sys/net80211/ieee80211_sta.c

   1 /*-
   2  * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
   3  * All rights reserved.
   4  *
   5  * Redistribution and use in source and binary forms, with or without
   6  * modification, are permitted provided that the following conditions
   7  * are met:
   8  * 1. Redistributions of source code must retain the above copyright
   9  *    notice, this list of conditions and the following disclaimer.
  10  * 2. Redistributions in binary form must reproduce the above copyright
  11  *    notice, this list of conditions and the following disclaimer in the
  12  *    documentation and/or other materials provided with the distribution.
  13  *
  14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  24  */
  25
  26 #include <sys/cdefs.h>
  27 #ifdef __FreeBSD__
  28 __FBSDID("$FreeBSD$");
  29 #endif
  30
  31 /*
  32  * IEEE 802.11 Station mode support.
  33  */
  34 #include "opt_inet.h"
  35 #include "opt_wlan.h"
  36
  37 #include <sys/param.h>
  38 #include <sys/systm.h>
  39 #include <sys/mbuf.h>
  40 #include <sys/malloc.h>
  41 #include <sys/kernel.h>
  42
  43 #include <sys/socket.h>
  44 #include <sys/sockio.h>
  45 #include <sys/endian.h>
  46 #include <sys/errno.h>
  47 #include <sys/proc.h>
  48 #include <sys/sysctl.h>
  49
  50 #include <net/if.h>
  51 #include <net/if_media.h>
  52 #include <net/if_llc.h>
  53 #include <net/ethernet.h>
  54
  55 #include <net/bpf.h>
  56
  57 #include <net80211/ieee80211_var.h>
  58 #include <net80211/ieee80211_sta.h>
  59 #include <net80211/ieee80211_input.h>
  60 #ifdef IEEE80211_SUPPORT_SUPERG
  61 #include <net80211/ieee80211_superg.h>
  62 #endif
  63
  64 #define IEEE80211_RATE2MBS(r)   (((r) & IEEE80211_RATE_VAL) / 2)
  65
  66 static  void sta_vattach(struct ieee80211vap *);
  67 static  void sta_beacon_miss(struct ieee80211vap *);
  68 static  int sta_newstate(struct ieee80211vap *, enum ieee80211_state, int);
  69 static  int sta_input(struct ieee80211_node *, struct mbuf *,
  70             int rssi, int noise, uint32_t rstamp);
  71 static void sta_recv_mgmt(struct ieee80211_node *, struct mbuf *,
  72             int subtype, int rssi, int noise, uint32_t rstamp);
  73 static void sta_recv_ctl(struct ieee80211_node *, struct mbuf *, int subtype);
  74
  75 void
  76 ieee80211_sta_attach(struct ieee80211com *ic)
  77 {
  78         ic->ic_vattach[IEEE80211_M_STA] = sta_vattach;
  79 }
  80
  81 void
  82 ieee80211_sta_detach(struct ieee80211com *ic)
  83 {
  84 }
  85
  86 static void
  87 sta_vdetach(struct ieee80211vap *vap)
  88 {
  89 }
  90
  91 static void
  92 sta_vattach(struct ieee80211vap *vap)
  93 {
  94         vap->iv_newstate = sta_newstate;
  95         vap->iv_input = sta_input;
  96         vap->iv_recv_mgmt = sta_recv_mgmt;
  97         vap->iv_recv_ctl = sta_recv_ctl;
  98         vap->iv_opdetach = sta_vdetach;
  99         vap->iv_bmiss = sta_beacon_miss;
 100 }
 101
 102 /*
 103  * Handle a beacon miss event.  The common code filters out
 104  * spurious events that can happen when scanning and/or before
 105  * reaching RUN state.
 106  */
 107 static void
 108 sta_beacon_miss(struct ieee80211vap *vap)
 109 {
 110         KASSERT((vap->iv_ic->ic_flags & IEEE80211_F_SCAN) == 0, ("scanning"));
 111         KASSERT(vap->iv_state == IEEE80211_S_RUN,
 112             ("wrong state %d", vap->iv_state));
 113
 114         IEEE80211_DPRINTF(vap,
 115                 IEEE80211_MSG_STATE | IEEE80211_MSG_DEBUG,
 116                 "beacon miss, mode %u state %s\n",
 117                 vap->iv_opmode, ieee80211_state_name[vap->iv_state]);
 118
 119         if (++vap->iv_bmiss_count < vap->iv_bmiss_max) {
 120                 /*
 121                  * Send a directed probe req before falling back to a
 122                  * scan; if we receive a response ic_bmiss_count will
 123                  * be reset.  Some cards mistakenly report beacon miss
 124                  * so this avoids the expensive scan if the ap is
 125                  * still there.
 126                  */
 127                 ieee80211_send_probereq(vap->iv_bss, vap->iv_myaddr,
 128                         vap->iv_bss->ni_bssid, vap->iv_bss->ni_bssid,
 129                         vap->iv_bss->ni_essid, vap->iv_bss->ni_esslen);
 130                 return;
 131         }
 132         vap->iv_bmiss_count = 0;
 133         vap->iv_stats.is_beacon_miss++;
 134         if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
 135 #ifdef IEEE80211_SUPPORT_SUPERG
 136                 struct ieee80211com *ic = vap->iv_ic;
 137
 138                 /*
 139                  * If we receive a beacon miss interrupt when using
 140                  * dynamic turbo, attempt to switch modes before
 141                  * reassociating.
 142                  */
 143                 if (IEEE80211_ATH_CAP(vap, vap->iv_bss, IEEE80211_NODE_TURBOP))
 144                         ieee80211_dturbo_switch(vap,
 145                             ic->ic_bsschan->ic_flags ^ IEEE80211_CHAN_TURBO);
 146 #endif
 147                 /*
 148                  * Try to reassociate before scanning for a new ap.
 149                  */
 150                 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 1);
 151         } else {
 152                 /*
 153                  * Somebody else is controlling state changes (e.g.
 154                  * a user-mode app) don't do anything that would
 155                  * confuse them; just drop into scan mode so they'll
 156                  * notified of the state change and given control.
 157                  */
 158                 ieee80211_new_state(vap, IEEE80211_S_SCAN, 0);
 159         }
 160 }
 161
 162 /*
 163  * Handle deauth with reason.  We retry only for
 164  * the cases where we might succeed.  Otherwise
 165  * we downgrade the ap and scan.
 166  */
 167 static void
 168 sta_authretry(struct ieee80211vap *vap, struct ieee80211_node *ni, int reason)
 169 {
 170         switch (reason) {
 171         case IEEE80211_STATUS_SUCCESS:          /* NB: MLME assoc */
 172         case IEEE80211_STATUS_TIMEOUT:
 173         case IEEE80211_REASON_ASSOC_EXPIRE:
 174         case IEEE80211_REASON_NOT_AUTHED:
 175         case IEEE80211_REASON_NOT_ASSOCED:
 176         case IEEE80211_REASON_ASSOC_LEAVE:
 177         case IEEE80211_REASON_ASSOC_NOT_AUTHED:
 178                 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, 1);
 179                 break;
 180         default:
 181                 ieee80211_scan_assoc_fail(vap, vap->iv_bss->ni_macaddr, reason);
 182                 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
 183                         ieee80211_check_scan_current(vap);
 184                 break;
 185         }
 186 }
 187
 188 /*
 189  * IEEE80211_M_STA vap state machine handler.
 190  * This routine handles the main states in the 802.11 protocol.
