2 * Copyright (c) 2001 Atsushi Onoe
3 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. The name of the author may not be used to endorse or promote products
15 * derived from this software without specific prior written permission.
17 * Alternatively, this software may be distributed under the terms of the
18 * GNU General Public License ("GPL") version 2 as published by the Free
19 * Software Foundation.
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32 * $FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.21 2004/06/13 17:29:09 mlaier Exp $
33 * $DragonFly: src/sys/netproto/802_11/wlan/ieee80211_input.c,v 1.1 2004/07/26 16:30:17 joerg Exp $
38 #include <sys/param.h>
39 #include <sys/systm.h>
41 #include <sys/malloc.h>
42 #include <sys/kernel.h>
43 #include <sys/socket.h>
44 #include <sys/sockio.h>
45 #include <sys/endian.h>
46 #include <sys/errno.h>
49 #include <sys/sysctl.h>
51 #include <machine/atomic.h>
54 #include <net/if_dl.h>
55 #include <net/if_media.h>
56 #include <net/if_arp.h>
57 #include <net/ethernet.h>
58 #include <net/if_llc.h>
60 #include <netproto/802_11/ieee80211_var.h>
65 #include <netinet/in.h>
66 #include <netinet/if_ether.h>
70 * Process a received frame. The node associated with the sender
71 * should be supplied. If nothing was found in the node table then
72 * the caller is assumed to supply a reference to ic_bss instead.
73 * The RSSI and a timestamp are also supplied. The RSSI data is used
74 * during AP scanning to select a AP to associate with; it can have
75 * any units so long as values have consistent units and higher values
76 * mean ``better signal''. The receive timestamp is currently not used
77 * by the 802.11 layer.
80 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni,
81 int rssi, uint32_t rstamp)
83 struct ieee80211com *ic = (void *)ifp;
84 struct ieee80211_frame *wh;
85 struct ether_header *eh;
88 uint8_t dir, type, subtype;
92 KASSERT(ni != NULL, ("null node"));
95 /* trim CRC here so WEP can find its own CRC at the end of packet. */
96 if (m->m_flags & M_HASFCS) {
97 m_adj(m, -IEEE80211_CRC_LEN);
98 m->m_flags &= ~M_HASFCS;
101 KASSERT(m->m_pkthdr.len >= sizeof(struct ieee80211_frame_min),
102 ("frame length too short: %u", m->m_pkthdr.len));
105 * In monitor mode, send everything directly to bpf.
106 * XXX may want to include the CRC
108 if (ic->ic_opmode == IEEE80211_M_MONITOR)
111 wh = mtod(m, struct ieee80211_frame *);
112 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
113 IEEE80211_FC0_VERSION_0) {
114 if (ifp->if_flags & IFF_DEBUG)
115 if_printf(ifp, "receive packet with wrong version: %x\n",
117 ic->ic_stats.is_rx_badversion++;
121 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
122 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
124 * NB: We are not yet prepared to handle control frames,
125 * but permitting drivers to send them to us allows
126 * them to go through bpf tapping at the 802.11 layer.
128 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
130 IEEE80211_DPRINTF2(("%s: frame too short, len %u\n",
131 __func__, m->m_pkthdr.len));
132 ic->ic_stats.is_rx_tooshort++;
135 if (ic->ic_state != IEEE80211_S_SCAN) {
136 switch (ic->ic_opmode) {
137 case IEEE80211_M_STA:
138 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) {
139 /* not interested in */
140 IEEE80211_DPRINTF2(("%s: discard frame from "
141 "bss %6D\n", __func__,
143 ic->ic_stats.is_rx_wrongbss++;
147 case IEEE80211_M_IBSS:
148 case IEEE80211_M_AHDEMO:
149 case IEEE80211_M_HOSTAP:
150 if (dir == IEEE80211_FC1_DIR_NODS)
154 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) &&
155 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
156 /* not interested in */
157 IEEE80211_DPRINTF2(("%s: discard frame from "
158 "bss %6D\n", __func__,
160 ic->ic_stats.is_rx_wrongbss++;
164 case IEEE80211_M_MONITOR:
167 /* XXX catch bad values */
171 ni->ni_rstamp = rstamp;
172 rxseq = ni->ni_rxseq;
174 le16toh(*(uint16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT;
176 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
177 rxseq == ni->ni_rxseq) {
178 /* duplicate, silently discarded */
179 ic->ic_stats.is_rx_dup++; /* XXX per-station stat */
186 case IEEE80211_FC0_TYPE_DATA:
187 switch (ic->ic_opmode) {
188 case IEEE80211_M_STA:
189 if (dir != IEEE80211_FC1_DIR_FROMDS) {
190 ic->ic_stats.is_rx_wrongdir++;
193 if ((ifp->if_flags & IFF_SIMPLEX) &&
194 IEEE80211_IS_MULTICAST(wh->i_addr1) &&
195 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) {
197 * In IEEE802.11 network, multicast packet
198 * sent from me is broadcasted from AP.
