Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
hostap_80211_rx.c
Go to the documentation of this file.
1 #include <linux/etherdevice.h>
2 #include <linux/slab.h>
3 #include <linux/export.h>
4 #include <net/lib80211.h>
5 #include <linux/if_arp.h>
6 
7 #include "hostap_80211.h"
8 #include "hostap.h"
9 #include "hostap_ap.h"
10 
11 /* See IEEE 802.1H for LLC/SNAP encapsulation/decapsulation */
12 /* Ethernet-II snap header (RFC1042 for most EtherTypes) */
13 static unsigned char rfc1042_header[] =
14 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };
15 /* Bridge-Tunnel header (for EtherTypes ETH_P_AARP and ETH_P_IPX) */
16 static unsigned char bridge_tunnel_header[] =
17 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0xf8 };
18 /* No encapsulation header if EtherType < 0x600 (=length) */
19 
20 void hostap_dump_rx_80211(const char *name, struct sk_buff *skb,
22 {
23  struct ieee80211_hdr *hdr;
24  u16 fc;
25 
26  hdr = (struct ieee80211_hdr *) skb->data;
27 
28  printk(KERN_DEBUG "%s: RX signal=%d noise=%d rate=%d len=%d "
29  "jiffies=%ld\n",
30  name, rx_stats->signal, rx_stats->noise, rx_stats->rate,
31  skb->len, jiffies);
32 
33  if (skb->len < 2)
34  return;
35 
36  fc = le16_to_cpu(hdr->frame_control);
37  printk(KERN_DEBUG " FC=0x%04x (type=%d:%d)%s%s",
38  fc, (fc & IEEE80211_FCTL_FTYPE) >> 2,
39  (fc & IEEE80211_FCTL_STYPE) >> 4,
40  fc & IEEE80211_FCTL_TODS ? " [ToDS]" : "",
41  fc & IEEE80211_FCTL_FROMDS ? " [FromDS]" : "");
42 
43  if (skb->len < IEEE80211_DATA_HDR3_LEN) {
44  printk("\n");
45  return;
46  }
47 
48  printk(" dur=0x%04x seq=0x%04x\n", le16_to_cpu(hdr->duration_id),
49  le16_to_cpu(hdr->seq_ctrl));
50 
51  printk(KERN_DEBUG " A1=%pM", hdr->addr1);
52  printk(" A2=%pM", hdr->addr2);
53  printk(" A3=%pM", hdr->addr3);
54  if (skb->len >= 30)
55  printk(" A4=%pM", hdr->addr4);
56  printk("\n");
57 }
58 
59 
60 /* Send RX frame to netif with 802.11 (and possible prism) header.
61  * Called from hardware or software IRQ context. */
62 int prism2_rx_80211(struct net_device *dev, struct sk_buff *skb,
64 {
65  struct hostap_interface *iface;
66  local_info_t *local;
67  int hdrlen, phdrlen, head_need, tail_need;
68  u16 fc;
69  int prism_header, ret;
70  struct ieee80211_hdr *fhdr;
71 
72  iface = netdev_priv(dev);
73  local = iface->local;
74 
75  if (dev->type == ARPHRD_IEEE80211_PRISM) {
76  if (local->monitor_type == PRISM2_MONITOR_PRISM) {
77  prism_header = 1;
78  phdrlen = sizeof(struct linux_wlan_ng_prism_hdr);
79  } else { /* local->monitor_type == PRISM2_MONITOR_CAPHDR */
80  prism_header = 2;
81  phdrlen = sizeof(struct linux_wlan_ng_cap_hdr);
82  }
83  } else if (dev->type == ARPHRD_IEEE80211_RADIOTAP) {
84  prism_header = 3;
85  phdrlen = sizeof(struct hostap_radiotap_rx);
86  } else {
87  prism_header = 0;
88  phdrlen = 0;
89  }
90 
91  fhdr = (struct ieee80211_hdr *) skb->data;
92  fc = le16_to_cpu(fhdr->frame_control);
93 
94  if (type == PRISM2_RX_MGMT && (fc & IEEE80211_FCTL_VERS)) {
95  printk(KERN_DEBUG "%s: dropped management frame with header "
96  "version %d\n", dev->name, fc & IEEE80211_FCTL_VERS);
97  dev_kfree_skb_any(skb);
98  return 0;
99  }
100 
101  hdrlen = hostap_80211_get_hdrlen(fhdr->frame_control);
102 
103  /* check if there is enough room for extra data; if not, expand skb
104  * buffer to be large enough for the changes */
105  head_need = phdrlen;
106  tail_need = 0;
107 #ifdef PRISM2_ADD_BOGUS_CRC
108  tail_need += 4;
109 #endif /* PRISM2_ADD_BOGUS_CRC */
110 
111  head_need -= skb_headroom(skb);
112  tail_need -= skb_tailroom(skb);
113 
114  if (head_need > 0 || tail_need > 0) {
115  if (pskb_expand_head(skb, head_need > 0 ? head_need : 0,
116  tail_need > 0 ? tail_need : 0,
117  GFP_ATOMIC)) {
118  printk(KERN_DEBUG "%s: prism2_rx_80211 failed to "
119  "reallocate skb buffer\n", dev->name);
120  dev_kfree_skb_any(skb);
121  return 0;
122  }