 191  */
 192 static int
 193 sta_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
 194 {
 195         struct ieee80211com *ic = vap->iv_ic;
 196         struct ieee80211_node *ni;
 197         enum ieee80211_state ostate;
 198
 199         IEEE80211_LOCK_ASSERT(ic);
 200
 201         ostate = vap->iv_state;
 202         IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
 203             __func__, ieee80211_state_name[ostate],
 204             ieee80211_state_name[nstate], arg);
 205         vap->iv_state = nstate;                 /* state transition */
 206         callout_stop(&vap->iv_mgtsend);         /* XXX callout_drain */
 207         if (ostate != IEEE80211_S_SCAN)
 208                 ieee80211_cancel_scan(vap);     /* background scan */
 209         ni = vap->iv_bss;                       /* NB: no reference held */
 210         if (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS)
 211                 callout_stop(&vap->iv_swbmiss);
 212         switch (nstate) {
 213         case IEEE80211_S_INIT:
 214                 switch (ostate) {
 215                 case IEEE80211_S_SLEEP:
 216                         /* XXX wakeup */
 217                 case IEEE80211_S_RUN:
 218                         IEEE80211_SEND_MGMT(ni,
 219                             IEEE80211_FC0_SUBTYPE_DISASSOC,
 220                             IEEE80211_REASON_ASSOC_LEAVE);
 221                         ieee80211_sta_leave(ni);
 222                         break;
 223                 case IEEE80211_S_ASSOC:
 224                         IEEE80211_SEND_MGMT(ni,
 225                             IEEE80211_FC0_SUBTYPE_DEAUTH,
 226                             IEEE80211_REASON_AUTH_LEAVE);
 227                         break;
 228                 case IEEE80211_S_SCAN:
 229                         ieee80211_cancel_scan(vap);
 230                         break;
 231                 default:
 232                         goto invalid;
 233                 }
 234                 if (ostate != IEEE80211_S_INIT) {
 235                         /* NB: optimize INIT -> INIT case */
 236                         ieee80211_reset_bss(vap);
 237                 }
 238                 if (vap->iv_auth->ia_detach != NULL)
 239                         vap->iv_auth->ia_detach(vap);
 240                 break;
 241         case IEEE80211_S_SCAN:
 242                 switch (ostate) {
 243                 case IEEE80211_S_INIT:
 244                         /*
 245                          * Initiate a scan.  We can come here as a result
 246                          * of an IEEE80211_IOC_SCAN_REQ too in which case
 247                          * the vap will be marked with IEEE80211_FEXT_SCANREQ
 248                          * and the scan request parameters will be present
 249                          * in iv_scanreq.  Otherwise we do the default.
 250                          */
 251                         if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
 252                                 ieee80211_check_scan(vap,
 253                                     vap->iv_scanreq_flags,
 254                                     vap->iv_scanreq_duration,
 255                                     vap->iv_scanreq_mindwell,
 256                                     vap->iv_scanreq_maxdwell,
 257                                     vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
 258                                 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
 259                         } else
 260                                 ieee80211_check_scan_current(vap);
 261                         break;
 262                 case IEEE80211_S_SCAN:
 263                 case IEEE80211_S_AUTH:
 264                 case IEEE80211_S_ASSOC:
 265                         /*
 266                          * These can happen either because of a timeout
 267                          * on an assoc/auth response or because of a
 268                          * change in state that requires a reset.  For
 269                          * the former we're called with a non-zero arg
 270                          * that is the cause for the failure; pass this
 271                          * to the scan code so it can update state.
 272                          * Otherwise trigger a new scan unless we're in
 273                          * manual roaming mode in which case an application
 274                          * must issue an explicit scan request.
 275                          */
 276                         if (arg != 0)
 277                                 ieee80211_scan_assoc_fail(vap,
 278                                         vap->iv_bss->ni_macaddr, arg);
 279                         if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
 280                                 ieee80211_check_scan_current(vap);
 281                         break;
 282                 case IEEE80211_S_RUN:           /* beacon miss */
 283                         /*
 284                          * Beacon miss.  Notify user space and if not
 285                          * under control of a user application (roaming
 286                          * manual) kick off a scan to re-connect.
 287                          */
 288                         ieee80211_sta_leave(ni);
 289                         if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
 290                                 ieee80211_check_scan_current(vap);
 291                         break;
 292                 default:
 293                         goto invalid;
 294                 }
 295                 break;
 296         case IEEE80211_S_AUTH:
 297                 switch (ostate) {
 298                 case IEEE80211_S_INIT:
 299                 case IEEE80211_S_SCAN:
 300                         IEEE80211_SEND_MGMT(ni,
 301                             IEEE80211_FC0_SUBTYPE_AUTH, 1);
 302                         break;
 303                 case IEEE80211_S_AUTH:
 304                 case IEEE80211_S_ASSOC:
 305                         switch (arg & 0xff) {
 306                         case IEEE80211_FC0_SUBTYPE_AUTH:
 307                                 /* ??? */
 308                                 IEEE80211_SEND_MGMT(ni,
 309                                     IEEE80211_FC0_SUBTYPE_AUTH, 2);
 310                                 break;
 311                         case IEEE80211_FC0_SUBTYPE_DEAUTH:
 312                                 sta_authretry(vap, ni, arg>>8);
 313                                 break;
 314                         }
 315                         break;
 316                 case IEEE80211_S_RUN:
 317                         switch (arg & 0xff) {
 318                         case IEEE80211_FC0_SUBTYPE_AUTH:
 319                                 IEEE80211_SEND_MGMT(ni,
 320                                     IEEE80211_FC0_SUBTYPE_AUTH, 2);
 321                                 vap->iv_state = ostate; /* stay RUN */
 322                                 break;
 323                         case IEEE80211_FC0_SUBTYPE_DEAUTH:
 324                                 ieee80211_sta_leave(ni);
 325                                 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
 326                                         /* try to reauth */
 327                                         IEEE80211_SEND_MGMT(ni,
 328                                             IEEE80211_FC0_SUBTYPE_AUTH, 1);
 329                                 }
 330                                 break;
 331                         }
 332                         break;
 333                 default:
 334                         goto invalid;
 335                 }
 336                 break;
 337         case IEEE80211_S_ASSOC:
 338                 switch (ostate) {
 339                 case IEEE80211_S_AUTH:
 340                 case IEEE80211_S_ASSOC:
 341                         IEEE80211_SEND_MGMT(ni,
 342                             IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
 343                         break;
 344                 case IEEE80211_S_SLEEP:         /* cannot happen */
 345                 case IEEE80211_S_RUN:
 346                         ieee80211_sta_leave(ni);
 347                         if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
 348                                 IEEE80211_SEND_MGMT(ni, arg ?
 349                                     IEEE80211_FC0_SUBTYPE_REASSOC_REQ :
 350                                     IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
 351                         }
 352                         break;
 353                 default:
 354                         goto invalid;
 355                 }
 356                 break;
 357         case IEEE80211_S_RUN:
 358                 if (vap->iv_flags & IEEE80211_F_WPA) {
 359                         /* XXX validate prerequisites */
 360                 }
 361                 switch (ostate) {
 362                 case IEEE80211_S_RUN:
 363                         break;
 364                 case IEEE80211_S_AUTH:          /* when join is done in fw */
 365                 case IEEE80211_S_ASSOC:
 366 #ifdef IEEE80211_DEBUG
 367                         if (ieee80211_msg_debug(vap)) {
 368                                 ieee80211_note(vap, "%s with %s ssid ",
 369                                     (vap->iv_opmode == IEEE80211_M_STA ?
 370                                     "associated" : "synchronized"),
 371                                     ether_sprintf(ni->ni_bssid));
 372                                 ieee80211_print_essid(vap->iv_bss->ni_essid,
 373                                     ni->ni_esslen);
 374                                 /* XXX MCS/HT */
 375                                 printf(" channel %d start %uMb\n",
 376                                     ieee80211_chan2ieee(ic, ic->ic_curchan),
 377                                     IEEE80211_RATE2MBS(ni->ni_txrate));
 378                         }
 379 #endif
 380                         ieee80211_scan_assoc_success(vap, ni->ni_macaddr);
 381                         ieee80211_notify_node_join(ni,
 382                             arg == IEEE80211_FC0_SUBTYPE_ASSOC_RESP);
 383                         break;
 384                 case IEEE80211_S_SLEEP:
 385                         ieee80211_sta_pwrsave(vap, 0);
 386                         break;
 387                 default:
 388                         goto invalid;
 389                 }
 390                 ieee80211_sync_curchan(ic);
 391                 if (ostate != IEEE80211_S_RUN &&
 392                     (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS)) {
 393                         /*
 394                          * Start s/w beacon miss timer for devices w/o
 395                          * hardware support.  We fudge a bit here since
 396                          * we're doing this in software.
