hostap_80211_rx.c (32600B)
1// SPDX-License-Identifier: GPL-2.0 2#include <linux/etherdevice.h> 3#include <linux/slab.h> 4#include <linux/export.h> 5#include <net/lib80211.h> 6#include <linux/if_arp.h> 7 8#include "hostap_80211.h" 9#include "hostap.h" 10#include "hostap_ap.h" 11 12/* See IEEE 802.1H for LLC/SNAP encapsulation/decapsulation */ 13/* Ethernet-II snap header (RFC1042 for most EtherTypes) */ 14static unsigned char rfc1042_header[] = 15{ 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 16/* Bridge-Tunnel header (for EtherTypes ETH_P_AARP and ETH_P_IPX) */ 17static unsigned char bridge_tunnel_header[] = 18{ 0xaa, 0xaa, 0x03, 0x00, 0x00, 0xf8 }; 19/* No encapsulation header if EtherType < 0x600 (=length) */ 20 21void hostap_dump_rx_80211(const char *name, struct sk_buff *skb, 22 struct hostap_80211_rx_status *rx_stats) 23{ 24 struct ieee80211_hdr *hdr; 25 u16 fc; 26 27 hdr = (struct ieee80211_hdr *) skb->data; 28 29 printk(KERN_DEBUG "%s: RX signal=%d noise=%d rate=%d len=%d " 30 "jiffies=%ld\n", 31 name, rx_stats->signal, rx_stats->noise, rx_stats->rate, 32 skb->len, jiffies); 33 34 if (skb->len < 2) 35 return; 36 37 fc = le16_to_cpu(hdr->frame_control); 38 printk(KERN_DEBUG " FC=0x%04x (type=%d:%d)%s%s", 39 fc, (fc & IEEE80211_FCTL_FTYPE) >> 2, 40 (fc & IEEE80211_FCTL_STYPE) >> 4, 41 fc & IEEE80211_FCTL_TODS ? " [ToDS]" : "", 42 fc & IEEE80211_FCTL_FROMDS ? " [FromDS]" : ""); 43 44 if (skb->len < IEEE80211_DATA_HDR3_LEN) { 45 printk("\n"); 46 return; 47 } 48 49 printk(" dur=0x%04x seq=0x%04x\n", le16_to_cpu(hdr->duration_id), 50 le16_to_cpu(hdr->seq_ctrl)); 51 52 printk(KERN_DEBUG " A1=%pM", hdr->addr1); 53 printk(" A2=%pM", hdr->addr2); 54 printk(" A3=%pM", hdr->addr3); 55 if (skb->len >= 30) 56 printk(" A4=%pM", hdr->addr4); 57 printk("\n"); 58} 59 60 61/* Send RX frame to netif with 802.11 (and possible prism) header. 62 * Called from hardware or software IRQ context. */ 63int prism2_rx_80211(struct net_device *dev, struct sk_buff *skb, 64 struct hostap_80211_rx_status *rx_stats, int type) 65{ 66 struct hostap_interface *iface; 67 local_info_t *local; 68 int hdrlen, phdrlen, head_need, tail_need; 69 u16 fc; 70 int prism_header, ret; 71 struct ieee80211_hdr *fhdr; 72 73 iface = netdev_priv(dev); 74 local = iface->local; 75 76 if (dev->type == ARPHRD_IEEE80211_PRISM) { 77 if (local->monitor_type == PRISM2_MONITOR_PRISM) { 78 prism_header = 1; 79 phdrlen = sizeof(struct linux_wlan_ng_prism_hdr); 80 } else { /* local->monitor_type == PRISM2_MONITOR_CAPHDR */ 81 prism_header = 2; 82 phdrlen = sizeof(struct linux_wlan_ng_cap_hdr); 83 } 84 } else if (dev->type == ARPHRD_IEEE80211_RADIOTAP) { 85 prism_header = 3; 86 phdrlen = sizeof(struct hostap_radiotap_rx); 87 } else { 88 prism_header = 0; 89 phdrlen = 0; 90 } 91 92 fhdr = (struct ieee80211_hdr *) skb->data; 93 fc = le16_to_cpu(fhdr->frame_control); 94 95 if (type == PRISM2_RX_MGMT && (fc & IEEE80211_FCTL_VERS)) { 96 printk(KERN_DEBUG "%s: dropped management frame with header " 97 "version %d\n", dev->name, fc & IEEE80211_FCTL_VERS); 98 dev_kfree_skb_any(skb); 99 return 0; 100 } 101 102 hdrlen = hostap_80211_get_hdrlen(fhdr->frame_control); 103 104 /* check if there is enough room for extra data; if not, expand skb 105 * buffer to be large enough for the changes */ 106 head_need = phdrlen; 107 tail_need = 0; 108#ifdef PRISM2_ADD_BOGUS_CRC 109 tail_need += 4; 110#endif /* PRISM2_ADD_BOGUS_CRC */ 111 112 head_need -= skb_headroom(skb); 113 tail_need -= skb_tailroom(skb); 114 115 if (head_need > 0 || tail_need > 0) { 116 if (pskb_expand_head(skb, head_need > 0 ? head_need : 0, 117 tail_need > 0 ? tail_need : 0, 118 GFP_ATOMIC)) { 119 printk(KERN_DEBUG "%s: prism2_rx_80211 failed to " 120 "reallocate skb buffer\n", dev->name); 121 dev_kfree_skb_any(skb); 122 return 0; 123 } 124 } 125 126 /* We now have an skb with enough head and tail room, so just insert 127 * the extra data */ 128 129#ifdef PRISM2_ADD_BOGUS_CRC 130 memset(skb_put(skb, 4), 0xff, 4); /* Prism2 strips CRC */ 131#endif /* PRISM2_ADD_BOGUS_CRC */ 132 133 if (prism_header == 1) { 134 struct linux_wlan_ng_prism_hdr *hdr; 135 hdr = skb_push(skb, phdrlen); 136 memset(hdr, 0, phdrlen); 137 hdr->msgcode = LWNG_CAP_DID_BASE; 138 hdr->msglen = sizeof(*hdr); 139 memcpy(hdr->devname, dev->name, sizeof(hdr->devname)); 