1 /* $DragonFly: src/sys/netbt/rfcomm_session.c,v 1.2 2008/03/18 13:41:42 hasso Exp $ */
2 /* $OpenBSD: src/sys/netbt/rfcomm_session.c,v 1.3 2008/02/24 21:34:48 uwe Exp $ */
3 /* $NetBSD: rfcomm_session.c,v 1.12 2008/01/31 19:30:23 plunky Exp $ */
4
5 /*-
6 * Copyright (c) 2006 Itronix Inc.
7 * All rights reserved.
8 *
9 * Written by Iain Hibbert for Itronix Inc.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. The name of Itronix Inc. may not be used to endorse
20 * or promote products derived from this software without specific
21 * prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
25 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
26 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY
27 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
28 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
29 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
30 * ON ANY THEORY OF LIABILITY, WHETHER IN
31 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
34 */
35
36 #include <sys/param.h>
37 #include <sys/kernel.h>
38 #include <sys/mbuf.h>
39 #include <sys/proc.h>
40 #include <sys/systm.h>
41 #include <sys/types.h>
42 #include <sys/endian.h>
43
44 #include <net/if.h>
45
46 #include <netbt/bluetooth.h>
47 #include <netbt/hci.h>
48 #include <netbt/l2cap.h>
49 #include <netbt/rfcomm.h>
50
51 /******************************************************************************
52 *
53 * RFCOMM Multiplexer Sessions sit directly on L2CAP channels, and can
54 * multiplex up to 30 incoming and 30 outgoing connections.
55 * Only one Multiplexer is allowed between any two devices.
56 */
57
58 static void rfcomm_session_recv_sabm(struct rfcomm_session *, int);
59 static void rfcomm_session_recv_disc(struct rfcomm_session *, int);
60 static void rfcomm_session_recv_ua(struct rfcomm_session *, int);
61 static void rfcomm_session_recv_dm(struct rfcomm_session *, int);
62 static void rfcomm_session_recv_uih(struct rfcomm_session *, int, int, struct mbuf *, int);
63 static void rfcomm_session_recv_mcc(struct rfcomm_session *, struct mbuf *);
64 static void rfcomm_session_recv_mcc_test(struct rfcomm_session *, int, struct mbuf *);
65 static void rfcomm_session_recv_mcc_fcon(struct rfcomm_session *, int);
66 static void rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *, int);
67 static void rfcomm_session_recv_mcc_msc(struct rfcomm_session *, int, struct mbuf *);
68 static void rfcomm_session_recv_mcc_rpn(struct rfcomm_session *, int, struct mbuf *);
69 static void rfcomm_session_recv_mcc_rls(struct rfcomm_session *, int, struct mbuf *);
70 static void rfcomm_session_recv_mcc_pn(struct rfcomm_session *, int, struct mbuf *);
71 static void rfcomm_session_recv_mcc_nsc(struct rfcomm_session *, int, struct mbuf *);
72
73 /* L2CAP callbacks */
74 static void rfcomm_session_connecting(void *);
75 static void rfcomm_session_connected(void *);
76 static void rfcomm_session_disconnected(void *, int);
77 static void *rfcomm_session_newconn(void *, struct sockaddr_bt *, struct sockaddr_bt *);
78 static void rfcomm_session_complete(void *, int);
79 static void rfcomm_session_linkmode(void *, int);
80 static void rfcomm_session_input(void *, struct mbuf *);
81
82 static const struct btproto rfcomm_session_proto = {
83 rfcomm_session_connecting,
84 rfcomm_session_connected,
85 rfcomm_session_disconnected,
86 rfcomm_session_newconn,
87 rfcomm_session_complete,
88 rfcomm_session_linkmode,
89 rfcomm_session_input,
90 };
91
92 struct rfcomm_session_list
93 rfcomm_session_active = LIST_HEAD_INITIALIZER(rfcomm_session_active);
94
95 struct rfcomm_session_list
96 rfcomm_session_listen = LIST_HEAD_INITIALIZER(rfcomm_session_listen);
97
98 vm_zone_t rfcomm_credit_pool;
99
100 /*
101 * RFCOMM System Parameters (see section 5.3)
102 */
103 int rfcomm_mtu_default = 127; /* bytes */
104 int rfcomm_ack_timeout = 20; /* seconds */
105 int rfcomm_mcc_timeout = 20; /* seconds */
106
107 /*
108 * Reversed CRC table as per TS 07.10 Annex B.3.5
109 */
110 static const uint8_t crctable[256] = { /* reversed, 8-bit, poly=0x07 */
111 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
112 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
113 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
114 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
115
116 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
117 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
118 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
119 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
120
121 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
122 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
123 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
124 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
125
126 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
127 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
128 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
129 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
130
131 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
132 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
133 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
134 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
135
136 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
137 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
138 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
139 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
140
141 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
142 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
143 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
144 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
145
146 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
147 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
148 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
149 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
150 };
151
152 #define FCS(f, d) crctable[(f) ^ (d)]
153
154 /*
155 * rfcomm_init()
156 *
157 * initialize the "credit pool".
158 */
159 void
160 rfcomm_init(void)
161 {
162 rfcomm_credit_pool = zinit("rfcomm_credit",
163 sizeof(struct rfcomm_credit), 0, 0, 0);
164 }
165
166 /*
167 * rfcomm_session_alloc(list, sockaddr)
168 *
169 * allocate a new session and fill in the blanks, then
170 * attach session to front of specified list (active or listen)
171 */
172 struct rfcomm_session *
173 rfcomm_session_alloc(struct rfcomm_session_list *list,
174 struct sockaddr_bt *laddr)
175 {
176 struct rfcomm_session *rs;
177 int err;
178
179 rs = kmalloc(sizeof(*rs), M_BLUETOOTH, M_NOWAIT | M_ZERO);
180 if (rs == NULL)
181 return NULL;
182
183 rs->rs_state = RFCOMM_SESSION_CLOSED;
184
185 callout_init(&rs->rs_timeout);
186
187 STAILQ_INIT(&rs->rs_credits);
188 LIST_INIT(&rs->rs_dlcs);
189
190 err = l2cap_attach(&rs->rs_l2cap, &rfcomm_session_proto, rs);
191 if (err) {
192 kfree(rs, M_BLUETOOTH);
193 return NULL;
194 }
195
196 (void)l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu);
197
198 if (laddr->bt_psm == L2CAP_PSM_ANY)
199 laddr->bt_psm = L2CAP_PSM_RFCOMM;
200
201 (void)l2cap_bind(rs->rs_l2cap, laddr);
202
203 LIST_INSERT_HEAD(list, rs, rs_next);
204
205 return rs;
206 }
207
208 /*
209 * rfcomm_session_free(rfcomm_session)
210 *
211 * release a session, including any cleanup
212 */
213 void
214 rfcomm_session_free(struct rfcomm_session *rs)
215 {
216 struct rfcomm_credit *credit;
217
218 KKASSERT(rs != NULL);
219 KKASSERT(LIST_EMPTY(&rs->rs_dlcs));
220
221 rs->rs_state = RFCOMM_SESSION_CLOSED;
222
223 /*
224 * If the callout is already invoked we have no way to stop it,
225 * but it will call us back right away (there are no DLC's) so
226 * not to worry.
