Loading...
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * Copyright 2002-2005, Instant802 Networks, Inc.
4 * Copyright 2005-2006, Devicescape Software, Inc.
5 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz>
6 * Copyright 2007 Johannes Berg <johannes@sipsolutions.net>
7 * Copyright 2013-2014 Intel Mobile Communications GmbH
8 * Copyright (C) 2015-2017 Intel Deutschland GmbH
9 * Copyright (C) 2018-2024 Intel Corporation
10 *
11 * element parsing for mac80211
12 */
13
14#include <net/mac80211.h>
15#include <linux/netdevice.h>
16#include <linux/export.h>
17#include <linux/types.h>
18#include <linux/slab.h>
19#include <linux/skbuff.h>
20#include <linux/etherdevice.h>
21#include <linux/if_arp.h>
22#include <linux/bitmap.h>
23#include <linux/crc32.h>
24#include <net/net_namespace.h>
25#include <net/cfg80211.h>
26#include <net/rtnetlink.h>
27#include <kunit/visibility.h>
28
29#include "ieee80211_i.h"
30#include "driver-ops.h"
31#include "rate.h"
32#include "mesh.h"
33#include "wme.h"
34#include "led.h"
35#include "wep.h"
36
37struct ieee80211_elems_parse {
38 /* must be first for kfree to work */
39 struct ieee802_11_elems elems;
40
41 /* The basic Multi-Link element in the original elements */
42 const struct element *ml_basic_elem;
43
44 /* The reconfiguration Multi-Link element in the original elements */
45 const struct element *ml_reconf_elem;
46
47 /* The EPCS Multi-Link element in the original elements */
48 const struct element *ml_epcs_elem;
49
50 bool multi_link_inner;
51 bool skip_vendor;
52
53 /*
54 * scratch buffer that can be used for various element parsing related
55 * tasks, e.g., element de-fragmentation etc.
56 */
57 size_t scratch_len;
58 u8 *scratch_pos;
59 u8 scratch[] __counted_by(scratch_len);
60};
61
62static void
63ieee80211_parse_extension_element(u32 *crc,
64 const struct element *elem,
65 struct ieee80211_elems_parse *elems_parse,
66 struct ieee80211_elems_parse_params *params)
67{
68 struct ieee802_11_elems *elems = &elems_parse->elems;
69 const void *data = elem->data + 1;
70 bool calc_crc = false;
71 u8 len;
72
73 if (!elem->datalen)
74 return;
75
76 len = elem->datalen - 1;
77
78 switch (elem->data[0]) {
79 case WLAN_EID_EXT_HE_MU_EDCA:
80 if (params->mode < IEEE80211_CONN_MODE_HE)
81 break;
82 calc_crc = true;
83 if (len >= sizeof(*elems->mu_edca_param_set))
84 elems->mu_edca_param_set = data;
85 break;
86 case WLAN_EID_EXT_HE_CAPABILITY:
87 if (params->mode < IEEE80211_CONN_MODE_HE)
88 break;
89 if (ieee80211_he_capa_size_ok(data, len)) {
90 elems->he_cap = data;
91 elems->he_cap_len = len;
92 }
93 break;
94 case WLAN_EID_EXT_HE_OPERATION:
95 if (params->mode < IEEE80211_CONN_MODE_HE)
96 break;
97 calc_crc = true;
98 if (len >= sizeof(*elems->he_operation) &&
99 len >= ieee80211_he_oper_size(data) - 1)
100 elems->he_operation = data;
101 break;
102 case WLAN_EID_EXT_UORA:
103 if (params->mode < IEEE80211_CONN_MODE_HE)
104 break;
105 if (len >= 1)
106 elems->uora_element = data;
107 break;
108 case WLAN_EID_EXT_MAX_CHANNEL_SWITCH_TIME:
109 if (len == 3)
110 elems->max_channel_switch_time = data;
111 break;
112 case WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION:
113 if (len >= sizeof(*elems->mbssid_config_ie))
114 elems->mbssid_config_ie = data;
115 break;
116 case WLAN_EID_EXT_HE_SPR:
117 if (params->mode < IEEE80211_CONN_MODE_HE)
118 break;
119 if (len >= sizeof(*elems->he_spr) &&
120 len >= ieee80211_he_spr_size(data) - 1)
121 elems->he_spr = data;
122 break;
123 case WLAN_EID_EXT_HE_6GHZ_CAPA:
124 if (params->mode < IEEE80211_CONN_MODE_HE)
125 break;
126 if (len >= sizeof(*elems->he_6ghz_capa))
127 elems->he_6ghz_capa = data;
128 break;
129 case WLAN_EID_EXT_EHT_CAPABILITY:
130 if (params->mode < IEEE80211_CONN_MODE_EHT)
131 break;
132 if (ieee80211_eht_capa_size_ok(elems->he_cap,
133 data, len,
134 params->from_ap)) {
135 elems->eht_cap = data;
136 elems->eht_cap_len = len;
137 }
138 break;
139 case WLAN_EID_EXT_EHT_OPERATION:
140 if (params->mode < IEEE80211_CONN_MODE_EHT)
141 break;
142 if (ieee80211_eht_oper_size_ok(data, len))
143 elems->eht_operation = data;
144 calc_crc = true;
145 break;
146 case WLAN_EID_EXT_EHT_MULTI_LINK:
147 if (params->mode < IEEE80211_CONN_MODE_EHT)
148 break;
149 calc_crc = true;
150
151 if (ieee80211_mle_size_ok(data, len)) {
152 const struct ieee80211_multi_link_elem *mle =
153 (void *)data;
154
155 switch (le16_get_bits(mle->control,
156 IEEE80211_ML_CONTROL_TYPE)) {
157 case IEEE80211_ML_CONTROL_TYPE_BASIC:
158 if (elems_parse->multi_link_inner) {
159 elems->parse_error |=
160 IEEE80211_PARSE_ERR_DUP_NEST_ML_BASIC;
161 break;
162 }
163 break;
164 case IEEE80211_ML_CONTROL_TYPE_RECONF:
165 elems_parse->ml_reconf_elem = elem;
166 break;
167 case IEEE80211_ML_CONTROL_TYPE_PRIO_ACCESS:
168 elems_parse->ml_epcs_elem = elem;
169 break;
170 default:
171 break;
172 }
173 }
174 break;
175 case WLAN_EID_EXT_BANDWIDTH_INDICATION:
176 if (params->mode < IEEE80211_CONN_MODE_EHT)
177 break;
178 if (ieee80211_bandwidth_indication_size_ok(data, len))
179 elems->bandwidth_indication = data;
180 calc_crc = true;
181 break;
182 case WLAN_EID_EXT_TID_TO_LINK_MAPPING:
183 if (params->mode < IEEE80211_CONN_MODE_EHT)
184 break;
185 calc_crc = true;
186 if (ieee80211_tid_to_link_map_size_ok(data, len) &&
187 elems->ttlm_num < ARRAY_SIZE(elems->ttlm)) {
188 elems->ttlm[elems->ttlm_num] = (void *)data;
189 elems->ttlm_num++;
190 }
191 break;
192 }
193
194 if (crc && calc_crc)
195 *crc = crc32_be(*crc, (void *)elem, elem->datalen + 2);
196}
197
198static void ieee80211_parse_tpe(struct ieee80211_parsed_tpe *tpe,
199 const u8 *data, u8 len)
200{
201 const struct ieee80211_tx_pwr_env *env = (const void *)data;
202 u8 count, interpret, category;
203 u8 *out, N, *cnt_out = NULL, *N_out = NULL;
204
205 if (!ieee80211_valid_tpe_element(data, len))
206 return;
207
208 count = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_COUNT);
209 interpret = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_INTERPRET);
210 category = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_CATEGORY);
211
212 switch (interpret) {
213 case IEEE80211_TPE_LOCAL_EIRP:
214 out = tpe->max_local[category].power;
215 cnt_out = &tpe->max_local[category].count;
216 tpe->max_local[category].valid = true;
217 break;
218 case IEEE80211_TPE_REG_CLIENT_EIRP:
219 out = tpe->max_reg_client[category].power;
220 cnt_out = &tpe->max_reg_client[category].count;
221 tpe->max_reg_client[category].valid = true;
222 break;
223 case IEEE80211_TPE_LOCAL_EIRP_PSD:
224 out = tpe->psd_local[category].power;
225 cnt_out = &tpe->psd_local[category].count;
226 N_out = &tpe->psd_local[category].n;
227 tpe->psd_local[category].valid = true;
228 break;
229 case IEEE80211_TPE_REG_CLIENT_EIRP_PSD:
230 out = tpe->psd_reg_client[category].power;
231 cnt_out = &tpe->psd_reg_client[category].count;
232 N_out = &tpe->psd_reg_client[category].n;
233 tpe->psd_reg_client[category].valid = true;
234 break;
235 }
236
237 switch (interpret) {
238 case IEEE80211_TPE_LOCAL_EIRP:
239 case IEEE80211_TPE_REG_CLIENT_EIRP:
240 /* count was validated <= 3, plus 320 MHz */
241 BUILD_BUG_ON(IEEE80211_TPE_EIRP_ENTRIES_320MHZ < 5);
242 memcpy(out, env->variable, count + 1);
243 *cnt_out = count + 1;
244 /* separately take 320 MHz if present */
245 if (count == 3 && len > sizeof(*env) + count + 1) {
246 out[4] = env->variable[4];
247 *cnt_out = 5;
248 }
249 break;
