net/mac80211/parse.c at v6.14-rc2

tjh.dev / kernel
fork atom
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / net / mac80211 / parse.c
at v6.14-rc2 1082 lines 29 kB view raw
wrap content
   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 * Copyright 2002-2005, Instant802 Networks, Inc.
   4 * Copyright 2005-2006, Devicescape Software, Inc.
   5 * Copyright 2006-2007	Jiri Benc <jbenc@suse.cz>
   6 * Copyright 2007	Johannes Berg <johannes@sipsolutions.net>
   7 * Copyright 2013-2014  Intel Mobile Communications GmbH
   8 * Copyright (C) 2015-2017	Intel Deutschland GmbH
   9 * Copyright (C) 2018-2024 Intel Corporation
  10 *
  11 * element parsing for mac80211
  12 */
  13
  14#include <net/mac80211.h>
  15#include <linux/netdevice.h>
  16#include <linux/export.h>
  17#include <linux/types.h>
  18#include <linux/slab.h>
  19#include <linux/skbuff.h>
  20#include <linux/etherdevice.h>
  21#include <linux/if_arp.h>
  22#include <linux/bitmap.h>
  23#include <linux/crc32.h>
  24#include <net/net_namespace.h>
  25#include <net/cfg80211.h>
  26#include <net/rtnetlink.h>
  27#include <kunit/visibility.h>
  28
  29#include "ieee80211_i.h"
  30#include "driver-ops.h"
  31#include "rate.h"
  32#include "mesh.h"
  33#include "wme.h"
  34#include "led.h"
  35#include "wep.h"
  36
  37struct ieee80211_elems_parse {
  38	/* must be first for kfree to work */
  39	struct ieee802_11_elems elems;
  40
  41	/* The basic Multi-Link element in the original elements */
  42	const struct element *ml_basic_elem;
  43
  44	/* The reconfiguration Multi-Link element in the original elements */
  45	const struct element *ml_reconf_elem;
  46
  47	/* The EPCS Multi-Link element in the original elements */
  48	const struct element *ml_epcs_elem;
  49
  50	/*
  51	 * scratch buffer that can be used for various element parsing related
  52	 * tasks, e.g., element de-fragmentation etc.
  53	 */
  54	size_t scratch_len;
  55	u8 *scratch_pos;
  56	u8 scratch[] __counted_by(scratch_len);
  57};
  58
  59static void
  60ieee80211_parse_extension_element(u32 *crc,
  61				  const struct element *elem,
  62				  struct ieee80211_elems_parse *elems_parse,
  63				  struct ieee80211_elems_parse_params *params)
  64{
  65	struct ieee802_11_elems *elems = &elems_parse->elems;
  66	const void *data = elem->data + 1;
  67	bool calc_crc = false;
  68	u8 len;
  69
  70	if (!elem->datalen)
  71		return;
  72
  73	len = elem->datalen - 1;
  74
  75	switch (elem->data[0]) {
  76	case WLAN_EID_EXT_HE_MU_EDCA:
  77		if (params->mode < IEEE80211_CONN_MODE_HE)
  78			break;
  79		calc_crc = true;
  80		if (len >= sizeof(*elems->mu_edca_param_set))
  81			elems->mu_edca_param_set = data;
  82		break;
  83	case WLAN_EID_EXT_HE_CAPABILITY:
  84		if (params->mode < IEEE80211_CONN_MODE_HE)
  85			break;
  86		if (ieee80211_he_capa_size_ok(data, len)) {
  87			elems->he_cap = data;
  88			elems->he_cap_len = len;
  89		}
  90		break;
  91	case WLAN_EID_EXT_HE_OPERATION:
  92		if (params->mode < IEEE80211_CONN_MODE_HE)
  93			break;
  94		calc_crc = true;
  95		if (len >= sizeof(*elems->he_operation) &&
  96		    len >= ieee80211_he_oper_size(data) - 1)
  97			elems->he_operation = data;
  98		break;
  99	case WLAN_EID_EXT_UORA:
 100		if (params->mode < IEEE80211_CONN_MODE_HE)
 101			break;
 102		if (len >= 1)
 103			elems->uora_element = data;
 104		break;
 105	case WLAN_EID_EXT_MAX_CHANNEL_SWITCH_TIME:
 106		if (len == 3)
 107			elems->max_channel_switch_time = data;
 108		break;
 109	case WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION:
 110		if (len >= sizeof(*elems->mbssid_config_ie))
 111			elems->mbssid_config_ie = data;
 112		break;
 113	case WLAN_EID_EXT_HE_SPR:
 114		if (params->mode < IEEE80211_CONN_MODE_HE)
 115			break;
 116		if (len >= sizeof(*elems->he_spr) &&
 117		    len >= ieee80211_he_spr_size(data) - 1)
 118			elems->he_spr = data;
 119		break;
 120	case WLAN_EID_EXT_HE_6GHZ_CAPA:
 121		if (params->mode < IEEE80211_CONN_MODE_HE)
 122			break;
 123		if (len >= sizeof(*elems->he_6ghz_capa))
 124			elems->he_6ghz_capa = data;
