The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netbt/rfcomm_session.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /* $DragonFly: src/sys/netbt/rfcomm_session.c,v 1.2 2008/03/18 13:41:42 hasso Exp $ */
    2 /* $OpenBSD: src/sys/netbt/rfcomm_session.c,v 1.3 2008/02/24 21:34:48 uwe Exp $ */
    3 /* $NetBSD: rfcomm_session.c,v 1.12 2008/01/31 19:30:23 plunky Exp $ */
    4 
    5 /*-
    6  * Copyright (c) 2006 Itronix Inc.
    7  * All rights reserved.
    8  *
    9  * Written by Iain Hibbert for Itronix Inc.
   10  *
   11  * Redistribution and use in source and binary forms, with or without
   12  * modification, are permitted provided that the following conditions
   13  * are met:
   14  * 1. Redistributions of source code must retain the above copyright
   15  *    notice, this list of conditions and the following disclaimer.
   16  * 2. Redistributions in binary form must reproduce the above copyright
   17  *    notice, this list of conditions and the following disclaimer in the
   18  *    documentation and/or other materials provided with the distribution.
   19  * 3. The name of Itronix Inc. may not be used to endorse
   20  *    or promote products derived from this software without specific
   21  *    prior written permission.
   22  *
   23  * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND
   24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
   25  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
   26  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY
   27  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
   28  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
   29  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   30  * ON ANY THEORY OF LIABILITY, WHETHER IN
   31  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
   32  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
   33  * POSSIBILITY OF SUCH DAMAGE.
   34  */
   35 
   36 #include <sys/param.h>
   37 #include <sys/kernel.h>
   38 #include <sys/mbuf.h>
   39 #include <sys/proc.h>
   40 #include <sys/systm.h>
   41 #include <sys/types.h>
   42 #include <sys/endian.h>
   43 
   44 #include <net/if.h>
   45 
   46 #include <netbt/bluetooth.h>
   47 #include <netbt/hci.h>
   48 #include <netbt/l2cap.h>
   49 #include <netbt/rfcomm.h>
   50 
   51 /******************************************************************************
   52  *
   53  * RFCOMM Multiplexer Sessions sit directly on L2CAP channels, and can
   54  * multiplex up to 30 incoming and 30 outgoing connections.
   55  * Only one Multiplexer is allowed between any two devices.
   56  */
   57 
   58 static void rfcomm_session_recv_sabm(struct rfcomm_session *, int);
   59 static void rfcomm_session_recv_disc(struct rfcomm_session *, int);
   60 static void rfcomm_session_recv_ua(struct rfcomm_session *, int);
   61 static void rfcomm_session_recv_dm(struct rfcomm_session *, int);
   62 static void rfcomm_session_recv_uih(struct rfcomm_session *, int, int, struct mbuf *, int);
   63 static void rfcomm_session_recv_mcc(struct rfcomm_session *, struct mbuf *);
   64 static void rfcomm_session_recv_mcc_test(struct rfcomm_session *, int, struct mbuf *);
   65 static void rfcomm_session_recv_mcc_fcon(struct rfcomm_session *, int);
   66 static void rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *, int);
   67 static void rfcomm_session_recv_mcc_msc(struct rfcomm_session *, int, struct mbuf *);
   68 static void rfcomm_session_recv_mcc_rpn(struct rfcomm_session *, int, struct mbuf *);
   69 static void rfcomm_session_recv_mcc_rls(struct rfcomm_session *, int, struct mbuf *);
   70 static void rfcomm_session_recv_mcc_pn(struct rfcomm_session *, int, struct mbuf *);
   71 static void rfcomm_session_recv_mcc_nsc(struct rfcomm_session *, int, struct mbuf *);
   72 
   73 /* L2CAP callbacks */
   74 static void rfcomm_session_connecting(void *);
   75 static void rfcomm_session_connected(void *);
   76 static void rfcomm_session_disconnected(void *, int);
   77 static void *rfcomm_session_newconn(void *, struct sockaddr_bt *, struct sockaddr_bt *);
   78 static void rfcomm_session_complete(void *, int);
   79 static void rfcomm_session_linkmode(void *, int);
   80 static void rfcomm_session_input(void *, struct mbuf *);
   81 
   82 static const struct btproto rfcomm_session_proto = {
   83         rfcomm_session_connecting,
   84         rfcomm_session_connected,
   85         rfcomm_session_disconnected,
   86         rfcomm_session_newconn,
   87         rfcomm_session_complete,
   88         rfcomm_session_linkmode,
   89         rfcomm_session_input,
   90 };
   91 
   92 struct rfcomm_session_list
   93         rfcomm_session_active = LIST_HEAD_INITIALIZER(rfcomm_session_active);
   94 
   95 struct rfcomm_session_list
   96         rfcomm_session_listen = LIST_HEAD_INITIALIZER(rfcomm_session_listen);
   97 
   98 vm_zone_t rfcomm_credit_pool;
   99 
  100 /*
  101  * RFCOMM System Parameters (see section 5.3)
  102  */
  103 int rfcomm_mtu_default = 127;   /* bytes */
  104 int rfcomm_ack_timeout = 20;    /* seconds */
  105 int rfcomm_mcc_timeout = 20;    /* seconds */
  106 
  107 /*
  108  * Reversed CRC table as per TS 07.10 Annex B.3.5
  109  */
  110 static const uint8_t crctable[256] = {  /* reversed, 8-bit, poly=0x07 */
  111         0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
  112         0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
  113         0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
  114         0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
  115 
  116         0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
  117         0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
  118         0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
  119         0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
  120 
  121         0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
  122         0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
  123         0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
  124         0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
  125 
  126         0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
  127         0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
  128         0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
  129         0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
  130 
  131         0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
  132         0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
  133         0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
  134         0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
  135 
  136         0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
  137         0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
  138         0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
  139         0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
  140 
  141         0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
  142         0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
  143         0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
  144         0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
  145 
  146         0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
  147         0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
  148         0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
  149         0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
  150 };
  151 
  152 #define FCS(f, d)       crctable[(f) ^ (d)]
  153 
  154 /*
  155  * rfcomm_init()
  156  *
  157  * initialize the "credit pool".
  158  */
  159 void
  160 rfcomm_init(void)
  161 {
  162         rfcomm_credit_pool = zinit("rfcomm_credit",
  163             sizeof(struct rfcomm_credit), 0, 0, 0);
  164 }
  165 
  166 /*
  167  * rfcomm_session_alloc(list, sockaddr)
  168  *
  169  * allocate a new session and fill in the blanks, then
  170  * attach session to front of specified list (active or listen)
  171  */
  172 struct rfcomm_session *
  173 rfcomm_session_alloc(struct rfcomm_session_list *list,
  174                         struct sockaddr_bt *laddr)
  175 {
  176         struct rfcomm_session *rs;
  177         int err;
  178 
  179         rs = kmalloc(sizeof(*rs), M_BLUETOOTH, M_NOWAIT | M_ZERO);
  180         if (rs == NULL)
  181                 return NULL;
  182 
  183         rs->rs_state = RFCOMM_SESSION_CLOSED;
  184 
  185         callout_init(&rs->rs_timeout);
  186 
  187         STAILQ_INIT(&rs->rs_credits);
  188         LIST_INIT(&rs->rs_dlcs);
  189 
  190         err = l2cap_attach(&rs->rs_l2cap, &rfcomm_session_proto, rs);
  191         if (err) {
  192                 kfree(rs, M_BLUETOOTH);
  193                 return NULL;
  194         }
  195 
  196         (void)l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu);
  197 
  198         if (laddr->bt_psm == L2CAP_PSM_ANY)
  199                 laddr->bt_psm = L2CAP_PSM_RFCOMM;
  200 
  201         (void)l2cap_bind(rs->rs_l2cap, laddr);
  202 
  203         LIST_INSERT_HEAD(list, rs, rs_next);
  204 
  205         return rs;
  206 }
  207 
  208 /*
  209  * rfcomm_session_free(rfcomm_session)
  210  *
  211  * release a session, including any cleanup
  212  */
  213 void
  214 rfcomm_session_free(struct rfcomm_session *rs)
  215 {
  216         struct rfcomm_credit *credit;
  217 
  218         KKASSERT(rs != NULL);
  219         KKASSERT(LIST_EMPTY(&rs->rs_dlcs));
  220 
  221         rs->rs_state = RFCOMM_SESSION_CLOSED;
  222 
  223         /*
  224          * If the callout is already invoked we have no way to stop it,
  225          * but it will call us back right away (there are no DLC's) so
  226          * not to worry.
