1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright 2002-2005, Instant802 Networks, Inc. 4 * Copyright 2005-2006, Devicescape Software, Inc. 5 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> 6 * Copyright 2007 Johannes Berg <johannes@sipsolutions.net> 7 * Copyright 2013-2014 Intel Mobile Communications GmbH 8 * Copyright (C) 2015-2017 Intel Deutschland GmbH 9 * Copyright (C) 2018-2024 Intel Corporation 10 * 11 * element parsing for mac80211 12 */ 13 14 #include <net/mac80211.h> 15 #include <linux/netdevice.h> 16 #include <linux/export.h> 17 #include <linux/types.h> 18 #include <linux/slab.h> 19 #include <linux/skbuff.h> 20 #include <linux/etherdevice.h> 21 #include <linux/if_arp.h> 22 #include <linux/bitmap.h> 23 #include <linux/crc32.h> 24 #include <net/net_namespace.h> 25 #include <net/cfg80211.h> 26 #include <net/rtnetlink.h> 27 #include <kunit/visibility.h> 28 29 #include "ieee80211_i.h" 30 #include "driver-ops.h" 31 #include "rate.h" 32 #include "mesh.h" 33 #include "wme.h" 34 #include "led.h" 35 #include "wep.h" 36 37 struct ieee80211_elems_parse { 38 /* must be first for kfree to work */ 39 struct ieee802_11_elems elems; 40 41 /* The basic Multi-Link element in the original elements */ 42 const struct element *ml_basic_elem; 43 44 /* The reconfiguration Multi-Link element in the original elements */ 45 const struct element *ml_reconf_elem; 46 47 /* 48 * scratch buffer that can be used for various element parsing related 49 * tasks, e.g., element de-fragmentation etc. 50 */ 51 size_t scratch_len; 52 u8 *scratch_pos; 53 u8 scratch[] __counted_by(scratch_len); 54 }; 55 56 static void ieee80211_parse_extension_element(u32 * crc,const struct element * elem,struct ieee80211_elems_parse * elems_parse,struct ieee80211_elems_parse_params * params)57 ieee80211_parse_extension_element(u32 *crc, 58 const struct element *elem, 59 struct ieee80211_elems_parse *elems_parse, 60 struct ieee80211_elems_parse_params *params) 61 { 62 struct ieee802_11_elems *elems = &elems_parse->elems; 63 const void *data = elem->data + 1; 64 bool calc_crc = false; 65 u8 len; 66 67 if (!elem->datalen) 68 return; 69 70 len = elem->datalen - 1; 71 72 switch (elem->data[0]) { 73 case WLAN_EID_EXT_HE_MU_EDCA: 74 if (params->mode < IEEE80211_CONN_MODE_HE) 75 break; 76 calc_crc = true; 77 if (len >= sizeof(*elems->mu_edca_param_set)) 78 elems->mu_edca_param_set = data; 79 break; 80 case WLAN_EID_EXT_HE_CAPABILITY: 81 if (params->mode < IEEE80211_CONN_MODE_HE) 82 break; 83 if (ieee80211_he_capa_size_ok(data, len)) { 84 elems->he_cap = data; 85 elems->he_cap_len = len; 86 } 87 break; 88 case WLAN_EID_EXT_HE_OPERATION: 89 if (params->mode < IEEE80211_CONN_MODE_HE) 90 break; 91 calc_crc = true; 92 if (len >= sizeof(*elems->he_operation) && 93 len >= ieee80211_he_oper_size(data) - 1) 94 elems->he_operation = data; 95 break; 96 case WLAN_EID_EXT_UORA: 97 if (params->mode < IEEE80211_CONN_MODE_HE) 98 break; 99 if (len >= 1) 100 elems->uora_element = data; 101 break; 102 case WLAN_EID_EXT_MAX_CHANNEL_SWITCH_TIME: 103 if (len == 3) 104 elems->max_channel_switch_time = data; 105 break; 106 case WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION: 107 if (len >= sizeof(*elems->mbssid_config_ie)) 108 elems->mbssid_config_ie = data; 109 break; 110 case WLAN_EID_EXT_HE_SPR: 111 if (params->mode < IEEE80211_CONN_MODE_HE) 112 break; 113 if (len >= sizeof(*elems->he_spr) && 114 len >= ieee80211_he_spr_size(data) - 1) 115 elems->he_spr = data; 116 break; 117 case WLAN_EID_EXT_HE_6GHZ_CAPA: 118 if (params->mode < IEEE80211_CONN_MODE_HE) 119 break; 120 if (len >= sizeof(*elems->he_6ghz_capa)) 121 elems->he_6ghz_capa = data; 122 break; 123 case WLAN_EID_EXT_EHT_CAPABILITY: 124 if (params->mode < IEEE80211_CONN_MODE_EHT) 125 break; 126 if (ieee80211_eht_capa_size_ok(elems->he_cap, 127 data, len, 128 params->from_ap)) { 129 elems->eht_cap = data; 