1 #include <linux/etherdevice.h> 2 #include <linux/slab.h> 3 #include <linux/export.h> 4 #include <net/lib80211.h> 5 #include <linux/if_arp.h> 6 7 #include "hostap_80211.h" 8 #include "hostap.h" 9 #include "hostap_ap.h" 10 11 /* See IEEE 802.1H for LLC/SNAP encapsulation/decapsulation */ 12 /* Ethernet-II snap header (RFC1042 for most EtherTypes) */ 13 static unsigned char rfc1042_header[] = 14 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 15 /* Bridge-Tunnel header (for EtherTypes ETH_P_AARP and ETH_P_IPX) */ 16 static unsigned char bridge_tunnel_header[] = 17 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0xf8 }; 18 /* No encapsulation header if EtherType < 0x600 (=length) */ 19 20 void hostap_dump_rx_80211(const char *name, struct sk_buff *skb, 21 struct hostap_80211_rx_status *rx_stats) 22 { 23 struct ieee80211_hdr *hdr; 24 u16 fc; 25 26 hdr = (struct ieee80211_hdr *) skb->data; 27 28 printk(KERN_DEBUG "%s: RX signal=%d noise=%d rate=%d len=%d " 29 "jiffies=%ld\n", 30 name, rx_stats->signal, rx_stats->noise, rx_stats->rate, 31 skb->len, jiffies); 32 33 if (skb->len < 2) 34 return; 35 36 fc = le16_to_cpu(hdr->frame_control); 37 printk(KERN_DEBUG " FC=0x%04x (type=%d:%d)%s%s", 38 fc, (fc & IEEE80211_FCTL_FTYPE) >> 2, 39 (fc & IEEE80211_FCTL_STYPE) >> 4, 40 fc & IEEE80211_FCTL_TODS ? " [ToDS]" : "", 41 fc & IEEE80211_FCTL_FROMDS ? " [FromDS]" : ""); 42 43 if (skb->len < IEEE80211_DATA_HDR3_LEN) { 44 printk("\n"); 45 return; 46 } 47 48 printk(" dur=0x%04x seq=0x%04x\n", le16_to_cpu(hdr->duration_id), 49 le16_to_cpu(hdr->seq_ctrl)); 50 51 printk(KERN_DEBUG " A1=%pM", hdr->addr1); 52 printk(" A2=%pM", hdr->addr2); 53 printk(" A3=%pM", hdr->addr3); 54 if (skb->len >= 30) 55 printk(" A4=%pM", hdr->addr4); 56 printk("\n"); 57 } 58 59 60 /* Send RX frame to netif with 802.11 (and possible prism) header. 61 * Called from hardware or software IRQ context. */ 62 int prism2_rx_80211(struct net_device *dev, struct sk_buff *skb, 63 struct hostap_80211_rx_status *rx_stats, int type) 64 { 65 struct hostap_interface *iface; 66 local_info_t *local; 67 int hdrlen, phdrlen, head_need, tail_need; 68 u16 fc; 69 int prism_header, ret; 70 struct ieee80211_hdr *fhdr; 71 72 iface = netdev_priv(dev); 73 local = iface->local; 74 75 if (dev->type == ARPHRD_IEEE80211_PRISM) { 76 if (local->monitor_type == PRISM2_MONITOR_PRISM) { 77 prism_header = 1; 78 phdrlen = sizeof(struct linux_wlan_ng_prism_hdr); 79 } else { /* local->monitor_type == PRISM2_MONITOR_CAPHDR */ 80 prism_header = 2; 81 phdrlen = sizeof(struct linux_wlan_ng_cap_hdr); 82 } 83 } else if (dev->type == ARPHRD_IEEE80211_RADIOTAP) { 84 prism_header = 3; 85 phdrlen = sizeof(struct hostap_radiotap_rx); 86 } else { 87 prism_header = 0; 88 phdrlen = 0; 89 } 90 91 fhdr = (struct ieee80211_hdr *) skb->data; 92 fc = le16_to_cpu(fhdr->frame_control); 93 94 if (type == PRISM2_RX_MGMT && (fc & IEEE80211_FCTL_VERS)) { 95 printk(KERN_DEBUG "%s: dropped management frame with header " 96 "version %d\n", dev->name, fc & IEEE80211_FCTL_VERS); 97 dev_kfree_skb_any(skb); 98 return 0; 99 } 100 101 hdrlen = hostap_80211_get_hdrlen(fhdr->frame_control); 102 103 /* check if there is enough room for extra data; if not, expand skb 104 * buffer to be large enough for the changes */ 105 head_need = phdrlen; 106 tail_need = 0; 107 #ifdef PRISM2_ADD_BOGUS_CRC 108 tail_need += 4; 109 #endif /* PRISM2_ADD_BOGUS_CRC */ 110 111 head_need -= skb_headroom(skb); 112 tail_need -= skb_tailroom(skb); 113 114 if (head_need > 0 || tail_need > 0) { 115 if (pskb_expand_head(skb, head_need > 0 ? head_need : 0, 116 tail_need > 0 ? tail_need : 0, 117 GFP_ATOMIC)) { 118 printk(KERN_DEBUG "%s: prism2_rx_80211 failed to " 119 "reallocate skb buffer\n", dev->name); 120 dev_kfree_skb_any(skb); 121 return 0; 122 } 123 } 124 125 /* We now have an skb with enough head and tail room, so just insert 126 * the extra data */ 127 128 #ifdef PRISM2_ADD_BOGUS_CRC 129 memset(skb_put(skb, 4), 0xff, 4); /* Prism2 strips CRC */ 130 #endif /* PRISM2_ADD_BOGUS_CRC */ 131 132 if (prism_header == 1) { 133 struct linux_wlan_ng_prism_hdr *hdr; 134 hdr = skb_push(skb, phdrlen); 135 memset(hdr, 0, phdrlen); 136 hdr->msgcode = LWNG_CAP_DID_BASE; 137 hdr->msglen = sizeof(*hdr); 138 memcpy(hdr->devname, dev->name, sizeof(hdr->devname)); 139 #define LWNG_SETVAL(f,i,s,l,d) \ 