• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 #include <linux/etherdevice.h>
2 #include <linux/slab.h>
3 #include <linux/export.h>
4 #include <net/lib80211.h>
5 #include <linux/if_arp.h>
6 
7 #include "hostap_80211.h"
8 #include "hostap.h"
9 #include "hostap_ap.h"
10 
11 /* See IEEE 802.1H for LLC/SNAP encapsulation/decapsulation */
12 /* Ethernet-II snap header (RFC1042 for most EtherTypes) */
13 static unsigned char rfc1042_header[] =
14 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };
15 /* Bridge-Tunnel header (for EtherTypes ETH_P_AARP and ETH_P_IPX) */
16 static unsigned char bridge_tunnel_header[] =
17 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0xf8 };
18 /* No encapsulation header if EtherType < 0x600 (=length) */
19 
hostap_dump_rx_80211(const char * name,struct sk_buff * skb,struct hostap_80211_rx_status * rx_stats)20 void hostap_dump_rx_80211(const char *name, struct sk_buff *skb,
21 			  struct hostap_80211_rx_status *rx_stats)
22 {
23 	struct ieee80211_hdr *hdr;
24 	u16 fc;
25 
26 	hdr = (struct ieee80211_hdr *) skb->data;
27 
28 	printk(KERN_DEBUG "%s: RX signal=%d noise=%d rate=%d len=%d "
29 	       "jiffies=%ld\n",
30 	       name, rx_stats->signal, rx_stats->noise, rx_stats->rate,
31 	       skb->len, jiffies);
32 
33 	if (skb->len < 2)
34 		return;
35 
36 	fc = le16_to_cpu(hdr->frame_control);
37 	printk(KERN_DEBUG "   FC=0x%04x (type=%d:%d)%s%s",
38 	       fc, (fc & IEEE80211_FCTL_FTYPE) >> 2,
39 	       (fc & IEEE80211_FCTL_STYPE) >> 4,
40 	       fc & IEEE80211_FCTL_TODS ? " [ToDS]" : "",
41 	       fc & IEEE80211_FCTL_FROMDS ? " [FromDS]" : "");
42 
43 	if (skb->len < IEEE80211_DATA_HDR3_LEN) {
44 		printk("\n");
45 		return;
46 	}
47 
48 	printk(" dur=0x%04x seq=0x%04x\n", le16_to_cpu(hdr->duration_id),
49 	       le16_to_cpu(hdr->seq_ctrl));
50 
51 	printk(KERN_DEBUG "   A1=%pM", hdr->addr1);
52 	printk(" A2=%pM", hdr->addr2);
53 	printk(" A3=%pM", hdr->addr3);
54 	if (skb->len >= 30)
55 		printk(" A4=%pM", hdr->addr4);
56 	printk("\n");
57 }
58 
59 
60 /* Send RX frame to netif with 802.11 (and possible prism) header.
61  * Called from hardware or software IRQ context. */
prism2_rx_80211(struct net_device * dev,struct sk_buff * skb,struct hostap_80211_rx_status * rx_stats,int type)62 int prism2_rx_80211(struct net_device *dev, struct sk_buff *skb,
63 		    struct hostap_80211_rx_status *rx_stats, int type)
64 {
65 	struct hostap_interface *iface;
66 	local_info_t *local;
67 	int hdrlen, phdrlen, head_need, tail_need;
68 	u16 fc;
69 	int prism_header, ret;
70 	struct ieee80211_hdr *fhdr;
71 
72 	iface = netdev_priv(dev);
73 	local = iface->local;
74 
75 	if (dev->type == ARPHRD_IEEE80211_PRISM) {
76 		if (local->monitor_type == PRISM2_MONITOR_PRISM) {
77 			prism_header = 1;
78 			phdrlen = sizeof(struct linux_wlan_ng_prism_hdr);
79 		} else { /* local->monitor_type == PRISM2_MONITOR_CAPHDR */
80 			prism_header = 2;
81 			phdrlen = sizeof(struct linux_wlan_ng_cap_hdr);
82 		}
83 	} else if (dev->type == ARPHRD_IEEE80211_RADIOTAP) {
84 		prism_header = 3;
85 		phdrlen = sizeof(struct hostap_radiotap_rx);
86 	} else {
87 		prism_header = 0;
88 		phdrlen = 0;
89 	}
90 
91 	fhdr = (struct ieee80211_hdr *) skb->data;
92 	fc = le16_to_cpu(fhdr->frame_control);
93 
94 	if (type == PRISM2_RX_MGMT && (fc & IEEE80211_FCTL_VERS)) {
95 		printk(KERN_DEBUG "%s: dropped management frame with header "
96 		       "version %d\n", dev->name, fc & IEEE80211_FCTL_VERS);
97 		dev_kfree_skb_any(skb);
98 		return 0;
99 	}
100 
101 	hdrlen = hostap_80211_get_hdrlen(fhdr->frame_control);
102 
103 	/* check if there is enough room for extra data; if not, expand skb
104 	 * buffer to be large enough for the changes */
105 	head_need = phdrlen;
106 	tail_need = 0;
107 #ifdef PRISM2_ADD_BOGUS_CRC
108 	tail_need += 4;
109 #endif /* PRISM2_ADD_BOGUS_CRC */
110 
111 	head_need -= skb_headroom(skb);
112 	tail_need -= skb_tailroom(skb);
113 
114 	if (head_need > 0 || tail_need > 0) {
115 		if (pskb_expand_head(skb, head_need > 0 ? head_need : 0,
116 				     tail_need > 0 ? tail_need : 0,
117 				     GFP_ATOMIC)) {
118 			printk(KERN_DEBUG "%s: prism2_rx_80211 failed to "
119 			       "reallocate skb buffer\n", dev->name);
120 			dev_kfree_skb_any(skb);
121 			return 0;
122 		}
123 	}
124 
125 	/* We now have an skb with enough head and tail room, so just insert
126 	 * the extra data */
127 
128 #ifdef PRISM2_ADD_BOGUS_CRC