199 * It should be silently discarded for
202 ic->ic_stats.is_rx_mcastecho++;
206 case IEEE80211_M_IBSS:
207 case IEEE80211_M_AHDEMO:
208 if (dir != IEEE80211_FC1_DIR_NODS) {
209 ic->ic_stats.is_rx_wrongdir++;
213 case IEEE80211_M_HOSTAP:
214 if (dir != IEEE80211_FC1_DIR_TODS) {
215 ic->ic_stats.is_rx_wrongdir++;
218 /* check if source STA is associated */
219 if (ni == ic->ic_bss) {
220 IEEE80211_DPRINTF(("%s: data from unknown src "
223 /* NB: caller deals with reference */
224 ni = ieee80211_dup_bss(ic, wh->i_addr2);
226 IEEE80211_SEND_MGMT(ic, ni,
227 IEEE80211_FC0_SUBTYPE_DEAUTH,
228 IEEE80211_REASON_NOT_AUTHED);
229 ieee80211_free_node(ic, ni);
231 ic->ic_stats.is_rx_notassoc++;
234 if (ni->ni_associd == 0) {
235 IEEE80211_DPRINTF(("ieee80211_input: "
236 "data from unassoc src %6D\n",
238 IEEE80211_SEND_MGMT(ic, ni,
239 IEEE80211_FC0_SUBTYPE_DISASSOC,
240 IEEE80211_REASON_NOT_ASSOCED);
241 ieee80211_unref_node(&ni);
242 ic->ic_stats.is_rx_notassoc++;
246 case IEEE80211_M_MONITOR:
249 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
250 if (ic->ic_flags & IEEE80211_F_WEPON) {
251 m = ieee80211_wep_crypt(ifp, m, 0);
253 ic->ic_stats.is_rx_wepfail++;
256 wh = mtod(m, struct ieee80211_frame *);
258 ic->ic_stats.is_rx_nowep++;
262 /* copy to listener after decrypt */
263 #ifdef IEEE80211_RAWBPF
265 bpf_mtap(ic->ic_rawbpf, m);
267 m = ieee80211_decap(ifp, m);
269 ic->ic_stats.is_rx_decap++;
274 /* perform as a bridge within the AP */
276 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
277 eh = mtod(m, struct ether_header *);
278 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
279 m1 = m_copypacket(m, MB_DONTWAIT);
283 m1->m_flags |= M_MCAST;
285 ni = ieee80211_find_node(ic, eh->ether_dhost);
287 if (ni->ni_associd != 0) {
291 ieee80211_free_node(ic, ni);
295 len = m1->m_pkthdr.len;
296 IF_ENQUEUE(&ifp->if_snd, m1);
299 ifp->if_obytes += len;
303 (*ifp->if_input)(ifp, m);
306 case IEEE80211_FC0_TYPE_MGT:
307 if (dir != IEEE80211_FC1_DIR_NODS) {
308 ic->ic_stats.is_rx_wrongdir++;
311 if (ic->ic_opmode == IEEE80211_M_AHDEMO) {
312 ic->ic_stats.is_rx_ahdemo_mgt++;
315 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
317 /* drop frames without interest */
318 if (ic->ic_state == IEEE80211_S_SCAN) {
319 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON &&
320 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) {
321 ic->ic_stats.is_rx_mgtdiscard++;
325 if (ic->ic_opmode != IEEE80211_M_IBSS &&
326 subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
327 ic->ic_stats.is_rx_mgtdiscard++;
332 if (ifp->if_flags & IFF_DEBUG) {
333 /* avoid to print too many frames */
337 case IEEE80211_FC0_SUBTYPE_BEACON:
338 if (ic->ic_state == IEEE80211_S_SCAN)
341 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
342 if (ic->ic_opmode == IEEE80211_M_IBSS)
349 #ifdef IEEE80211_DEBUG
350 doprint += ieee80211_debug;
353 if_printf(ifp, "received %s from %6D rssi %d\n",