140 hdr->f.did = LWNG_CAP_DID_BASE | (i << 12); \ 141 hdr->f.status = s; hdr->f.len = l; hdr->f.data = d 142 LWNG_SETVAL(hosttime, 1, 0, 4, jiffies); 143 LWNG_SETVAL(mactime, 2, 0, 4, rx_stats->mac_time); 144 LWNG_SETVAL(channel, 3, 1 /* no value */, 4, 0); 145 LWNG_SETVAL(rssi, 4, 1 /* no value */, 4, 0); 146 LWNG_SETVAL(sq, 5, 1 /* no value */, 4, 0); 147 LWNG_SETVAL(signal, 6, 0, 4, rx_stats->signal); 148 LWNG_SETVAL(noise, 7, 0, 4, rx_stats->noise); 149 LWNG_SETVAL(rate, 8, 0, 4, rx_stats->rate / 5); 150 LWNG_SETVAL(istx, 9, 0, 4, 0); 151 LWNG_SETVAL(frmlen, 10, 0, 4, skb->len - phdrlen); 152 #undef LWNG_SETVAL 153 } else if (prism_header == 2) { 154 struct linux_wlan_ng_cap_hdr *hdr; 155 hdr = skb_push(skb, phdrlen); 156 memset(hdr, 0, phdrlen); 157 hdr->version = htonl(LWNG_CAPHDR_VERSION); 158 hdr->length = htonl(phdrlen); 159 hdr->mactime = __cpu_to_be64(rx_stats->mac_time); 160 hdr->hosttime = __cpu_to_be64(jiffies); 161 hdr->phytype = htonl(4); /* dss_dot11_b */ 162 hdr->channel = htonl(local->channel); 163 hdr->datarate = htonl(rx_stats->rate); 164 hdr->antenna = htonl(0); /* unknown */ 165 hdr->priority = htonl(0); /* unknown */ 166 hdr->ssi_type = htonl(3); /* raw */ 167 hdr->ssi_signal = htonl(rx_stats->signal); 168 hdr->ssi_noise = htonl(rx_stats->noise); 169 hdr->preamble = htonl(0); /* unknown */ 170 hdr->encoding = htonl(1); /* cck */ 171 } else if (prism_header == 3) { 172 struct hostap_radiotap_rx *hdr; 173 hdr = skb_push(skb, phdrlen); 174 memset(hdr, 0, phdrlen); 175 hdr->hdr.it_len = cpu_to_le16(phdrlen); 176 hdr->hdr.it_present = 177 cpu_to_le32((1 << IEEE80211_RADIOTAP_TSFT) | 178 (1 << IEEE80211_RADIOTAP_CHANNEL) | 179 (1 << IEEE80211_RADIOTAP_RATE) | 180 (1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL) | 181 (1 << IEEE80211_RADIOTAP_DBM_ANTNOISE)); 182 hdr->tsft = cpu_to_le64(rx_stats->mac_time); 183 hdr->chan_freq = cpu_to_le16(freq_list[local->channel - 1]); 184 hdr->chan_flags = cpu_to_le16(IEEE80211_CHAN_CCK | 185 IEEE80211_CHAN_2GHZ); 186 hdr->rate = rx_stats->rate / 5; 187 hdr->dbm_antsignal = rx_stats->signal; 188 hdr->dbm_antnoise = rx_stats->noise; 189 } 190 191 ret = skb->len - phdrlen; 192 skb->dev = dev; 193 skb_reset_mac_header(skb); 194 skb_pull(skb, hdrlen); 195 if (prism_header) 196 skb_pull(skb, phdrlen); 197 skb->pkt_type = PACKET_OTHERHOST; 198 skb->protocol = cpu_to_be16(ETH_P_802_2); 199 memset(skb->cb, 0, sizeof(skb->cb)); 200 netif_rx(skb); 201 202 return ret; 203 } 204 205 206 /* Called only as a tasklet (software IRQ) */ 207 static void monitor_rx(struct net_device *dev, struct sk_buff *skb, 208 struct hostap_80211_rx_status *rx_stats) 209 { 210 int len; 211 212 len = prism2_rx_80211(dev, skb, rx_stats, PRISM2_RX_MONITOR); 213 dev->stats.rx_packets++; 214 dev->stats.rx_bytes += len; 215 } 216 217 218 /* Called only as a tasklet (software IRQ) */ 219 static struct prism2_frag_entry * 220 prism2_frag_cache_find(local_info_t *local, unsigned int seq, 221 unsigned int frag, u8 *src, u8 *dst) 222 { 223 struct prism2_frag_entry *entry; 224 int i; 225 226 for (i = 0; i < PRISM2_FRAG_CACHE_LEN; i++) { 227 entry = &local->frag_cache[i]; 228 if (entry->skb != NULL && 229 time_after(jiffies, entry->first_frag_time + 2 * HZ)) { 230 printk(KERN_DEBUG "%s: expiring fragment cache entry " 231 "seq=%u last_frag=%u\n", 232 local->dev->name, entry->seq, entry->last_frag); 233 dev_kfree_skb(entry->skb); 234 entry->skb = NULL; 235 } 236 237 if (entry->skb != NULL && entry->seq == seq && 238 (entry->last_frag + 1 == frag || frag == -1) && 239 memcmp(entry->src_addr, src, ETH_ALEN) == 0 && 240 memcmp(entry->dst_addr, dst, ETH_ALEN) == 0) 241 return entry; 242 } 243 244 return NULL; 245 } 246 247 248 /* Called only as a tasklet (software IRQ) */ 249 static struct sk_buff * 250 prism2_frag_cache_get(local_info_t *local, struct ieee80211_hdr *hdr) 251 { 252 struct sk_buff *skb = NULL; 253 u16 sc; 254 unsigned int frag, seq; 255 struct prism2_frag_entry *entry; 256 257 sc = le16_to_cpu(hdr->seq_ctrl); 258 frag = sc & IEEE80211_SCTL_FRAG; 259 seq = (sc & IEEE80211_SCTL_SEQ) >> 4; 260 261 if (frag == 0) { 262 /* Reserve enough space to fit maximum frame length */ 263 skb = dev_alloc_skb(local->dev->mtu + 264 sizeof(struct ieee80211_hdr) + 265 8 /* LLC */ + 266 2 /* alignment */ + 267 8 /* WEP */ + ETH_ALEN /* WDS */); 268 if (skb == NULL) 269 return NULL; 270 271 entry = &local->frag_cache[local->frag_next_idx]; 272 local->frag_next_idx++; 273 if (local->frag_next_idx >= PRISM2_FRAG_CACHE_LEN) 274 local->frag_next_idx = 0; 275 276 if (entry->skb != NULL) 277 dev_kfree_skb(entry->skb); 278 279 entry->first_frag_time = jiffies; 280 entry->seq = seq; 281 entry->last_frag = frag; 282 entry->skb = skb; 283 memcpy(entry->src_addr, hdr->addr2, ETH_ALEN); 284 memcpy(entry->dst_addr, hdr->addr1, ETH_ALEN); 285 } else { 286 /* received a fragment of a frame for which the head fragment 287 * should have already been received */ 288 entry = prism2_frag_cache_find(local, seq, frag, hdr->addr2, 289 hdr->addr1); 290 if (entry != NULL) { 291 entry->last_frag = frag; 292 skb = entry->skb; 293 } 294 } 295 296 return skb; 297 } 298 299 300 /* Called only as a tasklet (software IRQ) */ 301 static int prism2_frag_cache_invalidate(local_info_t *local, 302 struct ieee80211_hdr *hdr) 303 { 304 u16 sc; 305 unsigned int seq; 306 struct prism2_frag_entry *entry; 307 308 sc = le16_to_cpu(hdr->seq_ctrl); 309 seq = (sc & IEEE80211_SCTL_SEQ) >> 4; 310 311 entry = prism2_frag_cache_find(local, seq, -1, hdr->addr2, hdr->addr1); 312 313 if (entry == NULL) { 314 printk(KERN_DEBUG "%s: could not invalidate fragment cache " 315 "entry (seq=%u)\n", 316 local->dev->name, seq); 317 return -1; 318 } 319 320 entry->skb = NULL; 321 return 0; 322 } 323 324 325 static struct hostap_bss_info *__hostap_get_bss(local_info_t *local, u8 *bssid, 326 u8 *ssid, size_t ssid_len) 327 { 328 struct list_head *ptr; 329 struct hostap_bss_info *bss; 330 331 list_for_each(ptr, &local->bss_list) { 332 bss = list_entry(ptr, struct hostap_bss_info, list); 333 if (memcmp(bss->bssid, bssid, ETH_ALEN) == 0 && 334 (ssid == NULL || 335 (ssid_len == bss->ssid_len && 336 memcmp(ssid, bss->ssid, ssid_len) == 0))) { 337 list_move(&bss->list, &local->bss_list); 338 return bss; 339 } 340 } 341 342 return NULL; 343 } 344 345 346 static struct hostap_bss_info *__hostap_add_bss(local_info_t *local, u8 *bssid, 347 u8 *ssid, size_t ssid_len) 348 { 349 struct hostap_bss_info *bss; 350 351 if (local->num_bss_info >= HOSTAP_MAX_BSS_COUNT) { 352 bss = list_entry(local->bss_list.prev, 353 struct hostap_bss_info, list); 354 list_del(&bss->list); 355 local->num_bss_info--; 356 } else { 357 bss = kmalloc(sizeof(*bss), GFP_ATOMIC); 358 if (bss == NULL) 359 return NULL; 360 } 361 362 memset(bss, 0, sizeof(*bss)); 363 memcpy(bss->bssid, bssid, ETH_ALEN); 364 memcpy(bss->ssid, ssid, ssid_len); 365 bss->ssid_len = ssid_len; 366 local->num_bss_info++; 367 list_add(&bss->list, &local->bss_list); 368 return bss; 369 } 370 371 372 static void __hostap_expire_bss(local_info_t *local) 373 { 374 struct hostap_bss_info *bss; 375 376 while (local->num_bss_info > 0) { 377 bss = list_entry(local->bss_list.prev, 378 struct hostap_bss_info, list); 379 if (!time_after(jiffies, bss->last_update + 60 * HZ)) 380 break; 381 382 list_del(&bss->list); 383 local->num_bss_info--; 384 kfree(bss); 385 } 386 } 387 388 389 /* Both IEEE 802.11 Beacon and Probe Response frames have similar structure, so 390 * the same routine can be used to parse both of them. */ 391 static void hostap_rx_sta_beacon(local_info_t *local, struct sk_buff *skb, 392 int stype) 393 { 394 struct hostap_ieee80211_mgmt *mgmt; 395 int left, chan = 0; 396 u8 *pos; 397 u8 *ssid = NULL, *wpa = NULL, *rsn = NULL; 398 size_t ssid_len = 0, wpa_len = 0, rsn_len = 0; 399 struct hostap_bss_info *bss; 400 401 if (skb->len < IEEE80211_MGMT_HDR_LEN + sizeof(mgmt->u.beacon)) 402 return; 403 404 mgmt = (struct hostap_ieee80211_mgmt *) skb->data; 405 pos = mgmt->u.beacon.variable; 406 left = skb->len - (pos - skb->data); 407 408 while (left >= 2) { 409 if (2 + pos[1] > left) 410 return; /* parse failed */ 411 switch (*pos) { 412 case WLAN_EID_SSID: 413 ssid = pos + 2; 414 ssid_len = pos[1]; 415 break; 416 case WLAN_EID_VENDOR_SPECIFIC: 417 if (pos[1] >= 4 && 418 pos[2] == 0x00 && pos[3] == 0x50 && 419 pos[4] == 0xf2 && pos[5] == 1) { 420 wpa = pos; 421 wpa_len = pos[1] + 2; 422 } 423 break; 424 case WLAN_EID_RSN: 425 rsn = pos; 426 rsn_len = pos[1] + 2; 427 break; 428 case WLAN_EID_DS_PARAMS: 429 if (pos[1] >= 1) 430 chan = pos[2]; 431 break; 432 } 433 left -= 2 + pos[1]; 434 pos += 2 + pos[1]; 435 } 436 