 125		break;
 126	case WLAN_EID_EXT_EHT_CAPABILITY:
 127		if (params->mode < IEEE80211_CONN_MODE_EHT)
 128			break;
 129		if (ieee80211_eht_capa_size_ok(elems->he_cap,
 130					       data, len,
 131					       params->from_ap)) {
 132			elems->eht_cap = data;
 133			elems->eht_cap_len = len;
 134		}
 135		break;
 136	case WLAN_EID_EXT_EHT_OPERATION:
 137		if (params->mode < IEEE80211_CONN_MODE_EHT)
 138			break;
 139		if (ieee80211_eht_oper_size_ok(data, len))
 140			elems->eht_operation = data;
 141		calc_crc = true;
 142		break;
 143	case WLAN_EID_EXT_EHT_MULTI_LINK:
 144		if (params->mode < IEEE80211_CONN_MODE_EHT)
 145			break;
 146		calc_crc = true;
 147
 148		if (ieee80211_mle_size_ok(data, len)) {
 149			const struct ieee80211_multi_link_elem *mle =
 150				(void *)data;
 151
 152			switch (le16_get_bits(mle->control,
 153					      IEEE80211_ML_CONTROL_TYPE)) {
 154			case IEEE80211_ML_CONTROL_TYPE_BASIC:
 155				if (elems_parse->ml_basic_elem) {
 156					elems->parse_error |=
 157						IEEE80211_PARSE_ERR_DUP_NEST_ML_BASIC;
 158					break;
 159				}
 160				elems_parse->ml_basic_elem = elem;
 161				break;
 162			case IEEE80211_ML_CONTROL_TYPE_RECONF:
 163				elems_parse->ml_reconf_elem = elem;
 164				break;
 165			case IEEE80211_ML_CONTROL_TYPE_PRIO_ACCESS:
 166				elems_parse->ml_epcs_elem = elem;
 167				break;
 168			default:
 169				break;
 170			}
 171		}
 172		break;
 173	case WLAN_EID_EXT_BANDWIDTH_INDICATION:
 174		if (params->mode < IEEE80211_CONN_MODE_EHT)
 175			break;
 176		if (ieee80211_bandwidth_indication_size_ok(data, len))
 177			elems->bandwidth_indication = data;
 178		calc_crc = true;
 179		break;
 180	case WLAN_EID_EXT_TID_TO_LINK_MAPPING:
 181		if (params->mode < IEEE80211_CONN_MODE_EHT)
 182			break;
 183		calc_crc = true;
 184		if (ieee80211_tid_to_link_map_size_ok(data, len) &&
 185		    elems->ttlm_num < ARRAY_SIZE(elems->ttlm)) {
 186			elems->ttlm[elems->ttlm_num] = (void *)data;
 187			elems->ttlm_num++;
 188		}
 189		break;
 190	}
 191
 192	if (crc && calc_crc)
 193		*crc = crc32_be(*crc, (void *)elem, elem->datalen + 2);
 194}
 195
 196static void ieee80211_parse_tpe(struct ieee80211_parsed_tpe *tpe,
 197				const u8 *data, u8 len)
 198{
 199	const struct ieee80211_tx_pwr_env *env = (const void *)data;
 200	u8 count, interpret, category;
 201	u8 *out, N, *cnt_out = NULL, *N_out = NULL;
 202
 203	if (!ieee80211_valid_tpe_element(data, len))
 204		return;
 205
 206	count = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_COUNT);
 207	interpret = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_INTERPRET);
 208	category = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_CATEGORY);
 209
 210	switch (interpret) {
 211	case IEEE80211_TPE_LOCAL_EIRP:
 212		out = tpe->max_local[category].power;
 213		cnt_out = &tpe->max_local[category].count;
 214		tpe->max_local[category].valid = true;
 215		break;
 216	case IEEE80211_TPE_REG_CLIENT_EIRP:
 217		out = tpe->max_reg_client[category].power;
 218		cnt_out = &tpe->max_reg_client[category].count;
 219		tpe->max_reg_client[category].valid = true;
 220		break;
 221	case IEEE80211_TPE_LOCAL_EIRP_PSD:
 222		out = tpe->psd_local[category].power;
 223		cnt_out = &tpe->psd_local[category].count;
 224		N_out = &tpe->psd_local[category].n;
 225		tpe->psd_local[category].valid = true;
 226		break;
 227	case IEEE80211_TPE_REG_CLIENT_EIRP_PSD:
 228		out = tpe->psd_reg_client[category].power;
 229		cnt_out = &tpe->psd_reg_client[category].count;
 230		N_out = &tpe->psd_reg_client[category].n;
 231		tpe->psd_reg_client[category].valid = true;
 232		break;
 233	}
 234
 235	switch (interpret) {
 236	case IEEE80211_TPE_LOCAL_EIRP:
 237	case IEEE80211_TPE_REG_CLIENT_EIRP:
 238		/* count was validated <= 3, plus 320 MHz */
 239		BUILD_BUG_ON(IEEE80211_TPE_EIRP_ENTRIES_320MHZ < 5);
 240		memcpy(out, env->variable, count + 1);
 241		*cnt_out = count + 1;
 242		/* separately take 320 MHz if present */
 243		if (count == 3 && len > sizeof(*env) + count + 1) {
 244			out[4] = env->variable[4];
 245			*cnt_out = 5;