354 ieee80211_mgt_subtype_name[subtype
355 >> IEEE80211_FC0_SUBTYPE_SHIFT],
356 wh->i_addr2, ":", rssi);
358 #ifdef IEEE80211_RAWBPF
360 bpf_mtap(ic->ic_rawbpf, m);
362 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp);
366 case IEEE80211_FC0_TYPE_CTL:
367 ic->ic_stats.is_rx_ctl++;
370 IEEE80211_DPRINTF(("%s: bad type %x\n", __func__, type));
371 /* should not come here */
378 #ifdef IEEE80211_RAWBPF
380 bpf_mtap(ic->ic_rawbpf, m);
387 ieee80211_decap(struct ifnet *ifp, struct mbuf *m)
389 struct ether_header *eh;
390 struct ieee80211_frame wh;
393 if (m->m_len < sizeof(wh) + sizeof(*llc)) {
394 m = m_pullup(m, sizeof(wh) + sizeof(*llc));
398 memcpy(&wh, mtod(m, caddr_t), sizeof(wh));
399 llc = (struct llc *)(mtod(m, caddr_t) + sizeof(wh));
400 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP &&
401 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 &&
402 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) {
403 m_adj(m, sizeof(wh) + sizeof(struct llc) - sizeof(*eh));
406 m_adj(m, sizeof(wh) - sizeof(*eh));
408 eh = mtod(m, struct ether_header *);
409 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) {
410 case IEEE80211_FC1_DIR_NODS:
411 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1);
412 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2);
414 case IEEE80211_FC1_DIR_TODS:
415 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3);
416 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2);
418 case IEEE80211_FC1_DIR_FROMDS:
419 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1);
420 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3);
422 case IEEE80211_FC1_DIR_DSTODS:
423 /* not yet supported */
424 IEEE80211_DPRINTF(("%s: DS to DS\n", __func__));
428 #ifdef ALIGNED_POINTER
429 if (!ALIGNED_POINTER(mtod(m, caddr_t) + sizeof(*eh), uint32_t)) {
430 struct mbuf *n, *n0, **np;
437 pktlen = m->m_pkthdr.len;
438 while (pktlen > off) {
440 MGETHDR(n, MB_DONTWAIT, MT_DATA);
448 MGET(n, MB_DONTWAIT, MT_DATA);
456 if (pktlen - off >= MINCLSIZE) {
457 MCLGET(n, MB_DONTWAIT);
458 if (n->m_flags & M_EXT)
459 n->m_len = n->m_ext.ext_size;
463 (caddr_t)ALIGN(n->m_data + sizeof(*eh)) -
465 n->m_len -= newdata - n->m_data;
468 if (n->m_len > pktlen - off)
469 n->m_len = pktlen - off;
470 m_copydata(m, off, n->m_len, mtod(n, caddr_t));
478 #endif /* ALIGNED_POINTER */
480 eh = mtod(m, struct ether_header *);
481 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh));
487 * Install received rate set information in the node's state block.
490 ieee80211_setup_rates(struct ieee80211com *ic, struct ieee80211_node *ni,
491 uint8_t *rates, uint8_t *xrates, int flags)
493 struct ieee80211_rateset *rs = &ni->ni_rates;
495 memset(rs, 0, sizeof(*rs));
496 rs->rs_nrates = rates[1];
497 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates);
498 if (xrates != NULL) {
501 * Tack on 11g extended supported rate element.