129 	memset(skb_put(skb, 4), 0xff, 4); /* Prism2 strips CRC */
130 #endif /* PRISM2_ADD_BOGUS_CRC */
131 
132 	if (prism_header == 1) {
133 		struct linux_wlan_ng_prism_hdr *hdr;
134 		hdr = (struct linux_wlan_ng_prism_hdr *)
135 			skb_push(skb, phdrlen);
136 		memset(hdr, 0, phdrlen);
137 		hdr->msgcode = LWNG_CAP_DID_BASE;
138 		hdr->msglen = sizeof(*hdr);
139 		memcpy(hdr->devname, dev->name, sizeof(hdr->devname));
140 #define LWNG_SETVAL(f,i,s,l,d) \
141 hdr->f.did = LWNG_CAP_DID_BASE | (i << 12); \
142 hdr->f.status = s; hdr->f.len = l; hdr->f.data = d
143 		LWNG_SETVAL(hosttime, 1, 0, 4, jiffies);
144 		LWNG_SETVAL(mactime, 2, 0, 4, rx_stats->mac_time);
145 		LWNG_SETVAL(channel, 3, 1 /* no value */, 4, 0);
146 		LWNG_SETVAL(rssi, 4, 1 /* no value */, 4, 0);
147 		LWNG_SETVAL(sq, 5, 1 /* no value */, 4, 0);
148 		LWNG_SETVAL(signal, 6, 0, 4, rx_stats->signal);
149 		LWNG_SETVAL(noise, 7, 0, 4, rx_stats->noise);
150 		LWNG_SETVAL(rate, 8, 0, 4, rx_stats->rate / 5);
151 		LWNG_SETVAL(istx, 9, 0, 4, 0);
152 		LWNG_SETVAL(frmlen, 10, 0, 4, skb->len - phdrlen);
153 #undef LWNG_SETVAL
154 	} else if (prism_header == 2) {
155 		struct linux_wlan_ng_cap_hdr *hdr;
156 		hdr = (struct linux_wlan_ng_cap_hdr *)
157 			skb_push(skb, phdrlen);
158 		memset(hdr, 0, phdrlen);
159 		hdr->version    = htonl(LWNG_CAPHDR_VERSION);
160 		hdr->length     = htonl(phdrlen);
161 		hdr->mactime    = __cpu_to_be64(rx_stats->mac_time);
162 		hdr->hosttime   = __cpu_to_be64(jiffies);
163 		hdr->phytype    = htonl(4); /* dss_dot11_b */
164 		hdr->channel    = htonl(local->channel);
165 		hdr->datarate   = htonl(rx_stats->rate);
166 		hdr->antenna    = htonl(0); /* unknown */
167 		hdr->priority   = htonl(0); /* unknown */
168 		hdr->ssi_type   = htonl(3); /* raw */
169 		hdr->ssi_signal = htonl(rx_stats->signal);
170 		hdr->ssi_noise  = htonl(rx_stats->noise);
171 		hdr->preamble   = htonl(0); /* unknown */
172 		hdr->encoding   = htonl(1); /* cck */
173 	} else if (prism_header == 3) {
174 		struct hostap_radiotap_rx *hdr;
175 		hdr = (struct hostap_radiotap_rx *)skb_push(skb, phdrlen);
176 		memset(hdr, 0, phdrlen);
177 		hdr->hdr.it_len = cpu_to_le16(phdrlen);
178 		hdr->hdr.it_present =
179 			cpu_to_le32((1 << IEEE80211_RADIOTAP_TSFT) |
180 				    (1 << IEEE80211_RADIOTAP_CHANNEL) |
181 				    (1 << IEEE80211_RADIOTAP_RATE) |
182 				    (1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL) |
183 				    (1 << IEEE80211_RADIOTAP_DBM_ANTNOISE));
184 		hdr->tsft = cpu_to_le64(rx_stats->mac_time);
185 		hdr->chan_freq = cpu_to_le16(freq_list[local->channel - 1]);
186 		hdr->chan_flags = cpu_to_le16(IEEE80211_CHAN_CCK |
187 						 IEEE80211_CHAN_2GHZ);
188 		hdr->rate = rx_stats->rate / 5;
189 		hdr->dbm_antsignal = rx_stats->signal;
190 		hdr->dbm_antnoise = rx_stats->noise;
191 	}
192 
193 	ret = skb->len - phdrlen;
194 	skb->dev = dev;
195 	skb_reset_mac_header(skb);
196 	skb_pull(skb, hdrlen);
197 	if (prism_header)
198 		skb_pull(skb, phdrlen);
199 	skb->pkt_type = PACKET_OTHERHOST;
200 	skb->protocol = cpu_to_be16(ETH_P_802_2);
201 	memset(skb->cb, 0, sizeof(skb->cb));
202 	netif_rx(skb);
203 
204 	return ret;
205 }
206 
207 
208 /* Called only as a tasklet (software IRQ) */
monitor_rx(struct net_device * dev,struct sk_buff * skb,struct hostap_80211_rx_status * rx_stats)209 static void monitor_rx(struct net_device *dev, struct sk_buff *skb,
210 		       struct hostap_80211_rx_status *rx_stats)
211 {
212 	int len;
213 
214 	len = prism2_rx_80211(dev, skb, rx_stats, PRISM2_RX_MONITOR);
215 	dev->stats.rx_packets++;
216 	dev->stats.rx_bytes += len;
217 }
218 
219 
220 /* Called only as a tasklet (software IRQ) */
221 static struct prism2_frag_entry *
prism2_frag_cache_find(local_info_t * local,unsigned int seq,unsigned int frag,u8 * src,u8 * dst)222 prism2_frag_cache_find(local_info_t *local, unsigned int seq,
223 		       unsigned int frag, u8 *src, u8 *dst)
224 {
225 	struct prism2_frag_entry *entry;
226 	int i;
227 
228 	for (i = 0; i < PRISM2_FRAG_CACHE_LEN; i++) {
229 		entry = &local->frag_cache[i];
230 		if (entry->skb != NULL &&
231 		    time_after(jiffies, entry->first_frag_time + 2 * HZ)) {
232 			printk(KERN_DEBUG "%s: expiring fragment cache entry "
233 			       "seq=%u last_frag=%u\n",
234 			       local->dev->name, entry->seq, entry->last_frag);
235 			dev_kfree_skb(entry->skb);
236 			entry->skb = NULL;
237 		}
238 
239 		if (entry->skb != NULL && entry->seq == seq &&