250 case IEEE80211_TPE_LOCAL_EIRP_PSD:
251 case IEEE80211_TPE_REG_CLIENT_EIRP_PSD:
252 if (!count) {
253 memset(out, env->variable[0],
254 IEEE80211_TPE_PSD_ENTRIES_320MHZ);
255 *cnt_out = IEEE80211_TPE_PSD_ENTRIES_320MHZ;
256 break;
257 }
258
259 N = 1 << (count - 1);
260 memcpy(out, env->variable, N);
261 *cnt_out = N;
262 *N_out = N;
263
264 if (len > sizeof(*env) + N) {
265 int K = u8_get_bits(env->variable[N],
266 IEEE80211_TX_PWR_ENV_EXT_COUNT);
267
268 K = min(K, IEEE80211_TPE_PSD_ENTRIES_320MHZ - N);
269 memcpy(out + N, env->variable + N + 1, K);
270 (*cnt_out) += K;
271 }
272 break;
273 }
274}
275
276static u32
277_ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params,
278 struct ieee80211_elems_parse *elems_parse,
279 const struct element *check_inherit)
280{
281 struct ieee802_11_elems *elems = &elems_parse->elems;
282 const struct element *elem;
283 bool calc_crc = params->filter != 0;
284 DECLARE_BITMAP(seen_elems, 256);
285 u32 crc = params->crc;
286
287 bitmap_zero(seen_elems, 256);
288
289 for_each_element(elem, params->start, params->len) {
290 const struct element *subelem;
291 u8 elem_parse_failed;
292 u8 id = elem->id;
293 u8 elen = elem->datalen;
294 const u8 *pos = elem->data;
295
296 if (check_inherit &&
297 !cfg80211_is_element_inherited(elem,
298 check_inherit))
299 continue;
300
301 switch (id) {
302 case WLAN_EID_SSID:
303 case WLAN_EID_SUPP_RATES:
304 case WLAN_EID_FH_PARAMS:
305 case WLAN_EID_DS_PARAMS:
306 case WLAN_EID_CF_PARAMS:
307 case WLAN_EID_TIM:
308 case WLAN_EID_IBSS_PARAMS:
309 case WLAN_EID_CHALLENGE:
310 case WLAN_EID_RSN:
311 case WLAN_EID_ERP_INFO:
312 case WLAN_EID_EXT_SUPP_RATES:
313 case WLAN_EID_HT_CAPABILITY:
314 case WLAN_EID_HT_OPERATION:
315 case WLAN_EID_VHT_CAPABILITY:
316 case WLAN_EID_VHT_OPERATION:
317 case WLAN_EID_MESH_ID:
318 case WLAN_EID_MESH_CONFIG:
319 case WLAN_EID_PEER_MGMT:
320 case WLAN_EID_PREQ:
321 case WLAN_EID_PREP:
322 case WLAN_EID_PERR:
323 case WLAN_EID_RANN:
324 case WLAN_EID_CHANNEL_SWITCH:
325 case WLAN_EID_EXT_CHANSWITCH_ANN:
326 case WLAN_EID_COUNTRY:
327 case WLAN_EID_PWR_CONSTRAINT:
328 case WLAN_EID_TIMEOUT_INTERVAL:
329 case WLAN_EID_SECONDARY_CHANNEL_OFFSET:
330 case WLAN_EID_WIDE_BW_CHANNEL_SWITCH:
331 case WLAN_EID_CHAN_SWITCH_PARAM:
332 case WLAN_EID_EXT_CAPABILITY:
333 case WLAN_EID_CHAN_SWITCH_TIMING:
334 case WLAN_EID_LINK_ID:
335 case WLAN_EID_BSS_MAX_IDLE_PERIOD:
336 case WLAN_EID_RSNX:
337 case WLAN_EID_S1G_BCN_COMPAT:
338 case WLAN_EID_S1G_CAPABILITIES:
339 case WLAN_EID_S1G_OPERATION:
340 case WLAN_EID_AID_RESPONSE:
341 case WLAN_EID_S1G_SHORT_BCN_INTERVAL:
342 /*
343 * not listing WLAN_EID_CHANNEL_SWITCH_WRAPPER -- it seems possible
344 * that if the content gets bigger it might be needed more than once
345 */
346 if (test_bit(id, seen_elems)) {
347 elems->parse_error |=
348 IEEE80211_PARSE_ERR_DUP_ELEM;
349 continue;
350 }
351 break;
352 }
353
354 if (calc_crc && id < 64 && (params->filter & (1ULL << id)))
355 crc = crc32_be(crc, pos - 2, elen + 2);
356
357 elem_parse_failed = 0;
358
359 switch (id) {
360 case WLAN_EID_LINK_ID:
361 if (elen + 2 < sizeof(struct ieee80211_tdls_lnkie)) {
362 elem_parse_failed =
363 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
364 break;
365 }
366 elems->lnk_id = (void *)(pos - 2);
367 break;
368 case WLAN_EID_CHAN_SWITCH_TIMING:
369 if (elen < sizeof(struct ieee80211_ch_switch_timing)) {
370 elem_parse_failed =
371 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
372 break;
373 }
374 elems->ch_sw_timing = (void *)pos;
375 break;
376 case WLAN_EID_EXT_CAPABILITY:
377 elems->ext_capab = pos;
378 elems->ext_capab_len = elen;
379 break;
380 case WLAN_EID_SSID:
381 elems->ssid = pos;
382 elems->ssid_len = elen;
383 break;
384 case WLAN_EID_SUPP_RATES:
385 elems->supp_rates = pos;
386 elems->supp_rates_len = elen;
387 break;
388 case WLAN_EID_DS_PARAMS:
389 if (elen >= 1)
390 elems->ds_params = pos;
391 else
392 elem_parse_failed =
393 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
394 break;
395 case WLAN_EID_TIM:
396 if (elen >= sizeof(struct ieee80211_tim_ie)) {
397 elems->tim = (void *)pos;
398 elems->tim_len = elen;
399 } else
400 elem_parse_failed =
401 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
402 break;
403 case WLAN_EID_VENDOR_SPECIFIC:
404 if (elems_parse->skip_vendor)
405 break;
406
407 if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 &&
408 pos[2] == 0xf2) {
409 /* Microsoft OUI (00:50:F2) */
410
411 if (calc_crc)
412 crc = crc32_be(crc, pos - 2, elen + 2);
413
414 if (elen >= 5 && pos[3] == 2) {
415 /* OUI Type 2 - WMM IE */
416 if (pos[4] == 0) {
417 elems->wmm_info = pos;
418 elems->wmm_info_len = elen;
419 } else if (pos[4] == 1) {
420 elems->wmm_param = pos;
421 elems->wmm_param_len = elen;
422 }
423 }
424 }
425 break;
426 case WLAN_EID_RSN:
427 elems->rsn = pos;
428 elems->rsn_len = elen;
429 break;
430 case WLAN_EID_ERP_INFO:
431 if (elen >= 1)
432 elems->erp_info = pos;
433 else
434 elem_parse_failed =
435 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
436 break;
437 case WLAN_EID_EXT_SUPP_RATES:
438 elems->ext_supp_rates = pos;
439 elems->ext_supp_rates_len = elen;
440 break;
441 case WLAN_EID_HT_CAPABILITY:
442 if (params->mode < IEEE80211_CONN_MODE_HT)
443 break;
444 if (elen >= sizeof(struct ieee80211_ht_cap))
445 elems->ht_cap_elem = (void *)pos;
446 else
447 elem_parse_failed =
448 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
449 break;
450 case WLAN_EID_HT_OPERATION:
451 if (params->mode < IEEE80211_CONN_MODE_HT)
452 break;
453 if (elen >= sizeof(struct ieee80211_ht_operation))
454 elems->ht_operation = (void *)pos;
455 else
456 elem_parse_failed =
457 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
458 break;
459 case WLAN_EID_VHT_CAPABILITY:
460 if (params->mode < IEEE80211_CONN_MODE_VHT)
461 break;
462 if (elen >= sizeof(struct ieee80211_vht_cap))
463 elems->vht_cap_elem = (void *)pos;
464 else
465 elem_parse_failed =
466 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
467 break;
468 case WLAN_EID_VHT_OPERATION:
469 if (params->mode < IEEE80211_CONN_MODE_VHT)
470 break;
471 if (elen >= sizeof(struct ieee80211_vht_operation)) {
472 elems->vht_operation = (void *)pos;
473 if (calc_crc)
474 crc = crc32_be(crc, pos - 2, elen + 2);
475 break;
476 }
477 elem_parse_failed =
478 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
479 break;
480 case WLAN_EID_OPMODE_NOTIF:
481 if (params->mode < IEEE80211_CONN_MODE_VHT)
482 break;
483 if (elen > 0) {
484 elems->opmode_notif = pos;
485 if (calc_crc)
486 crc = crc32_be(crc, pos - 2, elen + 2);
487 break;
488 }
489 elem_parse_failed =
490 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
491 break;
492 case WLAN_EID_MESH_ID:
493 elems->mesh_id = pos;
494 elems->mesh_id_len = elen;
495 break;
496 case WLAN_EID_MESH_CONFIG:
497 if (elen >= sizeof(struct ieee80211_meshconf_ie))
498 elems->mesh_config = (void *)pos;
499 else
500 elem_parse_failed =
501 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
502 break;
503 case WLAN_EID_PEER_MGMT:
504 elems->peering = pos;
505 elems->peering_len = elen;
506 break;
507 case WLAN_EID_MESH_AWAKE_WINDOW:
508 if (elen >= 2)
509 elems->awake_window = (void *)pos;
510 break;
511 case WLAN_EID_PREQ:
512 elems->preq = pos;
513 elems->preq_len = elen;
514 break;
515 case WLAN_EID_PREP:
516 elems->prep = pos;
517 elems->prep_len = elen;
518 break;
519 case WLAN_EID_PERR:
520 elems->perr = pos;
521 elems->perr_len = elen;
522 break;
523 case WLAN_EID_RANN:
524 if (elen >= sizeof(struct ieee80211_rann_ie))
525 elems->rann = (void *)pos;
526 else
527 elem_parse_failed =
528 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
529 break;
530 case WLAN_EID_CHANNEL_SWITCH:
531 if (elen != sizeof(struct ieee80211_channel_sw_ie)) {
532 elem_parse_failed =
533 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
534 break;
535 }
536 elems->ch_switch_ie = (void *)pos;
537 break;
538 case WLAN_EID_EXT_CHANSWITCH_ANN:
539 if (elen != sizeof(struct ieee80211_ext_chansw_ie)) {
540 elem_parse_failed =
541 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
542 break;
543 }
544 elems->ext_chansw_ie = (void *)pos;
545 break;
546 case WLAN_EID_SECONDARY_CHANNEL_OFFSET:
547 if (params->mode < IEEE80211_CONN_MODE_HT)
548 break;
549 if (elen != sizeof(struct ieee80211_sec_chan_offs_ie)) {
550 elem_parse_failed =
551 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
552 break;
553 }
554 elems->sec_chan_offs = (void *)pos;
555 break;
556 case WLAN_EID_CHAN_SWITCH_PARAM:
557 if (elen <
558 sizeof(*elems->mesh_chansw_params_ie)) {
559 elem_parse_failed =
560 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
561 break;
562 }
563 elems->mesh_chansw_params_ie = (void *)pos;
564 break;
565 case WLAN_EID_WIDE_BW_CHANNEL_SWITCH:
566 if (params->mode < IEEE80211_CONN_MODE_VHT)
567 break;
568
569 if (!params->action) {
570 elem_parse_failed =
571 IEEE80211_PARSE_ERR_UNEXPECTED_ELEM;
572 break;
573 }
574
575 if (elen < sizeof(*elems->wide_bw_chansw_ie)) {
576 elem_parse_failed =
577 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
578 break;
579 }
580 elems->wide_bw_chansw_ie = (void *)pos;
581 break;
582 case WLAN_EID_CHANNEL_SWITCH_WRAPPER:
583 if (params->mode < IEEE80211_CONN_MODE_VHT)
584 break;
585 if (params->action) {
586 elem_parse_failed =
587 IEEE80211_PARSE_ERR_UNEXPECTED_ELEM;
588 break;
589 }
590 /*
591 * This is a bit tricky, but as we only care about
592 * a few elements, parse them out manually.
593 */
594 subelem = cfg80211_find_elem(WLAN_EID_WIDE_BW_CHANNEL_SWITCH,
595 pos, elen);
596 if (subelem) {
597 if (subelem->datalen >= sizeof(*elems->wide_bw_chansw_ie))
598 elems->wide_bw_chansw_ie =
599 (void *)subelem->data;
600 else
601 elem_parse_failed =
602 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
603 }
604
605 if (params->mode < IEEE80211_CONN_MODE_EHT)
606 break;
607
608 subelem = cfg80211_find_ext_elem(WLAN_EID_EXT_BANDWIDTH_INDICATION,
609 pos, elen);
610 if (subelem) {
611 const void *edata = subelem->data + 1;
612 u8 edatalen = subelem->datalen - 1;
613
614 if (ieee80211_bandwidth_indication_size_ok(edata,
615 edatalen))
616 elems->bandwidth_indication = edata;
617 else
618 elem_parse_failed =
619 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
620 }
621
622 subelem = cfg80211_find_ext_elem(WLAN_EID_TX_POWER_ENVELOPE,
623 pos, elen);
624 if (subelem)
625 ieee80211_parse_tpe(&elems->csa_tpe,
626 subelem->data + 1,
627 subelem->datalen - 1);
628 break;
629 case WLAN_EID_COUNTRY:
630 elems->country_elem = pos;
631 elems->country_elem_len = elen;
632 break;
633 case WLAN_EID_PWR_CONSTRAINT:
634 if (elen != 1) {
635 elem_parse_failed =
636 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
637 break;
638 }
639 elems->pwr_constr_elem = pos;
640 break;
641 case WLAN_EID_CISCO_VENDOR_SPECIFIC:
642 /* Lots of different options exist, but we only care
643 * about the Dynamic Transmit Power Control element.
644 * First check for the Cisco OUI, then for the DTPC
645 * tag (0x00).
646 */
647 if (elen < 4) {
648 elem_parse_failed =
649 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
650 break;
651 }
652
653 if (pos[0] != 0x00 || pos[1] != 0x40 ||
654 pos[2] != 0x96 || pos[3] != 0x00)
655 break;
656
657 if (elen != 6) {
658 elem_parse_failed =
659 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
660 break;
661 }
662
663 if (calc_crc)
664 crc = crc32_be(crc, pos - 2, elen + 2);
665
666 elems->cisco_dtpc_elem = pos;
667 break;
668 case WLAN_EID_ADDBA_EXT:
669 if (elen < sizeof(struct ieee80211_addba_ext_ie)) {
670 elem_parse_failed =
671 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
672 break;
673 }
674 elems->addba_ext_ie = (void *)pos;
675 break;
676 case WLAN_EID_TIMEOUT_INTERVAL:
677 if (elen >= sizeof(struct ieee80211_timeout_interval_ie))
678 elems->timeout_int = (void *)pos;
679 else
680 elem_parse_failed =
681 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
682 break;
683 case WLAN_EID_BSS_MAX_IDLE_PERIOD:
684 if (elen >= sizeof(*elems->max_idle_period_ie))
685 elems->max_idle_period_ie = (void *)pos;
686 break;
687 case WLAN_EID_RSNX:
688 elems->rsnx = pos;
689 elems->rsnx_len = elen;
690 break;
691 case WLAN_EID_TX_POWER_ENVELOPE:
692 if (params->mode < IEEE80211_CONN_MODE_HE)
693 break;
694 ieee80211_parse_tpe(&elems->tpe, pos, elen);
695 break;
696 case WLAN_EID_EXTENSION:
697 ieee80211_parse_extension_element(calc_crc ?
698 &crc : NULL,
699 elem, elems_parse,
700 params);
701 break;
702 case WLAN_EID_S1G_CAPABILITIES:
703 if (params->mode != IEEE80211_CONN_MODE_S1G)
704 break;
705 if (elen >= sizeof(*elems->s1g_capab))
706 elems->s1g_capab = (void *)pos;
707 else
708 elem_parse_failed =
709 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
710 break;
711 case WLAN_EID_S1G_OPERATION:
712 if (params->mode != IEEE80211_CONN_MODE_S1G)
713 break;
714 if (elen == sizeof(*elems->s1g_oper))
715 elems->s1g_oper = (void *)pos;
716 else
717 elem_parse_failed =
718 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
719 break;
720 case WLAN_EID_S1G_BCN_COMPAT:
721 if (params->mode != IEEE80211_CONN_MODE_S1G)
722 break;
723 if (elen == sizeof(*elems->s1g_bcn_compat))
724 elems->s1g_bcn_compat = (void *)pos;
725 else
726 elem_parse_failed =
727 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
728 break;
729 case WLAN_EID_AID_RESPONSE:
730 if (params->mode != IEEE80211_CONN_MODE_S1G)
731 break;
732 if (elen == sizeof(struct ieee80211_aid_response_ie))
733 elems->aid_resp = (void *)pos;
734 else
735 elem_parse_failed =
736 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
737 break;
738 default:
739 break;
740 }
741
742 if (elem_parse_failed)
743 elems->parse_error |= elem_parse_failed;
744 else
745 __set_bit(id, seen_elems);
746 }
747
748 if (!for_each_element_completed(elem, params->start, params->len))
749 elems->parse_error |= IEEE80211_PARSE_ERR_INVALID_END;
750
751 return crc;
752}
753
754static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
755 struct ieee802_11_elems *elems,
756 struct cfg80211_bss *bss,
757 u8 *nontransmitted_profile)
758{
759 const struct element *elem, *sub;
760 size_t profile_len = 0;
761 bool found = false;
762
763 if (!bss || !bss->transmitted_bss)
764 return profile_len;
765
766 for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
767 if (elem->datalen < 2)
768 continue;
769 if (elem->data[0] < 1 || elem->data[0] > 8)
770 continue;
771
772 for_each_element(sub, elem->data + 1, elem->datalen - 1) {
773 u8 new_bssid[ETH_ALEN];
774 const u8 *index;
775
776 if (sub->id != 0 || sub->datalen < 4) {
777 /* not a valid BSS profile */
778 continue;
779 }
780
781 if (sub->data[0] != WLAN_EID_NON_TX_BSSID_CAP ||
782 sub->data[1] != 2) {
783 /* The first element of the
784 * Nontransmitted BSSID Profile is not
785 * the Nontransmitted BSSID Capability
786 * element.