227 */
228 callout_stop(&rs->rs_timeout);
229 if (callout_active(&rs->rs_timeout))
230 return;
231
232 /*
233 * Take care that rfcomm_session_disconnected() doesnt call
234 * us back either as it will do if the l2cap_channel has not
235 * been closed when we detach it..
236 */
237 if (rs->rs_flags & RFCOMM_SESSION_FREE)
238 return;
239
240 rs->rs_flags |= RFCOMM_SESSION_FREE;
241
242 /* throw away any remaining credit notes */
243 while ((credit = STAILQ_FIRST(&rs->rs_credits)) != NULL) {
244 STAILQ_REMOVE_HEAD(&rs->rs_credits, rc_next);
245 zfree(rfcomm_credit_pool, credit);
246 }
247
248 KKASSERT(STAILQ_EMPTY(&rs->rs_credits));
249
250 /* Goodbye! */
251 LIST_REMOVE(rs, rs_next);
252 l2cap_detach(&rs->rs_l2cap);
253 kfree(rs, M_BLUETOOTH);
254 }
255
256 /*
257 * rfcomm_session_lookup(sockaddr, sockaddr)
258 *
259 * Find active rfcomm session matching src and dest addresses
260 * when src is BDADDR_ANY match any local address
261 */
262 struct rfcomm_session *
263 rfcomm_session_lookup(struct sockaddr_bt *src, struct sockaddr_bt *dest)
264 {
265 struct rfcomm_session *rs;
266 struct sockaddr_bt addr;
267
268 LIST_FOREACH(rs, &rfcomm_session_active, rs_next) {
269 if (rs->rs_state == RFCOMM_SESSION_CLOSED)
270 continue;
271
272 l2cap_sockaddr(rs->rs_l2cap, &addr);
273
274 if (bdaddr_same(&src->bt_bdaddr, &addr.bt_bdaddr) == 0)
275 if (bdaddr_any(&src->bt_bdaddr) == 0)
276 continue;
277
278 l2cap_peeraddr(rs->rs_l2cap, &addr);
279
280 if (addr.bt_psm != dest->bt_psm)
281 continue;
282
283 if (bdaddr_same(&dest->bt_bdaddr, &addr.bt_bdaddr))
284 break;
285 }
286
287 return rs;
288 }
289
290 /*
291 * rfcomm_session_timeout(rfcomm_session)
292 *
293 * Session timeouts are scheduled when a session is left or
294 * created with no DLCs, and when SABM(0) or DISC(0) are
295 * sent.
296 *
297 * So, if it is in an open state with DLC's attached then
298 * we leave it alone, otherwise the session is lost.
299 */
300 void
301 rfcomm_session_timeout(void *arg)
302 {
303 struct rfcomm_session *rs = arg;
304 struct rfcomm_dlc *dlc;
305
306 KKASSERT(rs != NULL);
307
308 crit_enter();
309
310 if (rs->rs_state != RFCOMM_SESSION_OPEN) {
311 DPRINTF("timeout\n");
312 rs->rs_state = RFCOMM_SESSION_CLOSED;
313
314 while (!LIST_EMPTY(&rs->rs_dlcs)) {
315 dlc = LIST_FIRST(&rs->rs_dlcs);
316
317 rfcomm_dlc_close(dlc, ETIMEDOUT);
318 }
319 }
320
321 if (LIST_EMPTY(&rs->rs_dlcs)) {
322 DPRINTF("expiring\n");
323 rfcomm_session_free(rs);
324 }
325 crit_exit();
326 }
327
328 /***********************************************************************
329 *
330 * RFCOMM Session L2CAP protocol callbacks
331 *
332 */
333
334 static void
335 rfcomm_session_connecting(void *arg)
336 {
337 /* struct rfcomm_session *rs = arg; */
338
339 DPRINTF("Connecting\n");
340 }
341
342 static void
343 rfcomm_session_connected(void *arg)
344 {
345 struct rfcomm_session *rs = arg;
346
347 DPRINTF("Connected\n");
348
349 /*
350 * L2CAP is open.
351 *
352 * If we are initiator, we can send our SABM(0)
353 * a timeout should be active?
354 *
355 * We must take note of the L2CAP MTU because currently
356 * the L2CAP implementation can only do Basic Mode.
357 */
358 l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu);
359
360 rs->rs_mtu -= 6; /* (RFCOMM overhead could be this big) */
361 if (rs->rs_mtu < RFCOMM_MTU_MIN) {
362 rfcomm_session_disconnected(rs, EINVAL);
363 return;
364 }
365
366 if (IS_INITIATOR(rs)) {
367 int err;
368
369 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, 0);
370 if (err)
371 rfcomm_session_disconnected(rs, err);
372
373 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout * hz,
374 rfcomm_session_timeout, rs);
375 }
376 }
377
378 static void
379 rfcomm_session_disconnected(void *arg, int err)
380 {
381 struct rfcomm_session *rs = arg;
382 struct rfcomm_dlc *dlc;
383
384 DPRINTF("Disconnected\n");
385
386 rs->rs_state = RFCOMM_SESSION_CLOSED;
387
388 while (!LIST_EMPTY(&rs->rs_dlcs)) {
389 dlc = LIST_FIRST(&rs->rs_dlcs);
390
391 rfcomm_dlc_close(dlc, err);
392 }
393
394 rfcomm_session_free(rs);
395 }
396
397 static void *
398 rfcomm_session_newconn(void *arg, struct sockaddr_bt *laddr,
399 struct sockaddr_bt *raddr)
400 {
401 struct rfcomm_session *new, *rs = arg;
402
403 DPRINTF("New Connection\n");
404
405 /*
406 * Incoming session connect request. We should return a new
407 * session pointer if this is acceptable. The L2CAP layer
408 * passes local and remote addresses, which we must check as
409 * only one RFCOMM session is allowed between any two devices
410 */
411 new = rfcomm_session_lookup(laddr, raddr);
412 if (new != NULL)
413 return NULL;
414
415 new = rfcomm_session_alloc(&rfcomm_session_active, laddr);
416 if (new == NULL)
417 return NULL;
418
419 new->rs_mtu = rs->rs_mtu;
420 new->rs_state = RFCOMM_SESSION_WAIT_CONNECT;
421
422 /*
423 * schedule an expiry so that if nothing comes of it we
424 * can punt.
425 */
426 callout_reset(&rs->rs_timeout, rfcomm_mcc_timeout * hz,
427 rfcomm_session_timeout, rs);
428
429 return new->rs_l2cap;
430 }
431
432 static void
433 rfcomm_session_complete(void *arg, int count)
434 {
435 struct rfcomm_session *rs = arg;
436 struct rfcomm_credit *credit;
437 struct rfcomm_dlc *dlc;
438
439 /*
440 * count L2CAP packets are 'complete', meaning that they are cleared
441 * our buffers (for best effort) or arrived safe (for guaranteed) so
442 * we can take it off our list and pass the message on, so that
443 * eventually the data can be removed from the sockbuf
444 */
445 while (count-- > 0) {
446 credit = STAILQ_FIRST(&rs->rs_credits);
447 #ifdef DIAGNOSTIC
448 if (credit == NULL) {
449 kprintf("%s: too many packets completed!\n", __func__);
450 break;
451 }
452 #endif
453 dlc = credit->rc_dlc;
454 if (dlc != NULL) {
455 dlc->rd_pending--;
456 (*dlc->rd_proto->complete)
457 (dlc->rd_upper, credit->rc_len);
458
459 /*
460 * if not using credit flow control, we may push
461 * more data now
462 */
463 if ((rs->rs_flags & RFCOMM_SESSION_CFC) == 0
464 && dlc->rd_state == RFCOMM_DLC_OPEN) {
465 rfcomm_dlc_start(dlc);
466 }
467
468 /*
469 * When shutdown is indicated, we are just waiting to
470 * clear outgoing data.