 246		}
 247		break;
 248	case IEEE80211_TPE_LOCAL_EIRP_PSD:
 249	case IEEE80211_TPE_REG_CLIENT_EIRP_PSD:
 250		if (!count) {
 251			memset(out, env->variable[0],
 252			       IEEE80211_TPE_PSD_ENTRIES_320MHZ);
 253			*cnt_out = IEEE80211_TPE_PSD_ENTRIES_320MHZ;
 254			break;
 255		}
 256
 257		N = 1 << (count - 1);
 258		memcpy(out, env->variable, N);
 259		*cnt_out = N;
 260		*N_out = N;
 261
 262		if (len > sizeof(*env) + N) {
 263			int K = u8_get_bits(env->variable[N],
 264					    IEEE80211_TX_PWR_ENV_EXT_COUNT);
 265
 266			K = min(K, IEEE80211_TPE_PSD_ENTRIES_320MHZ - N);
 267			memcpy(out + N, env->variable + N + 1, K);
 268			(*cnt_out) += K;
 269		}
 270		break;
 271	}
 272}
 273
 274static u32
 275_ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params,
 276			     struct ieee80211_elems_parse *elems_parse,
 277			     const struct element *check_inherit)
 278{
 279	struct ieee802_11_elems *elems = &elems_parse->elems;
 280	const struct element *elem;
 281	bool calc_crc = params->filter != 0;
 282	DECLARE_BITMAP(seen_elems, 256);
 283	u32 crc = params->crc;
 284
 285	bitmap_zero(seen_elems, 256);
 286
 287	for_each_element(elem, params->start, params->len) {
 288		const struct element *subelem;
 289		u8 elem_parse_failed;
 290		u8 id = elem->id;
 291		u8 elen = elem->datalen;
 292		const u8 *pos = elem->data;
 293
 294		if (check_inherit &&
 295		    !cfg80211_is_element_inherited(elem,
 296						   check_inherit))
 297			continue;
 298
 299		switch (id) {
 300		case WLAN_EID_SSID:
 301		case WLAN_EID_SUPP_RATES:
 302		case WLAN_EID_FH_PARAMS:
 303		case WLAN_EID_DS_PARAMS:
 304		case WLAN_EID_CF_PARAMS:
 305		case WLAN_EID_TIM:
 306		case WLAN_EID_IBSS_PARAMS:
 307		case WLAN_EID_CHALLENGE:
 308		case WLAN_EID_RSN:
 309		case WLAN_EID_ERP_INFO:
 310		case WLAN_EID_EXT_SUPP_RATES:
 311		case WLAN_EID_HT_CAPABILITY:
 312		case WLAN_EID_HT_OPERATION:
 313		case WLAN_EID_VHT_CAPABILITY:
 314		case WLAN_EID_VHT_OPERATION:
 315		case WLAN_EID_MESH_ID:
 316		case WLAN_EID_MESH_CONFIG:
 317		case WLAN_EID_PEER_MGMT:
 318		case WLAN_EID_PREQ:
 319		case WLAN_EID_PREP:
 320		case WLAN_EID_PERR:
 321		case WLAN_EID_RANN:
 322		case WLAN_EID_CHANNEL_SWITCH:
 323		case WLAN_EID_EXT_CHANSWITCH_ANN:
 324		case WLAN_EID_COUNTRY:
 325		case WLAN_EID_PWR_CONSTRAINT:
 326		case WLAN_EID_TIMEOUT_INTERVAL:
 327		case WLAN_EID_SECONDARY_CHANNEL_OFFSET:
 328		case WLAN_EID_WIDE_BW_CHANNEL_SWITCH:
 329		case WLAN_EID_CHAN_SWITCH_PARAM:
 330		case WLAN_EID_EXT_CAPABILITY:
 331		case WLAN_EID_CHAN_SWITCH_TIMING:
 332		case WLAN_EID_LINK_ID:
 333		case WLAN_EID_BSS_MAX_IDLE_PERIOD:
 334		case WLAN_EID_RSNX:
 335		case WLAN_EID_S1G_BCN_COMPAT:
 336		case WLAN_EID_S1G_CAPABILITIES:
 337		case WLAN_EID_S1G_OPERATION:
 338		case WLAN_EID_AID_RESPONSE:
 339		case WLAN_EID_S1G_SHORT_BCN_INTERVAL:
 340		/*
 341		 * not listing WLAN_EID_CHANNEL_SWITCH_WRAPPER -- it seems possible
 342		 * that if the content gets bigger it might be needed more than once
 343		 */
 344			if (test_bit(id, seen_elems)) {
 345				elems->parse_error |=
 346					IEEE80211_PARSE_ERR_DUP_ELEM;
 347				continue;
 348			}
 349			break;
 350		}
 351
 352		if (calc_crc && id < 64 && (params->filter & (1ULL << id)))
 353			crc = crc32_be(crc, pos - 2, elen + 2);
 354
 355		elem_parse_failed = 0;
 356
 357		switch (id) {
 358		case WLAN_EID_LINK_ID:
 359			if (elen + 2 < sizeof(struct ieee80211_tdls_lnkie)) {
 360				elem_parse_failed =
 361					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 362				break;
 363			}
 364			elems->lnk_id = (void *)(pos - 2);
 365			break;
 366		case WLAN_EID_CHAN_SWITCH_TIMING:
 367			if (elen < sizeof(struct ieee80211_ch_switch_timing)) {
 368				elem_parse_failed =
 369					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 370				break;
 371			}
 372			elems->ch_sw_timing = (void *)pos;
 373			break;
 374		case WLAN_EID_EXT_CAPABILITY:
 375			elems->ext_capab = pos;
 376			elems->ext_capab_len = elen;
 377			break;
 378		case WLAN_EID_SSID:
 379			elems->ssid = pos;
 380			elems->ssid_len = elen;