123  }
124 
125  /* We now have an skb with enough head and tail room, so just insert
126  * the extra data */
127 
128 #ifdef PRISM2_ADD_BOGUS_CRC
129  memset(skb_put(skb, 4), 0xff, 4); /* Prism2 strips CRC */
130 #endif /* PRISM2_ADD_BOGUS_CRC */
131 
132  if (prism_header == 1) {
134  hdr = (struct linux_wlan_ng_prism_hdr *)
135  skb_push(skb, phdrlen);
136  memset(hdr, 0, phdrlen);
137  hdr->msgcode = LWNG_CAP_DID_BASE;
138  hdr->msglen = sizeof(*hdr);
139  memcpy(hdr->devname, dev->name, sizeof(hdr->devname));
140 #define LWNG_SETVAL(f,i,s,l,d) \
141 hdr->f.did = LWNG_CAP_DID_BASE | (i << 12); \
142 hdr->f.status = s; hdr->f.len = l; hdr->f.data = d
143  LWNG_SETVAL(hosttime, 1, 0, 4, jiffies);
144  LWNG_SETVAL(mactime, 2, 0, 4, rx_stats->mac_time);
145  LWNG_SETVAL(channel, 3, 1 /* no value */, 4, 0);
146  LWNG_SETVAL(rssi, 4, 1 /* no value */, 4, 0);
147  LWNG_SETVAL(sq, 5, 1 /* no value */, 4, 0);
148  LWNG_SETVAL(signal, 6, 0, 4, rx_stats->signal);
149  LWNG_SETVAL(noise, 7, 0, 4, rx_stats->noise);
150  LWNG_SETVAL(rate, 8, 0, 4, rx_stats->rate / 5);
151  LWNG_SETVAL(istx, 9, 0, 4, 0);
152  LWNG_SETVAL(frmlen, 10, 0, 4, skb->len - phdrlen);
153 #undef LWNG_SETVAL
154  } else if (prism_header == 2) {
155  struct linux_wlan_ng_cap_hdr *hdr;
156  hdr = (struct linux_wlan_ng_cap_hdr *)
157  skb_push(skb, phdrlen);
158  memset(hdr, 0, phdrlen);
160  hdr->length = htonl(phdrlen);
161  hdr->mactime = __cpu_to_be64(rx_stats->mac_time);
163  hdr->phytype = htonl(4); /* dss_dot11_b */
164  hdr->channel = htonl(local->channel);
165  hdr->datarate = htonl(rx_stats->rate);
166  hdr->antenna = htonl(0); /* unknown */
167  hdr->priority = htonl(0); /* unknown */
168  hdr->ssi_type = htonl(3); /* raw */
169  hdr->ssi_signal = htonl(rx_stats->signal);
170  hdr->ssi_noise = htonl(rx_stats->noise);
171  hdr->preamble = htonl(0); /* unknown */
172  hdr->encoding = htonl(1); /* cck */
173  } else if (prism_header == 3) {
174  struct hostap_radiotap_rx *hdr;
175  hdr = (struct hostap_radiotap_rx *)skb_push(skb, phdrlen);
176  memset(hdr, 0, phdrlen);
177  hdr->hdr.it_len = cpu_to_le16(phdrlen);
178  hdr->hdr.it_present =
181  (1 << IEEE80211_RADIOTAP_RATE) |
184  hdr->tsft = cpu_to_le64(rx_stats->mac_time);
185  hdr->chan_freq = cpu_to_le16(freq_list[local->channel - 1]);
188  hdr->rate = rx_stats->rate / 5;
189  hdr->dbm_antsignal = rx_stats->signal;
190  hdr->dbm_antnoise = rx_stats->noise;
191  }
192 
193  ret = skb->len - phdrlen;
194  skb->dev = dev;
195  skb_reset_mac_header(skb);
196  skb_pull(skb, hdrlen);
197  if (prism_header)
198  skb_pull(skb, phdrlen);
199  skb->pkt_type = PACKET_OTHERHOST;
201  memset(skb->cb, 0, sizeof(skb->cb));
202  netif_rx(skb);
203 
204  return ret;
205 }
206 
207 
208 /* Called only as a tasklet (software IRQ) */
209 static void monitor_rx(struct net_device *dev, struct sk_buff *skb,
211 {
212  int len;
213 
214  len = prism2_rx_80211(dev, skb, rx_stats, PRISM2_RX_MONITOR);
215  dev->stats.rx_packets++;
216  dev->stats.rx_bytes += len;
217 }
218 
219 
220 /* Called only as a tasklet (software IRQ) */
221 static struct prism2_frag_entry *
222 prism2_frag_cache_find(local_info_t *local, unsigned int seq,
223  unsigned int frag, u8 *src, u8 *dst)
224 {
225  struct prism2_frag_entry *entry;
226  int i;
227 
228  for (i = 0; i < PRISM2_FRAG_CACHE_LEN; i++) {
229  entry = &local->frag_cache[i];
230  if (entry->skb != NULL &&
231  time_after(jiffies, entry->first_frag_time + 2 * HZ)) {
232  printk(KERN_DEBUG "%s: expiring fragment cache entry "
233  "seq=%u last_frag=%u\n",
234  local->dev->name, entry->seq, entry->last_frag);
235  dev_kfree_skb(entry->skb);
236  entry->skb = NULL;
237  }
238 
239  if (entry->skb != NULL && entry->seq == seq &&
240  (entry->last_frag + 1 == frag || frag == -1) &&
241  memcmp(entry->src_addr, src, ETH_ALEN) == 0 &&
242  memcmp(entry->dst_addr, dst, ETH_ALEN) == 0)
