net/mac80211/parse.c at master · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / net / mac80211 / parse.c
at master 31 kB view raw
   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 * Copyright 2002-2005, Instant802 Networks, Inc.
   4 * Copyright 2005-2006, Devicescape Software, Inc.
   5 * Copyright 2006-2007	Jiri Benc <jbenc@suse.cz>
   6 * Copyright 2007	Johannes Berg <johannes@sipsolutions.net>
   7 * Copyright 2013-2014  Intel Mobile Communications GmbH
   8 * Copyright (C) 2015-2017	Intel Deutschland GmbH
   9 * Copyright (C) 2018-2025 Intel Corporation
  10 *
  11 * element parsing for mac80211
  12 */
  13
  14#include <net/mac80211.h>
  15#include <linux/netdevice.h>
  16#include <linux/export.h>
  17#include <linux/types.h>
  18#include <linux/slab.h>
  19#include <linux/skbuff.h>
  20#include <linux/etherdevice.h>
  21#include <linux/if_arp.h>
  22#include <linux/bitmap.h>
  23#include <linux/crc32.h>
  24#include <net/net_namespace.h>
  25#include <net/cfg80211.h>
  26#include <net/rtnetlink.h>
  27#include <kunit/visibility.h>
  28
  29#include "ieee80211_i.h"
  30#include "driver-ops.h"
  31#include "rate.h"
  32#include "mesh.h"
  33#include "wme.h"
  34#include "led.h"
  35#include "wep.h"
  36
  37struct ieee80211_elems_parse {
  38	/* must be first for kfree to work */
  39	struct ieee802_11_elems elems;
  40
  41	/* The basic Multi-Link element in the original elements */
  42	const struct element *ml_basic_elem;
  43
  44	/* The reconfiguration Multi-Link element in the original elements */
  45	const struct element *ml_reconf_elem;
  46
  47	/* The EPCS Multi-Link element in the original elements */
  48	const struct element *ml_epcs_elem;
  49
  50	bool multi_link_inner;
  51	bool skip_vendor;
  52
  53	/*
  54	 * scratch buffer that can be used for various element parsing related
  55	 * tasks, e.g., element de-fragmentation etc.
  56	 */
  57	size_t scratch_len;
  58	u8 *scratch_pos;
  59	u8 scratch[] __counted_by(scratch_len);
  60};
  61
  62static void
  63ieee80211_parse_extension_element(u32 *crc,
  64				  const struct element *elem,
  65				  struct ieee80211_elems_parse *elems_parse,
  66				  struct ieee80211_elems_parse_params *params)
  67{
  68	struct ieee802_11_elems *elems = &elems_parse->elems;
  69	const void *data = elem->data + 1;
  70	bool calc_crc = false;
  71	u8 len;
  72
  73	if (!elem->datalen)
  74		return;
  75
  76	len = elem->datalen - 1;
  77
  78	switch (elem->data[0]) {
  79	case WLAN_EID_EXT_HE_MU_EDCA:
  80		if (params->mode < IEEE80211_CONN_MODE_HE)
  81			break;
  82		calc_crc = true;
  83		if (len >= sizeof(*elems->mu_edca_param_set))
  84			elems->mu_edca_param_set = data;
  85		break;
  86	case WLAN_EID_EXT_HE_CAPABILITY:
  87		if (params->mode < IEEE80211_CONN_MODE_HE)
  88			break;
  89		if (ieee80211_he_capa_size_ok(data, len)) {
  90			elems->he_cap = data;
  91			elems->he_cap_len = len;
  92		}
  93		break;
  94	case WLAN_EID_EXT_HE_OPERATION:
  95		if (params->mode < IEEE80211_CONN_MODE_HE)
  96			break;
  97		calc_crc = true;
  98		if (len >= sizeof(*elems->he_operation) &&
  99		    len >= ieee80211_he_oper_size(data) - 1)
 100			elems->he_operation = data;
 101		break;
 102	case WLAN_EID_EXT_UORA:
 103		if (params->mode < IEEE80211_CONN_MODE_HE)
 104			break;
 105		if (len >= 1)
 106			elems->uora_element = data;
 107		break;
 108	case WLAN_EID_EXT_MAX_CHANNEL_SWITCH_TIME:
 109		if (len == 3)
 110			elems->max_channel_switch_time = data;
 111		break;
 112	case WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION:
 113		if (len >= sizeof(*elems->mbssid_config_ie))
 114			elems->mbssid_config_ie = data;
 115		break;
 116	case WLAN_EID_EXT_HE_SPR:
 117		if (params->mode < IEEE80211_CONN_MODE_HE)
 118			break;
 119		if (len >= sizeof(*elems->he_spr) &&
 120		    len >= ieee80211_he_spr_size(data) - 1)
 121			elems->he_spr = data;
 122		break;
 123	case WLAN_EID_EXT_HE_6GHZ_CAPA:
 124		if (params->mode < IEEE80211_CONN_MODE_HE)
 125			break;
 126		if (len >= sizeof(*elems->he_6ghz_capa))
 127			elems->he_6ghz_capa = data;
 128		break;
 129	case WLAN_EID_EXT_EHT_CAPABILITY:
 130		if (params->mode < IEEE80211_CONN_MODE_EHT)
 131			break;
 132		if (ieee80211_eht_capa_size_ok(elems->he_cap,
 133					       data, len,
 134					       params->from_ap)) {
 135			elems->eht_cap = data;
 136			elems->eht_cap_len = len;
 137		}
 138		break;
 139	case WLAN_EID_EXT_EHT_OPERATION:
 140		if (params->mode < IEEE80211_CONN_MODE_EHT)
 141			break;
 142		if (ieee80211_eht_oper_size_ok(data, len))
 143			elems->eht_operation = data;