 397                          */
 398                         vap->iv_swbmiss_period = IEEE80211_TU_TO_TICKS(
 399                                 2 * vap->iv_bmissthreshold * ni->ni_intval);
 400                         vap->iv_swbmiss_count = 0;
 401                         callout_reset(&vap->iv_swbmiss, vap->iv_swbmiss_period,
 402                                 ieee80211_swbmiss, vap);
 403                 }
 404                 /*
 405                  * When 802.1x is not in use mark the port authorized
 406                  * at this point so traffic can flow.
 407                  */
 408                 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
 409                         ieee80211_node_authorize(ni);
 410                 /*
 411                  * Fake association when joining an existing bss.
 412                  */
 413                 if (ic->ic_newassoc != NULL)
 414                         ic->ic_newassoc(vap->iv_bss, ostate != IEEE80211_S_RUN);
 415                 break;
 416         case IEEE80211_S_SLEEP:
 417                 ieee80211_sta_pwrsave(vap, 0);
 418                 break;
 419         default:
 420         invalid:
 421                 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE,
 422                     "%s: unexpected state transition %s -> %s\n", __func__,
 423                     ieee80211_state_name[ostate], ieee80211_state_name[nstate]);
 424                 break;
 425         }
 426         return 0;
 427 }
 428
 429 /*
 430  * Return non-zero if the frame is an echo of a multicast
 431  * frame sent by ourself.  The dir is known to be DSTODS.
 432  */
 433 static __inline int
 434 isdstods_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh)
 435 {
 436 #define QWH4(wh)        ((const struct ieee80211_qosframe_addr4 *)wh)
 437 #define WH4(wh)         ((const struct ieee80211_frame_addr4 *)wh)
 438         const uint8_t *sa;
 439
 440         KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode"));
 441
 442         if (!IEEE80211_IS_MULTICAST(wh->i_addr3))
 443                 return 0;
 444         sa = IEEE80211_QOS_HAS_SEQ(wh) ? QWH4(wh)->i_addr4 : WH4(wh)->i_addr4;
 445         return IEEE80211_ADDR_EQ(sa, vap->iv_myaddr);
 446 #undef WH4
 447 #undef QWH4
 448 }
 449
 450 /*
 451  * Return non-zero if the frame is an echo of a multicast
 452  * frame sent by ourself.  The dir is known to be FROMDS.
 453  */
 454 static __inline int
 455 isfromds_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh)
 456 {
 457         KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode"));
 458
 459         if (!IEEE80211_IS_MULTICAST(wh->i_addr1))
 460                 return 0;
 461         return IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_myaddr);
 462 }
 463
 464 /*
 465  * Decide if a received management frame should be
 466  * printed when debugging is enabled.  This filters some
 467  * of the less interesting frames that come frequently
 468  * (e.g. beacons).
 469  */
 470 static __inline int
 471 doprint(struct ieee80211vap *vap, int subtype)
 472 {
 473         switch (subtype) {
 474         case IEEE80211_FC0_SUBTYPE_BEACON:
 475                 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
 476         case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
 477                 return 0;
 478         }
 479         return 1;
 480 }
 481
 482 /*
 483  * Process a received frame.  The node associated with the sender
 484  * should be supplied.  If nothing was found in the node table then
 485  * the caller is assumed to supply a reference to iv_bss instead.
 486  * The RSSI and a timestamp are also supplied.  The RSSI data is used
 487  * during AP scanning to select a AP to associate with; it can have
 488  * any units so long as values have consistent units and higher values
 489  * mean ``better signal''.  The receive timestamp is currently not used
 490  * by the 802.11 layer.
 491  */
 492 static int
 493 sta_input(struct ieee80211_node *ni, struct mbuf *m,
 494         int rssi, int noise, uint32_t rstamp)
 495 {
 496 #define SEQ_LEQ(a,b)    ((int)((a)-(b)) <= 0)
 497 #define HAS_SEQ(type)   ((type & 0x4) == 0)
 498         struct ieee80211vap *vap = ni->ni_vap;
 499         struct ieee80211com *ic = ni->ni_ic;
 500         struct ifnet *ifp = vap->iv_ifp;
 501         struct ieee80211_frame *wh;
 502         struct ieee80211_key *key;
 503         struct ether_header *eh;
 504         int hdrspace, need_tap;
 505         uint8_t dir, type, subtype, qos;
 506         uint8_t *bssid;
 507         uint16_t rxseq;
 508
 509         if (m->m_flags & M_AMPDU_MPDU) {
 510                 /*
 511                  * Fastpath for A-MPDU reorder q resubmission.  Frames
 512                  * w/ M_AMPDU_MPDU marked have already passed through
 513                  * here but were received out of order and been held on
 514                  * the reorder queue.  When resubmitted they are marked
 515                  * with the M_AMPDU_MPDU flag and we can bypass most of
 516                  * the normal processing.
 517                  */
 518                 wh = mtod(m, struct ieee80211_frame *);
 519                 type = IEEE80211_FC0_TYPE_DATA;
 520                 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
 521                 subtype = IEEE80211_FC0_SUBTYPE_QOS;
 522                 hdrspace = ieee80211_hdrspace(ic, wh);  /* XXX optimize? */
 523                 goto resubmit_ampdu;
 524         }
 525
 526         KASSERT(ni != NULL, ("null node"));
 527         ni->ni_inact = ni->ni_inact_reload;
 528
 529         need_tap = 1;                   /* mbuf need to be tapped. */
 530         type = -1;                      /* undefined */
 531
 532         if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
 533                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
 534                     ni->ni_macaddr, NULL,
 535                     "too short (1): len %u", m->m_pkthdr.len);
 536                 vap->iv_stats.is_rx_tooshort++;
 537                 goto out;
 538         }
 539         /*
 540          * Bit of a cheat here, we use a pointer for a 3-address
 541          * frame format but don't reference fields past outside
 542          * ieee80211_frame_min w/o first validating the data is
 543          * present.
 544          */
 545         wh = mtod(m, struct ieee80211_frame *);
 546
 547         if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
 548             IEEE80211_FC0_VERSION_0) {
 549                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
 550                     ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
 551                     wh->i_fc[0], wh->i_fc[1]);
 552                 vap->iv_stats.is_rx_badversion++;
 553                 goto err;
 554         }
 555
 556         dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
 557         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
 558         subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
 559         if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
 560                 bssid = wh->i_addr2;
 561                 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) {
 562                         /* not interested in */
 563                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
 564                             bssid, NULL, "%s", "not to bss");
 565                         vap->iv_stats.is_rx_wrongbss++;
 566                         goto out;
 567                 }
 568                 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
 569                 ni->ni_noise = noise;
 570                 ni->ni_rstamp = rstamp;
 571                 if (HAS_SEQ(type)) {
 572                         uint8_t tid = ieee80211_gettid(wh);
 573                         if (IEEE80211_QOS_HAS_SEQ(wh) &&
 574                             TID_TO_WME_AC(tid) >= WME_AC_VI)
 575                                 ic->ic_wme.wme_hipri_traffic++;
 576                         rxseq = le16toh(*(uint16_t *)wh->i_seq);
 577                         if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 &&
 578                             (wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
 579                             SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
 580                                 /* duplicate, discard */
 581                                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
 582                                     bssid, "duplicate",
 583                                     "seqno <%u,%u> fragno <%u,%u> tid %u",
 584                                     rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
 585                                     ni->ni_rxseqs[tid] >>
 586                                         IEEE80211_SEQ_SEQ_SHIFT,
 587                                     rxseq & IEEE80211_SEQ_FRAG_MASK,
 588                                     ni->ni_rxseqs[tid] &
 589                                         IEEE80211_SEQ_FRAG_MASK,
 590                                     tid);
 591                                 vap->iv_stats.is_rx_dup++;
 592                                 IEEE80211_NODE_STAT(ni, rx_dup);
 593                                 goto out;
 594                         }
 595                         ni->ni_rxseqs[tid] = rxseq;
 596                 }
 597         }
 598
 599         switch (type) {
 600         case IEEE80211_FC0_TYPE_DATA:
 601                 hdrspace = ieee80211_hdrspace(ic, wh);
 602                 if (m->m_len < hdrspace &&
 603                     (m = m_pullup(m, hdrspace)) == NULL) {
 604                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
 605                             ni->ni_macaddr, NULL,
 606                             "data too short: expecting %u", hdrspace);
 607                         vap->iv_stats.is_rx_tooshort++;
 608                         goto out;               /* XXX */
 609                 }
 610                 /*
 611                  * Handle A-MPDU re-ordering.  If the frame is to be
 612                  * processed directly then ieee80211_ampdu_reorder
 613                  * will return 0; otherwise it has consumed the mbuf
 614                  * and we should do nothing more with it.