  227          */
  228         callout_stop(&rs->rs_timeout);
  229         if (callout_active(&rs->rs_timeout))
  230                 return;
  231 
  232         /*
  233          * Take care that rfcomm_session_disconnected() doesnt call
  234          * us back either as it will do if the l2cap_channel has not
  235          * been closed when we detach it..
  236          */
  237         if (rs->rs_flags & RFCOMM_SESSION_FREE)
  238                 return;
  239 
  240         rs->rs_flags |= RFCOMM_SESSION_FREE;
  241 
  242         /* throw away any remaining credit notes */
  243         while ((credit = STAILQ_FIRST(&rs->rs_credits)) != NULL) {
  244                 STAILQ_REMOVE_HEAD(&rs->rs_credits, rc_next);
  245                 zfree(rfcomm_credit_pool, credit);
  246         }
  247 
  248         KKASSERT(STAILQ_EMPTY(&rs->rs_credits));
  249 
  250         /* Goodbye! */
  251         LIST_REMOVE(rs, rs_next);
  252         l2cap_detach(&rs->rs_l2cap);
  253         kfree(rs, M_BLUETOOTH);
  254 }
  255 
  256 /*
  257  * rfcomm_session_lookup(sockaddr, sockaddr)
  258  *
  259  * Find active rfcomm session matching src and dest addresses
  260  * when src is BDADDR_ANY match any local address
  261  */
  262 struct rfcomm_session *
  263 rfcomm_session_lookup(struct sockaddr_bt *src, struct sockaddr_bt *dest)
  264 {
  265         struct rfcomm_session *rs;
  266         struct sockaddr_bt addr;
  267 
  268         LIST_FOREACH(rs, &rfcomm_session_active, rs_next) {
  269                 if (rs->rs_state == RFCOMM_SESSION_CLOSED)
  270                         continue;
  271 
  272                 l2cap_sockaddr(rs->rs_l2cap, &addr);
  273 
  274                 if (bdaddr_same(&src->bt_bdaddr, &addr.bt_bdaddr) == 0)
  275                         if (bdaddr_any(&src->bt_bdaddr) == 0)
  276                                 continue;
  277 
  278                 l2cap_peeraddr(rs->rs_l2cap, &addr);
  279 
  280                 if (addr.bt_psm != dest->bt_psm)
  281                         continue;
  282 
  283                 if (bdaddr_same(&dest->bt_bdaddr, &addr.bt_bdaddr))
  284                         break;
  285         }
  286 
  287         return rs;
  288 }
  289 
  290 /*
  291  * rfcomm_session_timeout(rfcomm_session)
  292  *
  293  * Session timeouts are scheduled when a session is left or
  294  * created with no DLCs, and when SABM(0) or DISC(0) are
  295  * sent.
  296  *
  297  * So, if it is in an open state with DLC's attached then
  298  * we leave it alone, otherwise the session is lost.
  299  */
  300 void
  301 rfcomm_session_timeout(void *arg)
  302 {
  303         struct rfcomm_session *rs = arg;
  304         struct rfcomm_dlc *dlc;
  305 
  306         KKASSERT(rs != NULL);
  307 
  308         crit_enter();
  309 
  310         if (rs->rs_state != RFCOMM_SESSION_OPEN) {
  311                 DPRINTF("timeout\n");
  312                 rs->rs_state = RFCOMM_SESSION_CLOSED;
  313 
  314                 while (!LIST_EMPTY(&rs->rs_dlcs)) {
  315                         dlc = LIST_FIRST(&rs->rs_dlcs);
  316 
  317                         rfcomm_dlc_close(dlc, ETIMEDOUT);
  318                 }
  319         }
  320 
  321         if (LIST_EMPTY(&rs->rs_dlcs)) {
  322                 DPRINTF("expiring\n");
  323                 rfcomm_session_free(rs);
  324         }
  325         crit_exit();
  326 }
  327 
  328 /***********************************************************************
  329  *
  330  *      RFCOMM Session L2CAP protocol callbacks
  331  *
  332  */
  333 
  334 static void
  335 rfcomm_session_connecting(void *arg)
  336 {
  337         /* struct rfcomm_session *rs = arg; */
  338 
  339         DPRINTF("Connecting\n");
  340 }
  341 
  342 static void
  343 rfcomm_session_connected(void *arg)
  344 {
  345         struct rfcomm_session *rs = arg;
  346 
  347         DPRINTF("Connected\n");
  348 
  349         /*
  350          * L2CAP is open.
  351          *
  352          * If we are initiator, we can send our SABM(0)
  353          * a timeout should be active?
  354          *
  355          * We must take note of the L2CAP MTU because currently
  356          * the L2CAP implementation can only do Basic Mode.
  357          */
  358         l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu);
  359 
  360         rs->rs_mtu -= 6; /* (RFCOMM overhead could be this big) */
  361         if (rs->rs_mtu < RFCOMM_MTU_MIN) {
  362                 rfcomm_session_disconnected(rs, EINVAL);
  363                 return;
  364         }
  365 
  366         if (IS_INITIATOR(rs)) {
  367                 int err;
  368 
  369                 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, 0);
  370                 if (err)
  371                         rfcomm_session_disconnected(rs, err);
  372 
  373                 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout * hz,
  374                     rfcomm_session_timeout, rs);
  375         }
  376 }
  377 
  378 static void
  379 rfcomm_session_disconnected(void *arg, int err)
  380 {
  381         struct rfcomm_session *rs = arg;
  382         struct rfcomm_dlc *dlc;
  383 
  384         DPRINTF("Disconnected\n");
  385 
  386         rs->rs_state = RFCOMM_SESSION_CLOSED;
  387 
  388         while (!LIST_EMPTY(&rs->rs_dlcs)) {
  389                 dlc = LIST_FIRST(&rs->rs_dlcs);
  390 
  391                 rfcomm_dlc_close(dlc, err);
  392         }
  393 
  394         rfcomm_session_free(rs);
  395 }
  396 
  397 static void *
  398 rfcomm_session_newconn(void *arg, struct sockaddr_bt *laddr,
  399                                 struct sockaddr_bt *raddr)
  400 {
  401         struct rfcomm_session *new, *rs = arg;
  402 
  403         DPRINTF("New Connection\n");
  404 
  405         /*
  406          * Incoming session connect request. We should return a new
  407          * session pointer if this is acceptable. The L2CAP layer
  408          * passes local and remote addresses, which we must check as
  409          * only one RFCOMM session is allowed between any two devices
  410          */
  411         new = rfcomm_session_lookup(laddr, raddr);
  412         if (new != NULL)
  413                 return NULL;
  414 
  415         new = rfcomm_session_alloc(&rfcomm_session_active, laddr);
  416         if (new == NULL)
  417                 return NULL;
  418 
  419         new->rs_mtu = rs->rs_mtu;
  420         new->rs_state = RFCOMM_SESSION_WAIT_CONNECT;
  421 
  422         /*
  423          * schedule an expiry so that if nothing comes of it we
  424          * can punt.
