1 #include <linux/etherdevice.h>
2 #include <linux/slab.h>
3 #include <linux/export.h>
4 #include <net/lib80211.h>
5 #include <linux/if_arp.h>
6 
7 #include "hostap_80211.h"
8 #include "hostap.h"
9 #include "hostap_ap.h"
10 
11 /* See IEEE 802.1H for LLC/SNAP encapsulation/decapsulation */
12 /* Ethernet-II snap header (RFC1042 for most EtherTypes) */
13 static unsigned char rfc1042_header[] =
14 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };
15 /* Bridge-Tunnel header (for EtherTypes ETH_P_AARP and ETH_P_IPX) */
16 static unsigned char bridge_tunnel_header[] =
17 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0xf8 };
18 /* No encapsulation header if EtherType < 0x600 (=length) */
19 
20 void hostap_dump_rx_80211(const char *name, struct sk_buff *skb,
21 			  struct hostap_80211_rx_status *rx_stats)
22 {
23 	struct ieee80211_hdr *hdr;
24 	u16 fc;
25 
26 	hdr = (struct ieee80211_hdr *) skb->data;
27 
28 	printk(KERN_DEBUG "%s: RX signal=%d noise=%d rate=%d len=%d "
29 	       "jiffies=%ld\n",
30 	       name, rx_stats->signal, rx_stats->noise, rx_stats->rate,
31 	       skb->len, jiffies);
32 
33 	if (skb->len < 2)
34 		return;
35 
36 	fc = le16_to_cpu(hdr->frame_control);
37 	printk(KERN_DEBUG "   FC=0x%04x (type=%d:%d)%s%s",
38 	       fc, (fc & IEEE80211_FCTL_FTYPE) >> 2,
39 	       (fc & IEEE80211_FCTL_STYPE) >> 4,
40 	       fc & IEEE80211_FCTL_TODS ? " [ToDS]" : "",
41 	       fc & IEEE80211_FCTL_FROMDS ? " [FromDS]" : "");
42 
43 	if (skb->len < IEEE80211_DATA_HDR3_LEN) {
44 		printk("\n");
45 		return;
46 	}
47 
48 	printk(" dur=0x%04x seq=0x%04x\n", le16_to_cpu(hdr->duration_id),
49 	       le16_to_cpu(hdr->seq_ctrl));
50 
51 	printk(KERN_DEBUG "   A1=%pM", hdr->addr1);
52 	printk(" A2=%pM", hdr->addr2);
53 	printk(" A3=%pM", hdr->addr3);
54 	if (skb->len >= 30)
55 		printk(" A4=%pM", hdr->addr4);
56 	printk("\n");
57 }
58 
59 
60 /* Send RX frame to netif with 802.11 (and possible prism) header.
61  * Called from hardware or software IRQ context. */
62 int prism2_rx_80211(struct net_device *dev, struct sk_buff *skb,
63 		    struct hostap_80211_rx_status *rx_stats, int type)
64 {
65 	struct hostap_interface *iface;
66 	local_info_t *local;
67 	int hdrlen, phdrlen, head_need, tail_need;
68 	u16 fc;
69 	int prism_header, ret;
70 	struct ieee80211_hdr *fhdr;
71 
72 	iface = netdev_priv(dev);
73 	local = iface->local;
74 
75 	if (dev->type == ARPHRD_IEEE80211_PRISM) {
76 		if (local->monitor_type == PRISM2_MONITOR_PRISM) {
77 			prism_header = 1;
78 			phdrlen = sizeof(struct linux_wlan_ng_prism_hdr);
79 		} else { /* local->monitor_type == PRISM2_MONITOR_CAPHDR */
80 			prism_header = 2;
81 			phdrlen = sizeof(struct linux_wlan_ng_cap_hdr);
82 		}
83 	} else if (dev->type == ARPHRD_IEEE80211_RADIOTAP) {
84 		prism_header = 3;
85 		phdrlen = sizeof(struct hostap_radiotap_rx);
86 	} else {
87 		prism_header = 0;
88 		phdrlen = 0;
89 	}
90 
91 	fhdr = (struct ieee80211_hdr *) skb->data;
92 	fc = le16_to_cpu(fhdr->frame_control);
93 
94 	if (type == PRISM2_RX_MGMT && (fc & IEEE80211_FCTL_VERS)) {
95 		printk(KERN_DEBUG "%s: dropped management frame with header "
96 		       "version %d\n", dev->name, fc & IEEE80211_FCTL_VERS);
97 		dev_kfree_skb_any(skb);
98 		return 0;
99 	}
100 
101 	hdrlen = hostap_80211_get_hdrlen(fhdr->frame_control);
102 
103 	/* check if there is enough room for extra data; if not, expand skb
104 	 * buffer to be large enough for the changes */
105 	head_need = phdrlen;
106 	tail_need = 0;
107 #ifdef PRISM2_ADD_BOGUS_CRC
108 	tail_need += 4;
109 #endif /* PRISM2_ADD_BOGUS_CRC */
110 
111 	head_need -= skb_headroom(skb);
112 	tail_need -= skb_tailroom(skb);
113 
114 	if (head_need > 0 || tail_need > 0) {
115 		if (pskb_expand_head(skb, head_need > 0 ? head_need : 0,
116 				     tail_need > 0 ? tail_need : 0,
117 				     GFP_ATOMIC)) {
118 			printk(KERN_DEBUG "%s: prism2_rx_80211 failed to "
119 			       "reallocate skb buffer\n", dev->name);
120 			dev_kfree_skb_any(skb);
121 			return 0;
122 		}
123 	}
124 
125 	/* We now have an skb with enough head and tail room, so just insert
126 	 * the extra data */
127 
128 #ifdef PRISM2_ADD_BOGUS_CRC
