parse.c source code [Linux/net/mac80211/parse.c]

1	// SPDX-License-Identifier: GPL-2.0-only
2	/*
3	* Copyright 2002-2005, Instant802 Networks, Inc.
4	* Copyright 2005-2006, Devicescape Software, Inc.
5	* Copyright 2006-2007 Jiri Benc <jbenc@suse.cz>
6	* Copyright 2007 Johannes Berg <johannes@sipsolutions.net>
7	* Copyright 2013-2014 Intel Mobile Communications GmbH
8	* Copyright (C) 2015-2017 Intel Deutschland GmbH
9	* Copyright (C) 2018-2024 Intel Corporation
10	*
11	* element parsing for mac80211
12	*/
13
14	#include <net/mac80211.h>
15	#include <linux/netdevice.h>
16	#include <linux/export.h>
17	#include <linux/types.h>
18	#include <linux/slab.h>
19	#include <linux/skbuff.h>
20	#include <linux/etherdevice.h>
21	#include <linux/if_arp.h>
22	#include <linux/bitmap.h>
23	#include <linux/crc32.h>
24	#include <net/net_namespace.h>
25	#include <net/cfg80211.h>
26	#include <net/rtnetlink.h>
27	#include <kunit/visibility.h>
28
29	#include "ieee80211_i.h"
30	#include "driver-ops.h"
31	#include "rate.h"
32	#include "mesh.h"
33	#include "wme.h"
34	#include "led.h"
35	#include "wep.h"
36
37	struct ieee80211_elems_parse {
38	/ must be first for kfree to work /
39	struct ieee802_11_elems elems;
40
41	/ The basic Multi-Link element in the original elements /
42	const struct element *ml_basic_elem;
43
44	/ The reconfiguration Multi-Link element in the original elements /
45	const struct element *ml_reconf_elem;
46
47	/ The EPCS Multi-Link element in the original elements /
48	const struct element *ml_epcs_elem;
49
50	bool multi_link_inner;
51	bool skip_vendor;
52
53	/*
54	* scratch buffer that can be used for various element parsing related
55	* tasks, e.g., element de-fragmentation etc.
56	*/
57	size_t scratch_len;
58	u8 *scratch_pos;
59	u8 scratch[] __counted_by(scratch_len);
60	};
61
62	static void
63	ieee80211_parse_extension_element(u32 *crc,
64	const struct element *elem,
65	struct ieee80211_elems_parse *elems_parse,
66	struct ieee80211_elems_parse_params *params)
67	{
68	struct ieee802_11_elems *elems = &elems_parse->elems;
69	const void *data = elem->data + `1`;
70	bool calc_crc = false;
71	u8 len;
72
73	if (!elem->datalen)
74	return;
75
76	len = elem->datalen - `1`;
77
78	switch (elem->data[`0`]) {
79	case WLAN_EID_EXT_HE_MU_EDCA:
80	if (params->mode < IEEE80211_CONN_MODE_HE)
81	break;
82	calc_crc = true;
83	if (len >= sizeof(*elems->mu_edca_param_set))
84	elems->mu_edca_param_set = data;
85	break;
86	case WLAN_EID_EXT_HE_CAPABILITY:
87	if (params->mode < IEEE80211_CONN_MODE_HE)
88	break;
89	if (ieee80211_he_capa_size_ok(data, len)) {
90	elems->he_cap = data;
91	elems->he_cap_len = len;
92	}
93	break;
94	case WLAN_EID_EXT_HE_OPERATION:
95	if (params->mode < IEEE80211_CONN_MODE_HE)
96	break;
97	calc_crc = true;
98	if (len >= sizeof(*elems->he_operation) &&
99	len >= ieee80211_he_oper_size(he_oper_ie: data) - `1`)
100	elems->he_operation = data;
101	break;
102	case WLAN_EID_EXT_UORA:
103	if (params->mode < IEEE80211_CONN_MODE_HE)
104	break;
105	if (len >= `1`)
106	elems->uora_element = data;
107	break;
108	case WLAN_EID_EXT_MAX_CHANNEL_SWITCH_TIME:
109	if (len == `3`)
110	elems->max_channel_switch_time = data;
111	break;
112	case WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION:
113	if (len >= sizeof(*elems->mbssid_config_ie))
114	elems->mbssid_config_ie = data;
115	break;
116	case WLAN_EID_EXT_HE_SPR:
117	if (params->mode < IEEE80211_CONN_MODE_HE)
118	break;
119	if (len >= sizeof(*elems->he_spr) &&
120	len >= ieee80211_he_spr_size(he_spr_ie: data) - `1`)
121	elems->he_spr = data;
122	break;
123	case WLAN_EID_EXT_HE_6GHZ_CAPA:
124	if (params->mode < IEEE80211_CONN_MODE_HE)
125	break;
126	if (len >= sizeof(*elems->he_6ghz_capa))
127	elems->he_6ghz_capa = data;
128	break;
129	case WLAN_EID_EXT_EHT_CAPABILITY:
130	if (params->mode < IEEE80211_CONN_MODE_EHT)
131	break;
132	if (ieee80211_eht_capa_size_ok(he_capa: elems->he_cap,
133	data, len,
134	from_ap: params->from_ap)) {
135	elems->eht_cap = data;
136	elems->eht_cap_len = len;
137	}
138	break;
139	case WLAN_EID_EXT_EHT_OPERATION:
140	if (params->mode < IEEE80211_CONN_MODE_EHT)
141	break;
142	if (ieee80211_eht_oper_size_ok(data, len))
143	elems->eht_operation = data;
144	calc_crc = true;
145	break;
146	case WLAN_EID_EXT_EHT_MULTI_LINK:
147	if (params->mode < IEEE80211_CONN_MODE_EHT)