 381			break;
 382		case WLAN_EID_SUPP_RATES:
 383			elems->supp_rates = pos;
 384			elems->supp_rates_len = elen;
 385			break;
 386		case WLAN_EID_DS_PARAMS:
 387			if (elen >= 1)
 388				elems->ds_params = pos;
 389			else
 390				elem_parse_failed =
 391					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 392			break;
 393		case WLAN_EID_TIM:
 394			if (elen >= sizeof(struct ieee80211_tim_ie)) {
 395				elems->tim = (void *)pos;
 396				elems->tim_len = elen;
 397			} else
 398				elem_parse_failed =
 399					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 400			break;
 401		case WLAN_EID_VENDOR_SPECIFIC:
 402			if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 &&
 403			    pos[2] == 0xf2) {
 404				/* Microsoft OUI (00:50:F2) */
 405
 406				if (calc_crc)
 407					crc = crc32_be(crc, pos - 2, elen + 2);
 408
 409				if (elen >= 5 && pos[3] == 2) {
 410					/* OUI Type 2 - WMM IE */
 411					if (pos[4] == 0) {
 412						elems->wmm_info = pos;
 413						elems->wmm_info_len = elen;
 414					} else if (pos[4] == 1) {
 415						elems->wmm_param = pos;
 416						elems->wmm_param_len = elen;
 417					}
 418				}
 419			}
 420			break;
 421		case WLAN_EID_RSN:
 422			elems->rsn = pos;
 423			elems->rsn_len = elen;
 424			break;
 425		case WLAN_EID_ERP_INFO:
 426			if (elen >= 1)
 427				elems->erp_info = pos;
 428			else
 429				elem_parse_failed =
 430					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 431			break;
 432		case WLAN_EID_EXT_SUPP_RATES:
 433			elems->ext_supp_rates = pos;
 434			elems->ext_supp_rates_len = elen;
 435			break;
 436		case WLAN_EID_HT_CAPABILITY:
 437			if (params->mode < IEEE80211_CONN_MODE_HT)
 438				break;
 439			if (elen >= sizeof(struct ieee80211_ht_cap))
 440				elems->ht_cap_elem = (void *)pos;
 441			else
 442				elem_parse_failed =
 443					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 444			break;
 445		case WLAN_EID_HT_OPERATION:
 446			if (params->mode < IEEE80211_CONN_MODE_HT)
 447				break;
 448			if (elen >= sizeof(struct ieee80211_ht_operation))
 449				elems->ht_operation = (void *)pos;
 450			else
 451				elem_parse_failed =
 452					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 453			break;
 454		case WLAN_EID_VHT_CAPABILITY:
 455			if (params->mode < IEEE80211_CONN_MODE_VHT)
 456				break;
 457			if (elen >= sizeof(struct ieee80211_vht_cap))
 458				elems->vht_cap_elem = (void *)pos;
 459			else
 460				elem_parse_failed =
 461					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 462			break;
 463		case WLAN_EID_VHT_OPERATION:
 464			if (params->mode < IEEE80211_CONN_MODE_VHT)
 465				break;
 466			if (elen >= sizeof(struct ieee80211_vht_operation)) {
 467				elems->vht_operation = (void *)pos;
 468				if (calc_crc)
 469					crc = crc32_be(crc, pos - 2, elen + 2);
 470				break;
 471			}
 472			elem_parse_failed =
 473				IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 474			break;
 475		case WLAN_EID_OPMODE_NOTIF:
 476			if (params->mode < IEEE80211_CONN_MODE_VHT)
 477				break;
 478			if (elen > 0) {
 479				elems->opmode_notif = pos;
 480				if (calc_crc)
 481					crc = crc32_be(crc, pos - 2, elen + 2);
 482				break;
 483			}
 484			elem_parse_failed =
 485				IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 486			break;
 487		case WLAN_EID_MESH_ID:
 488			elems->mesh_id = pos;
 489			elems->mesh_id_len = elen;
 490			break;
 491		case WLAN_EID_MESH_CONFIG:
 492			if (elen >= sizeof(struct ieee80211_meshconf_ie))
 493				elems->mesh_config = (void *)pos;
 494			else
 495				elem_parse_failed =
 496					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 497			break;
 498		case WLAN_EID_PEER_MGMT:
 499			elems->peering = pos;
 500			elems->peering_len = elen;
 501			break;
 502		case WLAN_EID_MESH_AWAKE_WINDOW:
 503			if (elen >= 2)
 504				elems->awake_window = (void *)pos;
 505			break;
 506		case WLAN_EID_PREQ:
 507			elems->preq = pos;
 508			elems->preq_len = elen;
 509			break;
 510		case WLAN_EID_PREP:
 511			elems->prep = pos;
 512			elems->prep_len = elen;
 513			break;