140#define LWNG_SETVAL(f,i,s,l,d) \ 141hdr->f.did = LWNG_CAP_DID_BASE | (i << 12); \ 142hdr->f.status = s; hdr->f.len = l; hdr->f.data = d 143 LWNG_SETVAL(hosttime, 1, 0, 4, jiffies); 144 LWNG_SETVAL(mactime, 2, 0, 4, rx_stats->mac_time); 145 LWNG_SETVAL(channel, 3, 1 /* no value */, 4, 0); 146 LWNG_SETVAL(rssi, 4, 1 /* no value */, 4, 0); 147 LWNG_SETVAL(sq, 5, 1 /* no value */, 4, 0); 148 LWNG_SETVAL(signal, 6, 0, 4, rx_stats->signal); 149 LWNG_SETVAL(noise, 7, 0, 4, rx_stats->noise); 150 LWNG_SETVAL(rate, 8, 0, 4, rx_stats->rate / 5); 151 LWNG_SETVAL(istx, 9, 0, 4, 0); 152 LWNG_SETVAL(frmlen, 10, 0, 4, skb->len - phdrlen); 153#undef LWNG_SETVAL 154 } else if (prism_header == 2) { 155 struct linux_wlan_ng_cap_hdr *hdr; 156 hdr = skb_push(skb, phdrlen); 157 memset(hdr, 0, phdrlen); 158 hdr->version = htonl(LWNG_CAPHDR_VERSION); 159 hdr->length = htonl(phdrlen); 160 hdr->mactime = __cpu_to_be64(rx_stats->mac_time); 161 hdr->hosttime = __cpu_to_be64(jiffies); 162 hdr->phytype = htonl(4); /* dss_dot11_b */ 163 hdr->channel = htonl(local->channel); 164 hdr->datarate = htonl(rx_stats->rate); 165 hdr->antenna = htonl(0); /* unknown */ 166 hdr->priority = htonl(0); /* unknown */ 167 hdr->ssi_type = htonl(3); /* raw */ 168 hdr->ssi_signal = htonl(rx_stats->signal); 169 hdr->ssi_noise = htonl(rx_stats->noise); 170 hdr->preamble = htonl(0); /* unknown */ 171 hdr->encoding = htonl(1); /* cck */ 172 } else if (prism_header == 3) { 173 struct hostap_radiotap_rx *hdr; 174 hdr = skb_push(skb, phdrlen); 175 memset(hdr, 0, phdrlen); 176 hdr->hdr.it_len = cpu_to_le16(phdrlen); 177 hdr->hdr.it_present = 178 cpu_to_le32((1 << IEEE80211_RADIOTAP_TSFT) | 179 (1 << IEEE80211_RADIOTAP_CHANNEL) | 180 (1 << IEEE80211_RADIOTAP_RATE) | 181 (1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL) | 182 (1 << IEEE80211_RADIOTAP_DBM_ANTNOISE)); 183 hdr->tsft = cpu_to_le64(rx_stats->mac_time); 184 hdr->chan_freq = cpu_to_le16(freq_list[local->channel - 1]); 185 hdr->chan_flags = cpu_to_le16(IEEE80211_CHAN_CCK | 186 IEEE80211_CHAN_2GHZ); 187 hdr->rate = rx_stats->rate / 5; 188 hdr->dbm_antsignal = rx_stats->signal; 189 hdr->dbm_antnoise = rx_stats->noise; 190 } 191 192 ret = skb->len - phdrlen; 193 skb->dev = dev; 194 skb_reset_mac_header(skb); 195 skb_pull(skb, hdrlen); 196 if (prism_header) 197 skb_pull(skb, phdrlen); 198 skb->pkt_type = PACKET_OTHERHOST; 199 skb->protocol = cpu_to_be16(ETH_P_802_2); 200 memset(skb->cb, 0, sizeof(skb->cb)); 201 netif_rx(skb); 202 203 return ret; 204} 205 206 207/* Called only as a tasklet (software IRQ) */ 208static void monitor_rx(struct net_device *dev, struct sk_buff *skb, 209 struct hostap_80211_rx_status *rx_stats) 210{ 211 int len; 212 213 len = prism2_rx_80211(dev, skb, rx_stats, PRISM2_RX_MONITOR); 214 dev->stats.rx_packets++; 215 dev->stats.rx_bytes += len; 216} 217 218 219/* Called only as a tasklet (software IRQ) */ 220static struct prism2_frag_entry * 221prism2_frag_cache_find(local_info_t *local, unsigned int seq, 222 unsigned int frag, u8 *src, u8 *dst) 223{ 224 struct prism2_frag_entry *entry; 225 int i; 226 227 for (i = 0; i < PRISM2_FRAG_CACHE_LEN; i++) { 228 entry = &local->frag_cache[i]; 229 if (entry->skb != NULL && 230 time_after(jiffies, entry->first_frag_time + 2 * HZ)) { 231 printk(KERN_DEBUG "%s: expiring fragment cache entry " 232 "seq=%u last_frag=%u\n", 233 local->dev->name, entry->seq, entry->last_frag); 234 dev_kfree_skb(entry->skb); 235 entry->skb = NULL; 236 } 237 238 if (entry->skb != NULL && entry->seq == seq && 239 (entry->last_frag + 1 == frag || frag == -1) && 240 memcmp(entry->src_addr, src, ETH_ALEN) == 0 && 241 memcmp(entry->dst_addr, dst, ETH_ALEN) == 0) 242 return entry; 243 } 244 245 return NULL; 246} 247 248 249/* Called only as a tasklet (software IRQ) */ 250static struct sk_buff * 251prism2_frag_cache_get(local_info_t *local, struct ieee80211_hdr *hdr) 252{ 253 struct sk_buff *skb = NULL; 254 u16 sc; 255 unsigned int frag, seq; 256 struct prism2_frag_entry *entry; 257 258 sc = le16_to_cpu(hdr->seq_ctrl); 259 frag = sc & IEEE80211_SCTL_FRAG; 260 seq = (sc & IEEE80211_SCTL_SEQ) >> 4; 261 262 if (frag == 0) { 263 /* Reserve enough space to fit maximum frame length */ 264 skb = dev_alloc_skb(local->dev->mtu + 265 sizeof(struct ieee80211_hdr) + 266 8 /* LLC */ + 267 2 /* alignment */ + 268 8 /* WEP */ + ETH_ALEN /* WDS */); 269 if (skb == NULL) 270 return NULL; 271 272 entry = &local->frag_cache[local->frag_next_idx]; 273 local->frag_next_idx++; 274 if (local->frag_next_idx >= PRISM2_FRAG_CACHE_LEN) 275 local->frag_next_idx = 0; 276 277 if (entry->skb != NULL) 278 dev_kfree_skb(entry->skb); 279 280 entry->first_frag_time = jiffies; 281 entry->seq = seq; 282 entry->last_frag = frag; 283 entry->skb = skb; 284 memcpy(entry->src_addr, hdr->addr2, ETH_ALEN); 285 memcpy(entry->dst_addr, hdr->addr1, ETH_ALEN); 286 } else { 287 /* received a fragment of a frame for which the head fragment 288 * should have already been received */ 289 entry = prism2_frag_cache_find(local, seq, frag, hdr->addr2, 290 hdr->addr1); 291 if (entry != NULL) { 292 entry->last_frag = frag; 293 skb = entry->skb; 294 } 295 } 296 297 return skb; 298} 299 300 301/* Called only as a tasklet (software IRQ) */ 302static int prism2_frag_cache_invalidate(local_info_t *local, 303 struct ieee80211_hdr *hdr) 304{ 305 u16 sc; 306 unsigned int seq; 307 struct prism2_frag_entry *entry; 308 309 sc = le16_to_cpu(hdr->seq_ctrl); 310 seq = (sc & IEEE80211_SCTL_SEQ) >> 4; 311 312 entry = prism2_frag_cache_find(local, seq, -1, hdr->addr2, hdr->addr1); 313 314 if (entry == NULL) { 315 printk(KERN_DEBUG "%s: could not invalidate fragment cache " 316 "entry (seq=%u)\n", 317 local->dev->name, seq); 318 return -1; 319 } 320 321 entry->skb = NULL; 322 return 0; 323} 324 325 326static struct hostap_bss_info *__hostap_get_bss(local_info_t *local, u8 *bssid, 327 u8 *ssid, size_t ssid_len) 328{ 329 struct list_head *ptr; 330 struct hostap_bss_info *bss; 331 332 list_for_each(ptr, &local->bss_list) { 333 bss = list_entry(ptr, struct hostap_bss_info, list); 334 if (memcmp(bss->bssid, bssid, ETH_ALEN) == 0 && 335 (ssid == NULL || 336 (ssid_len == bss->ssid_len && 337 memcmp(ssid, bss->ssid, ssid_len) == 0))) { 338 list_move(&bss->list, &local->bss_list); 339 return bss; 340 } 341 } 342 343 return NULL; 344} 345 346 347static struct hostap_bss_info *__hostap_add_bss(local_info_t *local, u8 *bssid, 348 u8 *ssid, size_t ssid_len) 349{ 350 struct hostap_bss_info *bss; 351 352 if (local->num_bss_info >= HOSTAP_MAX_BSS_COUNT) { 353 bss = list_entry(local->bss_list.prev, 354 struct hostap_bss_info, list); 355 list_del(&bss->list); 356 local->num_bss_info--; 357 } else { 358 bss = kmalloc(sizeof(*bss), GFP_ATOMIC); 359 if (bss == NULL) 360 return NULL; 361 } 362 363 memset(bss, 0, sizeof(*bss)); 364 memcpy(bss->bssid, bssid, ETH_ALEN); 365 memcpy(bss->ssid, ssid, ssid_len); 366 bss->ssid_len = ssid_len; 367 local->num_bss_info++; 368 list_add(&bss->list, &local->bss_list); 369 return bss; 370} 371 372 373static void __hostap_expire_bss(local_info_t *local) 374{ 375 struct hostap_bss_info *bss; 376 377 while (local->num_bss_info > 0) { 378 bss = list_entry(local->bss_list.prev, 379 struct hostap_bss_info, list); 380 if (!time_after(jiffies, bss->last_update + 60 * HZ)) 381 break; 382 383 list_del(&bss->list); 384 local->num_bss_info--; 385 kfree(bss); 386 } 387} 388 389 390/* Both IEEE 802.11 Beacon and Probe Response frames have similar structure, so 391 * the same routine can be used to parse both of them. */ 392static void hostap_rx_sta_beacon(local_info_t *local, struct sk_buff *skb, 393 int stype) 394{ 395 struct hostap_ieee80211_mgmt *mgmt; 396 int left, chan = 0; 397 u8 *pos; 398 u8 *ssid = NULL, *wpa = NULL, *rsn = NULL; 399 size_t ssid_len = 0, wpa_len = 0, rsn_len = 0; 400 struct hostap_bss_info *bss; 401 402 if (skb->len < IEEE80211_MGMT_HDR_LEN + sizeof(mgmt->u.beacon)) 403 return; 404 405 mgmt = (struct hostap_ieee80211_mgmt *) skb->data; 406 pos = mgmt->u.beacon.variable; 407 left = skb->len - (pos - skb->data); 408 409 while (left >= 2) { 410 if (2 + pos[1] > left) 411 return; /* parse failed */ 412 switch (*pos) { 413 case WLAN_EID_SSID: 414 ssid = pos + 2; 415 ssid_len = pos[1]; 416 break; 417 case WLAN_EID_VENDOR_SPECIFIC: 418 if (pos[1] >= 4 && 419 pos[2] == 0x00 && pos[3] == 0x50 && 420 pos[4] == 0xf2 && pos[5] == 1) { 421 wpa = pos; 422 wpa_len = pos[1] + 2; 423 } 424 break; 425 case WLAN_EID_RSN: 426 rsn = pos; 427 rsn_len = pos[1] + 2; 428 break; 429 case WLAN_EID_DS_PARAMS: 430 if (pos[1] >= 1) 431 chan = pos[2]; 432 break; 433 } 434 left -= 2 + pos[1]; 435 pos += 2 + pos[1]; 436 } 437 438 if (wpa_len > MAX_WPA_IE_LEN) 439 wpa_len = MAX_WPA_IE_LEN; 440 if (rsn_len > MAX_WPA_IE_LEN) 441 rsn_len = MAX_WPA_IE_LEN; 442 if (ssid_len > sizeof(bss->ssid)) 443 ssid_len = sizeof(bss->ssid); 444 445 spin_lock(&local->lock); 446 bss = __hostap_get_bss(local, mgmt->bssid, ssid, ssid_len); 447 if (bss == NULL) 448 bss = __hostap_add_bss(local, mgmt->bssid, ssid, ssid_len); 449 if (bss) { 450 bss->last_update = jiffies; 451 bss->count++; 452 bss->capab_info = le16_to_cpu(mgmt->u.beacon.capab_info); 453 if (wpa) { 454 memcpy(bss->wpa_ie, wpa, wpa_len); 455 bss->wpa_ie_len = wpa_len; 456 } else 457 bss->wpa_ie_len = 0; 458 if (rsn) { 459 memcpy(bss->rsn_ie, rsn, rsn_len); 460 bss->rsn_ie_len = rsn_len; 461 } else 462 bss->rsn_ie_len = 0; 463 bss->chan = chan; 464 } 465 __hostap_expire_bss(local); 466 spin_unlock(&local->lock); 467} 468 469 470static int 471hostap_rx_frame_mgmt(local_info_t *local, struct sk_buff *skb, 472 struct hostap_80211_rx_status *rx_stats, u16 type, 473 u16 stype) 474{ 475 if (local->iw_mode == IW_MODE_MASTER) 476 hostap_update_sta_ps(local, (struct ieee80211_hdr *) skb->data); 477 478 if (local->hostapd && type == IEEE80211_FTYPE_MGMT) { 479 if (stype == IEEE80211_STYPE_BEACON && 480 local->iw_mode == IW_MODE_MASTER) { 481 struct sk_buff *skb2; 482 /* Process beacon frames also in kernel driver to 483 * update STA(AP) table statistics */ 484 skb2 = skb_clone(skb, GFP_ATOMIC); 485 if (skb2) 486 hostap_rx(skb2->dev, skb2, rx_stats); 487 } 488 489 /* send management frames to the user space daemon for 490 * processing */ 491 local->apdevstats.rx_packets++; 492 local->apdevstats.rx_bytes += skb->len; 493 if (local->apdev == NULL) 494 return -1; 495 prism2_rx_80211(local->apdev, skb, rx_stats, PRISM2_RX_MGMT); 496 return 0; 497 } 498 499 if (local->iw_mode == IW_MODE_MASTER) { 500 if (type != IEEE80211_FTYPE_MGMT && 501 type != IEEE80211_FTYPE_CTL) { 502 printk(KERN_DEBUG "%s: unknown management frame " 503 "(type=0x%02x, stype=0x%02x) dropped\n", 504 skb->dev->name, type >> 2, stype >> 4); 505 return -1; 506 } 507 508 hostap_rx(skb->dev, skb, rx_stats); 509 return 0; 510 } else if (type == IEEE80211_FTYPE_MGMT && 511 (stype == IEEE80211_STYPE_BEACON || 512 stype == IEEE80211_STYPE_PROBE_RESP)) { 513 hostap_rx_sta_beacon(local, skb, stype); 514 return -1; 515 } else if (type == IEEE80211_FTYPE_MGMT && 516 (stype == IEEE80211_STYPE_ASSOC_RESP || 517 stype == IEEE80211_STYPE_REASSOC_RESP)) { 518 /* Ignore (Re)AssocResp silently since these are not currently 519 * needed but are still received when WPA/RSN mode is enabled. 520 */ 521 return -1; 522 } else { 523 printk(KERN_DEBUG "%s: hostap_rx_frame_mgmt: dropped unhandled" 524 " management frame in non-Host AP mode (type=%d:%d)\n", 525 skb->dev->name, type >> 2, stype >> 4); 526 return -1; 527 } 528} 529 530 531/* Called only as a tasklet (software IRQ) */ 532static struct net_device *prism2_rx_get_wds(local_info_t *local, 533 u8 *addr) 534{ 535 struct hostap_interface *iface = NULL; 536 struct list_head *ptr; 537 538 read_lock_bh(&local->iface_lock); 539 list_for_each(ptr, &local->hostap_interfaces) { 540 iface = list_entry(ptr, struct hostap_interface, list); 541 if (iface->type == HOSTAP_INTERFACE_WDS && 542 memcmp(iface->u.wds.remote_addr, addr, ETH_ALEN) == 0) 543 break; 544 iface = NULL; 545 } 546 read_unlock_bh(&local->iface_lock); 547 548 return iface ? iface->dev : NULL; 549} 550 551 552static int 553hostap_rx_frame_wds(local_info_t *local, struct ieee80211_hdr *hdr, u16 fc, 554 struct net_device **wds) 555{ 556 /* FIX: is this really supposed to accept WDS frames only in Master 557 * mode? What about Repeater or Managed with WDS frames? */ 558 if ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) != 559 (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS) && 560 (local->iw_mode != IW_MODE_MASTER || !(fc & IEEE80211_FCTL_TODS))) 561 return 0; /* not a WDS frame */ 562 563 /* Possible WDS frame: either IEEE 802.11 compliant (if FromDS) 564 * or own non-standard frame with 4th address after payload */ 565 if (!ether_addr_equal(hdr->addr1, local->dev->dev_addr) && 566 (hdr->addr1[0] != 0xff || hdr->addr1[1] != 0xff || 567 hdr->addr1[2] != 0xff || hdr->addr1[3] != 0xff || 568 hdr->addr1[4] != 0xff || hdr->addr1[5] != 0xff)) { 569 /* RA (or BSSID) is not ours - drop */ 570 PDEBUG(DEBUG_EXTRA2, "%s: received WDS frame with " 571 "not own or broadcast %s=%pM\n", 572 local->dev->name, 573 fc & IEEE80211_FCTL_FROMDS ? "RA" : "BSSID", 574 hdr->addr1); 575 return -1; 576 } 577 578 /* check if the frame came from a registered WDS connection */ 579 *wds = prism2_rx_get_wds(local, hdr->addr2); 580 if (*wds == NULL && fc & IEEE80211_FCTL_FROMDS && 581 (local->iw_mode != IW_MODE_INFRA || 582 !