE80211_NWID_LEN);
2204 #if IEEE80211_CHAN_MAX < 255
2205 if (scan.chan > IEEE80211_CHAN_MAX) {
2206 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID,
2207 wh, ieee80211_mgt_subtype_name[subtype >>
2208 IEEE80211_FC0_SUBTYPE_SHIFT],
2209 "invalid channel %u", scan.chan);
2210 ic->ic_stats.is_rx_badchan++;
2214 if (IEEE80211_CHAN2IEEE(scan.curchan) != scan.bchan &&
2215 ic->ic_phytype != IEEE80211_T_FH) {
2217 * Frame was received on a channel different from the
2218 * one indicated in the DS params element id;
2219 * silently discard it.
2221 * NB: this can happen due to signal leakage.
2222 * But we should take it for FH phy because
2223 * the rssi value should be correct even for
2224 * different hop pattern in FH.
2226 IEEE80211_DISCARD(ic,
2227 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT,
2228 wh, ieee80211_mgt_subtype_name[subtype >>
2229 IEEE80211_FC0_SUBTYPE_SHIFT],
2230 "for off-channel %u",
2231 IEEE80211_CHAN2IEEE(scan.curchan));
2232 ic->ic_stats.is_rx_chanmismatch++;
2235 if (!(IEEE80211_BINTVAL_MIN <= scan.bintval &&
2236 scan.bintval <= IEEE80211_BINTVAL_MAX)) {
2237 IEEE80211_DISCARD(ic,
2238 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT,
2239 wh, ieee80211_mgt_subtype_name[subtype >>
2240 IEEE80211_FC0_SUBTYPE_SHIFT],
2241 "bogus beacon interval", scan.bintval);
2242 ic->ic_stats.is_rx_badbintval++;
2246 * Process HT ie's. This is complicated by our
2247 * accepting both the standard ie's and the pre-draft
2248 * vendor OUI ie's that some vendors still use/require.
2250 if (scan.htcap != NULL) {
2251 IEEE80211_VERIFY_LENGTH(scan.htcap[1],
2252 scan.htcap[0] == IEEE80211_ELEMID_VENDOR ?
2253 4 + sizeof(struct ieee80211_ie_htcap)-2 :
2254 sizeof(struct ieee80211_ie_htcap)-2,
2257 if (scan.htinfo != NULL) {
2258 IEEE80211_VERIFY_LENGTH(scan.htinfo[1],
2259 scan.htinfo[0] == IEEE80211_ELEMID_VENDOR ?
2260 4 + sizeof(struct ieee80211_ie_htinfo)-2 :
2261 sizeof(struct ieee80211_ie_htinfo)-2,
2262 scan.htinfo = NULL);
2266 * Count frame now that we know it's to be processed.
2268 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
2269 ic->ic_stats.is_rx_beacon++; /* XXX remove */
2270 IEEE80211_NODE_STAT(ni, rx_beacons);
2272 IEEE80211_NODE_STAT(ni, rx_proberesp);
2275 * When operating in station mode, check for state updates.
2276 * Be careful to ignore beacons received while doing a
2277 * background scan. We consider only 11g/WMM stuff right now.
2279 if (ic->ic_opmode == IEEE80211_M_STA &&
2280 ni->ni_associd != 0 &&
2281 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 ||
2282 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) {
2283 /* record tsf of last beacon */
2284 memcpy(ni->ni_tstamp.data, scan.tstamp,
2285 sizeof(ni->ni_tstamp));
2286 /* count beacon frame for s/w bmiss handling */
2287 ic->ic_swbmiss_count++;
2288 ic->ic_bmiss_count = 0;
2289 if (ni->ni_erp != scan.erp) {
2290 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2291 "[%s] erp change: was 0x%x, now 0x%x\n",
2292 ether_sprintf(wh->i_addr2),
2293 ni->ni_erp, scan.erp);
2294 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
2295 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
2296 ic->ic_flags |= IEEE80211_F_USEPROT;
2298 ic->ic_flags &= ~IEEE80211_F_USEPROT;
2299 ni->ni_erp = scan.erp;
2302 if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) {
2303 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2304 "[%s] capabilities change: before 0x%x,"
2306 ether_sprintf(wh->i_addr2),
2307 ni->ni_capinfo, scan.capinfo);
2309 * NB: we assume short preamble doesn't
2310 * change dynamically
2312 ieee80211_set_shortslottime(ic,
2313 IEEE80211_IS_CHAN_A(ic->ic_bsschan) ||
2314 (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
2315 ni->ni_capinfo = (ni->ni_capinfo &~ IEEE80211_CAPINFO_SHORT_SLOTTIME)
2316 | (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME);
2319 if (scan.wme != NULL &&
2320 (ni->ni_flags & IEEE80211_NODE_QOS) &&
2321 ieee80211_parse_wmeparams(ic, scan.wme, wh) > 0)
2322 ieee80211_wme_updateparams(ic);
2323 if (scan.ath != NULL)
2324 ieee80211_parse_athparams(ni, scan.ath, wh);
2325 if (scan.htcap != NULL)
2326 ieee80211_parse_htcap(ni, scan.htcap);
2327 if (scan.htinfo != NULL) {
2328 ieee80211_parse_htinfo(ni, scan.htinfo);
2329 if (ni->ni_chan != ic->ic_bsschan) {
2331 * Channel has been adjusted based on
2332 * negotiated HT parameters; force the
2333 * channel state to follow.