 615                  */
 616                 if ((m->m_flags & M_AMPDU) &&
 617                     (dir == IEEE80211_FC1_DIR_FROMDS ||
 618                      dir == IEEE80211_FC1_DIR_DSTODS) &&
 619                     ieee80211_ampdu_reorder(ni, m) != 0) {
 620                         m = NULL;
 621                         goto out;
 622                 }
 623         resubmit_ampdu:
 624                 if (dir == IEEE80211_FC1_DIR_FROMDS) {
 625                         if ((ifp->if_flags & IFF_SIMPLEX) &&
 626                             isfromds_mcastecho(vap, wh)) {
 627                                 /*
 628                                  * In IEEE802.11 network, multicast
 629                                  * packets sent from "me" are broadcast
 630                                  * from the AP; silently discard for
 631                                  * SIMPLEX interface.
 632                                  */
 633                                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
 634                                     wh, "data", "%s", "multicast echo");
 635                                 vap->iv_stats.is_rx_mcastecho++;
 636                                 goto out;
 637                         }
 638                         if ((vap->iv_flags & IEEE80211_F_DWDS) &&
 639                             IEEE80211_IS_MULTICAST(wh->i_addr1)) {
 640                                 /*
 641                                  * DWDS sta's must drop 3-address mcast frames
 642                                  * as they will be sent separately as a 4-addr
 643                                  * frame.  Accepting the 3-addr frame will
 644                                  * confuse the bridge into thinking the sending
 645                                  * sta is located at the end of WDS link.
 646                                  */
 647                                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
 648                                     "3-address data", "%s", "DWDS enabled");
 649                                 vap->iv_stats.is_rx_mcastecho++;
 650                                 goto out;
 651                         }
 652                 } else if (dir == IEEE80211_FC1_DIR_DSTODS) {
 653                         if ((vap->iv_flags & IEEE80211_F_DWDS) == 0) {
 654                                 IEEE80211_DISCARD(vap,
 655                                     IEEE80211_MSG_INPUT, wh, "4-address data",
 656                                     "%s", "DWDS not enabled");
 657                                 vap->iv_stats.is_rx_wrongdir++;
 658                                 goto out;
 659                         }
 660                         if ((ifp->if_flags & IFF_SIMPLEX) &&
 661                             isdstods_mcastecho(vap, wh)) {
 662                                 /*
 663                                  * In IEEE802.11 network, multicast
 664                                  * packets sent from "me" are broadcast
 665                                  * from the AP; silently discard for
 666                                  * SIMPLEX interface.
 667                                  */
 668                                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
 669                                     "4-address data", "%s", "multicast echo");
 670                                 vap->iv_stats.is_rx_mcastecho++;
 671                                 goto out;
 672                         }
 673                 } else {
 674                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
 675                             "data", "incorrect dir 0x%x", dir);
 676                         vap->iv_stats.is_rx_wrongdir++;
 677                         goto out;
 678                 }
 679
 680                 /*
 681                  * Handle privacy requirements.  Note that we
 682                  * must not be preempted from here until after
 683                  * we (potentially) call ieee80211_crypto_demic;
 684                  * otherwise we may violate assumptions in the
 685                  * crypto cipher modules used to do delayed update
 686                  * of replay sequence numbers.
 687                  */
 688                 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
 689                         if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
 690                                 /*
 691                                  * Discard encrypted frames when privacy is off.
 692                                  */
 693                                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
 694                                     wh, "WEP", "%s", "PRIVACY off");
 695                                 vap->iv_stats.is_rx_noprivacy++;
 696                                 IEEE80211_NODE_STAT(ni, rx_noprivacy);
 697                                 goto out;
 698                         }
 699                         key = ieee80211_crypto_decap(ni, m, hdrspace);
 700                         if (key == NULL) {
 701                                 /* NB: stats+msgs handled in crypto_decap */
 702                                 IEEE80211_NODE_STAT(ni, rx_wepfail);
 703                                 goto out;
 704                         }
 705                         wh = mtod(m, struct ieee80211_frame *);
 706                         wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
 707                 } else {
 708                         /* XXX M_WEP and IEEE80211_F_PRIVACY */
 709                         key = NULL;
 710                 }
 711
 712                 /*
 713                  * Save QoS bits for use below--before we strip the header.
 714                  */
 715                 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
 716                         qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
 717                             ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
 718                             ((struct ieee80211_qosframe *)wh)->i_qos[0];
 719                 } else
 720                         qos = 0;
 721
 722                 /*
 723                  * Next up, any fragmentation.
 724                  */
 725                 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
 726                         m = ieee80211_defrag(ni, m, hdrspace);
 727                         if (m == NULL) {
 728                                 /* Fragment dropped or frame not complete yet */
 729                                 goto out;
 730                         }
 731                 }
 732                 wh = NULL;              /* no longer valid, catch any uses */
 733
 734                 /*
 735                  * Next strip any MSDU crypto bits.
 736                  */
 737                 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
 738                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
 739                             ni->ni_macaddr, "data", "%s", "demic error");
 740                         vap->iv_stats.is_rx_demicfail++;
 741                         IEEE80211_NODE_STAT(ni, rx_demicfail);
 742                         goto out;
 743                 }
 744
 745                 /* copy to listener after decrypt */
 746                 if (bpf_peers_present(vap->iv_rawbpf))
 747                         bpf_mtap(vap->iv_rawbpf, m);
 748                 need_tap = 0;
 749
 750                 /*
 751                  * Finally, strip the 802.11 header.
 752                  */
 753                 m = ieee80211_decap(vap, m, hdrspace);
 754                 if (m == NULL) {
 755                         /* XXX mask bit to check for both */
 756                         /* don't count Null data frames as errors */
 757                         if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
 758                             subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
 759                                 goto out;
 760                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
 761                             ni->ni_macaddr, "data", "%s", "decap error");
 762                         vap->iv_stats.is_rx_decap++;
 763                         IEEE80211_NODE_STAT(ni, rx_decap);
 764                         goto err;
 765                 }
 766                 eh = mtod(m, struct ether_header *);
 767                 if (!ieee80211_node_is_authorized(ni)) {
 768                         /*
 769                          * Deny any non-PAE frames received prior to
 770                          * authorization.  For open/shared-key
 771                          * authentication the port is mark authorized
 772                          * after authentication completes.  For 802.1x
 773                          * the port is not marked authorized by the
 774                          * authenticator until the handshake has completed.
 775                          */
 776                         if (eh->ether_type != htons(ETHERTYPE_PAE)) {
 777                                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
 778                                     eh->ether_shost, "data",
 779                                     "unauthorized port: ether type 0x%x len %u",
 780                                     eh->ether_type, m->m_pkthdr.len);
 781                                 vap->iv_stats.is_rx_unauth++;
 782                                 IEEE80211_NODE_STAT(ni, rx_unauth);
 783                                 goto err;
 784                         }
 785                 } else {
 786                         /*
 787                          * When denying unencrypted frames, discard
 788                          * any non-PAE frames received without encryption.
 789                          */
 790                         if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
 791                             (key == NULL && (m->m_flags & M_WEP) == 0) &&
 792                             eh->ether_type != htons(ETHERTYPE_PAE)) {
 793                                 /*
 794                                  * Drop unencrypted frames.