129 	memset(skb_put(skb, 4), 0xff, 4); /* Prism2 strips CRC */
130 #endif /* PRISM2_ADD_BOGUS_CRC */
131 
132 	if (prism_header == 1) {
133 		struct linux_wlan_ng_prism_hdr *hdr;
134 		hdr = skb_push(skb, phdrlen);
135 		memset(hdr, 0, phdrlen);
136 		hdr->msgcode = LWNG_CAP_DID_BASE;
137 		hdr->msglen = sizeof(*hdr);
138 		memcpy(hdr->devname, dev->name, sizeof(hdr->devname));
139 #define LWNG_SETVAL(f,i,s,l,d) \
140 hdr->f.did = LWNG_CAP_DID_BASE | (i << 12); \
141 hdr->f.status = s; hdr->f.len = l; hdr->f.data = d
142 		LWNG_SETVAL(hosttime, 1, 0, 4, jiffies);
143 		LWNG_SETVAL(mactime, 2, 0, 4, rx_stats->mac_time);
144 		LWNG_SETVAL(channel, 3, 1 /* no value */, 4, 0);
145 		LWNG_SETVAL(rssi, 4, 1 /* no value */, 4, 0);
146 		LWNG_SETVAL(sq, 5, 1 /* no value */, 4, 0);
147 		LWNG_SETVAL(signal, 6, 0, 4, rx_stats->signal);
148 		LWNG_SETVAL(noise, 7, 0, 4, rx_stats->noise);
149 		LWNG_SETVAL(rate, 8, 0, 4, rx_stats->rate / 5);
150 		LWNG_SETVAL(istx, 9, 0, 4, 0);
151 		LWNG_SETVAL(frmlen, 10, 0, 4, skb->len - phdrlen);
152 #undef LWNG_SETVAL
153 	} else if (prism_header == 2) {
154 		struct linux_wlan_ng_cap_hdr *hdr;
155 		hdr = skb_push(skb, phdrlen);
156 		memset(hdr, 0, phdrlen);
157 		hdr->version    = htonl(LWNG_CAPHDR_VERSION);
158 		hdr->length     = htonl(phdrlen);
159 		hdr->mactime    = __cpu_to_be64(rx_stats->mac_time);
160 		hdr->hosttime   = __cpu_to_be64(jiffies);
161 		hdr->phytype    = htonl(4); /* dss_dot11_b */
162 		hdr->channel    = htonl(local->channel);
163 		hdr->datarate   = htonl(rx_stats->rate);
164 		hdr->antenna    = htonl(0); /* unknown */
165 		hdr->priority   = htonl(0); /* unknown */
166 		hdr->ssi_type   = htonl(3); /* raw */
167 		hdr->ssi_signal = htonl(rx_stats->signal);
168 		hdr->ssi_noise  = htonl(rx_stats->noise);
169 		hdr->preamble   = htonl(0); /* unknown */
170 		hdr->encoding   = htonl(1); /* cck */
171 	} else if (prism_header == 3) {
172 		struct hostap_radiotap_rx *hdr;
173 		hdr = skb_push(skb, phdrlen);
174 		memset(hdr, 0, phdrlen);
175 		hdr->hdr.it_len = cpu_to_le16(phdrlen);
176 		hdr->hdr.it_present =
177 			cpu_to_le32((1 << IEEE80211_RADIOTAP_TSFT) |
178 				    (1 << IEEE80211_RADIOTAP_CHANNEL) |
179 				    (1 << IEEE80211_RADIOTAP_RATE) |
180 				    (1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL) |
181 				    (1 << IEEE80211_RADIOTAP_DBM_ANTNOISE));
182 		hdr->tsft = cpu_to_le64(rx_stats->mac_time);
183 		hdr->chan_freq = cpu_to_le16(freq_list[local->channel - 1]);
184 		hdr->chan_flags = cpu_to_le16(IEEE80211_CHAN_CCK |
185 						 IEEE80211_CHAN_2GHZ);
186 		hdr->rate = rx_stats->rate / 5;
187 		hdr->dbm_antsignal = rx_stats->signal;
188 		hdr->dbm_antnoise = rx_stats->noise;
189 	}
190 
191 	ret = skb->len - phdrlen;
192 	skb->dev = dev;
193 	skb_reset_mac_header(skb);
194 	skb_pull(skb, hdrlen);
195 	if (prism_header)
196 		skb_pull(skb, phdrlen);
197 	skb->pkt_type = PACKET_OTHERHOST;
198 	skb->protocol = cpu_to_be16(ETH_P_802_2);
199 	memset(skb->cb, 0, sizeof(skb->cb));
200 	netif_rx(skb);
201 
202 	return ret;
203 }
204 
205 
206 /* Called only as a tasklet (software IRQ) */
207 static void monitor_rx(struct net_device *dev, struct sk_buff *skb,
208 		       struct hostap_80211_rx_status *rx_stats)
209 {
210 	int len;
211 
212 	len = prism2_rx_80211(dev, skb, rx_stats, PRISM2_RX_MONITOR);
213 	dev->stats.rx_packets++;
214 	dev->stats.rx_bytes += len;
215 }
216 
217 
218 /* Called only as a tasklet (software IRQ) */
219 static struct prism2_frag_entry *
220 prism2_frag_cache_find(local_info_t *local, unsigned int seq,
221 		       unsigned int frag, u8 *src, u8 *dst)
222 {
223 	struct prism2_frag_entry *entry;
224 	int i;
225 
226 	for (i = 0; i < PRISM2_FRAG_CACHE_LEN; i++) {
227 		entry = &local->frag_cache[i];
228 		if (entry->skb != NULL &&
229 		    time_after(jiffies, entry->first_frag_time + 2 * HZ)) {
230 			printk(KERN_DEBUG "%s: expiring fragment cache entry "
231 			       "seq=%u last_frag=%u\n",
232 			       local->dev->name, entry->seq, entry->last_frag);
233 			dev_kfree_skb(entry->skb);
234 			entry->skb = NULL;
235 		}
236 
237 		if (entry->skb != NULL && entry->seq == seq &&