2335 ieee80211_setbsschan(ic, ni->ni_chan);
2338 if (scan.tim != NULL) {
2339 struct ieee80211_tim_ie *tim =
2340 (struct ieee80211_tim_ie *) scan.tim;
2342 int aid = IEEE80211_AID(ni->ni_associd);
2343 int ix = aid / NBBY;
2344 int min = tim->tim_bitctl &~ 1;
2345 int max = tim->tim_len + min - 4;
2346 if ((tim->tim_bitctl&1) ||
2347 (min <= ix && ix <= max &&
2348 isset(tim->tim_bitmap - min, aid))) {
2350 * XXX Do not let bg scan kick off
2351 * we are expecting data.
2353 ic->ic_lastdata = ticks;
2354 ieee80211_sta_pwrsave(ic, 0);
2357 ni->ni_dtim_count = tim->tim_count;
2358 ni->ni_dtim_period = tim->tim_period;
2361 * If scanning, pass the info to the scan module.
2362 * Otherwise, check if it's the right time to do
2363 * a background scan. Background scanning must
2364 * be enabled and we must not be operating in the
2365 * turbo phase of dynamic turbo mode. Then,
2366 * it's been a while since the last background
2367 * scan and if no data frames have come through
2368 * recently, kick off a scan. Note that this
2369 * is the mechanism by which a background scan
2370 * is started _and_ continued each time we
2371 * return on-channel to receive a beacon from
2374 if (ic->ic_flags & IEEE80211_F_SCAN) {
2375 ieee80211_add_scan(ic, &scan, wh,
2376 subtype, rssi, noise, rstamp);
2377 } else if (contbgscan(ic)) {
2378 ieee80211_bg_scan(ic);
2379 } else if (startbgscan(ic)) {
2381 /* wakeup if we are sleeing */
2382 ieee80211_set_pwrsave(ic, 0);
2384 ieee80211_bg_scan(ic);
2389 * If scanning, just pass information to the scan module.
2391 if (ic->ic_flags & IEEE80211_F_SCAN) {
2392 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) {
2394 * Actively scanning a channel marked passive;
2395 * send a probe request now that we know there
2396 * is 802.11 traffic present.
2398 * XXX check if the beacon we recv'd gives
2399 * us what we need and suppress the probe req
2401 ieee80211_probe_curchan(ic, 1);
2402 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
2404 ieee80211_add_scan(ic, &scan, wh,
2405 subtype, rssi, noise, rstamp);
2408 if (scan.capinfo & IEEE80211_CAPINFO_IBSS) {
2409 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
2411 * Create a new entry in the neighbor table.
2413 ni = ieee80211_add_neighbor(ic, wh, &scan);
2414 } else if (ni->ni_capinfo == 0) {
2416 * Update faked node created on transmit.
2417 * Note this also updates the tsf.
2419 ieee80211_init_neighbor(ni, wh, &scan);
2422 * Record tsf for potential resync.