504 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) {
505 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates;
506 IEEE80211_DPRINTF(("%s: extended rate set too large;"
507 " only using %u of %u rates\n",
508 __func__, nxrates, xrates[1]));
509 ic->ic_stats.is_rx_rstoobig++;
511 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates);
512 rs->rs_nrates += nxrates;
514 return ieee80211_fix_rate(ic, ni, flags);
517 /* Verify the existence and length of __elem or get out. */
518 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \
519 if ((__elem) == NULL) { \
520 IEEE80211_DPRINTF(("%s: no " #__elem "in %s frame\n", \
521 __func__, ieee80211_mgt_subtype_name[subtype >> \
522 IEEE80211_FC0_SUBTYPE_SHIFT])); \
523 ic->ic_stats.is_rx_elem_missing++; \
526 if ((__elem)[1] > (__maxlen)) { \
527 IEEE80211_DPRINTF(("%s: bad " #__elem " len %d in %s " \
528 "frame from %6D\n", __func__, (__elem)[1], \
529 ieee80211_mgt_subtype_name[subtype >> \
530 IEEE80211_FC0_SUBTYPE_SHIFT], \
531 wh->i_addr2, ":")); \
532 ic->ic_stats.is_rx_elem_toobig++; \
537 #define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \
538 if ((_len) < (_minlen)) { \
539 IEEE80211_DPRINTF(("%s: %s frame too short from %6D\n", \
541 ieee80211_mgt_subtype_name[subtype >> \
542 IEEE80211_FC0_SUBTYPE_SHIFT], \
543 wh->i_addr2, ":")); \
544 ic->ic_stats.is_rx_elem_toosmall++; \
550 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
551 struct ieee80211_node *ni,
552 int subtype, int rssi, uint32_t rstamp)
554 struct ifnet *ifp = &ic->ic_if;
555 struct ieee80211_frame *wh;
557 uint8_t *ssid, *rates, *xrates;
558 int reassoc, resp, newassoc, allocbs;
560 wh = mtod(m0, struct ieee80211_frame *);
561 frm = (uint8_t *)&wh[1];
562 efrm = mtod(m0, uint8_t *) + m0->m_len;
564 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
565 case IEEE80211_FC0_SUBTYPE_BEACON: {
566 uint8_t *tstamp, *bintval, *capinfo, *country;
567 uint8_t chan, bchan, fhindex, erp;
571 if (ic->ic_opmode != IEEE80211_M_IBSS &&
572 ic->ic_state != IEEE80211_S_SCAN) {
573 /* XXX: may be useful for background scan */
576 isprobe = (subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP);
579 * beacon/probe response frame format
581 * [2] beacon interval
582 * [2] capability information
584 * [tlv] supported rates
585 * [tlv] country information
586 * [tlv] parameter set (FH/DS)
587 * [tlv] erp information
588 * [tlv] extended supported rates
590 IEEE80211_VERIFY_LENGTH(efrm - frm, 12);
591 tstamp = frm; frm += 8;
592 bintval = frm; frm += 2;
593 capinfo = frm; frm += 2;
594 ssid = rates = xrates = country = NULL;
595 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan);
602 case IEEE80211_ELEMID_SSID:
605 case IEEE80211_ELEMID_RATES:
608 case IEEE80211_ELEMID_COUNTRY:
611 case IEEE80211_ELEMID_FHPARMS:
612 if (ic->ic_phytype == IEEE80211_T_FH) {
613 fhdwell = (frm[3] << 8) | frm[2];
614 chan = IEEE80211_FH_CHAN(frm[4], frm[5]);
618 case IEEE80211_ELEMID_DSPARMS:
620 * XXX hack this since depending on phytype
621 * is problematic for multi-mode devices.
623 if (ic->ic_phytype != IEEE80211_T_FH)
626 case IEEE80211_ELEMID_TIM:
628 case IEEE80211_ELEMID_IBSSPARMS:
630 case IEEE80211_ELEMID_XRATES:
633 case IEEE80211_ELEMID_ERP:
635 IEEE80211_DPRINTF(("%s: invalid ERP "
636 "element; length %u, expecting "
637 "1\n", __func__, frm[1]));
638 ic->ic_stats.is_rx_elem_toobig++;
644 IEEE80211_DPRINTF2(("%s: element id %u/len %u "
645 "ignored\n", __func__, *frm, frm[1]));
646 ic->ic_stats.is_rx_elem_unknown++;
651 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
652 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
654 #if IEEE80211_CHAN_MAX < 255
655 chan > IEEE80211_CHAN_MAX ||
657 isclr(ic->ic_chan_active, chan)) {
658 IEEE80211_DPRINTF(("%s: ignore %s with invalid channel "
660 isprobe ? "probe response" : "beacon",
662 ic->ic_stats.is_rx_badchan++;
665 if (chan != bchan && ic->ic_phytype != IEEE80211_T_FH) {
667 * Frame was received on a channel different from the
668 * one indicated in the DS params element id;
669 * silently discard it.