148	break;
149	calc_crc = true;
150
151	if (ieee80211_mle_size_ok(data, len)) {
152	const struct ieee80211_multi_link_elem *mle =
153	(void *)data;
154
155	switch (le16_get_bits(v: mle->control,
156	IEEE80211_ML_CONTROL_TYPE)) {
157	case IEEE80211_ML_CONTROL_TYPE_BASIC:
158	if (elems_parse->multi_link_inner) {
159	elems->parse_error \|=
160	IEEE80211_PARSE_ERR_DUP_NEST_ML_BASIC;
161	break;
162	}
163	break;
164	case IEEE80211_ML_CONTROL_TYPE_RECONF:
165	elems_parse->ml_reconf_elem = elem;
166	break;
167	case IEEE80211_ML_CONTROL_TYPE_PRIO_ACCESS:
168	elems_parse->ml_epcs_elem = elem;
169	break;
170	default:
171	break;
172	}
173	}
174	break;
175	case WLAN_EID_EXT_BANDWIDTH_INDICATION:
176	if (params->mode < IEEE80211_CONN_MODE_EHT)
177	break;
178	if (ieee80211_bandwidth_indication_size_ok(data, len))
179	elems->bandwidth_indication = data;
180	calc_crc = true;
181	break;
182	case WLAN_EID_EXT_TID_TO_LINK_MAPPING:
183	if (params->mode < IEEE80211_CONN_MODE_EHT)
184	break;
185	calc_crc = true;
186	if (ieee80211_tid_to_link_map_size_ok(data, len) &&
187	elems->ttlm_num < ARRAY_SIZE(elems->ttlm)) {
188	elems->ttlm[elems->ttlm_num] = (void *)data;
189	elems->ttlm_num++;
190	}
191	break;
192	}
193
194	if (crc && calc_crc)
195	crc = crc32_be(crc: crc, p: (void *)elem, len: elem->datalen + `2`);
196	}
197
198	static void ieee80211_parse_tpe(struct ieee80211_parsed_tpe *tpe,
199	const u8 *data, u8 len)
200	{
201	const struct ieee80211_tx_pwr_env env = (const* void *)data;
202	u8 count, interpret, category;
203	u8 out, N, cnt_out = NULL, *N_out = NULL;
204
205	if (!ieee80211_valid_tpe_element(data, len))
206	return;
207
208	count = u8_get_bits(v: env->info, IEEE80211_TX_PWR_ENV_INFO_COUNT);
209	interpret = u8_get_bits(v: env->info, IEEE80211_TX_PWR_ENV_INFO_INTERPRET);
210	category = u8_get_bits(v: env->info, IEEE80211_TX_PWR_ENV_INFO_CATEGORY);
211
212	switch (interpret) {
213	case IEEE80211_TPE_LOCAL_EIRP:
214	out = tpe->max_local[category].power;
215	cnt_out = &tpe->max_local[category].count;
216	tpe->max_local[category].valid = true;
217	break;
218	case IEEE80211_TPE_REG_CLIENT_EIRP:
219	out = tpe->max_reg_client[category].power;
220	cnt_out = &tpe->max_reg_client[category].count;
221	tpe->max_reg_client[category].valid = true;
222	break;
223	case IEEE80211_TPE_LOCAL_EIRP_PSD:
224	out = tpe->psd_local[category].power;
225	cnt_out = &tpe->psd_local[category].count;
226	N_out = &tpe->psd_local[category].n;
227	tpe->psd_local[category].valid = true;
228	break;
229	case IEEE80211_TPE_REG_CLIENT_EIRP_PSD:
230	out = tpe->psd_reg_client[category].power;
231	cnt_out = &tpe->psd_reg_client[category].count;
232	N_out = &tpe->psd_reg_client[category].n;
233	tpe->psd_reg_client[category].valid = true;
234	break;
235	}
236
237	switch (interpret) {
238	case IEEE80211_TPE_LOCAL_EIRP:
239	case IEEE80211_TPE_REG_CLIENT_EIRP:
240	/ count was validated <= 3, plus 320 MHz /
241	BUILD_BUG_ON(IEEE80211_TPE_EIRP_ENTRIES_320MHZ < `5`);
242	memcpy(to: out, from: env->variable, len: count + `1`);
243	*cnt_out = count + `1`;
244	/ separately take 320 MHz if present /
245	if (count == `3` && len > sizeof(*env) + count + `1`) {
246	out[`4`] = env->variable[`4`];
247	*cnt_out = `5`;
248	}
249	break;
250	case IEEE80211_TPE_LOCAL_EIRP_PSD:
251	case IEEE80211_TPE_REG_CLIENT_EIRP_PSD:
252	if (!count) {
253	memset(s: out, c: env->variable[`0`],
254	IEEE80211_TPE_PSD_ENTRIES_320MHZ);
255	*cnt_out = IEEE80211_TPE_PSD_ENTRIES_320MHZ;
256	break;
257	}
258
259	N = `1` << (count - `1`);
260	memcpy(to: out, from: env->variable, len: N);
261	*cnt_out = N;
262	*N_out = N;
263
264	if (len > sizeof(*env) + N) {
265	int K = u8_get_bits(v: env->variable[N],
266	IEEE80211_TX_PWR_ENV_EXT_COUNT);
267
268	K = min(K, IEEE80211_TPE_PSD_ENTRIES_320MHZ - N);
269	memcpy(to: out + N, from: env->variable + N + `1`, len: K);
270	(*cnt_out) += K;
271	}
272	break;
273	}
274	}
275
276	static u32
277	_ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params,
278	struct ieee80211_elems_parse *elems_parse,
279	const struct element *check_inherit)
280	{
281	struct ieee802_11_elems *elems = &elems_parse->elems;
282	const struct element *elem;
283	bool calc_crc = params->filter != `0`;
284	DECLARE_BITMAP(seen_elems, `256`);
285	u32 crc = params->crc;
286