243  return entry;
244  }
245 
246  return NULL;
247 }
248 
249 
250 /* Called only as a tasklet (software IRQ) */
251 static struct sk_buff *
252 prism2_frag_cache_get(local_info_t *local, struct ieee80211_hdr *hdr)
253 {
254  struct sk_buff *skb = NULL;
255  u16 sc;
256  unsigned int frag, seq;
257  struct prism2_frag_entry *entry;
258 
259  sc = le16_to_cpu(hdr->seq_ctrl);
260  frag = sc & IEEE80211_SCTL_FRAG;
261  seq = (sc & IEEE80211_SCTL_SEQ) >> 4;
262 
263  if (frag == 0) {
264  /* Reserve enough space to fit maximum frame length */
265  skb = dev_alloc_skb(local->dev->mtu +
266  sizeof(struct ieee80211_hdr) +
267  8 /* LLC */ +
268  2 /* alignment */ +
269  8 /* WEP */ + ETH_ALEN /* WDS */);
270  if (skb == NULL)
271  return NULL;
272 
273  entry = &local->frag_cache[local->frag_next_idx];
274  local->frag_next_idx++;
275  if (local->frag_next_idx >= PRISM2_FRAG_CACHE_LEN)
276  local->frag_next_idx = 0;
277 
278  if (entry->skb != NULL)
279  dev_kfree_skb(entry->skb);
280 
281  entry->first_frag_time = jiffies;
282  entry->seq = seq;
283  entry->last_frag = frag;
284  entry->skb = skb;
285  memcpy(entry->src_addr, hdr->addr2, ETH_ALEN);
286  memcpy(entry->dst_addr, hdr->addr1, ETH_ALEN);
287  } else {
288  /* received a fragment of a frame for which the head fragment
289  * should have already been received */
290  entry = prism2_frag_cache_find(local, seq, frag, hdr->addr2,
291  hdr->addr1);
292  if (entry != NULL) {
293  entry->last_frag = frag;
294  skb = entry->skb;
295  }
296  }
297 
298  return skb;
299 }
300 
301 
302 /* Called only as a tasklet (software IRQ) */
303 static int prism2_frag_cache_invalidate(local_info_t *local,
304  struct ieee80211_hdr *hdr)
305 {
306  u16 sc;
307  unsigned int seq;
308  struct prism2_frag_entry *entry;
309 
310  sc = le16_to_cpu(hdr->seq_ctrl);
311  seq = (sc & IEEE80211_SCTL_SEQ) >> 4;
312 
313  entry = prism2_frag_cache_find(local, seq, -1, hdr->addr2, hdr->addr1);
314 
315  if (entry == NULL) {
316  printk(KERN_DEBUG "%s: could not invalidate fragment cache "
317  "entry (seq=%u)\n",
318  local->dev->name, seq);
319  return -1;
320  }
321 
322  entry->skb = NULL;
323  return 0;
324 }
325 
326 
327 static struct hostap_bss_info *__hostap_get_bss(local_info_t *local, u8 *bssid,
328  u8 *ssid, size_t ssid_len)
329 {
330  struct list_head *ptr;
331  struct hostap_bss_info *bss;
332 
333  list_for_each(ptr, &local->bss_list) {
334  bss = list_entry(ptr, struct hostap_bss_info, list);
335  if (memcmp(bss->bssid, bssid, ETH_ALEN) == 0 &&
336  (ssid == NULL ||
337  (ssid_len == bss->ssid_len &&
338  memcmp(ssid, bss->ssid, ssid_len) == 0))) {
339  list_move(&bss->list, &local->bss_list);
340  return bss;
341  }
342  }
343 
344  return NULL;
345 }
346 
347 
348 static struct hostap_bss_info *__hostap_add_bss(local_info_t *local, u8 *bssid,
349  u8 *ssid, size_t ssid_len)
350 {
351  struct hostap_bss_info *bss;
352 
353  if (local->num_bss_info >= HOSTAP_MAX_BSS_COUNT) {
354  bss = list_entry(local->bss_list.prev,
355  struct hostap_bss_info, list);
356  list_del(&bss->list);
357  local->num_bss_info--;
358  } else {
359  bss = kmalloc(sizeof(*bss), GFP_ATOMIC);
360  if (bss == NULL)
361  return NULL;
362  }
363 
364  memset(bss, 0, sizeof(*bss));
365  memcpy(bss->bssid, bssid, ETH_ALEN);
366  memcpy(bss->ssid, ssid, ssid_len);
367  bss->ssid_len = ssid_len;
368  local->num_bss_info++;
369  list_add(&bss->list, &local->bss_list);
370  return bss;
371 }
372 
373 
374 static void __hostap_expire_bss(local_info_t *local)
375 {
376  struct hostap_bss_info *bss;
377 
378  while (local->num_bss_info > 0) {
379  bss = list_entry(local->bss_list.prev,
380  struct hostap_bss_info, list);
381  if (!time_after(jiffies, bss->last_update + 60 * HZ))
382  break;
383 
384  list_del(&bss->list);
385  local->num_bss_info--;
386  kfree(bss);
387  }
388 }
389 
390 
