Commit Graph

159 Commits

Author SHA1 Message Date
avos
ce3bc9d258 net80211: fix use-after-free in frame defragmentation procedure.
- Assign frame sequence/fragment number before frame concatenation;
otherwise, frame header pointer (wh) will be invalid.
- Move this code block upper and eliminate duplicate 'lwh = mtod()'
assignment.

Tested with wpi(4) (transmitter) (STA mode) and urtwn(4) (receiver)
(HOSTAP mode).
2016-05-28 18:49:17 +00:00
avos
b389a6beb1 net80211: hide subtype mask & shift in function call.
Hide subtype mask/shift (which is used for index calculation
in ieee80211_mgt_subtype_name[] array) in function call.

Tested with RTL8188CUS, STA mode.

Reviewed by:	adrian
Differential Revision:	https://reviews.freebsd.org/D5369
2016-04-20 21:15:55 +00:00
avos
a5ff8b0e31 net80211: replace internal LE_READ_*/LE_WRITE_* macro with system
le*dec / le*enc functions.

Replace net80211 specific macros with system-wide bytestream
encoding/decoding functions:
- LE_READ_2 ->  le16dec
- LE_READ_4 ->  le32dec
- LE_WRITE_2 -> le16enc
- LE_WRITE_4 -> le32enc

+ drop ieee80211_input.h include, where it was included for these
operations only.

Reviewed by:	adrian
Differential Revision:	https://reviews.freebsd.org/D6030
2016-04-20 18:29:30 +00:00
adrian
07ff8741cf [net80211] IE 127 is not MESHEXTCAP, just EXTCAP.
It's not a mesh extended capabilities; it's just extended capabilities.
This is from 802.11-2012 8.4.2.29 (Extended Capabilities element.)
2016-03-18 04:00:57 +00:00
adrian
9f278f3fc9 [net80211] handle unlisted information elements.
This displays the IE names in ifconfig but it doesn't yet decode things.

Submitted by: Idwer Vollering <vidwer@gmail.com>
Differential Revision:	https://reviews.freebsd.org/D3782
2016-03-14 04:39:35 +00:00
markj
a7d6563062 Use m_catpkt(9) to avoid a possible use-after-free in ieee80211_defrag().
m is not guaranteed to be valid after m_cat() returns. The effects of this
are most noticeable when INVARIANTS is enabled, since m's header length
field is given a value of 0xdeadc0de by the trash dtor.

Reviewed by:	glebius
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D5497
2016-03-02 05:01:58 +00:00
adrian
f0c602f715 Perform some rather amusing layering violations to add mbuf tags to the
net80211 receive path.  This allows drivers (notably USB right now, but
anything/everything!) to optionally defer bulk RX of 802.11 frames until
/outside/ of the driver lock(s), rather than doing:

UNLOCK(sc);
ieee80211_input*()
LOCK(sc);

.. which is really stupid.

The existing API is maintaned - if ieee80211_input() / ieee80211_input_all()
is called then the RSSI/NF values are used.  If the MIMO versions are called
with a given rx status pointer then it's used. Else, it'll use whatever
is in the RX mbuf tag.
2015-09-26 00:53:37 +00:00
glebius
23e01a9f6f Cleanup compat shims for FreeBSD versions that predate 10.0-RELEASE.
There are no plans to merge anything save a trivial bugfix to stable/9.

Discussed with:	adrian
2015-05-25 20:06:49 +00:00
adrian
daa4dc6942 Convert malloc/free back to #define's, as part of OS portability work.
DragonflyBSD uses the FreeBSD wireless stack and drivers.  Their malloc()
API is named differently, so they don't have userland/kernel symbol
clashes like we do (think libuinet.)

So, to make it easier for them and to port to other BSDs/other operating
systems, start hiding the malloc specific bits behind defines in
ieee80211_freebsd.h.

DragonflyBSD can now put these portability defines in their local
ieee80211_dragonflybsd.h.

This should be a great big no-op for everyone running wifi.