287	bitmap_zero(dst: seen_elems, nbits: `256`);
288
289	for_each_element(elem, params->start, params->len) {
290	const struct element *subelem;
291	u8 elem_parse_failed;
292	u8 id = elem->id;
293	u8 elen = elem->datalen;
294	const u8 *pos = elem->data;
295
296	if (check_inherit &&
297	!cfg80211_is_element_inherited(element: elem,
298	non_inherit_element: check_inherit))
299	continue;
300
301	switch (id) {
302	case WLAN_EID_SSID:
303	case WLAN_EID_SUPP_RATES:
304	case WLAN_EID_FH_PARAMS:
305	case WLAN_EID_DS_PARAMS:
306	case WLAN_EID_CF_PARAMS:
307	case WLAN_EID_TIM:
308	case WLAN_EID_IBSS_PARAMS:
309	case WLAN_EID_CHALLENGE:
310	case WLAN_EID_RSN:
311	case WLAN_EID_ERP_INFO:
312	case WLAN_EID_EXT_SUPP_RATES:
313	case WLAN_EID_HT_CAPABILITY:
314	case WLAN_EID_HT_OPERATION:
315	case WLAN_EID_VHT_CAPABILITY:
316	case WLAN_EID_VHT_OPERATION:
317	case WLAN_EID_MESH_ID:
318	case WLAN_EID_MESH_CONFIG:
319	case WLAN_EID_PEER_MGMT:
320	case WLAN_EID_PREQ:
321	case WLAN_EID_PREP:
322	case WLAN_EID_PERR:
323	case WLAN_EID_RANN:
324	case WLAN_EID_CHANNEL_SWITCH:
325	case WLAN_EID_EXT_CHANSWITCH_ANN:
326	case WLAN_EID_COUNTRY:
327	case WLAN_EID_PWR_CONSTRAINT:
328	case WLAN_EID_TIMEOUT_INTERVAL:
329	case WLAN_EID_SECONDARY_CHANNEL_OFFSET:
330	case WLAN_EID_WIDE_BW_CHANNEL_SWITCH:
331	case WLAN_EID_CHAN_SWITCH_PARAM:
332	case WLAN_EID_EXT_CAPABILITY:
333	case WLAN_EID_CHAN_SWITCH_TIMING:
334	case WLAN_EID_LINK_ID:
335	case WLAN_EID_BSS_MAX_IDLE_PERIOD:
336	case WLAN_EID_RSNX:
337	case WLAN_EID_S1G_BCN_COMPAT:
338	case WLAN_EID_S1G_CAPABILITIES:
339	case WLAN_EID_S1G_OPERATION:
340	case WLAN_EID_AID_RESPONSE:
341	case WLAN_EID_S1G_SHORT_BCN_INTERVAL:
342	/*
343	* not listing WLAN_EID_CHANNEL_SWITCH_WRAPPER -- it seems possible
344	* that if the content gets bigger it might be needed more than once
345	*/
346	if (test_bit(id, seen_elems)) {
347	elems->parse_error \|=
348	IEEE80211_PARSE_ERR_DUP_ELEM;
349	continue;
350	}
351	break;
352	}
353
354	if (calc_crc && id < `64` && (params->filter & (`1ULL` << id)))
355	crc = crc32_be(crc, p: pos - `2`, len: elen + `2`);
356
357	elem_parse_failed = `0`;
358
359	switch (id) {
360	case WLAN_EID_LINK_ID:
361	if (elen + `2` < sizeof(struct ieee80211_tdls_lnkie)) {
362	elem_parse_failed =
363	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
364	break;
365	}
366	elems->lnk_id = (void *)(pos - `2`);
367	break;
368	case WLAN_EID_CHAN_SWITCH_TIMING:
369	if (elen < sizeof(struct ieee80211_ch_switch_timing)) {
370	elem_parse_failed =
371	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
372	break;
373	}
374	elems->ch_sw_timing = (void *)pos;
375	break;
376	case WLAN_EID_EXT_CAPABILITY:
377	elems->ext_capab = pos;
378	elems->ext_capab_len = elen;
379	break;
380	case WLAN_EID_SSID:
381	elems->ssid = pos;
382	elems->ssid_len = elen;
383	break;
384	case WLAN_EID_SUPP_RATES:
385	elems->supp_rates = pos;
386	elems->supp_rates_len = elen;
387	break;
388	case WLAN_EID_DS_PARAMS:
389	if (elen >= `1`)
390	elems->ds_params = pos;
391	else
392	elem_parse_failed =
393	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
394	break;
395	case WLAN_EID_TIM:
396	if (elen >= sizeof(struct ieee80211_tim_ie)) {
397	elems->tim = (void *)pos;
398	elems->tim_len = elen;
399	} else
400	elem_parse_failed =
401	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
402	break;
403	case WLAN_EID_VENDOR_SPECIFIC:
404	if (elems_parse->skip_vendor)
405	break;
406
407	if (elen >= `4` && pos[`0`] == `0x00` && pos[`1`] == `0x50` &&
408	pos[`2`] == `0xf2`) {
409	/ Microsoft OUI (00:50:F2) /
410
411	if (calc_crc)
412	crc = crc32_be(crc, p: pos - `2`, len: elen + `2`);
413
414	if (elen >= `5` && pos[`3`] == `2`) {
415	/ OUI Type 2 - WMM IE /
416	if (pos[`4`] == `0`) {
417	elems->wmm_info = pos;
418	elems->wmm_info_len = elen;
419	} else if (pos[`4`] == `1`) {
420	elems->wmm_param = pos;
421	elems->wmm_param_len = elen;
422	}
423	}
424	}
425	break;
426	case WLAN_EID_RSN:
427	elems->rsn = pos;
428	elems->rsn_len = elen;
429	break;
430	case WLAN_EID_ERP_INFO:
431	if (elen >= `1`)
432	elems->erp_info = pos;
433	else
434	elem_parse_failed =
435	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
436	break;
437	case WLAN_EID_EXT_SUPP_RATES:
438	elems->ext_supp_rates = pos;
439	elems->ext_supp_rates_len = elen;
440	break;
441	case WLAN_EID_HT_CAPABILITY:
442	if (params->mode < IEEE80211_CONN_MODE_HT)
443	break;
444	if (elen >= sizeof(struct ieee80211_ht_cap))
445	elems->ht_cap_elem = (void *)pos;
446	else
447	elem_parse_failed =
448	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
449	break;
450	case WLAN_EID_HT_OPERATION:
451	if (params->mode < IEEE80211_CONN_MODE_HT)
452	break;
453	if (elen >= sizeof(struct ieee80211_ht_operation))
454	elems->ht_operation = (void *)pos;
455	else
456	elem_parse_failed =
457	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
458	break;
459	case WLAN_EID_VHT_CAPABILITY:
460	if (params->mode < IEEE80211_CONN_MODE_VHT)
461	break;
462	if (elen >= sizeof(struct ieee80211_vht_cap))
463	elems->vht_cap_elem = (void *)pos;
464	else
465	elem_parse_failed =
466	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
467	break;
468	case WLAN_EID_VHT_OPERATION:
469	if (params->mode < IEEE80211_CONN_MODE_VHT)
470	break;
471	if (elen >= sizeof(struct ieee80211_vht_operation)) {
472	elems->vht_operation = (void *)pos;
473	if (calc_crc)
474	crc = crc32_be(crc, p: pos - `2`, len: elen + `2`);
475	break;
476	}
477	elem_parse_failed =
478	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
479	break;
480	case WLAN_EID_OPMODE_NOTIF:
481	if (params->mode < IEEE80211_CONN_MODE_VHT)
482	break;
483	if (elen > `0`) {
484	elems->opmode_notif = pos;
485	if (calc_crc)
486	crc = crc32_be(crc, p: pos - `2`, len: elen + `2`);
487	break;
488	}
489	elem_parse_failed =
490	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
491	break;
492	case WLAN_EID_MESH_ID:
493	elems->mesh_id = pos;
494	elems->mesh_id_len = elen;
495	break;
496	case WLAN_EID_MESH_CONFIG:
497	if (elen >= sizeof(struct ieee80211_meshconf_ie))
498	elems->mesh_config = (void *)pos;
499	else
500	elem_parse_failed =
501	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
502	break;
503	case WLAN_EID_PEER_MGMT:
504	elems->peering = pos;
505	elems->peering_len = elen;
506	break;
507	case WLAN_EID_MESH_AWAKE_WINDOW:
508	if (elen >= `2`)
509	elems->awake_window = (void *)pos;
510	break;
511	case WLAN_EID_PREQ:
512	elems->preq = pos;
513	elems->preq_len = elen;
514	break;
515	case WLAN_EID_PREP:
516	elems->prep = pos;
517	elems->prep_len = elen;
518	break;
519	case WLAN_EID_PERR:
520	elems->perr = pos;
521	elems->perr_len = elen;
522	break;
523	case WLAN_EID_RANN:
524	if (elen >= sizeof(struct ieee80211_rann_ie))
525	elems->rann = (void *)pos;
526	else
527	elem_parse_failed =
528	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
529	break;
530	case WLAN_EID_CHANNEL_SWITCH:
531	if (elen != sizeof(struct ieee80211_channel_sw_ie)) {
532	elem_parse_failed =
533	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
534	break;
535	}
536	elems->ch_switch_ie = (void *)pos;
537	break;
538	case WLAN_EID_EXT_CHANSWITCH_ANN:
539	if (elen != sizeof(struct ieee80211_ext_chansw_ie)) {
540	elem_parse_failed =
541	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
542	break;
543	}
544	elems->ext_chansw_ie = (void *)pos;
545	break;
546	case WLAN_EID_SECONDARY_CHANNEL_OFFSET:
547	if (params->mode < IEEE80211_CONN_MODE_HT)
548	break;
549	if (elen != sizeof(struct ieee80211_sec_chan_offs_ie)) {
550	elem_parse_failed =
551	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
552	break;
553	}
554	elems->sec_chan_offs = (void *)pos;
555	break;
556	case WLAN_EID_CHAN_SWITCH_PARAM:
557	if (elen <
558	sizeof(*elems->mesh_chansw_params_ie)) {
559	elem_parse_failed =
560	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
561	break;
562	}
563	elems->mesh_chansw_params_ie = (void *)pos;
564	break;
565	case WLAN_EID_WIDE_BW_CHANNEL_SWITCH:
566	if (params->mode < IEEE80211_CONN_MODE_VHT)
567	break;
568
569	if (!params->action) {
570	elem_parse_failed =
571	IEEE80211_PARSE_ERR_UNEXPECTED_ELEM;
572	break;
573	}
574
575	if (elen < sizeof(*elems->wide_bw_chansw_ie)) {
576	elem_parse_failed =
577	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
578	break;
579	}
580	elems->wide_bw_chansw_ie = (void *)pos;
581	break;
582	case WLAN_EID_CHANNEL_SWITCH_WRAPPER:
583	if (params->mode < IEEE80211_CONN_MODE_VHT)
584	break;
585	if (params->action) {
586	elem_parse_failed =
587	IEEE80211_PARSE_ERR_UNEXPECTED_ELEM;
588	break;
589	}
590	/*
591	* This is a bit tricky, but as we only care about
592	* a few elements, parse them out manually.