391 /* Both IEEE 802.11 Beacon and Probe Response frames have similar structure, so
392  * the same routine can be used to parse both of them. */
393 static void hostap_rx_sta_beacon(local_info_t *local, struct sk_buff *skb,
394  int stype)
395 {
396  struct hostap_ieee80211_mgmt *mgmt;
397  int left, chan = 0;
398  u8 *pos;
399  u8 *ssid = NULL, *wpa = NULL, *rsn = NULL;
400  size_t ssid_len = 0, wpa_len = 0, rsn_len = 0;
401  struct hostap_bss_info *bss;
402 
403  if (skb->len < IEEE80211_MGMT_HDR_LEN + sizeof(mgmt->u.beacon))
404  return;
405 
406  mgmt = (struct hostap_ieee80211_mgmt *) skb->data;
407  pos = mgmt->u.beacon.variable;
408  left = skb->len - (pos - skb->data);
409 
410  while (left >= 2) {
411  if (2 + pos[1] > left)
412  return; /* parse failed */
413  switch (*pos) {
414  case WLAN_EID_SSID:
415  ssid = pos + 2;
416  ssid_len = pos[1];
417  break;
418  case WLAN_EID_GENERIC:
419  if (pos[1] >= 4 &&
420  pos[2] == 0x00 && pos[3] == 0x50 &&
421  pos[4] == 0xf2 && pos[5] == 1) {
422  wpa = pos;
423  wpa_len = pos[1] + 2;
424  }
425  break;
426  case WLAN_EID_RSN:
427  rsn = pos;
428  rsn_len = pos[1] + 2;
429  break;
430  case WLAN_EID_DS_PARAMS:
431  if (pos[1] >= 1)
432  chan = pos[2];
433  break;
434  }
435  left -= 2 + pos[1];
436  pos += 2 + pos[1];
437  }
438 
439  if (wpa_len > MAX_WPA_IE_LEN)
440  wpa_len = MAX_WPA_IE_LEN;
441  if (rsn_len > MAX_WPA_IE_LEN)
442  rsn_len = MAX_WPA_IE_LEN;
443  if (ssid_len > sizeof(bss->ssid))
444  ssid_len = sizeof(bss->ssid);
445 
446  spin_lock(&local->lock);
447  bss = __hostap_get_bss(local, mgmt->bssid, ssid, ssid_len);
448  if (bss == NULL)
449  bss = __hostap_add_bss(local, mgmt->bssid, ssid, ssid_len);
450  if (bss) {
451  bss->last_update = jiffies;
452  bss->count++;
453  bss->capab_info = le16_to_cpu(mgmt->u.beacon.capab_info);
454  if (wpa) {
455  memcpy(bss->wpa_ie, wpa, wpa_len);
456  bss->wpa_ie_len = wpa_len;
457  } else
458  bss->wpa_ie_len = 0;
459  if (rsn) {
460  memcpy(bss->rsn_ie, rsn, rsn_len);
461  bss->rsn_ie_len = rsn_len;
462  } else
463  bss->rsn_ie_len = 0;
464  bss->chan = chan;
465  }
466  __hostap_expire_bss(local);
467  spin_unlock(&local->lock);
468 }
469 
470 
471 static int
472 hostap_rx_frame_mgmt(local_info_t *local, struct sk_buff *skb,
474  u16 stype)
475 {
476  if (local->iw_mode == IW_MODE_MASTER)
477  hostap_update_sta_ps(local, (struct ieee80211_hdr *) skb->data);
478 
479  if (local->hostapd && type == IEEE80211_FTYPE_MGMT) {
480  if (stype == IEEE80211_STYPE_BEACON &&
481  local->iw_mode == IW_MODE_MASTER) {
482  struct sk_buff *skb2;
483  /* Process beacon frames also in kernel driver to
484  * update STA(AP) table statistics */
485  skb2 = skb_clone(skb, GFP_ATOMIC);
486  if (skb2)
487  hostap_rx(skb2->dev, skb2, rx_stats);
488  }
489 
490  /* send management frames to the user space daemon for
491  * processing */
492  local->apdevstats.rx_packets++;
493  local->apdevstats.rx_bytes += skb->len;
494  if (local->apdev == NULL)
495  return -1;
496  prism2_rx_80211(local->apdev, skb, rx_stats, PRISM2_RX_MGMT);
497  return 0;
498  }
499 
500  if (local->iw_mode == IW_MODE_MASTER) {
501  if (type != IEEE80211_FTYPE_MGMT &&
502  type != IEEE80211_FTYPE_CTL) {
503  printk(KERN_DEBUG "%s: unknown management frame "
504  "(type=0x%02x, stype=0x%02x) dropped\n",
505  skb->dev->name, type >> 2, stype >> 4);
506  return -1;
507  }
508 
509  hostap_rx(skb->dev, skb, rx_stats);
510  return 0;
511  } else if (type == IEEE80211_FTYPE_MGMT &&
512  (stype == IEEE80211_STYPE_BEACON ||
513  stype == IEEE80211_STYPE_PROBE_RESP)) {
514  hostap_rx_sta_beacon(local, skb, stype);
515  return -1;
516  } else if (type == IEEE80211_FTYPE_MGMT &&
517  (stype == IEEE80211_STYPE_ASSOC_RESP ||
518  stype == IEEE80211_STYPE_REASSOC_RESP)) {
519  /* Ignore (Re)AssocResp silently since these are not currently
520  * needed but are still received when WPA/RSN mode is enabled.