238 		    (entry->last_frag + 1 == frag || frag == -1) &&
239 		    memcmp(entry->src_addr, src, ETH_ALEN) == 0 &&
240 		    memcmp(entry->dst_addr, dst, ETH_ALEN) == 0)
241 			return entry;
242 	}
243 
244 	return NULL;
245 }
246 
247 
248 /* Called only as a tasklet (software IRQ) */
249 static struct sk_buff *
250 prism2_frag_cache_get(local_info_t *local, struct ieee80211_hdr *hdr)
251 {
252 	struct sk_buff *skb = NULL;
253 	u16 sc;
254 	unsigned int frag, seq;
255 	struct prism2_frag_entry *entry;
256 
257 	sc = le16_to_cpu(hdr->seq_ctrl);
258 	frag = sc & IEEE80211_SCTL_FRAG;
259 	seq = (sc & IEEE80211_SCTL_SEQ) >> 4;
260 
261 	if (frag == 0) {
262 		/* Reserve enough space to fit maximum frame length */
263 		skb = dev_alloc_skb(local->dev->mtu +
264 				    sizeof(struct ieee80211_hdr) +
265 				    8 /* LLC */ +
266 				    2 /* alignment */ +
267 				    8 /* WEP */ + ETH_ALEN /* WDS */);
268 		if (skb == NULL)
269 			return NULL;
270 
271 		entry = &local->frag_cache[local->frag_next_idx];
272 		local->frag_next_idx++;
273 		if (local->frag_next_idx >= PRISM2_FRAG_CACHE_LEN)
274 			local->frag_next_idx = 0;
275 
276 		if (entry->skb != NULL)
277 			dev_kfree_skb(entry->skb);
278 
279 		entry->first_frag_time = jiffies;
280 		entry->seq = seq;
281 		entry->last_frag = frag;
282 		entry->skb = skb;
283 		memcpy(entry->src_addr, hdr->addr2, ETH_ALEN);
284 		memcpy(entry->dst_addr, hdr->addr1, ETH_ALEN);
285 	} else {
286 		/* received a fragment of a frame for which the head fragment
287 		 * should have already been received */
288 		entry = prism2_frag_cache_find(local, seq, frag, hdr->addr2,
289 					       hdr->addr1);
290 		if (entry != NULL) {
291 			entry->last_frag = frag;
292 			skb = entry->skb;
293 		}
294 	}
295 
296 	return skb;
297 }
298 
299 
300 /* Called only as a tasklet (software IRQ) */
301 static int prism2_frag_cache_invalidate(local_info_t *local,
302 					struct ieee80211_hdr *hdr)
303 {
304 	u16 sc;
305 	unsigned int seq;
306 	struct prism2_frag_entry *entry;
307 
308 	sc = le16_to_cpu(hdr->seq_ctrl);
309 	seq = (sc & IEEE80211_SCTL_SEQ) >> 4;
310 
311 	entry = prism2_frag_cache_find(local, seq, -1, hdr->addr2, hdr->addr1);
312 
313 	if (entry == NULL) {
314 		printk(KERN_DEBUG "%s: could not invalidate fragment cache "
315 		       "entry (seq=%u)\n",
316 		       local->dev->name, seq);
317 		return -1;
318 	}
319 
320 	entry->skb = NULL;
321 	return 0;
322 }
323 
324 
325 static struct hostap_bss_info *__hostap_get_bss(local_info_t *local, u8 *bssid,
326 						u8 *ssid, size_t ssid_len)
327 {
328 	struct list_head *ptr;
329 	struct hostap_bss_info *bss;
330 
331 	list_for_each(ptr, &local->bss_list) {
332 		bss = list_entry(ptr, struct hostap_bss_info, list);
333 		if (memcmp(bss->bssid, bssid, ETH_ALEN) == 0 &&
334 		    (ssid == NULL ||
335 		     (ssid_len == bss->ssid_len &&
336 		      memcmp(ssid, bss->ssid, ssid_len) == 0))) {
337 			list_move(&bss->list, &local->bss_list);
338 			return bss;
339 		}
340 	}
341 
342 	return NULL;
343 }
344 
345 
346 static struct hostap_bss_info *__hostap_add_bss(local_info_t *local, u8 *bssid,
347 						u8 *ssid, size_t ssid_len)
348 {
349 	struct hostap_bss_info *bss;
350 
351 	if (local->num_bss_info >= HOSTAP_MAX_BSS_COUNT) {
352 		bss = list_entry(local->bss_list.prev,
353 				 struct hostap_bss_info, list);
354 		list_del(&bss->list);
355 		local->num_bss_info--;
356 	} else {
357 		bss = kmalloc(sizeof(*bss), GFP_ATOMIC);
358 		if (bss == NULL)
359 			return NULL;
360 	}
361 
362 	memset(bss, 0, sizeof(*bss));
363 	memcpy(bss->bssid, bssid, ETH_ALEN);
364 	memcpy(bss->ssid, ssid, ssid_len);
365 	bss->ssid_len = ssid_len;
366 	local->num_bss_info++;
367 	list_add(&bss->list, &local->bss_list);
368 	return bss;
369 }
370 
371 
372 static void __hostap_expire_bss(local_info_t *local)
373 {
374 	struct hostap_bss_info *bss;
375 
376 	while (local->num_bss_info > 0) {
377 		bss = list_entry(local->bss_list.prev,
378 				 struct hostap_bss_info, list);
379 		if (!time_after(jiffies, bss->last_update + 60 * HZ))
380 			break;
381 
382 		list_del(&bss->list);
383 		local->num_bss_info--;
384 		kfree(bss);
385 	}
386 }
387 
388 
