From 541d8676f1dbb712a3ab3c8978cb198a56fac1dc Mon Sep 17 00:00:00 2001 From: monthadar Date: Thu, 7 Feb 2013 21:32:09 +0000 Subject: Mesh: recevied GANN frames where not parsed correctly. * Added mesh_parse_meshgate_action that parse all values to host endian; * Add more detailed debug output; Approved by: adrian (mentor) --- sys/net80211/ieee80211_mesh.c | 92 +++++++++++++++++++++++++++++++------------ 1 file changed, 66 insertions(+), 26 deletions(-) (limited to 'sys/net80211') diff --git a/sys/net80211/ieee80211_mesh.c b/sys/net80211/ieee80211_mesh.c index 38b7cea..ee9eaed 100644 --- a/sys/net80211/ieee80211_mesh.c +++ b/sys/net80211/ieee80211_mesh.c @@ -533,9 +533,6 @@ mesh_gatemode_cb(void *arg) struct ieee80211_mesh_state *ms = vap->iv_mesh; struct ieee80211_meshgann_ie gann; - IEEE80211_NOTE(vap, IEEE80211_MSG_MESH, vap->iv_bss, - "%s", "send broadcast GANN"); - gann.gann_flags = 0; /* Reserved */ gann.gann_hopcount = 0; gann.gann_ttl = ms->ms_ttl; @@ -543,6 +540,9 @@ mesh_gatemode_cb(void *arg) gann.gann_seq = ms->ms_gateseq++; gann.gann_interval = ieee80211_mesh_gateint; + IEEE80211_NOTE(vap, IEEE80211_MSG_MESH, vap->iv_bss, + "send broadcast GANN (seq %u)", gann.gann_seq); + ieee80211_send_action(vap->iv_bss, IEEE80211_ACTION_CAT_MESH, IEEE80211_ACTION_MESH_GANN, &gann); mesh_gatemode_setup(vap); @@ -2605,6 +2605,40 @@ mesh_recv_action_meshlmetric(struct ieee80211_node *ni, } /* + * Parse meshgate action ie's for GANN frames. + * Returns -1 if parsing fails, otherwise 0. + */ +static int +mesh_parse_meshgate_action(struct ieee80211_node *ni, + const struct ieee80211_frame *wh, /* XXX for VERIFY_LENGTH */ + struct ieee80211_meshgann_ie *ie, const uint8_t *frm, const uint8_t *efrm) +{ + struct ieee80211vap *vap = ni->ni_vap; + const struct ieee80211_meshgann_ie *gannie; + + while (efrm - frm > 1) { + IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return -1); + switch (*frm) { + case IEEE80211_ELEMID_MESHGANN: + gannie = (const struct ieee80211_meshgann_ie *) frm; + memset(ie, 0, sizeof(ie)); + ie->gann_ie = gannie->gann_ie; + ie->gann_len = gannie->gann_len; + ie->gann_flags = gannie->gann_flags; + ie->gann_hopcount = gannie->gann_hopcount; + ie->gann_ttl = gannie->gann_ttl; + IEEE80211_ADDR_COPY(ie->gann_addr, gannie->gann_addr); + ie->gann_seq = LE_READ_4(&gannie->gann_seq); + ie->gann_interval = LE_READ_2(&gannie->gann_interval); + break; + } + frm += frm[1] + 2; + } + + return 0; +} + +/* * Mesh Gate Announcement handling. */ static int @@ -2617,29 +2651,36 @@ mesh_recv_action_meshgate(struct ieee80211_node *ni, struct ieee80211_mesh_gate_route *gr, *next; struct ieee80211_mesh_route *rt_gate; struct ieee80211_meshgann_ie pgann; + struct ieee80211_meshgann_ie ie; int found = 0; - const struct ieee80211_meshgann_ie *ie = - (const struct ieee80211_meshgann_ie *) - (frm+2); /* action + code */ - if (IEEE80211_ADDR_EQ(vap->iv_myaddr, ie->gann_addr)) + /* +2 for action + code */ + if (mesh_parse_meshgate_action(ni, wh, &ie, frm+2, efrm) != 0) { + IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_MESH, + ni->ni_macaddr, NULL, "%s", + "GANN parsing failed"); + vap->iv_stats.is_rx_mgtdiscard++; + return (0); + } + + if (IEEE80211_ADDR_EQ(vap->iv_myaddr, ie.gann_addr)) return 0; IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_MESH, ni->ni_macaddr, - "received GANN, meshgate: %6D (seq %u)", ie->gann_addr, ":", - ie->gann_seq); + "received GANN, meshgate: %6D (seq %u)", ie.gann_addr, ":", + ie.gann_seq); if (ms == NULL) return (0); MESH_RT_LOCK(ms); TAILQ_FOREACH_SAFE(gr, &ms->ms_known_gates, gr_next, next) { - if (!IEEE80211_ADDR_EQ(gr->gr_addr, ie->gann_addr)) + if (!IEEE80211_ADDR_EQ(gr->gr_addr, ie.gann_addr)) continue; - if (ie->gann_seq <= gr->gr_lastseq) { + if (ie.gann_seq <= gr->gr_lastseq) { IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_MESH, ni->ni_macaddr, NULL, "GANN old seqno %u <= %u", - ie->gann_seq, gr->gr_lastseq); + ie.gann_seq, gr->gr_lastseq); MESH_RT_UNLOCK(ms); return (0); } @@ -2650,14 +2691,14 @@ mesh_recv_action_meshgate(struct ieee80211_node *ni, } if (found == 0) { /* this GANN is from a new mesh Gate add it to known table. */ - IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_MESH, ie->gann_addr, - "stored new GANN information, seq %u.", ie->gann_seq); + IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_MESH, ie.gann_addr, + "stored new GANN information, seq %u.", ie.gann_seq); gr = malloc(ALIGN(sizeof(struct ieee80211_mesh_gate_route)), M_80211_MESH_GT_RT, M_NOWAIT | M_ZERO); - IEEE80211_ADDR_COPY(gr->gr_addr, ie->gann_addr); + IEEE80211_ADDR_COPY(gr->gr_addr, ie.gann_addr); TAILQ_INSERT_TAIL(&ms->ms_known_gates, gr, gr_next); } - gr->gr_lastseq = ie->gann_seq; + gr->gr_lastseq = ie.gann_seq; /* check if we have a path to this gate */ rt_gate = mesh_rt_find_locked(ms, gr->gr_addr); @@ -2670,17 +2711,16 @@ mesh_recv_action_meshgate(struct ieee80211_node *ni, MESH_RT_UNLOCK(ms); /* popagate only if decremented ttl >= 1 && forwarding is enabled */ - if ((ie->gann_ttl - 1) < 1 && - !(ms->ms_flags & IEEE80211_MESHFLAGS_FWD)) + if ((ie.gann_ttl - 1) < 1 && !(ms->ms_flags & IEEE80211_MESHFLAGS_FWD)) return 0; - pgann.gann_flags = ie->gann_flags; /* Reserved */ - pgann.gann_hopcount = ie->gann_hopcount + 1; - pgann.gann_ttl = ie->gann_ttl - 1; - IEEE80211_ADDR_COPY(pgann.gann_addr, ie->gann_addr); - pgann.gann_seq = ie->gann_seq; - pgann.gann_interval = ie->gann_interval; - - IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_MESH, ie->gann_addr, + pgann.gann_flags = ie.gann_flags; /* Reserved */ + pgann.gann_hopcount = ie.gann_hopcount + 1; + pgann.gann_ttl = ie.gann_ttl - 1; + IEEE80211_ADDR_COPY(pgann.gann_addr, ie.gann_addr); + pgann.gann_seq = ie.gann_seq; + pgann.gann_interval = ie.gann_interval; + + IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_MESH, ie.gann_addr, "%s", "propagate GANN"); ieee80211_send_action(vap->iv_bss, IEEE80211_ACTION_CAT_MESH, -- cgit v1.1