437 if (wpa_len > MAX_WPA_IE_LEN) 438 wpa_len = MAX_WPA_IE_LEN; 439 if (rsn_len > MAX_WPA_IE_LEN) 440 rsn_len = MAX_WPA_IE_LEN; 441 if (ssid_len > sizeof(bss->ssid)) 442 ssid_len = sizeof(bss->ssid); 443 444 spin_lock(&local->lock); 445 bss = __hostap_get_bss(local, mgmt->bssid, ssid, ssid_len); 446 if (bss == NULL) 447 bss = __hostap_add_bss(local, mgmt->bssid, ssid, ssid_len); 448 if (bss) { 449 bss->last_update = jiffies; 450 bss->count++; 451 bss->capab_info = le16_to_cpu(mgmt->u.beacon.capab_info); 452 if (wpa) { 453 memcpy(bss->wpa_ie, wpa, wpa_len); 454 bss->wpa_ie_len = wpa_len; 455 } else 456 bss->wpa_ie_len = 0; 457 if (rsn) { 458 memcpy(bss->rsn_ie, rsn, rsn_len); 459 bss->rsn_ie_len = rsn_len; 460 } else 461 bss->rsn_ie_len = 0; 462 bss->chan = chan; 463 } 464 __hostap_expire_bss(local); 465 spin_unlock(&local->lock); 466 } 467 468 469 static int 470 hostap_rx_frame_mgmt(local_info_t *local, struct sk_buff *skb, 471 struct hostap_80211_rx_status *rx_stats, u16 type, 472 u16 stype) 473 { 474 if (local->iw_mode == IW_MODE_MASTER) 475 hostap_update_sta_ps(local, (struct ieee80211_hdr *) skb->data); 476 477 if (local->hostapd && type == IEEE80211_FTYPE_MGMT) { 478 if (stype == IEEE80211_STYPE_BEACON && 479 local->iw_mode == IW_MODE_MASTER) { 480 struct sk_buff *skb2; 481 /* Process beacon frames also in kernel driver to 482 * update STA(AP) table statistics */ 483 skb2 = skb_clone(skb, GFP_ATOMIC); 484 if (skb2) 485 hostap_rx(skb2->dev, skb2, rx_stats); 486 } 487 488 /* send management frames to the user space daemon for 489 * processing */ 490 local->apdevstats.rx_packets++; 491 local->apdevstats.rx_bytes += skb->len; 492 if (local->apdev == NULL) 493 return -1; 494 prism2_rx_80211(local->apdev, skb, rx_stats, PRISM2_RX_MGMT); 495 return 0; 496 } 497 498 if (local->iw_mode == IW_MODE_MASTER) { 499 if (type != IEEE80211_FTYPE_MGMT && 500 type != IEEE80211_FTYPE_CTL) { 501 printk(KERN_DEBUG "%s: unknown management frame " 502 "(type=0x%02x, stype=0x%02x) dropped\n", 503 skb->dev->name, type >> 2, stype >> 4); 504 return -1; 505 } 506 507 hostap_rx(skb->dev, skb, rx_stats); 508 return 0; 509 } else if (type == IEEE80211_FTYPE_MGMT && 510 (stype == IEEE80211_STYPE_BEACON || 511 stype == IEEE80211_STYPE_PROBE_RESP)) { 512 hostap_rx_sta_beacon(local, skb, stype); 513 return -1; 514 } else if (type == IEEE80211_FTYPE_MGMT && 515 (stype == IEEE80211_STYPE_ASSOC_RESP || 516 stype == IEEE80211_STYPE_REASSOC_RESP)) { 517 /* Ignore (Re)AssocResp silently since these are not currently 518 * needed but are still received when WPA/RSN mode is enabled. 519 */ 520 return -1; 521 } else { 522 printk(KERN_DEBUG "%s: hostap_rx_frame_mgmt: dropped unhandled" 523 " management frame in non-Host AP mode (type=%d:%d)\n", 524 skb->dev->name, type >> 2, stype >> 4); 525 return -1; 526 } 527 } 528 529 530 /* Called only as a tasklet (software IRQ) */ 531 static struct net_device *prism2_rx_get_wds(local_info_t *local, 532 u8 *addr) 533 { 534 struct hostap_interface *iface = NULL; 535 struct list_head *ptr; 536 537 read_lock_bh(&local->iface_lock); 538 list_for_each(ptr, &local->hostap_interfaces) { 539 iface = list_entry(ptr, struct hostap_interface, list); 540 if (iface->type == HOSTAP_INTERFACE_WDS && 541 memcmp(iface->u.wds.remote_addr, addr, ETH_ALEN) == 0) 542 break; 543 iface = NULL; 544 } 545 read_unlock_bh(&local->iface_lock); 546 547 return iface ? iface->dev : NULL; 548 } 549 550 551 static int 552 hostap_rx_frame_wds(local_info_t *local, struct ieee80211_hdr *hdr, u16 fc, 553 struct net_device **wds) 554 { 555 /* FIX: is this really supposed to accept WDS frames only in Master 556 * mode? What about Repeater or Managed with WDS frames? */ 557 if ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) != 558 (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS) && 559 (local->iw_mode != IW_MODE_MASTER || !(fc & IEEE80211_FCTL_TODS))) 560 return 0; /* not a WDS frame */ 561 562 /* Possible WDS frame: either IEEE 802.11 compliant (if FromDS) 563 * or own non-standard frame with 4th address after payload */ 564 if (!ether_addr_equal(hdr->addr1, local->dev->dev_addr) && 565 (hdr->addr1[0] != 0xff || hdr->addr1[1] != 0xff || 566 hdr->addr1[2] != 0xff || hdr->addr1[3] != 0xff || 567 hdr->addr1[4] != 0xff || hdr->addr1[5] != 0xff)) { 568 /* RA (or BSSID) is not ours - drop */ 569 PDEBUG(DEBUG_EXTRA2, "%s: received WDS frame with " 570 "not own or broadcast %s=%pM\n", 571 local->dev->name, 572 fc & IEEE80211_FCTL_FROMDS ? "RA" : "BSSID", 573 hdr->addr1); 574 return -1; 575 } 576 577 /* check if the frame came from a registered WDS connection */ 578 *wds = prism2_rx_get_wds(local, hdr->addr2); 579 if (*wds == NULL && fc & IEEE80211_FCTL_FROMDS && 580 (local->iw_mode != IW_MODE_INFRA || 581 !