 795                                  */
 796                                 vap->iv_stats.is_rx_unencrypted++;
 797                                 IEEE80211_NODE_STAT(ni, rx_unencrypted);
 798                                 goto out;
 799                         }
 800                 }
 801                 /* XXX require HT? */
 802                 if (qos & IEEE80211_QOS_AMSDU) {
 803                         m = ieee80211_decap_amsdu(ni, m);
 804                         if (m == NULL)
 805                                 return IEEE80211_FC0_TYPE_DATA;
 806                 } else {
 807 #ifdef IEEE80211_SUPPORT_SUPERG
 808                         m = ieee80211_decap_fastframe(vap, ni, m);
 809                         if (m == NULL)
 810                                 return IEEE80211_FC0_TYPE_DATA;
 811 #endif
 812                 }
 813                 ieee80211_deliver_data(vap, ni, m);
 814                 return IEEE80211_FC0_TYPE_DATA;
 815
 816         case IEEE80211_FC0_TYPE_MGT:
 817                 vap->iv_stats.is_rx_mgmt++;
 818                 IEEE80211_NODE_STAT(ni, rx_mgmt);
 819                 if (dir != IEEE80211_FC1_DIR_NODS) {
 820                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
 821                             wh, "data", "incorrect dir 0x%x", dir);
 822                         vap->iv_stats.is_rx_wrongdir++;
 823                         goto err;
 824                 }
 825                 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
 826                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
 827                             ni->ni_macaddr, "mgt", "too short: len %u",
 828                             m->m_pkthdr.len);
 829                         vap->iv_stats.is_rx_tooshort++;
 830                         goto out;
 831                 }
 832 #ifdef IEEE80211_DEBUG
 833                 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
 834                     ieee80211_msg_dumppkts(vap)) {
 835                         if_printf(ifp, "received %s from %s rssi %d\n",
 836                             ieee80211_mgt_subtype_name[subtype >>
 837                                 IEEE80211_FC0_SUBTYPE_SHIFT],
 838                             ether_sprintf(wh->i_addr2), rssi);
 839                 }
 840 #endif
 841                 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
 842                         if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
 843                                 /*
 844                                  * Only shared key auth frames with a challenge
 845                                  * should be encrypted, discard all others.
 846                                  */
 847                                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
 848                                     wh, ieee80211_mgt_subtype_name[subtype >>
 849                                         IEEE80211_FC0_SUBTYPE_SHIFT],
 850                                     "%s", "WEP set but not permitted");
 851                                 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
 852                                 goto out;
 853                         }
 854                         if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
 855                                 /*
 856                                  * Discard encrypted frames when privacy is off.
 857                                  */
 858                                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
 859                                     wh, "mgt", "%s", "WEP set but PRIVACY off");
 860                                 vap->iv_stats.is_rx_noprivacy++;
 861                                 goto out;
 862                         }
 863                         hdrspace = ieee80211_hdrspace(ic, wh);
 864                         key = ieee80211_crypto_decap(ni, m, hdrspace);
 865                         if (key == NULL) {
 866                                 /* NB: stats+msgs handled in crypto_decap */
 867                                 goto out;
 868                         }
 869                         wh = mtod(m, struct ieee80211_frame *);
 870                         wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
 871                 }
 872                 vap->iv_recv_mgmt(ni, m, subtype, rssi, noise, rstamp);
 873                 goto out;
 874
 875         case IEEE80211_FC0_TYPE_CTL:
 876                 vap->iv_stats.is_rx_ctl++;
 877                 IEEE80211_NODE_STAT(ni, rx_ctrl);
 878                 vap->iv_recv_ctl(ni, m, subtype);
 879                 goto out;
 880
 881         default:
 882                 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
 883                     wh, NULL, "bad frame type 0x%x", type);
 884                 /* should not come here */
 885                 break;
 886         }
 887 err:
 888         ifp->if_ierrors++;
 889 out:
 890         if (m != NULL) {
 891                 if (need_tap && bpf_peers_present(vap->iv_rawbpf))
 892                         bpf_mtap(vap->iv_rawbpf, m);
 893                 m_freem(m);
 894         }
 895         return type;
 896 #undef SEQ_LEQ
 897 }
 898
 899 static void
 900 sta_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
 901     int rssi, int noise, uint32_t rstamp, uint16_t seq, uint16_t status)
 902 {
 903         struct ieee80211vap *vap = ni->ni_vap;
 904
 905         if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
 906                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
 907                     ni->ni_macaddr, "open auth",
 908                     "bad sta auth mode %u", ni->ni_authmode);
 909                 vap->iv_stats.is_rx_bad_auth++; /* XXX */
 910                 return;
 911         }
 912         if (vap->iv_state != IEEE80211_S_AUTH ||
 913             seq != IEEE80211_AUTH_OPEN_RESPONSE) {
 914                 vap->iv_stats.is_rx_bad_auth++;
 915                 return;
 916         }
 917         if (status != 0) {
 918                 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
 919                     ni, "open auth failed (reason %d)", status);
 920                 vap->iv_stats.is_rx_auth_fail++;
 921                 vap->iv_stats.is_rx_authfail_code = status;
 922                 ieee80211_new_state(vap, IEEE80211_S_SCAN,
 923                     IEEE80211_SCAN_FAIL_STATUS);
 924         } else
 925                 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
 926 }
 927
 928 static void
 929 sta_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
 930     uint8_t *frm, uint8_t *efrm, int rssi, int noise, uint32_t rstamp,
 931     uint16_t seq, uint16_t status)
 932 {
 933         struct ieee80211vap *vap = ni->ni_vap;
 934         uint8_t *challenge;
 935         int estatus;
 936
 937         /*
 938          * NB: this can happen as we allow pre-shared key
 939          * authentication to be enabled w/o wep being turned
 940          * on so that configuration of these can be done
 941          * in any order.  It may be better to enforce the
 942          * ordering in which case this check would just be
 943          * for sanity/consistency.
 944          */
 945         if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
 946                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
 947                     ni->ni_macaddr, "shared key auth",
 948                     "%s", " PRIVACY is disabled");
 949                 estatus = IEEE80211_STATUS_ALG;
 950                 goto bad;
 951         }
 952         /*
 953          * Pre-shared key authentication is evil; accept
 954          * it only if explicitly configured (it is supported
 955          * mainly for compatibility with clients like OS X).
 956          */
 957         if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
 958             ni->ni_authmode != IEEE80211_AUTH_SHARED) {
 959                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
 960                     ni->ni_macaddr, "shared key auth",
 961                     "bad sta auth mode %u", ni->ni_authmode);
 962                 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
 963                 estatus = IEEE80211_STATUS_ALG;
 964                 goto bad;
 965         }
 966
 967         challenge = NULL;
 968         if (frm + 1 < efrm) {
 969                 if ((frm[1] + 2) > (efrm - frm)) {
 970                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
 971                             ni->ni_macaddr, "shared key auth",
 972                             "ie %d/%d too long",
 973                             frm[0], (frm[1] + 2) - (efrm - frm));
 974                         vap->iv_stats.is_rx_bad_auth++;
 975                         estatus = IEEE80211_STATUS_CHALLENGE;
 976                         goto bad;
 977                 }
 978                 if (*frm == IEEE80211_ELEMID_CHALLENGE)
 979                         challenge = frm;
 980                 frm += frm[1] + 2;
 981         }
 982         switch (seq) {
 983         case IEEE80211_AUTH_SHARED_CHALLENGE:
 984         case IEEE80211_AUTH_SHARED_RESPONSE:
 985                 if (challenge == NULL) {
 986                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
 987                             ni->ni_macaddr, "shared key auth",
 988                             "%s", "no challenge");
 989                         vap->iv_stats.is_rx_bad_auth++;
 990                         estatus = IEEE80211_STATUS_CHALLENGE;
 991                         goto bad;
 992                 }
 993                 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
 994                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
 995                             ni->ni_macaddr, "shared key auth",
 996                             "bad challenge len %d", challenge[1]);
 997                         vap->iv_stats.is_rx_bad_auth++;
 998                         estatus = IEEE80211_STATUS_CHALLENGE;
 999                         goto bad;
1000                 }
1001         default:
1002                 break;
1003         }
1004         if (vap->iv_state != IEEE80211_S_AUTH)
1005                 return;
1006         switch (seq) {
1007         case IEEE80211_AUTH_SHARED_PASS:
1008                 if (ni->ni_challenge != NULL) {
1009                         free(ni->ni_challenge, M_80211_NODE);
1010                         ni->ni_challenge = NULL;
1011                 }
1012                 if (status != 0) {
1013                         IEEE80211_NOTE_FRAME(vap,
1014                             IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, wh,
1015                             "shared key auth failed (reason %d)", status);
1016                         vap->iv_stats.is_rx_auth_fail++;
1017                         vap->iv_stats.is_rx_authfail_code = status;
1018                         return;
1019                 }
1020                 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
1021                 break;
1022         case IEEE80211_AUTH_SHARED_CHALLENGE:
1023                 if (!ieee80211_alloc_challenge(ni))
1024                         return;
1025                 /* XXX could optimize by passing recvd challenge */
1026                 memcpy(ni->ni_challenge, &challenge[2], challenge[1]);
1027                 IEEE80211_SEND_MGMT(ni,
1028                         IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1029                 break;
1030         default:
1031                 IEEE80211_DISCARD(vap, IEEE80211_MSG_AUTH,
1032                     wh, "shared key auth", "bad seq %d", seq);
1033                 vap->iv_stats.is_rx_bad_auth++;
1034                 return;
1035         }
1036         return;
1037 bad:
1038         /*
1039          * Kick the state machine.  This short-circuits
1040          * using the mgt frame timeout to trigger the
1041          * state transition.