130 elems->eht_cap_len = len; 131 } 132 break; 133 case WLAN_EID_EXT_EHT_OPERATION: 134 if (params->mode < IEEE80211_CONN_MODE_EHT) 135 break; 136 if (ieee80211_eht_oper_size_ok(data, len)) 137 elems->eht_operation = data; 138 calc_crc = true; 139 break; 140 case WLAN_EID_EXT_EHT_MULTI_LINK: 141 if (params->mode < IEEE80211_CONN_MODE_EHT) 142 break; 143 calc_crc = true; 144 145 if (ieee80211_mle_size_ok(data, len)) { 146 const struct ieee80211_multi_link_elem *mle = 147 (void *)data; 148 149 switch (le16_get_bits(mle->control, 150 IEEE80211_ML_CONTROL_TYPE)) { 151 case IEEE80211_ML_CONTROL_TYPE_BASIC: 152 if (elems_parse->ml_basic_elem) { 153 elems->parse_error |= 154 IEEE80211_PARSE_ERR_DUP_NEST_ML_BASIC; 155 break; 156 } 157 elems_parse->ml_basic_elem = elem; 158 break; 159 case IEEE80211_ML_CONTROL_TYPE_RECONF: 160 elems_parse->ml_reconf_elem = elem; 161 break; 162 default: 163 break; 164 } 165 } 166 break; 167 case WLAN_EID_EXT_BANDWIDTH_INDICATION: 168 if (params->mode < IEEE80211_CONN_MODE_EHT) 169 break; 170 if (ieee80211_bandwidth_indication_size_ok(data, len)) 171 elems->bandwidth_indication = data; 172 calc_crc = true; 173 break; 174 case WLAN_EID_EXT_TID_TO_LINK_MAPPING: 175 if (params->mode < IEEE80211_CONN_MODE_EHT) 176 break; 177 calc_crc = true; 178 if (ieee80211_tid_to_link_map_size_ok(data, len) && 179 elems->ttlm_num < ARRAY_SIZE(elems->ttlm)) { 180 elems->ttlm[elems->ttlm_num] = (void *)data; 181 elems->ttlm_num++; 182 } 183 break; 184 } 185 186 if (crc && calc_crc) 187 *crc = crc32_be(*crc, (void *)elem, elem->datalen + 2); 188 } 189 ieee80211_parse_tpe(struct ieee80211_parsed_tpe * tpe,const u8 * data,u8 len)190 static void ieee80211_parse_tpe(struct ieee80211_parsed_tpe *tpe, 191 const u8 *data, u8 len) 192 { 193 const struct ieee80211_tx_pwr_env *env = (const void *)data; 194 u8 count, interpret, category; 195 u8 *out, N, *cnt_out = NULL, *N_out = NULL; 196 197 if (!ieee80211_valid_tpe_element(data, len)) 198 return; 199 200 count = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_COUNT); 201 interpret = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_INTERPRET); 202 category = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_CATEGORY); 203 204 switch (interpret) { 205 case IEEE80211_TPE_LOCAL_EIRP: 206 out = tpe->max_local[category].power; 207 cnt_out = &tpe->max_local[category].count; 208 tpe->max_local[category].valid = true; 209 break; 210 case IEEE80211_TPE_REG_CLIENT_EIRP: 211 out = tpe->max_reg_client[category].power; 212 cnt_out = &tpe->max_reg_client[category].count; 213 tpe->max_reg_client[category].valid = true; 214 break; 215 case IEEE80211_TPE_LOCAL_EIRP_PSD: 216 out = tpe->psd_local[category].power; 217 cnt_out = &tpe->psd_local[category].count; 218 N_out = &tpe->psd_local[category].n; 219 tpe->psd_local[category].valid = true; 220 break; 221 case IEEE80211_TPE_REG_CLIENT_EIRP_PSD: 222 out = tpe->psd_reg_client[category].power; 223 cnt_out = &tpe->psd_reg_client[category].count; 224 N_out = &tpe->psd_reg_client[category].n; 225 tpe->psd_reg_client[category].valid = true; 226 break; 227 } 228 229 switch (interpret) { 230 case IEEE80211_TPE_LOCAL_EIRP: 231 case IEEE80211_TPE_REG_CLIENT_EIRP: 232 /* count was validated <= 3, plus 320 MHz */ 233 BUILD_BUG_ON(IEEE80211_TPE_EIRP_ENTRIES_320MHZ < 5); 234 memcpy(out, env->variable, count + 1); 235 *cnt_out = count + 1; 236 /* separately take 320 MHz if present */ 237 if (count == 3 && len > sizeof(*env) + count + 1) { 238 out[4] = env->variable[4]; 239 *cnt_out = 5; 240 } 241 break; 242 case IEEE80211_TPE_LOCAL_EIRP_PSD: 243 case IEEE80211_TPE_REG_CLIENT_EIRP_PSD: 244 if (!count) { 245 memset(out, env->variable[0], 246 IEEE80211_TPE_PSD_ENTRIES_320MHZ); 247 *cnt_out = IEEE80211_TPE_PSD_ENTRIES_320MHZ; 248 break; 249 } 250 251 N = 1 << (count - 1); 252 memcpy(out, env->variable, N); 253 *cnt_out = N; 254 *N_out = N; 255 