671 * NB: this can happen due to signal leakage.
672 * But we should take it for FH phy because
673 * the rssi value should be correct even for
674 * different hop pattern in FH.
676 IEEE80211_DPRINTF(("%s: ignore %s on channel %u marked "
677 "for channel %u\n", __func__,
678 isprobe ? "probe response" : "beacon",
680 ic->ic_stats.is_rx_chanmismatch++;
685 * Use mac and channel for lookup so we collect all
686 * potential AP's when scanning. Otherwise we may
687 * see the same AP on multiple channels and will only
688 * record the last one. We could filter APs here based
689 * on rssi, etc. but leave that to the end of the scan
690 * so we can keep the selection criteria in one spot.
691 * This may result in a bloat of the scanned AP list but
692 * it shouldn't be too much.
694 ni = ieee80211_lookup_node(ic, wh->i_addr2,
695 &ic->ic_channels[chan]);
696 #ifdef IEEE80211_DEBUG
697 if (ieee80211_debug &&
698 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN)) {
699 printf("%s: %s%s on chan %u (bss chan %u) ",
700 __func__, (ni == NULL ? "new " : ""),
701 isprobe ? "probe response" : "beacon",
703 ieee80211_print_essid(ssid + 2, ssid[1]);
704 printf(" from %6D\n", wh->i_addr2, ":");
705 printf("%s: caps 0x%x bintval %u erp 0x%x\n",
706 __func__, le16toh(*(uint16_t *)capinfo),
707 le16toh(*(uint16_t *)bintval), erp);
709 printf("%s: country info %*D\n",
710 __func__, country[1], country+2, " ");
714 ni = ieee80211_alloc_node(ic, wh->i_addr2);
717 ni->ni_esslen = ssid[1];
718 memset(ni->ni_essid, 0, sizeof(ni->ni_essid));
719 memcpy(ni->ni_essid, ssid + 2, ssid[1]);
721 } else if (ssid[1] != 0 && isprobe) {
723 * Update ESSID at probe response to adopt hidden AP by
724 * Lucent/Cisco, which announces null ESSID in beacon.
726 ni->ni_esslen = ssid[1];
727 memset(ni->ni_essid, 0, sizeof(ni->ni_essid));
728 memcpy(ni->ni_essid, ssid + 2, ssid[1]);
732 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3);
734 ni->ni_rstamp = rstamp;
735 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp));
736 ni->ni_intval = le16toh(*(uint16_t *)bintval);
737 ni->ni_capinfo = le16toh(*(uint16_t *)capinfo);
738 /* XXX validate channel # */
739 ni->ni_chan = &ic->ic_channels[chan];
740 ni->ni_fhdwell = fhdwell;
741 ni->ni_fhindex = fhindex;
743 /* NB: must be after ni_chan is setup */
744 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT);
746 * When scanning we record results (nodes) with a zero
747 * refcnt. Otherwise we want to hold the reference for
748 * ibss neighbors so the nodes don't get released prematurely.
749 * Anything else can be discarded (XXX and should be handled
750 * above so we don't do so much work).
752 if (ic->ic_state == IEEE80211_S_SCAN)
753 ieee80211_unref_node(&ni); /* NB: do not free */
754 else if (ic->ic_opmode == IEEE80211_M_IBSS &&
755 allocbs && isprobe) {
757 * Fake an association so the driver can setup it's
758 * private state. The rate set has been setup above;
759 * there is no handshake as in ap/station operation.