471 */
472 if ((dlc->rd_flags & RFCOMM_DLC_SHUTDOWN)
473 && dlc->rd_txbuf == NULL && dlc->rd_pending == 0) {
474 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT;
475 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC,
476 dlc->rd_dlci);
477 callout_reset(&dlc->rd_timeout,
478 rfcomm_ack_timeout * hz,
479 rfcomm_dlc_timeout, dlc);
480 }
481 }
482
483 STAILQ_REMOVE_HEAD(&rs->rs_credits, rc_next);
484 zfree(rfcomm_credit_pool, credit);
485 }
486
487 /*
488 * If session is closed, we are just waiting to clear the queue
489 */
490 if (rs->rs_state == RFCOMM_SESSION_CLOSED) {
491 if (STAILQ_EMPTY(&rs->rs_credits))
492 l2cap_disconnect(rs->rs_l2cap, 0);
493 }
494 }
495
496 /*
497 * Link Mode changed
498 *
499 * This is called when a mode change is complete. Proceed with connections
500 * where appropriate, or pass the new mode to any active DLCs.
501 */
502 static void
503 rfcomm_session_linkmode(void *arg, int new)
504 {
505 struct rfcomm_session *rs = arg;
506 struct rfcomm_dlc *dlc, *next;
507 int err, mode = 0;
508
509 DPRINTF("auth %s, encrypt %s, secure %s\n",
510 (new & L2CAP_LM_AUTH ? "on" : "off"),
511 (new & L2CAP_LM_ENCRYPT ? "on" : "off"),
512 (new & L2CAP_LM_SECURE ? "on" : "off"));
513
514 if (new & L2CAP_LM_AUTH)
515 mode |= RFCOMM_LM_AUTH;
516
517 if (new & L2CAP_LM_ENCRYPT)
518 mode |= RFCOMM_LM_ENCRYPT;
519
520 if (new & L2CAP_LM_SECURE)
521 mode |= RFCOMM_LM_SECURE;
522
523 next = LIST_FIRST(&rs->rs_dlcs);
524 while ((dlc = next) != NULL) {
525 next = LIST_NEXT(dlc, rd_next);
526
527 switch (dlc->rd_state) {
528 case RFCOMM_DLC_WAIT_SEND_SABM: /* we are connecting */
529 if ((mode & dlc->rd_mode) != dlc->rd_mode) {
530 rfcomm_dlc_close(dlc, ECONNABORTED);
531 } else {
532 err = rfcomm_session_send_frame(rs,
533 RFCOMM_FRAME_SABM, dlc->rd_dlci);
534 if (err) {
535 rfcomm_dlc_close(dlc, err);
536 } else {
537 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA;
538 callout_reset(&dlc->rd_timeout,
539 rfcomm_ack_timeout * hz,
540 rfcomm_dlc_timeout, dlc);
541
542 break;
543 }
544 }
545
546 /*
547 * If we aborted the connection and there are no more DLCs
548 * on the session, it is our responsibility to disconnect.
549 */
550 if (!LIST_EMPTY(&rs->rs_dlcs))
551 break;
552
553 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT;
554 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0);
555 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout * hz,
556 rfcomm_session_timeout, rs);
557 break;
558
559 case RFCOMM_DLC_WAIT_SEND_UA: /* they are connecting */
560 if ((mode & dlc->rd_mode) != dlc->rd_mode) {
561 rfcomm_session_send_frame(rs,
562 RFCOMM_FRAME_DM, dlc->rd_dlci);
563 rfcomm_dlc_close(dlc, ECONNABORTED);
564 break;
565 }
566
567 err = rfcomm_session_send_frame(rs,
568 RFCOMM_FRAME_UA, dlc->rd_dlci);
569 if (err) {
570 rfcomm_session_send_frame(rs,
571 RFCOMM_FRAME_DM, dlc->rd_dlci);
572 rfcomm_dlc_close(dlc, err);
573 break;
574 }
575
576 err = rfcomm_dlc_open(dlc);
577 if (err) {
578 rfcomm_session_send_frame(rs,
579 RFCOMM_FRAME_DM, dlc->rd_dlci);
580 rfcomm_dlc_close(dlc, err);
581 break;
582 }
583
584 break;
585
586 case RFCOMM_DLC_WAIT_RECV_UA:
587 case RFCOMM_DLC_OPEN: /* already established */
588 (*dlc->rd_proto->linkmode)(dlc->rd_upper, mode);
589 break;
590
591 default:
592 break;
593 }
594 }
595 }
596
597 /*
598 * Receive data from L2CAP layer for session. There is always exactly one
599 * RFCOMM frame contained in each L2CAP frame.
600 */
601 static void
602 rfcomm_session_input(void *arg, struct mbuf *m)
603 {
604 struct rfcomm_session *rs = arg;
605 int dlci, len, type, pf;
606 uint8_t fcs, b;
607
608 KKASSERT(m != NULL);
609 KKASSERT(rs != NULL);
610
611 /*
612 * UIH frames: FCS is only calculated on address and control fields
613 * For other frames: FCS is calculated on address, control and length
614 * Length may extend to two octets
615 */
616 fcs = 0xff;
617
618 if (m->m_pkthdr.len < 4) {
619 DPRINTF("short frame (%d), discarded\n", m->m_pkthdr.len);
620 goto done;
621 }
622
623 /* address - one octet */
624 m_copydata(m, 0, 1, &b);
625 m_adj(m, 1);
626 fcs = FCS(fcs, b);
627 dlci = RFCOMM_DLCI(b);
628
629 /* control - one octet */
630 m_copydata(m, 0, 1, &b);
631 m_adj(m, 1);
632 fcs = FCS(fcs, b);
633 type = RFCOMM_TYPE(b);
634 pf = RFCOMM_PF(b);
635
636 /* length - may be two octets */
637 m_copydata(m, 0, 1, &b);
638 m_adj(m, 1);
639 if (type != RFCOMM_FRAME_UIH)
640 fcs = FCS(fcs, b);
641 len = (b >> 1) & 0x7f;
642
643 if (RFCOMM_EA(b) == 0) {
644 if (m->m_pkthdr.len < 2) {
645 DPRINTF("short frame (%d, EA = 0), discarded\n",
646 m->m_pkthdr.len);
647 goto done;
648 }
649
650 m_copydata(m, 0, 1, &b);
651 m_adj(m, 1);
652 if (type != RFCOMM_FRAME_UIH)
653 fcs = FCS(fcs, b);
654
655 len |= (b << 7);
656 }
657
658 /* FCS byte is last octet in frame */
659 m_copydata(m, m->m_pkthdr.len - 1, 1, &b);
660 m_adj(m, -1);
661 fcs = FCS(fcs, b);
662
663 if (fcs != 0xcf) {
664 DPRINTF("Bad FCS value (%#2.2x), frame discarded\n", fcs);
665 goto done;
666 }
667
668 DPRINTFN(10, "dlci %d, type %2.2x, len = %d\n", dlci, type, len);
669
670 switch (type) {
671 case RFCOMM_FRAME_SABM:
672 if (pf)
673 rfcomm_session_recv_sabm(rs, dlci);
674 break;
675
676 case RFCOMM_FRAME_DISC:
677 if (pf)
678 rfcomm_session_recv_disc(rs, dlci);
679 break;
680
681 case RFCOMM_FRAME_UA:
682 if (pf)
683 rfcomm_session_recv_ua(rs, dlci);
684 break;
685
686 case RFCOMM_FRAME_DM:
687 rfcomm_session_recv_dm(rs, dlci);
688 break;
689
690 case RFCOMM_FRAME_UIH:
691 rfcomm_session_recv_uih(rs, dlci, pf, m, len);
692 return; /* (no release) */
693
694 default:
695 UNKNOWN(type);
696 break;
697 }
698
699 done:
700 m_freem(m);
701 }
702
703 /***********************************************************************
704 *
705 * RFCOMM Session receive processing
706 */
707
708 /*
709 * rfcomm_session_recv_sabm(rfcomm_session, dlci)
710 *
711 * Set Asyncrhonous Balanced Mode - open the channel.
