| From: Felix Fietkau <nbd@nbd.name> |
| Date: Tue, 6 Dec 2022 11:15:02 +0100 |
| Subject: [PATCH] wifi: mac80211: fix receiving A-MSDU frames on mesh |
| interfaces |
| |
| The current mac80211 mesh A-MSDU receive path fails to parse A-MSDU packets |
| on mesh interfaces, because it assumes that the Mesh Control field is always |
| directly after the 802.11 header. |
| 802.11-2020 9.3.2.2.2 Figure 9-70 shows that the Mesh Control field is |
| actually part of the A-MSDU subframe header. |
| This makes more sense, since it allows packets for multiple different |
| destinations to be included in the same A-MSDU, as long as RA and TID are |
| still the same. |
| Another issue is the fact that the A-MSDU subframe length field was apparently |
| accidentally defined as little-endian in the standard. |
| |
| In order to fix this, the mesh forwarding path needs happen at a different |
| point in the receive path. |
| |
| ieee80211_data_to_8023_exthdr is changed to ignore the mesh control field |
| and leave it in after the ethernet header. This also affects the source/dest |
| MAC address fields, which now in the case of mesh point to the mesh SA/DA. |
| |
| ieee80211_amsdu_to_8023s is changed to deal with the endian difference and |
| to add the Mesh Control length to the subframe length, since it's not covered |
| by the MSDU length field. |
| |
| With these changes, the mac80211 will get the same packet structure for |
| converted regular data packets and unpacked A-MSDU subframes. |
| |
| The mesh forwarding checks are now only performed after the A-MSDU decap. |
| For locally received packets, the Mesh Control header is stripped away. |
| For forwarded packets, a new 802.11 header gets added. |
| |
| Signed-off-by: Felix Fietkau <nbd@nbd.name> |
| --- |
| |
| --- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c |
| +++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c |
| @@ -33,7 +33,7 @@ static int mwifiex_11n_dispatch_amsdu_pk |
| skb_trim(skb, le16_to_cpu(local_rx_pd->rx_pkt_length)); |
| |
| ieee80211_amsdu_to_8023s(skb, &list, priv->curr_addr, |
| - priv->wdev.iftype, 0, NULL, NULL); |
| + priv->wdev.iftype, 0, NULL, NULL, false); |
| |
| while (!skb_queue_empty(&list)) { |
| struct rx_packet_hdr *rx_hdr; |
| --- a/include/net/cfg80211.h |
| +++ b/include/net/cfg80211.h |
| @@ -6208,11 +6208,36 @@ static inline int ieee80211_data_to_8023 |
| * @extra_headroom: The hardware extra headroom for SKBs in the @list. |
| * @check_da: DA to check in the inner ethernet header, or NULL |
| * @check_sa: SA to check in the inner ethernet header, or NULL |
| + * @mesh_control: A-MSDU subframe header includes the mesh control field |
| */ |
| void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list, |
| const u8 *addr, enum nl80211_iftype iftype, |
| const unsigned int extra_headroom, |
| - const u8 *check_da, const u8 *check_sa); |
| + const u8 *check_da, const u8 *check_sa, |
| + bool mesh_control); |
| + |
| +/** |
| + * ieee80211_get_8023_tunnel_proto - get RFC1042 or bridge tunnel encap protocol |
| + * |
| + * Check for RFC1042 or bridge tunnel header and fetch the encapsulated |
| + * protocol. |
| + * |
| + * @hdr: pointer to the MSDU payload |
| + * @proto: destination pointer to store the protocol |