762 (*ic->ic_newassoc)(ic, ni, 1);
763 /* NB: hold reference */
765 /* XXX optimize to avoid work done above */
766 ieee80211_free_node(ic, ni);
771 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: {
774 if (ic->ic_opmode == IEEE80211_M_STA)
776 if (ic->ic_state != IEEE80211_S_RUN)
782 * [tlv] supported rates
783 * [tlv] extended supported rates
785 ssid = rates = xrates = NULL;
788 case IEEE80211_ELEMID_SSID:
791 case IEEE80211_ELEMID_RATES:
794 case IEEE80211_ELEMID_XRATES:
800 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
801 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
803 (ssid[1] != ic->ic_bss->ni_esslen ||
804 memcmp(ssid + 2, ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen) != 0)) {
805 #ifdef IEEE80211_DEBUG
806 if (ieee80211_debug) {
807 printf("%s: ssid unmatch ", __func__);
808 ieee80211_print_essid(ssid + 2, ssid[1]);
809 printf(" from %6D\n", wh->i_addr2, ":");
812 ic->ic_stats.is_rx_ssidmismatch++;
816 if (ni == ic->ic_bss) {
817 ni = ieee80211_dup_bss(ic, wh->i_addr2);
820 IEEE80211_DPRINTF(("%s: new req from %6D\n",
821 __func__, wh->i_addr2, ":"));
826 ni->ni_rstamp = rstamp;
827 rate = ieee80211_setup_rates(ic, ni, rates, xrates,
828 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE
829 | IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
830 if (rate & IEEE80211_RATE_BASIC) {
831 IEEE80211_DPRINTF(("%s: rate negotiation failed: %6D\n",
832 __func__, wh->i_addr2, ":"));
834 IEEE80211_SEND_MGMT(ic, ni,
835 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0);
838 ieee80211_free_node(ic, ni);
842 case IEEE80211_FC0_SUBTYPE_AUTH: {
843 uint16_t algo, seq, status;
851 IEEE80211_VERIFY_LENGTH(efrm - frm, 6);
852 algo = le16toh(*(uint16_t *)frm);
853 seq = le16toh(*(uint16_t *)(frm + 2));
854 status = le16toh(*(uint16_t *)(frm + 4));
855 if (algo != IEEE80211_AUTH_ALG_OPEN) {
856 /* TODO: shared key auth */
857 IEEE80211_DPRINTF(("%s: unsupported auth %d from %6D\n",
858 __func__, algo, wh->i_addr2, ":"));
859 ic->ic_stats.is_rx_auth_unsupported++;
862 switch (ic->ic_opmode) {
863 case IEEE80211_M_IBSS:
864 if (ic->ic_state != IEEE80211_S_RUN || seq != 1) {
865 IEEE80211_DPRINTF(("%s: discard auth from %6D; "
866 "state %u, seq %u\n", __func__,
869 ic->ic_stats.is_rx_bad_auth++;
872 ieee80211_new_state(ic, IEEE80211_S_AUTH,
873 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
876 case IEEE80211_M_AHDEMO:
877 /* should not come here */
880 case IEEE80211_M_HOSTAP:
881 if (ic->ic_state != IEEE80211_S_RUN || seq != 1) {
882 IEEE80211_DPRINTF(("%s: discard auth from %6D; "
883 "state %u, seq %u\n", __func__,
886 ic->ic_stats.is_rx_bad_auth++;
889 if (ni == ic->ic_bss) {
890 ni = ieee80211_alloc_node(ic, wh->i_addr2);
893 IEEE80211_ADDR_COPY(ni->ni_bssid, ic->ic_bss->ni_bssid);
895 ni->ni_rstamp = rstamp;
896 ni->ni_chan = ic->ic_bss->ni_chan;
900 IEEE80211_SEND_MGMT(ic, ni,