712 */
713 static void
714 rfcomm_session_recv_sabm(struct rfcomm_session *rs, int dlci)
715 {
716 struct rfcomm_dlc *dlc;
717 int err;
718
719 DPRINTFN(5, "SABM(%d)\n", dlci);
720
721 if (dlci == 0) { /* Open Session */
722 rs->rs_state = RFCOMM_SESSION_OPEN;
723 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0);
724 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) {
725 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION)
726 rfcomm_dlc_connect(dlc);
727 }
728 return;
729 }
730
731 if (rs->rs_state != RFCOMM_SESSION_OPEN) {
732 DPRINTF("session was not even open!\n");
733 return;
734 }
735
736 /* validate direction bit */
737 if ((IS_INITIATOR(rs) && !RFCOMM_DIRECTION(dlci))
738 || (!IS_INITIATOR(rs) && RFCOMM_DIRECTION(dlci))) {
739 DPRINTF("Invalid direction bit on DLCI\n");
740 return;
741 }
742
743 /*
744 * look for our DLC - this may exist if we received PN
745 * already, or we may have to fabricate a new one.
746 */
747 dlc = rfcomm_dlc_lookup(rs, dlci);
748 if (dlc == NULL) {
749 dlc = rfcomm_dlc_newconn(rs, dlci);
750 if (dlc == NULL)
751 return; /* (DM is sent) */
752 }
753
754 /*
755 * ..but if this DLC is not waiting to connect, they did
756 * something wrong, ignore it.
757 */
758 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT)
759 return;
760
761 /* set link mode */
762 err = rfcomm_dlc_setmode(dlc);
763 if (err == EINPROGRESS) {
764 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_UA;
765 (*dlc->rd_proto->connecting)(dlc->rd_upper);
766 return;
767 }
768 if (err)
769 goto close;
770
771 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci);
772 if (err)
773 goto close;
774
775 /* and mark it open */
776 err = rfcomm_dlc_open(dlc);
777 if (err)
778 goto close;
779
780 return;
781
782 close:
783 rfcomm_dlc_close(dlc, err);
784 }
785
786 /*
787 * Receive Disconnect Command
788 */
789 static void
790 rfcomm_session_recv_disc(struct rfcomm_session *rs, int dlci)
791 {
792 struct rfcomm_dlc *dlc;
793
794 DPRINTFN(5, "DISC(%d)\n", dlci);
795
796 if (dlci == 0) {
797 /*
798 * Disconnect Session
799 *
800 * We set the session state to CLOSED so that when
801 * the UA frame is clear the session will be closed
802 * automatically. We wont bother to close any DLC's
803 * just yet as there should be none. In the unlikely
804 * event that something is left, it will get flushed
805 * out as the session goes down.
806 */
807 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0);
808 rs->rs_state = RFCOMM_SESSION_CLOSED;
809 return;
810 }
811
812 dlc = rfcomm_dlc_lookup(rs, dlci);
813 if (dlc == NULL) {
814 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci);
815 return;
816 }
817
818 rfcomm_dlc_close(dlc, ECONNRESET);
819 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci);
820 }
821
822 /*
823 * Receive Unnumbered Acknowledgement Response
824 *
825 * This should be a response to a DISC or SABM frame that we
826 * have previously sent. If unexpected, ignore it.
827 */
828 static void
829 rfcomm_session_recv_ua(struct rfcomm_session *rs, int dlci)
830 {
831 struct rfcomm_dlc *dlc;
832
833 DPRINTFN(5, "UA(%d)\n", dlci);
834
835 if (dlci == 0) {
836 switch (rs->rs_state) {
837 case RFCOMM_SESSION_WAIT_CONNECT: /* We sent SABM */
838 callout_stop(&rs->rs_timeout);
839 rs->rs_state = RFCOMM_SESSION_OPEN;
840 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) {
841 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION)
842 rfcomm_dlc_connect(dlc);
843 }
844 break;
845
846 case RFCOMM_SESSION_WAIT_DISCONNECT: /* We sent DISC */
847 callout_stop(&rs->rs_timeout);
848 rs->rs_state = RFCOMM_SESSION_CLOSED;
849 l2cap_disconnect(rs->rs_l2cap, 0);
850 break;
851
852 default:
853 DPRINTF("Received spurious UA(0)!\n");
854 break;
855 }
856
857 return;
858 }
859
860 /*
861 * If we have no DLC on this dlci, we may have aborted
862 * without shutting down properly, so check if the session
863 * needs disconnecting.
864 */
865 dlc = rfcomm_dlc_lookup(rs, dlci);
866 if (dlc == NULL)
867 goto check;
868
869 switch (dlc->rd_state) {
870 case RFCOMM_DLC_WAIT_RECV_UA: /* We sent SABM */
871 rfcomm_dlc_open(dlc);
872 return;
873
874 case RFCOMM_DLC_WAIT_DISCONNECT: /* We sent DISC */
875 rfcomm_dlc_close(dlc, 0);
876 break;
877
878 default:
879 DPRINTF("Received spurious UA(%d)!\n", dlci);
880 return;
881 }
882
883 check: /* last one out turns out the light */
884 if (LIST_EMPTY(&rs->rs_dlcs)) {
885 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT;
886 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0);
887 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout*hz,rfcomm_session_timeout,rs);
888 }
889 }
890
891 /*
892 * Receive Disconnected Mode Response
893 *
894 * If this does not apply to a known DLC then we may ignore it.