| + * Return: true if encapsulation was found |
| + */ |
| +bool ieee80211_get_8023_tunnel_proto(const void *hdr, __be16 *proto); |
| + |
| +/** |
| + * ieee80211_strip_8023_mesh_hdr - strip mesh header from converted 802.3 frames |
| + * |
| + * Strip the mesh header, which was left in by ieee80211_data_to_8023 as part |
| + * of the MSDU data. Also move any source/destination addresses from the mesh |
| + * header to the ethernet header (if present). |
| + * |
| + * @skb: The 802.3 frame with embedded mesh header |
| + */ |
| +int ieee80211_strip_8023_mesh_hdr(struct sk_buff *skb); |
| |
| /** |
| * cfg80211_classify8021d - determine the 802.1p/1d tag for a data frame |
| --- a/net/mac80211/rx.c |
| +++ b/net/mac80211/rx.c |
| @@ -2720,6 +2720,174 @@ ieee80211_deliver_skb(struct ieee80211_r |
| } |
| } |
| |
| +static ieee80211_rx_result |
| +ieee80211_rx_mesh_data(struct ieee80211_sub_if_data *sdata, struct sta_info *sta, |
| + struct sk_buff *skb) |
| +{ |
| +#ifdef CPTCFG_MAC80211_MESH |
| + struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh; |
| + struct ieee80211_local *local = sdata->local; |
| + uint16_t fc = IEEE80211_FTYPE_DATA | IEEE80211_STYPE_QOS_DATA; |
| + struct ieee80211_hdr hdr = { |
| + .frame_control = cpu_to_le16(fc) |
| + }; |
| + struct ieee80211_hdr *fwd_hdr; |
| + struct ieee80211s_hdr *mesh_hdr; |
| + struct ieee80211_tx_info *info; |
| + struct sk_buff *fwd_skb; |
| + struct ethhdr *eth; |
| + bool multicast; |
| + int tailroom = 0; |
| + int hdrlen, mesh_hdrlen; |
| + u8 *qos; |
| + |
| + if (!ieee80211_vif_is_mesh(&sdata->vif)) |
| + return RX_CONTINUE; |
| + |
| + if (!pskb_may_pull(skb, sizeof(*eth) + 6)) |
| + return RX_DROP_MONITOR; |
| + |
| + mesh_hdr = (struct ieee80211s_hdr *)(skb->data + sizeof(*eth)); |
| + mesh_hdrlen = ieee80211_get_mesh_hdrlen(mesh_hdr); |
| + |
| + if (!pskb_may_pull(skb, sizeof(*eth) + mesh_hdrlen)) |
| + return RX_DROP_MONITOR; |
| + |
| + eth = (struct ethhdr *)skb->data; |
| + multicast = is_multicast_ether_addr(eth->h_dest); |
| + |
| + mesh_hdr = (struct ieee80211s_hdr *)(eth + 1); |
| + if (!mesh_hdr->ttl) |
| + return RX_DROP_MONITOR; |
| + |
| + /* frame is in RMC, don't forward */ |
| + if (is_multicast_ether_addr(eth->h_dest) && |
| + mesh_rmc_check(sdata, eth->h_source, mesh_hdr)) |
| + return RX_DROP_MONITOR; |
| + |
| + /* Frame has reached destination. Don't forward */ |
| + if (ether_addr_equal(sdata->vif.addr, eth->h_dest)) |
| + goto rx_accept; |
| + |
| + if (!ifmsh->mshcfg.dot11MeshForwarding) { |
| + if (is_multicast_ether_addr(eth->h_dest)) |
| + goto rx_accept; |
| + |
| + return RX_DROP_MONITOR; |
| + } |
| + |
| + /* forward packet */ |
| + if (sdata->crypto_tx_tailroom_needed_cnt) |
| + tailroom = IEEE80211_ENCRYPT_TAILROOM; |
| + |
| + if (!--mesh_hdr->ttl) { |
| + if (multicast) |
| + goto rx_accept; |
| + |
| + IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl); |
| + return RX_DROP_MONITOR; |
| + } |
| + |
| + if (mesh_hdr->flags & MESH_FLAGS_AE) { |
| + struct mesh_path *mppath; |
| + char *proxied_addr; |
| + |
| + if (multicast) |
| + proxied_addr = mesh_hdr->eaddr1; |
| + else if ((mesh_hdr->flags & MESH_FLAGS_AE) == MESH_FLAGS_AE_A5_A6) |