787 */
788 continue;
789 }
790
791 memset(nontransmitted_profile, 0, len);
792 profile_len = cfg80211_merge_profile(start, len,
793 elem,
794 sub,
795 nontransmitted_profile,
796 len);
797
798 /* found a Nontransmitted BSSID Profile */
799 index = cfg80211_find_ie(WLAN_EID_MULTI_BSSID_IDX,
800 nontransmitted_profile,
801 profile_len);
802 if (!index || index[1] < 1 || index[2] == 0) {
803 /* Invalid MBSSID Index element */
804 continue;
805 }
806
807 cfg80211_gen_new_bssid(bss->transmitted_bss->bssid,
808 elem->data[0],
809 index[2],
810 new_bssid);
811 if (ether_addr_equal(new_bssid, bss->bssid)) {
812 found = true;
813 elems->bssid_index_len = index[1];
814 elems->bssid_index = (void *)&index[2];
815 break;
816 }
817 }
818 }
819
820 return found ? profile_len : 0;
821}
822
823static void
824ieee80211_mle_get_sta_prof(struct ieee80211_elems_parse *elems_parse,
825 u8 link_id)
826{
827 struct ieee802_11_elems *elems = &elems_parse->elems;
828 const struct ieee80211_multi_link_elem *ml = elems->ml_basic;
829 ssize_t ml_len = elems->ml_basic_len;
830 const struct element *sub;
831
832 for_each_mle_subelement(sub, (u8 *)ml, ml_len) {
833 struct ieee80211_mle_per_sta_profile *prof = (void *)sub->data;
834 ssize_t sta_prof_len;
835 u16 control;
836
837 if (sub->id != IEEE80211_MLE_SUBELEM_PER_STA_PROFILE)
838 continue;
839
840 if (!ieee80211_mle_basic_sta_prof_size_ok(sub->data,
841 sub->datalen))
842 return;
843
844 control = le16_to_cpu(prof->control);
845
846 if (link_id != u16_get_bits(control,
847 IEEE80211_MLE_STA_CONTROL_LINK_ID))
848 continue;
849
850 if (!(control & IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE))
851 return;
852
853 /* the sub element can be fragmented */
854 sta_prof_len =
855 cfg80211_defragment_element(sub,
856 (u8 *)ml, ml_len,
857 elems_parse->scratch_pos,
858 elems_parse->scratch +
859 elems_parse->scratch_len -
860 elems_parse->scratch_pos,
861 IEEE80211_MLE_SUBELEM_FRAGMENT);
862
863 if (sta_prof_len < 0)
864 return;
865
866 elems->prof = (void *)elems_parse->scratch_pos;
867 elems->sta_prof_len = sta_prof_len;
868 elems_parse->scratch_pos += sta_prof_len;
869
870 return;
871 }
872}
873
874static const struct element *
875ieee80211_prep_mle_link_parse(struct ieee80211_elems_parse *elems_parse,
876 struct ieee80211_elems_parse_params *params,
877 struct ieee80211_elems_parse_params *sub)
878{
879 struct ieee802_11_elems *elems = &elems_parse->elems;
880 struct ieee80211_mle_per_sta_profile *prof;
881 const struct element *tmp;
882 ssize_t ml_len;
883 const u8 *end;
884
885 if (params->mode < IEEE80211_CONN_MODE_EHT)
886 return NULL;
887
888 for_each_element_extid(tmp, WLAN_EID_EXT_EHT_MULTI_LINK,
889 elems->ie_start, elems->total_len) {
890 const struct ieee80211_multi_link_elem *mle =
891 (void *)tmp->data + 1;
892
893 if (!ieee80211_mle_size_ok(tmp->data + 1, tmp->datalen - 1))
894 continue;
895
896 if (le16_get_bits(mle->control, IEEE80211_ML_CONTROL_TYPE) !=
897 IEEE80211_ML_CONTROL_TYPE_BASIC)
898 continue;
899
900 elems_parse->ml_basic_elem = tmp;
901 break;
902 }
903
904 ml_len = cfg80211_defragment_element(elems_parse->ml_basic_elem,
905 elems->ie_start,
906 elems->total_len,
907 elems_parse->scratch_pos,
908 elems_parse->scratch +
909 elems_parse->scratch_len -
910 elems_parse->scratch_pos,
911 WLAN_EID_FRAGMENT);
912
913 if (ml_len < 0)
914 return NULL;
915
916 elems->ml_basic = (const void *)elems_parse->scratch_pos;
917 elems->ml_basic_len = ml_len;
918 elems_parse->scratch_pos += ml_len;
919
920 if (params->link_id == -1)
921 return NULL;
922
923 ieee80211_mle_get_sta_prof(elems_parse, params->link_id);
924 prof = elems->prof;
925
926 if (!prof)
927 return NULL;
928
929 /* check if we have the 4 bytes for the fixed part in assoc response */
930 if (elems->sta_prof_len < sizeof(*prof) + prof->sta_info_len - 1 + 4) {
931 elems->prof = NULL;
932 elems->sta_prof_len = 0;
933 return NULL;
934 }
935
936 /*
937 * Skip the capability information and the status code that are expected
938 * as part of the station profile in association response frames. Note
939 * the -1 is because the 'sta_info_len' is accounted to as part of the
940 * per-STA profile, but not part of the 'u8 variable[]' portion.
941 */
942 sub->start = prof->variable + prof->sta_info_len - 1 + 4;
943 end = (const u8 *)prof + elems->sta_prof_len;
944 sub->len = end - sub->start;
945
946 sub->mode = params->mode;
947 sub->action = params->action;
948 sub->from_ap = params->from_ap;
949 sub->link_id = -1;
950
951 return cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
952 sub->start, sub->len);
953}
954
955static void
956ieee80211_mle_defrag_reconf(struct ieee80211_elems_parse *elems_parse)
957{
958 struct ieee802_11_elems *elems = &elems_parse->elems;
959 ssize_t ml_len;
960
961 ml_len = cfg80211_defragment_element(elems_parse->ml_reconf_elem,
962 elems->ie_start,
963 elems->total_len,
964 elems_parse->scratch_pos,
965 elems_parse->scratch +
966 elems_parse->scratch_len -
967 elems_parse->scratch_pos,
968 WLAN_EID_FRAGMENT);
969 if (ml_len < 0)
970 return;
971 elems->ml_reconf = (void *)elems_parse->scratch_pos;
972 elems->ml_reconf_len = ml_len;
973 elems_parse->scratch_pos += ml_len;
974}
975
976static void
977ieee80211_mle_defrag_epcs(struct ieee80211_elems_parse *elems_parse)
978{
979 struct ieee802_11_elems *elems = &elems_parse->elems;
980 ssize_t ml_len;
981
982 ml_len = cfg80211_defragment_element(elems_parse->ml_epcs_elem,
983 elems->ie_start,
984 elems->total_len,
985 elems_parse->scratch_pos,
986 elems_parse->scratch +
987 elems_parse->scratch_len -
988 elems_parse->scratch_pos,
989 WLAN_EID_FRAGMENT);
990 if (ml_len < 0)
991 return;
992 elems->ml_epcs = (void *)elems_parse->scratch_pos;
993 elems->ml_epcs_len = ml_len;
994 elems_parse->scratch_pos += ml_len;
995}
996
997struct ieee802_11_elems *
998ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params)
999{
1000 struct ieee80211_elems_parse_params sub = {};
1001 struct ieee80211_elems_parse *elems_parse;
1002 const struct element *non_inherit = NULL;
1003 struct ieee802_11_elems *elems;
1004 size_t scratch_len = 3 * params->len;
1005 bool multi_link_inner = false;
1006
1007 BUILD_BUG_ON(offsetof(typeof(*elems_parse), elems) != 0);
1008
1009 /* cannot parse for both a specific link and non-transmitted BSS */
1010 if (WARN_ON(params->link_id >= 0 && params->bss))
1011 return NULL;
1012
1013 elems_parse = kzalloc(struct_size(elems_parse, scratch, scratch_len),
1014 GFP_ATOMIC);
1015 if (!elems_parse)
1016 return NULL;
1017
1018 elems_parse->scratch_len = scratch_len;
1019 elems_parse->scratch_pos = elems_parse->scratch;
1020
1021 elems = &elems_parse->elems;
1022 elems->ie_start = params->start;
1023 elems->total_len = params->len;
1024
1025 /* set all TPE entries to unlimited (but invalid) */
1026 ieee80211_clear_tpe(&elems->tpe);
1027 ieee80211_clear_tpe(&elems->csa_tpe);
1028
1029 /*
1030 * If we're looking for a non-transmitted BSS then we cannot at
1031 * the same time be looking for a second link as the two can only
1032 * appear in the same frame carrying info for different BSSes.
1033 *
1034 * In any case, we only look for one at a time, as encoded by
1035 * the WARN_ON above.