901 IEEE80211_FC0_SUBTYPE_AUTH, 2);
902 if (ifp->if_flags & IFF_DEBUG)
903 if_printf(ifp, "station %6D %s authenticated\n",
905 (allocbs ? "newly" : "already"));
908 case IEEE80211_M_STA:
909 if (ic->ic_state != IEEE80211_S_AUTH || seq != 2) {
910 IEEE80211_DPRINTF(("%s: discard auth from %6D; "
911 "state %u, seq %u\n", __func__,
914 ic->ic_stats.is_rx_bad_auth++;
918 if_printf(&ic->ic_if,
919 "authentication failed (reason %d) for %6D\n",
922 if (ni != ic->ic_bss)
924 ic->ic_stats.is_rx_auth_fail++;
927 ieee80211_new_state(ic, IEEE80211_S_ASSOC,
928 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
930 case IEEE80211_M_MONITOR:
936 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
937 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
938 uint16_t capinfo, bintval;
940 if (ic->ic_opmode != IEEE80211_M_HOSTAP ||
941 (ic->ic_state != IEEE80211_S_RUN))
944 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
946 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
949 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
953 * [2] capability information
954 * [2] listen interval
955 * [6*] current AP address (reassoc only)
957 * [tlv] supported rates
958 * [tlv] extended supported rates
960 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4));
961 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) {
962 IEEE80211_DPRINTF(("%s: ignore other bss from %6D\n",
963 __func__, wh->i_addr2, ":"));
964 ic->ic_stats.is_rx_assoc_bss++;
967 capinfo = le16toh(*(uint16_t *)frm); frm += 2;
968 bintval = le16toh(*(uint16_t *)frm); frm += 2;
970 frm += 6; /* ignore current AP info */
971 ssid = rates = xrates = NULL;
974 case IEEE80211_ELEMID_SSID:
977 case IEEE80211_ELEMID_RATES:
980 case IEEE80211_ELEMID_XRATES:
986 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
987 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
988 if (ssid[1] != ic->ic_bss->ni_esslen ||
989 memcmp(ssid + 2, ic->ic_bss->ni_essid, ssid[1]) != 0) {
990 #ifdef IEEE80211_DEBUG
991 if (ieee80211_debug) {
992 printf("%s: ssid unmatch ", __func__);
993 ieee80211_print_essid(ssid + 2, ssid[1]);
994 printf(" from %6D\n", wh->i_addr2, ":");
997 ic->ic_stats.is_rx_ssidmismatch++;
1000 if (ni == ic->ic_bss) {
1001 IEEE80211_DPRINTF(("%s: not authenticated for %6D\n",
1002 __func__, wh->i_addr2, ":"));
1003 ni = ieee80211_dup_bss(ic, wh->i_addr2);
1005 IEEE80211_SEND_MGMT(ic, ni,
1006 IEEE80211_FC0_SUBTYPE_DEAUTH,
1007 IEEE80211_REASON_ASSOC_NOT_AUTHED);
1008 ieee80211_free_node(ic, ni);
1010 ic->ic_stats.is_rx_assoc_notauth++;
1013 /* XXX per-node cipher suite */
1014 /* XXX some stations use the privacy bit for handling APs
1015 that suport both encrypted and unencrypted traffic */
1016 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0 ||
1017 (capinfo & IEEE80211_CAPINFO_PRIVACY) !=
1018 ((ic->ic_flags & IEEE80211_F_WEPON) ?