| + /* has_a4 already checked in ieee80211_rx_mesh_check */ |
| + proxied_addr = mesh_hdr->eaddr2; |
| + else |
| + return RX_DROP_MONITOR; |
| + |
| + rcu_read_lock(); |
| + mppath = mpp_path_lookup(sdata, proxied_addr); |
| + if (!mppath) { |
| + mpp_path_add(sdata, proxied_addr, eth->h_source); |
| + } else { |
| + spin_lock_bh(&mppath->state_lock); |
| + if (!ether_addr_equal(mppath->mpp, eth->h_source)) |
| + memcpy(mppath->mpp, eth->h_source, ETH_ALEN); |
| + mppath->exp_time = jiffies; |
| + spin_unlock_bh(&mppath->state_lock); |
| + } |
| + rcu_read_unlock(); |
| + } |
| + |
| + skb_set_queue_mapping(skb, ieee802_1d_to_ac[skb->priority]); |
| + |
| + ieee80211_fill_mesh_addresses(&hdr, &hdr.frame_control, |
| + eth->h_dest, eth->h_source); |
| + hdrlen = ieee80211_hdrlen(hdr.frame_control); |
| + if (multicast) { |
| + int extra_head = sizeof(struct ieee80211_hdr) - sizeof(*eth); |
| + |
| + fwd_skb = skb_copy_expand(skb, local->tx_headroom + extra_head + |
| + IEEE80211_ENCRYPT_HEADROOM, |
| + tailroom, GFP_ATOMIC); |
| + if (!fwd_skb) |
| + goto rx_accept; |
| + } else { |
| + fwd_skb = skb; |
| + skb = NULL; |
| + |
| + if (skb_cow_head(fwd_skb, hdrlen - sizeof(struct ethhdr))) |
| + return RX_DROP_UNUSABLE; |
| + } |
| + |
| + fwd_hdr = skb_push(fwd_skb, hdrlen - sizeof(struct ethhdr)); |
| + memcpy(fwd_hdr, &hdr, hdrlen - 2); |
| + qos = ieee80211_get_qos_ctl(fwd_hdr); |
| + qos[0] = qos[1] = 0; |
| + |
| + skb_reset_mac_header(fwd_skb); |
| + hdrlen += mesh_hdrlen; |
| + if (ieee80211_get_8023_tunnel_proto(fwd_skb->data + hdrlen, |
| + &fwd_skb->protocol)) |
| + hdrlen += ETH_ALEN; |
| + else |
| + fwd_skb->protocol = htons(fwd_skb->len - hdrlen); |
| + skb_set_network_header(fwd_skb, hdrlen); |
| + |
| + info = IEEE80211_SKB_CB(fwd_skb); |
| + memset(info, 0, sizeof(*info)); |
| + info->control.flags |= IEEE80211_TX_INTCFL_NEED_TXPROCESSING; |
| + info->control.vif = &sdata->vif; |
| + info->control.jiffies = jiffies; |
| + if (multicast) { |
| + IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_mcast); |
| + memcpy(fwd_hdr->addr2, sdata->vif.addr, ETH_ALEN); |
| + /* update power mode indication when forwarding */ |
| + ieee80211_mps_set_frame_flags(sdata, NULL, fwd_hdr); |
| + } else if (!mesh_nexthop_lookup(sdata, fwd_skb)) { |
| + /* mesh power mode flags updated in mesh_nexthop_lookup */ |
| + IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_unicast); |
| + } else { |
| + /* unable to resolve next hop */ |
| + if (sta) |
| + mesh_path_error_tx(sdata, ifmsh->mshcfg.element_ttl, |
| + hdr.addr3, 0, |
| + WLAN_REASON_MESH_PATH_NOFORWARD, |
| + sta->sta.addr); |
| + IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_no_route); |
| + kfree_skb(fwd_skb); |
| + goto rx_accept; |
| + } |
| + |
| + IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_frames); |
| + fwd_skb->dev = sdata->dev; |
| + ieee80211_add_pending_skb(local, fwd_skb); |
| + |
| +rx_accept: |
| + if (!skb) |
| + return RX_QUEUED; |
| + |
| + ieee80211_strip_8023_mesh_hdr(skb); |
| +#endif |
| + |
| + return RX_CONTINUE; |
| +} |
| + |
| static ieee80211_rx_result debug_noinline |
| __ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx, u8 data_offset) |
| { |
| @@ -2728,8 +2896,10 @@ __ieee80211_rx_h_amsdu(struct ieee80211_ |
| struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; |
| __le16 fc = hdr->frame_control; |
| struct sk_buff_head frame_list; |
| + static ieee80211_rx_result res; |
| struct ethhdr ethhdr; |
| const u8 *check_da = ethhdr.h_dest, *check_sa = ethhdr.h_source; |
| + bool mesh = false; |
| |
| if (unlikely(ieee80211_has_a4(hdr->frame_control))) { |
| check_da = NULL; |
| @@ -2746,6 +2916,8 @@ __ieee80211_rx_h_amsdu(struct ieee80211_ |
| break; |
| case NL80211_IFTYPE_MESH_POINT: |
| check_sa = NULL; |
| + check_da = NULL; |
| + mesh = true; |
| break; |
| default: |
| break; |
| @@ -2763,17 +2935,29 @@ __ieee80211_rx_h_amsdu(struct ieee80211_ |
| ieee80211_amsdu_to_8023s(skb, &frame_list, dev->dev_addr, |
| rx->sdata->vif.type, |
| rx->local->hw.extra_tx_headroom, |
| - check_da, check_sa); |
| + check_da, check_sa, mesh); |
| |
| while (!skb_queue_empty(&frame_list)) { |
| rx->skb = __skb_dequeue(&frame_list); |
| |
| - if (!ieee80211_frame_allowed(rx, fc)) { |
| - dev_kfree_skb(rx->skb); |
| + res = ieee80211_rx_mesh_data(rx->sdata, rx->sta, rx->skb); |
| + switch (res) { |
| + case RX_QUEUED: |
| continue; |
| + case RX_CONTINUE: |
| + break; |
| + default: |
| + goto free; |
| } |
| |
| + if (!ieee80211_frame_allowed(rx, fc)) |
| + goto free; |
| + |
| ieee80211_deliver_skb(rx); |
| + continue; |
| + |
| +free: |
| + dev_kfree_skb(rx->skb); |
| } |
| |
| return RX_QUEUED; |
| @@ -2806,6 +2990,8 @@ ieee80211_rx_h_amsdu(struct ieee80211_rx |
| if (!rx->sdata->u.mgd.use_4addr) |
| return RX_DROP_UNUSABLE; |
| break; |
| + case NL80211_IFTYPE_MESH_POINT: |
| + break; |
| default: |
| return RX_DROP_UNUSABLE; |
| } |
| @@ -2834,155 +3020,6 @@ ieee80211_rx_h_amsdu(struct ieee80211_rx |
| return __ieee80211_rx_h_amsdu(rx, 0); |
| } |
| |
| -#ifdef CPTCFG_MAC80211_MESH |
| -static ieee80211_rx_result |
| -ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx) |
| -{ |
| - struct ieee80211_hdr *fwd_hdr, *hdr; |
| - struct ieee80211_tx_info *info; |
| - struct ieee80211s_hdr *mesh_hdr; |
| - struct sk_buff *skb = rx->skb, *fwd_skb; |
| - struct ieee80211_local *local = rx->local; |
| - struct ieee80211_sub_if_data *sdata = rx->sdata; |
| - struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh; |
| - u16 ac, q, hdrlen; |
| - int tailroom = 0; |
| - |
| - hdr = (struct ieee80211_hdr *) skb->data; |
| - hdrlen = ieee80211_hdrlen(hdr->frame_control); |
| - |
| - /* make sure fixed part of mesh header is there, also checks skb len */ |
| - if (!pskb_may_pull(rx->skb, hdrlen + 6)) |
| - return RX_DROP_MONITOR; |
| - |
| - mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen); |
| - |
| - /* make sure full mesh header is there, also checks skb len */ |
| - if (!pskb_may_pull(rx->skb, |
| - hdrlen + ieee80211_get_mesh_hdrlen(mesh_hdr))) |
| - return RX_DROP_MONITOR; |
| - |
| - /* reload pointers */ |
| - hdr = (struct ieee80211_hdr *) skb->data; |
| - mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen); |
| - |
| - if (ieee80211_drop_unencrypted(rx, hdr->frame_control)) { |
| - int offset = hdrlen + ieee80211_get_mesh_hdrlen(mesh_hdr) + |
| - sizeof(rfc1042_header); |
| - __be16 ethertype; |
| - |
| - if (!ether_addr_equal(hdr->addr1, rx->sdata->vif.addr) || |
