1 /* 2 * Radiotap parser 3 * 4 * Copyright 2007 Andy Green <andy@warmcat.com> 5 * Copyright 2009 Johannes Berg <johannes@sipsolutions.net> 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License version 2 as 9 * published by the Free Software Foundation. 10 * 11 * Alternatively, this software may be distributed under the terms of ISC 12 * license, see COPYING for more details. 13 */ 14 #include "platform.h" 15 #include "radiotap_iter.h" 16 17 /* function prototypes and related defs are in radiotap_iter.h */ 18 19 static const struct radiotap_align_size rtap_namespace_sizes[] = { 20 [IEEE80211_RADIOTAP_TSFT] = { .align = 8, .size = 8, }, 21 [IEEE80211_RADIOTAP_FLAGS] = { .align = 1, .size = 1, }, 22 [IEEE80211_RADIOTAP_RATE] = { .align = 1, .size = 1, }, 23 [IEEE80211_RADIOTAP_CHANNEL] = { .align = 2, .size = 4, }, 24 [IEEE80211_RADIOTAP_FHSS] = { .align = 2, .size = 2, }, 25 [IEEE80211_RADIOTAP_DBM_ANTSIGNAL] = { .align = 1, .size = 1, }, 26 [IEEE80211_RADIOTAP_DBM_ANTNOISE] = { .align = 1, .size = 1, }, 27 [IEEE80211_RADIOTAP_LOCK_QUALITY] = { .align = 2, .size = 2, }, 28 [IEEE80211_RADIOTAP_TX_ATTENUATION] = { .align = 2, .size = 2, }, 29 [IEEE80211_RADIOTAP_DB_TX_ATTENUATION] = { .align = 2, .size = 2, }, 30 [IEEE80211_RADIOTAP_DBM_TX_POWER] = { .align = 1, .size = 1, }, 31 [IEEE80211_RADIOTAP_ANTENNA] = { .align = 1, .size = 1, }, 32 [IEEE80211_RADIOTAP_DB_ANTSIGNAL] = { .align = 1, .size = 1, }, 33 [IEEE80211_RADIOTAP_DB_ANTNOISE] = { .align = 1, .size = 1, }, 34 [IEEE80211_RADIOTAP_RX_FLAGS] = { .align = 2, .size = 2, }, 35 [IEEE80211_RADIOTAP_TX_FLAGS] = { .align = 2, .size = 2, }, 36 [IEEE80211_RADIOTAP_RTS_RETRIES] = { .align = 1, .size = 1, }, 37 [IEEE80211_RADIOTAP_DATA_RETRIES] = { .align = 1, .size = 1, }, 38 [IEEE80211_RADIOTAP_MCS] = { .align = 1, .size = 3, }, 39 [IEEE80211_RADIOTAP_AMPDU_STATUS] = { .align = 4, .size = 8, }, 40 [IEEE80211_RADIOTAP_VHT] = { .align = 2, .size = 12, }, 41 [IEEE80211_RADIOTAP_TIMESTAMP] = { .align = 8, .size = 12, }, 42 /* 43 * add more here as they are defined in radiotap.h 44 */ 45 }; 46 47 static const struct ieee80211_radiotap_namespace radiotap_ns = { 48 .n_bits = sizeof(rtap_namespace_sizes) / sizeof(rtap_namespace_sizes[0]), 49 .align_size = rtap_namespace_sizes, 50 }; 51 52 /** 53 * ieee80211_radiotap_iterator_init - radiotap parser iterator initialization 54 * @iterator: radiotap_iterator to initialize 55 * @radiotap_header: radiotap header to parse 56 * @max_length: total length we can parse into (eg, whole packet length) 57 * 58 * Returns: 0 or a negative error code if there is a problem. 59 * 60 * This function initializes an opaque iterator struct which can then 61 * be passed to ieee80211_radiotap_iterator_next() to visit every radiotap 62 * argument which is present in the header. It knows about extended 63 * present headers and handles them. 64 * 65 * How to use: 66 * call __ieee80211_radiotap_iterator_init() to init a semi-opaque iterator 67 * struct ieee80211_radiotap_iterator (no need to init the struct beforehand) 68 * checking for a good 0 return code. Then loop calling 69 * __ieee80211_radiotap_iterator_next()... it returns either 0, 70 * -ENOENT if there are no more args to parse, or -EINVAL if there is a problem. 71 * The iterator's @this_arg member points to the start of the argument 72 * associated with the current argument index that is present, which can be 73 * found in the iterator's @this_arg_index member. This arg index corresponds 74 * to the IEEE80211_RADIOTAP_... defines. 