895 */
896 static void
897 rfcomm_session_recv_dm(struct rfcomm_session *rs, int dlci)
898 {
899 struct rfcomm_dlc *dlc;
900
901 DPRINTFN(5, "DM(%d)\n", dlci);
902
903 dlc = rfcomm_dlc_lookup(rs, dlci);
904 if (dlc == NULL)
905 return;
906
907 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT)
908 rfcomm_dlc_close(dlc, ECONNREFUSED);
909 else
910 rfcomm_dlc_close(dlc, ECONNRESET);
911 }
912
913 /*
914 * Receive Unnumbered Information with Header check (MCC or data packet)
915 */
916 static void
917 rfcomm_session_recv_uih(struct rfcomm_session *rs, int dlci,
918 int pf, struct mbuf *m, int len)
919 {
920 struct rfcomm_dlc *dlc;
921 uint8_t credits = 0;
922
923 DPRINTFN(10, "UIH(%d)\n", dlci);
924
925 if (dlci == 0) {
926 rfcomm_session_recv_mcc(rs, m);
927 return;
928 }
929
930 if (m->m_pkthdr.len != len + pf) {
931 DPRINTF("Bad Frame Length (%d), frame discarded\n",
932 m->m_pkthdr.len);
933
934 goto discard;
935 }
936
937 dlc = rfcomm_dlc_lookup(rs, dlci);
938 if (dlc == NULL) {
939 DPRINTF("UIH received for non existent DLC, discarded\n");
940 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci);
941 goto discard;
942 }
943
944 if (dlc->rd_state != RFCOMM_DLC_OPEN) {
945 DPRINTF("non-open DLC (state = %d), discarded\n",
946 dlc->rd_state);
947 goto discard;
948 }
949
950 /* if PF is set, credits were included */
951 if (rs->rs_flags & RFCOMM_SESSION_CFC) {
952 if (pf != 0) {
953 if (m->m_pkthdr.len < sizeof(credits)) {
954 DPRINTF("Bad PF value, UIH discarded\n");
955 goto discard;
956 }
957
958 m_copydata(m, 0, sizeof(credits), &credits);
959 m_adj(m, sizeof(credits));
960
961 dlc->rd_txcred += credits;
962
963 if (credits > 0 && dlc->rd_txbuf != NULL)
964 rfcomm_dlc_start(dlc);
965 }
966
967 if (len == 0)
968 goto discard;
969
970 if (dlc->rd_rxcred == 0) {
971 DPRINTF("Credit limit reached, UIH discarded\n");
972 goto discard;
973 }
974
975 if (len > dlc->rd_rxsize) {
976 DPRINTF("UIH frame exceeds rxsize, discarded\n");
977 goto discard;
978 }
979
980 dlc->rd_rxcred--;
981 dlc->rd_rxsize -= len;
982 }
983
984 (*dlc->rd_proto->input)(dlc->rd_upper, m);
985 return;
986
987 discard:
988 m_freem(m);
989 }
990
991 /*
992 * Receive Multiplexer Control Command
993 */
994 static void
995 rfcomm_session_recv_mcc(struct rfcomm_session *rs, struct mbuf *m)
996 {
997 int type, cr, len;
998 uint8_t b;
999
1000 /*
1001 * Extract MCC header.
1002 *
1003 * Fields are variable length using extension bit = 1 to signify the
1004 * last octet in the sequence.
1005 *
1006 * Only single octet types are defined in TS 07.10/RFCOMM spec
1007 *
1008 * Length can realistically only use 15 bits (max RFCOMM MTU)
1009 */
1010 if (m->m_pkthdr.len < sizeof(b)) {
1011 DPRINTF("Short MCC header, discarded\n");
1012 goto release;
1013 }
1014
1015 m_copydata(m, 0, sizeof(b), &b);
1016 m_adj(m, sizeof(b));
1017
1018 if (RFCOMM_EA(b) == 0) { /* verify no extensions */
1019 DPRINTF("MCC type EA = 0, discarded\n");
1020 goto release;
1021 }
1022
1023 type = RFCOMM_MCC_TYPE(b);
1024 cr = RFCOMM_CR(b);
1025
1026 len = 0;
1027 do {
1028 if (m->m_pkthdr.len < sizeof(b)) {
1029 DPRINTF("Short MCC header, discarded\n");
1030 goto release;
1031 }
1032
1033 m_copydata(m, 0, sizeof(b), &b);
1034 m_adj(m, sizeof(b));
1035
1036 len = (len << 7) | (b >> 1);
1037 len = min(len, RFCOMM_MTU_MAX);
1038 } while (RFCOMM_EA(b) == 0);
1039
1040 if (len != m->m_pkthdr.len) {
1041 DPRINTF("Incorrect MCC length, discarded\n");
1042 goto release;
1043 }
1044
1045 DPRINTFN(2, "MCC %s type %2.2x (%d bytes)\n",
1046 (cr ? "command" : "response"), type, len);
1047
1048 /*
1049 * pass to command handler
1050 */
1051 switch(type) {
1052 case RFCOMM_MCC_TEST: /* Test */
1053 rfcomm_session_recv_mcc_test(rs, cr, m);
1054 break;
1055
1056 case RFCOMM_MCC_FCON: /* Flow Control On */
1057 rfcomm_session_recv_mcc_fcon(rs, cr);
1058 break;
1059
1060 case RFCOMM_MCC_FCOFF: /* Flow Control Off */
1061 rfcomm_session_recv_mcc_fcoff(rs, cr);
1062 break;
1063
1064 case RFCOMM_MCC_MSC: /* Modem Status Command */
1065 rfcomm_session_recv_mcc_msc(rs, cr, m);
1066 break;
1067
1068 case RFCOMM_MCC_RPN: /* Remote Port Negotiation */
1069 rfcomm_session_recv_mcc_rpn(rs, cr, m);
1070 break;
1071
1072 case RFCOMM_MCC_RLS: /* Remote Line Status */
1073 rfcomm_session_recv_mcc_rls(rs, cr, m);
1074 break;
1075
1076 case RFCOMM_MCC_PN: /* Parameter Negotiation */
1077 rfcomm_session_recv_mcc_pn(rs, cr, m);
1078 break;
1079
1080 case RFCOMM_MCC_NSC: /* Non Supported Command */
1081 rfcomm_session_recv_mcc_nsc(rs, cr, m);
1082 break;
1083
1084 default:
1085 b = RFCOMM_MKMCC_TYPE(cr, type);
1086 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_NSC, &b, sizeof(b));
1087 }
1088
1089 release:
1090 m_freem(m);
1091 }
1092
1093 /*
1094 * process TEST command/response
1095 */
1096 static void
1097 rfcomm_session_recv_mcc_test(struct rfcomm_session *rs, int cr, struct mbuf *m)
1098 {
1099 void *data;
1100 int len;
1101
1102 if (cr == 0) /* ignore ack */
1103 return;
1104
1105 /*
1106 * we must send all the data they included back as is
1107 */
1108