593	*/
594	subelem = cfg80211_find_elem(eid: WLAN_EID_WIDE_BW_CHANNEL_SWITCH,
595	ies: pos, len: elen);
596	if (subelem) {
597	if (subelem->datalen >= sizeof(*elems->wide_bw_chansw_ie))
598	elems->wide_bw_chansw_ie =
599	(void *)subelem->data;
600	else
601	elem_parse_failed =
602	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
603	}
604
605	if (params->mode < IEEE80211_CONN_MODE_EHT)
606	break;
607
608	subelem = cfg80211_find_ext_elem(ext_eid: WLAN_EID_EXT_BANDWIDTH_INDICATION,
609	ies: pos, len: elen);
610	if (subelem) {
611	const void *edata = subelem->data + `1`;
612	u8 edatalen = subelem->datalen - `1`;
613
614	if (ieee80211_bandwidth_indication_size_ok(data: edata,
615	len: edatalen))
616	elems->bandwidth_indication = edata;
617	else
618	elem_parse_failed =
619	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
620	}
621
622	subelem = cfg80211_find_ext_elem(ext_eid: WLAN_EID_TX_POWER_ENVELOPE,
623	ies: pos, len: elen);
624	if (subelem)
625	ieee80211_parse_tpe(tpe: &elems->csa_tpe,
626	data: subelem->data + `1`,
627	len: subelem->datalen - `1`);
628	break;
629	case WLAN_EID_COUNTRY:
630	elems->country_elem = pos;
631	elems->country_elem_len = elen;
632	break;
633	case WLAN_EID_PWR_CONSTRAINT:
634	if (elen != `1`) {
635	elem_parse_failed =
636	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
637	break;
638	}
639	elems->pwr_constr_elem = pos;
640	break;
641	case WLAN_EID_CISCO_VENDOR_SPECIFIC:
642	/ Lots of different options exist, but we only care*
643	* about the Dynamic Transmit Power Control element.
644	* First check for the Cisco OUI, then for the DTPC
645	* tag (0x00).
646	*/
647	if (elen < `4`) {
648	elem_parse_failed =
649	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
650	break;
651	}
652
653	if (pos[`0`] != `0x00` \|\| pos[`1`] != `0x40` \|\|
654	pos[`2`] != `0x96` \|\| pos[`3`] != `0x00`)
655	break;
656
657	if (elen != `6`) {
658	elem_parse_failed =
659	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
660	break;
661	}
662
663	if (calc_crc)
664	crc = crc32_be(crc, p: pos - `2`, len: elen + `2`);
665
666	elems->cisco_dtpc_elem = pos;
667	break;
668	case WLAN_EID_ADDBA_EXT:
669	if (elen < sizeof(struct ieee80211_addba_ext_ie)) {
670	elem_parse_failed =
671	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
672	break;
673	}
674	elems->addba_ext_ie = (void *)pos;
675	break;
676	case WLAN_EID_TIMEOUT_INTERVAL:
677	if (elen >= sizeof(struct ieee80211_timeout_interval_ie))
678	elems->timeout_int = (void *)pos;
679	else
680	elem_parse_failed =
681	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
682	break;
683	case WLAN_EID_BSS_MAX_IDLE_PERIOD:
684	if (elen >= sizeof(*elems->max_idle_period_ie))
685	elems->max_idle_period_ie = (void *)pos;
686	break;
687	case WLAN_EID_RSNX:
688	elems->rsnx = pos;
689	elems->rsnx_len = elen;
690	break;
691	case WLAN_EID_TX_POWER_ENVELOPE:
692	if (params->mode < IEEE80211_CONN_MODE_HE)
693	break;
694	ieee80211_parse_tpe(tpe: &elems->tpe, data: pos, len: elen);
695	break;
696	case WLAN_EID_EXTENSION:
697	ieee80211_parse_extension_element(crc: calc_crc ?