389 /* Both IEEE 802.11 Beacon and Probe Response frames have similar structure, so
390  * the same routine can be used to parse both of them. */
391 static void hostap_rx_sta_beacon(local_info_t *local, struct sk_buff *skb,
392 				 int stype)
393 {
394 	struct hostap_ieee80211_mgmt *mgmt;
395 	int left, chan = 0;
396 	u8 *pos;
397 	u8 *ssid = NULL, *wpa = NULL, *rsn = NULL;
398 	size_t ssid_len = 0, wpa_len = 0, rsn_len = 0;
399 	struct hostap_bss_info *bss;
400 
401 	if (skb->len < IEEE80211_MGMT_HDR_LEN + sizeof(mgmt->u.beacon))
402 		return;
403 
404 	mgmt = (struct hostap_ieee80211_mgmt *) skb->data;
405 	pos = mgmt->u.beacon.variable;
406 	left = skb->len - (pos - skb->data);
407 
408 	while (left >= 2) {
409 		if (2 + pos[1] > left)
410 			return; /* parse failed */
411 		switch (*pos) {
412 		case WLAN_EID_SSID:
413 			ssid = pos + 2;
414 			ssid_len = pos[1];
415 			break;
416 		case WLAN_EID_VENDOR_SPECIFIC:
417 			if (pos[1] >= 4 &&
418 			    pos[2] == 0x00 && pos[3] == 0x50 &&
419 			    pos[4] == 0xf2 && pos[5] == 1) {
420 				wpa = pos;
421 				wpa_len = pos[1] + 2;
422 			}
423 			break;
424 		case WLAN_EID_RSN:
425 			rsn = pos;
426 			rsn_len = pos[1] + 2;
427 			break;
428 		case WLAN_EID_DS_PARAMS:
429 			if (pos[1] >= 1)
430 				chan = pos[2];
431 			break;
432 		}
433 		left -= 2 + pos[1];
434 		pos += 2 + pos[1];
435 	}
436 
437 	if (wpa_len > MAX_WPA_IE_LEN)
438 		wpa_len = MAX_WPA_IE_LEN;
439 	if (rsn_len > MAX_WPA_IE_LEN)
440 		rsn_len = MAX_WPA_IE_LEN;
441 	if (ssid_len > sizeof(bss->ssid))
442 		ssid_len = sizeof(bss->ssid);
443 
444 	spin_lock(&local->lock);
445 	bss = __hostap_get_bss(local, mgmt->bssid, ssid, ssid_len);
446 	if (bss == NULL)
447 		bss = __hostap_add_bss(local, mgmt->bssid, ssid, ssid_len);
448 	if (bss) {
449 		bss->last_update = jiffies;
450 		bss->count++;
451 		bss->capab_info = le16_to_cpu(mgmt->u.beacon.capab_info);
452 		if (wpa) {
453 			memcpy(bss->wpa_ie, wpa, wpa_len);
454 			bss->wpa_ie_len = wpa_len;
455 		} else
456 			bss->wpa_ie_len = 0;
457 		if (rsn) {
458 			memcpy(bss->rsn_ie, rsn, rsn_len);
459 			bss->rsn_ie_len = rsn_len;
460 		} else
461 			bss->rsn_ie_len = 0;
462 		bss->chan = chan;
463 	}
464 	__hostap_expire_bss(local);
465 	spin_unlock(&local->lock);
466 }
467 
468 
469 static int
470 hostap_rx_frame_mgmt(local_info_t *local, struct sk_buff *skb,
471 		     struct hostap_80211_rx_status *rx_stats, u16 type,
472 		     u16 stype)
473 {
474 	if (local->iw_mode == IW_MODE_MASTER)
475 		hostap_update_sta_ps(local, (struct ieee80211_hdr *) skb->data);
476 
477 	if (local->hostapd && type == IEEE80211_FTYPE_MGMT) {
478 		if (stype == IEEE80211_STYPE_BEACON &&
479 		    local->iw_mode == IW_MODE_MASTER) {
480 			struct sk_buff *skb2;
481 			/* Process beacon frames also in kernel driver to
482 			 * update STA(AP) table statistics */
483 			skb2 = skb_clone(skb, GFP_ATOMIC);
484 			if (skb2)
485 				hostap_rx(skb2->dev, skb2, rx_stats);
486 		}
487 
488 		/* send management frames to the user space daemon for
489 		 * processing */
490 		local->apdevstats.rx_packets++;
491 		local->apdevstats.rx_bytes += skb->len;
492 		if (local->apdev == NULL)
493 			return -1;
494 		prism2_rx_80211(local->apdev, skb, rx_stats, PRISM2_RX_MGMT);
495 		return 0;
496 	}
497 
498 	if (local->iw_mode == IW_MODE_MASTER) {
499 		if (type != IEEE80211_FTYPE_MGMT &&
500 		    type != IEEE80211_FTYPE_CTL) {
501 			printk(KERN_DEBUG "%s: unknown management frame "
502 			       "(type=0x%02x, stype=0x%02x) dropped\n",
503 			       skb->dev->name, type >> 2, stype >> 4);
504 			return -1;
505 		}
506 
507 		hostap_rx(skb->dev, skb, rx_stats);
508 		return 0;
509 	} else if (type == IEEE80211_FTYPE_MGMT &&
510 		   (stype == IEEE80211_STYPE_BEACON ||
511 		    stype == IEEE80211_STYPE_PROBE_RESP)) {
512 		hostap_rx_sta_beacon(local, skb, stype);
513 		return -1;
514 	} else if (type == IEEE80211_FTYPE_MGMT &&
515 		   (stype == IEEE80211_STYPE_ASSOC_RESP ||
516 		    stype == IEEE80211_STYPE_REASSOC_RESP)) {
517 		/* Ignore (Re)AssocResp silently since these are not currently
518 		 * needed but are still received when WPA/RSN mode is enabled.