(local->wds_type & HOSTAP_WDS_AP_CLIENT) || 582 memcmp(hdr->addr2, local->bssid, ETH_ALEN) != 0)) { 583 /* require that WDS link has been registered with TA or the 584 * frame is from current AP when using 'AP client mode' */ 585 PDEBUG(DEBUG_EXTRA, "%s: received WDS[4 addr] frame " 586 "from unknown TA=%pM\n", 587 local->dev->name, hdr->addr2); 588 if (local->ap && local->ap->autom_ap_wds) 589 hostap_wds_link_oper(local, hdr->addr2, WDS_ADD); 590 return -1; 591 } 592 593 if (*wds && !(fc & IEEE80211_FCTL_FROMDS) && local->ap && 594 hostap_is_sta_assoc(local->ap, hdr->addr2)) { 595 /* STA is actually associated with us even though it has a 596 * registered WDS link. Assume it is in 'AP client' mode. 597 * Since this is a 3-addr frame, assume it is not (bogus) WDS 598 * frame and process it like any normal ToDS frame from 599 * associated STA. */ 600 *wds = NULL; 601 } 602 603 return 0; 604 } 605 606 607 static int hostap_is_eapol_frame(local_info_t *local, struct sk_buff *skb) 608 { 609 struct net_device *dev = local->dev; 610 u16 fc, ethertype; 611 struct ieee80211_hdr *hdr; 612 u8 *pos; 613 614 if (skb->len < 24) 615 return 0; 616 617 hdr = (struct ieee80211_hdr *) skb->data; 618 fc = le16_to_cpu(hdr->frame_control); 619 620 /* check that the frame is unicast frame to us */ 621 if ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) == 622 IEEE80211_FCTL_TODS && 623 ether_addr_equal(hdr->addr1, dev->dev_addr) && 624 ether_addr_equal(hdr->addr3, dev->dev_addr)) { 625 /* ToDS frame with own addr BSSID and DA */ 626 } else if ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) == 627 IEEE80211_FCTL_FROMDS && 628 ether_addr_equal(hdr->addr1, dev->dev_addr)) { 629 /* FromDS frame with own addr as DA */ 630 } else 631 return 0; 632 633 if (skb->len < 24 + 8) 634 return 0; 635 636 /* check for port access entity Ethernet type */ 637 pos = skb->data + 24; 638 ethertype = (pos[6] << 8) | pos[7]; 639 if (ethertype == ETH_P_PAE) 640 return 1; 641 642 return 0; 643 } 644 645 646 /* Called only as a tasklet (software IRQ) */ 647 static int 648 hostap_rx_frame_decrypt(local_info_t *local, struct sk_buff *skb, 649 struct lib80211_crypt_data *crypt) 650 { 651 struct ieee80211_hdr *hdr; 652 int res, hdrlen; 653 654 if (crypt == NULL || crypt->ops->decrypt_mpdu == NULL) 655 return 0; 656 657 hdr = (struct ieee80211_hdr *) skb->data; 658 hdrlen = hostap_80211_get_hdrlen(hdr->frame_control); 659 660 if (local->tkip_countermeasures && 661 strcmp(crypt->ops->name, "TKIP") == 0) { 662 if (net_ratelimit()) { 663 printk(KERN_DEBUG "%s: TKIP countermeasures: dropped " 664 "received packet from %pM\n", 665 local->dev->name, hdr->addr2); 666 } 667 return -1; 668 } 669 670 atomic_inc(&crypt->refcnt); 671 res = crypt->ops->decrypt_mpdu(skb, hdrlen, crypt->priv); 672 atomic_dec(&crypt->refcnt); 673 if (res < 0) { 674 printk(KERN_DEBUG "%s: decryption failed (SA=%pM) res=%d\n", 675 local->dev->name, hdr->addr2, res); 676 local->comm_tallies.rx_discards_wep_undecryptable++; 677 return -1; 678 } 679 680 return res; 681 } 682 683 684 /* Called only as a tasklet (software IRQ) */ 685 static int 686 hostap_rx_frame_decrypt_msdu(local_info_t *local, struct sk_buff *skb, 687 int keyidx, struct lib80211_crypt_data *crypt) 688 { 689 struct ieee80211_hdr *hdr; 690 int res, hdrlen; 691 692 if (crypt == NULL || crypt->ops->decrypt_msdu == NULL) 693 return 0; 694 695 hdr = (struct ieee80211_hdr *) skb->data; 696 hdrlen = hostap_80211_get_hdrlen(hdr->frame_control); 697 698 atomic_inc(&crypt->refcnt); 699 res = crypt->ops->decrypt_msdu(skb, keyidx, hdrlen, crypt->priv); 700 atomic_dec(&crypt->refcnt); 701 if (res < 0) { 702 printk(KERN_DEBUG "%s: MSDU decryption/MIC verification failed" 703 " (SA=%pM keyidx=%d)\n", 704 local->dev->name, hdr->addr2, keyidx); 705 return -1; 706 } 707 708 return 0; 709 } 710 711 712 /* All received frames are sent to