240 		    (entry->last_frag + 1 == frag || frag == -1) &&
241 		    memcmp(entry->src_addr, src, ETH_ALEN) == 0 &&
242 		    memcmp(entry->dst_addr, dst, ETH_ALEN) == 0)
243 			return entry;
244 	}
245 
246 	return NULL;
247 }
248 
249 
250 /* Called only as a tasklet (software IRQ) */
251 static struct sk_buff *
prism2_frag_cache_get(local_info_t * local,struct ieee80211_hdr * hdr)252 prism2_frag_cache_get(local_info_t *local, struct ieee80211_hdr *hdr)
253 {
254 	struct sk_buff *skb = NULL;
255 	u16 sc;
256 	unsigned int frag, seq;
257 	struct prism2_frag_entry *entry;
258 
259 	sc = le16_to_cpu(hdr->seq_ctrl);
260 	frag = sc & IEEE80211_SCTL_FRAG;
261 	seq = (sc & IEEE80211_SCTL_SEQ) >> 4;
262 
263 	if (frag == 0) {
264 		/* Reserve enough space to fit maximum frame length */
265 		skb = dev_alloc_skb(local->dev->mtu +
266 				    sizeof(struct ieee80211_hdr) +
267 				    8 /* LLC */ +
268 				    2 /* alignment */ +
269 				    8 /* WEP */ + ETH_ALEN /* WDS */);
270 		if (skb == NULL)
271 			return NULL;
272 
273 		entry = &local->frag_cache[local->frag_next_idx];
274 		local->frag_next_idx++;
275 		if (local->frag_next_idx >= PRISM2_FRAG_CACHE_LEN)
276 			local->frag_next_idx = 0;
277 
278 		if (entry->skb != NULL)
279 			dev_kfree_skb(entry->skb);
280 
281 		entry->first_frag_time = jiffies;
282 		entry->seq = seq;
283 		entry->last_frag = frag;
284 		entry->skb = skb;
285 		memcpy(entry->src_addr, hdr->addr2, ETH_ALEN);
286 		memcpy(entry->dst_addr, hdr->addr1, ETH_ALEN);
287 	} else {
288 		/* received a fragment of a frame for which the head fragment
289 		 * should have already been received */
290 		entry = prism2_frag_cache_find(local, seq, frag, hdr->addr2,
291 					       hdr->addr1);
292 		if (entry != NULL) {
293 			entry->last_frag = frag;
294 			skb = entry->skb;
295 		}
296 	}
297 
298 	return skb;
299 }
300 
301 
302 /* Called only as a tasklet (software IRQ) */
prism2_frag_cache_invalidate(local_info_t * local,struct ieee80211_hdr * hdr)303 static int prism2_frag_cache_invalidate(local_info_t *local,
304 					struct ieee80211_hdr *hdr)
305 {
306 	u16 sc;
307 	unsigned int seq;
308 	struct prism2_frag_entry *entry;
309 
310 	sc = le16_to_cpu(hdr->seq_ctrl);
311 	seq = (sc & IEEE80211_SCTL_SEQ) >> 4;
312 
313 	entry = prism2_frag_cache_find(local, seq, -1, hdr->addr2, hdr->addr1);
314 
315 	if (entry == NULL) {
316 		printk(KERN_DEBUG "%s: could not invalidate fragment cache "
317 		       "entry (seq=%u)\n",
318 		       local->dev->name, seq);
319 		return -1;
320 	}
321 
322 	entry->skb = NULL;
323 	return 0;
324 }
325 
326 
__hostap_get_bss(local_info_t * local,u8 * bssid,u8 * ssid,size_t ssid_len)327 static struct hostap_bss_info *__hostap_get_bss(local_info_t *local, u8 *bssid,
328 						u8 *ssid, size_t ssid_len)
329 {
330 	struct list_head *ptr;
331 	struct hostap_bss_info *bss;
332 
333 	list_for_each(ptr, &local->bss_list) {
334 		bss = list_entry(ptr, struct hostap_bss_info, list);
335 		if (memcmp(bss->bssid, bssid, ETH_ALEN) == 0 &&
336 		    (ssid == NULL ||
337 		     (ssid_len == bss->ssid_len &&
338 		      memcmp(ssid, bss->ssid, ssid_len) == 0))) {
339 			list_move(&bss->list, &local->bss_list);
340 			return bss;
341 		}
342 	}
343 
344 	return NULL;
345 }
346 
347 
__hostap_add_bss(local_info_t * local,u8 * bssid,u8 * ssid,size_t ssid_len)348 static struct hostap_bss_info *__hostap_add_bss(local_info_t *local, u8 *bssid,
349 						u8 *ssid, size_t ssid_len)
350 {
351 	struct hostap_bss_info *bss;
352 
353 	if (local->num_bss_info >= HOSTAP_MAX_BSS_COUNT) {
354 		bss = list_entry(local->bss_list.prev,
355 				 struct hostap_bss_info, list);
356 		list_del(&bss->list);
357 		local->num_bss_info--;
358 	} else {
359 		bss = kmalloc(sizeof(*bss), GFP_ATOMIC);
360 		if (bss == NULL)
361 			return NULL;
362 	}
363 
364 	memset(bss, 0, sizeof(*bss));
365 	memcpy(bss->bssid, bssid, ETH_ALEN);
366 	memcpy(bss->ssid, ssid, ssid_len);
367 	bss->ssid_len = ssid_len;
368 	local->num_bss_info++;
369 	list_add(&bss->list, &local->bss_list);
370 	return bss;
371 }
372 
373 
__hostap_expire_bss(local_info_t * local)374 static void __hostap_expire_bss(local_info_t *local)
375 {
376 	struct hostap_bss_info *bss;
377 
378 	while (local->num_bss_info > 0) {
379 		bss = list_entry(local->bss_list.prev,
380 				 struct hostap_bss_info, list);
381 		if (!time_after(jiffies, bss->last_update + 60 * HZ))
382 			break;
383 