 144		calc_crc = true;
 145		break;
 146	case WLAN_EID_EXT_EHT_MULTI_LINK:
 147		if (params->mode < IEEE80211_CONN_MODE_EHT)
 148			break;
 149		calc_crc = true;
 150
 151		if (ieee80211_mle_size_ok(data, len)) {
 152			const struct ieee80211_multi_link_elem *mle =
 153				(void *)data;
 154
 155			switch (le16_get_bits(mle->control,
 156					      IEEE80211_ML_CONTROL_TYPE)) {
 157			case IEEE80211_ML_CONTROL_TYPE_BASIC:
 158				if (elems_parse->multi_link_inner) {
 159					elems->parse_error |=
 160						IEEE80211_PARSE_ERR_DUP_NEST_ML_BASIC;
 161					break;
 162				}
 163				break;
 164			case IEEE80211_ML_CONTROL_TYPE_RECONF:
 165				elems_parse->ml_reconf_elem = elem;
 166				break;
 167			case IEEE80211_ML_CONTROL_TYPE_PRIO_ACCESS:
 168				elems_parse->ml_epcs_elem = elem;
 169				break;
 170			default:
 171				break;
 172			}
 173		}
 174		break;
 175	case WLAN_EID_EXT_BANDWIDTH_INDICATION:
 176		if (params->mode < IEEE80211_CONN_MODE_EHT)
 177			break;
 178		if (ieee80211_bandwidth_indication_size_ok(data, len))
 179			elems->bandwidth_indication = data;
 180		calc_crc = true;
 181		break;
 182	case WLAN_EID_EXT_TID_TO_LINK_MAPPING:
 183		if (params->mode < IEEE80211_CONN_MODE_EHT)
 184			break;
 185		calc_crc = true;
 186		if (ieee80211_tid_to_link_map_size_ok(data, len) &&
 187		    elems->ttlm_num < ARRAY_SIZE(elems->ttlm)) {
 188			elems->ttlm[elems->ttlm_num] = (void *)data;
 189			elems->ttlm_num++;
 190		}
 191		break;
 192	}
 193
 194	if (crc && calc_crc)
 195		*crc = crc32_be(*crc, (void *)elem, elem->datalen + 2);
 196}
 197
 198static void ieee80211_parse_tpe(struct ieee80211_parsed_tpe *tpe,
 199				const u8 *data, u8 len)
 200{
 201	const struct ieee80211_tx_pwr_env *env = (const void *)data;
 202	u8 count, interpret, category;
 203	u8 *out, N, *cnt_out = NULL, *N_out = NULL;
 204
 205	if (!ieee80211_valid_tpe_element(data, len))
 206		return;
 207
 208	count = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_COUNT);
 209	interpret = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_INTERPRET);
 210	category = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_CATEGORY);
 211
 212	switch (interpret) {
 213	case IEEE80211_TPE_LOCAL_EIRP:
 214		out = tpe->max_local[category].power;
 215		cnt_out = &tpe->max_local[category].count;
 216		tpe->max_local[category].valid = true;
 217		break;
 218	case IEEE80211_TPE_REG_CLIENT_EIRP:
 219		out = tpe->max_reg_client[category].power;
 220		cnt_out = &tpe->max_reg_client[category].count;
 221		tpe->max_reg_client[category].valid = true;
 222		break;
 223	case IEEE80211_TPE_LOCAL_EIRP_PSD:
 224		out = tpe->psd_local[category].power;
 225		cnt_out = &tpe->psd_local[category].count;
 226		N_out = &tpe->psd_local[category].n;
 227		tpe->psd_local[category].valid = true;
 228		break;
 229	case IEEE80211_TPE_REG_CLIENT_EIRP_PSD:
 230		out = tpe->psd_reg_client[category].power;
 231		cnt_out = &tpe->psd_reg_client[category].count;
 232		N_out = &tpe->psd_reg_client[category].n;
 233		tpe->psd_reg_client[category].valid = true;
 234		break;
 235	}
 236
 237	switch (interpret) {
 238	case IEEE80211_TPE_LOCAL_EIRP:
 239	case IEEE80211_TPE_REG_CLIENT_EIRP:
 240		/* count was validated <= 3, plus 320 MHz */
 241		BUILD_BUG_ON(IEEE80211_TPE_EIRP_ENTRIES_320MHZ < 5);
 242		memcpy(out, env->variable, count + 1);
 243		*cnt_out = count + 1;
 244		/* separately take 320 MHz if present */
 245		if (count == 3 && len > sizeof(*env) + count + 1) {
 246			out[4] = env->variable[4];
 247			*cnt_out = 5;
 248		}
 249		break;
 250	case IEEE80211_TPE_LOCAL_EIRP_PSD:
 251	case IEEE80211_TPE_REG_CLIENT_EIRP_PSD:
 252		if (!count) {
 253			memset(out, env->variable[0],
 254			       IEEE80211_TPE_PSD_ENTRIES_320MHZ);
 255			*cnt_out = IEEE80211_TPE_PSD_ENTRIES_320MHZ;
 256			break;
 257		}
 258
 259		N = 1 << (count - 1);
 260		memcpy(out, env->variable, N);
 261		*cnt_out = N;
 262		*N_out = N;
 263
 264		if (len > sizeof(*env) + N) {
 265			int K = u8_get_bits(env->variable[N],
 266					    IEEE80211_TX_PWR_ENV_EXT_COUNT);
 267
 268			K = min(K, IEEE80211_TPE_PSD_ENTRIES_320MHZ - N);
 269			memcpy(out + N, env->variable + N + 1, K);
 270			(*cnt_out) += K;
 271		}
 272		break;
 273	}
 274}
 275
 276static u32
 277_ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params,
 278			     struct ieee80211_elems_parse *elems_parse,
 279			     const struct element *check_inherit)
 280{
 281	struct ieee802_11_elems *elems = &elems_parse->elems;
 282	const struct element *elem;
 283	bool calc_crc = params->filter != 0;
 284	DECLARE_BITMAP(seen_elems, 256);
 285	u32 crc = params->crc;