519 		 */
520 		return -1;
521 	} else {
522 		printk(KERN_DEBUG "%s: hostap_rx_frame_mgmt: dropped unhandled"
523 		       " management frame in non-Host AP mode (type=%d:%d)\n",
524 		       skb->dev->name, type >> 2, stype >> 4);
525 		return -1;
526 	}
527 }
528 
529 
530 /* Called only as a tasklet (software IRQ) */
531 static struct net_device *prism2_rx_get_wds(local_info_t *local,
532 						   u8 *addr)
533 {
534 	struct hostap_interface *iface = NULL;
535 	struct list_head *ptr;
536 
537 	read_lock_bh(&local->iface_lock);
538 	list_for_each(ptr, &local->hostap_interfaces) {
539 		iface = list_entry(ptr, struct hostap_interface, list);
540 		if (iface->type == HOSTAP_INTERFACE_WDS &&
541 		    memcmp(iface->u.wds.remote_addr, addr, ETH_ALEN) == 0)
542 			break;
543 		iface = NULL;
544 	}
545 	read_unlock_bh(&local->iface_lock);
546 
547 	return iface ? iface->dev : NULL;
548 }
549 
550 
551 static int
552 hostap_rx_frame_wds(local_info_t *local, struct ieee80211_hdr *hdr, u16 fc,
553 		    struct net_device **wds)
554 {
555 	/* FIX: is this really supposed to accept WDS frames only in Master
556 	 * mode? What about Repeater or Managed with WDS frames? */
557 	if ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) !=
558 	    (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS) &&
559 	    (local->iw_mode != IW_MODE_MASTER || !(fc & IEEE80211_FCTL_TODS)))
560 		return 0; /* not a WDS frame */
561 
562 	/* Possible WDS frame: either IEEE 802.11 compliant (if FromDS)
563 	 * or own non-standard frame with 4th address after payload */
564 	if (!ether_addr_equal(hdr->addr1, local->dev->dev_addr) &&
565 	    (hdr->addr1[0] != 0xff || hdr->addr1[1] != 0xff ||
566 	     hdr->addr1[2] != 0xff || hdr->addr1[3] != 0xff ||
567 	     hdr->addr1[4] != 0xff || hdr->addr1[5] != 0xff)) {
568 		/* RA (or BSSID) is not ours - drop */
569 		PDEBUG(DEBUG_EXTRA2, "%s: received WDS frame with "
570 		       "not own or broadcast %s=%pM\n",
571 		       local->dev->name,
572 		       fc & IEEE80211_FCTL_FROMDS ? "RA" : "BSSID",
573 		       hdr->addr1);
574 		return -1;
575 	}
576 
577 	/* check if the frame came from a registered WDS connection */
578 	*wds = prism2_rx_get_wds(local, hdr->addr2);
579 	if (*wds == NULL && fc & IEEE80211_FCTL_FROMDS &&
580 	    (local->iw_mode != IW_MODE_INFRA ||
581 	     !(local->wds_type & HOSTAP_WDS_AP_CLIENT) ||
582 	     memcmp(hdr->addr2, local->bssid, ETH_ALEN) != 0)) {
583 		/* require that WDS link has been registered with TA or the
584 		 * frame is from current AP when using 'AP client mode' */
585 		PDEBUG(DEBUG_EXTRA, "%s: received WDS[4 addr] frame "
586 		       "from unknown TA=%pM\n",
587 		       local->dev->name, hdr->addr2);
588 		if (local->ap && local->ap->autom_ap_wds)
589 			hostap_wds_link_oper(local, hdr->addr2, WDS_ADD);
590 		return -1;
591 	}
592 
593 	if (*wds && !(fc & IEEE80211_FCTL_FROMDS) && local->ap &&
594 	    hostap_is_sta_assoc(local->ap, hdr->addr2)) {
595 		/* STA is actually associated with us even though it has a
596 		 * registered WDS link. Assume it is in 'AP client' mode.
597 		 * Since this is a 3-addr frame, assume it is not (bogus) WDS
598 		 * frame and process it like any normal ToDS frame from
599 		 * associated STA. */
600 		*wds = NULL;
601 	}
602 
603 	return 0;
604 }
605 
606 
607 static int hostap_is_eapol_frame(local_info_t *local, struct sk_buff *skb)
608 {
609 	struct net_device *dev = local->dev;
610 	u16 fc, ethertype;
611 	struct ieee80211_hdr *hdr;
612 	u8 *pos;
613 
614 	if (skb->len < 24)
615 		return 0;
616 
617 	hdr = (struct ieee80211_hdr *) skb->data;
618 	fc = le16_to_cpu(hdr->frame_control);
619 
620 	/* check that the frame is unicast frame to us */
621 	if ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) ==
622 	    IEEE80211_FCTL_TODS &&
623 	    ether_addr_equal(hdr->addr1, dev->dev_addr) &&
624 	    ether_addr_equal(hdr->addr3, dev->dev_addr)) {
625 		/* ToDS frame with own addr BSSID and DA */
626 	} else if ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) ==
627 		   IEEE80211_FCTL_FROMDS &&
628 		   ether_addr_equal(hdr->addr1, dev->dev_addr)) {
629 		/* FromDS frame with own addr as DA */
630 	} else
631 		return 0;
632 
633 	if (skb->len < 24 + 8)
634 		return 0;
635 
636 	/* check for port access entity Ethernet type */
637 	pos = skb->data + 24;
638 	ethertype = (pos[6] << 8) | pos[7];
639 	if (ethertype == ETH_P_PAE)
640 		return 1;
641 
642 	return 0;
643 }
644 
645 
646 /* Called only as a tasklet (software IRQ) */
647 static int
648 hostap_rx_frame_decrypt(local_info_t *local, struct sk_buff *skb,
649 			struct lib80211_crypt_data *crypt)
650 {
651 	struct ieee80211_hdr *hdr;
652 	int res, hdrlen;
653 
654 	if (crypt == NULL || crypt->ops->decrypt_mpdu == NULL)
655 		return 0;
656 
657 	hdr = (struct ieee80211_hdr *) skb->data;
658 	hdrlen = hostap_80211_get_hdrlen(hdr->frame_control);
659 
660 	if (local->tkip_countermeasures &&
661 	    strcmp(crypt->ops->name, "TKIP") == 0) {
662 		if (net_ratelimit()) {
663 			printk(KERN_DEBUG "%s: TKIP countermeasures: dropped "
664 			       "received packet from %pM\n",
665 			       local->dev->name, hdr->addr2);
666 		}
667 		return -1;
668 	}
669 
670 	atomic_inc(&crypt->refcnt);
671 	res = crypt->ops->decrypt_mpdu(skb, hdrlen, crypt->priv);
672 	atomic_dec(&crypt->refcnt);
673 	if (res < 0) {
674 		printk(KERN_DEBUG "%s: decryption failed (SA=%pM) res=%d\n",
675 		       local->dev->name, hdr->addr2, res);
676 		local->comm_tallies.rx_discards_wep_undecryptable++;
677 		return -1;
678 	}
679 
680 	return res;
681 }
682 
683 
684 /* Called only as a tasklet (software IRQ) */
685 static int
686 hostap_rx_frame_decrypt_msdu(local_info_t *local, struct sk_buff *skb,
687 			     int keyidx, struct lib80211_crypt_data *crypt)
688 {
689 	struct ieee80211_hdr *hdr;
690 	int res, hdrlen;
691 
692 	if (crypt == NULL || crypt->ops->decrypt_msdu == NULL)
693 		return 0;
694 
695 	hdr = (struct ieee80211_hdr *) skb->data;
696 	hdrlen = hostap_80211_get_hdrlen(hdr->frame_control);
697 
698 	atomic_inc(&crypt->refcnt);
699 	res = crypt->ops->decrypt_msdu(skb, keyidx, hdrlen, crypt->priv);
700 	atomic_dec(&crypt->refcnt);
701 	if (res < 0) {
702 		printk(KERN_DEBUG "%s: MSDU decryption/MIC verification failed"
703 		       " (SA=%pM keyidx=%d)\n",
704 		       local->dev->name, hdr->addr2, keyidx);
705 		return -1;
706 	}
707 
708 	return 0;
709 }
710 
711 
712 /* All received frames are sent to this function. @skb contains the frame in
713  * IEEE 802.11 format, i.e., in the format it was sent over air.