1109 len = m->m_pkthdr.len;
1110 if (len > RFCOMM_MTU_MAX)
1111 return;
1112
1113 data = kmalloc(len, M_BLUETOOTH, M_NOWAIT);
1114 if (data == NULL)
1115 return;
1116
1117 m_copydata(m, 0, len, data);
1118 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_TEST, data, len);
1119 kfree(data, M_BLUETOOTH);
1120 }
1121
1122 /*
1123 * process Flow Control ON command/response
1124 */
1125 static void
1126 rfcomm_session_recv_mcc_fcon(struct rfcomm_session *rs, int cr)
1127 {
1128
1129 if (cr == 0) /* ignore ack */
1130 return;
1131
1132 rs->rs_flags |= RFCOMM_SESSION_RFC;
1133 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCON, NULL, 0);
1134 }
1135
1136 /*
1137 * process Flow Control OFF command/response
1138 */
1139 static void
1140 rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *rs, int cr)
1141 {
1142 if (cr == 0) /* ignore ack */
1143 return;
1144
1145 rs->rs_flags &= ~RFCOMM_SESSION_RFC;
1146 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCOFF, NULL, 0);
1147 }
1148
1149 /*
1150 * process Modem Status Command command/response
1151 */
1152 static void
1153 rfcomm_session_recv_mcc_msc(struct rfcomm_session *rs, int cr, struct mbuf *m)
1154 {
1155 struct rfcomm_mcc_msc msc; /* (3 octets) */
1156 struct rfcomm_dlc *dlc;
1157 int len = 0;
1158
1159 /* [ADDRESS] */
1160 if (m->m_pkthdr.len < sizeof(msc.address))
1161 return;
1162
1163 m_copydata(m, 0, sizeof(msc.address), &msc.address);
1164 m_adj(m, sizeof(msc.address));
1165 len += sizeof(msc.address);
1166
1167 dlc = rfcomm_dlc_lookup(rs, RFCOMM_DLCI(msc.address));
1168
1169 if (cr == 0) { /* ignore acks */
1170 if (dlc != NULL)
1171 callout_stop(&dlc->rd_timeout);
1172
1173 return;
1174 }
1175
1176 if (dlc == NULL) {
1177 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM,
1178 RFCOMM_DLCI(msc.address));
1179 return;
1180 }
1181
1182 /* [SIGNALS] */
1183 if (m->m_pkthdr.len < sizeof(msc.modem))
1184 return;
1185
1186 m_copydata(m, 0, sizeof(msc.modem), &msc.modem);
1187 m_adj(m, sizeof(msc.modem));
1188 len += sizeof(msc.modem);
1189
1190 dlc->rd_rmodem = msc.modem;
1191 /* XXX how do we signal this upstream? */
1192
1193 if (RFCOMM_EA(msc.modem) == 0) {
1194 if (m->m_pkthdr.len < sizeof(msc.brk))
1195 return;
1196
1197 m_copydata(m, 0, sizeof(msc.brk), &msc.brk);
1198 m_adj(m, sizeof(msc.brk));
1199 len += sizeof(msc.brk);
1200
1201 /* XXX how do we signal this upstream? */
1202 }
1203
1204 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_MSC, &msc, len);
1205 }
1206
1207 /*
1208 * process Remote Port Negotiation command/response
1209 */
1210 static void
1211 rfcomm_session_recv_mcc_rpn(struct rfcomm_session *rs, int cr, struct mbuf *m)
1212 {
1213 struct rfcomm_mcc_rpn rpn;
1214 uint16_t mask;
1215
1216 if (cr == 0) /* ignore ack */
1217 return;
1218
1219 /* default values */
1220 rpn.bit_rate = RFCOMM_RPN_BR_9600;
1221 rpn.line_settings = RFCOMM_RPN_8_N_1;
1222 rpn.flow_control = RFCOMM_RPN_FLOW_NONE;
1223 rpn.xon_char = RFCOMM_RPN_XON_CHAR;
1224 rpn.xoff_char = RFCOMM_RPN_XOFF_CHAR;
1225
1226 if (m->m_pkthdr.len == sizeof(rpn)) {
1227 m_copydata(m, 0, sizeof(rpn), (caddr_t)&rpn);
1228 rpn.param_mask = RFCOMM_RPN_PM_ALL;
1229 } else if (m->m_pkthdr.len == 1) {
1230 m_copydata(m, 0, 1, (caddr_t)&rpn);
1231 rpn.param_mask = letoh16(rpn.param_mask);
1232 } else {
1233 DPRINTF("Bad RPN length (%d)\n", m->m_pkthdr.len);
1234 return;
1235 }
1236
1237 mask = 0;
1238
1239 if (rpn.param_mask & RFCOMM_RPN_PM_RATE)
1240 mask |= RFCOMM_RPN_PM_RATE;
1241
1242 if (rpn.param_mask & RFCOMM_RPN_PM_DATA
1243 && RFCOMM_RPN_DATA_BITS(rpn.line_settings) == RFCOMM_RPN_DATA_8)
1244 mask |= RFCOMM_RPN_PM_DATA;
1245
1246 if (rpn.param_mask & RFCOMM_RPN_PM_STOP
1247 && RFCOMM_RPN_STOP_BITS(rpn.line_settings) == RFCOMM_RPN_STOP_1)
1248 mask |= RFCOMM_RPN_PM_STOP;
1249
1250 if (rpn.param_mask & RFCOMM_RPN_PM_PARITY
1251 && RFCOMM_RPN_PARITY(rpn.line_settings) == RFCOMM_RPN_PARITY_NONE)
1252 mask |= RFCOMM_RPN_PM_PARITY;
1253
1254 if (rpn.param_mask & RFCOMM_RPN_PM_XON
1255 && rpn.xon_char == RFCOMM_RPN_XON_CHAR)
1256 mask |= RFCOMM_RPN_PM_XON;
1257
1258 if (rpn.param_mask & RFCOMM_RPN_PM_XOFF
1259 && rpn.xoff_char == RFCOMM_RPN_XOFF_CHAR)
1260 mask |= RFCOMM_RPN_PM_XOFF;
1261
1262 if (rpn.param_mask & RFCOMM_RPN_PM_FLOW
1263 && rpn.flow_control == RFCOMM_RPN_FLOW_NONE)
1264 mask |= RFCOMM_RPN_PM_FLOW;
1265
1266 rpn.param_mask = htole16(mask);
1267
1268 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RPN, &rpn, sizeof(rpn));
1269 }
1270
1271 /*
1272 * process Remote Line Status command/response
1273 */
1274 static void
1275 rfcomm_session_recv_mcc_rls(struct rfcomm_session *rs, int cr, struct mbuf *m)
1276 {
1277 struct rfcomm_mcc_rls rls;
1278
1279 if (cr == 0) /* ignore ack */
1280 return;
1281
1282 if (m->m_pkthdr.len != sizeof(rls)) {
1283 DPRINTF("Bad RLS length %d\n", m->m_pkthdr.len);
1284 return;
1285 }
1286
1287 m_copydata(m, 0, sizeof(rls), (caddr_t)&rls);
1288
1289 /*
1290 * So far as I can tell, we just send back what
1291 * they sent us. This signifies errors that seem
1292 * irrelevent for RFCOMM over L2CAP.