2424 memcpy(ni->ni_tstamp.data, scan.tstamp,
2425 sizeof(ni->ni_tstamp));
2429 ni->ni_noise = noise;
2430 ni->ni_rstamp = rstamp;
2436 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
2437 if (ic->ic_opmode == IEEE80211_M_STA ||
2438 ic->ic_state != IEEE80211_S_RUN) {
2439 ic->ic_stats.is_rx_mgtdiscard++;
2442 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
2443 /* frame must be directed */
2444 ic->ic_stats.is_rx_mgtdiscard++; /* XXX stat */
2449 * prreq frame format
2451 * [tlv] supported rates
2452 * [tlv] extended supported rates
2453 * [tlv] Atheros capabilities
2455 ssid = rates = xrates = ath = NULL;
2456 while (efrm - frm > 1) {
2457 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
2459 case IEEE80211_ELEMID_SSID:
2462 case IEEE80211_ELEMID_RATES:
2465 case IEEE80211_ELEMID_XRATES:
2468 case IEEE80211_ELEMID_VENDOR:
2469 if (isatherosoui(frm))
2475 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
2477 IEEE80211_VERIFY_ELEMENT(xrates,
2478 IEEE80211_RATE_MAXSIZE - rates[1]);
2479 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
2480 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid);
2481 if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
2482 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
2483 wh, ieee80211_mgt_subtype_name[subtype >>
2484 IEEE80211_FC0_SUBTYPE_SHIFT],
2485 "%s", "no ssid with ssid suppression enabled");
2486 ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/
2491 if (ni == ic->ic_bss) {
2492 if (ic->ic_opmode != IEEE80211_M_IBSS) {
2493 ni = ieee80211_tmp_node(ic, wh->i_addr2);
2495 } else if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
2497 * XXX Cannot tell if the sender is operating
2498 * in ibss mode. But we need a new node to
2499 * send the response so blindly add them to the
2502 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta,
2508 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2509 "[%s] recv probe req\n", ether_sprintf(wh->i_addr2));
2511 ni->ni_rstamp = rstamp;
2512 rate = ieee80211_setup_rates(ni, rates, xrates,
2513 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE
2514 | IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2515 if (rate & IEEE80211_RATE_BASIC) {
2516 IEEE80211_DISCARD(ic, IEEE80211_MSG_XRATE,
2517 wh, ieee80211_mgt_subtype_name[subtype >>
2518 IEEE80211_FC0_SUBTYPE_SHIFT],
2519 "%s", "recv'd rate set invalid");
2521 IEEE80211_SEND_MGMT(ic, ni,
2522 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0);
2526 * Temporary node created just to send a
2527 * response, reclaim immediately.
2529 ieee80211_free_node(ni);
2530 } else if (ath != NULL)
2531 ieee80211_saveath(ni, ath);
2534 case IEEE80211_FC0_SUBTYPE_AUTH: {
2535 uint16_t algo, seq, status;
2543 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
2544 algo = le16toh(*(uint16_t *)frm);
2545 seq = le16toh(*(uint16_t *)(frm + 2));
2546 status = le16toh(*(uint16_t *)(frm + 4));
2547 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH,
2548 "[%s] recv auth frame with algorithm %d seq %d\n",
2549 ether_sprintf(wh->i_addr2), algo, seq);
2551 * Consult the ACL policy module if setup.
2553 if (ic->ic_acl != NULL &&
2554 !ic->ic_acl->iac_check(ic, wh->i_addr2)) {
2555 IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL,
2556 wh, "auth", "%s", "disallowed by ACL");
2557 ic->ic_stats.is_rx_acl++;
2558 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2559 IEEE80211_SEND_MGMT(ic, ni,
2560 IEEE80211_FC0_SUBTYPE_AUTH,
2561 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
2565 if (ic->ic_flags & IEEE80211_F_COUNTERM) {
2566 IEEE80211_DISCARD(ic,
2567 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
2568 wh, "auth", "%s", "TKIP countermeasures enabled");
2569 ic->ic_stats.is_rx_auth_countermeasures++;
2570 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2571 IEEE80211_SEND_MGMT(ic, ni,
2572 IEEE80211_FC0_SUBTYPE_AUTH,
2573 IEEE80211_REASON_MIC_FAILURE);
2577 if (algo == IEEE80211_AUTH_ALG_SHARED)
2578 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi,
2579 noise, rstamp, seq, status);
2580 else if (algo == IEEE80211_AUTH_ALG_OPEN)
2581 ieee80211_auth_open(ic, wh, ni, rssi, noise, rstamp,
2584 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
2585 wh, "auth", "unsupported alg %d", algo);
2586 ic->ic_stats.is_rx_auth_unsupported++;
2587 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2589 IEEE80211_SEND_MGMT(ic, ni,
2590 IEEE80211_FC0_SUBTYPE_AUTH,
2591 (seq+1) | (IEEE80211_STATUS_ALG<<16));
2598 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
2599 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
2600 uint16_t capinfo, lintval;
2601 struct ieee80211_rsnparms rsnparms;
2605 if (ic->ic_opmode != IEEE80211_M_HOSTAP ||
2606 ic->ic_state != IEEE80211_S_RUN) {
2607 ic->ic_stats.is_rx_mgtdiscard++;
2611 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
2613 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
2616 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
2619 * asreq frame format
2620 * [2] capability information
2621 * [2] listen interval
2622 * [6*] current AP address (reassoc only)
2624 * [tlv] supported rates
2625 * [tlv] extended supported rates
2627 * [tlv] HT capabilities
2628 * [tlv] Atheros capabilities
2630 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
2631 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) {
2632 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
2633 wh, ieee80211_mgt_subtype_name[subtype >>
2634 IEEE80211_FC0_SUBTYPE_SHIFT],
2635 "%s", "wrong bssid");
2636 ic->ic_stats.is_rx_assoc_bss++;
2639 capinfo = le16toh(*(uint16_t *)frm); frm += 2;
2640 lintval = le16toh(*(uint16_t *)frm); frm += 2;
2642 frm += 6; /* ignore current AP info */
2643 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
2644 while (efrm - frm > 1) {
2645 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
2647 case IEEE80211_ELEMID_SSID:
2650 case IEEE80211_ELEMID_RATES:
2653 case IEEE80211_ELEMID_XRATES:
2656 /* XXX verify only one of RSN and WPA ie's? */
2657 case IEEE80211_ELEMID_RSN:
2660 case IEEE80211_ELEMID_HTCAP:
2663 case IEEE80211_ELEMID_VENDOR:
2666 else if (iswmeinfo(frm))
2668 else if (isatherosoui(frm))
2670 else if (ic->ic_flags_ext & IEEE80211_FEXT_HTCOMPAT) {
2671 if (ishtcapoui(frm) && htcap == NULL)
2678 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
2680 IEEE80211_VERIFY_ELEMENT(xrates,
2681 IEEE80211_RATE_MAXSIZE - rates[1]);
2682 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
2683 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid);
2684 if (htcap != NULL) {
2685 IEEE80211_VERIFY_LENGTH(htcap[1],
2686 htcap[0] == IEEE80211_ELEMID_VENDOR ?