1036 */
1037 if (params->bss) {
1038 int nontx_len =
1039 ieee802_11_find_bssid_profile(params->start,
1040 params->len,
1041 elems, params->bss,
1042 elems_parse->scratch_pos);
1043 sub.start = elems_parse->scratch_pos;
1044 sub.mode = params->mode;
1045 sub.len = nontx_len;
1046 sub.action = params->action;
1047 sub.link_id = params->link_id;
1048
1049 /* consume the space used for non-transmitted profile */
1050 elems_parse->scratch_pos += nontx_len;
1051
1052 non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
1053 sub.start, nontx_len);
1054 } else {
1055 /* must always parse to get elems_parse->ml_basic_elem */
1056 non_inherit = ieee80211_prep_mle_link_parse(elems_parse, params,
1057 &sub);
1058 multi_link_inner = true;
1059 }
1060
1061 elems_parse->skip_vendor =
1062 cfg80211_find_elem(WLAN_EID_VENDOR_SPECIFIC,
1063 sub.start, sub.len);
1064 elems->crc = _ieee802_11_parse_elems_full(params, elems_parse,
1065 non_inherit);
1066
1067 /* Override with nontransmitted/per-STA profile if found */
1068 if (sub.len) {
1069 elems_parse->multi_link_inner = multi_link_inner;
1070 elems_parse->skip_vendor = false;
1071 _ieee802_11_parse_elems_full(&sub, elems_parse, NULL);
1072 }
1073
1074 ieee80211_mle_defrag_reconf(elems_parse);
1075
1076 ieee80211_mle_defrag_epcs(elems_parse);
1077
1078 if (elems->tim && !elems->parse_error) {
1079 const struct ieee80211_tim_ie *tim_ie = elems->tim;
1080
1081 elems->dtim_period = tim_ie->dtim_period;
1082 elems->dtim_count = tim_ie->dtim_count;
1083 }
1084
1085 /* Override DTIM period and count if needed */
1086 if (elems->bssid_index &&
1087 elems->bssid_index_len >=
1088 offsetofend(struct ieee80211_bssid_index, dtim_period))
1089 elems->dtim_period = elems->bssid_index->dtim_period;
1090
1091 if (elems->bssid_index &&
1092 elems->bssid_index_len >=
1093 offsetofend(struct ieee80211_bssid_index, dtim_count))
1094 elems->dtim_count = elems->bssid_index->dtim_count;
1095
1096 return elems;
1097}
1098EXPORT_SYMBOL_IF_KUNIT(ieee802_11_parse_elems_full);
1099
1100int ieee80211_parse_bitrates(enum nl80211_chan_width width,
1101 const struct ieee80211_supported_band *sband,
1102 const u8 *srates, int srates_len, u32 *rates)
1103{
1104 u32 rate_flags = ieee80211_chanwidth_rate_flags(width);
1105 struct ieee80211_rate *br;
1106 int brate, rate, i, j, count = 0;
1107
1108 *rates = 0;
1109
1110 for (i = 0; i < srates_len; i++) {
1111 rate = srates[i] & 0x7f;
1112
1113 for (j = 0; j < sband->n_bitrates; j++) {
1114 br = &sband->bitrates[j];
1115 if ((rate_flags & br->flags) != rate_flags)
1116 continue;
1117
1118 brate = DIV_ROUND_UP(br->bitrate, 5);
1119 if (brate == rate) {
1120 *rates |= BIT(j);
1121 count++;
1122 break;
1123 }
1124 }
1125 }
1126 return count;
1127}
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * Copyright 2002-2005, Instant802 Networks, Inc.
4 * Copyright 2005-2006, Devicescape Software, Inc.
5 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz>
6 * Copyright 2007 Johannes Berg <johannes@sipsolutions.net>
7 * Copyright 2013-2014 Intel Mobile Communications GmbH
8 * Copyright (C) 2015-2017 Intel Deutschland GmbH
9 * Copyright (C) 2018-2024 Intel Corporation
10 *
11 * element parsing for mac80211
12 */
13
14#include <net/mac80211.h>
15#include <linux/netdevice.h>
16#include <linux/export.h>
17#include <linux/types.h>
18#include <linux/slab.h>
19#include <linux/skbuff.h>
20#include <linux/etherdevice.h>
21#include <linux/if_arp.h>
22#include <linux/bitmap.h>
23#include <linux/crc32.h>
24#include <net/net_namespace.h>
25#include <net/cfg80211.h>
26#include <net/rtnetlink.h>
27#include <kunit/visibility.h>
28
29#include "ieee80211_i.h"
30#include "driver-ops.h"
31#include "rate.h"
32#include "mesh.h"
33#include "wme.h"
34#include "led.h"
35#include "wep.h"
36
37struct ieee80211_elems_parse {
38 /* must be first for kfree to work */
39 struct ieee802_11_elems elems;
40
41 /* The basic Multi-Link element in the original elements */
42 const struct element *ml_basic_elem;
43
44 /* The reconfiguration Multi-Link element in the original elements */
45 const struct element *ml_reconf_elem;
46
47 /*
48 * scratch buffer that can be used for various element parsing related
49 * tasks, e.g., element de-fragmentation etc.
50 */
51 size_t scratch_len;
52 u8 *scratch_pos;
53 u8 scratch[] __counted_by(scratch_len);
54};
55
56static void
57ieee80211_parse_extension_element(u32 *crc,
58 const struct element *elem,
59 struct ieee80211_elems_parse *elems_parse,
60 struct ieee80211_elems_parse_params *params)
61{
62 struct ieee802_11_elems *elems = &elems_parse->elems;
63 const void *data = elem->data + 1;
64 bool calc_crc = false;
65 u8 len;
66
67 if (!elem->datalen)
68 return;
69
70 len = elem->datalen - 1;
71
72 switch (elem->data[0]) {
73 case WLAN_EID_EXT_HE_MU_EDCA:
74 if (params->mode < IEEE80211_CONN_MODE_HE)
75 break;
76 calc_crc = true;
77 if (len >= sizeof(*elems->mu_edca_param_set))
78 elems->mu_edca_param_set = data;
79 break;
80 case WLAN_EID_EXT_HE_CAPABILITY:
81 if (params->mode < IEEE80211_CONN_MODE_HE)
82 break;
83 if (ieee80211_he_capa_size_ok(data, len)) {
84 elems->he_cap = data;
85 elems->he_cap_len = len;
86 }
87 break;
88 case WLAN_EID_EXT_HE_OPERATION:
89 if (params->mode < IEEE80211_CONN_MODE_HE)
90 break;
91 calc_crc = true;
92 if (len >= sizeof(*elems->he_operation) &&
93 len >= ieee80211_he_oper_size(data) - 1)
94 elems->he_operation = data;
95 break;
96 case WLAN_EID_EXT_UORA:
97 if (params->mode < IEEE80211_CONN_MODE_HE)
98 break;
99 if (len >= 1)
100 elems->uora_element = data;
101 break;
102 case WLAN_EID_EXT_MAX_CHANNEL_SWITCH_TIME:
103 if (len == 3)
104 elems->max_channel_switch_time = data;
105 break;
106 case WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION:
107 if (len >= sizeof(*elems->mbssid_config_ie))
108 elems->mbssid_config_ie = data;
109 break;
110 case WLAN_EID_EXT_HE_SPR:
111 if (params->mode < IEEE80211_CONN_MODE_HE)
112 break;
113 if (len >= sizeof(*elems->he_spr) &&
114 len >= ieee80211_he_spr_size(data))
115 elems->he_spr = data;
116 break;
117 case WLAN_EID_EXT_HE_6GHZ_CAPA:
118 if (params->mode < IEEE80211_CONN_MODE_HE)
119 break;
120 if (len >= sizeof(*elems->he_6ghz_capa))
121 elems->he_6ghz_capa = data;
122 break;
123 case WLAN_EID_EXT_EHT_CAPABILITY:
124 if (params->mode < IEEE80211_CONN_MODE_EHT)
125 break;
126 if (ieee80211_eht_capa_size_ok(elems->he_cap,
127 data, len,
128 params->from_ap)) {
129 elems->eht_cap = data;
130 elems->eht_cap_len = len;
131 }
132 break;
133 case WLAN_EID_EXT_EHT_OPERATION:
134 if (params->mode < IEEE80211_CONN_MODE_EHT)
135 break;
136 if (ieee80211_eht_oper_size_ok(data, len))
137 elems->eht_operation = data;
138 calc_crc = true;
139 break;
140 case WLAN_EID_EXT_EHT_MULTI_LINK:
141 if (params->mode < IEEE80211_CONN_MODE_EHT)
142 break;
143 calc_crc = true;
144
145 if (ieee80211_mle_size_ok(data, len)) {
146 const struct ieee80211_multi_link_elem *mle =
147 (void *)data;
148
149 switch (le16_get_bits(mle->control,
150 IEEE80211_ML_CONTROL_TYPE)) {
151 case IEEE80211_ML_CONTROL_TYPE_BASIC:
152 if (elems_parse->ml_basic_elem) {
153 elems->parse_error |=
154 IEEE80211_PARSE_ERR_DUP_NEST_ML_BASIC;
155 break;
156 }
157 elems_parse->ml_basic_elem = elem;
158 break;
159 case IEEE80211_ML_CONTROL_TYPE_RECONF:
160 elems_parse->ml_reconf_elem = elem;
161 break;
162 default:
163 break;
164 }
165 }
166 break;
167 case WLAN_EID_EXT_BANDWIDTH_INDICATION:
168 if (params->mode < IEEE80211_CONN_MODE_EHT)
169 break;
170 if (ieee80211_bandwidth_indication_size_ok(data, len))
171 elems->bandwidth_indication = data;
172 calc_crc = true;
173 break;
174 case WLAN_EID_EXT_TID_TO_LINK_MAPPING:
175 if (params->mode < IEEE80211_CONN_MODE_EHT)
176 break;
177 calc_crc = true;
178 if (ieee80211_tid_to_link_map_size_ok(data, len) &&
179 elems->ttlm_num < ARRAY_SIZE(elems->ttlm)) {
180 elems->ttlm[elems->ttlm_num] = (void *)data;
181 elems->ttlm_num++;
182 }
183 break;
184 }
185
186 if (crc && calc_crc)
187 *crc = crc32_be(*crc, (void *)elem, elem->datalen + 2);
188}
189
190static u32
191_ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params,
192 struct ieee80211_elems_parse *elems_parse,
193 const struct element *check_inherit)
194{
195 struct ieee802_11_elems *elems = &elems_parse->elems;
196 const struct element *elem;
197 bool calc_crc = params->filter != 0;
198 DECLARE_BITMAP(seen_elems, 256);
199 u32 crc = params->crc;
200
201 bitmap_zero(seen_elems, 256);
202
203 for_each_element(elem, params->start, params->len) {
204 const struct element *subelem;
205 u8 elem_parse_failed;
206 u8 id = elem->id;
207 u8 elen = elem->datalen;
208 const u8 *pos = elem->data;
209
210 if (check_inherit &&
211 !cfg80211_is_element_inherited(elem,
212 check_inherit))
213 continue;
214
215 switch (id) {
216 case WLAN_EID_SSID:
217 case WLAN_EID_SUPP_RATES:
218 case WLAN_EID_FH_PARAMS:
219 case WLAN_EID_DS_PARAMS:
220 case WLAN_EID_CF_PARAMS:
221 case WLAN_EID_TIM:
222 case WLAN_EID_IBSS_PARAMS:
223 case WLAN_EID_CHALLENGE:
224 case WLAN_EID_RSN:
225 case WLAN_EID_ERP_INFO:
226 case WLAN_EID_EXT_SUPP_RATES:
227 case WLAN_EID_HT_CAPABILITY:
228 case WLAN_EID_HT_OPERATION:
229 case WLAN_EID_VHT_CAPABILITY:
230 case WLAN_EID_VHT_OPERATION:
231 case WLAN_EID_MESH_ID:
232 case WLAN_EID_MESH_CONFIG:
233 case WLAN_EID_PEER_MGMT:
234 case WLAN_EID_PREQ:
235 case WLAN_EID_PREP:
236 case WLAN_EID_PERR:
237 case WLAN_EID_RANN:
238 case WLAN_EID_CHANNEL_SWITCH:
239 case WLAN_EID_EXT_CHANSWITCH_ANN:
240 case WLAN_EID_COUNTRY:
241 case WLAN_EID_PWR_CONSTRAINT:
242 case WLAN_EID_TIMEOUT_INTERVAL:
243 case WLAN_EID_SECONDARY_CHANNEL_OFFSET:
244 case WLAN_EID_WIDE_BW_CHANNEL_SWITCH:
245 case WLAN_EID_CHAN_SWITCH_PARAM:
246 case WLAN_EID_EXT_CAPABILITY:
247 case WLAN_EID_CHAN_SWITCH_TIMING:
248 case WLAN_EID_LINK_ID:
249 case WLAN_EID_BSS_MAX_IDLE_PERIOD:
250 case WLAN_EID_RSNX:
251 case WLAN_EID_S1G_BCN_COMPAT:
252 case WLAN_EID_S1G_CAPABILITIES:
253 case WLAN_EID_S1G_OPERATION:
254 case WLAN_EID_AID_RESPONSE:
255 case WLAN_EID_S1G_SHORT_BCN_INTERVAL:
256 /*
257 * not listing WLAN_EID_CHANNEL_SWITCH_WRAPPER -- it seems possible
258 * that if the content gets bigger it might be needed more than once
259 */
260 if (test_bit(id, seen_elems)) {
261 elems->parse_error |=
262 IEEE80211_PARSE_ERR_DUP_ELEM;
263 continue;
264 }
265 break;
266 }
267
268 if (calc_crc && id < 64 && (params->filter & (1ULL << id)))
269 crc = crc32_be(crc, pos - 2, elen + 2);
270
271 elem_parse_failed = 0;
272
273 switch (id) {
274 case WLAN_EID_LINK_ID:
275 if (elen + 2 < sizeof(struct ieee80211_tdls_lnkie)) {
276 elem_parse_failed =
277 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
278 break;
279 }
280 elems->lnk_id = (void *)(pos - 2);
281 break;
282 case WLAN_EID_CHAN_SWITCH_TIMING:
283 if (elen < sizeof(struct ieee80211_ch_switch_timing)) {
284 elem_parse_failed =
285 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
286 break;
287 }
288 elems->ch_sw_timing = (void *)pos;
289 break;
290 case WLAN_EID_EXT_CAPABILITY:
291 elems->ext_capab = pos;
292 elems->ext_capab_len = elen;
293 break;
294 case WLAN_EID_SSID:
295 elems->ssid = pos;
296 elems->ssid_len = elen;
297 break;
298 case WLAN_EID_SUPP_RATES:
299 elems->supp_rates = pos;
300 elems->supp_rates_len = elen;
301 break;
302 case WLAN_EID_DS_PARAMS:
303 if (elen >= 1)
304 elems->ds_params = pos;
305 else
306 elem_parse_failed =
307 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
308 break;
309 case WLAN_EID_TIM:
310 if (elen >= sizeof(struct ieee80211_tim_ie)) {
311 elems->tim = (void *)pos;
312 elems->tim_len = elen;
313 } else
314 elem_parse_failed =
315 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
316 break;
317 case WLAN_EID_VENDOR_SPECIFIC:
318 if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 &&
319 pos[2] == 0xf2) {
320 /* Microsoft OUI (00:50:F2) */
321
322 if (calc_crc)
323 crc = crc32_be(crc, pos - 2, elen + 2);
324
325 if (elen >= 5 && pos[3] == 2) {
326 /* OUI Type 2 - WMM IE */
327 if (pos[4] == 0) {
328 elems->wmm_info = pos;
329 elems->wmm_info_len = elen;
330 } else if (pos[4] == 1) {
331 elems->wmm_param = pos;
332 elems->wmm_param_len = elen;
333 }
334 }
335 }
336 break;
337 case WLAN_EID_RSN:
338 elems->rsn = pos;
339 elems->rsn_len = elen;
340 break;
341 case WLAN_EID_ERP_INFO:
342 if (elen >= 1)
343 elems->erp_info = pos;
344 else
345 elem_parse_failed =
346 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
347 break;
348 case WLAN_EID_EXT_SUPP_RATES:
349 elems->ext_supp_rates = pos;
350 elems->ext_supp_rates_len = elen;
351 break;
352 case WLAN_EID_HT_CAPABILITY:
353 if (params->mode < IEEE80211_CONN_MODE_HT)
354 break;
355 if (elen >= sizeof(struct ieee80211_ht_cap))
356 elems->ht_cap_elem = (void *)pos;
357 else
358 elem_parse_failed =
359 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
360 break;
361 case WLAN_EID_HT_OPERATION:
362 if (params->mode < IEEE80211_CONN_MODE_HT)
363 break;
364 if (elen >= sizeof(struct ieee80211_ht_operation))
365 elems->ht_operation = (void *)pos;
366 else
367 elem_parse_failed =
368 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
369 break;
370 case WLAN_EID_VHT_CAPABILITY:
371 if (params->mode < IEEE80211_CONN_MODE_VHT)
372 break;
373 if (elen >= sizeof(struct ieee80211_vht_cap))
374 elems->vht_cap_elem = (void *)pos;
375 else
376 elem_parse_failed =
377 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
378 break;
379 case WLAN_EID_VHT_OPERATION:
380 if (params->mode < IEEE80211_CONN_MODE_VHT)
381 break;
382 if (elen >= sizeof(struct ieee80211_vht_operation)) {
383 elems->vht_operation = (void *)pos;
384 if (calc_crc)
385 crc = crc32_be(crc, pos - 2, elen + 2);
386 break;
387 }
388 elem_parse_failed =
389 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
390 break;
391 case WLAN_EID_OPMODE_NOTIF:
392 if (params->mode < IEEE80211_CONN_MODE_VHT)
393 break;
394 if (elen > 0) {
395 elems->opmode_notif = pos;
396 if (calc_crc)
397 crc = crc32_be(crc, pos - 2, elen + 2);
398 break;
399 }
400 elem_parse_failed =
401 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
402 break;
403 case WLAN_EID_MESH_ID:
404 elems->mesh_id = pos;
405 elems->mesh_id_len = elen;
406 break;
407 case WLAN_EID_MESH_CONFIG:
408 if (elen >= sizeof(struct ieee80211_meshconf_ie))
409 elems->mesh_config = (void *)pos;
410 else
411 elem_parse_failed =
412 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
413 break;
414 case WLAN_EID_PEER_MGMT:
415 elems->peering = pos;
416 elems->peering_len = elen;
417 break;
418 case WLAN_EID_MESH_AWAKE_WINDOW:
419 if (elen >= 2)
420 elems->awake_window = (void *)pos;
421 break;
422 case WLAN_EID_PREQ:
423 elems->preq = pos;
424 elems->preq_len = elen;
425 break;
426 case WLAN_EID_PREP:
427 elems->prep = pos;
428 elems->prep_len = elen;
429 break;
430 case WLAN_EID_PERR:
431 elems->perr = pos;