TODO:

* kill M_WAITOK - some platforms just don't want you to use it
* .. and/or handle it returning NULL rather than waiting forever.
* MALLOC_DEFINE() ?
* Migrate the well-known malloc names (eg M_TEMP) to net80211
  namespace defines.
2015-05-25 19:18:16 +00:00
adrian
7eab7c352d Begin plumbing ieee80211_rx_stats through the receive path.
Smart NICs with firmware (eg wpi, iwn, the new atheros parts, the intel 7260
series, etc) support doing a lot of things in firmware.  This includes but
isn't limited to things like scanning, sending probe requests and receiving
probe responses.  However, net80211 doesn't know about any of this - it still
drives the whole scan/probe infrastructure itself.

In order to move towards suppoting smart NICs, the receive path needs to
know about the channel/details for each received packet.  In at least
the iwn and 7260 firmware (and I believe wpi, but I haven't tried it yet)
it will do the scanning, power-save and off-channel buffering for you -
all you need to do is handle receiving beacons and probe responses on
channels that aren't what you're currently on.  However the whole receive
path is peppered with ic->ic_curchan and manual scan/powersave handling.
The beacon parsing code also checks ic->ic_curchan to determine if the
received beacon is on the correct channel or not.[1]

So:

* add freq/ieee values to ieee80211_rx_stats;
* change ieee80211_parse_beacon() to accept the 'current' channel
  as an argument;
* modify the iv_input() and iv_recv_mgmt() methods to include the rx_stats;
* add a new method - ieee80211_lookup_channel_rxstats() - that looks up
  a channel based on the contents of ieee80211_rx_stats;
* if it exists, use it in the mgmt path to switch the current channel
  (which still defaults to ic->ic_curchan) over to something determined
  by rx_stats.

This is enough to kick-start scan offload support in the Intel 7260
driver that Rui/I are working on.  It also is a good start for scan
offload support for a handful of existing NICs (wpi, iwn, some USB
parts) and it'll very likely dramatically improve stability/performance
there.  It's not the whole thing - notably, we don't need to do powersave,
we should not scan all channels, and we should leave probe request sending
to the firmware and not do it ourselves.  But, this allows for continued
development on the above features whilst actually having a somewhat
working NIC.

TODO:

* Finish tidying up how the net80211 input path works.
  Right now ieee80211_input / ieee80211_input_all act as the top-level
  that everything feeds into; it should change so the MIMO input routines
  are those and the legacy routines are phased out.

* The band selection should be done by the driver, not by the net80211
  layer.

* ieee80211_lookup_channel_rxstats() only determines 11b or 11g channels
  for now - this is enough for scanning, but not 100% true in all cases.
  If we ever need to handle off-channel scan support for things like
  static-40MHz or static-80MHz, or turbo-G, or half/quarter rates,
  then we should extend this.

[1] This is a side effect of frequency-hopping and CCK modes - you
    can receive beacons when you think you're on a different channel.
    In particular, CCK (which is used by the low 11b rates, eg beacons!)
    is decodable from adjacent channels - just at a low SNR.
    FH is a side effect of having the hardware/firmware do the frequency
    hopping - it may pick up beacons transmitted from other FH networks
    that are in a different phase of hopping frequencies.
2015-05-25 16:37:41 +00:00
glebius
2ca697202c Mechanically convert to if_inc_counter(). 2014-09-19 09:20:55 +00:00
glebius
ff6e113f1b The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare
to this event, adding if_var.h to files that do need it. Also, include
all includes that now are included due to implicit pollution via if_var.h

Sponsored by:	Netflix
Sponsored by:	Nginx, Inc.
2013-10-26 17:58:36 +00:00
adrian
40e805bbd2 Add in some backwards compatability hacks to make -HEAD net80211 compile
on -9.
2013-08-22 05:53:47 +00:00
andre
7cc6cc696c Add m_clrprotoflags() to clear protocol specific mbuf flags at up and
downwards layer crossings.

Consistently use it within IP, IPv6 and ethernet protocols.