256 if (len > sizeof(*env) + N) { 257 int K = u8_get_bits(env->variable[N], 258 IEEE80211_TX_PWR_ENV_EXT_COUNT); 259 260 K = min(K, IEEE80211_TPE_PSD_ENTRIES_320MHZ - N); 261 memcpy(out + N, env->variable + N + 1, K); 262 (*cnt_out) += K; 263 } 264 break; 265 } 266 } 267 268 static u32 _ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params * params,struct ieee80211_elems_parse * elems_parse,const struct element * check_inherit)269 _ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params, 270 struct ieee80211_elems_parse *elems_parse, 271 const struct element *check_inherit) 272 { 273 struct ieee802_11_elems *elems = &elems_parse->elems; 274 const struct element *elem; 275 bool calc_crc = params->filter != 0; 276 DECLARE_BITMAP(seen_elems, 256); 277 u32 crc = params->crc; 278 279 bitmap_zero(seen_elems, 256); 280 281 for_each_element(elem, params->start, params->len) { 282 const struct element *subelem; 283 u8 elem_parse_failed; 284 u8 id = elem->id; 285 u8 elen = elem->datalen; 286 const u8 *pos = elem->data; 287 288 if (check_inherit && 289 !cfg80211_is_element_inherited(elem, 290 check_inherit)) 291 continue; 292 293 switch (id) { 294 case WLAN_EID_SSID: 295 case WLAN_EID_SUPP_RATES: 296 case WLAN_EID_FH_PARAMS: 297 case WLAN_EID_DS_PARAMS: 298 case WLAN_EID_CF_PARAMS: 299 case WLAN_EID_TIM: 300 case WLAN_EID_IBSS_PARAMS: 301 case WLAN_EID_CHALLENGE: 302 case WLAN_EID_RSN: 303 case WLAN_EID_ERP_INFO: 304 case WLAN_EID_EXT_SUPP_RATES: 305 case WLAN_EID_HT_CAPABILITY: 306 case WLAN_EID_HT_OPERATION: 307 case WLAN_EID_VHT_CAPABILITY: 308 case WLAN_EID_VHT_OPERATION: 309 case WLAN_EID_MESH_ID: 310 case WLAN_EID_MESH_CONFIG: 311 case WLAN_EID_PEER_MGMT: 312 case WLAN_EID_PREQ: 313 case WLAN_EID_PREP: 314 case WLAN_EID_PERR: 315 case WLAN_EID_RANN: 316 case WLAN_EID_CHANNEL_SWITCH: 317 case WLAN_EID_EXT_CHANSWITCH_ANN: 318 case WLAN_EID_COUNTRY: 319 case WLAN_EID_PWR_CONSTRAINT: 320 case WLAN_EID_TIMEOUT_INTERVAL: 321 case WLAN_EID_SECONDARY_CHANNEL_OFFSET: 322 case WLAN_EID_WIDE_BW_CHANNEL_SWITCH: 323 case WLAN_EID_CHAN_SWITCH_PARAM: 324 case WLAN_EID_EXT_CAPABILITY: 325 case WLAN_EID_CHAN_SWITCH_TIMING: 326 case WLAN_EID_LINK_ID: 327 case WLAN_EID_BSS_MAX_IDLE_PERIOD: 328 case WLAN_EID_RSNX: 329 case WLAN_EID_S1G_BCN_COMPAT: 330 case WLAN_EID_S1G_CAPABILITIES: 331 case WLAN_EID_S1G_OPERATION: 332 case WLAN_EID_AID_RESPONSE: 333 case WLAN_EID_S1G_SHORT_BCN_INTERVAL: 334 /* 335 * not listing WLAN_EID_CHANNEL_SWITCH_WRAPPER -- it seems possible 336 * that if the content gets bigger it might be needed more than once 337 */ 338 if (test_bit(id, seen_elems)) { 339 elems->parse_error |= 340 IEEE80211_PARSE_ERR_DUP_ELEM; 341 continue; 342 } 343 break; 344 } 345 346 if (calc_crc && id < 64 && (params->filter & (1ULL << id))) 347 crc = crc32_be(crc, pos - 2, elen + 2); 348 349 elem_parse_failed = 0; 350 351 switch (id) { 352 case WLAN_EID_LINK_ID: 353 if (elen + 2 < sizeof(struct ieee80211_tdls_lnkie)) { 354 elem_parse_failed = 355 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 356 break; 357 } 358 elems->lnk_id = (void *)(pos - 2); 359 break; 360 case WLAN_EID_CHAN_SWITCH_TIMING: 361 if (elen < sizeof(struct ieee80211_ch_switch_timing)) { 362 elem_parse_failed = 363 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 364 break; 365 } 366 elems->ch_sw_timing = (void *)pos; 367 break; 368 case WLAN_EID_EXT_CAPABILITY: 369 elems->ext_capab = pos; 370 elems->ext_capab_len = elen; 371 break; 372 case WLAN_EID_SSID: 373 elems->ssid = pos; 374 elems->ssid_len = elen; 375 break; 376 case WLAN_EID_SUPP_RATES: 377 elems->supp_rates = pos; 378 elems->supp_rates_len = elen; 379 break; 380 case WLAN_EID_DS_PARAMS: 381 if (elen >= 1) 382 elems->ds_params = pos; 383 else 384 elem_parse_failed = 385 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 386 break; 387 case WLAN_EID_TIM: 388 if (elen >= sizeof(struct