1293 */
1294 rls.address |= 0x03; /* EA = 1, CR = 1 */
1295 rls.status &= 0x0f; /* only 4 bits valid */
1296
1297 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RLS, &rls, sizeof(rls));
1298 }
1299
1300 /*
1301 * process Parameter Negotiation command/response
1302 */
1303 static void
1304 rfcomm_session_recv_mcc_pn(struct rfcomm_session *rs, int cr, struct mbuf *m)
1305 {
1306 struct rfcomm_dlc *dlc;
1307 struct rfcomm_mcc_pn pn;
1308 int err;
1309
1310 if (m->m_pkthdr.len != sizeof(pn)) {
1311 DPRINTF("Bad PN length %d\n", m->m_pkthdr.len);
1312 return;
1313 }
1314
1315 m_copydata(m, 0, sizeof(pn), (caddr_t)&pn);
1316
1317 pn.dlci &= 0x3f;
1318 pn.mtu = letoh16(pn.mtu);
1319
1320 dlc = rfcomm_dlc_lookup(rs, pn.dlci);
1321 if (cr) { /* Command */
1322 /*
1323 * If there is no DLC present, this is a new
1324 * connection so attempt to make one
1325 */
1326 if (dlc == NULL) {
1327 dlc = rfcomm_dlc_newconn(rs, pn.dlci);
1328 if (dlc == NULL)
1329 return; /* (DM is sent) */
1330 }
1331
1332 /* accept any valid MTU, and offer it back */
1333 pn.mtu = min(pn.mtu, RFCOMM_MTU_MAX);
1334 pn.mtu = min(pn.mtu, rs->rs_mtu);
1335 pn.mtu = max(pn.mtu, RFCOMM_MTU_MIN);
1336 dlc->rd_mtu = pn.mtu;
1337 pn.mtu = htole16(pn.mtu);
1338
1339 /* credits are only set before DLC is open */
1340 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT
1341 && (pn.flow_control & 0xf0) == 0xf0) {
1342 rs->rs_flags |= RFCOMM_SESSION_CFC;
1343 dlc->rd_txcred = pn.credits & 0x07;
1344
1345 dlc->rd_rxcred = (dlc->rd_rxsize / dlc->rd_mtu);
1346 dlc->rd_rxcred = min(dlc->rd_rxcred,
1347 RFCOMM_CREDITS_DEFAULT);
1348
1349 pn.flow_control = 0xe0;
1350 pn.credits = dlc->rd_rxcred;
1351 } else {
1352 pn.flow_control = 0x00;
1353 pn.credits = 0x00;
1354 }
1355
1356 /* unused fields must be ignored and set to zero */
1357 pn.ack_timer = 0;
1358 pn.max_retrans = 0;
1359
1360 /* send our response */
1361 err = rfcomm_session_send_mcc(rs, 0,
1362 RFCOMM_MCC_PN, &pn, sizeof(pn));
1363 if (err)
1364 goto close;
1365
1366 } else { /* Response */
1367 /* ignore responses with no matching DLC */
1368 if (dlc == NULL)
1369 return;
1370
1371 callout_stop(&dlc->rd_timeout);
1372
1373 if (pn.mtu > RFCOMM_MTU_MAX || pn.mtu > dlc->rd_mtu) {
1374 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT;
1375 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC,
1376 pn.dlci);
1377 if (err)
1378 goto close;
1379
1380 callout_reset(&dlc->rd_timeout, rfcomm_ack_timeout * hz,
1381 rfcomm_dlc_timeout, dlc);
1382 return;
1383 }
1384 dlc->rd_mtu = pn.mtu;
1385
1386 /* if DLC is not waiting to connect, we are done */
1387 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT)
1388 return;
1389
1390 /* set initial credits according to RFCOMM spec */
1391 if ((pn.flow_control & 0xf0) == 0xe0) {
1392 rs->rs_flags |= RFCOMM_SESSION_CFC;
1393 dlc->rd_txcred = (pn.credits & 0x07);
1394 }
1395
1396 callout_reset(&dlc->rd_timeout, rfcomm_ack_timeout * hz,
1397 rfcomm_dlc_timeout, dlc);
1398
1399 /* set link mode */
1400 err = rfcomm_dlc_setmode(dlc);
1401 if (err == EINPROGRESS) {
1402 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_SABM;
1403 (*dlc->rd_proto->connecting)(dlc->rd_upper);
1404 return;
1405 }
1406 if (err)
1407 goto close;
1408
1409 /* we can proceed now */
1410 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, pn.dlci);
1411 if (err)
1412 goto close;
1413
1414 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA;
1415 }
1416 return;
1417
1418 close:
1419 rfcomm_dlc_close(dlc, err);
1420 }
1421
1422 /*
1423 * process Non Supported Command command/response
1424 */
1425 static void
1426 rfcomm_session_recv_mcc_nsc(struct rfcomm_session *rs,
1427 int cr, struct mbuf *m)
1428 {
1429 struct rfcomm_dlc *dlc, *next;
1430
1431 /*
1432 * Since we did nothing that is not mandatory,
1433 * we just abort the whole session..
1434 */
1435
1436 next = LIST_FIRST(&rs->rs_dlcs);
1437 while ((dlc = next) != NULL) {
1438 next = LIST_NEXT(dlc, rd_next);
1439 rfcomm_dlc_close(dlc, ECONNABORTED);
1440 }
1441
1442 rfcomm_session_free(rs);
1443 }
1444
1445 /***********************************************************************
1446 *
1447 * RFCOMM Session outward frame/uih/mcc building
1448 */
1449
1450 /*
1451 * SABM/DISC/DM/UA frames are all minimal and mostly identical.
1452 */
1453 int
1454 rfcomm_session_send_frame(struct rfcomm_session *rs, int type, int dlci)
1455 {
1456 struct rfcomm_cmd_hdr *hdr;
1457 struct rfcomm_credit *credit;
1458 struct mbuf *m;
1459 uint8_t fcs, cr;
1460
1461 credit = zalloc(rfcomm_credit_pool);
1462 if (credit == NULL)
1463 return ENOMEM;
1464
1465 m = m_gethdr(MB_DONTWAIT, MT_DATA);
1466 if (m == NULL) {
1467 zfree(rfcomm_credit_pool, credit);
1468 return ENOMEM;
1469 }
1470
1471 /*
1472 * The CR (command/response) bit identifies the frame either as a
1473 * commmand or a response and is used along with the DLCI to form
1474 * the address. Commands contain the non-initiator address, whereas
1475 * responses contain the initiator address, so the CR value is
1476 * also dependent on the session direction.