2687 4 + sizeof(struct ieee80211_ie_htcap)-2 :
2688 sizeof(struct ieee80211_ie_htcap)-2,
2689 return); /* XXX just NULL out? */
2692 if (ni == ic->ic_bss) {
2693 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2694 "[%s] deny %s request, sta not authenticated\n",
2695 ether_sprintf(wh->i_addr2),
2696 reassoc ? "reassoc" : "assoc");
2697 ieee80211_send_error(ic, ni, wh->i_addr2,
2698 IEEE80211_FC0_SUBTYPE_DEAUTH,
2699 IEEE80211_REASON_ASSOC_NOT_AUTHED);
2700 ic->ic_stats.is_rx_assoc_notauth++;
2703 /* assert right association security credentials */
2705 switch (ic->ic_flags & IEEE80211_F_WPA) {
2706 case IEEE80211_F_WPA1:
2710 case IEEE80211_F_WPA2:
2714 case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
2715 if (wpa == NULL && rsn == NULL)
2720 IEEE80211_DPRINTF(ic,
2721 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
2722 "[%s] no WPA/RSN IE in association request\n",
2723 ether_sprintf(wh->i_addr2));
2724 IEEE80211_SEND_MGMT(ic, ni,
2725 IEEE80211_FC0_SUBTYPE_DEAUTH,
2726 IEEE80211_REASON_IE_INVALID);
2727 ieee80211_node_leave(ic, ni);
2728 ic->ic_stats.is_rx_assoc_badwpaie++;
2731 if (wpa != NULL || rsn != NULL) {
2733 * Parse WPA/RSN information element. Note that
2734 * we initialize the param block from the node
2735 * state so that information in the IE overrides
2736 * our defaults. The resulting parameters are
2737 * installed below after the association is assured.
2739 rsnparms = ni->ni_rsn;
2741 reason = ieee80211_parse_wpa(ic, wpa, &rsnparms, wh);
2743 reason = ieee80211_parse_rsn(ic, rsn, &rsnparms, wh);
2745 IEEE80211_SEND_MGMT(ic, ni,
2746 IEEE80211_FC0_SUBTYPE_DEAUTH, reason);
2747 ieee80211_node_leave(ic, ni);
2748 /* XXX distinguish WPA/RSN? */
2749 ic->ic_stats.is_rx_assoc_badwpaie++;
2752 IEEE80211_DPRINTF(ic,
2753 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
2754 "[%s] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n",
2755 ether_sprintf(wh->i_addr2),
2756 wpa != NULL ? "WPA" : "RSN",
2757 rsnparms.rsn_mcastcipher, rsnparms.rsn_mcastkeylen,
2758 rsnparms.rsn_ucastcipher, rsnparms.rsn_ucastkeylen,
2759 rsnparms.rsn_keymgmt, rsnparms.rsn_caps);
2761 /* discard challenge after association */
2762 if (ni->ni_challenge != NULL) {
2763 FREE(ni->ni_challenge, M_80211_NODE);
2764 ni->ni_challenge = NULL;
2766 /* NB: 802.11 spec says to ignore station's privacy bit */
2767 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2768 capinfomismatch(ni, wh, reassoc, resp,
2769 "capability", capinfo);
2773 * Disallow re-associate w/ invalid slot time setting.
2775 if (ni->ni_associd != 0 &&
2776 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
2777 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
2778 capinfomismatch(ni, wh, reassoc, resp,
2779 "slot time", capinfo);
2782 rate = ieee80211_setup_rates(ni, rates, xrates,
2783 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2784 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2785 if (rate & IEEE80211_RATE_BASIC) {
2786 ratesetmismatch(ni, wh, reassoc, resp, "basic", rate);
2790 * If constrained to 11g-only stations reject an
2791 * 11b-only station. We cheat a bit here by looking
2792 * at the max negotiated xmit rate and assuming anyone
2793 * with a best rate <24Mb/s is an 11b station.