 514		case WLAN_EID_PERR:
 515			elems->perr = pos;
 516			elems->perr_len = elen;
 517			break;
 518		case WLAN_EID_RANN:
 519			if (elen >= sizeof(struct ieee80211_rann_ie))
 520				elems->rann = (void *)pos;
 521			else
 522				elem_parse_failed =
 523					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 524			break;
 525		case WLAN_EID_CHANNEL_SWITCH:
 526			if (elen != sizeof(struct ieee80211_channel_sw_ie)) {
 527				elem_parse_failed =
 528					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 529				break;
 530			}
 531			elems->ch_switch_ie = (void *)pos;
 532			break;
 533		case WLAN_EID_EXT_CHANSWITCH_ANN:
 534			if (elen != sizeof(struct ieee80211_ext_chansw_ie)) {
 535				elem_parse_failed =
 536					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 537				break;
 538			}
 539			elems->ext_chansw_ie = (void *)pos;
 540			break;
 541		case WLAN_EID_SECONDARY_CHANNEL_OFFSET:
 542			if (params->mode < IEEE80211_CONN_MODE_HT)
 543				break;
 544			if (elen != sizeof(struct ieee80211_sec_chan_offs_ie)) {
 545				elem_parse_failed =
 546					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 547				break;
 548			}
 549			elems->sec_chan_offs = (void *)pos;
 550			break;
 551		case WLAN_EID_CHAN_SWITCH_PARAM:
 552			if (elen <
 553			    sizeof(*elems->mesh_chansw_params_ie)) {
 554				elem_parse_failed =
 555					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 556				break;
 557			}
 558			elems->mesh_chansw_params_ie = (void *)pos;
 559			break;
 560		case WLAN_EID_WIDE_BW_CHANNEL_SWITCH:
 561			if (params->mode < IEEE80211_CONN_MODE_VHT)
 562				break;
 563
 564			if (!params->action) {
 565				elem_parse_failed =
 566					IEEE80211_PARSE_ERR_UNEXPECTED_ELEM;
 567				break;
 568			}
 569
 570			if (elen < sizeof(*elems->wide_bw_chansw_ie)) {
 571				elem_parse_failed =
 572					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 573				break;
 574			}
 575			elems->wide_bw_chansw_ie = (void *)pos;
 576			break;
 577		case WLAN_EID_CHANNEL_SWITCH_WRAPPER:
 578			if (params->mode < IEEE80211_CONN_MODE_VHT)
 579				break;
 580			if (params->action) {
 581				elem_parse_failed =
 582					IEEE80211_PARSE_ERR_UNEXPECTED_ELEM;
 583				break;
 584			}
 585			/*
 586			 * This is a bit tricky, but as we only care about
 587			 * a few elements, parse them out manually.
 588			 */
 589			subelem = cfg80211_find_elem(WLAN_EID_WIDE_BW_CHANNEL_SWITCH,
 590						     pos, elen);
 591			if (subelem) {
 592				if (subelem->datalen >= sizeof(*elems->wide_bw_chansw_ie))
 593					elems->wide_bw_chansw_ie =
 594						(void *)subelem->data;
 595				else
 596					elem_parse_failed =
 597						IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 598			}
 599
 600			if (params->mode < IEEE80211_CONN_MODE_EHT)
 601				break;
 602
 603			subelem = cfg80211_find_ext_elem(WLAN_EID_EXT_BANDWIDTH_INDICATION,
 604							 pos, elen);
 605			if (subelem) {
 606				const void *edata = subelem->data + 1;
 607				u8 edatalen = subelem->datalen - 1;
 608
 609				if (ieee80211_bandwidth_indication_size_ok(edata,
 610									   edatalen))
 611					elems->bandwidth_indication = edata;
 612				else
 613					elem_parse_failed =
 614						IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 615			}
 616
 617			subelem = cfg80211_find_ext_elem(WLAN_EID_TX_POWER_ENVELOPE,
 618							 pos, elen);
 619			if (subelem)
 620				ieee80211_parse_tpe(&elems->csa_tpe,
 621						    subelem->data + 1,
 622						    subelem->datalen - 1);
 623			break;
 624		case WLAN_EID_COUNTRY:
 625			elems->country_elem = pos;
 626			elems->country_elem_len = elen;
 627			break;
 628		case WLAN_EID_PWR_CONSTRAINT:
 629			if (elen != 1) {
 630				elem_parse_failed =
 631					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 632				break;
 633			}
 634			elems->pwr_constr_elem = pos;
 635			break;
 636		case WLAN_EID_CISCO_VENDOR_SPECIFIC:
 637			/* Lots of different options exist, but we only care
 638			 * about the Dynamic Transmit Power Control element.
 639			 * First check for the Cisco OUI, then for the DTPC
 640			 * tag (0x00).