 286
 287	bitmap_zero(seen_elems, 256);
 288
 289	switch (params->type) {
 290	/* we don't need to parse assoc request, luckily (it's value 0) */
 291	case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ASSOC_REQ:
 292	case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_REASSOC_REQ:
 293	default:
 294		WARN(1, "invalid frame type 0x%x for element parsing\n",
 295		     params->type);
 296		break;
 297	case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ASSOC_RESP:
 298	case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_REASSOC_RESP:
 299	case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_PROBE_REQ:
 300	case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_PROBE_RESP:
 301	case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_BEACON:
 302	case IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION:
 303	case IEEE80211_FTYPE_EXT | IEEE80211_STYPE_S1G_BEACON:
 304		break;
 305	}
 306
 307	for_each_element(elem, params->start, params->len) {
 308		const struct element *subelem;
 309		u8 elem_parse_failed;
 310		u8 id = elem->id;
 311		u8 elen = elem->datalen;
 312		const u8 *pos = elem->data;
 313
 314		if (check_inherit &&
 315		    !cfg80211_is_element_inherited(elem,
 316						   check_inherit))
 317			continue;
 318
 319		switch (id) {
 320		case WLAN_EID_SSID:
 321		case WLAN_EID_SUPP_RATES:
 322		case WLAN_EID_FH_PARAMS:
 323		case WLAN_EID_DS_PARAMS:
 324		case WLAN_EID_CF_PARAMS:
 325		case WLAN_EID_TIM:
 326		case WLAN_EID_IBSS_PARAMS:
 327		case WLAN_EID_CHALLENGE:
 328		case WLAN_EID_RSN:
 329		case WLAN_EID_ERP_INFO:
 330		case WLAN_EID_EXT_SUPP_RATES:
 331		case WLAN_EID_HT_CAPABILITY:
 332		case WLAN_EID_HT_OPERATION:
 333		case WLAN_EID_VHT_CAPABILITY:
 334		case WLAN_EID_VHT_OPERATION:
 335		case WLAN_EID_MESH_ID:
 336		case WLAN_EID_MESH_CONFIG:
 337		case WLAN_EID_PEER_MGMT:
 338		case WLAN_EID_PREQ:
 339		case WLAN_EID_PREP:
 340		case WLAN_EID_PERR:
 341		case WLAN_EID_RANN:
 342		case WLAN_EID_CHANNEL_SWITCH:
 343		case WLAN_EID_EXT_CHANSWITCH_ANN:
 344		case WLAN_EID_COUNTRY:
 345		case WLAN_EID_PWR_CONSTRAINT:
 346		case WLAN_EID_TIMEOUT_INTERVAL:
 347		case WLAN_EID_SECONDARY_CHANNEL_OFFSET:
 348		case WLAN_EID_WIDE_BW_CHANNEL_SWITCH:
 349		case WLAN_EID_CHAN_SWITCH_PARAM:
 350		case WLAN_EID_EXT_CAPABILITY:
 351		case WLAN_EID_CHAN_SWITCH_TIMING:
 352		case WLAN_EID_LINK_ID:
 353		case WLAN_EID_BSS_MAX_IDLE_PERIOD:
 354		case WLAN_EID_RSNX:
 355		case WLAN_EID_S1G_BCN_COMPAT:
 356		case WLAN_EID_S1G_CAPABILITIES:
 357		case WLAN_EID_S1G_OPERATION:
 358		case WLAN_EID_AID_RESPONSE:
 359		case WLAN_EID_S1G_SHORT_BCN_INTERVAL:
 360		/*
 361		 * not listing WLAN_EID_CHANNEL_SWITCH_WRAPPER -- it seems possible
 362		 * that if the content gets bigger it might be needed more than once
 363		 */
 364			if (test_bit(id, seen_elems)) {
 365				elems->parse_error |=
 366					IEEE80211_PARSE_ERR_DUP_ELEM;
 367				continue;
 368			}
 369			break;
 370		}
 371
 372		if (calc_crc && id < 64 && (params->filter & (1ULL << id)))
 373			crc = crc32_be(crc, pos - 2, elen + 2);
 374
 375		elem_parse_failed = 0;
 376
 377		switch (id) {
 378		case WLAN_EID_LINK_ID:
 379			if (elen + 2 < sizeof(struct ieee80211_tdls_lnkie)) {
 380				elem_parse_failed =
 381					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 382				break;
 383			}
 384			elems->lnk_id = (void *)(pos - 2);
 385			break;
 386		case WLAN_EID_CHAN_SWITCH_TIMING:
 387			if (elen < sizeof(struct ieee80211_ch_switch_timing)) {
 388				elem_parse_failed =
 389					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 390				break;
 391			}
 392			elems->ch_sw_timing = (void *)pos;
 393			break;
 394		case WLAN_EID_EXT_CAPABILITY:
 395			elems->ext_capab = pos;
 396			elems->ext_capab_len = elen;
 397			break;
 398		case WLAN_EID_SSID:
 399			elems->ssid = pos;
 400			elems->ssid_len = elen;
 401			break;
 402		case WLAN_EID_SUPP_RATES:
 403			elems->supp_rates = pos;
 404			elems->supp_rates_len = elen;
 405			break;
 406		case WLAN_EID_DS_PARAMS:
 407			if (elen >= 1)
 408				elems->ds_params = pos;
 409			else
 410				elem_parse_failed =
 411					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 412			break;
 413		case WLAN_EID_TIM:
 414			if (elen >= sizeof(struct ieee80211_tim_ie)) {
 415				elems->tim = (void *)pos;
 416				elems->tim_len = elen;
 417			} else
 418				elem_parse_failed =
 419					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 420			break;
 421		case WLAN_EID_VENDOR_SPECIFIC:
 422			if (elems_parse->skip_vendor)
 423				break;
 424