2795 if ((ic->ic_flags & IEEE80211_F_PUREG) && rate < 48) {
2796 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2799 /* XXX enforce PUREN */
2800 /* 802.11n-specific rateset handling */
2801 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan) && htcap != NULL) {
2802 rate = ieee80211_setup_htrates(ni, htcap,
2803 IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO |
2805 if (rate & IEEE80211_RATE_BASIC) {
2806 /* XXX 11n-specific stat */
2807 ratesetmismatch(ni, wh, reassoc, resp,
2811 ieee80211_ht_node_init(ni, htcap);
2812 } else if (ni->ni_flags & IEEE80211_NODE_HT)
2813 ieee80211_ht_node_cleanup(ni);
2815 * Allow AMPDU operation only with unencrypted traffic
2816 * or AES-CCM; the 11n spec only specifies these ciphers
2817 * so permitting any others is undefined and can lead
2818 * to interoperability problems.
2820 * NB: We check for AES by looking at the GTK cipher
2821 * since the WPA/11i specs say the PTK cipher has
2822 * to be "as good or better".
2824 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
2825 (((ic->ic_flags & IEEE80211_F_WPA) &&
2826 rsnparms.rsn_mcastcipher != IEEE80211_CIPHER_AES_CCM) ||
2827 (ic->ic_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
2829 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
2830 "disallow HT use because WEP or TKIP requested, "
2831 "capinfo 0x%x mcastcipher %d", capinfo,
2832 rsnparms.rsn_mcastcipher);
2833 ieee80211_ht_node_cleanup(ni);
2834 ic->ic_stats.is_ht_assoc_downgrade++;
2837 * If constrained to 11n-only stations reject legacy stations.
2839 if ((ic->ic_flags_ext & IEEE80211_FEXT_PUREN) &&
2840 (ni->ni_flags & IEEE80211_NODE_HT) == 0) {
2841 htcapmismatch(ni, wh, reassoc, resp);
2842 ic->ic_stats.is_ht_assoc_nohtcap++;
2846 ni->ni_noise = noise;
2847 ni->ni_rstamp = rstamp;
2848 ni->ni_intval = lintval;
2849 ni->ni_capinfo = capinfo;
2850 ni->ni_chan = ic->ic_bsschan;
2851 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell;
2852 ni->ni_fhindex = ic->ic_bss->ni_fhindex;
2855 * Record WPA parameters for station, mark
2856 * node as using WPA and record information element
2857 * for applications that require it.
2859 ni->ni_rsn = rsnparms;
2860 ieee80211_saveie(&ni->ni_wpa_ie, wpa);
2861 } else if (ni->ni_wpa_ie != NULL) {
2863 * Flush any state from a previous association.
2865 FREE(ni->ni_wpa_ie, M_80211_NODE);
2866 ni->ni_wpa_ie = NULL;
2870 * Record RSN parameters for station, mark
2871 * node as using WPA and record information element
2872 * for applications that require it.
2874 ni->ni_rsn = rsnparms;
2875 ieee80211_saveie(&ni->ni_rsn_ie, rsn);
2876 } else if (ni->ni_rsn_ie != NULL) {
2878 * Flush any state from a previous association.
2880 FREE(ni->ni_rsn_ie, M_80211_NODE);
2881 ni->ni_rsn_ie = NULL;
2885 * Record WME parameters for station, mark node
2886 * as capable of QoS and record information
2887 * element for applications that require it.
2889 ieee80211_saveie(&ni->ni_wme_ie, wme);
2890 ni->ni_flags |= IEEE80211_NODE_QOS;
2891 } else if (ni->ni_wme_ie != NULL) {
2893 * Flush any state from a previous association.
2895 FREE(ni->ni_wme_ie, M_80211_NODE);
2896 ni->ni_wme_ie = NULL;
2897 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2901 * Record ATH parameters for station, mark
2902 * node with appropriate capabilities, and
2903 * record the information element for
2904 * applications that require it.
2906 ieee80211_saveath(ni, ath);
2907 } else if (ni->ni_ath_ie != NULL) {
2909 * Flush any state from a previous association.