this function. @skb contains the frame in 713 * IEEE 802.11 format, i.e., in the format it was sent over air. 714 * This function is called only as a tasklet (software IRQ). */ 715 void hostap_80211_rx(struct net_device *dev, struct sk_buff *skb, 716 struct hostap_80211_rx_status *rx_stats) 717 { 718 struct hostap_interface *iface; 719 local_info_t *local; 720 struct ieee80211_hdr *hdr; 721 size_t hdrlen; 722 u16 fc, type, stype, sc; 723 struct net_device *wds = NULL; 724 unsigned int frag; 725 u8 *payload; 726 struct sk_buff *skb2 = NULL; 727 u16 ethertype; 728 int frame_authorized = 0; 729 int from_assoc_ap = 0; 730 u8 dst[ETH_ALEN]; 731 u8 src[ETH_ALEN]; 732 struct lib80211_crypt_data *crypt = NULL; 733 void *sta = NULL; 734 int keyidx = 0; 735 736 iface = netdev_priv(dev); 737 local = iface->local; 738 iface->stats.rx_packets++; 739 iface->stats.rx_bytes += skb->len; 740 741 /* dev is the master radio device; change this to be the default 742 * virtual interface (this may be changed to WDS device below) */ 743 dev = local->ddev; 744 iface = netdev_priv(dev); 745 746 hdr = (struct ieee80211_hdr *) skb->data; 747 748 if (skb->len < 10) 749 goto rx_dropped; 750 751 fc = le16_to_cpu(hdr->frame_control); 752 type = fc & IEEE80211_FCTL_FTYPE; 753 stype = fc & IEEE80211_FCTL_STYPE; 754 sc = le16_to_cpu(hdr->seq_ctrl); 755 frag = sc & IEEE80211_SCTL_FRAG; 756 hdrlen = hostap_80211_get_hdrlen(hdr->frame_control); 757 758 /* Put this code here so that we avoid duplicating it in all 759 * Rx paths. - Jean II */ 760 #ifdef IW_WIRELESS_SPY /* defined in iw_handler.h */ 761 /* If spy monitoring on */ 762 if (iface->spy_data.spy_number > 0) { 763 struct iw_quality wstats; 764 wstats.level = rx_stats->signal; 765 wstats.noise = rx_stats->noise; 766 wstats.updated = IW_QUAL_LEVEL_UPDATED | IW_QUAL_NOISE_UPDATED 767 | IW_QUAL_QUAL_INVALID | IW_QUAL_DBM; 768 /* Update spy records */ 769 wireless_spy_update(dev, hdr->addr2, &wstats); 770 } 771 #endif /* IW_WIRELESS_SPY */ 772 hostap_update_rx_stats(local->ap, hdr, rx_stats); 773 774 if (local->iw_mode == IW_MODE_MONITOR) { 775 monitor_rx(dev, skb, rx_stats); 776 return; 777 } 778 779 if (local->host_decrypt) { 780 int idx = 0; 781 if (skb->len >= hdrlen + 3) 782 idx = skb->data[hdrlen + 3] >> 6; 783 crypt = local->crypt_info.crypt[idx]; 784 sta = NULL; 785 786 /* Use station specific key to override default keys if the 787 * receiver address is a unicast address ("individual RA"). If 788 * bcrx_sta_key parameter is set, station specific key is used 789 * even with broad/multicast targets (this is against IEEE 790 * 802.11, but makes it easier to use different keys with 791 * stations that do not support WEP key mapping). */ 792 793 if (!(hdr->addr1[0] & 0x01) || local->bcrx_sta_key) 794 (void) hostap_handle_sta_crypto(local, hdr, &crypt, 795 &sta); 796 797 /* allow NULL decrypt to indicate an station specific override 798 * for default encryption */ 799 if (crypt && (crypt->ops == NULL || 800 crypt->ops->decrypt_mpdu == NULL)) 801 crypt = NULL; 802 803 if (!crypt && (fc & IEEE80211_FCTL_PROTECTED)) { 804 #if 0 805 /* This seems to be triggered by some (multicast?) 806 * frames from other than current BSS, so just drop the 807 * frames silently instead of filling system log with 808 * these reports. */ 809 printk(KERN_DEBUG "%s: WEP decryption failed (not set)" 810 " (SA=%pM)\n", 811 local->dev->name, hdr->addr2); 812 #endif 813 local->comm_tallies.rx_discards_wep_undecryptable++; 814 goto rx_dropped; 815 } 816 } 817 818 if (type != IEEE80211_FTYPE_DATA) { 819 if (type == IEEE80211_FTYPE_MGMT && 820 stype == IEEE80211_STYPE_AUTH && 821 fc & IEEE80211_FCTL_PROTECTED && local->host_decrypt && 822 (keyidx = hostap_rx_frame_decrypt(local, skb, crypt)) < 0) 823 { 824 printk(KERN_DEBUG "%s: failed to decrypt mgmt::auth " 825 "from %pM\n", dev->name, hdr->addr2); 826 /* TODO: could inform hostapd about this so that it 827 * could send auth failure report */ 828 goto rx_dropped; 829 } 830 831 if (hostap_rx_frame_mgmt(local, skb, rx_stats, type, stype)) 832 goto rx_dropped; 833 else 834 goto rx_exit; 835 } 836 837 /* Data frame - extract src/dst addresses */ 838 if (skb->len < IEEE80211_DATA_HDR3_LEN) 839 goto rx_dropped; 840 841 switch (fc & (IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS)) { 842 case