432 elems->perr_len = elen;
433 break;
434 case WLAN_EID_RANN:
435 if (elen >= sizeof(struct ieee80211_rann_ie))
436 elems->rann = (void *)pos;
437 else
438 elem_parse_failed =
439 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
440 break;
441 case WLAN_EID_CHANNEL_SWITCH:
442 if (elen != sizeof(struct ieee80211_channel_sw_ie)) {
443 elem_parse_failed =
444 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
445 break;
446 }
447 elems->ch_switch_ie = (void *)pos;
448 break;
449 case WLAN_EID_EXT_CHANSWITCH_ANN:
450 if (elen != sizeof(struct ieee80211_ext_chansw_ie)) {
451 elem_parse_failed =
452 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
453 break;
454 }
455 elems->ext_chansw_ie = (void *)pos;
456 break;
457 case WLAN_EID_SECONDARY_CHANNEL_OFFSET:
458 if (params->mode < IEEE80211_CONN_MODE_HT)
459 break;
460 if (elen != sizeof(struct ieee80211_sec_chan_offs_ie)) {
461 elem_parse_failed =
462 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
463 break;
464 }
465 elems->sec_chan_offs = (void *)pos;
466 break;
467 case WLAN_EID_CHAN_SWITCH_PARAM:
468 if (elen <
469 sizeof(*elems->mesh_chansw_params_ie)) {
470 elem_parse_failed =
471 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
472 break;
473 }
474 elems->mesh_chansw_params_ie = (void *)pos;
475 break;
476 case WLAN_EID_WIDE_BW_CHANNEL_SWITCH:
477 if (params->mode < IEEE80211_CONN_MODE_VHT)
478 break;
479
480 if (!params->action) {
481 elem_parse_failed =
482 IEEE80211_PARSE_ERR_UNEXPECTED_ELEM;
483 break;
484 }
485
486 if (elen < sizeof(*elems->wide_bw_chansw_ie)) {
487 elem_parse_failed =
488 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
489 break;
490 }
491 elems->wide_bw_chansw_ie = (void *)pos;
492 break;
493 case WLAN_EID_CHANNEL_SWITCH_WRAPPER:
494 if (params->mode < IEEE80211_CONN_MODE_VHT)
495 break;
496 if (params->action) {
497 elem_parse_failed =
498 IEEE80211_PARSE_ERR_UNEXPECTED_ELEM;
499 break;
500 }
501 /*
502 * This is a bit tricky, but as we only care about
503 * a few elements, parse them out manually.
504 */
505 subelem = cfg80211_find_elem(WLAN_EID_WIDE_BW_CHANNEL_SWITCH,
506 pos, elen);
507 if (subelem) {
508 if (subelem->datalen >= sizeof(*elems->wide_bw_chansw_ie))
509 elems->wide_bw_chansw_ie =
510 (void *)subelem->data;
511 else
512 elem_parse_failed =
513 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
514 }
515
516 if (params->mode < IEEE80211_CONN_MODE_EHT)
517 break;
518
519 subelem = cfg80211_find_ext_elem(WLAN_EID_EXT_BANDWIDTH_INDICATION,
520 pos, elen);
521 if (subelem) {
522 const void *edata = subelem->data + 1;
523 u8 edatalen = subelem->datalen - 1;
524
525 if (ieee80211_bandwidth_indication_size_ok(edata,
526 edatalen))
527 elems->bandwidth_indication = edata;
528 else
529 elem_parse_failed =
530 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
531 }
532 break;
533 case WLAN_EID_COUNTRY:
534 elems->country_elem = pos;
535 elems->country_elem_len = elen;
536 break;
537 case WLAN_EID_PWR_CONSTRAINT:
538 if (elen != 1) {
539 elem_parse_failed =
540 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
541 break;
542 }
543 elems->pwr_constr_elem = pos;
544 break;
545 case WLAN_EID_CISCO_VENDOR_SPECIFIC:
546 /* Lots of different options exist, but we only care
547 * about the Dynamic Transmit Power Control element.
548 * First check for the Cisco OUI, then for the DTPC
549 * tag (0x00).
550 */
551 if (elen < 4) {
552 elem_parse_failed =
553 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
554 break;
555 }
556
557 if (pos[0] != 0x00 || pos[1] != 0x40 ||
558 pos[2] != 0x96 || pos[3] != 0x00)
559 break;
560
561 if (elen != 6) {
562 elem_parse_failed =
563 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
564 break;
565 }
566
567 if (calc_crc)
568 crc = crc32_be(crc, pos - 2, elen + 2);
569
570 elems->cisco_dtpc_elem = pos;
571 break;
572 case WLAN_EID_ADDBA_EXT:
573 if (elen < sizeof(struct ieee80211_addba_ext_ie)) {
574 elem_parse_failed =
575 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
576 break;
577 }
578 elems->addba_ext_ie = (void *)pos;
579 break;
580 case WLAN_EID_TIMEOUT_INTERVAL:
581 if (elen >= sizeof(struct ieee80211_timeout_interval_ie))
582 elems->timeout_int = (void *)pos;
583 else
584 elem_parse_failed =
585 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
586 break;
587 case WLAN_EID_BSS_MAX_IDLE_PERIOD:
588 if (elen >= sizeof(*elems->max_idle_period_ie))
589 elems->max_idle_period_ie = (void *)pos;
590 break;
591 case WLAN_EID_RSNX:
592 elems->rsnx = pos;
593 elems->rsnx_len = elen;
594 break;
595 case WLAN_EID_TX_POWER_ENVELOPE:
596 if (elen < 1 ||
597 elen > sizeof(struct ieee80211_tx_pwr_env))
598 break;
599
600 if (elems->tx_pwr_env_num >= ARRAY_SIZE(elems->tx_pwr_env))
601 break;
602
603 elems->tx_pwr_env[elems->tx_pwr_env_num] = (void *)pos;
604 elems->tx_pwr_env_len[elems->tx_pwr_env_num] = elen;
605 elems->tx_pwr_env_num++;
606 break;
607 case WLAN_EID_EXTENSION:
608 ieee80211_parse_extension_element(calc_crc ?
609 &crc : NULL,
610 elem, elems_parse,
611 params);
612 break;
613 case WLAN_EID_S1G_CAPABILITIES:
614 if (params->mode != IEEE80211_CONN_MODE_S1G)
615 break;
616 if (elen >= sizeof(*elems->s1g_capab))
617 elems->s1g_capab = (void *)pos;
618 else
619 elem_parse_failed =
620 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
621 break;
622 case WLAN_EID_S1G_OPERATION:
623 if (params->mode != IEEE80211_CONN_MODE_S1G)
624 break;
625 if (elen == sizeof(*elems->s1g_oper))
626 elems->s1g_oper = (void *)pos;
627 else
628 elem_parse_failed =
629 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
630 break;
631 case WLAN_EID_S1G_BCN_COMPAT:
632 if (params->mode != IEEE80211_CONN_MODE_S1G)
633 break;
634 if (elen == sizeof(*elems->s1g_bcn_compat))
635 elems->s1g_bcn_compat = (void *)pos;
636 else
637 elem_parse_failed =
638 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
639 break;
640 case WLAN_EID_AID_RESPONSE:
641 if (params->mode != IEEE80211_CONN_MODE_S1G)
642 break;
643 if (elen == sizeof(struct ieee80211_aid_response_ie))
644 elems->aid_resp = (void *)pos;
645 else
646 elem_parse_failed =
647 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
648 break;
649 default:
650 break;
651 }
652
653 if (elem_parse_failed)
654 elems->parse_error |= elem_parse_failed;
655 else
656 __set_bit(id, seen_elems);
657 }
658
659 if (!for_each_element_completed(elem, params->start, params->len))
660 elems->parse_error |= IEEE80211_PARSE_ERR_INVALID_END;
661
662 return crc;
663}
664
665static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
666 struct ieee802_11_elems *elems,
667 struct cfg80211_bss *bss,
668 u8 *nontransmitted_profile)
669{
670 const struct element *elem, *sub;
671 size_t profile_len = 0;
672 bool found = false;
673
674 if (!bss || !bss->transmitted_bss)
675 return profile_len;
676
677 for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
678 if (elem->datalen < 2)
679 continue;
680 if (elem->data[0] < 1 || elem->data[0] > 8)
681 continue;
682
683 for_each_element(sub, elem->data + 1, elem->datalen - 1) {
684 u8 new_bssid[ETH_ALEN];
685 const u8 *index;
686
687 if (sub->id != 0 || sub->datalen < 4) {
688 /* not a valid BSS profile */
689 continue;
690 }
691
692 if (sub->data[0] != WLAN_EID_NON_TX_BSSID_CAP ||
693 sub->data[1] != 2) {
694 /* The first element of the
695 * Nontransmitted BSSID Profile is not
696 * the Nontransmitted BSSID Capability
697 * element.