1042          */
1043         if (vap->iv_state == IEEE80211_S_AUTH)
1044                 ieee80211_new_state(vap, IEEE80211_S_SCAN,
1045                     IEEE80211_SCAN_FAIL_STATUS);
1046 }
1047
1048 static int
1049 ieee80211_parse_wmeparams(struct ieee80211vap *vap, uint8_t *frm,
1050         const struct ieee80211_frame *wh)
1051 {
1052 #define MS(_v, _f)      (((_v) & _f) >> _f##_S)
1053         struct ieee80211_wme_state *wme = &vap->iv_ic->ic_wme;
1054         u_int len = frm[1], qosinfo;
1055         int i;
1056
1057         if (len < sizeof(struct ieee80211_wme_param)-2) {
1058                 IEEE80211_DISCARD_IE(vap,
1059                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME,
1060                     wh, "WME", "too short, len %u", len);
1061                 return -1;
1062         }
1063         qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)];
1064         qosinfo &= WME_QOSINFO_COUNT;
1065         /* XXX do proper check for wraparound */
1066         if (qosinfo == wme->wme_wmeChanParams.cap_info)
1067                 return 0;
1068         frm += __offsetof(struct ieee80211_wme_param, params_acParams);
1069         for (i = 0; i < WME_NUM_AC; i++) {
1070                 struct wmeParams *wmep =
1071                         &wme->wme_wmeChanParams.cap_wmeParams[i];
1072                 /* NB: ACI not used */
1073                 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM);
1074                 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN);
1075                 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN);
1076                 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX);
1077                 wmep->wmep_txopLimit = LE_READ_2(frm+2);
1078                 frm += 4;
1079         }
1080         wme->wme_wmeChanParams.cap_info = qosinfo;
1081         return 1;
1082 #undef MS
1083 }
1084
1085 /*
1086  * Return non-zero if a background scan may be continued:
1087  * o bg scan is active
1088  * o no channel switch is pending
1089  * o there has not been any traffic recently
1090  *
1091  * Note we do not check if there is an administrative enable;
1092  * this is only done to start the scan.  We assume that any
1093  * change in state will be accompanied by a request to cancel
1094  * active scans which will otherwise cause this test to fail.
1095  */
1096 static __inline int
1097 contbgscan(struct ieee80211vap *vap)
1098 {
1099         struct ieee80211com *ic = vap->iv_ic;
1100
1101         return ((ic->ic_flags_ext & IEEE80211_FEXT_BGSCAN) &&
1102             (ic->ic_flags & IEEE80211_F_CSAPENDING) == 0 &&
1103             vap->iv_state == IEEE80211_S_RUN &&         /* XXX? */
1104             time_after(ticks, ic->ic_lastdata + vap->iv_bgscanidle));
1105 }
1106
1107 /*
1108  * Return non-zero if a backgrond scan may be started:
1109  * o bg scanning is administratively enabled
1110  * o no channel switch is pending
1111  * o we are not boosted on a dynamic turbo channel
1112  * o there has not been a scan recently
1113  * o there has not been any traffic recently
1114  */
1115 static __inline int
1116 startbgscan(struct ieee80211vap *vap)
1117 {
1118         struct ieee80211com *ic = vap->iv_ic;
1119
1120         return ((vap->iv_flags & IEEE80211_F_BGSCAN) &&
1121             (ic->ic_flags & IEEE80211_F_CSAPENDING) == 0 &&
1122 #ifdef IEEE80211_SUPPORT_SUPERG
1123             !IEEE80211_IS_CHAN_DTURBO(ic->ic_curchan) &&
1124 #endif
1125             time_after(ticks, ic->ic_lastscan + vap->iv_bgscanintvl) &&
1126             time_after(ticks, ic->ic_lastdata + vap->iv_bgscanidle));
1127 }
1128
1129 static void
1130 sta_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1131         int subtype, int rssi, int noise, uint32_t rstamp)
1132 {
1133 #define ISPROBE(_st)    ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP)
1134 #define ISREASSOC(_st)  ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP)
1135         struct ieee80211vap *vap = ni->ni_vap;
1136         struct ieee80211com *ic = ni->ni_ic;
1137         struct ieee80211_frame *wh;
1138         uint8_t *frm, *efrm;
1139         uint8_t *rates, *xrates, *wme, *htcap, *htinfo;
1140         uint8_t rate;
1141
1142         wh = mtod(m0, struct ieee80211_frame *);
1143         frm = (uint8_t *)&wh[1];
1144         efrm = mtod(m0, uint8_t *) + m0->m_len;
1145         switch (subtype) {
1146         case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1147         case IEEE80211_FC0_SUBTYPE_BEACON: {
1148                 struct ieee80211_scanparams scan;
1149                 /*
1150                  * We process beacon/probe response frames:
1151                  *    o when scanning, or
1152                  *    o station mode when associated (to collect state
1153                  *      updates such as 802.11g slot time)
1154                  * Frames otherwise received are discarded.
1155                  */
1156                 if (!((ic->ic_flags & IEEE80211_F_SCAN) || ni->ni_associd)) {
1157                         vap->iv_stats.is_rx_mgtdiscard++;
1158                         return;
1159                 }
1160                 /* XXX probe response in sta mode when !scanning? */
1161                 if (ieee80211_parse_beacon(ni, m0, &scan) != 0)
1162                         return;
1163                 /*
1164                  * Count frame now that we know it's to be processed.
1165                  */
1166                 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1167                         vap->iv_stats.is_rx_beacon++;           /* XXX remove */
1168                         IEEE80211_NODE_STAT(ni, rx_beacons);
1169                 } else
1170                         IEEE80211_NODE_STAT(ni, rx_proberesp);
1171                 /*
1172                  * When operating in station mode, check for state updates.
1173                  * Be careful to ignore beacons received while doing a
1174                  * background scan.  We consider only 11g/WMM stuff right now.