384 		list_del(&bss->list);
385 		local->num_bss_info--;
386 		kfree(bss);
387 	}
388 }
389 
390 
391 /* Both IEEE 802.11 Beacon and Probe Response frames have similar structure, so
392  * the same routine can be used to parse both of them. */
hostap_rx_sta_beacon(local_info_t * local,struct sk_buff * skb,int stype)393 static void hostap_rx_sta_beacon(local_info_t *local, struct sk_buff *skb,
394 				 int stype)
395 {
396 	struct hostap_ieee80211_mgmt *mgmt;
397 	int left, chan = 0;
398 	u8 *pos;
399 	u8 *ssid = NULL, *wpa = NULL, *rsn = NULL;
400 	size_t ssid_len = 0, wpa_len = 0, rsn_len = 0;
401 	struct hostap_bss_info *bss;
402 
403 	if (skb->len < IEEE80211_MGMT_HDR_LEN + sizeof(mgmt->u.beacon))
404 		return;
405 
406 	mgmt = (struct hostap_ieee80211_mgmt *) skb->data;
407 	pos = mgmt->u.beacon.variable;
408 	left = skb->len - (pos - skb->data);
409 
410 	while (left >= 2) {
411 		if (2 + pos[1] > left)
412 			return; /* parse failed */
413 		switch (*pos) {
414 		case WLAN_EID_SSID:
415 			ssid = pos + 2;
416 			ssid_len = pos[1];
417 			break;
418 		case WLAN_EID_GENERIC:
419 			if (pos[1] >= 4 &&
420 			    pos[2] == 0x00 && pos[3] == 0x50 &&
421 			    pos[4] == 0xf2 && pos[5] == 1) {
422 				wpa = pos;
423 				wpa_len = pos[1] + 2;
424 			}
425 			break;
426 		case WLAN_EID_RSN:
427 			rsn = pos;
428 			rsn_len = pos[1] + 2;
429 			break;
430 		case WLAN_EID_DS_PARAMS:
431 			if (pos[1] >= 1)
432 				chan = pos[2];
433 			break;
434 		}
435 		left -= 2 + pos[1];
436 		pos += 2 + pos[1];
437 	}
438 
439 	if (wpa_len > MAX_WPA_IE_LEN)
440 		wpa_len = MAX_WPA_IE_LEN;
441 	if (rsn_len > MAX_WPA_IE_LEN)
442 		rsn_len = MAX_WPA_IE_LEN;
443 	if (ssid_len > sizeof(bss->ssid))
444 		ssid_len = sizeof(bss->ssid);
445 
446 	spin_lock(&local->lock);
447 	bss = __hostap_get_bss(local, mgmt->bssid, ssid, ssid_len);
448 	if (bss == NULL)
449 		bss = __hostap_add_bss(local, mgmt->bssid, ssid, ssid_len);
450 	if (bss) {
451 		bss->last_update = jiffies;
452 		bss->count++;
453 		bss->capab_info = le16_to_cpu(mgmt->u.beacon.capab_info);
454 		if (wpa) {
455 			memcpy(bss->wpa_ie, wpa, wpa_len);
456 			bss->wpa_ie_len = wpa_len;
457 		} else
458 			bss->wpa_ie_len = 0;
459 		if (rsn) {
460 			memcpy(bss->rsn_ie, rsn, rsn_len);
461 			bss->rsn_ie_len = rsn_len;
462 		} else
463 			bss->rsn_ie_len = 0;
464 		bss->chan = chan;
465 	}
466 	__hostap_expire_bss(local);
467 	spin_unlock(&local->lock);
468 }
469 
470 
471 static int
hostap_rx_frame_mgmt(local_info_t * local,struct sk_buff * skb,struct hostap_80211_rx_status * rx_stats,u16 type,u16 stype)472 hostap_rx_frame_mgmt(local_info_t *local, struct sk_buff *skb,
473 		     struct hostap_80211_rx_status *rx_stats, u16 type,
474 		     u16 stype)
475 {
476 	if (local->iw_mode == IW_MODE_MASTER)
477 		hostap_update_sta_ps(local, (struct ieee80211_hdr *) skb->data);
478 
479 	if (local->hostapd && type == IEEE80211_FTYPE_MGMT) {
480 		if (stype == IEEE80211_STYPE_BEACON &&
481 		    local->iw_mode == IW_MODE_MASTER) {
482 			struct sk_buff *skb2;
483 			/* Process beacon frames also in kernel driver to
484 			 * update STA(AP) table statistics */
485 			skb2 = skb_clone(skb, GFP_ATOMIC);
486 			if (skb2)
487 				hostap_rx(skb2->dev, skb2, rx_stats);
488 		}
489 
490 		/* send management frames to the user space daemon for
491 		 * processing */
492 		local->apdevstats.rx_packets++;
493 		local->apdevstats.rx_bytes += skb->len;
494 		if (local->apdev == NULL)
495 			return -1;
496 		prism2_rx_80211(local->apdev, skb, rx_stats, PRISM2_RX_MGMT);
497 		return 0;
498 	}
499 
500 	if (local->iw_mode == IW_MODE_MASTER) {
501 		if (type != IEEE80211_FTYPE_MGMT &&
502 		    type != IEEE80211_FTYPE_CTL) {
503 			printk(KERN_DEBUG "%s: unknown management frame "
504 			       "(type=0x%02x, stype=0x%02x) dropped\n",
505 			       skb->dev->name, type >> 2, stype >> 4);
506 			return -1;
507 		}
508 
509 		hostap_rx(skb->dev, skb, rx_stats);
510 		return 0;
511 	} else if (type == IEEE80211_FTYPE_MGMT &&
512 		   (stype == IEEE80211_STYPE_BEACON ||
513 		    stype == IEEE80211_STYPE_PROBE_RESP)) {
514 		hostap_rx_sta_beacon(local, skb, stype);
515 		return -1;
516 	} else if (type == IEEE80211_FTYPE_MGMT &&
517 		   (stype == IEEE80211_STYPE_ASSOC_RESP ||
518 		    stype == IEEE80211_STYPE_REASSOC_RESP)) {
519 		/* Ignore (Re)AssocResp silently since these are not currently
520 		 * needed but are still received when WPA/RSN mode is enabled.
