From owner-svn-src-head@FreeBSD.ORG Thu Feb 7 21:32:10 2013 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id F3F6EFEE; Thu, 7 Feb 2013 21:32:09 +0000 (UTC) (envelope-from monthadar@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id D4F4FFC5; Thu, 7 Feb 2013 21:32:09 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.5/8.14.5) with ESMTP id r17LW9OG014466; Thu, 7 Feb 2013 21:32:09 GMT (envelope-from monthadar@svn.freebsd.org) Received: (from monthadar@localhost) by svn.freebsd.org (8.14.5/8.14.5/Submit) id r17LW9uQ014465; Thu, 7 Feb 2013 21:32:09 GMT (envelope-from monthadar@svn.freebsd.org) Message-Id: <201302072132.r17LW9uQ014465@svn.freebsd.org> 
From: Monthadar Al Jaberi Date: Thu, 7 Feb 2013 21:32:09 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r246520 - head/sys/net80211 X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Feb 2013 21:32:10 -0000 Author: monthadar Date: Thu Feb 7 21:32:09 2013 New Revision: 246520 URL: http://svnweb.freebsd.org/changeset/base/246520 Log: Mesh: received GANN frames were not parsed correctly. * Added mesh_parse_meshgate_action that parses all values to host endian; * Add more detailed debug output; Approved by: adrian (mentor) Modified: head/sys/net80211/ieee80211_mesh.c Modified: head/sys/net80211/ieee80211_mesh.c ============================================================================== --- head/sys/net80211/ieee80211_mesh.c Thu Feb 7 21:31:37 2013 (r246519) +++ head/sys/net80211/ieee80211_mesh.c Thu Feb 7 21:32:09 2013 (r246520) @@ -533,9 +533,6 @@ mesh_gatemode_cb(void *arg) struct ieee80211_mesh_state *ms = vap->iv_mesh; struct ieee80211_meshgann_ie gann; - IEEE80211_NOTE(vap, IEEE80211_MSG_MESH, vap->iv_bss, - "%s", "send broadcast GANN"); - gann.gann_flags = 0; /* Reserved */ gann.gann_hopcount = 0; gann.gann_ttl = ms->ms_ttl; @@ -543,6 +540,9 @@ mesh_gatemode_cb(void *arg) gann.gann_seq = ms->ms_gateseq++; gann.gann_interval = ieee80211_mesh_gateint; + IEEE80211_NOTE(vap, IEEE80211_MSG_MESH, vap->iv_bss, + "send broadcast GANN (seq %u)", gann.gann_seq); + ieee80211_send_action(vap->iv_bss, IEEE80211_ACTION_CAT_MESH, IEEE80211_ACTION_MESH_GANN, &gann); mesh_gatemode_setup(vap); 
@@ -2605,6 +2605,40 @@ mesh_recv_action_meshlmetric(struct ieee
 }
 
 /*
+ * Parse meshgate action ie's for GANN frames.
+ * Returns -1 if parsing fails, otherwise 0.
+ */
+static int
+mesh_parse_meshgate_action(struct ieee80211_node *ni,
+ const struct ieee80211_frame *wh, /* XXX for VERIFY_LENGTH */
+ struct ieee80211_meshgann_ie *ie, const uint8_t *frm, const uint8_t *efrm)
+{
+ struct ieee80211vap *vap = ni->ni_vap;
+ const struct ieee80211_meshgann_ie *gannie;
+
+ while (efrm - frm > 1) {
+ IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return -1);
+ switch (*frm) {
+ case IEEE80211_ELEMID_MESHGANN:
+ gannie = (const struct ieee80211_meshgann_ie *) frm;
+ memset(ie, 0, sizeof(ie));
+ ie->gann_ie = gannie->gann_ie;
+ ie->gann_len = gannie->gann_len;
+ ie->gann_flags = gannie->gann_flags;
+ ie->gann_hopcount = gannie->gann_hopcount;
+ ie->gann_ttl = gannie->gann_ttl;
+ IEEE80211_ADDR_COPY(ie->gann_addr, gannie->gann_addr);
+ ie->gann_seq = LE_READ_4(&gannie->gann_seq);
+ ie->gann_interval = LE_READ_2(&gannie->gann_interval);
+ break;
+ }
+ frm += frm[1] + 2;
+ }
+
+ return 0;
+}
+
+/*
 * Mesh Gate Announcement handling.
 */
 static int
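Review bot: The `IEEE80211_ELEMID_MESHGANN` case reads every field of the element, including `gann_seq` and `gann_interval`, without first checking that `frm[1]` is at least the GANN body length; the `IEEE80211_VERIFY_LENGTH` call above it only proves that the advertised length fits in what is left of the frame. A received element with a short length byte near the end of the frame would make these reads run past `efrm`, so a minimum-length check belongs before the cast, for example `IEEE80211_VERIFY_LENGTH(frm[1], sizeof(*gannie) - 2, return -1);` (this assumes the IE struct is packed to its wire size; its definition is not shown here). Separately, `memset(ie, 0, sizeof(ie));` clears only a pointer's worth of bytes because `ie` is a pointer parameter; it should be `memset(ie, 0, sizeof(*ie));`.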
@@ -2617,29 +2651,36 @@ mesh_recv_action_meshgate(struct ieee802 struct ieee80211_mesh_gate_route *gr, *next; struct ieee80211_mesh_route *rt_gate; struct ieee80211_meshgann_ie pgann; + struct ieee80211_meshgann_ie ie; int found = 0; - const struct ieee80211_meshgann_ie *ie = - (const struct ieee80211_meshgann_ie *) - (frm+2); /* action + code */ - if (IEEE80211_ADDR_EQ(vap->iv_myaddr, ie->gann_addr)) + /* +2 for action + code */ + if (mesh_parse_meshgate_action(ni, wh, &ie, frm+2, efrm) != 0) { + IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_MESH, + ni->ni_macaddr, NULL, "%s", + "GANN parsing failed"); + vap->iv_stats.is_rx_mgtdiscard++; + return (0); + } + + if (IEEE80211_ADDR_EQ(vap->iv_myaddr, ie.gann_addr)) return 0; IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_MESH, ni->ni_macaddr, - "received GANN, meshgate: %6D (seq %u)", ie->gann_addr, ":", - ie->gann_seq); + "received GANN, meshgate: %6D (seq %u)", ie.gann_addr, ":", + ie.gann_seq); if (ms == NULL) return (0); MESH_RT_LOCK(ms); TAILQ_FOREACH_SAFE(gr, &ms->ms_known_gates, gr_next, next) { - if (!IEEE80211_ADDR_EQ(gr->gr_addr, ie->gann_addr)) + if (!IEEE80211_ADDR_EQ(gr->gr_addr, ie.gann_addr)) continue; - if (ie->gann_seq <= gr->gr_lastseq) { + if (ie.gann_seq <= gr->gr_lastseq) { IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_MESH, ni->ni_macaddr, NULL, "GANN old seqno %u <= %u", - ie->gann_seq, gr->gr_lastseq); + ie.gann_seq, gr->gr_lastseq); MESH_RT_UNLOCK(ms); return (0); } 
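Review bot: `mesh_parse_meshgate_action()` returns 0 whenever its element walk finishes, including when the frame carried no `IEEE80211_ELEMID_MESHGANN` element at all, so the `!= 0` check here does not prove that `ie` was filled in. In that case the stack-allocated `ie` is read uninitialized by the `IEEE80211_ADDR_EQ` test, by the debug note, and by the known-gates update further down. Zero it before the call and require the element id afterwards, e.g. `memset(&ie, 0, sizeof(ie));` followed by `if (mesh_parse_meshgate_action(ni, wh, &ie, frm+2, efrm) != 0 || ie.gann_ie != IEEE80211_ELEMID_MESHGANN) {`. The body of `mesh_recv_action_meshgate` starts and ends outside this hunk.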
@@ -2650,14 +2691,14 @@ mesh_recv_action_meshgate(struct ieee802 } if (found == 0) { /* this GANN is from a new mesh Gate add it to known table. */ - IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_MESH, ie->gann_addr, - "stored new GANN information, seq %u.", ie->gann_seq); + IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_MESH, ie.gann_addr, + "stored new GANN information, seq %u.", ie.gann_seq); gr = malloc(ALIGN(sizeof(struct ieee80211_mesh_gate_route)), M_80211_MESH_GT_RT, M_NOWAIT | M_ZERO); - IEEE80211_ADDR_COPY(gr->gr_addr, ie->gann_addr); + IEEE80211_ADDR_COPY(gr->gr_addr, ie.gann_addr); TAILQ_INSERT_TAIL(&ms->ms_known_gates, gr, gr_next); } - gr->gr_lastseq = ie->gann_seq; + gr->gr_lastseq = ie.gann_seq; /* check if we have a path to this gate */ rt_gate = mesh_rt_find_locked(ms, gr->gr_addr); @@ -2670,17 +2711,16 @@ mesh_recv_action_meshgate(struct ieee802 MESH_RT_UNLOCK(ms); /* popagate only if decremented ttl >= 1 && forwarding is enabled */ - if ((ie->gann_ttl - 1) < 1 && - !(ms->ms_flags & IEEE80211_MESHFLAGS_FWD)) + if ((ie.gann_ttl - 1) < 1 && !(ms->ms_flags & IEEE80211_MESHFLAGS_FWD)) return 0; - pgann.gann_flags = ie->gann_flags; /* Reserved */ - pgann.gann_hopcount = ie->gann_hopcount + 1; - pgann.gann_ttl = ie->gann_ttl - 1; - IEEE80211_ADDR_COPY(pgann.gann_addr, ie->gann_addr); - pgann.gann_seq = ie->gann_seq; - pgann.gann_interval = ie->gann_interval; + pgann.gann_flags = ie.gann_flags; /* Reserved */ + pgann.gann_hopcount = ie.gann_hopcount + 1; + pgann.gann_ttl = ie.gann_ttl - 1; + IEEE80211_ADDR_COPY(pgann.gann_addr, ie.gann_addr); + pgann.gann_seq = ie.gann_seq; + pgann.gann_interval = ie.gann_interval; - IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_MESH, ie->gann_addr, + IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_MESH, ie.gann_addr, "%s", "propagate GANN"); ieee80211_send_action(vap->iv_bss, IEEE80211_ACTION_CAT_MESH,
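Review bot: The `M_NOWAIT` allocation of `gr` is dereferenced by `IEEE80211_ADDR_COPY(gr->gr_addr, ie.gann_addr)` on the very next line with no NULL check, and this path runs for every received GANN that names a gate not yet in `ms_known_gates`. Under memory pressure that is a NULL dereference in the receive path, apparently with `MESH_RT_LOCK` still held (it is taken in the previous hunk and released in the next one). A guard such as `if (gr == NULL) { MESH_RT_UNLOCK(ms); return (0); }` right after the `malloc` would drop the announcement instead. The enclosing function begins and ends outside this hunk.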
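Review bot: The early-return test in the `@@ -2670,17 +2711,16 @@` hunk joins its two conditions with `&&`, which contradicts the comment above it: as written the function returns only when the TTL is exhausted and forwarding is also disabled, so a GANN with `gann_ttl` of 0 or 1 is still re-sent whenever `IEEE80211_MESHFLAGS_FWD` is set. `pgann.gann_ttl = ie.gann_ttl - 1` then stores 0 or, if the field is an unsigned 8-bit value (its type is not shown here), wraps to a large TTL, which defeats the hop limit on propagated announcements. The condition the comment describes is `if (ie.gann_ttl <= 1 || !(ms->ms_flags & IEEE80211_MESHFLAGS_FWD))`. This commit only reflowed the line, and the hunk ends inside the `ieee80211_send_action` call.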