ieee80211_tim_ie)) { 389 elems->tim = (void *)pos; 390 elems->tim_len = elen; 391 } else 392 elem_parse_failed = 393 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 394 break; 395 case WLAN_EID_VENDOR_SPECIFIC: 396 if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 && 397 pos[2] == 0xf2) { 398 /* Microsoft OUI (00:50:F2) */ 399 400 if (calc_crc) 401 crc = crc32_be(crc, pos - 2, elen + 2); 402 403 if (elen >= 5 && pos[3] == 2) { 404 /* OUI Type 2 - WMM IE */ 405 if (pos[4] == 0) { 406 elems->wmm_info = pos; 407 elems->wmm_info_len = elen; 408 } else if (pos[4] == 1) { 409 elems->wmm_param = pos; 410 elems->wmm_param_len = elen; 411 } 412 } 413 } 414 break; 415 case WLAN_EID_RSN: 416 elems->rsn = pos; 417 elems->rsn_len = elen; 418 break; 419 case WLAN_EID_ERP_INFO: 420 if (elen >= 1) 421 elems->erp_info = pos; 422 else 423 elem_parse_failed = 424 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 425 break; 426 case WLAN_EID_EXT_SUPP_RATES: 427 elems->ext_supp_rates = pos; 428 elems->ext_supp_rates_len = elen; 429 break; 430 case WLAN_EID_HT_CAPABILITY: 431 if (params->mode < IEEE80211_CONN_MODE_HT) 432 break; 433 if (elen >= sizeof(struct ieee80211_ht_cap)) 434 elems->ht_cap_elem = (void *)pos; 435 else 436 elem_parse_failed = 437 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 438 break; 439 case WLAN_EID_HT_OPERATION: 440 if (params->mode < IEEE80211_CONN_MODE_HT) 441 break; 442 if (elen >= sizeof(struct ieee80211_ht_operation)) 443 elems->ht_operation = (void *)pos; 444 else 445 elem_parse_failed = 446 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 447 break; 448 case WLAN_EID_VHT_CAPABILITY: 449 if (params->mode < IEEE80211_CONN_MODE_VHT) 450 break; 451 if (elen >= sizeof(struct ieee80211_vht_cap)) 452 elems->vht_cap_elem = (void *)pos; 453 else 454 elem_parse_failed = 455 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 456 break; 457 case WLAN_EID_VHT_OPERATION: 458 if (params->mode < IEEE80211_CONN_MODE_VHT) 459 break; 460 if (elen >= sizeof(struct ieee80211_vht_operation)) { 461 elems->vht_operation = (void *)pos; 462 if (calc_crc) 463 crc = crc32_be(crc, pos - 2, elen + 2); 464 break; 465 } 466 elem_parse_failed = 467 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 468 break; 469 case WLAN_EID_OPMODE_NOTIF: 470 if (params->mode < IEEE80211_CONN_MODE_VHT) 471 break; 472 if (elen > 0) { 473 elems->opmode_notif = pos; 474 if (calc_crc) 475 crc = crc32_be(crc, pos - 2, elen + 2); 476 break; 477 } 478 elem_parse_failed = 479 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 480 break; 481 case WLAN_EID_MESH_ID: 482 elems->mesh_id = pos; 483 elems->mesh_id_len = elen; 484 break; 485 case WLAN_EID_MESH_CONFIG: 486 if (elen >= sizeof(struct ieee80211_meshconf_ie)) 487 elems->mesh_config = (void *)pos; 488 else 489 elem_parse_failed = 490 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 491 break; 492 case WLAN_EID_PEER_MGMT: 493 elems->peering = pos; 494 elems->peering_len = elen; 495 break; 496 case WLAN_EID_MESH_AWAKE_WINDOW: 497 if (elen >= 2) 498 elems->awake_window = (void *)pos; 499 break; 500 case WLAN_EID_PREQ: 501 elems->preq = pos; 502 elems->preq_len = elen; 503 break; 504 case WLAN_EID_PREP: 505 elems->prep = pos; 506 elems->prep_len = elen; 507 break; 508 case WLAN_EID_PERR: 509 elems->perr = pos; 510 elems->perr_len = elen; 511 break; 512 case WLAN_EID_RANN: 513 if (elen >= sizeof(struct ieee80211_rann_ie)) 514 elems->rann = (void *)pos; 515 else 516 elem_parse_failed = 517 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 518 break; 519 case WLAN_EID_CHANNEL_SWITCH: 520 if (elen != sizeof(struct ieee80211_channel_sw_ie)) { 521 elem_parse_failed = 522 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 523 break; 524 } 525 elems->ch_switch_ie = (void *)pos; 526 break; 527 case WLAN_EID_EXT_CHANSWITCH_ANN: 528 if (elen != sizeof(struct