521 		 */
522 		return -1;
523 	} else {
524 		printk(KERN_DEBUG "%s: hostap_rx_frame_mgmt: dropped unhandled"
525 		       " management frame in non-Host AP mode (type=%d:%d)\n",
526 		       skb->dev->name, type >> 2, stype >> 4);
527 		return -1;
528 	}
529 }
530 
531 
532 /* Called only as a tasklet (software IRQ) */
prism2_rx_get_wds(local_info_t * local,u8 * addr)533 static struct net_device *prism2_rx_get_wds(local_info_t *local,
534 						   u8 *addr)
535 {
536 	struct hostap_interface *iface = NULL;
537 	struct list_head *ptr;
538 
539 	read_lock_bh(&local->iface_lock);
540 	list_for_each(ptr, &local->hostap_interfaces) {
541 		iface = list_entry(ptr, struct hostap_interface, list);
542 		if (iface->type == HOSTAP_INTERFACE_WDS &&
543 		    memcmp(iface->u.wds.remote_addr, addr, ETH_ALEN) == 0)
544 			break;
545 		iface = NULL;
546 	}
547 	read_unlock_bh(&local->iface_lock);
548 
549 	return iface ? iface->dev : NULL;
550 }
551 
552 
553 static int
hostap_rx_frame_wds(local_info_t * local,struct ieee80211_hdr * hdr,u16 fc,struct net_device ** wds)554 hostap_rx_frame_wds(local_info_t *local, struct ieee80211_hdr *hdr, u16 fc,
555 		    struct net_device **wds)
556 {
557 	/* FIX: is this really supposed to accept WDS frames only in Master
558 	 * mode? What about Repeater or Managed with WDS frames? */
559 	if ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) !=
560 	    (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS) &&
561 	    (local->iw_mode != IW_MODE_MASTER || !(fc & IEEE80211_FCTL_TODS)))
562 		return 0; /* not a WDS frame */
563 
564 	/* Possible WDS frame: either IEEE 802.11 compliant (if FromDS)
565 	 * or own non-standard frame with 4th address after payload */
566 	if (memcmp(hdr->addr1, local->dev->dev_addr, ETH_ALEN) != 0 &&
567 	    (hdr->addr1[0] != 0xff || hdr->addr1[1] != 0xff ||
568 	     hdr->addr1[2] != 0xff || hdr->addr1[3] != 0xff ||
569 	     hdr->addr1[4] != 0xff || hdr->addr1[5] != 0xff)) {
570 		/* RA (or BSSID) is not ours - drop */
571 		PDEBUG(DEBUG_EXTRA2, "%s: received WDS frame with "
572 		       "not own or broadcast %s=%pM\n",
573 		       local->dev->name,
574 		       fc & IEEE80211_FCTL_FROMDS ? "RA" : "BSSID",
575 		       hdr->addr1);
576 		return -1;
577 	}
578 
579 	/* check if the frame came from a registered WDS connection */
580 	*wds = prism2_rx_get_wds(local, hdr->addr2);
581 	if (*wds == NULL && fc & IEEE80211_FCTL_FROMDS &&
582 	    (local->iw_mode != IW_MODE_INFRA ||
583 	     !(local->wds_type & HOSTAP_WDS_AP_CLIENT) ||
584 	     memcmp(hdr->addr2, local->bssid, ETH_ALEN) != 0)) {
585 		/* require that WDS link has been registered with TA or the
586 		 * frame is from current AP when using 'AP client mode' */
587 		PDEBUG(DEBUG_EXTRA, "%s: received WDS[4 addr] frame "
588 		       "from unknown TA=%pM\n",
589 		       local->dev->name, hdr->addr2);
590 		if (local->ap && local->ap->autom_ap_wds)
591 			hostap_wds_link_oper(local, hdr->addr2, WDS_ADD);
592 		return -1;
593 	}
594 
595 	if (*wds && !(fc & IEEE80211_FCTL_FROMDS) && local->ap &&
596 	    hostap_is_sta_assoc(local->ap, hdr->addr2)) {
597 		/* STA is actually associated with us even though it has a
598 		 * registered WDS link. Assume it is in 'AP client' mode.
599 		 * Since this is a 3-addr frame, assume it is not (bogus) WDS
600 		 * frame and process it like any normal ToDS frame from
601 		 * associated STA. */
602 		*wds = NULL;
603 	}
604 
605 	return 0;
606 }
607 
608 
hostap_is_eapol_frame(local_info_t * local,struct sk_buff * skb)609 static int hostap_is_eapol_frame(local_info_t *local, struct sk_buff *skb)
610 {
611 	struct net_device *dev = local->dev;
612 	u16 fc, ethertype;
613 	struct ieee80211_hdr *hdr;
614 	u8 *pos;
615 
616 	if (skb->len < 24)
617 		return 0;
618 
619 	hdr = (struct ieee80211_hdr *) skb->data;
620 	fc = le16_to_cpu(hdr->frame_control);
621 
622 	/* check that the frame is unicast frame to us */
623 	if ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) ==
624 	    IEEE80211_FCTL_TODS &&
625 	    memcmp(hdr->addr1, dev->dev_addr, ETH_ALEN) == 0 &&
626 	    memcmp(hdr->addr3, dev->dev_addr, ETH_ALEN) == 0) {
627 		/* ToDS frame with own addr BSSID and DA */
628 	} else if ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) ==
629 		   IEEE80211_FCTL_FROMDS &&
630 		   memcmp(hdr->addr1, dev->dev_addr, ETH_ALEN) == 0) {
631 		/* FromDS frame with own addr as DA */
632 	} else
633 		return 0;
634 
635 	if (skb->len < 24 + 8)
636 		return 0;
637 
638 	/* check for port access entity Ethernet type */
639 	pos = skb->data + 24;
640 	ethertype = (pos[6] << 8) | pos[7];
641 	if (ethertype == ETH_P_PAE)
642 		return 1;
643 
644 	return 0;
645 }
646 
647 
648 /* Called only as a tasklet (software IRQ) */
649 static int
hostap_rx_frame_decrypt(local_info_t * local,struct sk_buff * skb,struct lib80211_crypt_data * crypt)650 hostap_rx_frame_decrypt(local_info_t *local, struct sk_buff *skb,
651 			struct lib80211_crypt_data *crypt)
652 {
653 	struct ieee80211_hdr *hdr;
654 	int res, hdrlen;
655 
656 	if (crypt == NULL || crypt->ops->decrypt_mpdu == NULL)
657 		return 0;
658 
659 	hdr = (struct ieee80211_hdr *) skb->data;
660 	hdrlen = hostap_80211_get_hdrlen(hdr->frame_control);
661 
662 	if (local->tkip_countermeasures &&
663 	    strcmp(crypt->ops->name, "TKIP") == 0) {
664 		if (net_ratelimit()) {
665 			printk(KERN_DEBUG "%s: TKIP countermeasures: dropped "
666 			       "received packet from %pM\n",
667 			       local->dev->name, hdr->addr2);
668 		}
669 		return -1;
670 	}
671 
672 	atomic_inc(&crypt->refcnt);
673 	res = crypt->ops->decrypt_mpdu(skb, hdrlen, crypt->priv);
674 	atomic_dec(&crypt->refcnt);
675 	if (res < 0) {
676 		printk(KERN_DEBUG "%s: decryption failed (SA=%pM) res=%d\n",
677 		       local->dev->name, hdr->addr2, res);
678 		local->comm_tallies.rx_discards_wep_undecryptable++;
679 		return -1;
680 	}
681 
682 	return res;
683 }
684 
685 
686 /* Called only as a tasklet (software IRQ) */
687 static int
hostap_rx_frame_decrypt_msdu(local_info_t * local,struct sk_buff * skb,int keyidx,struct lib80211_crypt_data * crypt)688 hostap_rx_frame_decrypt_msdu(local_info_t *local, struct sk_buff *skb,
689 			     int keyidx, struct lib80211_crypt_data *crypt)
690 {
691 	struct ieee80211_hdr *hdr;
692 	int res, hdrlen;
693 
694 	if (crypt == NULL || crypt->ops->decrypt_msdu == NULL)
695 		return 0;
696 
697 	hdr = (struct ieee80211_hdr *) skb->data;
698 	hdrlen = hostap_80211_get_hdrlen(hdr->frame_control);
699 
700 	atomic_inc(&crypt->refcnt);
701 	res = crypt->ops->decrypt_msdu(skb, keyidx, hdrlen, crypt->priv);
702 	atomic_dec(&crypt->refcnt);
703 	if (res < 0) {
704 		printk(KERN_DEBUG "%s: MSDU decryption/MIC verification failed"
705 		       " (SA=%pM keyidx=%d)\n",
706 		       local->dev->name, hdr->addr2, keyidx);
707 		return -1;
708 	}
709 
710 	return 0;
711 }
712 
713 
714 /* All received frames are sent to this function. @skb contains the frame in
715  * IEEE 802.11 format, i.e., in the format it was sent over air.