 641			 */
 642			if (elen < 4) {
 643				elem_parse_failed =
 644					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 645				break;
 646			}
 647
 648			if (pos[0] != 0x00 || pos[1] != 0x40 ||
 649			    pos[2] != 0x96 || pos[3] != 0x00)
 650				break;
 651
 652			if (elen != 6) {
 653				elem_parse_failed =
 654					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 655				break;
 656			}
 657
 658			if (calc_crc)
 659				crc = crc32_be(crc, pos - 2, elen + 2);
 660
 661			elems->cisco_dtpc_elem = pos;
 662			break;
 663		case WLAN_EID_ADDBA_EXT:
 664			if (elen < sizeof(struct ieee80211_addba_ext_ie)) {
 665				elem_parse_failed =
 666					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 667				break;
 668			}
 669			elems->addba_ext_ie = (void *)pos;
 670			break;
 671		case WLAN_EID_TIMEOUT_INTERVAL:
 672			if (elen >= sizeof(struct ieee80211_timeout_interval_ie))
 673				elems->timeout_int = (void *)pos;
 674			else
 675				elem_parse_failed =
 676					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 677			break;
 678		case WLAN_EID_BSS_MAX_IDLE_PERIOD:
 679			if (elen >= sizeof(*elems->max_idle_period_ie))
 680				elems->max_idle_period_ie = (void *)pos;
 681			break;
 682		case WLAN_EID_RSNX:
 683			elems->rsnx = pos;
 684			elems->rsnx_len = elen;
 685			break;
 686		case WLAN_EID_TX_POWER_ENVELOPE:
 687			if (params->mode < IEEE80211_CONN_MODE_HE)
 688				break;
 689			ieee80211_parse_tpe(&elems->tpe, pos, elen);
 690			break;
 691		case WLAN_EID_EXTENSION:
 692			ieee80211_parse_extension_element(calc_crc ?
 693								&crc : NULL,
 694							  elem, elems_parse,
 695							  params);
 696			break;
 697		case WLAN_EID_S1G_CAPABILITIES:
 698			if (params->mode != IEEE80211_CONN_MODE_S1G)
 699				break;
 700			if (elen >= sizeof(*elems->s1g_capab))
 701				elems->s1g_capab = (void *)pos;
 702			else
 703				elem_parse_failed =
 704					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 705			break;
 706		case WLAN_EID_S1G_OPERATION:
 707			if (params->mode != IEEE80211_CONN_MODE_S1G)
 708				break;
 709			if (elen == sizeof(*elems->s1g_oper))
 710				elems->s1g_oper = (void *)pos;
 711			else
 712				elem_parse_failed =
 713					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 714			break;
 715		case WLAN_EID_S1G_BCN_COMPAT:
 716			if (params->mode != IEEE80211_CONN_MODE_S1G)
 717				break;
 718			if (elen == sizeof(*elems->s1g_bcn_compat))
 719				elems->s1g_bcn_compat = (void *)pos;
 720			else
 721				elem_parse_failed =
 722					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 723			break;
 724		case WLAN_EID_AID_RESPONSE:
 725			if (params->mode != IEEE80211_CONN_MODE_S1G)
 726				break;
 727			if (elen == sizeof(struct ieee80211_aid_response_ie))
 728				elems->aid_resp = (void *)pos;
 729			else
 730				elem_parse_failed =
 731					IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
 732			break;
 733		default:
 734			break;
 735		}
 736
 737		if (elem_parse_failed)
 738			elems->parse_error |= elem_parse_failed;
 739		else
 740			__set_bit(id, seen_elems);
 741	}
 742
 743	if (!for_each_element_completed(elem, params->start, params->len))
 744		elems->parse_error |= IEEE80211_PARSE_ERR_INVALID_END;
 745
 746	return crc;
 747}
 748
 749static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
 750					    struct ieee802_11_elems *elems,
 751					    struct cfg80211_bss *bss,
 752					    u8 *nontransmitted_profile)
 753{
 754	const struct element *elem, *sub;
 755	size_t profile_len = 0;
 756	bool found = false;
 757
 758	if (!bss || !bss->transmitted_bss)
 759		return profile_len;
 760
 761	for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
 762		if (elem->datalen < 2)
 763			continue;
 764		if (elem->data[0] < 1 || elem->data[0] > 8)
 765			continue;
 766
 767		for_each_element(sub, elem->data + 1, elem->datalen - 1) {
 768			u8 new_bssid[ETH_ALEN];
 769			const u8 *index;
 770
 771			if (sub->id != 0 || sub->datalen < 4) {
 772				/* not a valid BSS profile */
 773				continue;
 774			}
 775
 776			if (sub->data[0] != WLAN_EID_NON_TX_BSSID_CAP ||
 777			    sub->data[1] != 2) {
 778				/* The first element of the
 779				 * Nontransmitted BSSID Profile is not
 780				 * the Nontransmitted BSSID Capability
 781				 * element.