  425          */
  426         callout_reset(&rs->rs_timeout, rfcomm_mcc_timeout * hz,
  427             rfcomm_session_timeout, rs);
  428 
  429         return new->rs_l2cap;
  430 }
  431 
  432 static void
  433 rfcomm_session_complete(void *arg, int count)
  434 {
  435         struct rfcomm_session *rs = arg;
  436         struct rfcomm_credit *credit;
  437         struct rfcomm_dlc *dlc;
  438 
  439         /*
  440          * count L2CAP packets are 'complete', meaning that they are cleared
  441          * our buffers (for best effort) or arrived safe (for guaranteed) so
  442          * we can take it off our list and pass the message on, so that
  443          * eventually the data can be removed from the sockbuf
  444          */
  445         while (count-- > 0) {
  446                 credit = STAILQ_FIRST(&rs->rs_credits);
  447 #ifdef DIAGNOSTIC
  448                 if (credit == NULL) {
  449                         kprintf("%s: too many packets completed!\n", __func__);
  450                         break;
  451                 }
  452 #endif
  453                 dlc = credit->rc_dlc;
  454                 if (dlc != NULL) {
  455                         dlc->rd_pending--;
  456                         (*dlc->rd_proto->complete)
  457                                         (dlc->rd_upper, credit->rc_len);
  458 
  459                         /*
  460                          * if not using credit flow control, we may push
  461                          * more data now
  462                          */
  463                         if ((rs->rs_flags & RFCOMM_SESSION_CFC) == 0
  464                             && dlc->rd_state == RFCOMM_DLC_OPEN) {
  465                                 rfcomm_dlc_start(dlc);
  466                         }
  467 
  468                         /*
  469                          * When shutdown is indicated, we are just waiting to
  470                          * clear outgoing data.
  471                          */
  472                         if ((dlc->rd_flags & RFCOMM_DLC_SHUTDOWN)
  473                             && dlc->rd_txbuf == NULL && dlc->rd_pending == 0) {
  474                                 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT;
  475                                 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC,
  476                                                             dlc->rd_dlci);
  477                                 callout_reset(&dlc->rd_timeout,
  478                                     rfcomm_ack_timeout * hz,
  479                                     rfcomm_dlc_timeout, dlc);
  480                         }
  481                 }
  482 
  483                 STAILQ_REMOVE_HEAD(&rs->rs_credits, rc_next);
  484                 zfree(rfcomm_credit_pool, credit);
  485         }
  486 
  487         /*
  488          * If session is closed, we are just waiting to clear the queue
  489          */
  490         if (rs->rs_state == RFCOMM_SESSION_CLOSED) {
  491                 if (STAILQ_EMPTY(&rs->rs_credits))
  492                         l2cap_disconnect(rs->rs_l2cap, 0);
  493         }
  494 }
  495 
  496 /*
  497  * Link Mode changed
  498  *
  499  * This is called when a mode change is complete. Proceed with connections
  500  * where appropriate, or pass the new mode to any active DLCs.
  501  */
  502 static void
  503 rfcomm_session_linkmode(void *arg, int new)
  504 {
  505         struct rfcomm_session *rs = arg;
  506         struct rfcomm_dlc *dlc, *next;
  507         int err, mode = 0;
  508 
  509         DPRINTF("auth %s, encrypt %s, secure %s\n",
  510                 (new & L2CAP_LM_AUTH ? "on" : "off"),
  511                 (new & L2CAP_LM_ENCRYPT ? "on" : "off"),
  512                 (new & L2CAP_LM_SECURE ? "on" : "off"));
  513 
  514         if (new & L2CAP_LM_AUTH)
  515                 mode |= RFCOMM_LM_AUTH;
  516 
  517         if (new & L2CAP_LM_ENCRYPT)
  518                 mode |= RFCOMM_LM_ENCRYPT;
  519 
  520         if (new & L2CAP_LM_SECURE)
  521                 mode |= RFCOMM_LM_SECURE;
  522 
  523         next = LIST_FIRST(&rs->rs_dlcs);
  524         while ((dlc = next) != NULL) {
  525                 next = LIST_NEXT(dlc, rd_next);
  526 
  527                 switch (dlc->rd_state) {
  528                 case RFCOMM_DLC_WAIT_SEND_SABM: /* we are connecting */
  529                         if ((mode & dlc->rd_mode) != dlc->rd_mode) {
  530                                 rfcomm_dlc_close(dlc, ECONNABORTED);
  531                         } else {
  532                                 err = rfcomm_session_send_frame(rs,
  533                                             RFCOMM_FRAME_SABM, dlc->rd_dlci);
  534                                 if (err) {
  535                                         rfcomm_dlc_close(dlc, err);
  536                                 } else {
  537                                         dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA;
  538                                         callout_reset(&dlc->rd_timeout,
  539                                             rfcomm_ack_timeout * hz,
  540                                             rfcomm_dlc_timeout, dlc);
  541 
  542                                         break;
  543                                 }
  544                         }
  545 
  546                         /*
  547                          * If we aborted the connection and there are no more DLCs
  548                          * on the session, it is our responsibility to disconnect.
  549                          */
  550                         if (!LIST_EMPTY(&rs->rs_dlcs))
  551                                 break;
  552 
  553                         rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT;
  554                         rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0);
  555                         callout_reset(&rs->rs_timeout, rfcomm_ack_timeout * hz,
  556                             rfcomm_session_timeout, rs);
  557                         break;
  558 
  559                 case RFCOMM_DLC_WAIT_SEND_UA: /* they are connecting */
  560                         if ((mode & dlc->rd_mode) != dlc->rd_mode) {
  561                                 rfcomm_session_send_frame(rs,
  562                                             RFCOMM_FRAME_DM, dlc->rd_dlci);
  563                                 rfcomm_dlc_close(dlc, ECONNABORTED);
  564                                 break;
  565                         }
  566 
  567                         err = rfcomm_session_send_frame(rs,
  568                                             RFCOMM_FRAME_UA, dlc->rd_dlci);
  569                         if (err) {
  570                                 rfcomm_session_send_frame(rs,
  571                                                 RFCOMM_FRAME_DM, dlc->rd_dlci);
  572                                 rfcomm_dlc_close(dlc, err);
  573                                 break;
  574                         }
  575 
  576                         err = rfcomm_dlc_open(dlc);
  577                         if (err) {
  578                                 rfcomm_session_send_frame(rs,
  579                                                 RFCOMM_FRAME_DM, dlc->rd_dlci);
  580                                 rfcomm_dlc_close(dlc, err);
  581                                 break;
  582                         }
  583 
  584                         break;
  585 
  586                 case RFCOMM_DLC_WAIT_RECV_UA:
  587                 case RFCOMM_DLC_OPEN: /* already established */
  588                         (*dlc->rd_proto->linkmode)(dlc->rd_upper, mode);
  589                         break;
  590 
  591                 default:
  592                         break;
  593                 }
  594         }
  595 }
  596 
  597 /*
  598  * Receive data from L2CAP layer for session. There is always exactly one
  599  * RFCOMM frame contained in each L2CAP frame.