 425			if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 &&
 426			    pos[2] == 0xf2) {
 427				/* Microsoft OUI (00:50:F2) */
 428
 429				if (calc_crc)
 430					crc = crc32_be(crc, pos - 2, elen + 2);
 431
 432				if (elen >= 5 && pos[3] == 2) {
 433					/* OUI Type 2 - WMM IE */
 434					if (pos[4] == 0) {
 435						elems->wmm_info = pos;
 436						elems->wmm_info_len = elen;
 437					} else if (pos[4] == 1) {
 438						elems->wmm_param = pos;
 439						elems->wmm_param_len = elen;
 440					}
 441				}
 442			}
 443			break;
 444		case WLAN_EID_RSN:
 445			elems->rsn = pos;
 446			elems->rsn_len = elen;
 447			break;
 448		case WLAN_EID_ERP_INFO:
 449			if (elen >= 1)
 450				elems->erp_info = pos;
 451			else
 452				elem_parse_failed =
 453					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 454			break;
 455		case WLAN_EID_EXT_SUPP_RATES:
 456			elems->ext_supp_rates = pos;
 457			elems->ext_supp_rates_len = elen;
 458			break;
 459		case WLAN_EID_HT_CAPABILITY:
 460			if (params->mode < IEEE80211_CONN_MODE_HT)
 461				break;
 462			if (elen >= sizeof(struct ieee80211_ht_cap))
 463				elems->ht_cap_elem = (void *)pos;
 464			else
 465				elem_parse_failed =
 466					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 467			break;
 468		case WLAN_EID_HT_OPERATION:
 469			if (params->mode < IEEE80211_CONN_MODE_HT)
 470				break;
 471			if (elen >= sizeof(struct ieee80211_ht_operation))
 472				elems->ht_operation = (void *)pos;
 473			else
 474				elem_parse_failed =
 475					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 476			break;
 477		case WLAN_EID_VHT_CAPABILITY:
 478			if (params->mode < IEEE80211_CONN_MODE_VHT)
 479				break;
 480			if (elen >= sizeof(struct ieee80211_vht_cap))
 481				elems->vht_cap_elem = (void *)pos;
 482			else
 483				elem_parse_failed =
 484					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 485			break;
 486		case WLAN_EID_VHT_OPERATION:
 487			if (params->mode < IEEE80211_CONN_MODE_VHT)
 488				break;
 489			if (elen >= sizeof(struct ieee80211_vht_operation)) {
 490				elems->vht_operation = (void *)pos;
 491				if (calc_crc)
 492					crc = crc32_be(crc, pos - 2, elen + 2);
 493				break;
 494			}
 495			elem_parse_failed =
 496				IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 497			break;
 498		case WLAN_EID_OPMODE_NOTIF:
 499			if (params->mode < IEEE80211_CONN_MODE_VHT)
 500				break;
 501			if (elen > 0) {
 502				elems->opmode_notif = pos;
 503				if (calc_crc)
 504					crc = crc32_be(crc, pos - 2, elen + 2);
 505				break;
 506			}
 507			elem_parse_failed =
 508				IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 509			break;
 510		case WLAN_EID_MESH_ID:
 511			elems->mesh_id = pos;
 512			elems->mesh_id_len = elen;
 513			break;
 514		case WLAN_EID_MESH_CONFIG:
 515			if (elen >= sizeof(struct ieee80211_meshconf_ie))
 516				elems->mesh_config = (void *)pos;
 517			else
 518				elem_parse_failed =
 519					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 520			break;
 521		case WLAN_EID_PEER_MGMT:
 522			elems->peering = pos;
 523			elems->peering_len = elen;
 524			break;
 525		case WLAN_EID_MESH_AWAKE_WINDOW:
 526			if (elen >= 2)
 527				elems->awake_window = (void *)pos;
 528			break;
 529		case WLAN_EID_PREQ:
 530			elems->preq = pos;
 531			elems->preq_len = elen;
 532			break;
 533		case WLAN_EID_PREP:
 534			elems->prep = pos;
 535			elems->prep_len = elen;
 536			break;
 537		case WLAN_EID_PERR:
 538			elems->perr = pos;
 539			elems->perr_len = elen;
 540			break;
 541		case WLAN_EID_RANN:
 542			if (elen >= sizeof(struct ieee80211_rann_ie))
 543				elems->rann = (void *)pos;
 544			else
 545				elem_parse_failed =
 546					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 547			break;
 548		case WLAN_EID_CHANNEL_SWITCH:
 549			if (elen != sizeof(struct ieee80211_channel_sw_ie)) {
 550				elem_parse_failed =
 551					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 552				break;
 553			}
 554			elems->ch_switch_ie = (void *)pos;
 555			break;
 556		case WLAN_EID_EXT_CHANSWITCH_ANN:
 557			if (elen != sizeof(struct ieee80211_ext_chansw_ie)) {
 558				elem_parse_failed =
 559					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 560				break;
 561			}
 562			elems->ext_chansw_ie = (void *)pos;
 563			break;
 564		case WLAN_EID_SECONDARY_CHANNEL_OFFSET:
 565			if (params->mode < IEEE80211_CONN_MODE_HT)
 566				break;
 567			if (elen != sizeof(struct ieee80211_sec_chan_offs_ie)) {
 568				elem_parse_failed =
 569					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 570				break;
 571			}
 572			elems->sec_chan_offs = (void *)pos;