IEEE80211_FCTL_FROMDS: 843 memcpy(dst, hdr->addr1, ETH_ALEN); 844 memcpy(src, hdr->addr3, ETH_ALEN); 845 break; 846 case IEEE80211_FCTL_TODS: 847 memcpy(dst, hdr->addr3, ETH_ALEN); 848 memcpy(src, hdr->addr2, ETH_ALEN); 849 break; 850 case IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS: 851 if (skb->len < IEEE80211_DATA_HDR4_LEN) 852 goto rx_dropped; 853 memcpy(dst, hdr->addr3, ETH_ALEN); 854 memcpy(src, hdr->addr4, ETH_ALEN); 855 break; 856 default: 857 memcpy(dst, hdr->addr1, ETH_ALEN); 858 memcpy(src, hdr->addr2, ETH_ALEN); 859 break; 860 } 861 862 if (hostap_rx_frame_wds(local, hdr, fc, &wds)) 863 goto rx_dropped; 864 if (wds) 865 skb->dev = dev = wds; 866 867 if (local->iw_mode == IW_MODE_MASTER && !wds && 868 (fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) == 869 IEEE80211_FCTL_FROMDS && 870 local->stadev && 871 memcmp(hdr->addr2, local->assoc_ap_addr, ETH_ALEN) == 0) { 872 /* Frame from BSSID of the AP for which we are a client */ 873 skb->dev = dev = local->stadev; 874 from_assoc_ap = 1; 875 } 876 877 if ((local->iw_mode == IW_MODE_MASTER || 878 local->iw_mode == IW_MODE_REPEAT) && 879 !from_assoc_ap) { 880 switch (hostap_handle_sta_rx(local, dev, skb, rx_stats, 881 wds != NULL)) { 882 case AP_RX_CONTINUE_NOT_AUTHORIZED: 883 frame_authorized = 0; 884 break; 885 case AP_RX_CONTINUE: 886 frame_authorized = 1; 887 break; 888 case AP_RX_DROP: 889 goto rx_dropped; 890 case AP_RX_EXIT: 891 goto rx_exit; 892 } 893 } 894 895 /* Nullfunc frames may have PS-bit set, so they must be passed to 896 * hostap_handle_sta_rx() before being dropped here. */ 897 if (stype != IEEE80211_STYPE_DATA && 898 stype != IEEE80211_STYPE_DATA_CFACK && 899 stype != IEEE80211_STYPE_DATA_CFPOLL && 900 stype != IEEE80211_STYPE_DATA_CFACKPOLL) { 901 if (stype != IEEE80211_STYPE_NULLFUNC) 902 printk(KERN_DEBUG "%s: RX: dropped data frame " 903 "with no data (type=0x%02x, subtype=0x%02x)\n", 904 dev->name, type >> 2, stype >> 4); 905 goto rx_dropped; 906 } 907 908 /* skb: hdr + (possibly fragmented, possibly encrypted) payload */ 909 910 if (local->host_decrypt && (fc & IEEE80211_FCTL_PROTECTED) && 911 (keyidx = hostap_rx_frame_decrypt(local, skb, crypt)) < 0) 912 goto rx_dropped; 913 hdr = (struct ieee80211_hdr *) skb->data; 914 915 /* skb: hdr + (possibly fragmented) plaintext payload */ 916 917 if (local->host_decrypt && (fc & IEEE80211_FCTL_PROTECTED) && 918 (frag != 0 || (fc & IEEE80211_FCTL_MOREFRAGS))) { 919 int flen; 920 struct sk_buff *frag_skb = 921 prism2_frag_cache_get(local, hdr); 922 if (!frag_skb) { 923 printk(KERN_DEBUG "%s: Rx cannot get skb from " 924 "fragment cache (morefrag=%d seq=%u frag=%u)\n", 925 dev->name, (fc & IEEE80211_FCTL_MOREFRAGS) != 0, 926 (sc & IEEE80211_SCTL_SEQ) >> 4, frag); 927 goto rx_dropped; 928 } 929 930 flen = skb->len; 931 if (frag != 0) 932 flen -= hdrlen; 933 934 if (frag_skb->tail + flen > frag_skb->end) { 935 printk(KERN_WARNING "%s: host decrypted and " 936 "reassembled frame did not fit skb\n", 937 dev->name); 938 prism2_frag_cache_invalidate(local, hdr); 939 goto rx_dropped; 940 } 941 942 if (frag == 0) { 943 /* copy first fragment (including full headers) into 944 * beginning of the fragment cache skb */ 945 skb_copy_from_linear_data(skb, skb_put(frag_skb, flen), 946 flen); 947 } else { 948 /* append frame payload to the end of the fragment 949 * cache skb */ 950 skb_copy_from_linear_data_offset(skb, hdrlen, 951 skb_put(frag_skb, 952 flen), flen); 953 } 954 dev_kfree_skb(skb); 955 skb = NULL; 956 957 if (fc & IEEE80211_FCTL_MOREFRAGS) { 958 /* more fragments expected - leave the skb in fragment 959 * cache for now; it will be delivered to upper layers 960 * after all fragments have been received */ 961 goto rx_exit; 962 } 963 964 /* this was the last fragment and the frame will be 965 * delivered, so remove skb from fragment cache */ 966 skb = frag_skb; 967 hdr = (struct ieee80211_hdr *) skb->data; 968 prism2_frag_cache_invalidate(local, hdr); 969 } 970 971 /* skb: hdr + (possible reassembled) full MSDU payload; possibly still 972 * encrypted/authenticated */ 973 974 if (local->host_decrypt && (fc & IEEE80211_FCTL_PROTECTED) && 975 hostap_rx_frame_decrypt_msdu(local, skb, keyidx, crypt)) 976 goto rx_dropped; 977 978 hdr = (struct ieee80211_hdr *) skb->data; 979 if (crypt && !