521  */
522  return -1;
523  } else {
524  printk(KERN_DEBUG "%s: hostap_rx_frame_mgmt: dropped unhandled"
525  " management frame in non-Host AP mode (type=%d:%d)\n",
526  skb->dev->name, type >> 2, stype >> 4);
527  return -1;
528  }
529 }
530 
531 
532 /* Called only as a tasklet (software IRQ) */
533 static struct net_device *prism2_rx_get_wds(local_info_t *local,
534  u8 *addr)
535 {
536  struct hostap_interface *iface = NULL;
537  struct list_head *ptr;
538 
539  read_lock_bh(&local->iface_lock);
540  list_for_each(ptr, &local->hostap_interfaces) {
541  iface = list_entry(ptr, struct hostap_interface, list);
542  if (iface->type == HOSTAP_INTERFACE_WDS &&
543  memcmp(iface->u.wds.remote_addr, addr, ETH_ALEN) == 0)
544  break;
545  iface = NULL;
546  }
547  read_unlock_bh(&local->iface_lock);
548 
549  return iface ? iface->dev : NULL;
550 }
551 
552 
553 static int
554 hostap_rx_frame_wds(local_info_t *local, struct ieee80211_hdr *hdr, u16 fc,
555  struct net_device **wds)
556 {
557  /* FIX: is this really supposed to accept WDS frames only in Master
558  * mode? What about Repeater or Managed with WDS frames? */
561  (local->iw_mode != IW_MODE_MASTER || !(fc & IEEE80211_FCTL_TODS)))
562  return 0; /* not a WDS frame */
563 
564  /* Possible WDS frame: either IEEE 802.11 compliant (if FromDS)
565  * or own non-standard frame with 4th address after payload */
566  if (memcmp(hdr->addr1, local->dev->dev_addr, ETH_ALEN) != 0 &&
567  (hdr->addr1[0] != 0xff || hdr->addr1[1] != 0xff ||
568  hdr->addr1[2] != 0xff || hdr->addr1[3] != 0xff ||
569  hdr->addr1[4] != 0xff || hdr->addr1[5] != 0xff)) {
570  /* RA (or BSSID) is not ours - drop */
571  PDEBUG(DEBUG_EXTRA2, "%s: received WDS frame with "
572  "not own or broadcast %s=%pM\n",
573  local->dev->name,
574  fc & IEEE80211_FCTL_FROMDS ? "RA" : "BSSID",
575  hdr->addr1);
576  return -1;
577  }
578 
579  /* check if the frame came from a registered WDS connection */
580  *wds = prism2_rx_get_wds(local, hdr->addr2);
581  if (*wds == NULL && fc & IEEE80211_FCTL_FROMDS &&
582  (local->iw_mode != IW_MODE_INFRA ||
583  !(local->wds_type & HOSTAP_WDS_AP_CLIENT) ||
584  memcmp(hdr->addr2, local->bssid, ETH_ALEN) != 0)) {
585  /* require that WDS link has been registered with TA or the
586  * frame is from current AP when using 'AP client mode' */
587  PDEBUG(DEBUG_EXTRA, "%s: received WDS[4 addr] frame "
588  "from unknown TA=%pM\n",
589  local->dev->name, hdr->addr2);
590  if (local->ap && local->ap->autom_ap_wds)
591  hostap_wds_link_oper(local, hdr->addr2, WDS_ADD);
592  return -1;
593  }
594 
595  if (*wds && !(fc & IEEE80211_FCTL_FROMDS) && local->ap &&
596  hostap_is_sta_assoc(local->ap, hdr->addr2)) {
597  /* STA is actually associated with us even though it has a
598  * registered WDS link. Assume it is in 'AP client' mode.
599  * Since this is a 3-addr frame, assume it is not (bogus) WDS
600  * frame and process it like any normal ToDS frame from
601  * associated STA. */
602  *wds = NULL;
603  }
604 
605  return 0;
606 }
607 
608 
609 static int hostap_is_eapol_frame(local_info_t *local, struct sk_buff *skb)
610 {
611  struct net_device *dev = local->dev;
612  u16 fc, ethertype;
613  struct ieee80211_hdr *hdr;
614  u8 *pos;
615 
616  if (skb->len < 24)
617  return 0;
618 
619  hdr = (struct ieee80211_hdr *) skb->data;
620  fc = le16_to_cpu(hdr->frame_control);
621 
622  /* check that the frame is unicast frame to us */
623  if ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) ==
624  IEEE80211_FCTL_TODS &&
625  memcmp(hdr->addr1, dev->dev_addr, ETH_ALEN) == 0 &&
626  memcmp(hdr->addr3, dev->dev_addr, ETH_ALEN) == 0) {
627  /* ToDS frame with own addr BSSID and DA */
628  } else if ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) ==
629  IEEE80211_FCTL_FROMDS &&
630  memcmp(hdr->addr1, dev->dev_addr, ETH_ALEN) == 0) {
631  /* FromDS frame with own addr as DA */
632  } else
633  return 0;
634 
635  if (skb->len < 24 + 8)
636  return 0;
637 
638  /* check for port access entity Ethernet type */
639  pos = skb->data + 24;
640  ethertype = (pos[6] << 8) | pos[7];
641  if (ethertype == ETH_P_PAE)
642  return 1;
643 
644  return 0;
645 }
646 
647 
648 /* Called only as a tasklet (software IRQ) */
649 static int
650 hostap_rx_frame_decrypt(local_info_t *local, struct sk_buff *skb,
651  struct lib80211_crypt_data *crypt)
652 {
653  struct ieee80211_hdr *hdr;
654  int res, hdrlen;
655 
656  if (crypt == NULL || crypt->ops->decrypt_mpdu == NULL)
657  return 0;
658 
659  hdr = (struct ieee80211_hdr *) skb->data;
660  hdrlen = hostap_80211_get_hdrlen(hdr->frame_control);
661 
662  if (local->tkip_countermeasures &&
663  strcmp(crypt->ops->name, "TKIP") == 0) {
664  if (net_ratelimit()) {
665  printk(KERN_DEBUG "%s: TKIP countermeasures: dropped "
666  "received packet from %pM\n",
667  local->dev->name, hdr->addr2);
668  }
669  return -1;
670  }
671 
672  atomic_inc(&crypt->refcnt);
673  res = crypt->ops->decrypt_mpdu(skb, hdrlen, crypt->priv);
674  atomic_dec(&crypt->refcnt);
675  if (res < 0) {
676  printk(KERN_DEBUG "%s: decryption failed (SA=%pM) res=%d\n",
677  local->dev->name, hdr->addr2, res);
678  local->comm_tallies.rx_discards_wep_undecryptable++;
679  return -1;
680  }
681 
682  return res;
683 }
684 
685 
686 /* Called only as a tasklet (software IRQ) */
687 static int
688 hostap_rx_frame_decrypt_msdu(local_info_t *local, struct sk_buff *skb,
689  int keyidx, struct lib80211_crypt_data *crypt)
690 {
691  struct ieee80211_hdr *hdr;
692  int res, hdrlen;
693 
694  if (crypt == NULL || crypt->ops->decrypt_msdu == NULL)
695  return 0;
696 
697  hdr = (struct ieee80211_hdr *) skb->data;
698  hdrlen = hostap_80211_get_hdrlen(hdr->frame_control);
699 
700  atomic_inc(&crypt->refcnt);
701  res = crypt->ops->decrypt_msdu(skb, keyidx, hdrlen, crypt->priv);
702  atomic_dec(&crypt->refcnt);
703  if (res < 0) {
704  printk(KERN_DEBUG "%s: MSDU decryption/MIC verification failed"
705  " (SA=%pM keyidx=%d)\n",
706  local->dev->name, hdr->addr2, keyidx);
707  return -1;
708  }
709 
710  return 0;
711 }
712 
713 
714 /* All received frames are sent to this function. @skb contains the frame in
715  * IEEE 802.11 format, i.e., in the format it was sent over air.