(local->wds_type & HOSTAP_WDS_AP_CLIENT) || 583 memcmp(hdr->addr2, local->bssid, ETH_ALEN) != 0)) { 584 /* require that WDS link has been registered with TA or the 585 * frame is from current AP when using 'AP client mode' */ 586 PDEBUG(DEBUG_EXTRA, "%s: received WDS[4 addr] frame " 587 "from unknown TA=%pM\n", 588 local->dev->name, hdr->addr2); 589 if (local->ap && local->ap->autom_ap_wds) 590 hostap_wds_link_oper(local, hdr->addr2, WDS_ADD); 591 return -1; 592 } 593 594 if (*wds && !(fc & IEEE80211_FCTL_FROMDS) && local->ap && 595 hostap_is_sta_assoc(local->ap, hdr->addr2)) { 596 /* STA is actually associated with us even though it has a 597 * registered WDS link. Assume it is in 'AP client' mode. 598 * Since this is a 3-addr frame, assume it is not (bogus) WDS 599 * frame and process it like any normal ToDS frame from 600 * associated STA. */ 601 *wds = NULL; 602 } 603 604 return 0; 605} 606 607 608static int hostap_is_eapol_frame(local_info_t *local, struct sk_buff *skb) 609{ 610 struct net_device *dev = local->dev; 611 u16 fc, ethertype; 612 struct ieee80211_hdr *hdr; 613 u8 *pos; 614 615 if (skb->len < 24) 616 return 0; 617 618 hdr = (struct ieee80211_hdr *) skb->data; 619 fc = le16_to_cpu(hdr->frame_control); 620 621 /* check that the frame is unicast frame to us */ 622 if ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) == 623 IEEE80211_FCTL_TODS && 624 ether_addr_equal(hdr->addr1, dev->dev_addr) && 625 ether_addr_equal(hdr->addr3, dev->dev_addr)) { 626 /* ToDS frame with own addr BSSID and DA */ 627 } else if ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) == 628 IEEE80211_FCTL_FROMDS && 629 ether_addr_equal(hdr->addr1, dev->dev_addr)) { 630 /* FromDS frame with own addr as DA */ 631 } else 632 return 0; 633 634 if (skb->len < 24 + 8) 635 return 0; 636 637 /* check for port access entity Ethernet type */ 638 pos = skb->data + 24; 639 ethertype = (pos[6] << 8) | pos[7]; 640 if (ethertype == ETH_P_PAE) 641 return 1; 642 643 return 0; 644} 645 646 647/* Called only as a tasklet (software IRQ) */ 648static int 649hostap_rx_frame_decrypt(local_info_t *local, struct sk_buff *skb, 650 struct lib80211_crypt_data *crypt) 651{ 652 struct ieee80211_hdr *hdr; 653 int res, hdrlen; 654 655 if (crypt == NULL || crypt->ops->decrypt_mpdu == NULL) 656 return 0; 657 658 hdr = (struct ieee80211_hdr *) skb->data; 659 hdrlen = hostap_80211_get_hdrlen(hdr->frame_control); 660 661 if (local->tkip_countermeasures && 662 strcmp(crypt->ops->name, "TKIP") == 0) { 663 if (net_ratelimit()) { 664 printk(KERN_DEBUG "%s: TKIP countermeasures: dropped " 665 "received packet from %pM\n", 666 local->dev->name, hdr->addr2); 667 } 668 return -1; 669 } 670 671 atomic_inc(&crypt->refcnt); 672 res = crypt->ops->decrypt_mpdu(skb, hdrlen, crypt->priv); 673 atomic_dec(&crypt->refcnt); 674 if (res < 0) { 675 printk(KERN_DEBUG "%s: decryption failed (SA=%pM) res=%d\n", 676 local->dev->name, hdr->addr2, res); 677 local->comm_tallies.rx_discards_wep_undecryptable++; 678 return -1; 679 } 680 681 return res; 682} 683 684 685/* Called only as a tasklet (software IRQ) */ 686static int 687hostap_rx_frame_decrypt_msdu(local_info_t *local, struct sk_buff *skb, 688 int keyidx, struct lib80211_crypt_data *crypt) 689{ 690 struct ieee80211_hdr *hdr; 691 int res, hdrlen; 692 693 if (crypt == NULL || crypt->ops->decrypt_msdu == NULL) 694 return 0; 695 696 hdr = (struct ieee80211_hdr *) skb->data; 697 hdrlen = hostap_80211_get_hdrlen(hdr->frame_control); 698 699 atomic_inc(&crypt->refcnt); 700 res = crypt->ops->decrypt_msdu(skb, keyidx, hdrlen, crypt->priv); 701 atomic_dec(&crypt->refcnt); 702 if (res < 0) { 703 printk(KERN_DEBUG "%s: MSDU decryption/MIC verification failed" 704 " (SA=%pM keyidx=%d)\n", 705 local->dev->name, hdr->addr2, keyidx); 706 return -1; 707 } 708 709 return 0; 710} 711 712 713/* All received frames are sent to this