698	&crc : NULL,
699	elem, elems_parse,
700	params);
701	break;
702	case WLAN_EID_S1G_CAPABILITIES:
703	if (params->mode != IEEE80211_CONN_MODE_S1G)
704	break;
705	if (elen >= sizeof(*elems->s1g_capab))
706	elems->s1g_capab = (void *)pos;
707	else
708	elem_parse_failed =
709	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
710	break;
711	case WLAN_EID_S1G_OPERATION:
712	if (params->mode != IEEE80211_CONN_MODE_S1G)
713	break;
714	if (elen == sizeof(*elems->s1g_oper))
715	elems->s1g_oper = (void *)pos;
716	else
717	elem_parse_failed =
718	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
719	break;
720	case WLAN_EID_S1G_BCN_COMPAT:
721	if (params->mode != IEEE80211_CONN_MODE_S1G)
722	break;
723	if (elen == sizeof(*elems->s1g_bcn_compat))
724	elems->s1g_bcn_compat = (void *)pos;
725	else
726	elem_parse_failed =
727	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
728	break;
729	case WLAN_EID_AID_RESPONSE:
730	if (params->mode != IEEE80211_CONN_MODE_S1G)
731	break;
732	if (elen == sizeof(struct ieee80211_aid_response_ie))
733	elems->aid_resp = (void *)pos;
734	else
735	elem_parse_failed =
736	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
737	break;
738	default:
739	break;
740	}
741
742	if (elem_parse_failed)
743	elems->parse_error \|= elem_parse_failed;
744	else
745	__set_bit(id, seen_elems);
746	}
747
748	if (!for_each_element_completed(element: elem, data: params->start, datalen: params->len))
749	elems->parse_error \|= IEEE80211_PARSE_ERR_INVALID_END;
750
751	return crc;
752	}
753
754	static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
755	struct ieee802_11_elems *elems,
756	struct cfg80211_bss *bss,
757	u8 *nontransmitted_profile)
758	{
759	const struct element elem, sub;
760	size_t profile_len = `0`;
761
762	if (!bss \|\| !bss->transmitted_bss)
763	return profile_len;
764
765	for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
766	if (elem->datalen < `2`)
767	continue;
768	if (elem->data[`0`] < `1` \|\| elem->data[`0`] > `8`)
769	continue;
770
771	for_each_element(sub, elem->data + `1`, elem->datalen - `1`) {
772	u8 new_bssid[ETH_ALEN];
773	const u8 *index;
774
775	if (sub->id != `0` \|\| sub->datalen < `4`) {
776	/ not a valid BSS profile /
777	continue;
778	}
779
780	if (sub->data[`0`] != WLAN_EID_NON_TX_BSSID_CAP \|\|
781	sub->data[`1`] != `2`) {
782	/ The first element of the*
783	* Nontransmitted BSSID Profile is not
784	* the Nontransmitted BSSID Capability
785	* element.
786	*/
787	continue;
788	}
789
790	memset(s: nontransmitted_profile, c: `0`, n: len);
791	profile_len = cfg80211_merge_profile(ie: start, ielen: len,
792	mbssid_elem: elem,
793	sub_elem: sub,
794	merged_ie: nontransmitted_profile,
795	max_copy_len: len);
796
797	/ found a Nontransmitted BSSID Profile /
798	index = cfg80211_find_ie(eid: WLAN_EID_MULTI_BSSID_IDX,
799	ies: nontransmitted_profile,
800	len: profile_len);
801	if (!index \|\| index[`1`] < `1` \|\| index[`2`] == `0`) {
802	/ Invalid MBSSID Index element /
803	continue;
804	}
805
806	cfg80211_gen_new_bssid(bssid: bss->transmitted_bss->bssid,
807	max_bssid: elem->data[`0`],
808	mbssid_index: index[`2`],
809	new_bssid);
810	if (ether_addr_equal(addr1: new_bssid, addr2: bss->bssid)) {
811	elems->bssid_index_len = index[`1`];
812	elems->bssid_index = (void *)&index[`2`];
813	return profile_len;
814	}
815	}
816	}
817
818	return `0`;
819	}
820
821	static void
822	ieee80211_mle_get_sta_prof(struct ieee80211_elems_parse *elems_parse,
823	u8 link_id)
824	{
825	struct ieee802_11_elems *elems = &elems_parse->elems;
826	const struct ieee80211_multi_link_elem *ml = elems->ml_basic;
827	ssize_t ml_len = elems->ml_basic_len;
828	const struct element *sub;
829
830	for_each_mle_subelement(sub, (u8 *)ml, ml_len) {
831	struct ieee80211_mle_per_sta_profile prof = (void* *)sub->data;
832	ssize_t sta_prof_len;
833	u16 control;
834
835	if (sub->id != IEEE80211_MLE_SUBELEM_PER_STA_PROFILE)
836	continue;
837
838	if (!ieee80211_mle_basic_sta_prof_size_ok(data: sub->data,
839	len: sub->datalen))
840	return;
841
842	control = le16_to_cpu(prof->control);
843
844	if (link_id != u16_get_bits(v: control,
845	IEEE80211_MLE_STA_CONTROL_LINK_ID))
846	continue;
847
848	if (!(control & IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE))
849	return;
850