716  * This function is called only as a tasklet (software IRQ). */
717 void hostap_80211_rx(struct net_device *dev, struct sk_buff *skb,
718  struct hostap_80211_rx_status *rx_stats)
719 {
720  struct hostap_interface *iface;
721  local_info_t *local;
722  struct ieee80211_hdr *hdr;
723  size_t hdrlen;
724  u16 fc, type, stype, sc;
725  struct net_device *wds = NULL;
726  unsigned int frag;
727  u8 *payload;
728  struct sk_buff *skb2 = NULL;
729  u16 ethertype;
730  int frame_authorized = 0;
731  int from_assoc_ap = 0;
732  u8 dst[ETH_ALEN];
733  u8 src[ETH_ALEN];
734  struct lib80211_crypt_data *crypt = NULL;
735  void *sta = NULL;
736  int keyidx = 0;
737 
738  iface = netdev_priv(dev);
739  local = iface->local;
740  iface->stats.rx_packets++;
741  iface->stats.rx_bytes += skb->len;
742 
743  /* dev is the master radio device; change this to be the default
744  * virtual interface (this may be changed to WDS device below) */
745  dev = local->ddev;
746  iface = netdev_priv(dev);
747 
748  hdr = (struct ieee80211_hdr *) skb->data;
749 
750  if (skb->len < 10)
751  goto rx_dropped;
752 
753  fc = le16_to_cpu(hdr->frame_control);
754  type = fc & IEEE80211_FCTL_FTYPE;
755  stype = fc & IEEE80211_FCTL_STYPE;
756  sc = le16_to_cpu(hdr->seq_ctrl);
757  frag = sc & IEEE80211_SCTL_FRAG;
758  hdrlen = hostap_80211_get_hdrlen(hdr->frame_control);
759 
760  /* Put this code here so that we avoid duplicating it in all
761  * Rx paths. - Jean II */
762 #ifdef IW_WIRELESS_SPY /* defined in iw_handler.h */
763  /* If spy monitoring on */
764  if (iface->spy_data.spy_number > 0) {
765  struct iw_quality wstats;
766  wstats.level = rx_stats->signal;
767  wstats.noise = rx_stats->noise;
770  /* Update spy records */
771  wireless_spy_update(dev, hdr->addr2, &wstats);
772  }
773 #endif /* IW_WIRELESS_SPY */
774  hostap_update_rx_stats(local->ap, hdr, rx_stats);
775 
776  if (local->iw_mode == IW_MODE_MONITOR) {
777  monitor_rx(dev, skb, rx_stats);
778  return;
779  }
780 
781  if (local->host_decrypt) {
782  int idx = 0;
783  if (skb->len >= hdrlen + 3)
784  idx = skb->data[hdrlen + 3] >> 6;
785  crypt = local->crypt_info.crypt[idx];
786  sta = NULL;
787 
788  /* Use station specific key to override default keys if the
789  * receiver address is a unicast address ("individual RA"). If
790  * bcrx_sta_key parameter is set, station specific key is used
791  * even with broad/multicast targets (this is against IEEE
792  * 802.11, but makes it easier to use different keys with
793  * stations that do not support WEP key mapping). */
794 
795  if (!(hdr->addr1[0] & 0x01) || local->bcrx_sta_key)
796  (void) hostap_handle_sta_crypto(local, hdr, &crypt,
797  &sta);
798 
799  /* allow NULL decrypt to indicate an station specific override
800  * for default encryption */
801  if (crypt && (crypt->ops == NULL ||
802  crypt->ops->decrypt_mpdu == NULL))
803  crypt = NULL;
804 
805  if (!crypt && (fc & IEEE80211_FCTL_PROTECTED)) {
806 #if 0
807  /* This seems to be triggered by some (multicast?)