 782				 */
 783				continue;
 784			}
 785
 786			memset(nontransmitted_profile, 0, len);
 787			profile_len = cfg80211_merge_profile(start, len,
 788							     elem,
 789							     sub,
 790							     nontransmitted_profile,
 791							     len);
 792
 793			/* found a Nontransmitted BSSID Profile */
 794			index = cfg80211_find_ie(WLAN_EID_MULTI_BSSID_IDX,
 795						 nontransmitted_profile,
 796						 profile_len);
 797			if (!index || index[1] < 1 || index[2] == 0) {
 798				/* Invalid MBSSID Index element */
 799				continue;
 800			}
 801
 802			cfg80211_gen_new_bssid(bss->transmitted_bss->bssid,
 803					       elem->data[0],
 804					       index[2],
 805					       new_bssid);
 806			if (ether_addr_equal(new_bssid, bss->bssid)) {
 807				found = true;
 808				elems->bssid_index_len = index[1];
 809				elems->bssid_index = (void *)&index[2];
 810				break;
 811			}
 812		}
 813	}
 814
 815	return found ? profile_len : 0;
 816}
 817
 818static void
 819ieee80211_mle_get_sta_prof(struct ieee80211_elems_parse *elems_parse,
 820			   u8 link_id)
 821{
 822	struct ieee802_11_elems *elems = &elems_parse->elems;
 823	const struct ieee80211_multi_link_elem *ml = elems->ml_basic;
 824	ssize_t ml_len = elems->ml_basic_len;
 825	const struct element *sub;
 826
 827	for_each_mle_subelement(sub, (u8 *)ml, ml_len) {
 828		struct ieee80211_mle_per_sta_profile *prof = (void *)sub->data;
 829		ssize_t sta_prof_len;
 830		u16 control;
 831
 832		if (sub->id != IEEE80211_MLE_SUBELEM_PER_STA_PROFILE)
 833			continue;
 834
 835		if (!ieee80211_mle_basic_sta_prof_size_ok(sub->data,
 836							  sub->datalen))
 837			return;
 838
 839		control = le16_to_cpu(prof->control);
 840
 841		if (link_id != u16_get_bits(control,
 842					    IEEE80211_MLE_STA_CONTROL_LINK_ID))
 843			continue;
 844
 845		if (!(control & IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE))
 846			return;
 847
 848		/* the sub element can be fragmented */
 849		sta_prof_len =
 850			cfg80211_defragment_element(sub,
 851						    (u8 *)ml, ml_len,
 852						    elems_parse->scratch_pos,
 853						    elems_parse->scratch +
 854							elems_parse->scratch_len -
 855							elems_parse->scratch_pos,
 856						    IEEE80211_MLE_SUBELEM_FRAGMENT);
 857
 858		if (sta_prof_len < 0)
 859			return;
 860
 861		elems->prof = (void *)elems_parse->scratch_pos;
 862		elems->sta_prof_len = sta_prof_len;
 863		elems_parse->scratch_pos += sta_prof_len;
 864
 865		return;
 866	}
 867}
 868
 869static void ieee80211_mle_parse_link(struct ieee80211_elems_parse *elems_parse,
 870				     struct ieee80211_elems_parse_params *params)
 871{
 872	struct ieee802_11_elems *elems = &elems_parse->elems;
 873	struct ieee80211_mle_per_sta_profile *prof;
 874	struct ieee80211_elems_parse_params sub = {
 875		.mode = params->mode,
 876		.action = params->action,
 877		.from_ap = params->from_ap,
 878		.link_id = -1,
 879	};
 880	ssize_t ml_len = elems->ml_basic_len;
 881	const struct element *non_inherit = NULL;
 882	const u8 *end;
 883
 884	ml_len = cfg80211_defragment_element(elems_parse->ml_basic_elem,
 885					     elems->ie_start,
 886					     elems->total_len,
 887					     elems_parse->scratch_pos,
 888					     elems_parse->scratch +
 889						elems_parse->scratch_len -
 890						elems_parse->scratch_pos,
 891					     WLAN_EID_FRAGMENT);
 892
 893	if (ml_len < 0)
 894		return;
 895
 896	elems->ml_basic = (const void *)elems_parse->scratch_pos;
 897	elems->ml_basic_len = ml_len;
 898	elems_parse->scratch_pos += ml_len;
 899
 900	if (params->link_id == -1)
 901		return;
 902
 903	ieee80211_mle_get_sta_prof(elems_parse, params->link_id);
 904	prof = elems->prof;
 905
 906	if (!prof)
 907		return;
 908
 909	/* check if we have the 4 bytes for the fixed part in assoc response */
 910	if (elems->sta_prof_len < sizeof(*prof) + prof->sta_info_len - 1 + 4) {
 911		elems->prof = NULL;
 912		elems->sta_prof_len = 0;
 913		return;
 914	}
 915
 916	/*
 917	 * Skip the capability information and the status code that are expected
 918	 * as part of the station profile in association response frames. Note
 919	 * the -1 is because the 'sta_info_len' is accounted to as part of the
 920	 * per-STA profile, but not part of the 'u8 variable[]' portion.