2911 FREE(ni->ni_ath_ie, M_80211_NODE);
2912 ni->ni_ath_ie = NULL;
2913 ni->ni_ath_flags = 0;
2915 ieee80211_node_join(ic, ni, resp);
2916 ieee80211_deliver_l2uf(ni);
2920 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2921 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: {
2922 uint16_t capinfo, associd;
2925 if (ic->ic_opmode != IEEE80211_M_STA ||
2926 ic->ic_state != IEEE80211_S_ASSOC) {
2927 ic->ic_stats.is_rx_mgtdiscard++;
2932 * asresp frame format
2933 * [2] capability information
2935 * [2] association ID
2936 * [tlv] supported rates
2937 * [tlv] extended supported rates
2939 * [tlv] HT capabilities
2942 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
2944 capinfo = le16toh(*(uint16_t *)frm);
2946 status = le16toh(*(uint16_t *)frm);
2949 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2950 "[%s] %sassoc failed (reason %d)\n",
2951 ether_sprintf(wh->i_addr2),
2952 ISREASSOC(subtype) ? "re" : "", status);
2953 if (ni != ic->ic_bss) /* XXX never true? */
2955 ic->ic_stats.is_rx_auth_fail++; /* XXX */
2958 associd = le16toh(*(uint16_t *)frm);
2961 rates = xrates = wme = htcap = htinfo = NULL;
2962 while (efrm - frm > 1) {
2963 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
2965 case IEEE80211_ELEMID_RATES:
2968 case IEEE80211_ELEMID_XRATES:
2971 case IEEE80211_ELEMID_HTCAP:
2974 case IEEE80211_ELEMID_HTINFO:
2977 case IEEE80211_ELEMID_VENDOR:
2980 else if (ic->ic_flags_ext & IEEE80211_FEXT_HTCOMPAT) {
2982 * Accept pre-draft HT ie's if the
2983 * standard ones have not been seen.
2985 if (ishtcapoui(frm)) {
2988 } else if (ishtinfooui(frm)) {
2993 /* XXX Atheros OUI support */
2999 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
3001 IEEE80211_VERIFY_ELEMENT(xrates,
3002 IEEE80211_RATE_MAXSIZE - rates[1]);
3003 rate = ieee80211_setup_rates(ni, rates, xrates,
3005 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
3006 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
3007 if (rate & IEEE80211_RATE_BASIC) {
3008 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
3009 "[%s] %sassoc failed (rate set mismatch)\n",
3010 ether_sprintf(wh->i_addr2),
3011 ISREASSOC(subtype) ? "re" : "");
3012 if (ni != ic->ic_bss) /* XXX never true? */
3014 ic->ic_stats.is_rx_assoc_norate++;
3015 ieee80211_new_state(ic, IEEE80211_S_SCAN,
3016 IEEE80211_SCAN_FAIL_STATUS);
3020 ni->ni_capinfo = capinfo;
3021 ni->ni_associd = associd;
3023 ieee80211_parse_wmeparams(ic, wme, wh) >= 0) {
3024 ni->ni_flags |= IEEE80211_NODE_QOS;
3025 ieee80211_wme_updateparams(ic);
3027 ni->ni_flags &= ~IEEE80211_NODE_QOS;
3029 * Setup HT state according to the negotiation.
3031 if ((ic->ic_htcaps & IEEE80211_HTC_HT) &&
3032 htcap != NULL && htinfo != NULL) {
3033 ieee80211_ht_node_init(ni, htcap);
3034 ieee80211_parse_htinfo(ni, htinfo);
3035 ieee80211_setup_htrates(ni,
3036 htcap, IEEE80211_F_JOIN | IEEE80211_F_DOBRS);
3037 ieee80211_setup_basic_htrates(ni, htinfo);
3038 if (ni->ni_chan != ic->ic_bsschan) {
3040 * Channel has been adjusted based on
3041 * negotiated HT parameters; force the
3042 * channel state to follow.
3044 ieee80211_setbsschan(ic, ni->ni_chan);
3048 * Configure state now that we are associated.
3050 * XXX may need different/additional driver callbacks?
3052 if (IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
3053 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) {
3054 ic->ic_flags |= IEEE80211_F_SHPREAMBLE;
3055 ic->ic_flags &= ~IEEE80211_F_USEBARKER;
3057 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE;
3058 ic->ic_flags |= IEEE80211_F_USEBARKER;
3060 ieee80211_set_shortslottime(ic,
3061 IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
3062 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
3064 * Honor ERP protection.
3066 * NB: ni_erp should zero for non-11g operation.
3068 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
3069 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
3070 ic->ic_flags |= IEEE80211_F_USEPROT;
3072 ic->ic_flags &= ~IEEE80211_F_USEPROT;
3073 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
3074 "[%s] %sassoc success: %s preamble, %s slot time%s%s%s%s\n",
3075 ether_sprintf(wh->i_addr2),
3076 ISREASSOC(subtype) ? "re" : "",
3077 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long",
3078 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long",
3079 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "",
3080 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "",
3081 ni->ni_flags & IEEE80211_NODE_HT ?