716  * This function is called only as a tasklet (software IRQ). */
hostap_80211_rx(struct net_device * dev,struct sk_buff * skb,struct hostap_80211_rx_status * rx_stats)717 void hostap_80211_rx(struct net_device *dev, struct sk_buff *skb,
718 		     struct hostap_80211_rx_status *rx_stats)
719 {
720 	struct hostap_interface *iface;
721 	local_info_t *local;
722 	struct ieee80211_hdr *hdr;
723 	size_t hdrlen;
724 	u16 fc, type, stype, sc;
725 	struct net_device *wds = NULL;
726 	unsigned int frag;
727 	u8 *payload;
728 	struct sk_buff *skb2 = NULL;
729 	u16 ethertype;
730 	int frame_authorized = 0;
731 	int from_assoc_ap = 0;
732 	u8 dst[ETH_ALEN];
733 	u8 src[ETH_ALEN];
734 	struct lib80211_crypt_data *crypt = NULL;
735 	void *sta = NULL;
736 	int keyidx = 0;
737 
738 	iface = netdev_priv(dev);
739 	local = iface->local;
740 	iface->stats.rx_packets++;
741 	iface->stats.rx_bytes += skb->len;
742 
743 	/* dev is the master radio device; change this to be the default
744 	 * virtual interface (this may be changed to WDS device below) */
745 	dev = local->ddev;
746 	iface = netdev_priv(dev);
747 
748 	hdr = (struct ieee80211_hdr *) skb->data;
749 
750 	if (skb->len < 10)
751 		goto rx_dropped;
752 
753 	fc = le16_to_cpu(hdr->frame_control);
754 	type = fc & IEEE80211_FCTL_FTYPE;
755 	stype = fc & IEEE80211_FCTL_STYPE;
756 	sc = le16_to_cpu(hdr->seq_ctrl);
757 	frag = sc & IEEE80211_SCTL_FRAG;
758 	hdrlen = hostap_80211_get_hdrlen(hdr->frame_control);
759 
760 	/* Put this code here so that we avoid duplicating it in all
761 	 * Rx paths. - Jean II */
762 #ifdef IW_WIRELESS_SPY		/* defined in iw_handler.h */
763 	/* If spy monitoring on */
764 	if (iface->spy_data.spy_number > 0) {
765 		struct iw_quality wstats;
766 		wstats.level = rx_stats->signal;
767 		wstats.noise = rx_stats->noise;
768 		wstats.updated = IW_QUAL_LEVEL_UPDATED | IW_QUAL_NOISE_UPDATED
769 			| IW_QUAL_QUAL_INVALID | IW_QUAL_DBM;
770 		/* Update spy records */
771 		wireless_spy_update(dev, hdr->addr2, &wstats);
772 	}
773 #endif /* IW_WIRELESS_SPY */
774 	hostap_update_rx_stats(local->ap, hdr, rx_stats);
775 
776 	if (local->iw_mode == IW_MODE_MONITOR) {
777 		monitor_rx(dev, skb, rx_stats);
778 		return;
779 	}
780 
781 	if (local->host_decrypt) {
782 		int idx = 0;
783 		if (skb->len >= hdrlen + 3)
784 			idx = skb->data[hdrlen + 3] >> 6;
785 		crypt = local->crypt_info.crypt[idx];
786 		sta = NULL;
787 
788 		/* Use station specific key to override default keys if the
789 		 * receiver address is a unicast address ("individual RA"). If
790 		 * bcrx_sta_key parameter is set, station specific key is used
791 		 * even with broad/multicast targets (this is against IEEE
792 		 * 802.11, but makes it easier to use different keys with
793 		 * stations that do not support WEP key mapping). */
794 
795 		if (!(hdr->addr1[0] & 0x01) || local->bcrx_sta_key)
796 			(void) hostap_handle_sta_crypto(local, hdr, &crypt,
797 							&sta);
798 
799 		/* allow NULL decrypt to indicate an station specific override
800 		 * for default encryption */
801 		if (crypt && (crypt->ops == NULL ||
802 			      crypt->ops->decrypt_mpdu == NULL))
803 			crypt = NULL;
804 
805 		if (!crypt && (fc & IEEE80211_FCTL_PROTECTED)) {
806 #if 0
807 			/* This seems to be triggered by some (multicast?)