808  * frames from other than current BSS, so just drop the
809  * frames silently instead of filling system log with
810  * these reports. */
811  printk(KERN_DEBUG "%s: WEP decryption failed (not set)"
812  " (SA=%pM)\n",
813  local->dev->name, hdr->addr2);
814 #endif
815  local->comm_tallies.rx_discards_wep_undecryptable++;
816  goto rx_dropped;
817  }
818  }
819 
820  if (type != IEEE80211_FTYPE_DATA) {
821  if (type == IEEE80211_FTYPE_MGMT &&
822  stype == IEEE80211_STYPE_AUTH &&
823  fc & IEEE80211_FCTL_PROTECTED && local->host_decrypt &&
824  (keyidx = hostap_rx_frame_decrypt(local, skb, crypt)) < 0)
825  {
826  printk(KERN_DEBUG "%s: failed to decrypt mgmt::auth "
827  "from %pM\n", dev->name, hdr->addr2);
828  /* TODO: could inform hostapd about this so that it
829  * could send auth failure report */
830  goto rx_dropped;
831  }
832 
833  if (hostap_rx_frame_mgmt(local, skb, rx_stats, type, stype))
834  goto rx_dropped;
835  else
836  goto rx_exit;
837  }
838 
839  /* Data frame - extract src/dst addresses */
840  if (skb->len < IEEE80211_DATA_HDR3_LEN)
841  goto rx_dropped;
842 
843  switch (fc & (IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS)) {
844  case IEEE80211_FCTL_FROMDS:
845  memcpy(dst, hdr->addr1, ETH_ALEN);
846  memcpy(src, hdr->addr3, ETH_ALEN);
847  break;
848  case IEEE80211_FCTL_TODS:
849  memcpy(dst, hdr->addr3, ETH_ALEN);
850  memcpy(src, hdr->addr2, ETH_ALEN);
851  break;
852  case IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS:
853  if (skb->len < IEEE80211_DATA_HDR4_LEN)
854  goto rx_dropped;
855  memcpy(dst, hdr->addr3, ETH_ALEN);
856  memcpy(src, hdr->addr4, ETH_ALEN);
857  break;
858  case 0:
859  memcpy(dst, hdr->addr1, ETH_ALEN);
860  memcpy(src, hdr->addr2, ETH_ALEN);
861  break;
862  }
863 
864  if (hostap_rx_frame_wds(local, hdr, fc, &wds))
865  goto rx_dropped;
866  if (wds)
867  skb->dev = dev = wds;
868 
869  if (local->iw_mode == IW_MODE_MASTER && !wds &&
870  (fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) ==
871  IEEE80211_FCTL_FROMDS &&
872  local->stadev &&
873  memcmp(hdr->addr2, local->assoc_ap_addr, ETH_ALEN) == 0) {
874  /* Frame from BSSID of the AP for which we are a client */
875  skb->dev = dev = local->stadev;
876  from_assoc_ap = 1;
877  }
878 
879  if ((local->iw_mode == IW_MODE_MASTER ||
880  local->iw_mode == IW_MODE_REPEAT) &&
881  !from_assoc_ap) {
882  switch (hostap_handle_sta_rx(local, dev, skb, rx_stats,
883  wds != NULL)) {
885  frame_authorized = 0;
886  break;
887  case AP_RX_CONTINUE:
888  frame_authorized = 1;
889  break;
890  case AP_RX_DROP:
891  goto rx_dropped;
892  case AP_RX_EXIT:
893  goto rx_exit;
894  }
895  }
896 
897  /* Nullfunc frames may have PS-bit set, so they must be passed to
898  * hostap_handle_sta_rx() before being dropped here. */
899  if (stype != IEEE80211_STYPE_DATA &&
900  stype != IEEE80211_STYPE_DATA_CFACK &&
901  stype != IEEE80211_STYPE_DATA_CFPOLL &&
903  if (stype != IEEE80211_STYPE_NULLFUNC)
904  printk(KERN_DEBUG "%s: RX: dropped data frame "
905  "with no data (type=0x%02x, subtype=0x%02x)\n",
906  dev->name, type >> 2, stype >> 4);
907  goto rx_dropped;
908  }
909 
910  /* skb: hdr + (possibly fragmented, possibly encrypted) payload */
911 
912  if (local->host_decrypt && (fc & IEEE80211_FCTL_PROTECTED) &&
913  (keyidx = hostap_rx_frame_decrypt(local, skb, crypt)) < 0)
914  goto rx_dropped;
915  hdr = (struct ieee80211_hdr *) skb->data;
916 
917  /* skb: hdr + (possibly fragmented) plaintext payload */
918 
919  if (local->host_decrypt && (fc & IEEE80211_FCTL_PROTECTED) &&
920  (frag != 0 || (fc & IEEE80211_FCTL_MOREFRAGS))) {
921  int flen;
922  struct sk_buff *frag_skb =
923  prism2_frag_cache_get(local, hdr);
924  if (!frag_skb) {
925  printk(KERN_DEBUG "%s: Rx cannot get skb from "
926  "fragment cache (morefrag=%d seq=%u frag=%u)\n",
927  dev->name, (fc & IEEE80211_FCTL_MOREFRAGS) != 0,
928  (sc & IEEE80211_SCTL_SEQ) >> 4, frag);
929  goto rx_dropped;
930  }
931 
932  flen = skb->len;
933  if (frag != 0)
934  flen -= hdrlen;
935 
936  if (frag_skb->tail + flen > frag_skb->end) {
937  printk(KERN_WARNING "%s: host decrypted and "
938  "reassembled frame did not fit skb\n",
939  dev->name);
940  prism2_frag_cache_invalidate(local, hdr);
941  goto rx_dropped;
942  }
943 
944  if (frag == 0) {
945  /* copy first fragment (including full headers) into
946  * beginning of the fragment cache skb */
947  skb_copy_from_linear_data(skb, skb_put(frag_skb, flen),
948  flen);
949  } else {
950  /* append frame payload to the end of the fragment
951  * cache skb */
952  skb_copy_from_linear_data_offset(skb, hdrlen,
953  skb_put(frag_skb,
954  flen), flen);
955  }
956  dev_kfree_skb(skb);
957  skb = NULL;
958 
959  if (fc & IEEE80211_FCTL_MOREFRAGS) {
960  /* more fragments expected - leave the skb in fragment
961  * cache for now; it will be delivered to upper layers
962  * after all fragments have been received */
963  goto rx_exit;
964  }
965 