75 * 76 * Radiotap header length: 77 * You can find the CPU-endian total radiotap header length in 78 * iterator->max_length after executing ieee80211_radiotap_iterator_init() 79 * successfully. 80 * 81 * Alignment Gotcha: 82 * You must take care when dereferencing iterator.this_arg 83 * for multibyte types... the pointer is not aligned. Use 84 * get_unaligned((type *)iterator.this_arg) to dereference 85 * iterator.this_arg for type "type" safely on all arches. 86 * 87 * Example code: parse.c 88 */ 89 ieee80211_radiotap_iterator_init(struct ieee80211_radiotap_iterator * iterator,struct ieee80211_radiotap_header * radiotap_header,int max_length,const struct ieee80211_radiotap_vendor_namespaces * vns)90 int ieee80211_radiotap_iterator_init( 91 struct ieee80211_radiotap_iterator *iterator, 92 struct ieee80211_radiotap_header *radiotap_header, 93 int max_length, const struct ieee80211_radiotap_vendor_namespaces *vns) 94 { 95 /* must at least have the radiotap header */ 96 if (max_length < (int)sizeof(struct ieee80211_radiotap_header)) 97 return -EINVAL; 98 99 /* Linux only supports version 0 radiotap format */ 100 if (radiotap_header->it_version) 101 return -EINVAL; 102 103 /* sanity check for allowed length and radiotap length field */ 104 if (max_length < get_unaligned_le16(&radiotap_header->it_len)) 105 return -EINVAL; 106 107 iterator->_rtheader = radiotap_header; 108 iterator->_max_length = get_unaligned_le16(&radiotap_header->it_len); 109 iterator->_arg_index = 0; 110 iterator->_bitmap_shifter = get_unaligned_le32(&radiotap_header->it_present); 111 iterator->_arg = (uint8_t *)radiotap_header + sizeof(*radiotap_header); 112 iterator->_next_ns_data = NULL; 113 iterator->_reset_on_ext = 0; 114 iterator->_next_bitmap = (le32 *) (((u8 *) radiotap_header) + offsetof(struct ieee80211_radiotap_header, it_present)); 115 iterator->_next_bitmap++; 116 iterator->_vns = vns; 117 iterator->current_namespace = &radiotap_ns; 118 iterator->is_radiotap_ns = 1; 119 #ifdef RADIOTAP_SUPPORT_OVERRIDES 120 iterator->n_overrides = 0; 121 iterator->overrides = NULL; 122 #endif 123 124 /* find payload start allowing for extended bitmap(s) */ 125 126 if (iterator->_bitmap_shifter & BIT(IEEE80211_RADIOTAP_EXT)) { 127 if ((unsigned long)iterator->_arg - 128 (unsigned long)iterator->_rtheader + sizeof(uint32_t) > 129 (unsigned long)iterator->_max_length) 130 return -EINVAL; 131 while (get_unaligned_le32(iterator->_arg) & 132 BIT(IEEE80211_RADIOTAP_EXT)) { 133 iterator->_arg += sizeof(uint32_t); 134 135 /* 136 * check for insanity where the present bitmaps 137 * keep claiming to extend up to or even beyond the 138 * stated radiotap header length 139 */ 140 141 if ((unsigned long)iterator->_arg - 142 (unsigned long)iterator->_rtheader + 143 sizeof(uint32_t) > 144 (unsigned long)iterator->_max_length) 145 return -EINVAL; 146 } 147 148 iterator->_arg += sizeof(uint32_t); 149 150 /* 151 * no need to check again for blowing past stated radiotap 152 * header length, because ieee80211_radiotap_iterator_next 153 * checks it before it is dereferenced 154 */ 155 } 156 157 iterator->this_arg = iterator->_arg; 158 iterator->this_arg_index = 0; 159 iterator->this_arg_size = 0; 160 161 /* we are all initialized happily */ 162 163 return 0; 164 } 165 find_ns(struct ieee80211_radiotap_iterator * iterator,uint32_t oui,uint8_t subns)166 static void find_ns(struct