1175                  */
1176                 if (ni->ni_associd != 0 &&
1177                     ((ic->ic_flags & IEEE80211_F_SCAN) == 0 ||
1178                      IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) {
1179                         /* record tsf of last beacon */
1180                         memcpy(ni->ni_tstamp.data, scan.tstamp,
1181                                 sizeof(ni->ni_tstamp));
1182                         /* count beacon frame for s/w bmiss handling */
1183                         vap->iv_swbmiss_count++;
1184                         vap->iv_bmiss_count = 0;
1185                         if (ni->ni_erp != scan.erp) {
1186                                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1187                                     wh->i_addr2,
1188                                     "erp change: was 0x%x, now 0x%x",
1189                                     ni->ni_erp, scan.erp);
1190                                 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1191                                     (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
1192                                         ic->ic_flags |= IEEE80211_F_USEPROT;
1193                                 else
1194                                         ic->ic_flags &= ~IEEE80211_F_USEPROT;
1195                                 ni->ni_erp = scan.erp;
1196                                 /* XXX statistic */
1197                                 /* XXX driver notification */
1198                         }
1199                         if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) {
1200                                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1201                                     wh->i_addr2,
1202                                     "capabilities change: was 0x%x, now 0x%x",
1203                                     ni->ni_capinfo, scan.capinfo);
1204                                 /*
1205                                  * NB: we assume short preamble doesn't
1206                                  *     change dynamically
1207                                  */
1208                                 ieee80211_set_shortslottime(ic,
1209                                         IEEE80211_IS_CHAN_A(ic->ic_bsschan) ||
1210                                         (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
1211                                 ni->ni_capinfo = (ni->ni_capinfo &~ IEEE80211_CAPINFO_SHORT_SLOTTIME)
1212                                                | (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME);
1213                                 /* XXX statistic */
1214                         }
1215                         if (scan.wme != NULL &&
1216                             (ni->ni_flags & IEEE80211_NODE_QOS) &&
1217                             ieee80211_parse_wmeparams(vap, scan.wme, wh) > 0)
1218                                 ieee80211_wme_updateparams(vap);
1219 #ifdef IEEE80211_SUPPORT_SUPERG
1220                         if (scan.ath != NULL)
1221                                 ieee80211_parse_athparams(ni, scan.ath, wh);
1222 #endif
1223                         if (scan.htcap != NULL && scan.htinfo != NULL &&
1224                             (vap->iv_flags_ext & IEEE80211_FEXT_HT)) {
1225                                 ieee80211_ht_updateparams(ni,
1226                                     scan.htcap, scan.htinfo);
1227                                 /* XXX state changes? */
1228                         }
1229                         if (scan.tim != NULL) {
1230                                 struct ieee80211_tim_ie *tim =
1231                                     (struct ieee80211_tim_ie *) scan.tim;
1232 #if 0
1233                                 int aid = IEEE80211_AID(ni->ni_associd);
1234                                 int ix = aid / NBBY;
1235                                 int min = tim->tim_bitctl &~ 1;
1236                                 int max = tim->tim_len + min - 4;
1237                                 if ((tim->tim_bitctl&1) ||
1238                                     (min <= ix && ix <= max &&
1239                                      isset(tim->tim_bitmap - min, aid))) {
1240                                         /*
1241                                          * XXX Do not let bg scan kick off
1242                                          * we are expecting data.
1243                                          */
1244                                         ic->ic_lastdata = ticks;
1245                                         ieee80211_sta_pwrsave(vap, 0);
1246                                 }
1247 #endif
1248                                 ni->ni_dtim_count = tim->tim_count;
1249                                 ni->ni_dtim_period = tim->tim_period;
1250                         }
1251                         /*
1252                          * If scanning, pass the info to the scan module.
1253                          * Otherwise, check if it's the right time to do
1254                          * a background scan.  Background scanning must
1255                          * be enabled and we must not be operating in the
1256                          * turbo phase of dynamic turbo mode.  Then,
1257                          * it's been a while since the last background
1258                          * scan and if no data frames have come through
1259                          * recently, kick off a scan.  Note that this
1260                          * is the mechanism by which a background scan
1261                          * is started _and_ continued each time we
1262                          * return on-channel to receive a beacon from
1263                          * our ap.
1264                          */
1265                         if (ic->ic_flags & IEEE80211_F_SCAN) {
1266                                 ieee80211_add_scan(vap, &scan, wh,
1267                                         subtype, rssi, noise, rstamp);
1268                         } else if (contbgscan(vap)) {
1269                                 ieee80211_bg_scan(vap, 0);
1270                         } else if (startbgscan(vap)) {
1271                                 vap->iv_stats.is_scan_bg++;
1272 #if 0
1273                                 /* wakeup if we are sleeing */
1274                                 ieee80211_set_pwrsave(vap, 0);
1275 #endif
1276                                 ieee80211_bg_scan(vap, 0);
1277                         }
1278                         return;
1279                 }
1280                 /*
1281                  * If scanning, just pass information to the scan module.
1282                  */
1283                 if (ic->ic_flags & IEEE80211_F_SCAN) {
1284                         if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) {
1285                                 /*
1286                                  * Actively scanning a channel marked passive;
1287                                  * send a probe request now that we know there
1288                                  * is 802.11 traffic present.
1289                                  *
1290                                  * XXX check if the beacon we recv'd gives
1291                                  * us what we need and suppress the probe req
1292                                  */
1293                                 ieee80211_probe_curchan(vap, 1);
1294                                 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1295                         }
1296                         ieee80211_add_scan(vap, &scan, wh,
1297                                 subtype, rssi, noise, rstamp);
1298                         return;
1299                 }
1300                 break;
1301         }
1302
1303         case IEEE80211_FC0_SUBTYPE_AUTH: {
1304                 uint16_t algo, seq, status;
1305                 /*
1306                  * auth frame format
1307                  *      [2] algorithm
1308                  *      [2] sequence
1309                  *      [2] status
1310                  *      [tlv*] challenge
1311                  */
1312                 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1313                 algo   = le16toh(*(uint16_t *)frm);
1314                 seq    = le16toh(*(uint16_t *)(frm + 2));
1315                 status = le16toh(*(uint16_t *)(frm + 4));
1316                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1317                     "recv auth frame with algorithm %d seq %d", algo, seq);
1318
1319                 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1320                         IEEE80211_DISCARD(vap,
1321                             IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1322                             wh, "auth", "%s", "TKIP countermeasures enabled");
1323                         vap->iv_stats.is_rx_auth_countermeasures++;
1324                         if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
1325                                 ieee80211_send_error(ni, wh->i_addr2,
1326                                         IEEE80211_FC0_SUBTYPE_AUTH,
1327                                         IEEE80211_REASON_MIC_FAILURE);
1328                         }
1329                         return;
1330                 }
1331                 if (algo == IEEE80211_AUTH_ALG_SHARED)
1332                         sta_auth_shared(ni, wh, frm + 6, efrm, rssi,
1333                             noise, rstamp, seq, status);
1334                 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1335                         sta_auth_open(ni, wh, rssi, noise, rstamp,
1336                             seq, status);
1337                 else {
1338                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1339                             wh, "auth", "unsupported alg %d", algo);
1340                         vap->iv_stats.is_rx_auth_unsupported++;
1341                         return;
1342                 }
1343                 break;
1344         }
1345
1346         case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
1347         case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: {
1348                 uint16_t capinfo, associd;
1349                 uint16_t status;
1350
1351                 if (vap->iv_state != IEEE80211_S_ASSOC) {
1352                         vap->iv_stats.is_rx_mgtdiscard++;
1353                         return;
1354                 }
1355
1356                 /*
1357                  * asresp frame format
1358                  *      [2] capability information
1359                  *      [2] status
1360                  *      [2] association ID
1361                  *      [tlv] supported rates
1362                  *      [tlv] extended supported rates
1363                  *      [tlv] WME
1364                  *      [tlv] HT capabilities
1365                  *      [tlv] HT info
1366                  */
1367                 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1368                 ni = vap->iv_bss;
1369                 capinfo = le16toh(*(uint16_t *)frm);
1370                 frm += 2;
1371                 status = le16toh(*(uint16_t *)frm);
1372                 frm += 2;
1373                 if (status != 0) {
1374                         IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1375                             wh->i_addr2, "%sassoc failed (reason %d)",
1376                             ISREASSOC(subtype) ?  "re" : "", status);
1377                         vap->iv_stats.is_rx_auth_fail++;        /* XXX */
1378                         return;
1379                 }
1380                 associd = le16toh(*(uint16_t *)frm);
1381                 frm += 2;
1382
1383                 rates = xrates = wme = htcap = htinfo = NULL;
1384                 while (efrm - frm > 1) {
1385                         IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1386                         switch (*frm) {
1387                         case IEEE80211_ELEMID_RATES:
1388                                 rates = frm;
1389                                 break;
1390                         case IEEE80211_ELEMID_XRATES:
1391                                 xrates = frm;
1392                                 break;
1393                         case IEEE80211_ELEMID_HTCAP:
1394                                 htcap = frm;
1395                                 break;
1396                         case IEEE80211_ELEMID_HTINFO:
1397                                 htinfo = frm;
1398                                 break;
1399                         case IEEE80211_ELEMID_VENDOR:
1400                                 if (iswmeoui(frm))
1401                                         wme = frm;
1402                                 else if (vap->iv_flags_ext & IEEE80211_FEXT_HTCOMPAT) {
1403                                         /*
1404                                          * Accept pre-draft HT ie's if the
1405                                          * standard ones have not been seen.