Discussed with:	trociny, glebius
2013-08-19 13:27:32 +00:00
glebius
f03c14c9a7 Substitute '#ifdef ALIGNED_POINTER' with '#ifndef __NO_STRICT_ALIGNMENT',
since the former is defined everywhere. This cuts off some code not
necessary on non strict aligment arches.

Reviewed by:	adrian
Sponsored by:	Nginx, Inc.
2013-02-12 11:24:37 +00:00
monthadar
92c96a118c Start accepting IEEE80211_ACTION_MESH_GANN frames;
* Add IEEE80211_ACTION_MESH_GANN Action frame verification in
  ieee80211_parse_action;

Approved by:	adrian (mentor)
2013-02-07 21:22:14 +00:00
glebius
8e20fa5ae9 Mechanically substitute flags from historic mbuf allocator with
malloc(9) flags within sys.

Exceptions:

- sys/contrib not touched
- sys/mbuf.h edited manually
2012-12-05 08:04:20 +00:00
monthadar
3b1abc6390 Added Self-protected action category (including MPM).
* Added new action category IEEE80211_ACTION_CAT_SELF_PROT which is used by 11s
for Mesh Peering Management;
* Updated Self protected enum Action codes to start from 1 instead of 0
according to the standard spec;
* Removed old and wrong action categories IEEE80211_ACTION_CAT_MESHPEERING;
* Modified ieee80211_mesh.c and ieee80211_action.c to use the new action
category code;
* Added earlier verification code in ieee80211_input;

Approved by: adrian
2012-05-01 15:35:10 +00:00
glebius
2ef7dea431 Fix build w/o 'options IEEE80211_SUPPORT_MESH'. 2012-03-04 09:45:43 +00:00
adrian
8d7335fa92 * Added IEEE80211_ACTION_CAT_MESH in ieee80211.h as specified amendment spec;
* Moved old categories as specified by D4.0 to be action fields of MESH category
  as specified in amendment spec;
* Modified functions to use MESH category and its action fields:
  + ieee80211_send_action_register
  + ieee80211_send_action
  + ieee80211_recv_action_register
  +ieee80211_recv_action;
* Modified ieee80211_hwmp_init and hwmp_send_action so they uses correct
  action fields as specified in amendment spec;
* Modified ieee80211_parse_action so that it verifies MESH frames.
* Change Mesh Link Metric to use one information element as amendment spec.
  Draft 4.0 defined two different information elements for request and response.

Submitted by:	monthadar@gmail.com
2012-03-04 05:49:39 +00:00
adrian
c12af6cbb1 Print out the bogus beacon interval. 2012-02-28 21:41:47 +00:00
adrian
1a3216b041 Add 802.11h quiet time element support into net80211.
This supports both station and hostap modes:

* Station mode quiet time element support listens to quiet time
  IE's and modifies the local quiet time configuration as appropriate;
* Hostap mode both obeys the locally configured quiet time period
  and includes it in beacon frames so stations also can obey as needed.

Submitted by:	Himali Patel <himali.patel@sibridgetech.com>
Sponsored by:	Sibridge Technologies
2011-11-08 04:00:24 +00:00
adrian
04a664ee1b Add initial support for MIMO statistics to net80211.
This introduces struct ieee80211_rx_stats - which stores the various kinds
of RX statistics which a MIMO and non-MIMO 802.11 device can export.

It also fleshes out the mimo export to userland (node_getmimoinfo()).

It assumes that MIMO radios (for now) export both ctl and ext channels.
Non-11n MIMO radios are possible (and I believe Atheros made at least
one), so if that chipset support is added, extra flags to the
struct ieee80211_rx_stats can be added to extend this support.

Two new input functions have been added - ieee80211_input_mimo() and
ieee80211_input_mimo_all() - which MIMO-aware devices can call with
MIMO specific statistics.