714  * This function is called only as a tasklet (software IRQ). */
715 void hostap_80211_rx(struct net_device *dev, struct sk_buff *skb,
716 		     struct hostap_80211_rx_status *rx_stats)
717 {
718 	struct hostap_interface *iface;
719 	local_info_t *local;
720 	struct ieee80211_hdr *hdr;
721 	size_t hdrlen;
722 	u16 fc, type, stype, sc;
723 	struct net_device *wds = NULL;
724 	unsigned int frag;
725 	u8 *payload;
726 	struct sk_buff *skb2 = NULL;
727 	u16 ethertype;
728 	int frame_authorized = 0;
729 	int from_assoc_ap = 0;
730 	u8 dst[ETH_ALEN];
731 	u8 src[ETH_ALEN];
732 	struct lib80211_crypt_data *crypt = NULL;
733 	void *sta = NULL;
734 	int keyidx = 0;
735 
736 	iface = netdev_priv(dev);
737 	local = iface->local;
738 	iface->stats.rx_packets++;
739 	iface->stats.rx_bytes += skb->len;
740 
741 	/* dev is the master radio device; change this to be the default
742 	 * virtual interface (this may be changed to WDS device below) */
743 	dev = local->ddev;
744 	iface = netdev_priv(dev);
745 
746 	hdr = (struct ieee80211_hdr *) skb->data;
747 
748 	if (skb->len < 10)
749 		goto rx_dropped;
750 
751 	fc = le16_to_cpu(hdr->frame_control);
752 	type = fc & IEEE80211_FCTL_FTYPE;
753 	stype = fc & IEEE80211_FCTL_STYPE;
754 	sc = le16_to_cpu(hdr->seq_ctrl);
755 	frag = sc & IEEE80211_SCTL_FRAG;
756 	hdrlen = hostap_80211_get_hdrlen(hdr->frame_control);
757 
758 	/* Put this code here so that we avoid duplicating it in all
759 	 * Rx paths. - Jean II */
760 #ifdef IW_WIRELESS_SPY		/* defined in iw_handler.h */
761 	/* If spy monitoring on */
762 	if (iface->spy_data.spy_number > 0) {
763 		struct iw_quality wstats;
764 		wstats.level = rx_stats->signal;
765 		wstats.noise = rx_stats->noise;
766 		wstats.updated = IW_QUAL_LEVEL_UPDATED | IW_QUAL_NOISE_UPDATED
767 			| IW_QUAL_QUAL_INVALID | IW_QUAL_DBM;
768 		/* Update spy records */
769 		wireless_spy_update(dev, hdr->addr2, &wstats);
770 	}
771 #endif /* IW_WIRELESS_SPY */
772 	hostap_update_rx_stats(local->ap, hdr, rx_stats);
773 
774 	if (local->iw_mode == IW_MODE_MONITOR) {
775 		monitor_rx(dev, skb, rx_stats);
776 		return;
777 	}
778 
779 	if (local->host_decrypt) {
780 		int idx = 0;
781 		if (skb->len >= hdrlen + 3)
782 			idx = skb->data[hdrlen + 3] >> 6;
783 		crypt = local->crypt_info.crypt[idx];
784 		sta = NULL;
785 
786 		/* Use station specific key to override default keys if the
787 		 * receiver address is a unicast address ("individual RA"). If
788 		 * bcrx_sta_key parameter is set, station specific key is used
789 		 * even with broad/multicast targets (this is against IEEE
790 		 * 802.11, but makes it easier to use different keys with
791 		 * stations that do not support WEP key mapping). */
792 
793 		if (!(hdr->addr1[0] & 0x01) || local->bcrx_sta_key)
794 			(void) hostap_handle_sta_crypto(local, hdr, &crypt,
795 							&sta);
796 
797 		/* allow NULL decrypt to indicate an station specific override
798 		 * for default encryption */
799 		if (crypt && (crypt->ops == NULL ||
800 			      crypt->ops->decrypt_mpdu == NULL))
801 			crypt = NULL;
802 
803 		if (!crypt && (fc & IEEE80211_FCTL_PROTECTED)) {
804 #if 0
805 			/* This seems to be triggered by some (multicast?)