808 			 * frames from other than current BSS, so just drop the
809 			 * frames silently instead of filling system log with
810 			 * these reports. */
811 			printk(KERN_DEBUG "%s: WEP decryption failed (not set)"
812 			       " (SA=%pM)\n",
813 			       local->dev->name, hdr->addr2);
814 #endif
815 			local->comm_tallies.rx_discards_wep_undecryptable++;
816 			goto rx_dropped;
817 		}
818 	}
819 
820 	if (type != IEEE80211_FTYPE_DATA) {
821 		if (type == IEEE80211_FTYPE_MGMT &&
822 		    stype == IEEE80211_STYPE_AUTH &&
823 		    fc & IEEE80211_FCTL_PROTECTED && local->host_decrypt &&
824 		    (keyidx = hostap_rx_frame_decrypt(local, skb, crypt)) < 0)
825 		{
826 			printk(KERN_DEBUG "%s: failed to decrypt mgmt::auth "
827 			       "from %pM\n", dev->name, hdr->addr2);
828 			/* TODO: could inform hostapd about this so that it
829 			 * could send auth failure report */
830 			goto rx_dropped;
831 		}
832 
833 		if (hostap_rx_frame_mgmt(local, skb, rx_stats, type, stype))
834 			goto rx_dropped;
835 		else
836 			goto rx_exit;
837 	}
838 
839 	/* Data frame - extract src/dst addresses */
840 	if (skb->len < IEEE80211_DATA_HDR3_LEN)
841 		goto rx_dropped;
842 
843 	switch (fc & (IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS)) {
844 	case IEEE80211_FCTL_FROMDS:
845 		memcpy(dst, hdr->addr1, ETH_ALEN);
846 		memcpy(src, hdr->addr3, ETH_ALEN);
847 		break;
848 	case IEEE80211_FCTL_TODS:
849 		memcpy(dst, hdr->addr3, ETH_ALEN);
850 		memcpy(src, hdr->addr2, ETH_ALEN);
851 		break;
852 	case IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS:
853 		if (skb->len < IEEE80211_DATA_HDR4_LEN)
854 			goto rx_dropped;
855 		memcpy(dst, hdr->addr3, ETH_ALEN);
856 		memcpy(src, hdr->addr4, ETH_ALEN);
857 		break;
858 	case 0:
859 		memcpy(dst, hdr->addr1, ETH_ALEN);
860 		memcpy(src, hdr->addr2, ETH_ALEN);
861 		break;
862 	}
863 
864 	if (hostap_rx_frame_wds(local, hdr, fc, &wds))
865 		goto rx_dropped;
866 	if (wds)
867 		skb->dev = dev = wds;
868 
869 	if (local->iw_mode == IW_MODE_MASTER && !wds &&
870 	    (fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) ==
871 	    IEEE80211_FCTL_FROMDS &&
872 	    local->stadev &&
873 	    memcmp(hdr->addr2, local->assoc_ap_addr, ETH_ALEN) == 0) {
874 		/* Frame from BSSID of the AP for which we are a client */
875 		skb->dev = dev = local->stadev;
876 		from_assoc_ap = 1;
877 	}
878 
879 	if ((local->iw_mode == IW_MODE_MASTER ||
880 	     local->iw_mode == IW_MODE_REPEAT) &&
881 	    !from_assoc_ap) {
882 		switch (hostap_handle_sta_rx(local, dev, skb, rx_stats,
883 					     wds != NULL)) {
884 		case AP_RX_CONTINUE_NOT_AUTHORIZED:
885 			frame_authorized = 0;
886 			break;
887 		case AP_RX_CONTINUE:
888 			frame_authorized = 1;
889 			break;
890 		case AP_RX_DROP:
891 			goto rx_dropped;
892 		case AP_RX_EXIT:
893 			goto rx_exit;
894 		}
895 	}
896 
897 	/* Nullfunc frames may have PS-bit set, so they must be passed to
898 	 * hostap_handle_sta_rx() before being dropped here. */
899 	if (stype != IEEE80211_STYPE_DATA &&
900 	    stype != IEEE80211_STYPE_DATA_CFACK &&
901 	    stype != IEEE80211_STYPE_DATA_CFPOLL &&
902 	    stype != IEEE80211_STYPE_DATA_CFACKPOLL) {
903 		if (stype != IEEE80211_STYPE_NULLFUNC)
904 			printk(KERN_DEBUG "%s: RX: dropped data frame "
905 			       "with no data (type=0x%02x, subtype=0x%02x)\n",
906 			       dev->name, type >> 2, stype >> 4);
907 		goto rx_dropped;
908 	}
909 
910 	/* skb: hdr + (possibly fragmented, possibly encrypted) payload */
911 
912 	if (local->host_decrypt && (fc & IEEE80211_FCTL_PROTECTED) &&
913 	    (keyidx = hostap_rx_frame_decrypt(local, skb, crypt)) < 0)
914 		goto rx_dropped;
915 	hdr = (struct ieee80211_hdr *) skb->data;
916 
917 	/* skb: hdr + (possibly fragmented) plaintext payload */
918 
919 	if (local->host_decrypt && (fc & IEEE80211_FCTL_PROTECTED) &&
920 	    (frag != 0 || (fc & IEEE80211_FCTL_MOREFRAGS))) {
921 		int flen;
922 		struct sk_buff *frag_skb =
923 			prism2_frag_cache_get(local, hdr);
924 		if (!frag_skb) {
925 			printk(KERN_DEBUG "%s: Rx cannot get skb from "
926 			       "fragment cache (morefrag=%d seq=%u frag=%u)\n",
927 			       dev->name, (fc & IEEE80211_FCTL_MOREFRAGS) != 0,
928 			       (sc & IEEE80211_SCTL_SEQ) >> 4, frag);
929 			goto rx_dropped;
930 		}
931 
932 		flen = skb->len;
933 		if (frag != 0)
934 			flen -= hdrlen;
935 
936 		if (frag_skb->tail + flen > frag_skb->end) {
937 			printk(KERN_WARNING "%s: host decrypted and "
938 			       "reassembled frame did not fit skb\n",
939 			       dev->name);
940 			prism2_frag_cache_invalidate(local, hdr);
941 			goto rx_dropped;
942 		}
943 
944 		if (frag == 0) {
945 			/* copy first fragment (including full headers) into
946 			 * beginning of the fragment cache skb */
947 			skb_copy_from_linear_data(skb, skb_put(frag_skb, flen),
948 						  flen);
949 		} else {
950 			/* append frame payload to the end of the fragment
951 			 * cache skb */
952 			skb_copy_from_linear_data_offset(skb, hdrlen,
953 							 skb_put(frag_skb,
954 								 flen), flen);
955 		}
956 		dev_kfree_skb(skb);
957 		skb = NULL;
958 
959 		if (fc & IEEE80211_FCTL_MOREFRAGS) {
960 			/* more fragments expected - leave the skb in fragment
961 			 * cache for now; it will be delivered to upper layers
962 			 * after all fragments have been received */
963 			goto rx_exit;