ieee80211_radiotap_iterator *iterator, 167 uint32_t oui, uint8_t subns) 168 { 169 int i; 170 171 iterator->current_namespace = NULL; 172 173 if (!iterator->_vns) 174 return; 175 176 for (i = 0; i < iterator->_vns->n_ns; i++) { 177 if (iterator->_vns->ns[i].oui != oui) 178 continue; 179 if (iterator->_vns->ns[i].subns != subns) 180 continue; 181 182 iterator->current_namespace = &iterator->_vns->ns[i]; 183 break; 184 } 185 } 186 187 #ifdef RADIOTAP_SUPPORT_OVERRIDES find_override(struct ieee80211_radiotap_iterator * iterator,int * align,int * size)188 static int find_override(struct ieee80211_radiotap_iterator *iterator, 189 int *align, int *size) 190 { 191 int i; 192 193 if (!iterator->overrides) 194 return 0; 195 196 for (i = 0; i < iterator->n_overrides; i++) { 197 if (iterator->_arg_index == iterator->overrides[i].field) { 198 *align = iterator->overrides[i].align; 199 *size = iterator->overrides[i].size; 200 if (!*align) /* erroneous override */ 201 return 0; 202 return 1; 203 } 204 } 205 206 return 0; 207 } 208 #endif 209 210 211 /** 212 * ieee80211_radiotap_iterator_next - return next radiotap parser iterator arg 213 * @iterator: radiotap_iterator to move to next arg (if any) 214 * 215 * Returns: 0 if there is an argument to handle, 216 * -ENOENT if there are no more args or -EINVAL 217 * if there is something else wrong. 218 * 219 * This function provides the next radiotap arg index (IEEE80211_RADIOTAP_*) 220 * in @this_arg_index and sets @this_arg to point to the 221 * payload for the field. It takes care of alignment handling and extended 222 * present fields. @this_arg can be changed by the caller (eg, 223 * incremented to move inside a compound argument like 224 * IEEE80211_RADIOTAP_CHANNEL). The args pointed to are in 225 * little-endian format whatever the endianness of your CPU. 226 * 227 * Alignment Gotcha: 228 * You must take care when dereferencing iterator.this_arg 229 * for multibyte types... the pointer is not aligned. Use 230 * get_unaligned((type *)iterator.this_arg) to dereference 231 * iterator.this_arg for type "type" safely on all arches. 232 */ 233 ieee80211_radiotap_iterator_next(struct ieee80211_radiotap_iterator * iterator)234 int ieee80211_radiotap_iterator_next( 235 struct ieee80211_radiotap_iterator *iterator) 236 { 237 while (1) { 238 int hit = 0; 239 int pad, align, size, subns; 240 uint32_t oui; 241 242 /* if no more EXT bits, that's it */ 243 if ((iterator->_arg_index % 32) == IEEE80211_RADIOTAP_EXT && 244 !(iterator->_bitmap_shifter & 1)) 245 return -ENOENT; 246 247 if (!(iterator->_bitmap_shifter & 1)) 248 goto next_entry; /* arg not present */ 249 250 /* get alignment/size of data */ 251 switch (iterator->_arg_index % 32) { 252 case IEEE80211_RADIOTAP_RADIOTAP_NAMESPACE: 253 case IEEE80211_RADIOTAP_EXT: 254 align = 1; 255 size = 0; 256 break; 257 case IEEE80211_RADIOTAP_VENDOR_NAMESPACE: 258 align = 2; 259 size = 6; 260 break; 261 default: 262 #ifdef RADIOTAP_SUPPORT_OVERRIDES 263 if (find_override(iterator, &align, &size)) { 264 /* all set */ 265 } else 266 #endif 267 if (!iterator->current_namespace || 268 iterator->_arg_index >= iterator->current_namespace->n_bits) { 269 if (iterator->current_namespace == &radiotap_ns) 270 return -ENOENT; 271 align = 0; 272 } else { 273 align = iterator->current_namespace->align_size[iterator->_arg_index].align; 274 size = iterator->current_namespace->align_size[iterator->_arg_index].size; 275 } 276 if (!align) { 277 /* skip all subsequent data */ 278 iterator->_arg = iterator->_next_ns_data; 279 /* give up on this namespace */ 280 iterator->current_namespace = NULL; 281 goto next_entry; 282 } 283 break; 284 } 285 286 /* 287 * arg is present, account for alignment padding 288 * 289 * Note that these alignments are relative to the start 290 * of the radiotap header. There is no guarantee 291 * that the radiotap header itself is aligned on any 292 * kind of boundary. 