1406                                          */
1407                                         if (ishtcapoui(frm)) {
1408                                                 if (htcap == NULL)
1409                                                         htcap = frm;
1410                                         } else if (ishtinfooui(frm)) {
1411                                                 if (htinfo == NULL)
1412                                                         htcap = frm;
1413                                         }
1414                                 }
1415                                 /* XXX Atheros OUI support */
1416                                 break;
1417                         }
1418                         frm += frm[1] + 2;
1419                 }
1420
1421                 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1422                 if (xrates != NULL)
1423                         IEEE80211_VERIFY_ELEMENT(xrates,
1424                                 IEEE80211_RATE_MAXSIZE - rates[1], return);
1425                 rate = ieee80211_setup_rates(ni, rates, xrates,
1426                                 IEEE80211_F_JOIN |
1427                                 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
1428                                 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
1429                 if (rate & IEEE80211_RATE_BASIC) {
1430                         IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1431                             wh->i_addr2,
1432                             "%sassoc failed (rate set mismatch)",
1433                             ISREASSOC(subtype) ?  "re" : "");
1434                         vap->iv_stats.is_rx_assoc_norate++;
1435                         ieee80211_new_state(vap, IEEE80211_S_SCAN,
1436                             IEEE80211_SCAN_FAIL_STATUS);
1437                         return;
1438                 }
1439
1440                 ni->ni_capinfo = capinfo;
1441                 ni->ni_associd = associd;
1442                 if (ni->ni_jointime == 0)
1443                         ni->ni_jointime = time_uptime;
1444                 if (wme != NULL &&
1445                     ieee80211_parse_wmeparams(vap, wme, wh) >= 0) {
1446                         ni->ni_flags |= IEEE80211_NODE_QOS;
1447                         ieee80211_wme_updateparams(vap);
1448                 } else
1449                         ni->ni_flags &= ~IEEE80211_NODE_QOS;
1450                 /*
1451                  * Setup HT state according to the negotiation.
1452                  *
1453                  * NB: shouldn't need to check if HT use is enabled but some
1454                  *     ap's send back HT ie's even when we don't indicate we
1455                  *     are HT capable in our AssocReq.
1456                  */
1457                 if (htcap != NULL && htinfo != NULL &&
1458                     (vap->iv_flags_ext & IEEE80211_FEXT_HT)) {
1459                         ieee80211_ht_node_init(ni);
1460                         ieee80211_ht_updateparams(ni, htcap, htinfo);
1461                         ieee80211_setup_htrates(ni, htcap,
1462                              IEEE80211_F_JOIN | IEEE80211_F_DOBRS);
1463                         ieee80211_setup_basic_htrates(ni, htinfo);
1464                 } else {
1465 #ifdef IEEE80211_SUPPORT_SUPERG
1466                         if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_ATH))
1467                                 ieee80211_ff_node_init(ni);
1468 #endif
1469                 }
1470                 /*
1471                  * Configure state now that we are associated.
1472                  *
1473                  * XXX may need different/additional driver callbacks?
1474                  */
1475                 if (IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
1476                     (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) {
1477                         ic->ic_flags |= IEEE80211_F_SHPREAMBLE;
1478                         ic->ic_flags &= ~IEEE80211_F_USEBARKER;
1479                 } else {
1480                         ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE;
1481                         ic->ic_flags |= IEEE80211_F_USEBARKER;
1482                 }
1483                 ieee80211_set_shortslottime(ic,
1484                         IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
1485                         (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
1486                 /*
1487                  * Honor ERP protection.
1488                  *
1489                  * NB: ni_erp should zero for non-11g operation.
1490                  */
1491                 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1492                     (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
1493                         ic->ic_flags |= IEEE80211_F_USEPROT;
1494                 else
1495                         ic->ic_flags &= ~IEEE80211_F_USEPROT;
1496                 IEEE80211_NOTE_MAC(vap,
1497                     IEEE80211_MSG_ASSOC | IEEE80211_MSG_DEBUG, wh->i_addr2,
1498                     "%sassoc success at aid %d: %s preamble, %s slot time%s%s%s%s%s%s%s%s",
1499                     ISREASSOC(subtype) ? "re" : "",
1500                     IEEE80211_NODE_AID(ni),
1501                     ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long",
1502                     ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long",
1503                     ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "",
1504                     ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "",
1505                     ni->ni_flags & IEEE80211_NODE_HT ?
1506                         (ni->ni_chw == 40 ? ", HT40" : ", HT20") : "",
1507                     ni->ni_flags & IEEE80211_NODE_AMPDU ? " (+AMPDU)" : "",
1508                     ni->ni_flags & IEEE80211_NODE_MIMO_RTS ? " (+SMPS-DYN)" :
1509                         ni->ni_flags & IEEE80211_NODE_MIMO_PS ? " (+SMPS)" : "",
1510                     ni->ni_flags & IEEE80211_NODE_RIFS ? " (+RIFS)" : "",
1511                     IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF) ?
1512                         ", fast-frames" : "",
1513                     IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_TURBOP) ?
1514                         ", turbo" : ""
1515                 );
1516                 ieee80211_new_state(vap, IEEE80211_S_RUN, subtype);
1517                 break;
1518         }
1519
1520         case IEEE80211_FC0_SUBTYPE_DEAUTH: {
1521                 uint16_t reason;
1522
1523                 if (vap->iv_state == IEEE80211_S_SCAN) {
1524                         vap->iv_stats.is_rx_mgtdiscard++;
1525                         return;
1526                 }
1527                 if (!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
1528                         /* NB: can happen when in promiscuous mode */
1529                         vap->iv_stats.is_rx_mgtdiscard++;
1530                         break;
1531                 }
1532
1533                 /*
1534                  * deauth frame format
1535                  *      [2] reason
1536                  */
1537                 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
1538                 reason = le16toh(*(uint16_t *)frm);
1539
1540                 vap->iv_stats.is_rx_deauth++;
1541                 vap->iv_stats.is_rx_deauth_code = reason;
1542                 IEEE80211_NODE_STAT(ni, rx_deauth);
1543
1544                 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
1545                     "recv deauthenticate (reason %d)", reason);
1546                 ieee80211_new_state(vap, IEEE80211_S_AUTH,
1547                     (reason << 8) | IEEE80211_FC0_SUBTYPE_DEAUTH);
1548                 break;
1549         }
1550
1551         case IEEE80211_FC0_SUBTYPE_DISASSOC: {
1552                 uint16_t reason;
1553
1554                 if (vap->iv_state != IEEE80211_S_RUN &&
1555                     vap->iv_state != IEEE80211_S_ASSOC &&
1556                     vap->iv_state != IEEE80211_S_AUTH) {
1557                         vap->iv_stats.is_rx_mgtdiscard++;
1558                         return;
1559                 }
1560                 if (!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
1561                         /* NB: can happen when in promiscuous mode */
1562                         vap->iv_stats.is_rx_mgtdiscard++;
1563                         break;
1564                 }
1565
1566                 /*
1567                  * disassoc frame format
1568                  *      [2] reason
1569                  */
1570                 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
1571                 reason = le16toh(*(uint16_t *)frm);
1572
1573                 vap->iv_stats.is_rx_disassoc++;
1574                 vap->iv_stats.is_rx_disassoc_code = reason;
1575                 IEEE80211_NODE_STAT(ni, rx_disassoc);
1576
1577                 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1578                     "recv disassociate (reason %d)", reason);
1579                 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
1580                 break;
1581         }
1582
1583         case IEEE80211_FC0_SUBTYPE_ACTION:
1584                 if (vap->iv_state == IEEE80211_S_RUN) {
1585                         if (ieee80211_parse_action(ni, m0) == 0)
1586                                 ic->ic_recv_action(ni, frm, efrm);
1587                 } else
1588                         vap->iv_stats.is_rx_mgtdiscard++;
1589                 break;
1590
1591         case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1592         case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1593         case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
1594                 vap->iv_stats.is_rx_mgtdiscard++;
1595                 return;
1596         default:
1597                 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1598                      wh, "mgt", "subtype 0x%x not handled", subtype);
1599                 vap->iv_stats.is_rx_badsubtype++;
1600                 break;
1601         }
1602 #undef ISREASSOC
1603 #undef ISPROBE
1604 }
1605
1606 static void
1607 sta_recv_ctl(struct ieee80211_node *ni, struct mbuf *m0, int subtype)
1608 {
1609 }