851	/ the sub element can be fragmented /
852	sta_prof_len =
853	cfg80211_defragment_element(elem: sub,
854	ies: (u8 *)ml, ieslen: ml_len,
855	data: elems_parse->scratch_pos,
856	data_len: elems_parse->scratch +
857	elems_parse->scratch_len -
858	elems_parse->scratch_pos,
859	frag_id: IEEE80211_MLE_SUBELEM_FRAGMENT);
860
861	if (sta_prof_len < `0`)
862	return;
863
864	elems->prof = (void *)elems_parse->scratch_pos;
865	elems->sta_prof_len = sta_prof_len;
866	elems_parse->scratch_pos += sta_prof_len;
867
868	return;
869	}
870	}
871
872	static const struct element *
873	ieee80211_prep_mle_link_parse(struct ieee80211_elems_parse *elems_parse,
874	struct ieee80211_elems_parse_params *params,
875	struct ieee80211_elems_parse_params *sub)
876	{
877	struct ieee802_11_elems *elems = &elems_parse->elems;
878	struct ieee80211_mle_per_sta_profile *prof;
879	const struct element *tmp;
880	ssize_t ml_len;
881	const u8 *end;
882
883	if (params->mode < IEEE80211_CONN_MODE_EHT)
884	return NULL;
885
886	for_each_element_extid(tmp, WLAN_EID_EXT_EHT_MULTI_LINK,
887	elems->ie_start, elems->total_len) {
888	const struct ieee80211_multi_link_elem *mle =
889	(void *)tmp->data + `1`;
890
891	if (!ieee80211_mle_size_ok(data: tmp->data + `1`, len: tmp->datalen - `1`))
892	continue;
893
894	if (le16_get_bits(v: mle->control, IEEE80211_ML_CONTROL_TYPE) !=
895	IEEE80211_ML_CONTROL_TYPE_BASIC)
896	continue;
897
898	elems_parse->ml_basic_elem = tmp;
899	break;
900	}
901
902	ml_len = cfg80211_defragment_element(elem: elems_parse->ml_basic_elem,
903	ies: elems->ie_start,
904	ieslen: elems->total_len,
905	data: elems_parse->scratch_pos,
906	data_len: elems_parse->scratch +
907	elems_parse->scratch_len -
908	elems_parse->scratch_pos,
909	frag_id: WLAN_EID_FRAGMENT);
910
911	if (ml_len < `0`)
912	return NULL;
913
914	elems->ml_basic = (const void *)elems_parse->scratch_pos;
915	elems->ml_basic_len = ml_len;
916	elems_parse->scratch_pos += ml_len;
917
918	if (params->link_id == -`1`)
919	return NULL;
920
921	ieee80211_mle_get_sta_prof(elems_parse, link_id: params->link_id);
922	prof = elems->prof;
923
924	if (!prof)
925	return NULL;
926
927	/ check if we have the 4 bytes for the fixed part in assoc response /
928	if (elems->sta_prof_len < sizeof(*prof) + prof->sta_info_len - `1` + `4`) {
929	elems->prof = NULL;
930	elems->sta_prof_len = `0`;
931	return NULL;
932	}
933
934	/*
935	* Skip the capability information and the status code that are expected
936	* as part of the station profile in association response frames. Note
937	* the -1 is because the 'sta_info_len' is accounted to as part of the
938	* per-STA profile, but not part of the 'u8 variable[]' portion.
939	*/
940	sub->start = prof->variable + prof->sta_info_len - `1` + `4`;
941	end = (const u8 *)prof + elems->sta_prof_len;
942	sub->len = end - sub->start;
943
944	sub->mode = params->mode;
945	sub->action = params->action;
946	sub->from_ap = params->from_ap;
947	sub->link_id = -`1`;
948
949	return cfg80211_find_ext_elem(ext_eid: WLAN_EID_EXT_NON_INHERITANCE,
950	ies: sub->start, len: sub->len);
951	}
952
953	static void
954	ieee80211_mle_defrag_reconf(struct ieee80211_elems_parse *elems_parse)
955	{
956	struct ieee802_11_elems *elems = &elems_parse->elems;
957	ssize_t ml_len;
958
959	ml_len = cfg80211_defragment_element(elem: elems_parse->ml_reconf_elem,
960	ies: elems->ie_start,
961	ieslen: elems->total_len,
962	data: elems_parse->scratch_pos,
963	data_len: elems_parse->scratch +
964	elems_parse->scratch_len -
965	elems_parse->scratch_pos,
966	frag_id: WLAN_EID_FRAGMENT);
967	if (ml_len < `0`)
968	return;
969	elems->ml_reconf = (void *)elems_parse->scratch_pos;
970	elems->ml_reconf_len = ml_len;
971	elems_parse->scratch_pos += ml_len;
972	}
973
974	static void
975	ieee80211_mle_defrag_epcs(struct ieee80211_elems_parse *elems_parse)
976	{
977	struct ieee802_11_elems *elems = &elems_parse->elems;
978	ssize_t ml_len;
979
980	ml_len = cfg80211_defragment_element(elem: elems_parse->ml_epcs_elem,
981	ies: elems->ie_start,
982	ieslen: elems->total_len,
983	data: elems_parse->scratch_pos,
984	data_len: elems_parse->scratch +
985	elems_parse->scratch_len -
986	elems_parse->scratch_pos,
987	frag_id: WLAN_EID_FRAGMENT);
988	if (ml_len < `0`)
989	return;
990	elems->ml_epcs = (void *)elems_parse->scratch_pos;