  600  */
  601 static void
  602 rfcomm_session_input(void *arg, struct mbuf *m)
  603 {
  604         struct rfcomm_session *rs = arg;
  605         int dlci, len, type, pf;
  606         uint8_t fcs, b;
  607 
  608         KKASSERT(m != NULL);
  609         KKASSERT(rs != NULL);
  610 
  611         /*
  612          * UIH frames: FCS is only calculated on address and control fields
  613          * For other frames: FCS is calculated on address, control and length
  614          * Length may extend to two octets
  615          */
  616         fcs = 0xff;
  617 
  618         if (m->m_pkthdr.len < 4) {
  619                 DPRINTF("short frame (%d), discarded\n", m->m_pkthdr.len);
  620                 goto done;
  621         }
  622 
  623         /* address - one octet */
  624         m_copydata(m, 0, 1, &b);
  625         m_adj(m, 1);
  626         fcs = FCS(fcs, b);
  627         dlci = RFCOMM_DLCI(b);
  628 
  629         /* control - one octet */
  630         m_copydata(m, 0, 1, &b);
  631         m_adj(m, 1);
  632         fcs = FCS(fcs, b);
  633         type = RFCOMM_TYPE(b);
  634         pf = RFCOMM_PF(b);
  635 
  636         /* length - may be two octets */
  637         m_copydata(m, 0, 1, &b);
  638         m_adj(m, 1);
  639         if (type != RFCOMM_FRAME_UIH)
  640                 fcs = FCS(fcs, b);
  641         len = (b >> 1) & 0x7f;
  642 
  643         if (RFCOMM_EA(b) == 0) {
  644                 if (m->m_pkthdr.len < 2) {
  645                         DPRINTF("short frame (%d, EA = 0), discarded\n",
  646                                 m->m_pkthdr.len);
  647                         goto done;
  648                 }
  649 
  650                 m_copydata(m, 0, 1, &b);
  651                 m_adj(m, 1);
  652                 if (type != RFCOMM_FRAME_UIH)
  653                         fcs = FCS(fcs, b);
  654 
  655                 len |= (b << 7);
  656         }
  657 
  658         /* FCS byte is last octet in frame */
  659         m_copydata(m, m->m_pkthdr.len - 1, 1, &b);
  660         m_adj(m, -1);
  661         fcs = FCS(fcs, b);
  662 
  663         if (fcs != 0xcf) {
  664                 DPRINTF("Bad FCS value (%#2.2x), frame discarded\n", fcs);
  665                 goto done;
  666         }
  667 
  668         DPRINTFN(10, "dlci %d, type %2.2x, len = %d\n", dlci, type, len);
  669 
  670         switch (type) {
  671         case RFCOMM_FRAME_SABM:
  672                 if (pf)
  673                         rfcomm_session_recv_sabm(rs, dlci);
  674                 break;
  675 
  676         case RFCOMM_FRAME_DISC:
  677                 if (pf)
  678                         rfcomm_session_recv_disc(rs, dlci);
  679                 break;
  680 
  681         case RFCOMM_FRAME_UA:
  682                 if (pf)
  683                         rfcomm_session_recv_ua(rs, dlci);
  684                 break;
  685 
  686         case RFCOMM_FRAME_DM:
  687                 rfcomm_session_recv_dm(rs, dlci);
  688                 break;
  689 
  690         case RFCOMM_FRAME_UIH:
  691                 rfcomm_session_recv_uih(rs, dlci, pf, m, len);
  692                 return; /* (no release) */
  693 
  694         default:
  695                 UNKNOWN(type);
  696                 break;
  697         }
  698 
  699 done:
  700         m_freem(m);
  701 }
  702 
  703 /***********************************************************************
  704  *
  705  *      RFCOMM Session receive processing
  706  */
  707 
  708 /*
  709  * rfcomm_session_recv_sabm(rfcomm_session, dlci)
  710  *
  711  * Set Asyncrhonous Balanced Mode - open the channel.
  712  */
  713 static void
  714 rfcomm_session_recv_sabm(struct rfcomm_session *rs, int dlci)
  715 {
  716         struct rfcomm_dlc *dlc;
  717         int err;
  718 
  719         DPRINTFN(5, "SABM(%d)\n", dlci);
  720 
  721         if (dlci == 0) {        /* Open Session */
  722                 rs->rs_state = RFCOMM_SESSION_OPEN;
  723                 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0);
  724                 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) {
  725                         if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION)
  726                                 rfcomm_dlc_connect(dlc);
  727                 }
  728                 return;
  729         }
  730 
  731         if (rs->rs_state != RFCOMM_SESSION_OPEN) {
  732                 DPRINTF("session was not even open!\n");
  733                 return;
  734         }
  735 
  736         /* validate direction bit */
  737         if ((IS_INITIATOR(rs) && !RFCOMM_DIRECTION(dlci))
  738             || (!IS_INITIATOR(rs) && RFCOMM_DIRECTION(dlci))) {
  739                 DPRINTF("Invalid direction bit on DLCI\n");
  740                 return;
  741         }
  742 
  743         /*
  744          * look for our DLC - this may exist if we received PN
  745          * already, or we may have to fabricate a new one.
  746          */
  747         dlc = rfcomm_dlc_lookup(rs, dlci);
  748         if (dlc == NULL) {
  749                 dlc = rfcomm_dlc_newconn(rs, dlci);
  750                 if (dlc == NULL)
  751                         return; /* (DM is sent) */
  752         }
  753 
  754         /*
  755          * ..but if this DLC is not waiting to connect, they did
  756          * something wrong, ignore it.
  757          */
  758         if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT)
  759                 return;
  760 
  761         /* set link mode */
  762         err = rfcomm_dlc_setmode(dlc);
  763         if (err == EINPROGRESS) {
  764                 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_UA;
  765                 (*dlc->rd_proto->connecting)(dlc->rd_upper);
  766                 return;
  767         }
  768         if (err)
  769                 goto close;
  770 
  771         err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci);
  772         if (err)
  773                 goto close;
  774 
  775         /* and mark it open */
  776         err = rfcomm_dlc_open(dlc);
  777         if (err)
  778                 goto close;
  779 
  780         return;
  781 
  782 close:
  783         rfcomm_dlc_close(dlc, err);
  784 }
  785 
  786 /*
  787  * Receive Disconnect Command
  788  */
  789 static void
  790 rfcomm_session_recv_disc(struct rfcomm_session *rs, int dlci)
  791 {
  792         struct rfcomm_dlc *dlc;
  793 
  794         DPRINTFN(5, "DISC(%d)\n", dlci);
  795 
  796         if (dlci == 0) {
  797                 /*
  798                  * Disconnect Session
  799                  *
  800                  * We set the session state to CLOSED so that when
  801                  * the UA frame is clear the session will be closed
  802                  * automatically. We wont bother to close any DLC's
  803                  * just yet as there should be none. In the unlikely
  804                  * event that something is left, it will get flushed
  805                  * out as the session goes down.
  806                  */
  807                 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0);
  808                 rs->rs_state = RFCOMM_SESSION_CLOSED;
  809                 return;
  810         }
  811 
  812         dlc = rfcomm_dlc_lookup(rs, dlci);
  813         if (dlc == NULL) {
  814                 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci);
  815                 return;
  816         }
  817 
  818         rfcomm_dlc_close(dlc, ECONNRESET);
  819         rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci);
  820 }
  821 
  822 /*
  823  * Receive Unnumbered Acknowledgement Response
  824  *
  825  * This should be a response to a DISC or SABM frame that we
  826  * have previously sent. If unexpected, ignore it.
  827  */
  828 static void
  829 rfcomm_session_recv_ua(struct rfcomm_session *rs, int dlci)
  830 {
  831         struct rfcomm_dlc *dlc;
  832 
  833         DPRINTFN(5, "UA(%d)\n", dlci);
  834 
  835         if (dlci == 0) {
  836                 switch (rs->rs_state) {
  837                 case RFCOMM_SESSION_WAIT_CONNECT:       /* We sent SABM */
  838                         callout_stop(&rs->rs_timeout);
  839                         rs->rs_state = RFCOMM_SESSION_OPEN;
  840                         LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) {
  841                                 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION)
  842                                         rfcomm_dlc_connect(dlc);
  843                         }
  844                         break;
  845 
  846                 case RFCOMM_SESSION_WAIT_DISCONNECT:    /* We sent DISC */
  847                         callout_stop(&rs->rs_timeout);
  848                         rs->rs_state = RFCOMM_SESSION_CLOSED;
  849                         l2cap_disconnect(rs->rs_l2cap, 0);
  850                         break;
  851 
  852                 default:
  853                         DPRINTF("Received spurious UA(0)!\n");
  854                         break;
  855                 }
  856 
  857                 return;
  858         }
  859 
  860         /*
  861          * If we have no DLC on this dlci, we may have aborted
  862          * without shutting down properly, so check if the session
  863          * needs disconnecting.
  864          */
  865         dlc = rfcomm_dlc_lookup(rs, dlci);
  866         if (dlc == NULL)
  867                 goto check;
  868 
  869         switch (dlc->rd_state) {
  870         case RFCOMM_DLC_WAIT_RECV_UA:           /* We sent SABM */
  871                 rfcomm_dlc_open(dlc);
  872                 return;
  873 
  874         case RFCOMM_DLC_WAIT_DISCONNECT:        /* We sent DISC */
  875                 rfcomm_dlc_close(dlc, 0);
  876                 break;
  877 
  878         default:
  879                 DPRINTF("Received spurious UA(%d)!\n", dlci);
  880                 return;
  881         }
  882 
  883 check:  /* last one out turns out the light */
  884         if (LIST_EMPTY(&rs->rs_dlcs)) {
  885                 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT;
  886                 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0);
  887                 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout*hz,rfcomm_session_timeout,rs);
  888         }
  889 }
  890 
  891 /*
  892  * Receive Disconnected Mode Response
  893  *
  894  * If this does not apply to a known DLC then we may ignore it.