 573			break;
 574		case WLAN_EID_CHAN_SWITCH_PARAM:
 575			if (elen <
 576			    sizeof(*elems->mesh_chansw_params_ie)) {
 577				elem_parse_failed =
 578					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 579				break;
 580			}
 581			elems->mesh_chansw_params_ie = (void *)pos;
 582			break;
 583		case WLAN_EID_WIDE_BW_CHANNEL_SWITCH:
 584			if (params->mode < IEEE80211_CONN_MODE_VHT)
 585				break;
 586
 587			if (params->type != (IEEE80211_FTYPE_MGMT |
 588					     IEEE80211_STYPE_ACTION)) {
 589				elem_parse_failed =
 590					IEEE80211_PARSE_ERR_UNEXPECTED_ELEM;
 591				break;
 592			}
 593
 594			if (elen < sizeof(*elems->wide_bw_chansw_ie)) {
 595				elem_parse_failed =
 596					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 597				break;
 598			}
 599			elems->wide_bw_chansw_ie = (void *)pos;
 600			break;
 601		case WLAN_EID_CHANNEL_SWITCH_WRAPPER:
 602			if (params->mode < IEEE80211_CONN_MODE_VHT)
 603				break;
 604			if (params->type == (IEEE80211_FTYPE_MGMT |
 605					     IEEE80211_STYPE_ACTION)) {
 606				elem_parse_failed =
 607					IEEE80211_PARSE_ERR_UNEXPECTED_ELEM;
 608				break;
 609			}
 610			/*
 611			 * This is a bit tricky, but as we only care about
 612			 * a few elements, parse them out manually.
 613			 */
 614			subelem = cfg80211_find_elem(WLAN_EID_WIDE_BW_CHANNEL_SWITCH,
 615						     pos, elen);
 616			if (subelem) {
 617				if (subelem->datalen >= sizeof(*elems->wide_bw_chansw_ie))
 618					elems->wide_bw_chansw_ie =
 619						(void *)subelem->data;
 620				else
 621					elem_parse_failed =
 622						IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 623			}
 624
 625			if (params->mode < IEEE80211_CONN_MODE_EHT)
 626				break;
 627
 628			subelem = cfg80211_find_ext_elem(WLAN_EID_EXT_BANDWIDTH_INDICATION,
 629							 pos, elen);
 630			if (subelem) {
 631				const void *edata = subelem->data + 1;
 632				u8 edatalen = subelem->datalen - 1;
 633
 634				if (ieee80211_bandwidth_indication_size_ok(edata,
 635									   edatalen))
 636					elems->bandwidth_indication = edata;
 637				else
 638					elem_parse_failed =
 639						IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 640			}
 641
 642			subelem = cfg80211_find_ext_elem(WLAN_EID_TX_POWER_ENVELOPE,
 643							 pos, elen);
 644			if (subelem)
 645				ieee80211_parse_tpe(&elems->csa_tpe,
 646						    subelem->data + 1,
 647						    subelem->datalen - 1);
 648			break;
 649		case WLAN_EID_COUNTRY:
 650			elems->country_elem = pos;
 651			elems->country_elem_len = elen;
 652			break;
 653		case WLAN_EID_PWR_CONSTRAINT:
 654			if (elen != 1) {
 655				elem_parse_failed =
 656					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 657				break;
 658			}
 659			elems->pwr_constr_elem = pos;
 660			break;
 661		case WLAN_EID_CISCO_VENDOR_SPECIFIC:
 662			/* Lots of different options exist, but we only care
 663			 * about the Dynamic Transmit Power Control element.
 664			 * First check for the Cisco OUI, then for the DTPC
 665			 * tag (0x00).
 666			 */
 667			if (elen < 4) {
 668				elem_parse_failed =
 669					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 670				break;
 671			}
 672
 673			if (pos[0] != 0x00 || pos[1] != 0x40 ||
 674			    pos[2] != 0x96 || pos[3] != 0x00)
 675				break;
 676
 677			if (elen != 6) {
 678				elem_parse_failed =
 679					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 680				break;
 681			}
 682
 683			if (calc_crc)
 684				crc = crc32_be(crc, pos - 2, elen + 2);
 685
 686			elems->cisco_dtpc_elem = pos;
 687			break;
 688		case WLAN_EID_ADDBA_EXT:
 689			if (elen < sizeof(struct ieee80211_addba_ext_ie)) {
 690				elem_parse_failed =
 691					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 692				break;
 693			}
 694			elems->addba_ext_ie = (void *)pos;
 695			break;
 696		case WLAN_EID_TIMEOUT_INTERVAL:
 697			if (elen >= sizeof(struct ieee80211_timeout_interval_ie))
 698				elems->timeout_int = (void *)pos;
 699			else
 700				elem_parse_failed =
 701					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 702			break;
 703		case WLAN_EID_BSS_MAX_IDLE_PERIOD:
 704			if (elen >= sizeof(*elems->max_idle_period_ie))
 705				elems->max_idle_period_ie = (void *)pos;
 706			break;
 707		case WLAN_EID_RSNX:
 708			elems->rsnx = pos;
 709			elems->rsnx_len = elen;
 710			break;
 711		case WLAN_EID_TX_POWER_ENVELOPE:
 712			if (params->mode < IEEE80211_CONN_MODE_HE)
 713				break;
 714			ieee80211_parse_tpe(&elems->tpe, pos, elen);
 715			break;
 716		case WLAN_EID_EXTENSION:
 717			ieee80211_parse_extension_element(calc_crc ?