| - skb_copy_bits(rx->skb, offset, ðertype, 2) != 0 || |
| - ethertype != rx->sdata->control_port_protocol) |
| - return RX_DROP_MONITOR; |
| - } |
| - |
| - /* frame is in RMC, don't forward */ |
| - if (ieee80211_is_data(hdr->frame_control) && |
| - is_multicast_ether_addr(hdr->addr1) && |
| - mesh_rmc_check(rx->sdata, hdr->addr3, mesh_hdr)) |
| - return RX_DROP_MONITOR; |
| - |
| - if (!ieee80211_is_data(hdr->frame_control)) |
| - return RX_CONTINUE; |
| - |
| - if (!mesh_hdr->ttl) |
| - return RX_DROP_MONITOR; |
| - |
| - if (mesh_hdr->flags & MESH_FLAGS_AE) { |
| - struct mesh_path *mppath; |
| - char *proxied_addr; |
| - char *mpp_addr; |
| - |
| - if (is_multicast_ether_addr(hdr->addr1)) { |
| - mpp_addr = hdr->addr3; |
| - proxied_addr = mesh_hdr->eaddr1; |
| - } else if ((mesh_hdr->flags & MESH_FLAGS_AE) == |
| - MESH_FLAGS_AE_A5_A6) { |
| - /* has_a4 already checked in ieee80211_rx_mesh_check */ |
| - mpp_addr = hdr->addr4; |
| - proxied_addr = mesh_hdr->eaddr2; |
| - } else { |
| - return RX_DROP_MONITOR; |
| - } |
| - |
| - rcu_read_lock(); |
| - mppath = mpp_path_lookup(sdata, proxied_addr); |
| - if (!mppath) { |
| - mpp_path_add(sdata, proxied_addr, mpp_addr); |
| - } else { |
| - spin_lock_bh(&mppath->state_lock); |
| - if (!ether_addr_equal(mppath->mpp, mpp_addr)) |
| - memcpy(mppath->mpp, mpp_addr, ETH_ALEN); |
| - mppath->exp_time = jiffies; |
| - spin_unlock_bh(&mppath->state_lock); |
| - } |
| - rcu_read_unlock(); |
| - } |
| - |
| - /* Frame has reached destination. Don't forward */ |
| - if (!is_multicast_ether_addr(hdr->addr1) && |
| - ether_addr_equal(sdata->vif.addr, hdr->addr3)) |
| - return RX_CONTINUE; |
| - |
| - ac = ieee802_1d_to_ac[skb->priority]; |
| - skb_set_queue_mapping(skb, ac); |
| - |
| - if (!--mesh_hdr->ttl) { |
| - if (!is_multicast_ether_addr(hdr->addr1)) |
| - IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, |
| - dropped_frames_ttl); |
| - goto out; |
| - } |
| - |
| - if (!ifmsh->mshcfg.dot11MeshForwarding) |
| - goto out; |
| - |
| - if (sdata->crypto_tx_tailroom_needed_cnt) |
| - tailroom = IEEE80211_ENCRYPT_TAILROOM; |
| - |
| - fwd_skb = skb_copy_expand(skb, local->tx_headroom + |
| - IEEE80211_ENCRYPT_HEADROOM, |
| - tailroom, GFP_ATOMIC); |
| - if (!fwd_skb) |
| - goto out; |
| - |
| - fwd_skb->dev = sdata->dev; |
| - fwd_hdr = (struct ieee80211_hdr *) fwd_skb->data; |
| - fwd_hdr->frame_control &= ~cpu_to_le16(IEEE80211_FCTL_RETRY); |
| - info = IEEE80211_SKB_CB(fwd_skb); |
| - memset(info, 0, sizeof(*info)); |
| - info->control.flags |= IEEE80211_TX_INTCFL_NEED_TXPROCESSING; |
| - info->control.vif = &rx->sdata->vif; |
| - info->control.jiffies = jiffies; |
| - if (is_multicast_ether_addr(fwd_hdr->addr1)) { |
| - IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_mcast); |
| - memcpy(fwd_hdr->addr2, sdata->vif.addr, ETH_ALEN); |
| - /* update power mode indication when forwarding */ |
| - ieee80211_mps_set_frame_flags(sdata, NULL, fwd_hdr); |
| - } else if (!mesh_nexthop_lookup(sdata, fwd_skb)) { |
| - /* mesh power mode flags updated in mesh_nexthop_lookup */ |
| - IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_unicast); |
| - } else { |
| - /* unable to resolve next hop */ |
| - mesh_path_error_tx(sdata, ifmsh->mshcfg.element_ttl, |