ieee80211_ext_chansw_ie)) { 529 elem_parse_failed = 530 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 531 break; 532 } 533 elems->ext_chansw_ie = (void *)pos; 534 break; 535 case WLAN_EID_SECONDARY_CHANNEL_OFFSET: 536 if (params->mode < IEEE80211_CONN_MODE_HT) 537 break; 538 if (elen != sizeof(struct ieee80211_sec_chan_offs_ie)) { 539 elem_parse_failed = 540 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 541 break; 542 } 543 elems->sec_chan_offs = (void *)pos; 544 break; 545 case WLAN_EID_CHAN_SWITCH_PARAM: 546 if (elen < 547 sizeof(*elems->mesh_chansw_params_ie)) { 548 elem_parse_failed = 549 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 550 break; 551 } 552 elems->mesh_chansw_params_ie = (void *)pos; 553 break; 554 case WLAN_EID_WIDE_BW_CHANNEL_SWITCH: 555 if (params->mode < IEEE80211_CONN_MODE_VHT) 556 break; 557 558 if (!params->action) { 559 elem_parse_failed = 560 IEEE80211_PARSE_ERR_UNEXPECTED_ELEM; 561 break; 562 } 563 564 if (elen < sizeof(*elems->wide_bw_chansw_ie)) { 565 elem_parse_failed = 566 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 567 break; 568 } 569 elems->wide_bw_chansw_ie = (void *)pos; 570 break; 571 case WLAN_EID_CHANNEL_SWITCH_WRAPPER: 572 if (params->mode < IEEE80211_CONN_MODE_VHT) 573 break; 574 if (params->action) { 575 elem_parse_failed = 576 IEEE80211_PARSE_ERR_UNEXPECTED_ELEM; 577 break; 578 } 579 /* 580 * This is a bit tricky, but as we only care about 581 * a few elements, parse them out manually. 582 */ 583 subelem = cfg80211_find_elem(WLAN_EID_WIDE_BW_CHANNEL_SWITCH, 584 pos, elen); 585 if (subelem) { 586 if (subelem->datalen >= sizeof(*elems->wide_bw_chansw_ie)) 587 elems->wide_bw_chansw_ie = 588 (void *)subelem->data; 589 else 590 elem_parse_failed = 591 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 592 } 593 594 if (params->mode < IEEE80211_CONN_MODE_EHT) 595 break; 596 597 subelem = cfg80211_find_ext_elem(WLAN_EID_EXT_BANDWIDTH_INDICATION, 598 pos, elen); 599 if (subelem) { 600 const void *edata = subelem->data + 1; 601 u8 edatalen = subelem->datalen - 1; 602 603 if (ieee80211_bandwidth_indication_size_ok(edata, 604 edatalen)) 605 elems->bandwidth_indication = edata; 606 else 607 elem_parse_failed = 608 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 609 } 610 611 subelem = cfg80211_find_ext_elem(WLAN_EID_TX_POWER_ENVELOPE, 612 pos, elen); 613 if (subelem) 614 ieee80211_parse_tpe(&elems->csa_tpe, 615 subelem->data + 1, 616 subelem->datalen - 1); 617 break; 618 case WLAN_EID_COUNTRY: 619 elems->country_elem = pos; 620 elems->country_elem_len = elen; 621 break; 622 case WLAN_EID_PWR_CONSTRAINT: 623 if (elen != 1) { 624 elem_parse_failed = 625 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 626 break; 627 } 628 elems->pwr_constr_elem = pos; 629 break; 630 case WLAN_EID_CISCO_VENDOR_SPECIFIC: 631 /* Lots of different options exist, but we only care 632 * about the Dynamic Transmit Power Control element. 633 * First check for the Cisco OUI, then for the DTPC 634 * tag (0x00). 635 */ 636 if (elen < 4) { 637 elem_parse_failed = 638 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 639 break; 640 } 641 642 if (pos[0] != 0x00 || pos[1] != 0x40 || 643 pos[2] != 0x96 || pos[3] != 0x00) 644 break; 645 646 if (elen != 6) { 647 elem_parse_failed = 648 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 649 break; 650 } 651 652 if (calc_crc) 653 crc = crc32_be(crc, pos - 2, elen + 2); 654 655 elems->cisco_dtpc_elem = pos; 656 break; 657 case WLAN_EID_ADDBA_EXT: 658 if (elen < sizeof(struct ieee80211_addba_ext_ie)) { 659 elem_parse_failed = 660 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 661 break; 662 } 663 elems->addba_ext_ie = (void *)pos; 664 break; 665 case WLAN_EID_TIMEOUT_INTERVAL: 666 if (elen >= sizeof(struct ieee80211_timeout_interval_ie)) 667 elems->timeout_int = (void *)pos; 668 else 669 elem_parse_failed = 670 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 671 break; 672 case WLAN_EID_BSS_MAX_IDLE_PERIOD: 673 if (elen >= sizeof(*elems->max_idle_period_ie)) 674 elems->max_idle_period_ie = (void *)pos; 675 break; 676 case WLAN_EID_RSNX: 677 elems->rsnx = pos; 678 elems->rsnx_len = elen; 679 break; 680 case WLAN_EID_TX_POWER_ENVELOPE: 681 if (params->mode < IEEE80211_CONN_MODE_HE) 682 break; 683 ieee80211_parse_tpe(&elems->tpe, pos, elen); 684 break; 685 case WLAN_EID_EXTENSION: 686 ieee80211_parse_extension_element(calc_crc ? 