1019 IEEE80211_CAPINFO_PRIVACY : 0)) {
1020 IEEE80211_DPRINTF(("%s: capability mismatch %x for %6D\n",
1021 __func__, capinfo, wh->i_addr2, ":"));
1023 IEEE80211_SEND_MGMT(ic, ni, resp,
1024 IEEE80211_STATUS_CAPINFO);
1025 ic->ic_stats.is_rx_assoc_capmismatch++;
1028 ieee80211_setup_rates(ic, ni, rates, xrates,
1029 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
1030 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
1031 if (ni->ni_rates.rs_nrates == 0) {
1032 IEEE80211_DPRINTF(("%s: rate unmatch for %6D\n",
1033 __func__, wh->i_addr2, ":"));
1035 IEEE80211_SEND_MGMT(ic, ni, resp,
1036 IEEE80211_STATUS_BASIC_RATE);
1037 ic->ic_stats.is_rx_assoc_norate++;
1041 ni->ni_rstamp = rstamp;
1042 ni->ni_intval = bintval;
1043 ni->ni_capinfo = capinfo;
1044 ni->ni_chan = ic->ic_bss->ni_chan;
1045 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell;
1046 ni->ni_fhindex = ic->ic_bss->ni_fhindex;
1047 if (ni->ni_associd == 0) {
1048 /* XXX handle rollover at 2007 */
1049 /* XXX guarantee uniqueness */
1050 ni->ni_associd = 0xc000 | ic->ic_bss->ni_associd++;
1054 /* XXX for 11g must turn off short slot time if long
1055 slot time sta associates */
1056 IEEE80211_SEND_MGMT(ic, ni, resp, IEEE80211_STATUS_SUCCESS);
1057 if (ifp->if_flags & IFF_DEBUG)
1058 if_printf(ifp, "station %6D %s associated\n",
1059 ni->ni_macaddr, ":",
1060 (newassoc ? "newly" : "already"));
1061 /* give driver a chance to setup state like ni_txrate */
1062 if (ic->ic_newassoc)
1063 (*ic->ic_newassoc)(ic, ni, newassoc);
1067 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
1068 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: {
1071 if (ic->ic_opmode != IEEE80211_M_STA ||
1072 ic->ic_state != IEEE80211_S_ASSOC)
1076 * asresp frame format
1077 * [2] capability information
1079 * [2] association ID
1080 * [tlv] supported rates
1081 * [tlv] extended supported rates
1083 IEEE80211_VERIFY_LENGTH(efrm - frm, 6);
1085 ni->ni_capinfo = le16toh(*(uint16_t *)frm);
1088 status = le16toh(*(uint16_t *)frm);
1091 if_printf(ifp, "association failed (reason %d) for %6D\n",
1092 status, wh->i_addr3, ":");
1093 if (ni != ic->ic_bss)
1095 ic->ic_stats.is_rx_auth_fail++;
1098 ni->ni_associd = le16toh(*(uint16_t *)frm);
1101 rates = xrates = NULL;
1102 while (frm < efrm) {
1104 case IEEE80211_ELEMID_RATES:
1107 case IEEE80211_ELEMID_XRATES:
1114 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
1115 ieee80211_setup_rates(ic, ni, rates, xrates,
1116 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
1117 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
1118 if (ni->ni_rates.rs_nrates != 0)
1119 ieee80211_new_state(ic, IEEE80211_S_RUN,
1120 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
1124 case IEEE80211_FC0_SUBTYPE_DEAUTH: {
1127 * deauth frame format
1130 IEEE80211_VERIFY_LENGTH(efrm - frm, 2);
1131 reason = le16toh(*(uint16_t *)frm);
1132 ic->ic_stats.is_rx_deauth++;
1133 switch (ic->ic_opmode) {
1134 case IEEE80211_M_STA:
1135 ieee80211_new_state(ic, IEEE80211_S_AUTH,
1136 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
1138 case IEEE80211_M_HOSTAP:
1139 if (ni != ic->ic_bss) {
1140 if (ifp->if_flags & IFF_DEBUG)
1141 if_printf(ifp, "station %6D deauthenticated"
1142 " by peer (reason %d)\n",
1143 ni->ni_macaddr, ":", reason);
1144 /* node will be free'd on return */
1145 ieee80211_unref_node(&ni);
1154 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
1157 * disassoc frame format
1160 IEEE80211_VERIFY_LENGTH(efrm - frm, 2);
1161 reason = le16toh(*(uint16_t *)frm);
1162 ic->ic_stats.is_rx_disassoc++;
1163 switch (ic->ic_opmode) {
1164 case IEEE80211_M_STA:
1165 ieee80211_new_state(ic, IEEE80211_S_ASSOC,
1166 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
1168 case IEEE80211_M_HOSTAP:
1169 if (ni != ic->ic_bss) {
1170 if (ifp->if_flags & IFF_DEBUG)
1171 if_printf(ifp, "station %6D disassociated"
1172 " by peer (reason %d)\n",
1173 ni->ni_macaddr, ":", reason);
1175 /* XXX node reclaimed how? */
1184 IEEE80211_DPRINTF(("%s: mgmt frame with subtype 0x%x not "
1185 "handled\n", __func__, subtype));
1186 ic->ic_stats.is_rx_badsubtype++;
1190 #undef IEEE80211_VERIFY_LENGTH
1191 #undef IEEE80211_VERIFY_ELEMENT