| - fwd_hdr->addr3, 0, |
| - WLAN_REASON_MESH_PATH_NOFORWARD, |
| - fwd_hdr->addr2); |
| - IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_no_route); |
| - kfree_skb(fwd_skb); |
| - return RX_DROP_MONITOR; |
| - } |
| - |
| - IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_frames); |
| - ieee80211_add_pending_skb(local, fwd_skb); |
| - out: |
| - if (is_multicast_ether_addr(hdr->addr1)) |
| - return RX_CONTINUE; |
| - return RX_DROP_MONITOR; |
| -} |
| -#endif |
| - |
| static ieee80211_rx_result debug_noinline |
| ieee80211_rx_h_data(struct ieee80211_rx_data *rx) |
| { |
| @@ -2991,6 +3028,7 @@ ieee80211_rx_h_data(struct ieee80211_rx_ |
| struct net_device *dev = sdata->dev; |
| struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; |
| __le16 fc = hdr->frame_control; |
| + static ieee80211_rx_result res; |
| bool port_control; |
| int err; |
| |
| @@ -3017,6 +3055,10 @@ ieee80211_rx_h_data(struct ieee80211_rx_ |
| if (unlikely(err)) |
| return RX_DROP_UNUSABLE; |
| |
| + res = ieee80211_rx_mesh_data(rx->sdata, rx->sta, rx->skb); |
| + if (res != RX_CONTINUE) |
| + return res; |
| + |
| if (!ieee80211_frame_allowed(rx, fc)) |
| return RX_DROP_MONITOR; |
| |
| @@ -3987,10 +4029,6 @@ static void ieee80211_rx_handlers(struct |
| CALL_RXH(ieee80211_rx_h_defragment); |
| CALL_RXH(ieee80211_rx_h_michael_mic_verify); |
| /* must be after MMIC verify so header is counted in MPDU mic */ |
| -#ifdef CPTCFG_MAC80211_MESH |
| - if (ieee80211_vif_is_mesh(&rx->sdata->vif)) |
| - CALL_RXH(ieee80211_rx_h_mesh_fwding); |
| -#endif |
| CALL_RXH(ieee80211_rx_h_amsdu); |
| CALL_RXH(ieee80211_rx_h_data); |
| |
| --- a/net/wireless/util.c |
| +++ b/net/wireless/util.c |
| @@ -542,7 +542,7 @@ unsigned int ieee80211_get_mesh_hdrlen(s |
| } |
| EXPORT_SYMBOL(ieee80211_get_mesh_hdrlen); |
| |
| -static bool ieee80211_get_8023_tunnel_proto(const void *hdr, __be16 *proto) |
| +bool ieee80211_get_8023_tunnel_proto(const void *hdr, __be16 *proto) |
| { |
| const __be16 *hdr_proto = hdr + ETH_ALEN; |
| |
| @@ -556,6 +556,49 @@ static bool ieee80211_get_8023_tunnel_pr |
| |
| return true; |
| } |
| +EXPORT_SYMBOL(ieee80211_get_8023_tunnel_proto); |
| + |
| +int ieee80211_strip_8023_mesh_hdr(struct sk_buff *skb) |
| +{ |
| + const void *mesh_addr; |
| + struct { |
| + struct ethhdr eth; |
| + u8 flags; |
| + } payload; |
| + int hdrlen; |
| + int ret; |
| + |
| + ret = skb_copy_bits(skb, 0, &payload, sizeof(payload)); |
| + if (ret) |
| + return ret; |
| + |
| + hdrlen = sizeof(payload.eth) + __ieee80211_get_mesh_hdrlen(payload.flags); |
| + |
| + if (likely(pskb_may_pull(skb, hdrlen + 8) && |
| + ieee80211_get_8023_tunnel_proto(skb->data + hdrlen, |
| + &payload.eth.h_proto))) |
| + hdrlen += ETH_ALEN + 2; |
| + else if (!pskb_may_pull(skb, hdrlen)) |
| + return -EINVAL; |
| + |
| + mesh_addr = skb->data + sizeof(payload.eth) + ETH_ALEN; |
| + switch (payload.flags & MESH_FLAGS_AE) { |
| + case MESH_FLAGS_AE_A4: |
| + memcpy(&payload.eth.h_source, mesh_addr, ETH_ALEN); |
| + break; |
| + case MESH_FLAGS_AE_A5_A6: |
| + memcpy(&payload.eth.h_dest, mesh_addr, 2 * ETH_ALEN); |
| + break; |
| + default: |
| + break; |
| + } |
| + |
| + pskb_pull(skb, hdrlen - sizeof(payload.eth)); |