806 			 * frames from other than current BSS, so just drop the
807 			 * frames silently instead of filling system log with
808 			 * these reports. */
809 			printk(KERN_DEBUG "%s: WEP decryption failed (not set)"
810 			       " (SA=%pM)\n",
811 			       local->dev->name, hdr->addr2);
812 #endif
813 			local->comm_tallies.rx_discards_wep_undecryptable++;
814 			goto rx_dropped;
815 		}
816 	}
817 
818 	if (type != IEEE80211_FTYPE_DATA) {
819 		if (type == IEEE80211_FTYPE_MGMT &&
820 		    stype == IEEE80211_STYPE_AUTH &&
821 		    fc & IEEE80211_FCTL_PROTECTED && local->host_decrypt &&
822 		    (keyidx = hostap_rx_frame_decrypt(local, skb, crypt)) < 0)
823 		{
824 			printk(KERN_DEBUG "%s: failed to decrypt mgmt::auth "
825 			       "from %pM\n", dev->name, hdr->addr2);
826 			/* TODO: could inform hostapd about this so that it
827 			 * could send auth failure report */
828 			goto rx_dropped;
829 		}
830 
831 		if (hostap_rx_frame_mgmt(local, skb, rx_stats, type, stype))
832 			goto rx_dropped;
833 		else
834 			goto rx_exit;
835 	}
836 
837 	/* Data frame - extract src/dst addresses */
838 	if (skb->len < IEEE80211_DATA_HDR3_LEN)
839 		goto rx_dropped;
840 
841 	switch (fc & (IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS)) {
842 	case IEEE80211_FCTL_FROMDS:
843 		memcpy(dst, hdr->addr1, ETH_ALEN);
844 		memcpy(src, hdr->addr3, ETH_ALEN);
845 		break;
846 	case IEEE80211_FCTL_TODS:
847 		memcpy(dst, hdr->addr3, ETH_ALEN);
848 		memcpy(src, hdr->addr2, ETH_ALEN);
849 		break;
850 	case IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS:
851 		if (skb->len < IEEE80211_DATA_HDR4_LEN)
852 			goto rx_dropped;
853 		memcpy(dst, hdr->addr3, ETH_ALEN);
854 		memcpy(src, hdr->addr4, ETH_ALEN);
855 		break;
856 	default:
857 		memcpy(dst, hdr->addr1, ETH_ALEN);
858 		memcpy(src, hdr->addr2, ETH_ALEN);
859 		break;
860 	}
861 
862 	if (hostap_rx_frame_wds(local, hdr, fc, &wds))
863 		goto rx_dropped;
864 	if (wds)
865 		skb->dev = dev = wds;
866 
867 	if (local->iw_mode == IW_MODE_MASTER && !wds &&
868 	    (fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) ==
869 	    IEEE80211_FCTL_FROMDS &&
870 	    local->stadev &&
871 	    memcmp(hdr->addr2, local->assoc_ap_addr, ETH_ALEN) == 0) {
872 		/* Frame from BSSID of the AP for which we are a client */
873 		skb->dev = dev = local->stadev;
874 		from_assoc_ap = 1;
875 	}
876 
877 	if ((local->iw_mode == IW_MODE_MASTER ||
878 	     local->iw_mode == IW_MODE_REPEAT) &&
879 	    !from_assoc_ap) {
880 		switch (hostap_handle_sta_rx(local, dev, skb, rx_stats,
881 					     wds != NULL)) {
882 		case AP_RX_CONTINUE_NOT_AUTHORIZED:
883 			frame_authorized = 0;
884 			break;
885 		case AP_RX_CONTINUE:
886 			frame_authorized = 1;
887 			break;
888 		case AP_RX_DROP:
889 			goto rx_dropped;
890 		case AP_RX_EXIT:
891 			goto rx_exit;
892 		}
893 	}
894 
895 	/* Nullfunc frames may have PS-bit set, so they must be passed to
896 	 * hostap_handle_sta_rx() before being dropped here. */
897 	if (stype != IEEE80211_STYPE_DATA &&
898 	    stype != IEEE80211_STYPE_DATA_CFACK &&
899 	    stype != IEEE80211_STYPE_DATA_CFPOLL &&
900 	    stype != IEEE80211_STYPE_DATA_CFACKPOLL) {
901 		if (stype != IEEE80211_STYPE_NULLFUNC)
902 			printk(KERN_DEBUG "%s: RX: dropped data frame "
903 			       "with no data (type=0x%02x, subtype=0x%02x)\n",
904 			       dev->name, type >> 2, stype >> 4);
905 		goto rx_dropped;
906 	}
907 
908 	/* skb: hdr + (possibly fragmented, possibly encrypted) payload */
909 
910 	if (local->host_decrypt && (fc & IEEE80211_FCTL_PROTECTED) &&
911 	    (keyidx = hostap_rx_frame_decrypt(local, skb, crypt)) < 0)
912 		goto rx_dropped;
913 	hdr = (struct ieee80211_hdr *) skb->data;
914 
915 	/* skb: hdr + (possibly fragmented) plaintext payload */
916 
917 	if (local->host_decrypt && (fc & IEEE80211_FCTL_PROTECTED) &&
918 	    (frag != 0 || (fc & IEEE80211_FCTL_MOREFRAGS))) {
919 		int flen;
920 		struct sk_buff *frag_skb =
921 			prism2_frag_cache_get(local, hdr);
922 		if (!frag_skb) {
923 			printk(KERN_DEBUG "%s: Rx cannot get skb from "
924 			       "fragment cache (morefrag=%d seq=%u frag=%u)\n",
925 			       dev->name, (fc & IEEE80211_FCTL_MOREFRAGS) != 0,
926 			       (sc & IEEE80211_SCTL_SEQ) >> 4, frag);
927 			goto rx_dropped;
928 		}
929 
930 		flen = skb->len;
931 		if (frag != 0)
932 			flen -= hdrlen;
933 
934 		if (frag_skb->tail + flen > frag_skb->end) {
935 			printk(KERN_WARNING "%s: host decrypted and "
936 			       "reassembled frame did not fit skb\n",
937 			       dev->name);
938 			prism2_frag_cache_invalidate(local, hdr);
939 			goto rx_dropped;
940 		}
941 
942 		if (frag == 0) {
943 			/* copy first fragment (including full headers) into
944 			 * beginning of the fragment cache skb */
945 			skb_copy_from_linear_data(skb, skb_put(frag_skb, flen),
946 						  flen);
947 		} else {
948 			/* append frame payload to the end of the fragment
949 			 * cache skb */
950 			skb_copy_from_linear_data_offset(skb, hdrlen,
951 							 skb_put(frag_skb,
952 								 flen), flen);
953 		}
954 		dev_kfree_skb(skb);
955 		skb = NULL;
956 
957 		if (fc & IEEE80211_FCTL_MOREFRAGS) {
958 			/* more fragments expected - leave the skb in fragment
959 			 * cache for now; it will be delivered to upper layers
960 			 * after all fragments have been received */
961 			goto rx_exit;