 718								&crc : NULL,
 719							  elem, elems_parse,
 720							  params);
 721			break;
 722		case WLAN_EID_S1G_CAPABILITIES:
 723			if (params->mode != IEEE80211_CONN_MODE_S1G)
 724				break;
 725			if (elen >= sizeof(*elems->s1g_capab))
 726				elems->s1g_capab = (void *)pos;
 727			else
 728				elem_parse_failed =
 729					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 730			break;
 731		case WLAN_EID_S1G_OPERATION:
 732			if (params->mode != IEEE80211_CONN_MODE_S1G)
 733				break;
 734			if (elen == sizeof(*elems->s1g_oper))
 735				elems->s1g_oper = (void *)pos;
 736			else
 737				elem_parse_failed =
 738					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 739			break;
 740		case WLAN_EID_S1G_BCN_COMPAT:
 741			if (params->mode != IEEE80211_CONN_MODE_S1G)
 742				break;
 743			if (elen == sizeof(*elems->s1g_bcn_compat))
 744				elems->s1g_bcn_compat = (void *)pos;
 745			else
 746				elem_parse_failed =
 747					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 748			break;
 749		case WLAN_EID_AID_RESPONSE:
 750			if (params->mode != IEEE80211_CONN_MODE_S1G)
 751				break;
 752			if (elen == sizeof(struct ieee80211_aid_response_ie))
 753				elems->aid_resp = (void *)pos;
 754			else
 755				elem_parse_failed =
 756					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 757			break;
 758		default:
 759			break;
 760		}
 761
 762		if (elem_parse_failed)
 763			elems->parse_error |= elem_parse_failed;
 764		else
 765			__set_bit(id, seen_elems);
 766	}
 767
 768	if (!for_each_element_completed(elem, params->start, params->len))
 769		elems->parse_error |= IEEE80211_PARSE_ERR_INVALID_END;
 770
 771	return crc;
 772}
 773
 774static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
 775					    struct ieee802_11_elems *elems,
 776					    struct cfg80211_bss *bss,
 777					    u8 *nontransmitted_profile)
 778{
 779	const struct element *elem, *sub;
 780	size_t profile_len = 0;
 781
 782	if (!bss || !bss->transmitted_bss)
 783		return profile_len;
 784
 785	for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
 786		if (elem->datalen < 2)
 787			continue;
 788		if (elem->data[0] < 1 || elem->data[0] > 8)
 789			continue;
 790
 791		for_each_element(sub, elem->data + 1, elem->datalen - 1) {
 792			u8 new_bssid[ETH_ALEN];
 793			const u8 *index;
 794
 795			if (sub->id != 0 || sub->datalen < 4) {
 796				/* not a valid BSS profile */
 797				continue;
 798			}
 799
 800			if (sub->data[0] != WLAN_EID_NON_TX_BSSID_CAP ||
 801			    sub->data[1] != 2) {
 802				/* The first element of the
 803				 * Nontransmitted BSSID Profile is not
 804				 * the Nontransmitted BSSID Capability
 805				 * element.
 806				 */
 807				continue;
 808			}
 809
 810			memset(nontransmitted_profile, 0, len);
 811			profile_len = cfg80211_merge_profile(start, len,
 812							     elem,
 813							     sub,
 814							     nontransmitted_profile,
 815							     len);
 816
 817			/* found a Nontransmitted BSSID Profile */
 818			index = cfg80211_find_ie(WLAN_EID_MULTI_BSSID_IDX,
 819						 nontransmitted_profile,
 820						 profile_len);
 821			if (!index || index[1] < 1 || index[2] == 0) {
 822				/* Invalid MBSSID Index element */
 823				continue;
 824			}
 825
 826			cfg80211_gen_new_bssid(bss->transmitted_bss->bssid,
 827					       elem->data[0],
 828					       index[2],
 829					       new_bssid);
 830			if (ether_addr_equal(new_bssid, bss->bssid)) {
 831				elems->bssid_index_len = index[1];
 832				elems->bssid_index = (void *)&index[2];
 833				return profile_len;
 834			}
 835		}
 836	}
 837
 838	return 0;
 839}
 840
 841static void
 842ieee80211_mle_get_sta_prof(struct ieee80211_elems_parse *elems_parse,