  895  */
  896 static void
  897 rfcomm_session_recv_dm(struct rfcomm_session *rs, int dlci)
  898 {
  899         struct rfcomm_dlc *dlc;
  900 
  901         DPRINTFN(5, "DM(%d)\n", dlci);
  902 
  903         dlc = rfcomm_dlc_lookup(rs, dlci);
  904         if (dlc == NULL)
  905                 return;
  906 
  907         if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT)
  908                 rfcomm_dlc_close(dlc, ECONNREFUSED);
  909         else
  910                 rfcomm_dlc_close(dlc, ECONNRESET);
  911 }
  912 
  913 /*
  914  * Receive Unnumbered Information with Header check (MCC or data packet)
  915  */
  916 static void
  917 rfcomm_session_recv_uih(struct rfcomm_session *rs, int dlci,
  918                         int pf, struct mbuf *m, int len)
  919 {
  920         struct rfcomm_dlc *dlc;
  921         uint8_t credits = 0;
  922 
  923         DPRINTFN(10, "UIH(%d)\n", dlci);
  924 
  925         if (dlci == 0) {
  926                 rfcomm_session_recv_mcc(rs, m);
  927                 return;
  928         }
  929 
  930         if (m->m_pkthdr.len != len + pf) {
  931                 DPRINTF("Bad Frame Length (%d), frame discarded\n",
  932                             m->m_pkthdr.len);
  933 
  934                 goto discard;
  935         }
  936 
  937         dlc = rfcomm_dlc_lookup(rs, dlci);
  938         if (dlc == NULL) {
  939                 DPRINTF("UIH received for non existent DLC, discarded\n");
  940                 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci);
  941                 goto discard;
  942         }
  943 
  944         if (dlc->rd_state != RFCOMM_DLC_OPEN) {
  945                 DPRINTF("non-open DLC (state = %d), discarded\n",
  946                                 dlc->rd_state);
  947                 goto discard;
  948         }
  949 
  950         /* if PF is set, credits were included */
  951         if (rs->rs_flags & RFCOMM_SESSION_CFC) {
  952                 if (pf != 0) {
  953                         if (m->m_pkthdr.len < sizeof(credits)) {
  954                                 DPRINTF("Bad PF value, UIH discarded\n");
  955                                 goto discard;
  956                         }
  957 
  958                         m_copydata(m, 0, sizeof(credits), &credits);
  959                         m_adj(m, sizeof(credits));
  960 
  961                         dlc->rd_txcred += credits;
  962 
  963                         if (credits > 0 && dlc->rd_txbuf != NULL)
  964                                 rfcomm_dlc_start(dlc);
  965                 }
  966 
  967                 if (len == 0)
  968                         goto discard;
  969 
  970                 if (dlc->rd_rxcred == 0) {
  971                         DPRINTF("Credit limit reached, UIH discarded\n");
  972                         goto discard;
  973                 }
  974 
  975                 if (len > dlc->rd_rxsize) {
  976                         DPRINTF("UIH frame exceeds rxsize, discarded\n");
  977                         goto discard;
  978                 }
  979 
  980                 dlc->rd_rxcred--;
  981                 dlc->rd_rxsize -= len;
  982         }
  983 
  984         (*dlc->rd_proto->input)(dlc->rd_upper, m);
  985         return;
  986 
  987 discard:
  988         m_freem(m);
  989 }
  990 
  991 /*
  992  * Receive Multiplexer Control Command
  993  */
  994 static void
  995 rfcomm_session_recv_mcc(struct rfcomm_session *rs, struct mbuf *m)
  996 {
  997         int type, cr, len;
  998         uint8_t b;
  999 
 1000         /*
 1001          * Extract MCC header.
 1002          *
 1003          * Fields are variable length using extension bit = 1 to signify the
 1004          * last octet in the sequence.
 1005          *
 1006          * Only single octet types are defined in TS 07.10/RFCOMM spec
 1007          *
 1008          * Length can realistically only use 15 bits (max RFCOMM MTU)
 1009          */
 1010         if (m->m_pkthdr.len < sizeof(b)) {
 1011                 DPRINTF("Short MCC header, discarded\n");
 1012                 goto release;
 1013         }
 1014 
 1015         m_copydata(m, 0, sizeof(b), &b);
 1016         m_adj(m, sizeof(b));
 1017 
 1018         if (RFCOMM_EA(b) == 0) {        /* verify no extensions */
 1019                 DPRINTF("MCC type EA = 0, discarded\n");
 1020                 goto release;
 1021         }
 1022 
 1023         type = RFCOMM_MCC_TYPE(b);
 1024         cr = RFCOMM_CR(b);
 1025 
 1026         len = 0;
 1027         do {
 1028                 if (m->m_pkthdr.len < sizeof(b)) {
 1029                         DPRINTF("Short MCC header, discarded\n");
 1030                         goto release;
 1031                 }
 1032 
 1033                 m_copydata(m, 0, sizeof(b), &b);
 1034                 m_adj(m, sizeof(b));
 1035 
 1036                 len = (len << 7) | (b >> 1);
 1037                 len = min(len, RFCOMM_MTU_MAX);
 1038         } while (RFCOMM_EA(b) == 0);
 1039 
 1040         if (len != m->m_pkthdr.len) {
 1041                 DPRINTF("Incorrect MCC length, discarded\n");
 1042                 goto release;
 1043         }
 1044 
 1045         DPRINTFN(2, "MCC %s type %2.2x (%d bytes)\n",
 1046                 (cr ? "command" : "response"), type, len);
 1047 
 1048         /*
 1049          * pass to command handler
 1050          */
 1051         switch(type) {
 1052         case RFCOMM_MCC_TEST:   /* Test */
 1053                 rfcomm_session_recv_mcc_test(rs, cr, m);
 1054                 break;
 1055 
 1056         case RFCOMM_MCC_FCON:   /* Flow Control On */
 1057                 rfcomm_session_recv_mcc_fcon(rs, cr);
 1058                 break;
 1059 
 1060         case RFCOMM_MCC_FCOFF:  /* Flow Control Off */
 1061                 rfcomm_session_recv_mcc_fcoff(rs, cr);
 1062                 break;
 1063 
 1064         case RFCOMM_MCC_MSC:    /* Modem Status Command */
 1065                 rfcomm_session_recv_mcc_msc(rs, cr, m);
 1066                 break;
 1067 
 1068         case RFCOMM_MCC_RPN:    /* Remote Port Negotiation */
 1069                 rfcomm_session_recv_mcc_rpn(rs, cr, m);
 1070                 break;
 1071 
 1072         case RFCOMM_MCC_RLS:    /* Remote Line Status */
 1073                 rfcomm_session_recv_mcc_rls(rs, cr, m);
 1074                 break;
 1075 
 1076         case RFCOMM_MCC_PN:     /* Parameter Negotiation */
 1077                 rfcomm_session_recv_mcc_pn(rs, cr, m);
 1078                 break;
 1079 
 1080         case RFCOMM_MCC_NSC:    /* Non Supported Command */
 1081                 rfcomm_session_recv_mcc_nsc(rs, cr, m);
 1082                 break;
 1083 
 1084         default:
 1085                 b = RFCOMM_MKMCC_TYPE(cr, type);
 1086                 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_NSC, &b, sizeof(b));
 1087         }
 1088 
 1089 release:
 1090         m_freem(m);
 1091 }
 1092 
 1093 /*