964 		}
965 
966 		/* this was the last fragment and the frame will be
967 		 * delivered, so remove skb from fragment cache */
968 		skb = frag_skb;
969 		hdr = (struct ieee80211_hdr *) skb->data;
970 		prism2_frag_cache_invalidate(local, hdr);
971 	}
972 
973 	/* skb: hdr + (possible reassembled) full MSDU payload; possibly still
974 	 * encrypted/authenticated */
975 
976 	if (local->host_decrypt && (fc & IEEE80211_FCTL_PROTECTED) &&
977 	    hostap_rx_frame_decrypt_msdu(local, skb, keyidx, crypt))
978 		goto rx_dropped;
979 
980 	hdr = (struct ieee80211_hdr *) skb->data;
981 	if (crypt && !(fc & IEEE80211_FCTL_PROTECTED) && !local->open_wep) {
982 		if (local->ieee_802_1x &&
983 		    hostap_is_eapol_frame(local, skb)) {
984 			/* pass unencrypted EAPOL frames even if encryption is
985 			 * configured */
986 			PDEBUG(DEBUG_EXTRA2, "%s: RX: IEEE 802.1X - passing "
987 			       "unencrypted EAPOL frame\n", local->dev->name);
988 		} else {
989 			printk(KERN_DEBUG "%s: encryption configured, but RX "
990 			       "frame not encrypted (SA=%pM)\n",
991 			       local->dev->name, hdr->addr2);
992 			goto rx_dropped;
993 		}
994 	}
995 
996 	if (local->drop_unencrypted && !(fc & IEEE80211_FCTL_PROTECTED) &&
997 	    !hostap_is_eapol_frame(local, skb)) {
998 		if (net_ratelimit()) {
999 			printk(KERN_DEBUG "%s: dropped unencrypted RX data "
1000 			       "frame from %pM (drop_unencrypted=1)\n",
1001 			       dev->name, hdr->addr2);
1002 		}
1003 		goto rx_dropped;
1004 	}
1005 
1006 	/* skb: hdr + (possible reassembled) full plaintext payload */
1007 
1008 	payload = skb->data + hdrlen;
1009 	ethertype = (payload[6] << 8) | payload[7];
1010 
1011 	/* If IEEE 802.1X is used, check whether the port is authorized to send
1012 	 * the received frame. */
1013 	if (local->ieee_802_1x && local->iw_mode == IW_MODE_MASTER) {
1014 		if (ethertype == ETH_P_PAE) {
1015 			PDEBUG(DEBUG_EXTRA2, "%s: RX: IEEE 802.1X frame\n",
1016 			       dev->name);
1017 			if (local->hostapd && local->apdev) {
1018 				/* Send IEEE 802.1X frames to the user
1019 				 * space daemon for processing */
1020 				prism2_rx_80211(local->apdev, skb, rx_stats,
1021 						PRISM2_RX_MGMT);
1022 				local->apdevstats.rx_packets++;
1023 				local->apdevstats.rx_bytes += skb->len;
1024 				goto rx_exit;
1025 			}
1026 		} else if (!frame_authorized) {
1027 			printk(KERN_DEBUG "%s: dropped frame from "
1028 			       "unauthorized port (IEEE 802.1X): "
1029 			       "ethertype=0x%04x\n",
1030 			       dev->name, ethertype);
1031 			goto rx_dropped;
1032 		}
1033 	}
1034 
1035 	/* convert hdr + possible LLC headers into Ethernet header */
1036 	if (skb->len - hdrlen >= 8 &&
1037 	    ((memcmp(payload, rfc1042_header, 6) == 0 &&
1038 	      ethertype != ETH_P_AARP && ethertype != ETH_P_IPX) ||
1039 	     memcmp(payload, bridge_tunnel_header, 6) == 0)) {
1040 		/* remove RFC1042 or Bridge-Tunnel encapsulation and
1041 		 * replace EtherType */
1042 		skb_pull(skb, hdrlen + 6);
1043 		memcpy(skb_push(skb, ETH_ALEN), src, ETH_ALEN);
1044 		memcpy(skb_push(skb, ETH_ALEN), dst, ETH_ALEN);
1045 	} else {
1046 		__be16 len;
1047 		/* Leave Ethernet header part of hdr and full payload */
1048 		skb_pull(skb, hdrlen);
1049 		len = htons(skb->len);
1050 		memcpy(skb_push(skb, 2), &len, 2);
1051 		memcpy(skb_push(skb, ETH_ALEN), src, ETH_ALEN);
1052 		memcpy(skb_push(skb, ETH_ALEN), dst, ETH_ALEN);
1053 	}
1054 
1055 	if (wds && ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) ==
1056 		    IEEE80211_FCTL_TODS) &&
1057 	    skb->len >= ETH_HLEN + ETH_ALEN) {
1058 		/* Non-standard frame: get addr4 from its bogus location after
1059 		 * the payload */
1060 		skb_copy_from_linear_data_offset(skb, skb->len - ETH_ALEN,
1061 						 skb->data + ETH_ALEN,
1062 						 ETH_ALEN);
1063 		skb_trim(skb, skb->len - ETH_ALEN);
1064 	}
1065 
1066 	dev->stats.rx_packets++;
1067 	dev->stats.rx_bytes += skb->len;
1068 
1069 	if (local->iw_mode == IW_MODE_MASTER && !wds &&
1070 	    local->ap->bridge_packets) {
1071 		if (dst[0] & 0x01) {
1072 			/* copy multicast frame both to the higher layers and
1073 			 * to the wireless media */
1074 			local->ap->bridged_multicast++;
1075 			skb2 = skb_clone(skb, GFP_ATOMIC);
1076 			if (skb2 == NULL)
1077 				printk(KERN_DEBUG "%s: skb_clone failed for "
1078 				       "multicast frame\n", dev->name);
1079 		} else if (hostap_is_sta_authorized(local->ap, dst)) {
1080 			/* send frame directly to the associated STA using
1081 			 * wireless media and not passing to higher layers */
1082 			local->ap->bridged_unicast++;
1083 			skb2 = skb;
1084 			skb = NULL;
1085 		}
1086 	}
1087 
1088 	if (skb2 != NULL) {
1089 		/* send to wireless media */
1090 		skb2->dev = dev;
1091 		skb2->protocol = cpu_to_be16(ETH_P_802_3);
1092 		skb_reset_mac_header(skb2);
1093 		skb_reset_network_header(skb2);
1094 		/* skb2->network_header += ETH_HLEN; */
1095 		dev_queue_xmit(skb2);
1096 	}
1097 
1098 	if (skb) {
1099 		skb->protocol = eth_type_trans(skb, dev);
1100 		memset(skb->cb, 0, sizeof(skb->cb));
1101 		netif_rx(skb);
1102 	}
1103 
1104  rx_exit:
1105 	if (sta)
1106 		hostap_handle_sta_release(sta);
1107 	return;
1108 
1109  rx_dropped:
1110 	dev_kfree_skb(skb);
1111 
1112 	dev->stats.rx_dropped++;
1113 	goto rx_exit;
1114 }
1115 
1116 
1117 EXPORT_SYMBOL(hostap_80211_rx);
1118