[PATCH v2] mac80211: fix A-MSDU outer SA/DA

[PATCH v2] mac80211: fix A-MSDU outer SA/DA

[Michael Braun]

According to IEEE 802.11-2012 section 8.3.2 table 8-19, the outer SA/DA
of A-MSDU frames need to be changed depending on FromDS/ToDS values.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>

--
v2:
 - avoid the extra write to amsdu_hdr
 - avoid copy of asmdu_hdr into skb, use ptr instead
---
 net/mac80211/tx.c | 45 ++++++++++++++++++++++++++++++++++++---------
 1 file changed, 36 insertions(+), 9 deletions(-)

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 5023966..ebd2aa6 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -3046,11 +3046,12 @@ static bool ieee80211_amsdu_prepare_head(struct ieee80211_sub_if_data *sdata,
 	struct ieee80211_local *local = sdata->local;
 	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
 	struct ieee80211_hdr *hdr;
-	struct ethhdr amsdu_hdr;
+	struct ethhdr *amsdu_hdr;
 	int hdr_len = fast_tx->hdr_len - sizeof(rfc1042_header);
 	int subframe_len = skb->len - hdr_len;
 	void *data;
 	u8 *qc;
+	const u8 *src_addr, *dst_addr, *bssid;
 
 	if (info->flags & IEEE80211_TX_CTL_RATE_CTRL_PROBE)
 		return false;
@@ -3058,19 +3059,45 @@ static bool ieee80211_amsdu_prepare_head(struct ieee80211_sub_if_data *sdata,
 	if (info->control.flags & IEEE80211_TX_CTRL_AMSDU)
 		return true;
 
-	if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(amsdu_hdr),
+	if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(*amsdu_hdr),
 					 &subframe_len))
 		return false;
 
-	amsdu_hdr.h_proto = cpu_to_be16(subframe_len);
-	memcpy(amsdu_hdr.h_source, skb->data + fast_tx->sa_offs, ETH_ALEN);
-	memcpy(amsdu_hdr.h_dest, skb->data + fast_tx->da_offs, ETH_ALEN);
+	data = skb_push(skb, sizeof(*amsdu_hdr));
+	memmove(data, data + sizeof(*amsdu_hdr), hdr_len);
+	hdr = data;
+	amsdu_hdr = data + hdr_len;
+
+	/* according to IEEE 802.11-2012 8.3.2 table 8-19, the outer SA/DA
+	 * fields needs to be changed to BSSID for A-MSDU frames depending
+	 * on FromDS/ToDS values.
+	 */
+	switch (sdata->vif.type) {
+	case NL80211_IFTYPE_STATION:
+		bssid = sdata->u.mgd.bssid;
+		break;
+	case NL80211_IFTYPE_AP:
+	case NL80211_IFTYPE_AP_VLAN:
+		bssid = sdata->vif.addr;
+		break;
+	default:
+		bssid = NULL;
+	}
+
+	if (bssid && ieee80211_has_fromds(hdr->frame_control))
+		src_addr = bssid;
+	else
+		src_addr = skb->data + fast_tx->sa_offs;
+
+	if (bssid && ieee80211_has_tods(hdr->frame_control))
+		dst_addr = bssid;
+	else
+		dst_addr = skb->data + fast_tx->da_offs;
 
-	data = skb_push(skb, sizeof(amsdu_hdr));
-	memmove(data, data + sizeof(amsdu_hdr), hdr_len);
-	memcpy(data + hdr_len, &amsdu_hdr, sizeof(amsdu_hdr));
+	amsdu_hdr->h_proto = cpu_to_be16(subframe_len);
+	memcpy(amsdu_hdr->h_source, src_addr, ETH_ALEN);
+	memcpy(amsdu_hdr->h_dest, dst_addr, ETH_ALEN);
 
-	hdr = data;
 	qc = ieee80211_get_qos_ctl(hdr);
 	*qc |= IEEE80211_QOS_CTL_A_MSDU_PRESENT;
 
-- 
2.1.4

Re: [PATCH v2] mac80211: fix A-MSDU outer SA/DA

[Johannes Berg]

On Wed, 2016-10-12 at 12:57 +0200, Michael Braun wrote:
> According to IEEE 802.11-2012 section 8.3.2 table 8-19, the outer
> SA/DA of A-MSDU frames need to be changed depending on FromDS/ToDS
> values.

actually ...

>  	struct ieee80211_hdr *hdr;

802.11 header

> -	struct ethhdr amsdu_hdr;
> +	struct ethhdr *amsdu_hdr;
>  	int hdr_len = fast_tx->hdr_len - sizeof(rfc1042_header);

802.11 header length

> +	data = skb_push(skb, sizeof(*amsdu_hdr));

push ethernet header in

> +	memmove(data, data + sizeof(*amsdu_hdr), hdr_len);

move 802.11 header from back to front

> +	hdr = data;

hdr is at the beginning of the frame

> +	amsdu_hdr = data + hdr_len;

amsdu_hdr is actually the *inner* header after all.


So, I actually think my first instinct that you were erroneously
changing the inner header *was* right.


Seems like this code should be inserted towards the end of
ieee80211_amsdu_aggregate() instead, where it's adding the RFC 1042
header?

Need Felix to take a look, I guess.

johannes

Re: [PATCH v2] mac80211: fix A-MSDU outer SA/DA

[michael-dev]

Am 12.10.2016 14:25, schrieb Johannes Berg:
> So, I actually think my first instinct that you were erroneously
> changing the inner header *was* right.

You're right.

> Seems like this code should be inserted towards the end of
> ieee80211_amsdu_aggregate() instead, where it's adding the RFC 1042
> header?

I'm not convinced.

ieee80211_amsdu_aggregate handles two skbs: the "skb" var and the "head" 
var.
The skb is appended to the frag list of head by setting frag_tail and 
does not appear to have an ieee80211_hdr, as memmove is only 2 * 
ETH_ALEN. Additionally, the rfc1042_header is written after 2 bytes 
containing subframe_len, so it looks like an A-MSDU subframe with 
rfc1042_header is inserted at the beginning of the inner MSDU.

Only the head skb is processed by ieee80211_amsdu_prepare_head and 
appears to have an 802.11 header. So its da/sa address should be 
changed.

Regards,
M. Braun