 1094  * process TEST command/response
 1095  */
 1096 static void
 1097 rfcomm_session_recv_mcc_test(struct rfcomm_session *rs, int cr, struct mbuf *m)
 1098 {
 1099         void *data;
 1100         int len;
 1101 
 1102         if (cr == 0)    /* ignore ack */
 1103                 return;
 1104 
 1105         /*
 1106          * we must send all the data they included back as is
 1107          */
 1108 
 1109         len = m->m_pkthdr.len;
 1110         if (len > RFCOMM_MTU_MAX)
 1111                 return;
 1112 
 1113         data = kmalloc(len, M_BLUETOOTH, M_NOWAIT);
 1114         if (data == NULL)
 1115                 return;
 1116 
 1117         m_copydata(m, 0, len, data);
 1118         rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_TEST, data, len);
 1119         kfree(data, M_BLUETOOTH);
 1120 }
 1121 
 1122 /*
 1123  * process Flow Control ON command/response
 1124  */
 1125 static void
 1126 rfcomm_session_recv_mcc_fcon(struct rfcomm_session *rs, int cr)
 1127 {
 1128 
 1129         if (cr == 0)    /* ignore ack */
 1130                 return;
 1131 
 1132         rs->rs_flags |= RFCOMM_SESSION_RFC;
 1133         rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCON, NULL, 0);
 1134 }
 1135 
 1136 /*
 1137  * process Flow Control OFF command/response
 1138  */
 1139 static void
 1140 rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *rs, int cr)
 1141 {
 1142         if (cr == 0)    /* ignore ack */
 1143                 return;
 1144 
 1145         rs->rs_flags &= ~RFCOMM_SESSION_RFC;
 1146         rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCOFF, NULL, 0);
 1147 }
 1148 
 1149 /*
 1150  * process Modem Status Command command/response
 1151  */
 1152 static void
 1153 rfcomm_session_recv_mcc_msc(struct rfcomm_session *rs, int cr, struct mbuf *m)
 1154 {
 1155         struct rfcomm_mcc_msc msc;      /* (3 octets) */
 1156         struct rfcomm_dlc *dlc;
 1157         int len = 0;
 1158 
 1159         /* [ADDRESS] */
 1160         if (m->m_pkthdr.len < sizeof(msc.address))
 1161                 return;
 1162 
 1163         m_copydata(m, 0, sizeof(msc.address), &msc.address);
 1164         m_adj(m, sizeof(msc.address));
 1165         len += sizeof(msc.address);
 1166 
 1167         dlc = rfcomm_dlc_lookup(rs, RFCOMM_DLCI(msc.address));
 1168 
 1169         if (cr == 0) {  /* ignore acks */
 1170                 if (dlc != NULL)
 1171                         callout_stop(&dlc->rd_timeout);
 1172 
 1173                 return;
 1174         }
 1175 
 1176         if (dlc == NULL) {
 1177                 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM,
 1178                                                 RFCOMM_DLCI(msc.address));
 1179                 return;
 1180         }
 1181 
 1182         /* [SIGNALS] */
 1183         if (m->m_pkthdr.len < sizeof(msc.modem))
 1184                 return;
 1185 
 1186         m_copydata(m, 0, sizeof(msc.modem), &msc.modem);
 1187         m_adj(m, sizeof(msc.modem));
 1188         len += sizeof(msc.modem);
 1189 
 1190         dlc->rd_rmodem = msc.modem;
 1191         /* XXX how do we signal this upstream? */
 1192 
 1193         if (RFCOMM_EA(msc.modem) == 0) {
 1194                 if (m->m_pkthdr.len < sizeof(msc.brk))
 1195                         return;
 1196 
 1197                 m_copydata(m, 0, sizeof(msc.brk), &msc.brk);
 1198                 m_adj(m, sizeof(msc.brk));
 1199                 len += sizeof(msc.brk);
 1200 
 1201                 /* XXX how do we signal this upstream? */
 1202         }
 1203 
 1204         rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_MSC, &msc, len);
 1205 }
 1206 
 1207 /*
 1208  * process Remote Port Negotiation command/response
 1209  */
 1210 static void
 1211 rfcomm_session_recv_mcc_rpn(struct rfcomm_session *rs, int cr, struct mbuf *m)
 1212 {
 1213         struct rfcomm_mcc_rpn rpn;
 1214         uint16_t mask;
 1215 
 1216         if (cr == 0)    /* ignore ack */
 1217                 return;
 1218 
 1219         /* default values */
 1220         rpn.bit_rate = RFCOMM_RPN_BR_9600;
 1221         rpn.line_settings = RFCOMM_RPN_8_N_1;
 1222         rpn.flow_control = RFCOMM_RPN_FLOW_NONE;
 1223         rpn.xon_char = RFCOMM_RPN_XON_CHAR;
 1224         rpn.xoff_char = RFCOMM_RPN_XOFF_CHAR;
 1225 
 1226         if (m->m_pkthdr.len == sizeof(rpn)) {
 1227                 m_copydata(m, 0, sizeof(rpn), (caddr_t)&rpn);
 1228                 rpn.param_mask = RFCOMM_RPN_PM_ALL;
 1229         } else if (m->m_pkthdr.len == 1) {
 1230                 m_copydata(m, 0, 1, (caddr_t)&rpn);
 1231                 rpn.param_mask = letoh16(rpn.param_mask);
 1232         } else {
 1233                 DPRINTF("Bad RPN length (%d)\n", m->m_pkthdr.len);
 1234                 return;
 1235         }
 1236 
 1237         mask = 0;
 1238 
 1239         if (rpn.param_mask & RFCOMM_RPN_PM_RATE)
 1240                 mask |= RFCOMM_RPN_PM_RATE;
 1241 
 1242         if (rpn.param_mask & RFCOMM_RPN_PM_DATA
 1243             && RFCOMM_RPN_DATA_BITS(rpn.line_settings) == RFCOMM_RPN_DATA_8)
 1244                 mask |= RFCOMM_RPN_PM_DATA;
 1245 
 1246         if (rpn.param_mask & RFCOMM_RPN_PM_STOP
 1247             && RFCOMM_RPN_STOP_BITS(rpn.line_settings) == RFCOMM_RPN_STOP_1)
 1248                 mask |= RFCOMM_RPN_PM_STOP;
 1249 
 1250         if (rpn.param_mask & RFCOMM_RPN_PM_PARITY
 1251             && RFCOMM_RPN_PARITY(rpn.line_settings) == RFCOMM_RPN_PARITY_NONE)
 1252                 mask |= RFCOMM_RPN_PM_PARITY;
 1253 
 1254         if (rpn.param_mask & RFCOMM_RPN_PM_XON
 1255             && rpn.xon_char == RFCOMM_RPN_XON_CHAR)
 1256                 mask |= RFCOMM_RPN_PM_XON;
 1257 
 1258         if (rpn.param_mask & RFCOMM_RPN_PM_XOFF
 1259             && rpn.xoff_char == RFCOMM_RPN_XOFF_CHAR)
 1260                 mask |= RFCOMM_RPN_PM_XOFF;
 1261 
 1262         if (rpn.param_mask & RFCOMM_RPN_PM_FLOW
 1263             && rpn.flow_control == RFCOMM_RPN_FLOW_NONE)
 1264                 mask |= RFCOMM_RPN_PM_FLOW;
 1265 
 1266         rpn.param_mask = htole16(mask);
 1267 
 1268         rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RPN, &rpn, sizeof(rpn));
 1269 }
 1270 
 1271 /*
 1272  * process Remote Line Status command/response
 1273  */
 1274 static void
 1275 rfcomm_session_recv_mcc_rls(struct rfcomm_session *rs, int cr, struct mbuf *m)
 1276 {
 1277         struct rfcomm_mcc_rls rls;
 1278 
 1279         if (cr == 0)    /* ignore ack */
 1280                 return;
 1281 
 1282         if (m->m_pkthdr.len != sizeof(rls)) {
 1283                 DPRINTF("Bad RLS length %d\n", m->m_pkthdr.len);
 1284                 return;
 1285         }
 1286 
 1287         m_copydata(m, 0, sizeof(rls), (caddr_t)&rls);
 1288 
 1289         /*
 1290          * So far as I can tell, we just send back what
 1291          * they sent us. This signifies errors that seem
 1292          * irrelevent for RFCOMM over L2CAP.