966  /* this was the last fragment and the frame will be
967  * delivered, so remove skb from fragment cache */
968  skb = frag_skb;
969  hdr = (struct ieee80211_hdr *) skb->data;
970  prism2_frag_cache_invalidate(local, hdr);
971  }
972 
973  /* skb: hdr + (possible reassembled) full MSDU payload; possibly still
974  * encrypted/authenticated */
975 
976  if (local->host_decrypt && (fc & IEEE80211_FCTL_PROTECTED) &&
977  hostap_rx_frame_decrypt_msdu(local, skb, keyidx, crypt))
978  goto rx_dropped;
979 
980  hdr = (struct ieee80211_hdr *) skb->data;
981  if (crypt && !(fc & IEEE80211_FCTL_PROTECTED) && !local->open_wep) {
982  if (local->ieee_802_1x &&
983  hostap_is_eapol_frame(local, skb)) {
984  /* pass unencrypted EAPOL frames even if encryption is
985  * configured */
986  PDEBUG(DEBUG_EXTRA2, "%s: RX: IEEE 802.1X - passing "
987  "unencrypted EAPOL frame\n", local->dev->name);
988  } else {
989  printk(KERN_DEBUG "%s: encryption configured, but RX "
990  "frame not encrypted (SA=%pM)\n",
991  local->dev->name, hdr->addr2);
992  goto rx_dropped;
993  }
994  }
995 
996  if (local->drop_unencrypted && !(fc & IEEE80211_FCTL_PROTECTED) &&
997  !hostap_is_eapol_frame(local, skb)) {
998  if (net_ratelimit()) {
999  printk(KERN_DEBUG "%s: dropped unencrypted RX data "
1000  "frame from %pM (drop_unencrypted=1)\n",
1001  dev->name, hdr->addr2);
1002  }
1003  goto rx_dropped;
1004  }
1005 
1006  /* skb: hdr + (possible reassembled) full plaintext payload */
1007 
1008  payload = skb->data + hdrlen;
1009  ethertype = (payload[6] << 8) | payload[7];
1010 
1011  /* If IEEE 802.1X is used, check whether the port is authorized to send
1012  * the received frame. */
1013  if (local->ieee_802_1x && local->iw_mode == IW_MODE_MASTER) {
1014  if (ethertype == ETH_P_PAE) {
1015  PDEBUG(DEBUG_EXTRA2, "%s: RX: IEEE 802.1X frame\n",
1016  dev->name);
1017  if (local->hostapd && local->apdev) {
1018  /* Send IEEE 802.1X frames to the user
1019  * space daemon for processing */
1020  prism2_rx_80211(local->apdev, skb, rx_stats,
1021  PRISM2_RX_MGMT);
1022  local->apdevstats.rx_packets++;
1023  local->apdevstats.rx_bytes += skb->len;
1024  goto rx_exit;
1025  }
1026  } else if (!frame_authorized) {
1027  printk(KERN_DEBUG "%s: dropped frame from "
1028  "unauthorized port (IEEE 802.1X): "
1029  "ethertype=0x%04x\n",
1030  dev->name, ethertype);
1031  goto rx_dropped;
1032  }
1033  }
1034 
1035  /* convert hdr + possible LLC headers into Ethernet header */
1036  if (skb->len - hdrlen >= 8 &&
1037  ((memcmp(payload, rfc1042_header, 6) == 0 &&
1038  ethertype != ETH_P_AARP && ethertype != ETH_P_IPX) ||
1039  memcmp(payload, bridge_tunnel_header, 6) == 0)) {
1040  /* remove RFC1042 or Bridge-Tunnel encapsulation and
1041  * replace EtherType */
1042  skb_pull(skb, hdrlen + 6);
1043  memcpy(skb_push(skb, ETH_ALEN), src, ETH_ALEN);
1044  memcpy(skb_push(skb, ETH_ALEN), dst, ETH_ALEN);
1045  } else {
1046  __be16 len;
1047  /* Leave Ethernet header part of hdr and full payload */
1048  skb_pull(skb, hdrlen);
1049  len = htons(skb->len);
1050  memcpy(skb_push(skb, 2), &len, 2);
1051  memcpy(skb_push(skb, ETH_ALEN), src, ETH_ALEN);
1052  memcpy(skb_push(skb, ETH_ALEN), dst, ETH_ALEN);
1053  }
1054 
1055  if (wds && ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) ==
1056  IEEE80211_FCTL_TODS) &&
1057  skb->len >= ETH_HLEN + ETH_ALEN) {
1058  /* Non-standard frame: get addr4 from its bogus location after
1059  * the payload */
1060  skb_copy_from_linear_data_offset(skb, skb->len - ETH_ALEN,
1061  skb->data + ETH_ALEN,
1062  ETH_ALEN);
1063  skb_trim(skb, skb->len - ETH_ALEN);
1064  }
1065 
1066  dev->stats.rx_packets++;
1067  dev->stats.rx_bytes += skb->len;
1068 
1069  if (local->iw_mode == IW_MODE_MASTER && !wds &&
1070  local->ap->bridge_packets) {
1071  if (dst[0] & 0x01) {
1072  /* copy multicast frame both to the higher layers and
1073  * to the wireless media */
1074  local->ap->bridged_multicast++;
1075  skb2 = skb_clone(skb, GFP_ATOMIC);
1076  if (skb2 == NULL)
1077  printk(KERN_DEBUG "%s: skb_clone failed for "
1078  "multicast frame\n", dev->name);
1079  } else if (hostap_is_sta_authorized(local->ap, dst)) {
1080  /* send frame directly to the associated STA using
1081  * wireless media and not passing to higher layers */
1082  local->ap->bridged_unicast++;
1083  skb2 = skb;
1084  skb = NULL;
1085  }
1086  }
1087 
1088  if (skb2 != NULL) {
1089  /* send to wireless media */
1090  skb2->dev = dev;
1091  skb2->protocol = cpu_to_be16(ETH_P_802_3);
1092  skb_reset_mac_header(skb2);
1093  skb_reset_network_header(skb2);
1094  /* skb2->network_header += ETH_HLEN; */
1095  dev_queue_xmit(skb2);
1096  }
1097 
1098  if (skb) {
1099  skb->protocol = eth_type_trans(skb, dev);
1100  memset(skb->cb, 0, sizeof(skb->cb));
1101  netif_rx(skb);
1102  }
1103 
1104  rx_exit:
1105  if (sta)
1107  return;
1108 
1109  rx_dropped:
1110  dev_kfree_skb(skb);
1111 
1112  dev->stats.rx_dropped++;
1113  goto rx_exit;
1114 }
1115 
1116