962 		}
963 
964 		/* this was the last fragment and the frame will be
965 		 * delivered, so remove skb from fragment cache */
966 		skb = frag_skb;
967 		hdr = (struct ieee80211_hdr *) skb->data;
968 		prism2_frag_cache_invalidate(local, hdr);
969 	}
970 
971 	/* skb: hdr + (possible reassembled) full MSDU payload; possibly still
972 	 * encrypted/authenticated */
973 
974 	if (local->host_decrypt && (fc & IEEE80211_FCTL_PROTECTED) &&
975 	    hostap_rx_frame_decrypt_msdu(local, skb, keyidx, crypt))
976 		goto rx_dropped;
977 
978 	hdr = (struct ieee80211_hdr *) skb->data;
979 	if (crypt && !(fc & IEEE80211_FCTL_PROTECTED) && !local->open_wep) {
980 		if (local->ieee_802_1x &&
981 		    hostap_is_eapol_frame(local, skb)) {
982 			/* pass unencrypted EAPOL frames even if encryption is
983 			 * configured */
984 			PDEBUG(DEBUG_EXTRA2, "%s: RX: IEEE 802.1X - passing "
985 			       "unencrypted EAPOL frame\n", local->dev->name);
986 		} else {
987 			printk(KERN_DEBUG "%s: encryption configured, but RX "
988 			       "frame not encrypted (SA=%pM)\n",
989 			       local->dev->name, hdr->addr2);
990 			goto rx_dropped;
991 		}
992 	}
993 
994 	if (local->drop_unencrypted && !(fc & IEEE80211_FCTL_PROTECTED) &&
995 	    !hostap_is_eapol_frame(local, skb)) {
996 		if (net_ratelimit()) {
997 			printk(KERN_DEBUG "%s: dropped unencrypted RX data "
998 			       "frame from %pM (drop_unencrypted=1)\n",
999 			       dev->name, hdr->addr2);
1000 		}
1001 		goto rx_dropped;
1002 	}
1003 
1004 	/* skb: hdr + (possible reassembled) full plaintext payload */
1005 
1006 	payload = skb->data + hdrlen;
1007 	ethertype = (payload[6] << 8) | payload[7];
1008 
1009 	/* If IEEE 802.1X is used, check whether the port is authorized to send
1010 	 * the received frame. */
1011 	if (local->ieee_802_1x && local->iw_mode == IW_MODE_MASTER) {
1012 		if (ethertype == ETH_P_PAE) {
1013 			PDEBUG(DEBUG_EXTRA2, "%s: RX: IEEE 802.1X frame\n",
1014 			       dev->name);
1015 			if (local->hostapd && local->apdev) {
1016 				/* Send IEEE 802.1X frames to the user
1017 				 * space daemon for processing */
1018 				prism2_rx_80211(local->apdev, skb, rx_stats,
1019 						PRISM2_RX_MGMT);
1020 				local->apdevstats.rx_packets++;
1021 				local->apdevstats.rx_bytes += skb->len;
1022 				goto rx_exit;
1023 			}
1024 		} else if (!frame_authorized) {
1025 			printk(KERN_DEBUG "%s: dropped frame from "
1026 			       "unauthorized port (IEEE 802.1X): "
1027 			       "ethertype=0x%04x\n",
1028 			       dev->name, ethertype);
1029 			goto rx_dropped;
1030 		}
1031 	}
1032 
1033 	/* convert hdr + possible LLC headers into Ethernet header */
1034 	if (skb->len - hdrlen >= 8 &&
1035 	    ((memcmp(payload, rfc1042_header, 6) == 0 &&
1036 	      ethertype != ETH_P_AARP && ethertype != ETH_P_IPX) ||
1037 	     memcmp(payload, bridge_tunnel_header, 6) == 0)) {
1038 		/* remove RFC1042 or Bridge-Tunnel encapsulation and
1039 		 * replace EtherType */
1040 		skb_pull(skb, hdrlen + 6);
1041 		memcpy(skb_push(skb, ETH_ALEN), src, ETH_ALEN);
1042 		memcpy(skb_push(skb, ETH_ALEN), dst, ETH_ALEN);
1043 	} else {
1044 		__be16 len;
1045 		/* Leave Ethernet header part of hdr and full payload */
1046 		skb_pull(skb, hdrlen);
1047 		len = htons(skb->len);
1048 		memcpy(skb_push(skb, 2), &len, 2);
1049 		memcpy(skb_push(skb, ETH_ALEN), src, ETH_ALEN);
1050 		memcpy(skb_push(skb, ETH_ALEN), dst, ETH_ALEN);
1051 	}
1052 
1053 	if (wds && ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) ==
1054 		    IEEE80211_FCTL_TODS) &&
1055 	    skb->len >= ETH_HLEN + ETH_ALEN) {
1056 		/* Non-standard frame: get addr4 from its bogus location after
1057 		 * the payload */
1058 		skb_copy_from_linear_data_offset(skb, skb->len - ETH_ALEN,
1059 						 skb->data + ETH_ALEN,
1060 						 ETH_ALEN);
1061 		skb_trim(skb, skb->len - ETH_ALEN);
1062 	}
1063 
1064 	dev->stats.rx_packets++;
1065 	dev->stats.rx_bytes += skb->len;
1066 
1067 	if (local->iw_mode == IW_MODE_MASTER && !wds &&
1068 	    local->ap->bridge_packets) {
1069 		if (dst[0] & 0x01) {
1070 			/* copy multicast frame both to the higher layers and
1071 			 * to the wireless media */
1072 			local->ap->bridged_multicast++;
1073 			skb2 = skb_clone(skb, GFP_ATOMIC);
1074 			if (skb2 == NULL)
1075 				printk(KERN_DEBUG "%s: skb_clone failed for "
1076 				       "multicast frame\n", dev->name);
1077 		} else if (hostap_is_sta_authorized(local->ap, dst)) {
1078 			/* send frame directly to the associated STA using
1079 			 * wireless media and not passing to higher layers */
1080 			local->ap->bridged_unicast++;
1081 			skb2 = skb;
1082 			skb = NULL;
1083 		}
1084 	}
1085 
1086 	if (skb2 != NULL) {
1087 		/* send to wireless media */
1088 		skb2->dev = dev;
1089 		skb2->protocol = cpu_to_be16(ETH_P_802_3);
1090 		skb_reset_mac_header(skb2);
1091 		skb_reset_network_header(skb2);
1092 		/* skb2->network_header += ETH_HLEN; */
1093 		dev_queue_xmit(skb2);
1094 	}
1095 
1096 	if (skb) {
1097 		skb->protocol = eth_type_trans(skb, dev);
1098 		memset(skb->cb, 0, sizeof(skb->cb));
1099 		netif_rx(skb);
1100 	}
1101 
1102  rx_exit:
1103 	if (sta)
1104 		hostap_handle_sta_release(sta);
1105 	return;
1106 
1107  rx_dropped:
1108 	dev_kfree_skb(skb);
1109 
1110 	dev->stats.rx_dropped++;
1111 	goto rx_exit;
1112 }
1113 
1114 
1115 EXPORT_SYMBOL(hostap_80211_rx);
1116