687 &crc : NULL, 688 elem, elems_parse, 689 params); 690 break; 691 case WLAN_EID_S1G_CAPABILITIES: 692 if (params->mode != IEEE80211_CONN_MODE_S1G) 693 break; 694 if (elen >= sizeof(*elems->s1g_capab)) 695 elems->s1g_capab = (void *)pos; 696 else 697 elem_parse_failed = 698 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 699 break; 700 case WLAN_EID_S1G_OPERATION: 701 if (params->mode != IEEE80211_CONN_MODE_S1G) 702 break; 703 if (elen == sizeof(*elems->s1g_oper)) 704 elems->s1g_oper = (void *)pos; 705 else 706 elem_parse_failed = 707 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 708 break; 709 case WLAN_EID_S1G_BCN_COMPAT: 710 if (params->mode != IEEE80211_CONN_MODE_S1G) 711 break; 712 if (elen == sizeof(*elems->s1g_bcn_compat)) 713 elems->s1g_bcn_compat = (void *)pos; 714 else 715 elem_parse_failed = 716 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 717 break; 718 case WLAN_EID_AID_RESPONSE: 719 if (params->mode != IEEE80211_CONN_MODE_S1G) 720 break; 721 if (elen == sizeof(struct ieee80211_aid_response_ie)) 722 elems->aid_resp = (void *)pos; 723 else 724 elem_parse_failed = 725 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 726 break; 727 default: 728 break; 729 } 730 731 if (elem_parse_failed) 732 elems->parse_error |= elem_parse_failed; 733 else 734 __set_bit(id, seen_elems); 735 } 736 737 if (!for_each_element_completed(elem, params->start, params->len)) 738 elems->parse_error |= IEEE80211_PARSE_ERR_INVALID_END; 739 740 return crc; 741 } 742 ieee802_11_find_bssid_profile(const u8 * start,size_t len,struct ieee802_11_elems * elems,struct cfg80211_bss * bss,u8 * nontransmitted_profile)743 static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len, 744 struct ieee802_11_elems *elems, 745 struct cfg80211_bss *bss, 746 u8 *nontransmitted_profile) 747 { 748 const struct element *elem, *sub; 749 size_t profile_len = 0; 750 bool found = false; 751 752 if (!bss || !bss->transmitted_bss) 753 return profile_len; 754 755 for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) { 756 if (elem->datalen < 2) 757 continue; 758 if (elem->data[0] < 1 || elem->data[0] > 8) 759 continue; 760 761 for_each_element(sub, elem->data + 1, elem->datalen - 1) { 762 u8 new_bssid[ETH_ALEN]; 763 const u8 *index; 764 765 if (sub->id != 0 || sub->datalen < 4) { 766 /* not a valid BSS profile */ 767 continue; 768 } 769 770 if (sub->data[0] != WLAN_EID_NON_TX_BSSID_CAP || 771 sub->data[1] != 2) { 772 /* The first element of the 773 * Nontransmitted BSSID Profile is not 774 * the Nontransmitted BSSID Capability 775 * element. 776 */ 777 continue; 778 } 779 780 memset(nontransmitted_profile, 0, len); 781 profile_len = cfg80211_merge_profile(start, len, 782 elem, 783 sub, 784 nontransmitted_profile, 785 len); 786 787 /* found a Nontransmitted BSSID Profile */ 788 index = cfg80211_find_ie(WLAN_EID_MULTI_BSSID_IDX, 789 nontransmitted_profile, 790 profile_len); 791 if (!index || index[1] < 1 || index[2] == 0) { 792 /* Invalid MBSSID Index element */ 793 continue; 794 } 795 796 cfg80211_gen_new_bssid(bss->transmitted_bss->bssid, 797 elem->data[0], 798 index[2], 799 new_bssid); 800 if (ether_addr_equal(new_bssid, bss->bssid)) { 801 found = true; 802 elems->bssid_index_len = index[1]; 803 elems->bssid_index = (void *)&index[2]; 804 break; 805 } 806 } 807 } 808 809 return found ? profile_len : 0; 