802.11 devices calling the non-MIMO input functions will still function.
2011-04-08 09:20:45 +00:00
bschmidt
4a678eb796 Add a new mgmt subtype "ACTION NO ACK" defined in 802.11n-2009, while here
clean up parts of the *_recv_mgmt() functions.
- make sure appropriate counters are bumped and debug messages are printed
- order the unhandled subtypes by value and add a few missing ones
- fix some whitespace nits
- remove duplicate code in adhoc_recv_mgmt()
- remove a useless comment, probably left in while c&p
2011-02-21 19:59:43 +00:00
rpaulo
7baff87d11 Constify vap argument of ieee80211_{note,discard}* functions.
MFC after:	1 week
2010-03-31 16:07:36 +00:00
rpaulo
75d3b6b740 Fix a typo in ifdef mesh support. This would make mesh unworkable if
TDMA support was compiled out.

Approved by:	re (kib)
2009-08-17 12:57:57 +00:00
rpaulo
0dabd4da95 More mesh bits, namely:
* bridge support (sam)
* handling of errors (sam)
* deletion of inactive routing entries
* more debug msgs (sam)
* fixed some inconsistencies with the spec.
* decap is now specific to mesh (sam)
* print mesh seq. no. on ifconfig list mesh
* small perf. improvements

Reviewed by:	sam
Approved by:	re (kib)
2009-07-20 19:12:08 +00:00
sam
c70ad2698e Move code that does payload realigment to a new routine, ieee80211_realign,
so it can be reused.  While here rewrite the logic to always use a single mbuf.

Reviewed by:	rpaulo
Approved by:	re (kib)
2009-07-18 20:19:53 +00:00
rpaulo
8424d74020 Implementation of the upcoming Wireless Mesh standard, 802.11s, on the
net80211 wireless stack. This work is based on the March 2009 D3.0 draft
standard. This standard is expected to become final next year.
This includes two main net80211 modules, ieee80211_mesh.c
which deals with peer link management, link metric calculation,
routing table control and mesh configuration and ieee80211_hwmp.c
which deals with the actually routing process on the mesh network.
HWMP is the mandatory routing protocol on by the mesh standard, but
others, such as RA-OLSR, can be implemented.

Authentication and encryption are not implemented.

There are several scripts under tools/tools/net80211/scripts that can be
used to test different mesh network topologies and they also teach you
how to setup a mesh vap (for the impatient: ifconfig wlan0 create
wlandev ... wlanmode mesh).

A new build option is available: IEEE80211_SUPPORT_MESH and it's enabled
by default on GENERIC kernels for i386, amd64, sparc64 and pc98.

Drivers that support mesh networks right now are: ath, ral and mwl.

More information at: http://wiki.freebsd.org/WifiMesh

Please note that this work is experimental. Also, please note that
bridging a mesh vap with another network interface is not yet supported.

Many thanks to the FreeBSD Foundation for sponsoring this project and to
Sam Leffler for his support.
Also, I would like to thank Gateworks Corporation for sending me a
Cambria board which was used during the development of this project.

Reviewed by:	sam
Approved by:	re (kensmith)
Obtained from:	projects/mesh11s
2009-07-11 15:02:45 +00:00
sam
33549e3857 iv_flags_ext is full, make room by moving HT-related flags to a new
iv_flags_ht word
2009-06-07 22:00:22 +00:00
sam
e673d3b5e9 o station mode channel switch support
o IEEE80211_IOC_CHANSWITCH fixups:
  - restrict to hostap vaps
  - return EOPNOTSUPP instead of EINVAL when applied to !hostap vap
    or to a vap w/o 11h enabled
  - interpret count of 0 to mean cancel the current CSA