 1293          */
 1294         rls.address |= 0x03;    /* EA = 1, CR = 1 */
 1295         rls.status &= 0x0f;     /* only 4 bits valid */
 1296 
 1297         rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RLS, &rls, sizeof(rls));
 1298 }
 1299 
 1300 /*
 1301  * process Parameter Negotiation command/response
 1302  */
 1303 static void
 1304 rfcomm_session_recv_mcc_pn(struct rfcomm_session *rs, int cr, struct mbuf *m)
 1305 {
 1306         struct rfcomm_dlc *dlc;
 1307         struct rfcomm_mcc_pn pn;
 1308         int err;
 1309 
 1310         if (m->m_pkthdr.len != sizeof(pn)) {
 1311                 DPRINTF("Bad PN length %d\n", m->m_pkthdr.len);
 1312                 return;
 1313         }
 1314 
 1315         m_copydata(m, 0, sizeof(pn), (caddr_t)&pn);
 1316 
 1317         pn.dlci &= 0x3f;
 1318         pn.mtu = letoh16(pn.mtu);
 1319 
 1320         dlc = rfcomm_dlc_lookup(rs, pn.dlci);
 1321         if (cr) {       /* Command */
 1322                 /*
 1323                  * If there is no DLC present, this is a new
 1324                  * connection so attempt to make one
 1325                  */
 1326                 if (dlc == NULL) {
 1327                         dlc = rfcomm_dlc_newconn(rs, pn.dlci);
 1328                         if (dlc == NULL)
 1329                                 return; /* (DM is sent) */
 1330                 }
 1331 
 1332                 /* accept any valid MTU, and offer it back */
 1333                 pn.mtu = min(pn.mtu, RFCOMM_MTU_MAX);
 1334                 pn.mtu = min(pn.mtu, rs->rs_mtu);
 1335                 pn.mtu = max(pn.mtu, RFCOMM_MTU_MIN);
 1336                 dlc->rd_mtu = pn.mtu;
 1337                 pn.mtu = htole16(pn.mtu);
 1338 
 1339                 /* credits are only set before DLC is open */
 1340                 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT
 1341                     && (pn.flow_control & 0xf0) == 0xf0) {
 1342                         rs->rs_flags |= RFCOMM_SESSION_CFC;
 1343                         dlc->rd_txcred = pn.credits & 0x07;
 1344 
 1345                         dlc->rd_rxcred = (dlc->rd_rxsize / dlc->rd_mtu);
 1346                         dlc->rd_rxcred = min(dlc->rd_rxcred,
 1347                                                 RFCOMM_CREDITS_DEFAULT);
 1348 
 1349                         pn.flow_control = 0xe0;
 1350                         pn.credits = dlc->rd_rxcred;
 1351                 } else {
 1352                         pn.flow_control = 0x00;
 1353                         pn.credits = 0x00;
 1354                 }
 1355 
 1356                 /* unused fields must be ignored and set to zero */
 1357                 pn.ack_timer = 0;
 1358                 pn.max_retrans = 0;
 1359 
 1360                 /* send our response */
 1361                 err = rfcomm_session_send_mcc(rs, 0,
 1362                                         RFCOMM_MCC_PN, &pn, sizeof(pn));
 1363                 if (err)
 1364                         goto close;
 1365 
 1366         } else {        /* Response */
 1367                 /* ignore responses with no matching DLC */
 1368                 if (dlc == NULL)
 1369                         return;
 1370 
 1371                 callout_stop(&dlc->rd_timeout);
 1372 
 1373                 if (pn.mtu > RFCOMM_MTU_MAX || pn.mtu > dlc->rd_mtu) {
 1374                         dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT;
 1375                         err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC,
 1376                                                         pn.dlci);
 1377                         if (err)
 1378                                 goto close;
 1379 
 1380                         callout_reset(&dlc->rd_timeout, rfcomm_ack_timeout * hz,
 1381                                     rfcomm_dlc_timeout, dlc);
 1382                         return;
 1383                 }
 1384                 dlc->rd_mtu = pn.mtu;
 1385 
 1386                 /* if DLC is not waiting to connect, we are done */
 1387                 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT)
 1388                         return;
 1389 
 1390                 /* set initial credits according to RFCOMM spec */
 1391                 if ((pn.flow_control & 0xf0) == 0xe0) {
 1392                         rs->rs_flags |= RFCOMM_SESSION_CFC;
 1393                         dlc->rd_txcred = (pn.credits & 0x07);
 1394                 }
 1395 
 1396                 callout_reset(&dlc->rd_timeout, rfcomm_ack_timeout * hz,
 1397                                     rfcomm_dlc_timeout, dlc);
 1398 
 1399                 /* set link mode */
 1400                 err = rfcomm_dlc_setmode(dlc);
 1401                 if (err == EINPROGRESS) {
 1402                         dlc->rd_state = RFCOMM_DLC_WAIT_SEND_SABM;
 1403                         (*dlc->rd_proto->connecting)(dlc->rd_upper);
 1404                         return;
 1405                 }
 1406                 if (err)
 1407                         goto close;
 1408 
 1409                 /* we can proceed now */
 1410                 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, pn.dlci);
 1411                 if (err)
 1412                         goto close;
 1413 
 1414                 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA;
 1415         }
 1416         return;
 1417 
 1418 close:
 1419         rfcomm_dlc_close(dlc, err);
 1420 }
 1421 
 1422 /*
 1423  * process Non Supported Command command/response
 1424  */
 1425 static void
 1426 rfcomm_session_recv_mcc_nsc(struct rfcomm_session *rs,
 1427     int cr, struct mbuf *m)
 1428 {
 1429         struct rfcomm_dlc *dlc, *next;
 1430 
 1431         /*
 1432          * Since we did nothing that is not mandatory,
 1433          * we just abort the whole session..
 1434          */
 1435 
 1436         next = LIST_FIRST(&rs->rs_dlcs);
 1437         while ((dlc = next) != NULL) {
 1438                 next = LIST_NEXT(dlc, rd_next);
 1439                 rfcomm_dlc_close(dlc, ECONNABORTED);
 1440         }
 1441 
 1442         rfcomm_session_free(rs);
 1443 }
 1444 
 1445 /***********************************************************************
 1446  *
 1447  *      RFCOMM Session outward frame/uih/mcc building
 1448  */
 1449 
 1450 /*
 1451  * SABM/DISC/DM/UA frames are all minimal and mostly identical.
 1452  */
 1453 int
 1454 rfcomm_session_send_frame(struct rfcomm_session *rs, int type, int dlci)
 1455 {
 1456         struct rfcomm_cmd_hdr *hdr;
 1457         struct rfcomm_credit *credit;
 1458         struct mbuf *m;
 1459         uint8_t fcs, cr;
 1460 
 1461         credit = zalloc(rfcomm_credit_pool);
 1462         if (credit == NULL)
 1463                 return ENOMEM;
 1464 
 1465         m = m_gethdr(MB_DONTWAIT, MT_DATA);
 1466         if (m == NULL) {
 1467                 zfree(rfcomm_credit_pool, credit);
 1468                 return ENOMEM;
 1469         }
 1470 
 1471         /*
 1472          * The CR (command/response) bit identifies the frame either as a
 1473          * commmand or a response and is used along with the DLCI to form
 1474          * the address. Commands contain the non-initiator address, whereas
 1475          * responses contain the initiator address, so the CR value is
 1476          * also dependent on the session direction.
 1477          */
 1478         if (type == RFCOMM_FRAME_UA || type == RFCOMM_FRAME_DM)
 1479                 cr = IS_INITIATOR(rs) ? 0 : 1;
 1480         else
 1481                 cr = IS_INITIATOR(rs) ? 1 : 0;
 1482 
 1483         hdr = mtod(m, struct rfcomm_cmd_hdr *);
 1484         hdr->address = RFCOMM_MKADDRESS(cr, dlci);
 1485         hdr->control = RFCOMM_MKCONTROL(type, 1);   /* PF = 1 */
 1486         hdr->length = (0x00 << 1) | 0x01;           /* len = 0x00, EA = 1 */
 1487 
 1488         fcs = 0xff;
 1489         fcs = FCS(fcs, hdr->address);
 1490         fcs = FCS(fcs, hdr->control);
 1491         fcs = FCS(fcs, hdr->length);
 1492         fcs = 0xff - fcs;       /* ones complement */
 1493         hdr->fcs = fcs;
 1494 
 1495         m->m_pkthdr.len = m->m_len = sizeof(struct rfcomm_cmd_hdr);
 1496 
 1497         /* empty credit note */
 1498         credit->rc_dlc = NULL;
 1499         credit->rc_len = m->m_pkthdr.len;
 1500         STAILQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next);
 1501 
 1502         DPRINTFN(5, "dlci %d type %2.2x (%d bytes, fcs=%#2.2x)\n",
 1503                 dlci, type, m->m_pkthdr.len, fcs);
 1504 
 1505         return l2cap_send(rs->rs_l2cap, m);
 1506 }
 1507 
 1508 /*
 1509  * rfcomm_session_send_uih(rfcomm_session, rfcomm_dlc, credits, mbuf)
 1510  *
 1511  * UIH frame is per DLC data or Multiplexer Control Commands
 1512  * when no DLC is given. Data mbuf is optional (just credits
 1513  * will be sent in that case)
 1514  */
 1515 int
 1516 rfcomm_session_send_uih(struct rfcomm_session *rs, struct rfcomm_dlc *dlc,
 1517                         int credits, struct mbuf *m)
 1518 {
 1519         struct rfcomm_credit *credit;
 1520         struct mbuf *m0 = NULL;
 1521         int err, len;
 1522         uint8_t fcs, *hdr;
 1523 
 1524         KKASSERT(rs != NULL);
 1525 
 1526         len = (m == NULL) ? 0 : m->m_pkthdr.len;
 1527         KKASSERT(!(credits == 0 && len == 0));
 1528 
 1529         /*
 1530          * Make a credit note for the completion notification
 1531          */
 1532         credit = zalloc(rfcomm_credit_pool);
 1533         if (credit == NULL)
 1534                 goto nomem;
 1535 
 1536         credit->rc_len = len;
 1537         credit->rc_dlc = dlc;
 1538 
 1539         /*
 1540          * Wrap UIH frame information around payload.