 921	 */
 922	sub.start = prof->variable + prof->sta_info_len - 1 + 4;
 923	end = (const u8 *)prof + elems->sta_prof_len;
 924	sub.len = end - sub.start;
 925
 926	non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
 927					     sub.start, sub.len);
 928	_ieee802_11_parse_elems_full(&sub, elems_parse, non_inherit);
 929}
 930
 931static void
 932ieee80211_mle_defrag_reconf(struct ieee80211_elems_parse *elems_parse)
 933{
 934	struct ieee802_11_elems *elems = &elems_parse->elems;
 935	ssize_t ml_len;
 936
 937	ml_len = cfg80211_defragment_element(elems_parse->ml_reconf_elem,
 938					     elems->ie_start,
 939					     elems->total_len,
 940					     elems_parse->scratch_pos,
 941					     elems_parse->scratch +
 942						elems_parse->scratch_len -
 943						elems_parse->scratch_pos,
 944					     WLAN_EID_FRAGMENT);
 945	if (ml_len < 0)
 946		return;
 947	elems->ml_reconf = (void *)elems_parse->scratch_pos;
 948	elems->ml_reconf_len = ml_len;
 949	elems_parse->scratch_pos += ml_len;
 950}
 951
 952static void
 953ieee80211_mle_defrag_epcs(struct ieee80211_elems_parse *elems_parse)
 954{
 955	struct ieee802_11_elems *elems = &elems_parse->elems;
 956	ssize_t ml_len;
 957
 958	ml_len = cfg80211_defragment_element(elems_parse->ml_epcs_elem,
 959					     elems->ie_start,
 960					     elems->total_len,
 961					     elems_parse->scratch_pos,
 962					     elems_parse->scratch +
 963						elems_parse->scratch_len -
 964						elems_parse->scratch_pos,
 965					     WLAN_EID_FRAGMENT);
 966	if (ml_len < 0)
 967		return;
 968	elems->ml_epcs = (void *)elems_parse->scratch_pos;
 969	elems->ml_epcs_len = ml_len;
 970	elems_parse->scratch_pos += ml_len;
 971}
 972
 973struct ieee802_11_elems *
 974ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params)
 975{
 976	struct ieee80211_elems_parse *elems_parse;
 977	struct ieee802_11_elems *elems;
 978	const struct element *non_inherit = NULL;
 979	u8 *nontransmitted_profile;
 980	int nontransmitted_profile_len = 0;
 981	size_t scratch_len = 3 * params->len;
 982
 983	BUILD_BUG_ON(offsetof(typeof(*elems_parse), elems) != 0);
 984
 985	elems_parse = kzalloc(struct_size(elems_parse, scratch, scratch_len),
 986			      GFP_ATOMIC);
 987	if (!elems_parse)
 988		return NULL;
 989
 990	elems_parse->scratch_len = scratch_len;
 991	elems_parse->scratch_pos = elems_parse->scratch;
 992
 993	elems = &elems_parse->elems;
 994	elems->ie_start = params->start;
 995	elems->total_len = params->len;
 996
 997	/* set all TPE entries to unlimited (but invalid) */
 998	ieee80211_clear_tpe(&elems->tpe);
 999	ieee80211_clear_tpe(&elems->csa_tpe);
1000
1001	nontransmitted_profile = elems_parse->scratch_pos;
1002	nontransmitted_profile_len =
1003		ieee802_11_find_bssid_profile(params->start, params->len,
1004					      elems, params->bss,
1005					      nontransmitted_profile);
1006	elems_parse->scratch_pos += nontransmitted_profile_len;
1007	non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
1008					     nontransmitted_profile,
1009					     nontransmitted_profile_len);
1010
1011	elems->crc = _ieee802_11_parse_elems_full(params, elems_parse,
1012						  non_inherit);
1013
1014	/* Override with nontransmitted profile, if found */
1015	if (nontransmitted_profile_len) {
1016		struct ieee80211_elems_parse_params sub = {
1017			.mode = params->mode,
1018			.start = nontransmitted_profile,
1019			.len = nontransmitted_profile_len,
1020			.action = params->action,
1021			.link_id = params->link_id,
1022		};
1023
1024		_ieee802_11_parse_elems_full(&sub, elems_parse, NULL);
1025	}
1026
1027	ieee80211_mle_parse_link(elems_parse, params);
1028
1029	ieee80211_mle_defrag_reconf(elems_parse);
1030
1031	ieee80211_mle_defrag_epcs(elems_parse);
1032
1033	if (elems->tim && !elems->parse_error) {
1034		const struct ieee80211_tim_ie *tim_ie = elems->tim;
1035
1036		elems->dtim_period = tim_ie->dtim_period;
1037		elems->dtim_count = tim_ie->dtim_count;
1038	}
1039
1040	/* Override DTIM period and count if needed */
1041	if (elems->bssid_index &&
1042	    elems->bssid_index_len >=
1043	    offsetofend(struct ieee80211_bssid_index, dtim_period))
1044		elems->dtim_period = elems->bssid_index->dtim_period;
1045
1046	if (elems->bssid_index &&
1047	    elems->bssid_index_len >=
1048	    offsetofend(struct ieee80211_bssid_index, dtim_count))
1049		elems->dtim_count = elems->bssid_index->dtim_count;
1050
1051	return elems;
1052}
1053EXPORT_SYMBOL_IF_KUNIT(ieee802_11_parse_elems_full);
1054
1055int ieee80211_parse_bitrates(enum nl80211_chan_width width,
1056			     const struct ieee80211_supported_band *sband,
1057			     const u8 *srates, int srates_len, u32 *rates)
1058{
1059	u32 rate_flags = ieee80211_chanwidth_rate_flags(width);
1060	struct ieee80211_rate *br;
1061	int brate, rate, i, j, count = 0;
1062
1063	*rates = 0;
1064
1065	for (i = 0; i < srates_len; i++) {
1066		rate = srates[i] & 0x7f;
1067
1068		for (j = 0; j < sband->n_bitrates; j++) {
1069			br = &sband->bitrates[j];
1070			if ((rate_flags & br->flags) != rate_flags)
1071				continue;
1072
1073			brate = DIV_ROUND_UP(br->bitrate, 5);
1074			if (brate == rate) {
1075				*rates |= BIT(j);
1076				count++;
1077				break;
1078			}
1079		}
1080	}
1081	return count;
1082}