Reviewed by:	rpaulo, avatar
2009-06-04 15:57:38 +00:00
sam
35d42ca22f Fix monitor mode vaps to work as intended:
o track # bpf taps on monitor mode vaps instead of # monitor mode vaps
o spam monitor mode taps on tx/rx
o fix ieee80211_radiotap_rx_all to dispatch frames only if the vap is up
o while here print radiotap (and superg) state in show com
2009-06-02 00:33:28 +00:00
sam
cab175ca2d don't dispatch frames to vap's not running 2009-06-02 00:06:39 +00:00
sam
68f7a1034a Overhaul monitor mode handling:
o replace DLT_IEEE802_11 support in net80211 with DLT_IEEE802_11_RADIO
  and remove explicit bpf support from wireless drivers; drivers now
  use ieee80211_radiotap_attach to setup shared data structures that
  hold the radiotap header for each packet tx/rx
o remove rx timestamp from the rx path; it was used only by the tdma support
  for debugging and was mostly useless due to it being 32-bits and mostly
  unavailable
o track DLT_IEEE80211_RADIO bpf attachments and maintain per-vap and
  per-com state when there are active taps
o track the number of monitor mode vaps
o use bpf tap and monitor mode vap state to decide when to collect radiotap
  state and dispatch frames; drivers no longer explicitly directly check
  bpf state or use bpf calls to tap frames
o handle radiotap state updates on channel change in net80211; drivers
  should not do this (unless they bypass net80211 which is almost always
  a mistake)
o update various drivers to be more consistent/correct in handling radiotap
o update ral to include TSF in radiotap'd frames
o add promisc mode callback to wi

Reviewed by:	cbzimmer, rpaulo, thompsa
2009-05-20 20:00:40 +00:00
sam
88b91b235f split Atheros SuperG support out into it's own file that's included only
with a new IEEE80211_SUPPORT_SUPERG option
2009-03-24 20:39:08 +00:00
rpaulo
24d921c8b2 Use plural in a comment. No functional change. 2009-03-18 21:33:28 +00:00
sam
98ad45c3d3 TDMA support for long distance point-to-point links using ath devices:
o add net80211 support for a tdma vap that is built on top of the
  existing adhoc-demo support
o add tdma scheduling of frame transmission to the ath driver; it's
  conceivable other devices might be capable of this too in which case
  they can make use of the 802.11 protocol additions etc.
o add minor bits to user tools that need to know: ifconfig to setup and
  configure, new statistics in athstats, and new debug mask bits

While the architecture can support >2 slots in a TDMA BSS the current
design is intended (and tested) for only 2 slots.

Sponsored by:	Intel
2009-01-08 17:12:47 +00:00
sam
7aaeeb0704 convert MALLOC/FREE to malloc/free 2008-12-18 23:00:09 +00:00
sam
dc256886cd Fix definition of IEEE80211_CHAN_MAX; it was defined as 255 but
really was meant to be 256.  Adjust usage accordingly and replace
bogus usage of this value in checking IEEE channel #'s.

NB: this causes an ABI change; ifconfig must be recompiled
2008-12-15 01:26:33 +00:00
sam
27b294c5a8 ignore IEEE80211_ELEMID_PWRCNSTR when parsing beacon/probe response frames
to avoid counting it as an unknown elemid (we often beacon this so it shows
up as a "false positive")
2008-10-25 23:26:57 +00:00
des
2668f9825b Revert the removal of the MALLOC and FREE macros from the net80211 code.
Requested by:	sam
2008-10-23 19:57:13 +00:00
des
66f807ed8b Retire the MALLOC and FREE macros. They are an abomination unto style(9).
MFC after:	3 months
2008-10-23 15:53:51 +00:00
sam
23d2075246 correct decap of of AppleTalk and IPX frames; don't strip the SNAP
header as they have one natively

Submitted by:	Chris Zimmermann
2008-08-02 18:02:57 +00:00
sam
3569e353ca Multi-bss (aka vap) support for 802.11 devices.
Note this includes changes to all drivers and moves some device firmware
loading to use firmware(9) and a separate module (e.g. ral).  Also there
no longer are separate wlan_scan* modules; this functionality is now
bundled into the wlan module.