1477 */
1478 if (type == RFCOMM_FRAME_UA || type == RFCOMM_FRAME_DM)
1479 cr = IS_INITIATOR(rs) ? 0 : 1;
1480 else
1481 cr = IS_INITIATOR(rs) ? 1 : 0;
1482
1483 hdr = mtod(m, struct rfcomm_cmd_hdr *);
1484 hdr->address = RFCOMM_MKADDRESS(cr, dlci);
1485 hdr->control = RFCOMM_MKCONTROL(type, 1); /* PF = 1 */
1486 hdr->length = (0x00 << 1) | 0x01; /* len = 0x00, EA = 1 */
1487
1488 fcs = 0xff;
1489 fcs = FCS(fcs, hdr->address);
1490 fcs = FCS(fcs, hdr->control);
1491 fcs = FCS(fcs, hdr->length);
1492 fcs = 0xff - fcs; /* ones complement */
1493 hdr->fcs = fcs;
1494
1495 m->m_pkthdr.len = m->m_len = sizeof(struct rfcomm_cmd_hdr);
1496
1497 /* empty credit note */
1498 credit->rc_dlc = NULL;
1499 credit->rc_len = m->m_pkthdr.len;
1500 STAILQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next);
1501
1502 DPRINTFN(5, "dlci %d type %2.2x (%d bytes, fcs=%#2.2x)\n",
1503 dlci, type, m->m_pkthdr.len, fcs);
1504
1505 return l2cap_send(rs->rs_l2cap, m);
1506 }
1507
1508 /*
1509 * rfcomm_session_send_uih(rfcomm_session, rfcomm_dlc, credits, mbuf)
1510 *
1511 * UIH frame is per DLC data or Multiplexer Control Commands
1512 * when no DLC is given. Data mbuf is optional (just credits
1513 * will be sent in that case)
1514 */
1515 int
1516 rfcomm_session_send_uih(struct rfcomm_session *rs, struct rfcomm_dlc *dlc,
1517 int credits, struct mbuf *m)
1518 {
1519 struct rfcomm_credit *credit;
1520 struct mbuf *m0 = NULL;
1521 int err, len;
1522 uint8_t fcs, *hdr;
1523
1524 KKASSERT(rs != NULL);
1525
1526 len = (m == NULL) ? 0 : m->m_pkthdr.len;
1527 KKASSERT(!(credits == 0 && len == 0));
1528
1529 /*
1530 * Make a credit note for the completion notification
1531 */
1532 credit = zalloc(rfcomm_credit_pool);
1533 if (credit == NULL)
1534 goto nomem;
1535
1536 credit->rc_len = len;
1537 credit->rc_dlc = dlc;
1538
1539 /*
1540 * Wrap UIH frame information around payload.
1541 *
1542 * [ADDRESS] [CONTROL] [LENGTH] [CREDITS] [...] [FCS]
1543 *
1544 * Address is one octet.
1545 * Control is one octet.
1546 * Length is one or two octets.
1547 * Credits may be one octet.
1548 *
1549 * FCS is one octet and calculated on address and
1550 * control octets only.
1551 *
1552 * If there are credits to be sent, we will set the PF
1553 * flag and include them in the frame.
1554 */
1555 m0 = m_gethdr(MB_DONTWAIT, MT_DATA);
1556 if (m0 == NULL)
1557 goto nomem;
1558
1559 MH_ALIGN(m0, 5); /* (max 5 header octets) */
1560 hdr = mtod(m0, uint8_t *);
1561
1562 /* CR bit is set according to the initiator of the session */
1563 *hdr = RFCOMM_MKADDRESS((IS_INITIATOR(rs) ? 1 : 0),
1564 (dlc ? dlc->rd_dlci : 0));
1565 fcs = FCS(0xff, *hdr);
1566 hdr++;
1567
1568 /* PF bit is set if credits are being sent */
1569 *hdr = RFCOMM_MKCONTROL(RFCOMM_FRAME_UIH, (credits > 0 ? 1 : 0));
1570 fcs = FCS(fcs, *hdr);
1571 hdr++;
1572
1573 if (len < (1 << 7)) {
1574 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */
1575 } else {
1576 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */
1577 *hdr++ = ((len >> 7) & 0xff); /* 8 bits, no EA */
1578 }
1579
1580 if (credits > 0)
1581 *hdr++ = (uint8_t)credits;
1582
1583 m0->m_len = hdr - mtod(m0, uint8_t *);
1584
1585 /* Append payload */
1586 m0->m_next = m;
1587 m = NULL;
1588
1589 m0->m_pkthdr.len = m0->m_len + len;
1590
1591 /* Append FCS */
1592 fcs = 0xff - fcs; /* ones complement */
1593 len = m0->m_pkthdr.len;
1594 m_copyback(m0, len, sizeof(fcs), &fcs);
1595 if (m0->m_pkthdr.len != len + sizeof(fcs))
1596 goto nomem;
1597
1598 DPRINTFN(10, "dlci %d, pktlen %d (%d data, %d credits), fcs=%#2.2x\n",
1599 dlc ? dlc->rd_dlci : 0, m0->m_pkthdr.len, credit->rc_len,
1600 credits, fcs);
1601
1602 /*
1603 * UIH frame ready to go..
1604 */
1605 err = l2cap_send(rs->rs_l2cap, m0);
1606 if (err)
1607 goto fail;
1608
1609 STAILQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next);
1610 return 0;
1611
1612 nomem:
1613 err = ENOMEM;
1614
1615 if (m0 != NULL)
1616 m_freem(m0);
1617
1618 if (m != NULL)
1619 m_freem(m);
1620
1621 fail:
1622 if (credit != NULL)
1623 zfree(rfcomm_credit_pool, credit);
1624
1625 return err;
1626 }
1627
1628 /*
1629 * send Multiplexer Control Command (or Response) on session
1630 */
1631 int
1632 rfcomm_session_send_mcc(struct rfcomm_session *rs, int cr,
1633 uint8_t type, void *data, int len)
1634 {
1635 struct mbuf *m;
1636 uint8_t *hdr;
1637 int hlen;
1638
1639 m = m_gethdr(MB_DONTWAIT, MT_DATA);
1640 if (m == NULL)
1641 return ENOMEM;
1642
1643 hdr = mtod(m, uint8_t *);
1644
1645 /*
1646 * Technically the type field can extend past one octet, but none
1647 * currently defined will do that.
1648 */
1649 *hdr++ = RFCOMM_MKMCC_TYPE(cr, type);
1650
1651 /*
1652 * In the frame, the max length size is 2 octets (15 bits) whereas
1653 * no max length size is specified for MCC commands. We must allow
1654 * for 3 octets since for MCC frames we use 7 bits + EA in each.
1655 *
1656 * Only test data can possibly be that big.
1657 *
1658 * XXX Should we check this against the MTU?
1659 */
1660 if (len < (1 << 7)) {
1661 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */
1662 } else if (len < (1 << 14)) {
1663 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */
1664 *hdr++ = ((len >> 6) & 0xfe) | 0x01; /* 7 bits, EA = 1 */
1665 } else if (len < (1 << 15)) {
1666 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */
1667 *hdr++ = ((len >> 6) & 0xfe); /* 7 bits, EA = 0 */
1668 *hdr++ = ((len >> 13) & 0x02) | 0x01; /* 1 bit, EA = 1 */
1669 } else {
1670 DPRINTF("incredible length! (%d)\n", len);
1671 m_freem(m);
1672 return EMSGSIZE;
1673 }
1674
1675 /*
1676 * add command data (to same mbuf if possible)
1677 */
1678 hlen = hdr - mtod(m, uint8_t *);
1679
1680 if (len > 0) {
1681 m->m_pkthdr.len = m->m_len = MHLEN;
1682 m_copyback(m, hlen, len, data);
1683 if (m->m_pkthdr.len != max(MHLEN, hlen + len)) {
1684 m_freem(m);
1685 return ENOMEM;
1686 }
1687 }
1688
1689 m->m_pkthdr.len = hlen + len;
1690 m->m_len = min(MHLEN, m->m_pkthdr.len);
1691
1692 DPRINTFN(5, "%s type %2.2x len %d\n",
1693 (cr ? "command" : "response"), type, m->m_pkthdr.len);
1694
1695 return rfcomm_session_send_uih(rs, NULL, 0, m);
1696 }
Cache object: 646657a339aabf41788768102f094e4c
|