function. @skb contains the frame in 714 * IEEE 802.11 format, i.e., in the format it was sent over air. 715 * This function is called only as a tasklet (software IRQ). */ 716void hostap_80211_rx(struct net_device *dev, struct sk_buff *skb, 717 struct hostap_80211_rx_status *rx_stats) 718{ 719 struct hostap_interface *iface; 720 local_info_t *local; 721 struct ieee80211_hdr *hdr; 722 size_t hdrlen; 723 u16 fc, type, stype, sc; 724 struct net_device *wds = NULL; 725 unsigned int frag; 726 u8 *payload; 727 struct sk_buff *skb2 = NULL; 728 u16 ethertype; 729 int frame_authorized = 0; 730 int from_assoc_ap = 0; 731 u8 dst[ETH_ALEN]; 732 u8 src[ETH_ALEN]; 733 struct lib80211_crypt_data *crypt = NULL; 734 void *sta = NULL; 735 int keyidx = 0; 736 737 iface = netdev_priv(dev); 738 local = iface->local; 739 iface->stats.rx_packets++; 740 iface->stats.rx_bytes += skb->len; 741 742 /* dev is the master radio device; change this to be the default 743 * virtual interface (this may be changed to WDS device below) */ 744 dev = local->ddev; 745 iface = netdev_priv(dev); 746 747 hdr = (struct ieee80211_hdr *) skb->data; 748 749 if (skb->len < 10) 750 goto rx_dropped; 751 752 fc = le16_to_cpu(hdr->frame_control); 753 type = fc & IEEE80211_FCTL_FTYPE; 754 stype = fc & IEEE80211_FCTL_STYPE; 755 sc = le16_to_cpu(hdr->seq_ctrl); 756 frag = sc & IEEE80211_SCTL_FRAG; 757 hdrlen = hostap_80211_get_hdrlen(hdr->frame_control); 758 759 /* Put this code here so that we avoid duplicating it in all 760 * Rx paths. - Jean II */ 761#ifdef IW_WIRELESS_SPY /* defined in iw_handler.h */ 762 /* If spy monitoring on */ 763 if (iface->spy_data.spy_number > 0) { 764 struct iw_quality wstats; 765 wstats.level = rx_stats->signal; 766 wstats.noise = rx_stats->noise; 767 wstats.updated = IW_QUAL_LEVEL_UPDATED | IW_QUAL_NOISE_UPDATED 768 | IW_QUAL_QUAL_INVALID | IW_QUAL_DBM; 769 /* Update spy records */ 770 wireless_spy_update(dev, hdr->addr2, &wstats); 771 } 772#endif /* IW_WIRELESS_SPY */ 773 hostap_update_rx_stats(local->ap, hdr, rx_stats); 774 775 if (local->iw_mode == IW_MODE_MONITOR) { 776 monitor_rx(dev, skb, rx_stats); 777 return; 778 } 779 780 if (local->host_decrypt) { 781 int idx = 0; 782 if (skb->len >= hdrlen + 3) 783 idx = skb->data[hdrlen + 3] >> 6; 784 crypt = local->crypt_info.crypt[idx]; 785 sta = NULL; 786 787 /* Use station specific key to override default keys if the 788 * receiver address is a unicast address ("individual RA"). If 789 * bcrx_sta_key parameter is set, station specific key is used 790 * even with broad/multicast targets (this is against IEEE 791 * 802.11, but makes it easier to use different keys with 792 * stations that do not support WEP key mapping). */ 793 794 if (!(hdr->addr1[0] & 0x01) || local->bcrx_sta_key) 795 (void) hostap_handle_sta_crypto(local, hdr, &crypt, 796 &sta); 797 798 /* allow NULL decrypt to indicate an station specific override 799 * for default encryption */ 800 if (crypt && (crypt->ops == NULL || 801 crypt->ops->decrypt_mpdu == NULL)) 802 crypt = NULL; 803 804 if (!crypt && (fc & IEEE80211_FCTL_PROTECTED)) { 805#if 0 806 /* This seems to be triggered by some (multicast?) 807 * frames from other than current BSS, so just drop the 808 * frames silently instead of filling system log with 809 * these reports. */ 810 printk(KERN_DEBUG "%s: WEP decryption failed (not set)" 811 " (SA=%pM)\n", 812 local->dev->name, hdr->addr2); 813#endif 814 local->comm_tallies.rx_discards_wep_undecryptable++; 815 goto rx_dropped; 816 } 817 } 818 819 if (type != IEEE80211_FTYPE_DATA) { 820 if (type == IEEE80211_FTYPE_MGMT && 821 stype == IEEE80211_STYPE_AUTH && 822 fc & IEEE80211_FCTL_PROTECTED && local->host_decrypt && 823 (keyidx = hostap_rx_frame_decrypt(local, skb, crypt)) < 0) 824 { 825 printk(KERN_DEBUG "%s: failed to decrypt mgmt::auth " 826 "from %pM\n", dev->name, hdr->addr2); 827 /* TODO: could inform hostapd about this so that it 828 * could send auth failure report */ 829 goto rx_dropped; 830 } 831 832 if (hostap_rx_frame_mgmt(local, skb, rx_stats, type, stype)) 833 goto rx_dropped; 834 else 835 goto rx_exit; 836 } 837 838 /* Data frame - extract src/dst addresses */ 839 if (skb->len < IEEE80211_DATA_HDR3_LEN) 840 goto rx_dropped; 841 842 switch (fc & (IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS)) { 843 case IEEE80211_FCTL_FROMDS: 