Supported by:	Hobnob and Marvell
Reviewed by:	many
Obtained from:	Atheros (some bits)
2008-04-20 20:35:46 +00:00
sephe
f42ebbd1b7 - Correctly handle ALTQ in ieee80211_deliver_data()
- Add comment from sam that ALTQ probably does not work well with WME

PR: kern/119548
Approved by: sam (mentor)
2008-02-03 12:00:03 +00:00
sam
e6720edef5 sync 11n support with vap code base; many changes based on interop
testing with all major vendors

MFC after:	1 week
2007-11-02 05:22:25 +00:00
sam
b24b5693c0 Miscellaneous fixups to 802.11 defs:
o update 11n definitions to D2.0 spec
o add IEEE80211_CAPINFO_SPECTRUM_MGMT for DFS support
o add CSA ie definition for DFS support
o purge some unused definitions
o correct 802.11 reason and status codes
o correct reason code returned when a sta tries to associate to an
  ap operating with WPA/RSN but without a WPA/RSN ie

Reviewed by:	thompsa, avatar
Approved by:	re (blanket wireless)
2007-09-05 20:29:51 +00:00
sam
31b9300aaa o add M_WEP mbuf flag so drivers can mark frames that are decrypted by the
device and have had the crypto bits stripped from the 802.11 header
o strip mbuf flags in the rx path before passing up the stack

Reviewed by:	thompsa, sephe, avatar
Approved by:	re (blanket wireless)
2007-09-05 20:22:59 +00:00
thompsa
03a3b23042 Change the channel number in the scan results struct to be a pointer to the
operating channel and use this in the scan cache rather than directly using
ic_curchan. Some firmware cards can only do a full scan and so ic_curchan does
not have the correct value.

Also add IEEE80211_CHAN2IEEE to directly dereference ic_ieee from the channel
to be used in the fast path.

Reviewed by:	sam, sephe
Approved by:	re (kensmith)
2007-06-30 21:23:23 +00:00
sam
6a8b18f115 Update 802.11 wireless support:
o major overhaul of the way channels are handled: channels are now
  fully enumerated and uniquely identify the operating characteristics;
  these changes are visible to user applications which require changes
o make scanning support independent of the state machine to enable
  background scanning and roaming
o move scanning support into loadable modules based on the operating
  mode to enable different policies and reduce the memory footprint
  on systems w/ constrained resources
o add background scanning in station mode (no support for adhoc/ibss
  mode yet)
o significantly speedup sta mode scanning with a variety of techniques
o add roaming support when background scanning is supported; for now
  we use a simple algorithm to trigger a roam: we threshold the rssi
  and tx rate, if either drops too low we try to roam to a new ap
o add tx fragmentation support
o add first cut at 802.11n support: this code works with forthcoming
  drivers but is incomplete; it's included now to establish a baseline
  for other drivers to be developed and for user applications
o adjust max_linkhdr et. al. to reflect 802.11 requirements; this eliminates
  prepending mbufs for traffic generated locally
o add support for Atheros protocol extensions; mainly the fast frames
  encapsulation (note this can be used with any card that can tx+rx
  large frames correctly)
o add sta support for ap's that beacon both WPA1+2 support
o change all data types from bsd-style to posix-style
o propagate noise floor data from drivers to net80211 and on to user apps
o correct various issues in the sta mode state machine related to handling
  authentication and association failures
o enable the addition of sta mode power save support for drivers that need
  net80211 support (not in this commit)
o remove old WI compatibility ioctls (wicontrol is officially dead)
o change the data structures returned for get sta info and get scan
  results so future additions will not break user apps
o fixed tx rate is now maintained internally as an ieee rate and not an
  index into the rate set; this needs to be extended to deal with
  multi-mode operation
o add extended channel specifications to radiotap to enable 11n sniffing

Drivers:
o ath: add support for bg scanning, tx fragmentation, fast frames,
       dynamic turbo (lightly tested), 11n (sniffing only and needs
       new hal)
o awi: compile tested only
o ndis: lightly tested
o ipw: lightly tested
o iwi: add support for bg scanning (well tested but may have some
       rough edges)
o ral, ural, rum: add suppoort for bg scanning, calibrate rssi data
o wi: lightly tested

This work is based on contributions by Atheros, kmacy, sephe, thompsa,
mlaier, kevlo, and others.  Much of the scanning work was supported by
Atheros.  The 11n work was supported by Marvell.
2007-06-11 03:36:55 +00:00