| + memcpy(skb->data, &payload.eth, sizeof(payload.eth)); |
| + |
| + return 0; |
| +} |
| +EXPORT_SYMBOL(ieee80211_strip_8023_mesh_hdr); |
| |
| int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr, |
| const u8 *addr, enum nl80211_iftype iftype, |
| @@ -568,7 +611,6 @@ int ieee80211_data_to_8023_exthdr(struct |
| } payload; |
| struct ethhdr tmp; |
| u16 hdrlen; |
| - u8 mesh_flags = 0; |
| |
| if (unlikely(!ieee80211_is_data_present(hdr->frame_control))) |
| return -1; |
| @@ -589,12 +631,6 @@ int ieee80211_data_to_8023_exthdr(struct |
| memcpy(tmp.h_dest, ieee80211_get_DA(hdr), ETH_ALEN); |
| memcpy(tmp.h_source, ieee80211_get_SA(hdr), ETH_ALEN); |
| |
| - if (iftype == NL80211_IFTYPE_MESH_POINT && |
| - skb_copy_bits(skb, hdrlen, &mesh_flags, 1) < 0) |
| - return -1; |
| - |
| - mesh_flags &= MESH_FLAGS_AE; |
| - |
| switch (hdr->frame_control & |
| cpu_to_le16(IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) { |
| case cpu_to_le16(IEEE80211_FCTL_TODS): |
| @@ -608,17 +644,6 @@ int ieee80211_data_to_8023_exthdr(struct |
| iftype != NL80211_IFTYPE_AP_VLAN && |
| iftype != NL80211_IFTYPE_STATION)) |
| return -1; |
| - if (iftype == NL80211_IFTYPE_MESH_POINT) { |
| - if (mesh_flags == MESH_FLAGS_AE_A4) |
| - return -1; |
| - if (mesh_flags == MESH_FLAGS_AE_A5_A6 && |
| - skb_copy_bits(skb, hdrlen + |
| - offsetof(struct ieee80211s_hdr, eaddr1), |
| - tmp.h_dest, 2 * ETH_ALEN) < 0) |
| - return -1; |
| - |
| - hdrlen += __ieee80211_get_mesh_hdrlen(mesh_flags); |
| - } |
| break; |
| case cpu_to_le16(IEEE80211_FCTL_FROMDS): |
| if ((iftype != NL80211_IFTYPE_STATION && |
| @@ -627,16 +652,6 @@ int ieee80211_data_to_8023_exthdr(struct |
| (is_multicast_ether_addr(tmp.h_dest) && |
| ether_addr_equal(tmp.h_source, addr))) |
| return -1; |
| - if (iftype == NL80211_IFTYPE_MESH_POINT) { |
| - if (mesh_flags == MESH_FLAGS_AE_A5_A6) |
| - return -1; |
| - if (mesh_flags == MESH_FLAGS_AE_A4 && |
| - skb_copy_bits(skb, hdrlen + |
| - offsetof(struct ieee80211s_hdr, eaddr1), |
| - tmp.h_source, ETH_ALEN) < 0) |
| - return -1; |
| - hdrlen += __ieee80211_get_mesh_hdrlen(mesh_flags); |
| - } |
| break; |
| case cpu_to_le16(0): |
| if (iftype != NL80211_IFTYPE_ADHOC && |
| @@ -646,7 +661,7 @@ int ieee80211_data_to_8023_exthdr(struct |
| break; |
| } |
| |
| - if (likely(!is_amsdu && |
| + if (likely(!is_amsdu && iftype != NL80211_IFTYPE_MESH_POINT && |
| skb_copy_bits(skb, hdrlen, &payload, sizeof(payload)) == 0 && |
| ieee80211_get_8023_tunnel_proto(&payload, &tmp.h_proto))) { |
| /* remove RFC1042 or Bridge-Tunnel encapsulation */ |
| @@ -722,7 +737,8 @@ __ieee80211_amsdu_copy_frag(struct sk_bu |
| |
| static struct sk_buff * |
| __ieee80211_amsdu_copy(struct sk_buff *skb, unsigned int hlen, |
| - int offset, int len, bool reuse_frag) |
| + int offset, int len, bool reuse_frag, |
| + int min_len) |
| { |
| struct sk_buff *frame; |
| int cur_len = len; |
| @@ -736,7 +752,7 @@ __ieee80211_amsdu_copy(struct sk_buff *s |
| * in the stack later. |
| */ |
| if (reuse_frag) |
| - cur_len = min_t(int, len, 32); |
| + cur_len = min_t(int, len, min_len); |
| |
| /* |
| * Allocate and reserve two bytes more for payload |
| @@ -746,6 +762,7 @@ __ieee80211_amsdu_copy(struct sk_buff *s |
| if (!frame) |