 843			   u8 link_id)
 844{
 845	struct ieee802_11_elems *elems = &elems_parse->elems;
 846	const struct ieee80211_multi_link_elem *ml = elems->ml_basic;
 847	ssize_t ml_len = elems->ml_basic_len;
 848	const struct element *sub;
 849
 850	for_each_mle_subelement(sub, (u8 *)ml, ml_len) {
 851		struct ieee80211_mle_per_sta_profile *prof = (void *)sub->data;
 852		ssize_t sta_prof_len;
 853		u16 control;
 854
 855		if (sub->id != IEEE80211_MLE_SUBELEM_PER_STA_PROFILE)
 856			continue;
 857
 858		if (!ieee80211_mle_basic_sta_prof_size_ok(sub->data,
 859							  sub->datalen))
 860			return;
 861
 862		control = le16_to_cpu(prof->control);
 863
 864		if (link_id != u16_get_bits(control,
 865					    IEEE80211_MLE_STA_CONTROL_LINK_ID))
 866			continue;
 867
 868		if (!(control & IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE))
 869			return;
 870
 871		/* the sub element can be fragmented */
 872		sta_prof_len =
 873			cfg80211_defragment_element(sub,
 874						    (u8 *)ml, ml_len,
 875						    elems_parse->scratch_pos,
 876						    elems_parse->scratch +
 877							elems_parse->scratch_len -
 878							elems_parse->scratch_pos,
 879						    IEEE80211_MLE_SUBELEM_FRAGMENT);
 880
 881		if (sta_prof_len < 0)
 882			return;
 883
 884		elems->prof = (void *)elems_parse->scratch_pos;
 885		elems->sta_prof_len = sta_prof_len;
 886		elems_parse->scratch_pos += sta_prof_len;
 887
 888		return;
 889	}
 890}
 891
 892static const struct element *
 893ieee80211_prep_mle_link_parse(struct ieee80211_elems_parse *elems_parse,
 894			      struct ieee80211_elems_parse_params *params,
 895			      struct ieee80211_elems_parse_params *sub)
 896{
 897	struct ieee802_11_elems *elems = &elems_parse->elems;
 898	struct ieee80211_mle_per_sta_profile *prof;
 899	const struct element *tmp;
 900	ssize_t ml_len;
 901	const u8 *end;
 902
 903	if (params->mode < IEEE80211_CONN_MODE_EHT)
 904		return NULL;
 905
 906	for_each_element_extid(tmp, WLAN_EID_EXT_EHT_MULTI_LINK,
 907			       elems->ie_start, elems->total_len) {
 908		const struct ieee80211_multi_link_elem *mle =
 909			(void *)tmp->data + 1;
 910
 911		if (!ieee80211_mle_size_ok(tmp->data + 1, tmp->datalen - 1))
 912			continue;
 913
 914		if (le16_get_bits(mle->control, IEEE80211_ML_CONTROL_TYPE) !=
 915		    IEEE80211_ML_CONTROL_TYPE_BASIC)
 916			continue;
 917
 918		elems_parse->ml_basic_elem = tmp;
 919		break;
 920	}
 921
 922	ml_len = cfg80211_defragment_element(elems_parse->ml_basic_elem,
 923					     elems->ie_start,
 924					     elems->total_len,
 925					     elems_parse->scratch_pos,
 926					     elems_parse->scratch +
 927						elems_parse->scratch_len -
 928						elems_parse->scratch_pos,
 929					     WLAN_EID_FRAGMENT);
 930
 931	if (ml_len < 0)
 932		return NULL;
 933
 934	elems->ml_basic = (const void *)elems_parse->scratch_pos;
 935	elems->ml_basic_len = ml_len;
 936	elems_parse->scratch_pos += ml_len;
 937
 938	if (params->link_id == -1)
 939		return NULL;
 940
 941	ieee80211_mle_get_sta_prof(elems_parse, params->link_id);
 942	prof = elems->prof;
 943
 944	if (!prof)
 945		return NULL;
 946
 947	/* check if we have the 4 bytes for the fixed part in assoc response */
 948	if (elems->sta_prof_len < sizeof(*prof) + prof->sta_info_len - 1 + 4) {
 949		elems->prof = NULL;
 950		elems->sta_prof_len = 0;
 951		return NULL;
 952	}
 953
 954	/*
 955	 * Skip the capability information and the status code that are expected
 956	 * as part of the station profile in association response frames. Note
 957	 * the -1 is because the 'sta_info_len' is accounted to as part of the
 958	 * per-STA profile, but not part of the 'u8 variable[]' portion.