(fc & IEEE80211_FCTL_PROTECTED) && !local->open_wep) { 980 if (local->ieee_802_1x && 981 hostap_is_eapol_frame(local, skb)) { 982 /* pass unencrypted EAPOL frames even if encryption is 983 * configured */ 984 PDEBUG(DEBUG_EXTRA2, "%s: RX: IEEE 802.1X - passing " 985 "unencrypted EAPOL frame\n", local->dev->name); 986 } else { 987 printk(KERN_DEBUG "%s: encryption configured, but RX " 988 "frame not encrypted (SA=%pM)\n", 989 local->dev->name, hdr->addr2); 990 goto rx_dropped; 991 } 992 } 993 994 if (local->drop_unencrypted && !(fc & IEEE80211_FCTL_PROTECTED) && 995 !hostap_is_eapol_frame(local, skb)) { 996 if (net_ratelimit()) { 997 printk(KERN_DEBUG "%s: dropped unencrypted RX data " 998 "frame from %pM (drop_unencrypted=1)\n", 999 dev->name, hdr->addr2); 1000 } 1001 goto rx_dropped; 1002 } 1003 1004 /* skb: hdr + (possible reassembled) full plaintext payload */ 1005 1006 payload = skb->data + hdrlen; 1007 ethertype = (payload[6] << 8) | payload[7]; 1008 1009 /* If IEEE 802.1X is used, check whether the port is authorized to send 1010 * the received frame. */ 1011 if (local->ieee_802_1x && local->iw_mode == IW_MODE_MASTER) { 1012 if (ethertype == ETH_P_PAE) { 1013 PDEBUG(DEBUG_EXTRA2, "%s: RX: IEEE 802.1X frame\n", 1014 dev->name); 1015 if (local->hostapd && local->apdev) { 1016 /* Send IEEE 802.1X frames to the user 1017 * space daemon for processing */ 1018 prism2_rx_80211(local->apdev, skb, rx_stats, 1019 PRISM2_RX_MGMT); 1020 local->apdevstats.rx_packets++; 1021 local->apdevstats.rx_bytes += skb->len; 1022 goto rx_exit; 1023 } 1024 } else if (!frame_authorized) { 1025 printk(KERN_DEBUG "%s: dropped frame from " 1026 "unauthorized port (IEEE 802.1X): " 1027 "ethertype=0x%04x\n", 1028 dev->name, ethertype); 1029 goto rx_dropped; 1030 } 1031 } 1032 1033 /* convert hdr + possible LLC headers into Ethernet header */ 1034 if (skb->len - hdrlen >= 8 && 1035 ((memcmp(payload, rfc1042_header, 6) == 0 && 1036 ethertype != ETH_P_AARP && ethertype != ETH_P_IPX) || 1037 memcmp(payload, bridge_tunnel_header, 6) == 0)) { 1038 /* remove RFC1042 or Bridge-Tunnel encapsulation and 1039 * replace EtherType */ 1040 skb_pull(skb, hdrlen + 6); 1041 memcpy(skb_push(skb, ETH_ALEN), src, ETH_ALEN); 1042 memcpy(skb_push(skb, ETH_ALEN), dst, ETH_ALEN); 1043 } else { 1044 __be16 len; 1045 /* Leave Ethernet header part of hdr and full payload */ 1046 skb_pull(skb, hdrlen); 1047 len = htons(skb->len); 1048 memcpy(skb_push(skb, 2), &len, 2); 1049 memcpy(skb_push(skb, ETH_ALEN), src, ETH_ALEN); 1050 memcpy(skb_push(skb, ETH_ALEN), dst, ETH_ALEN); 1051 } 1052 1053 if (wds && ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) == 1054 IEEE80211_FCTL_TODS) && 1055 skb->len >= ETH_HLEN + ETH_ALEN) { 1056 /* Non-standard frame: get addr4 from its bogus location after 1057 * the payload */ 1058 skb_copy_from_linear_data_offset(skb, skb->len - ETH_ALEN, 1059 skb->data + ETH_ALEN, 1060 ETH_ALEN); 1061 skb_trim(skb, skb->len - ETH_ALEN); 1062 } 1063 1064 dev->stats.rx_packets++; 1065 dev->stats.rx_bytes += skb->len; 1066 1067 if (local->iw_mode == IW_MODE_MASTER && !wds && 1068 local->ap->bridge_packets) { 1069 if (dst[0] & 0x01) { 1070 /* copy multicast frame both to the higher layers and 1071 * to the wireless media */ 1072 local->ap->bridged_multicast++; 1073 skb2 = skb_clone(skb, GFP_ATOMIC); 1074 if (skb2 == NULL) 1075 printk(KERN_DEBUG "%s: skb_clone failed for " 1076 "multicast frame\n", dev->name); 1077 } else if (hostap_is_sta_authorized(local->ap, dst)) { 1078 /* send frame directly to the associated STA using 1079 * wireless media and not passing to higher layers */ 1080 local->ap->bridged_unicast++; 1081 skb2 = skb; 1082 skb = NULL; 1083 } 1084 } 1085 1086 if (skb2 != NULL) { 1087 /* send to wireless media */ 1088 skb2->dev = dev; 1089 skb2->protocol = cpu_to_be16(ETH_P_802_3); 1090 skb_reset_mac_header(skb2); 1091 skb_reset_network_header(skb2); 1092 /* skb2->network_header += ETH_HLEN; */ 1093 dev_queue_xmit(skb2); 1094 } 1095 1096 if (skb) { 1097 skb->protocol = eth_type_trans(skb, dev); 1098 memset(skb->cb, 0, sizeof(skb->cb)); 1099 netif_rx(skb); 1100 } 1101 1102 rx_exit: 1103 if (sta) 1104 hostap_handle_sta_release(sta); 1105 return; 1106 1107 rx_dropped: 1108 dev_kfree_skb(skb); 1109 1110 dev->stats.rx_dropped++; 1111 goto rx_exit; 1112 } 1113 1114 1115 EXPORT_SYMBOL(hostap_80211_rx); 1116