844 memcpy(dst, hdr->addr1, ETH_ALEN); 845 memcpy(src, hdr->addr3, ETH_ALEN); 846 break; 847 case IEEE80211_FCTL_TODS: 848 memcpy(dst, hdr->addr3, ETH_ALEN); 849 memcpy(src, hdr->addr2, ETH_ALEN); 850 break; 851 case IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS: 852 if (skb->len < IEEE80211_DATA_HDR4_LEN) 853 goto rx_dropped; 854 memcpy(dst, hdr->addr3, ETH_ALEN); 855 memcpy(src, hdr->addr4, ETH_ALEN); 856 break; 857 default: 858 memcpy(dst, hdr->addr1, ETH_ALEN); 859 memcpy(src, hdr->addr2, ETH_ALEN); 860 break; 861 } 862 863 if (hostap_rx_frame_wds(local, hdr, fc, &wds)) 864 goto rx_dropped; 865 if (wds) 866 skb->dev = dev = wds; 867 868 if (local->iw_mode == IW_MODE_MASTER && !wds && 869 (fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) == 870 IEEE80211_FCTL_FROMDS && 871 local->stadev && 872 memcmp(hdr->addr2, local->assoc_ap_addr, ETH_ALEN) == 0) { 873 /* Frame from BSSID of the AP for which we are a client */ 874 skb->dev = dev = local->stadev; 875 from_assoc_ap = 1; 876 } 877 878 if ((local->iw_mode == IW_MODE_MASTER || 879 local->iw_mode == IW_MODE_REPEAT) && 880 !from_assoc_ap) { 881 switch (hostap_handle_sta_rx(local, dev, skb, rx_stats, 882 wds != NULL)) { 883 case AP_RX_CONTINUE_NOT_AUTHORIZED: 884 frame_authorized = 0; 885 break; 886 case AP_RX_CONTINUE: 887 frame_authorized = 1; 888 break; 889 case AP_RX_DROP: 890 goto rx_dropped; 891 case AP_RX_EXIT: 892 goto rx_exit; 893 } 894 } 895 896 /* Nullfunc frames may have PS-bit set, so they must be passed to 897 * hostap_handle_sta_rx() before being dropped here. */ 898 if (stype != IEEE80211_STYPE_DATA && 899 stype != IEEE80211_STYPE_DATA_CFACK && 900 stype != IEEE80211_STYPE_DATA_CFPOLL && 901 stype != IEEE80211_STYPE_DATA_CFACKPOLL) { 902 if (stype != IEEE80211_STYPE_NULLFUNC) 903 printk(KERN_DEBUG "%s: RX: dropped data frame " 904 "with no data (type=0x%02x, subtype=0x%02x)\n", 905 dev->name, type >> 2, stype >> 4); 906 goto rx_dropped; 907 } 908 909 /* skb: hdr + (possibly fragmented, possibly encrypted) payload */ 910 911 if (local->host_decrypt && (fc & IEEE80211_FCTL_PROTECTED) && 912 (keyidx = hostap_rx_frame_decrypt(local, skb, crypt)) < 0) 913 goto rx_dropped; 914 hdr = (struct ieee80211_hdr *) skb->data; 915 916 /* skb: hdr + (possibly fragmented) plaintext payload */ 917 918 if (local->host_decrypt && (fc & IEEE80211_FCTL_PROTECTED) && 919 (frag != 0 || (fc & IEEE80211_FCTL_MOREFRAGS))) { 920 int flen; 921 struct sk_buff *frag_skb = 922 prism2_frag_cache_get(local, hdr); 923 if (!frag_skb) { 924 printk(KERN_DEBUG "%s: Rx cannot get skb from " 925 "fragment cache (morefrag=%d seq=%u frag=%u)\n", 926 dev->name, (fc & IEEE80211_FCTL_MOREFRAGS) != 0, 927 (sc & IEEE80211_SCTL_SEQ) >> 4, frag); 928 goto rx_dropped; 929 } 930 931 flen = skb->len; 932 if (frag != 0) 933 flen -= hdrlen; 934 935 if (frag_skb->tail + flen > frag_skb->end) { 936 printk(KERN_WARNING "%s: host decrypted and " 937 "reassembled frame did not fit skb\n", 938 dev->name); 939 prism2_frag_cache_invalidate(local, hdr); 940 goto rx_dropped; 941 } 942 943 if (frag == 0) { 944 /* copy first fragment (including full headers) into 945 * beginning of the fragment cache skb */ 946 skb_copy_from_linear_data(skb, skb_put(frag_skb, flen), 947 flen); 948 } else { 949 /* append frame payload to the end of the fragment 950 * cache skb */ 951 skb_copy_from_linear_data_offset(skb, hdrlen, 952 skb_put(frag_skb, 953 flen), flen); 954 } 955 dev_kfree_skb(skb); 956 skb = NULL; 957 958 if (fc & IEEE80211_FCTL_MOREFRAGS) { 959 /* more fragments expected - leave the skb in fragment 960 * cache for now; it will be delivered to upper layers 961 * after all fragments have been received */ 962 goto rx_exit; 963 } 964 965 /* this was the last fragment and the frame will be 966 * delivered, so remove skb from fragment cache */ 967 skb = frag_skb; 968 hdr = (struct ieee80211_hdr *) skb->data; 969 prism2_frag_cache_invalidate(local, hdr); 970 } 971 972 /* skb: hdr + (possible reassembled) full MSDU payload; possibly still 973 * encrypted/authenticated */ 974 975 if (local->host_decrypt && (fc & IEEE80211_FCTL_PROTECTED) && 976 hostap_rx_frame_decrypt_msdu(local, skb, keyidx, crypt)) 977 goto rx_dropped; 978 979 hdr = (struct ieee80211_hdr *) skb->data; 980 if (crypt && !