293 * 294 * The above is why get_unaligned() is used to dereference 295 * multibyte elements from the radiotap area. 296 */ 297 298 pad = ((unsigned long)iterator->_arg - 299 (unsigned long)iterator->_rtheader) & (align - 1); 300 301 if (pad) 302 iterator->_arg += align - pad; 303 304 if (iterator->_arg_index % 32 == IEEE80211_RADIOTAP_VENDOR_NAMESPACE) { 305 int vnslen; 306 307 if ((unsigned long)iterator->_arg + size - 308 (unsigned long)iterator->_rtheader > 309 (unsigned long)iterator->_max_length) 310 return -EINVAL; 311 312 oui = (*iterator->_arg << 16) | 313 (*(iterator->_arg + 1) << 8) | 314 *(iterator->_arg + 2); 315 subns = *(iterator->_arg + 3); 316 317 find_ns(iterator, oui, subns); 318 319 vnslen = get_unaligned_le16(iterator->_arg + 4); 320 iterator->_next_ns_data = iterator->_arg + size + vnslen; 321 if (!iterator->current_namespace) 322 size += vnslen; 323 } 324 325 /* 326 * this is what we will return to user, but we need to 327 * move on first so next call has something fresh to test 328 */ 329 iterator->this_arg_index = iterator->_arg_index; 330 iterator->this_arg = iterator->_arg; 331 iterator->this_arg_size = size; 332 333 /* internally move on the size of this arg */ 334 iterator->_arg += size; 335 336 /* 337 * check for insanity where we are given a bitmap that 338 * claims to have more arg content than the length of the 339 * radiotap section. We will normally end up equalling this 340 * max_length on the last arg, never exceeding it. 341 */ 342 343 if ((unsigned long)iterator->_arg - 344 (unsigned long)iterator->_rtheader > 345 (unsigned long)iterator->_max_length) 346 return -EINVAL; 347 348 /* these special ones are valid in each bitmap word */ 349 switch (iterator->_arg_index % 32) { 350 case IEEE80211_RADIOTAP_VENDOR_NAMESPACE: 351 iterator->_reset_on_ext = 1; 352 353 iterator->is_radiotap_ns = 0; 354 /* 355 * If parser didn't register this vendor 356 * namespace with us, allow it to show it 357 * as 'raw. Do do that, set argument index 358 * to vendor namespace. 359 */ 360 iterator->this_arg_index = 361 IEEE80211_RADIOTAP_VENDOR_NAMESPACE; 362 if (!iterator->current_namespace) 363 hit = 1; 364 goto next_entry; 365 case IEEE80211_RADIOTAP_RADIOTAP_NAMESPACE: 366 iterator->_reset_on_ext = 1; 367 iterator->current_namespace = &radiotap_ns; 368 iterator->is_radiotap_ns = 1; 369 goto next_entry; 370 case IEEE80211_RADIOTAP_EXT: 371 /* 372 * bit 31 was set, there is more 373 * -- move to next u32 bitmap 374 */ 375 iterator->_bitmap_shifter = 376 get_unaligned_le32(iterator->_next_bitmap); 377 iterator->_next_bitmap++; 378 if (iterator->_reset_on_ext) 379 iterator->_arg_index = 0; 380 else 381 iterator->_arg_index++; 382 iterator->_reset_on_ext = 0; 383 break; 384 default: 385 /* we've got a hit! */ 386 hit = 1; 387 next_entry: 388 iterator->_bitmap_shifter >>= 1; 389 iterator->_arg_index++; 390 } 391 392 /* if we found a valid arg earlier, return it now */ 393 if (hit) 394 return 0; 395 } 396 } 397