3082 (ni->ni_chw == 20 ? ", HT20" : ", HT40") : "",
3083 ni->ni_flags & IEEE80211_NODE_AMPDU ? " (+AMPDU)" : "",
3084 IEEE80211_ATH_CAP(ic, ni, IEEE80211_NODE_FF) ?
3085 ", fast-frames" : "",
3086 IEEE80211_ATH_CAP(ic, ni, IEEE80211_NODE_TURBOP) ?
3089 ieee80211_new_state(ic, IEEE80211_S_RUN, subtype);
3093 case IEEE80211_FC0_SUBTYPE_DEAUTH: {
3096 if (ic->ic_state == IEEE80211_S_SCAN) {
3097 ic->ic_stats.is_rx_mgtdiscard++;
3101 * deauth frame format
3104 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
3105 reason = le16toh(*(uint16_t *)frm);
3106 ic->ic_stats.is_rx_deauth++;
3107 IEEE80211_NODE_STAT(ni, rx_deauth);
3109 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) {
3110 /* NB: can happen when in promiscuous mode */
3111 ic->ic_stats.is_rx_mgtdiscard++;
3114 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH,
3115 "[%s] recv deauthenticate (reason %d)\n",
3116 ether_sprintf(ni->ni_macaddr), reason);
3117 switch (ic->ic_opmode) {
3118 case IEEE80211_M_STA:
3119 ieee80211_new_state(ic, IEEE80211_S_AUTH,
3120 (reason << 8) | IEEE80211_FC0_SUBTYPE_DEAUTH);
3122 case IEEE80211_M_HOSTAP:
3123 if (ni != ic->ic_bss)
3124 ieee80211_node_leave(ic, ni);
3127 ic->ic_stats.is_rx_mgtdiscard++;
3133 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
3136 if (ic->ic_state != IEEE80211_S_RUN &&
3137 ic->ic_state != IEEE80211_S_ASSOC &&
3138 ic->ic_state != IEEE80211_S_AUTH) {
3139 ic->ic_stats.is_rx_mgtdiscard++;
3143 * disassoc frame format
3146 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
3147 reason = le16toh(*(uint16_t *)frm);
3148 ic->ic_stats.is_rx_disassoc++;
3149 IEEE80211_NODE_STAT(ni, rx_disassoc);
3151 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) {
3152 /* NB: can happen when in promiscuous mode */
3153 ic->ic_stats.is_rx_mgtdiscard++;
3156 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
3157 "[%s] recv disassociate (reason %d)\n",
3158 ether_sprintf(ni->ni_macaddr), reason);
3159 switch (ic->ic_opmode) {
3160 case IEEE80211_M_STA:
3161 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 0);
3163 case IEEE80211_M_HOSTAP:
3164 if (ni != ic->ic_bss)
3165 ieee80211_node_leave(ic, ni);
3168 ic->ic_stats.is_rx_mgtdiscard++;
3174 case IEEE80211_FC0_SUBTYPE_ACTION: {
3175 const struct ieee80211_action *ia;
3177 if (ic->ic_state != IEEE80211_S_RUN &&
3178 ic->ic_state != IEEE80211_S_ASSOC &&
3179 ic->ic_state != IEEE80211_S_AUTH) {
3180 ic->ic_stats.is_rx_mgtdiscard++;
3184 * action frame format:
3189 IEEE80211_VERIFY_LENGTH(efrm - frm,
3190 sizeof(struct ieee80211_action), return);
3191 ia = (const struct ieee80211_action *) frm;
3193 ic->ic_stats.is_rx_action++;
3194 IEEE80211_NODE_STAT(ni, rx_action);
3196 /* verify frame payloads but defer processing */
3197 /* XXX maybe push this to method */
3198 switch (ia->ia_category) {
3199 case IEEE80211_ACTION_CAT_BA:
3200 switch (ia->ia_action) {
3201 case IEEE80211_ACTION_BA_ADDBA_REQUEST:
3202 IEEE80211_VERIFY_LENGTH(efrm - frm,
3203 sizeof(struct ieee80211_action_ba_addbarequest),
3206 case IEEE80211_ACTION_BA_ADDBA_RESPONSE:
3207 IEEE80211_VERIFY_LENGTH(efrm - frm,
3208 sizeof(struct ieee80211_action_ba_addbaresponse),
3211 case IEEE80211_ACTION_BA_DELBA:
3212 IEEE80211_VERIFY_LENGTH(efrm - frm,
3213 sizeof(struct ieee80211_action_ba_delba),
3218 case IEEE80211_ACTION_CAT_HT:
3219 switch (ia->ia_action) {
3220 case IEEE80211_ACTION_HT_TXCHWIDTH:
3221 IEEE80211_VERIFY_LENGTH(efrm - frm,
3222 sizeof(struct ieee80211_action_ht_txchwidth),
3228 ic->ic_recv_action(ni, frm, efrm);
3233 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
3234 wh, "mgt", "subtype 0x%x not handled", subtype);
3235 ic->ic_stats.is_rx_badsubtype++;
3241 #undef IEEE80211_VERIFY_LENGTH
3242 #undef IEEE80211_VERIFY_ELEMENT
3245 * Process a received ps-poll frame.