| return NULL; |
| |
| + frame->priority = skb->priority; |
| skb_reserve(frame, hlen + sizeof(struct ethhdr) + 2); |
| skb_copy_bits(skb, offset, skb_put(frame, cur_len), cur_len); |
| |
| @@ -762,23 +779,37 @@ __ieee80211_amsdu_copy(struct sk_buff *s |
| void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list, |
| const u8 *addr, enum nl80211_iftype iftype, |
| const unsigned int extra_headroom, |
| - const u8 *check_da, const u8 *check_sa) |
| + const u8 *check_da, const u8 *check_sa, |
| + bool mesh_control) |
| { |
| unsigned int hlen = ALIGN(extra_headroom, 4); |
| struct sk_buff *frame = NULL; |
| int offset = 0, remaining; |
| - struct ethhdr eth; |
| + struct { |
| + struct ethhdr eth; |
| + uint8_t flags; |
| + } hdr; |
| bool reuse_frag = skb->head_frag && !skb_has_frag_list(skb); |
| bool reuse_skb = false; |
| bool last = false; |
| + int copy_len = sizeof(hdr.eth); |
| + |
| + if (iftype == NL80211_IFTYPE_MESH_POINT) |
| + copy_len = sizeof(hdr); |
| |
| while (!last) { |
| unsigned int subframe_len; |
| - int len; |
| + int len, mesh_len = 0; |
| u8 padding; |
| |
| - skb_copy_bits(skb, offset, ð, sizeof(eth)); |
| - len = ntohs(eth.h_proto); |
| + skb_copy_bits(skb, offset, &hdr, copy_len); |
| + if (iftype == NL80211_IFTYPE_MESH_POINT) |
| + mesh_len = __ieee80211_get_mesh_hdrlen(hdr.flags); |
| + if (mesh_control) |
| + len = le16_to_cpu(*(__le16 *)&hdr.eth.h_proto) + mesh_len; |
| + else |
| + len = ntohs(hdr.eth.h_proto); |
| + |
| subframe_len = sizeof(struct ethhdr) + len; |
| padding = (4 - subframe_len) & 0x3; |
| |
| @@ -787,16 +818,16 @@ void ieee80211_amsdu_to_8023s(struct sk_ |
| if (subframe_len > remaining) |
| goto purge; |
| /* mitigate A-MSDU aggregation injection attacks */ |
| - if (ether_addr_equal(eth.h_dest, rfc1042_header)) |
| + if (ether_addr_equal(hdr.eth.h_dest, rfc1042_header)) |
| goto purge; |
| |
| offset += sizeof(struct ethhdr); |
| last = remaining <= subframe_len + padding; |
| |
| /* FIXME: should we really accept multicast DA? */ |
| - if ((check_da && !is_multicast_ether_addr(eth.h_dest) && |
| - !ether_addr_equal(check_da, eth.h_dest)) || |
| - (check_sa && !ether_addr_equal(check_sa, eth.h_source))) { |
| + if ((check_da && !is_multicast_ether_addr(hdr.eth.h_dest) && |
| + !ether_addr_equal(check_da, hdr.eth.h_dest)) || |
| + (check_sa && !ether_addr_equal(check_sa, hdr.eth.h_source))) { |
| offset += len + padding; |
| continue; |
| } |
| @@ -808,7 +839,7 @@ void ieee80211_amsdu_to_8023s(struct sk_ |
| reuse_skb = true; |
| } else { |
| frame = __ieee80211_amsdu_copy(skb, hlen, offset, len, |
| - reuse_frag); |
| + reuse_frag, 32 + mesh_len); |
| if (!frame) |
| goto purge; |
| |
| @@ -819,10 +850,11 @@ void ieee80211_amsdu_to_8023s(struct sk_ |
| frame->dev = skb->dev; |
| frame->priority = skb->priority; |
| |
| - if (likely(ieee80211_get_8023_tunnel_proto(frame->data, ð.h_proto))) |
| + if (likely(iftype != NL80211_IFTYPE_MESH_POINT && |
| + ieee80211_get_8023_tunnel_proto(frame->data, &hdr.eth.h_proto))) |
| skb_pull(frame, ETH_ALEN + 2); |
| |
| - memcpy(skb_push(frame, sizeof(eth)), ð, sizeof(eth)); |
| + memcpy(skb_push(frame, sizeof(hdr.eth)), &hdr.eth, sizeof(hdr.eth)); |
| __skb_queue_tail(list, frame); |
| } |
| |