o validate the ba policy in addba response

o leave a check for the max ba window disabled; we accept out of range values and just truncate them but may want to act differently in the future
svn path=/head/; revision=182829
2008-09-06 17:38:20 +00:00 · 2008-09-06 17:38:20 +00:00 · eaff8e2689 · 2020-12-20 02:59:44 +00:00
commit eaff8e2689
parent 9c62b7d4ed
2 changed files with 29 additions and 2 deletions
--- a/sys/net80211/ieee80211_ht.c
+++ b/sys/net80211/ieee80211_ht.c
@ -1402,7 +1402,7 @@ ieee80211_aggr_recv_action(struct ieee80211_node *ni,
 	const struct ieee80211_action *ia;
 	struct ieee80211_rx_ampdu *rap;
 	struct ieee80211_tx_ampdu *tap;
-	uint8_t dialogtoken;
+	uint8_t dialogtoken, policy;
 	uint16_t baparamset, batimeout, baseqctl, code;
 	uint16_t args[4];
 	int tid, ac, bufsiz;
@ -1470,6 +1470,7 @@ ieee80211_aggr_recv_action(struct ieee80211_node *ni,
 			baparamset = LE_READ_2(frm+5);
 			tid = MS(baparamset, IEEE80211_BAPS_TID);
 			bufsiz = MS(baparamset, IEEE80211_BAPS_BUFSIZ);
+			policy = MS(baparamset, IEEE80211_BAPS_POLICY);
 			batimeout = LE_READ_2(frm+7);

 			ac = TID_TO_WME_AC(tid);
@ -1493,6 +1494,31 @@ ieee80211_aggr_recv_action(struct ieee80211_node *ni,
 				vap->iv_stats.is_addba_badtoken++;
 				return;
 			}
+			/* NB: assumes IEEE80211_AGGR_IMMEDIATE is 1 */
+			if (policy != (tap->txa_flags & IEEE80211_AGGR_IMMEDIATE)) {
+				IEEE80211_DISCARD_MAC(vap,
+				    IEEE80211_MSG_ACTION | IEEE80211_MSG_11N,
+				    ni->ni_macaddr, "ADDBA response",
+				    "policy mismatch: expecting %s, "
+				    "received %s, tid %d code %d",
+				    tap->txa_flags & IEEE80211_AGGR_IMMEDIATE,
+				    policy, tid, code);
+				vap->iv_stats.is_addba_badpolicy++;
+				return;
+			}
+#if 0
+			/* XXX we take MIN in ieee80211_addba_response */
+			if (bufsiz > IEEE80211_AGGR_BAWMAX) {
+				IEEE80211_DISCARD_MAC(vap,
+				    IEEE80211_MSG_ACTION | IEEE80211_MSG_11N,
+				    ni->ni_macaddr, "ADDBA response",
+				    "BA window too large: max %d, "
+				    "received %d, tid %d code %d",
+				    bufsiz, IEEE80211_AGGR_BAWMAX, tid, code);
+				vap->iv_stats.is_addba_badbawinsize++;
+				return;
+			}
+#endif

 			IEEE80211_NOTE(vap,
 			    IEEE80211_MSG_ACTION | IEEE80211_MSG_11N, ni,
--- a/sys/net80211/ieee80211_ioctl.h
+++ b/sys/net80211/ieee80211_ioctl.h
@ -207,6 +207,7 @@ struct ieee80211_stats {
 	uint32_t	is_addba_norequest;	/* ADDBA response w/o ADDBA */
 	uint32_t	is_addba_badtoken;	/* ADDBA response w/ wrong
 						   dialogtoken */
+	uint32_t	is_addba_badpolicy;	/* ADDBA resp w/ wrong policy */
 	uint32_t	is_ampdu_stop;		/* A-MPDU stream stopped */
 	uint32_t	is_ampdu_stop_failed;	/* A-MPDU stream not running */
 	uint32_t	is_ampdu_rx_reorder;	/* A-MPDU held for rx reorder */
@ -215,7 +216,7 @@ struct ieee80211_stats {
 	uint8_t		is_rx_disassoc_code;	/* last rx'd disassoc reason */
 	uint8_t		is_rx_authfail_code;	/* last rx'd auth fail reason */
 	uint32_t	is_beacon_miss;		/* beacon miss notification */
-	uint32_t	is_spare[14];
+	uint32_t	is_spare[13];
 };

 /*