3248 ieee80211_recv_pspoll(struct ieee80211com *ic,
3249 struct ieee80211_node *ni, struct mbuf *m0)
3251 struct ieee80211_frame_min *wh;
3256 wh = mtod(m0, struct ieee80211_frame_min *);
3257 if (ni->ni_associd == 0) {
3258 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
3259 (struct ieee80211_frame *) wh, "ps-poll",
3260 "%s", "unassociated station");
3261 ic->ic_stats.is_ps_unassoc++;
3262 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
3263 IEEE80211_REASON_NOT_ASSOCED);
3267 aid = le16toh(*(uint16_t *)wh->i_dur);
3268 if (aid != ni->ni_associd) {
3269 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
3270 (struct ieee80211_frame *) wh, "ps-poll",
3271 "aid mismatch: sta aid 0x%x poll aid 0x%x",
3272 ni->ni_associd, aid);
3273 ic->ic_stats.is_ps_badaid++;
3274 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
3275 IEEE80211_REASON_NOT_ASSOCED);
3279 /* Okay, take the first queued packet and put it out... */
3280 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen);
3282 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
3283 "[%s] recv ps-poll, but queue empty\n",
3284 ether_sprintf(wh->i_addr2));
3285 ieee80211_send_nulldata(ieee80211_ref_node(ni));
3286 ic->ic_stats.is_ps_qempty++; /* XXX node stat */
3287 if (ic->ic_set_tim != NULL)
3288 ic->ic_set_tim(ni, 0); /* just in case */
3292 * If there are more packets, set the more packets bit
3293 * in the packet dispatched to the station; otherwise
3294 * turn off the TIM bit.
3297 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
3298 "[%s] recv ps-poll, send packet, %u still queued\n",
3299 ether_sprintf(ni->ni_macaddr), qlen);
3300 m->m_flags |= M_MORE_DATA;
3302 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
3303 "[%s] recv ps-poll, send packet, queue empty\n",
3304 ether_sprintf(ni->ni_macaddr));
3305 if (ic->ic_set_tim != NULL)
3306 ic->ic_set_tim(ni, 0);
3308 m->m_flags |= M_PWR_SAV; /* bypass PS handling */
3309 IF_ENQUEUE(&ic->ic_ifp->if_snd, m);
3312 #ifdef IEEE80211_DEBUG
3314 * Debugging support.
3318 * Return the bssid of a frame.
3320 static const uint8_t *
3321 ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh)
3323 if (ic->ic_opmode == IEEE80211_M_STA)
3325 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS)
3327 if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL)
3333 ieee80211_note(struct ieee80211com *ic, const char *fmt, ...)
3335 char buf[128]; /* XXX */
3339 vsnprintf(buf, sizeof(buf), fmt, ap);
3342 if_printf(ic->ic_ifp, "%s", buf); /* NB: no \n */
3346 ieee80211_note_frame(struct ieee80211com *ic,
3347 const struct ieee80211_frame *wh,
3348 const char *fmt, ...)
3350 char buf[128]; /* XXX */
3354 vsnprintf(buf, sizeof(buf), fmt, ap);
3356 if_printf(ic->ic_ifp, "[%s] %s\n",
3357 ether_sprintf(ieee80211_getbssid(ic, wh)), buf);
3361 ieee80211_note_mac(struct ieee80211com *ic,
3362 const uint8_t mac[IEEE80211_ADDR_LEN],
3363 const char *fmt, ...)
3365 char buf[128]; /* XXX */
3369 vsnprintf(buf, sizeof(buf), fmt, ap);
3371 if_printf(ic->ic_ifp, "[%s] %s\n", ether_sprintf(mac), buf);
3375 ieee80211_discard_frame(struct ieee80211com *ic,
3376 const struct ieee80211_frame *wh,
3377 const char *type, const char *fmt, ...)
3381 printf("[%s:%s] discard ", ic->ic_ifp->if_xname,
3382 ether_sprintf(ieee80211_getbssid(ic, wh)));
3384 printf("%s frame, ", type);
3394 ieee80211_discard_ie(struct ieee80211com *ic,
3395 const struct ieee80211_frame *wh,
3396 const char *type, const char *fmt, ...)
3400 printf("[%s:%s] discard ", ic->ic_ifp->if_xname,
3401 ether_sprintf(ieee80211_getbssid(ic, wh)));
3403 printf("%s information element, ", type);
3405 printf("information element, ");
3413 ieee80211_discard_mac(struct ieee80211com *ic,
3414 const uint8_t mac[IEEE80211_ADDR_LEN],
3415 const char *type, const char *fmt, ...)
3419 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, ether_sprintf(mac));
3421 printf("%s frame, ", type);
3429 #endif /* IEEE80211_DEBUG */