991	elems->ml_epcs_len = ml_len;
992	elems_parse->scratch_pos += ml_len;
993	}
994
995	struct ieee802_11_elems *
996	ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params)
997	{
998	struct ieee80211_elems_parse_params sub = {};
999	struct ieee80211_elems_parse *elems_parse;
1000	const struct element *non_inherit = NULL;
1001	struct ieee802_11_elems *elems;
1002	size_t scratch_len = `3` * params->len;
1003	bool multi_link_inner = false;
1004
1005	BUILD_BUG_ON(offsetof(typeof(*elems_parse), elems) != `0`);
1006
1007	/ cannot parse for both a specific link and non-transmitted BSS /
1008	if (WARN_ON(params->link_id >= `0` && params->bss))
1009	return NULL;
1010
1011	elems_parse = kzalloc(struct_size(elems_parse, scratch, scratch_len),
1012	GFP_ATOMIC);
1013	if (!elems_parse)
1014	return NULL;
1015
1016	elems_parse->scratch_len = scratch_len;
1017	elems_parse->scratch_pos = elems_parse->scratch;
1018
1019	elems = &elems_parse->elems;
1020	elems->ie_start = params->start;
1021	elems->total_len = params->len;
1022
1023	/ set all TPE entries to unlimited (but invalid) /
1024	ieee80211_clear_tpe(tpe: &elems->tpe);
1025	ieee80211_clear_tpe(tpe: &elems->csa_tpe);
1026
1027	/*
1028	* If we're looking for a non-transmitted BSS then we cannot at
1029	* the same time be looking for a second link as the two can only
1030	* appear in the same frame carrying info for different BSSes.
1031	*
1032	* In any case, we only look for one at a time, as encoded by
1033	* the WARN_ON above.
1034	*/
1035	if (params->bss) {
1036	int nontx_len =
1037	ieee802_11_find_bssid_profile(start: params->start,
1038	len: params->len,
1039	elems, bss: params->bss,
1040	nontransmitted_profile: elems_parse->scratch_pos);
1041	sub.start = elems_parse->scratch_pos;
1042	sub.mode = params->mode;
1043	sub.len = nontx_len;
1044	sub.action = params->action;
1045	sub.link_id = params->link_id;
1046
1047	/ consume the space used for non-transmitted profile /
1048	elems_parse->scratch_pos += nontx_len;
1049
1050	non_inherit = cfg80211_find_ext_elem(ext_eid: WLAN_EID_EXT_NON_INHERITANCE,
1051	ies: sub.start, len: nontx_len);
1052	} else {
1053	/ must always parse to get elems_parse->ml_basic_elem /
1054	non_inherit = ieee80211_prep_mle_link_parse(elems_parse, params,
1055	sub: &sub);
1056	multi_link_inner = true;
1057	}
1058
1059	elems_parse->skip_vendor =
1060	cfg80211_find_elem(eid: WLAN_EID_VENDOR_SPECIFIC,
1061	ies: sub.start, len: sub.len);
1062	elems->crc = _ieee802_11_parse_elems_full(params, elems_parse,
1063	check_inherit: non_inherit);
1064
1065	/ Override with nontransmitted/per-STA profile if found /
1066	if (sub.len) {
1067	elems_parse->multi_link_inner = multi_link_inner;
1068	elems_parse->skip_vendor = false;
1069	_ieee802_11_parse_elems_full(params: &sub, elems_parse, NULL);
1070	}
1071
1072	ieee80211_mle_defrag_reconf(elems_parse);
1073
1074	ieee80211_mle_defrag_epcs(elems_parse);
1075
1076	if (elems->tim && !elems->parse_error) {
1077	const struct ieee80211_tim_ie *tim_ie = elems->tim;
1078
1079	elems->dtim_period = tim_ie->dtim_period;
1080	elems->dtim_count = tim_ie->dtim_count;
1081	}
1082
1083	/ Override DTIM period and count if needed /
1084	if (elems->bssid_index &&
1085	elems->bssid_index_len >=
1086	offsetofend(struct ieee80211_bssid_index, dtim_period))
1087	elems->dtim_period = elems->bssid_index->dtim_period;
1088
1089	if (elems->bssid_index &&
1090	elems->bssid_index_len >=
1091	offsetofend(struct ieee80211_bssid_index, dtim_count))
1092	elems->dtim_count = elems->bssid_index->dtim_count;
1093
1094	return elems;
1095	}
1096	EXPORT_SYMBOL_IF_KUNIT(ieee802_11_parse_elems_full);
1097
1098	int ieee80211_parse_bitrates(enum nl80211_chan_width width,
1099	const struct ieee80211_supported_band *sband,
1100	const u8 srates, int* srates_len, u32 *rates)
1101	{
1102	struct ieee80211_rate *br;
1103	int brate, rate, i, j, count = `0`;
1104
1105	*rates = `0`;
1106
1107	for (i = `0`; i < srates_len; i++) {
1108	rate = srates[i] & `0x7f`;
1109
1110	for (j = `0`; j < sband->n_bitrates; j++) {
1111	br = &sband->bitrates[j];
1112
1113	brate = DIV_ROUND_UP(br->bitrate, `5`);
1114	if (brate == rate) {
1115	*rates \|= BIT(j);
1116	count++;
1117	break;
1118	}
1119	}
1120	}
1121	return count;
1122	}
1123

Browse the source code of Linux/net/mac80211/parse.c