810 } 811 812 static void ieee80211_mle_get_sta_prof(struct ieee80211_elems_parse * elems_parse,u8 link_id)813 ieee80211_mle_get_sta_prof(struct ieee80211_elems_parse *elems_parse, 814 u8 link_id) 815 { 816 struct ieee802_11_elems *elems = &elems_parse->elems; 817 const struct ieee80211_multi_link_elem *ml = elems->ml_basic; 818 ssize_t ml_len = elems->ml_basic_len; 819 const struct element *sub; 820 821 for_each_mle_subelement(sub, (u8 *)ml, ml_len) { 822 struct ieee80211_mle_per_sta_profile *prof = (void *)sub->data; 823 ssize_t sta_prof_len; 824 u16 control; 825 826 if (sub->id != IEEE80211_MLE_SUBELEM_PER_STA_PROFILE) 827 continue; 828 829 if (!ieee80211_mle_basic_sta_prof_size_ok(sub->data, 830 sub->datalen)) 831 return; 832 833 control = le16_to_cpu(prof->control); 834 835 if (link_id != u16_get_bits(control, 836 IEEE80211_MLE_STA_CONTROL_LINK_ID)) 837 continue; 838 839 if (!(control & IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE)) 840 return; 841 842 /* the sub element can be fragmented */ 843 sta_prof_len = 844 cfg80211_defragment_element(sub, 845 (u8 *)ml, ml_len, 846 elems_parse->scratch_pos, 847 elems_parse->scratch + 848 elems_parse->scratch_len - 849 elems_parse->scratch_pos, 850 IEEE80211_MLE_SUBELEM_FRAGMENT); 851 852 if (sta_prof_len < 0) 853 return; 854 855 elems->prof = (void *)elems_parse->scratch_pos; 856 elems->sta_prof_len = sta_prof_len; 857 elems_parse->scratch_pos += sta_prof_len; 858 859 return; 860 } 861 } 862 ieee80211_mle_parse_link(struct ieee80211_elems_parse * elems_parse,struct ieee80211_elems_parse_params * params)863 static void ieee80211_mle_parse_link(struct ieee80211_elems_parse *elems_parse, 864 struct ieee80211_elems_parse_params *params) 865 { 866 struct ieee802_11_elems *elems = &elems_parse->elems; 867 struct ieee80211_mle_per_sta_profile *prof; 868 struct ieee80211_elems_parse_params sub = { 869 .mode = params->mode, 870 .action = params->action, 871 .from_ap = params->from_ap, 872 .link_id = -1, 873 }; 874 ssize_t ml_len = elems->ml_basic_len; 875 const struct element *non_inherit = NULL; 876 const u8 *end; 877 878 ml_len = cfg80211_defragment_element(elems_parse->ml_basic_elem, 879 elems->ie_start, 880 elems->total_len, 881 elems_parse->scratch_pos, 882 elems_parse->scratch + 883 elems_parse->scratch_len - 884 elems_parse->scratch_pos, 885 WLAN_EID_FRAGMENT); 886 887 if (ml_len < 0) 888 return; 889 890 elems->ml_basic = (const void *)elems_parse->scratch_pos; 891 elems->ml_basic_len = ml_len; 892 elems_parse->scratch_pos += ml_len; 893 894 if (params->link_id == -1) 895 return; 896 897 ieee80211_mle_get_sta_prof(elems_parse, params->link_id); 898 prof = elems->prof; 899 900 if (!prof) 901 return; 902 903 /* check if we have the 4 bytes for the fixed part in assoc response */ 904 if (elems->sta_prof_len < sizeof(*prof) + prof->sta_info_len - 1 + 4) { 905 elems->prof = NULL; 906 elems->sta_prof_len = 0; 907 return; 908 } 909 910 /* 911 * Skip the capability information and the status code that are expected 912 * as part of the station profile in association response frames. Note 913 * the -1 is because the 'sta_info_len' is accounted to as part of the 914 * per-STA profile, but not part of the 'u8 variable[]' portion. 915 */ 916 sub.start = prof->variable + prof->sta_info_len - 1 + 4; 917 end = (const u8 *)prof + elems->sta_prof_len; 918 sub.len = end - sub.start; 919 920 non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, 921 sub.start, sub.len); 922 _ieee802_11_parse_elems_full(&sub, elems_parse, non_inherit); 923 } 924 925 static void ieee80211_mle_defrag_reconf(struct ieee80211_elems_parse * elems_parse)926 ieee80211_mle_defrag_reconf(struct ieee80211_elems_parse *elems_parse) 927 { 928 struct ieee802_11_elems *elems = &elems_parse->elems; 929 ssize_t ml_len; 930 931 ml_len = cfg80211_defragment_element(elems_parse->ml_reconf_elem, 932 elems->ie_start, 