698 */
699 continue;
700 }
701
702 memset(nontransmitted_profile, 0, len);
703 profile_len = cfg80211_merge_profile(start, len,
704 elem,
705 sub,
706 nontransmitted_profile,
707 len);
708
709 /* found a Nontransmitted BSSID Profile */
710 index = cfg80211_find_ie(WLAN_EID_MULTI_BSSID_IDX,
711 nontransmitted_profile,
712 profile_len);
713 if (!index || index[1] < 1 || index[2] == 0) {
714 /* Invalid MBSSID Index element */
715 continue;
716 }
717
718 cfg80211_gen_new_bssid(bss->transmitted_bss->bssid,
719 elem->data[0],
720 index[2],
721 new_bssid);
722 if (ether_addr_equal(new_bssid, bss->bssid)) {
723 found = true;
724 elems->bssid_index_len = index[1];
725 elems->bssid_index = (void *)&index[2];
726 break;
727 }
728 }
729 }
730
731 return found ? profile_len : 0;
732}
733
734static void
735ieee80211_mle_get_sta_prof(struct ieee80211_elems_parse *elems_parse,
736 u8 link_id)
737{
738 struct ieee802_11_elems *elems = &elems_parse->elems;
739 const struct ieee80211_multi_link_elem *ml = elems->ml_basic;
740 ssize_t ml_len = elems->ml_basic_len;
741 const struct element *sub;
742
743 for_each_mle_subelement(sub, (u8 *)ml, ml_len) {
744 struct ieee80211_mle_per_sta_profile *prof = (void *)sub->data;
745 ssize_t sta_prof_len;
746 u16 control;
747
748 if (sub->id != IEEE80211_MLE_SUBELEM_PER_STA_PROFILE)
749 continue;
750
751 if (!ieee80211_mle_basic_sta_prof_size_ok(sub->data,
752 sub->datalen))
753 return;
754
755 control = le16_to_cpu(prof->control);
756
757 if (link_id != u16_get_bits(control,
758 IEEE80211_MLE_STA_CONTROL_LINK_ID))
759 continue;
760
761 if (!(control & IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE))
762 return;
763
764 /* the sub element can be fragmented */
765 sta_prof_len =
766 cfg80211_defragment_element(sub,
767 (u8 *)ml, ml_len,
768 elems_parse->scratch_pos,
769 elems_parse->scratch +
770 elems_parse->scratch_len -
771 elems_parse->scratch_pos,
772 IEEE80211_MLE_SUBELEM_FRAGMENT);
773
774 if (sta_prof_len < 0)
775 return;
776
777 elems->prof = (void *)elems_parse->scratch_pos;
778 elems->sta_prof_len = sta_prof_len;
779 elems_parse->scratch_pos += sta_prof_len;
780
781 return;
782 }
783}
784
785static void ieee80211_mle_parse_link(struct ieee80211_elems_parse *elems_parse,
786 struct ieee80211_elems_parse_params *params)
787{
788 struct ieee802_11_elems *elems = &elems_parse->elems;
789 struct ieee80211_mle_per_sta_profile *prof;
790 struct ieee80211_elems_parse_params sub = {
791 .mode = params->mode,
792 .action = params->action,
793 .from_ap = params->from_ap,
794 .link_id = -1,
795 };
796 ssize_t ml_len = elems->ml_basic_len;
797 const struct element *non_inherit = NULL;
798 const u8 *end;
799
800 ml_len = cfg80211_defragment_element(elems_parse->ml_basic_elem,
801 elems->ie_start,
802 elems->total_len,
803 elems_parse->scratch_pos,
804 elems_parse->scratch +
805 elems_parse->scratch_len -
806 elems_parse->scratch_pos,
807 WLAN_EID_FRAGMENT);
808
809 if (ml_len < 0)
810 return;
811
812 elems->ml_basic = (const void *)elems_parse->scratch_pos;
813 elems->ml_basic_len = ml_len;
814 elems_parse->scratch_pos += ml_len;
815
816 if (params->link_id == -1)
817 return;
818
819 ieee80211_mle_get_sta_prof(elems_parse, params->link_id);
820 prof = elems->prof;
821
822 if (!prof)
823 return;
824
825 /* check if we have the 4 bytes for the fixed part in assoc response */
826 if (elems->sta_prof_len < sizeof(*prof) + prof->sta_info_len - 1 + 4) {
827 elems->prof = NULL;
828 elems->sta_prof_len = 0;
829 return;
830 }
831
832 /*
833 * Skip the capability information and the status code that are expected
834 * as part of the station profile in association response frames. Note
835 * the -1 is because the 'sta_info_len' is accounted to as part of the
836 * per-STA profile, but not part of the 'u8 variable[]' portion.
837 */
838 sub.start = prof->variable + prof->sta_info_len - 1 + 4;
839 end = (const u8 *)prof + elems->sta_prof_len;
840 sub.len = end - sub.start;
841
842 non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
843 sub.start, sub.len);
844 _ieee802_11_parse_elems_full(&sub, elems_parse, non_inherit);
845}
846
847static void
848ieee80211_mle_defrag_reconf(struct ieee80211_elems_parse *elems_parse)
849{
850 struct ieee802_11_elems *elems = &elems_parse->elems;
851 ssize_t ml_len;
852
853 ml_len = cfg80211_defragment_element(elems_parse->ml_reconf_elem,
854 elems->ie_start,
855 elems->total_len,
856 elems_parse->scratch_pos,
857 elems_parse->scratch +
858 elems_parse->scratch_len -
859 elems_parse->scratch_pos,
860 WLAN_EID_FRAGMENT);
861 if (ml_len < 0)
862 return;
863 elems->ml_reconf = (void *)elems_parse->scratch_pos;
864 elems->ml_reconf_len = ml_len;
865 elems_parse->scratch_pos += ml_len;
866}
867
868struct ieee802_11_elems *
869ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params)
870{
871 struct ieee80211_elems_parse *elems_parse;
872 struct ieee802_11_elems *elems;
873 const struct element *non_inherit = NULL;
874 u8 *nontransmitted_profile;
875 int nontransmitted_profile_len = 0;
876 size_t scratch_len = 3 * params->len;
877
878 BUILD_BUG_ON(offsetof(typeof(*elems_parse), elems) != 0);
879
880 elems_parse = kzalloc(struct_size(elems_parse, scratch, scratch_len),
881 GFP_ATOMIC);
882 if (!elems_parse)
883 return NULL;
884
885 elems_parse->scratch_len = scratch_len;
886 elems_parse->scratch_pos = elems_parse->scratch;
887
888 elems = &elems_parse->elems;
889 elems->ie_start = params->start;
890 elems->total_len = params->len;
891
892 nontransmitted_profile = elems_parse->scratch_pos;
893 nontransmitted_profile_len =
894 ieee802_11_find_bssid_profile(params->start, params->len,
895 elems, params->bss,
896 nontransmitted_profile);
897 elems_parse->scratch_pos += nontransmitted_profile_len;
898 non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
899 nontransmitted_profile,
900 nontransmitted_profile_len);
901
902 elems->crc = _ieee802_11_parse_elems_full(params, elems_parse,
903 non_inherit);
904
905 /* Override with nontransmitted profile, if found */
906 if (nontransmitted_profile_len) {
907 struct ieee80211_elems_parse_params sub = {
908 .mode = params->mode,
909 .start = nontransmitted_profile,
910 .len = nontransmitted_profile_len,
911 .action = params->action,
912 .link_id = params->link_id,
913 };
914
915 _ieee802_11_parse_elems_full(&sub, elems_parse, NULL);
916 }
917
918 ieee80211_mle_parse_link(elems_parse, params);
919
920 ieee80211_mle_defrag_reconf(elems_parse);
921
922 if (elems->tim && !elems->parse_error) {
923 const struct ieee80211_tim_ie *tim_ie = elems->tim;
924
925 elems->dtim_period = tim_ie->dtim_period;
926 elems->dtim_count = tim_ie->dtim_count;
927 }
928
929 /* Override DTIM period and count if needed */
930 if (elems->bssid_index &&
931 elems->bssid_index_len >=
932 offsetofend(struct ieee80211_bssid_index, dtim_period))
933 elems->dtim_period = elems->bssid_index->dtim_period;
934
935 if (elems->bssid_index &&
936 elems->bssid_index_len >=
937 offsetofend(struct ieee80211_bssid_index, dtim_count))
938 elems->dtim_count = elems->bssid_index->dtim_count;
939
940 return elems;
941}
942EXPORT_SYMBOL_IF_KUNIT(ieee802_11_parse_elems_full);
943
944int ieee80211_parse_bitrates(enum nl80211_chan_width width,
945 const struct ieee80211_supported_band *sband,
946 const u8 *srates, int srates_len, u32 *rates)
947{
948 u32 rate_flags = ieee80211_chanwidth_rate_flags(width);
949 struct ieee80211_rate *br;
950 int brate, rate, i, j, count = 0;
951
952 *rates = 0;
953
954 for (i = 0; i < srates_len; i++) {
955 rate = srates[i] & 0x7f;
956
957 for (j = 0; j < sband->n_bitrates; j++) {
958 br = &sband->bitrates[j];
959 if ((rate_flags & br->flags) != rate_flags)
960 continue;
961
962 brate = DIV_ROUND_UP(br->bitrate, 5);
963 if (brate == rate) {
964 *rates |= BIT(j);
965 count++;
966 break;
967 }
968 }
969 }
970 return count;
971}