 1541          *
 1542          * [ADDRESS] [CONTROL] [LENGTH] [CREDITS] [...] [FCS]
 1543          *
 1544          * Address is one octet.
 1545          * Control is one octet.
 1546          * Length is one or two octets.
 1547          * Credits may be one octet.
 1548          *
 1549          * FCS is one octet and calculated on address and
 1550          *      control octets only.
 1551          *
 1552          * If there are credits to be sent, we will set the PF
 1553          * flag and include them in the frame.
 1554          */
 1555         m0 = m_gethdr(MB_DONTWAIT, MT_DATA);
 1556         if (m0 == NULL)
 1557                 goto nomem;
 1558 
 1559         MH_ALIGN(m0, 5);        /* (max 5 header octets) */
 1560         hdr = mtod(m0, uint8_t *);
 1561 
 1562         /* CR bit is set according to the initiator of the session */
 1563         *hdr = RFCOMM_MKADDRESS((IS_INITIATOR(rs) ? 1 : 0),
 1564                                 (dlc ? dlc->rd_dlci : 0));
 1565         fcs = FCS(0xff, *hdr);
 1566         hdr++;
 1567 
 1568         /* PF bit is set if credits are being sent */
 1569         *hdr = RFCOMM_MKCONTROL(RFCOMM_FRAME_UIH, (credits > 0 ? 1 : 0));
 1570         fcs = FCS(fcs, *hdr);
 1571         hdr++;
 1572 
 1573         if (len < (1 << 7)) {
 1574                 *hdr++ = ((len << 1) & 0xfe) | 0x01;    /* 7 bits, EA = 1 */
 1575         } else {
 1576                 *hdr++ = ((len << 1) & 0xfe);           /* 7 bits, EA = 0 */
 1577                 *hdr++ = ((len >> 7) & 0xff);           /* 8 bits, no EA */
 1578         }
 1579 
 1580         if (credits > 0)
 1581                 *hdr++ = (uint8_t)credits;
 1582 
 1583         m0->m_len = hdr - mtod(m0, uint8_t *);
 1584 
 1585         /* Append payload */
 1586         m0->m_next = m;
 1587         m = NULL;
 1588 
 1589         m0->m_pkthdr.len = m0->m_len + len;
 1590 
 1591         /* Append FCS */
 1592         fcs = 0xff - fcs;       /* ones complement */
 1593         len = m0->m_pkthdr.len;
 1594         m_copyback(m0, len, sizeof(fcs), &fcs);
 1595         if (m0->m_pkthdr.len != len + sizeof(fcs))
 1596                 goto nomem;
 1597 
 1598         DPRINTFN(10, "dlci %d, pktlen %d (%d data, %d credits), fcs=%#2.2x\n",
 1599                 dlc ? dlc->rd_dlci : 0, m0->m_pkthdr.len, credit->rc_len,
 1600                 credits, fcs);
 1601 
 1602         /*
 1603          * UIH frame ready to go..
 1604          */
 1605         err = l2cap_send(rs->rs_l2cap, m0);
 1606         if (err)
 1607                 goto fail;
 1608 
 1609         STAILQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next);
 1610         return 0;
 1611 
 1612 nomem:
 1613         err = ENOMEM;
 1614 
 1615         if (m0 != NULL)
 1616                 m_freem(m0);
 1617 
 1618         if (m != NULL)
 1619                 m_freem(m);
 1620 
 1621 fail:
 1622         if (credit != NULL)
 1623                 zfree(rfcomm_credit_pool, credit);
 1624 
 1625         return err;
 1626 }
 1627 
 1628 /*
 1629  * send Multiplexer Control Command (or Response) on session
 1630  */
 1631 int
 1632 rfcomm_session_send_mcc(struct rfcomm_session *rs, int cr,
 1633                         uint8_t type, void *data, int len)
 1634 {
 1635         struct mbuf *m;
 1636         uint8_t *hdr;
 1637         int hlen;
 1638 
 1639         m = m_gethdr(MB_DONTWAIT, MT_DATA);
 1640         if (m == NULL)
 1641                 return ENOMEM;
 1642 
 1643         hdr = mtod(m, uint8_t *);
 1644 
 1645         /*
 1646          * Technically the type field can extend past one octet, but none
 1647          * currently defined will do that.
 1648          */
 1649         *hdr++ = RFCOMM_MKMCC_TYPE(cr, type);
 1650 
 1651         /*
 1652          * In the frame, the max length size is 2 octets (15 bits) whereas
 1653          * no max length size is specified for MCC commands. We must allow
 1654          * for 3 octets since for MCC frames we use 7 bits + EA in each.
 1655          *
 1656          * Only test data can possibly be that big.
 1657          *
 1658          * XXX Should we check this against the MTU?
 1659          */
 1660         if (len < (1 << 7)) {
 1661                 *hdr++ = ((len << 1) & 0xfe) | 0x01;    /* 7 bits, EA = 1 */
 1662         } else if (len < (1 << 14)) {
 1663                 *hdr++ = ((len << 1) & 0xfe);           /* 7 bits, EA = 0 */
 1664                 *hdr++ = ((len >> 6) & 0xfe) | 0x01;    /* 7 bits, EA = 1 */
 1665         } else if (len < (1 << 15)) {
 1666                 *hdr++ = ((len << 1) & 0xfe);           /* 7 bits, EA = 0 */
 1667                 *hdr++ = ((len >> 6) & 0xfe);           /* 7 bits, EA = 0 */
 1668                 *hdr++ = ((len >> 13) & 0x02) | 0x01;   /* 1 bit,  EA = 1 */
 1669         } else {
 1670                 DPRINTF("incredible length! (%d)\n", len);
 1671                 m_freem(m);
 1672                 return EMSGSIZE;
 1673         }
 1674 
 1675         /*
 1676          * add command data (to same mbuf if possible)
 1677          */
 1678         hlen = hdr - mtod(m, uint8_t *);
 1679 
 1680         if (len > 0) {
 1681                 m->m_pkthdr.len = m->m_len = MHLEN;
 1682                 m_copyback(m, hlen, len, data);
 1683                 if (m->m_pkthdr.len != max(MHLEN, hlen + len)) {
 1684                         m_freem(m);
 1685                         return ENOMEM;
 1686                 }
 1687         }
 1688 
 1689         m->m_pkthdr.len = hlen + len;
 1690         m->m_len = min(MHLEN, m->m_pkthdr.len);
 1691 
 1692         DPRINTFN(5, "%s type %2.2x len %d\n",
 1693                 (cr ? "command" : "response"), type, m->m_pkthdr.len);
 1694 
 1695         return rfcomm_session_send_uih(rs, NULL, 0, m);
 1696 }

Cache object: 646657a339aabf41788768102f094e4c


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.