 959	 */
 960	sub->start = prof->variable + prof->sta_info_len - 1 + 4;
 961	end = (const u8 *)prof + elems->sta_prof_len;
 962	sub->len = end - sub->start;
 963
 964	sub->mode = params->mode;
 965	sub->type = params->type;
 966	sub->from_ap = params->from_ap;
 967	sub->link_id = -1;
 968
 969	return cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
 970				      sub->start, sub->len);
 971}
 972
 973static void
 974ieee80211_mle_defrag_reconf(struct ieee80211_elems_parse *elems_parse)
 975{
 976	struct ieee802_11_elems *elems = &elems_parse->elems;
 977	ssize_t ml_len;
 978
 979	ml_len = cfg80211_defragment_element(elems_parse->ml_reconf_elem,
 980					     elems->ie_start,
 981					     elems->total_len,
 982					     elems_parse->scratch_pos,
 983					     elems_parse->scratch +
 984						elems_parse->scratch_len -
 985						elems_parse->scratch_pos,
 986					     WLAN_EID_FRAGMENT);
 987	if (ml_len < 0)
 988		return;
 989	elems->ml_reconf = (void *)elems_parse->scratch_pos;
 990	elems->ml_reconf_len = ml_len;
 991	elems_parse->scratch_pos += ml_len;
 992}
 993
 994static void
 995ieee80211_mle_defrag_epcs(struct ieee80211_elems_parse *elems_parse)
 996{
 997	struct ieee802_11_elems *elems = &elems_parse->elems;
 998	ssize_t ml_len;
 999
1000	ml_len = cfg80211_defragment_element(elems_parse->ml_epcs_elem,
1001					     elems->ie_start,
1002					     elems->total_len,
1003					     elems_parse->scratch_pos,
1004					     elems_parse->scratch +
1005						elems_parse->scratch_len -
1006						elems_parse->scratch_pos,
1007					     WLAN_EID_FRAGMENT);
1008	if (ml_len < 0)
1009		return;
1010	elems->ml_epcs = (void *)elems_parse->scratch_pos;
1011	elems->ml_epcs_len = ml_len;
1012	elems_parse->scratch_pos += ml_len;
1013}
1014
1015struct ieee802_11_elems *
1016ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params)
1017{
1018	struct ieee80211_elems_parse_params sub = {};
1019	struct ieee80211_elems_parse *elems_parse;
1020	const struct element *non_inherit = NULL;
1021	struct ieee802_11_elems *elems;
1022	size_t scratch_len = 3 * params->len;
1023	bool multi_link_inner = false;
1024
1025	BUILD_BUG_ON(offsetof(typeof(*elems_parse), elems) != 0);
1026
1027	/* cannot parse for both a specific link and non-transmitted BSS */
1028	if (WARN_ON(params->link_id >= 0 && params->bss))
1029		return NULL;
1030
1031	elems_parse = kzalloc(struct_size(elems_parse, scratch, scratch_len),
1032			      GFP_ATOMIC);
1033	if (!elems_parse)
1034		return NULL;
1035
1036	elems_parse->scratch_len = scratch_len;
1037	elems_parse->scratch_pos = elems_parse->scratch;
1038
1039	elems = &elems_parse->elems;
1040	elems->ie_start = params->start;
1041	elems->total_len = params->len;
1042
1043	/* set all TPE entries to unlimited (but invalid) */
1044	ieee80211_clear_tpe(&elems->tpe);
1045	ieee80211_clear_tpe(&elems->csa_tpe);
1046
1047	/*
1048	 * If we're looking for a non-transmitted BSS then we cannot at
1049	 * the same time be looking for a second link as the two can only
1050	 * appear in the same frame carrying info for different BSSes.
1051	 *
1052	 * In any case, we only look for one at a time, as encoded by
1053	 * the WARN_ON above.
1054	 */
1055	if (params->bss) {
1056		int nontx_len =
1057			ieee802_11_find_bssid_profile(params->start,
1058						      params->len,
1059						      elems, params->bss,
1060						      elems_parse->scratch_pos);
1061		sub.start = elems_parse->scratch_pos;
1062		sub.mode = params->mode;
1063		sub.len = nontx_len;
1064		sub.type = params->type;
1065		sub.link_id = params->link_id;
1066
1067		/* consume the space used for non-transmitted profile */
1068		elems_parse->scratch_pos += nontx_len;
1069
1070		non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
1071						     sub.start, nontx_len);
1072	} else {
1073		/* must always parse to get elems_parse->ml_basic_elem */
1074		non_inherit = ieee80211_prep_mle_link_parse(elems_parse, params,
1075							    &sub);
1076		multi_link_inner = true;
1077	}
1078
1079	elems_parse->skip_vendor =
1080		cfg80211_find_elem(WLAN_EID_VENDOR_SPECIFIC,
1081				   sub.start, sub.len);
1082	elems->crc = _ieee802_11_parse_elems_full(params, elems_parse,
1083						  non_inherit);
1084
1085	/* Override with nontransmitted/per-STA profile if found */
1086	if (sub.len) {
1087		elems_parse->multi_link_inner = multi_link_inner;
1088		elems_parse->skip_vendor = false;
1089		_ieee802_11_parse_elems_full(&sub, elems_parse, NULL);
1090	}
1091
1092	ieee80211_mle_defrag_reconf(elems_parse);
1093
1094	ieee80211_mle_defrag_epcs(elems_parse);
1095
1096	if (elems->tim && !elems->parse_error) {
1097		const struct ieee80211_tim_ie *tim_ie = elems->tim;
1098
1099		elems->dtim_period = tim_ie->dtim_period;
1100		elems->dtim_count = tim_ie->dtim_count;
1101	}
1102
1103	/* Override DTIM period and count if needed */
1104	if (elems->bssid_index &&
1105	    elems->bssid_index_len >=
1106	    offsetofend(struct ieee80211_bssid_index, dtim_period))
1107		elems->dtim_period = elems->bssid_index->dtim_period;
1108
1109	if (elems->bssid_index &&
1110	    elems->bssid_index_len >=
1111	    offsetofend(struct ieee80211_bssid_index, dtim_count))
1112		elems->dtim_count = elems->bssid_index->dtim_count;
1113
1114	return elems;
1115}
1116EXPORT_SYMBOL_IF_KUNIT(ieee802_11_parse_elems_full);
1117
1118int ieee80211_parse_bitrates(enum nl80211_chan_width width,
1119			     const struct ieee80211_supported_band *sband,
1120			     const u8 *srates, int srates_len, u32 *rates)
1121{
1122	struct ieee80211_rate *br;
1123	int brate, rate, i, j, count = 0;
1124
1125	*rates = 0;
1126
1127	for (i = 0; i < srates_len; i++) {
1128		rate = srates[i] & 0x7f;
1129
1130		for (j = 0; j < sband->n_bitrates; j++) {
1131			br = &sband->bitrates[j];
1132
1133			brate = DIV_ROUND_UP(br->bitrate, 5);
1134			if (brate == rate) {
1135				*rates |= BIT(j);
1136				count++;
1137				break;
1138			}
1139		}
1140	}
1141	return count;
1142}