(fc & IEEE80211_FCTL_PROTECTED) && !local->open_wep) { 981 if (local->ieee_802_1x && 982 hostap_is_eapol_frame(local, skb)) { 983 /* pass unencrypted EAPOL frames even if encryption is 984 * configured */ 985 PDEBUG(DEBUG_EXTRA2, "%s: RX: IEEE 802.1X - passing " 986 "unencrypted EAPOL frame\n", local->dev->name); 987 } else { 988 printk(KERN_DEBUG "%s: encryption configured, but RX " 989 "frame not encrypted (SA=%pM)\n", 990 local->dev->name, hdr->addr2); 991 goto rx_dropped; 992 } 993 } 994 995 if (local->drop_unencrypted && !(fc & IEEE80211_FCTL_PROTECTED) && 996 !hostap_is_eapol_frame(local, skb)) { 997 if (net_ratelimit()) { 998 printk(KERN_DEBUG "%s: dropped unencrypted RX data " 999 "frame from %pM (drop_unencrypted=1)\n", 1000 dev->name, hdr->addr2); 1001 } 1002 goto rx_dropped; 1003 } 1004 1005 /* skb: hdr + (possible reassembled) full plaintext payload */ 1006 1007 payload = skb->data + hdrlen; 1008 ethertype = (payload[6] << 8) | payload[7]; 1009 1010 /* If IEEE 802.1X is used, check whether the port is authorized to send 1011 * the received frame. */ 1012 if (local->ieee_802_1x && local->iw_mode == IW_MODE_MASTER) { 1013 if (ethertype == ETH_P_PAE) { 1014 PDEBUG(DEBUG_EXTRA2, "%s: RX: IEEE 802.1X frame\n", 1015 dev->name); 1016 if (local->hostapd && local->apdev) { 1017 /* Send IEEE 802.1X frames to the user 1018 * space daemon for processing */ 1019 prism2_rx_80211(local->apdev, skb, rx_stats, 1020 PRISM2_RX_MGMT); 1021 local->apdevstats.rx_packets++; 1022 local->apdevstats.rx_bytes += skb->len; 1023 goto rx_exit; 1024 } 1025 } else if (!frame_authorized) { 1026 printk(KERN_DEBUG "%s: dropped frame from " 1027 "unauthorized port (IEEE 802.1X): " 1028 "ethertype=0x%04x\n", 1029 dev->name, ethertype); 1030 goto rx_dropped; 1031 } 1032 } 1033 1034 /* convert hdr + possible LLC headers into Ethernet header */ 1035 if (skb->len - hdrlen >= 8 && 1036 ((memcmp(payload, rfc1042_header, 6) == 0 && 1037 ethertype != ETH_P_AARP && ethertype != ETH_P_IPX) || 1038 memcmp(payload, bridge_tunnel_header, 6) == 0)) { 1039 /* remove RFC1042 or Bridge-Tunnel encapsulation and 1040 * replace EtherType */ 1041 skb_pull(skb, hdrlen + 6); 1042 memcpy(skb_push(skb, ETH_ALEN), src, ETH_ALEN); 1043 memcpy(skb_push(skb, ETH_ALEN), dst, ETH_ALEN); 1044 } else { 1045 __be16 len; 1046 /* Leave Ethernet header part of hdr and full payload */ 1047 skb_pull(skb, hdrlen); 1048 len = htons(skb->len); 1049 memcpy(skb_push(skb, 2), &len, 2); 1050 memcpy(skb_push(skb, ETH_ALEN), src, ETH_ALEN); 1051 memcpy(skb_push(skb, ETH_ALEN), dst, ETH_ALEN); 1052 } 1053 1054 if (wds && ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) == 1055 IEEE80211_FCTL_TODS) && 1056 skb->len >= ETH_HLEN + ETH_ALEN) { 1057 /* Non-standard frame: get addr4 from its bogus location after 1058 * the payload */ 1059 skb_copy_from_linear_data_offset(skb, skb->len - ETH_ALEN, 1060 skb->data + ETH_ALEN, 1061 ETH_ALEN); 1062 skb_trim(skb, skb->len - ETH_ALEN); 1063 } 1064 1065 dev->stats.rx_packets++; 1066 dev->stats.rx_bytes += skb->len; 1067 1068 if (local->iw_mode == IW_MODE_MASTER && !wds && 1069 local->ap->bridge_packets) { 1070 if (dst[0] & 0x01) { 1071 /* copy multicast frame both to the higher layers and 1072 * to the wireless media */ 1073 local->ap->bridged_multicast++; 1074 skb2 = skb_clone(skb, GFP_ATOMIC); 1075 if (skb2 == NULL) 1076 printk(KERN_DEBUG "%s: skb_clone failed for " 1077 "multicast frame\n", dev->name); 1078 } else if (hostap_is_sta_authorized(local->ap, dst)) { 1079 /* send frame directly to the associated STA using 1080 * wireless media and not passing to higher layers */ 1081 local->ap->bridged_unicast++; 1082 skb2 = skb; 1083 skb = NULL; 1084 } 1085 } 1086 1087 if (skb2 != NULL) { 1088 /* send to wireless media */ 1089 skb2->dev = dev; 1090 skb2->protocol = cpu_to_be16(ETH_P_802_3); 1091 skb_reset_mac_header(skb2); 1092 skb_reset_network_header(skb2); 1093 /* skb2->network_header += ETH_HLEN; */ 1094 dev_queue_xmit(skb2); 1095 } 1096 1097 if (skb) { 1098 skb->protocol = eth_type_trans(skb, dev); 1099 memset(skb->cb, 0, sizeof(skb->cb)); 1100 netif_rx(skb); 1101 } 1102 1103 rx_exit: 1104 if (sta) 1105 hostap_handle_sta_release(sta); 1106 return; 1107 1108 rx_dropped: 1109 dev_kfree_skb(skb); 1110 1111 dev->stats.rx_dropped++; 1112 goto rx_exit; 1113} 1114 1115 1116EXPORT_SYMBOL(hostap_80211_rx);