933 elems->total_len, 934 elems_parse->scratch_pos, 935 elems_parse->scratch + 936 elems_parse->scratch_len - 937 elems_parse->scratch_pos, 938 WLAN_EID_FRAGMENT); 939 if (ml_len < 0) 940 return; 941 elems->ml_reconf = (void *)elems_parse->scratch_pos; 942 elems->ml_reconf_len = ml_len; 943 elems_parse->scratch_pos += ml_len; 944 } 945 946 struct ieee802_11_elems * ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params * params)947 ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params) 948 { 949 struct ieee80211_elems_parse *elems_parse; 950 struct ieee802_11_elems *elems; 951 const struct element *non_inherit = NULL; 952 u8 *nontransmitted_profile; 953 int nontransmitted_profile_len = 0; 954 size_t scratch_len = 3 * params->len; 955 956 BUILD_BUG_ON(offsetof(typeof(*elems_parse), elems) != 0); 957 958 elems_parse = kzalloc(struct_size(elems_parse, scratch, scratch_len), 959 GFP_ATOMIC); 960 if (!elems_parse) 961 return NULL; 962 963 elems_parse->scratch_len = scratch_len; 964 elems_parse->scratch_pos = elems_parse->scratch; 965 966 elems = &elems_parse->elems; 967 elems->ie_start = params->start; 968 elems->total_len = params->len; 969 970 /* set all TPE entries to unlimited (but invalid) */ 971 ieee80211_clear_tpe(&elems->tpe); 972 ieee80211_clear_tpe(&elems->csa_tpe); 973 974 nontransmitted_profile = elems_parse->scratch_pos; 975 nontransmitted_profile_len = 976 ieee802_11_find_bssid_profile(params->start, params->len, 977 elems, params->bss, 978 nontransmitted_profile); 979 elems_parse->scratch_pos += nontransmitted_profile_len; 980 non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, 981 nontransmitted_profile, 982 nontransmitted_profile_len); 983 984 elems->crc = _ieee802_11_parse_elems_full(params, elems_parse, 985 non_inherit); 986 987 /* Override with nontransmitted profile, if found */ 988 if (nontransmitted_profile_len) { 989 struct ieee80211_elems_parse_params sub = { 990 .mode = params->mode, 991 .start = nontransmitted_profile, 992 .len = nontransmitted_profile_len, 993 .action = params->action, 994 .link_id = params->link_id, 995 }; 996 997 _ieee802_11_parse_elems_full(&sub, elems_parse, NULL); 998 } 999 1000 ieee80211_mle_parse_link(elems_parse, params); 1001 1002 ieee80211_mle_defrag_reconf(elems_parse); 1003 1004 if (elems->tim && !elems->parse_error) { 1005 const struct ieee80211_tim_ie *tim_ie = elems->tim; 1006 1007 elems->dtim_period = tim_ie->dtim_period; 1008 elems->dtim_count = tim_ie->dtim_count; 1009 } 1010 1011 /* Override DTIM period and count if needed */ 1012 if (elems->bssid_index && 1013 elems->bssid_index_len >= 1014 offsetofend(struct ieee80211_bssid_index, dtim_period)) 1015 elems->dtim_period = elems->bssid_index->dtim_period; 1016 1017 if (elems->bssid_index && 1018 elems->bssid_index_len >= 1019 offsetofend(struct ieee80211_bssid_index, dtim_count)) 1020 elems->dtim_count = elems->bssid_index->dtim_count; 1021 1022 return elems; 1023 } 1024 EXPORT_SYMBOL_IF_KUNIT(ieee802_11_parse_elems_full); 1025 ieee80211_parse_bitrates(enum nl80211_chan_width width,const struct ieee80211_supported_band * sband,const u8 * srates,int srates_len,u32 * rates)1026 int ieee80211_parse_bitrates(enum nl80211_chan_width width, 1027 const struct ieee80211_supported_band *sband, 1028 const u8 *srates, int srates_len, u32 *rates) 1029 { 1030 u32 rate_flags = ieee80211_chanwidth_rate_flags(width); 1031 struct ieee80211_rate *br; 1032 int brate, rate, i, j, count = 0; 1033 1034 *rates = 0; 1035 1036 for (i = 0; i < srates_len; i++) { 1037 rate = srates[i] & 0x7f; 1038 1039 for (j = 0; j < sband->n_bitrates; j++) { 1040 br = &sband->bitrates[j]; 1041 if ((rate_flags & br->flags) != rate_flags) 1042 continue; 1043 1044 brate = DIV_ROUND_UP(br->bitrate, 5); 1045 if (brate == rate) { 1046 *rates |= BIT(j); 1047 count++; 1048 break; 1049 } 1050 } 1051 } 1052 return count; 1053 } 1054