The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netbt/rfcomm_session.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*      $NetBSD: rfcomm_session.c,v 1.4.2.2 2010/01/03 17:12:44 jdc Exp $       */
    2 
    3 /*-
    4  * Copyright (c) 2006 Itronix Inc.
    5  * All rights reserved.
    6  *
    7  * Written by Iain Hibbert for Itronix Inc.
    8  *
    9  * Redistribution and use in source and binary forms, with or without
   10  * modification, are permitted provided that the following conditions
   11  * are met:
   12  * 1. Redistributions of source code must retain the above copyright
   13  *    notice, this list of conditions and the following disclaimer.
   14  * 2. Redistributions in binary form must reproduce the above copyright
   15  *    notice, this list of conditions and the following disclaimer in the
   16  *    documentation and/or other materials provided with the distribution.
   17  * 3. The name of Itronix Inc. may not be used to endorse
   18  *    or promote products derived from this software without specific
   19  *    prior written permission.
   20  *
   21  * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND
   22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
   23  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
   24  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY
   25  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
   26  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
   27  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   28  * ON ANY THEORY OF LIABILITY, WHETHER IN
   29  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
   30  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
   31  * POSSIBILITY OF SUCH DAMAGE.
   32  */
   33 
   34 #include <sys/cdefs.h>
   35 __KERNEL_RCSID(0, "$NetBSD: rfcomm_session.c,v 1.4.2.2 2010/01/03 17:12:44 jdc Exp $");
   36 
   37 #include <sys/param.h>
   38 #include <sys/kernel.h>
   39 #include <sys/mbuf.h>
   40 #include <sys/proc.h>
   41 #include <sys/systm.h>
   42 #include <sys/types.h>
   43 
   44 #include <netbt/bluetooth.h>
   45 #include <netbt/hci.h>
   46 #include <netbt/l2cap.h>
   47 #include <netbt/rfcomm.h>
   48 
   49 /******************************************************************************
   50  *
   51  * RFCOMM Multiplexer Sessions sit directly on L2CAP channels, and can
   52  * multiplex up to 30 incoming and 30 outgoing connections.
   53  * Only one Multiplexer is allowed between any two devices.
   54  */
   55 
   56 static void rfcomm_session_timeout(void *);
   57 static void rfcomm_session_recv_sabm(struct rfcomm_session *, int);
   58 static void rfcomm_session_recv_disc(struct rfcomm_session *, int);
   59 static void rfcomm_session_recv_ua(struct rfcomm_session *, int);
   60 static void rfcomm_session_recv_dm(struct rfcomm_session *, int);
   61 static void rfcomm_session_recv_uih(struct rfcomm_session *, int, int, struct mbuf *, int);
   62 static void rfcomm_session_recv_mcc(struct rfcomm_session *, struct mbuf *);
   63 static void rfcomm_session_recv_mcc_test(struct rfcomm_session *, int, struct mbuf *);
   64 static void rfcomm_session_recv_mcc_fcon(struct rfcomm_session *, int);
   65 static void rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *, int);
   66 static void rfcomm_session_recv_mcc_msc(struct rfcomm_session *, int, struct mbuf *);
   67 static void rfcomm_session_recv_mcc_rpn(struct rfcomm_session *, int, struct mbuf *);
   68 static void rfcomm_session_recv_mcc_rls(struct rfcomm_session *, int, struct mbuf *);
   69 static void rfcomm_session_recv_mcc_pn(struct rfcomm_session *, int, struct mbuf *);
   70 static void rfcomm_session_recv_mcc_nsc(struct rfcomm_session *, int, struct mbuf *);
   71 
   72 /* L2CAP callbacks */
   73 static void rfcomm_session_connecting(void *);
   74 static void rfcomm_session_connected(void *);
   75 static void rfcomm_session_disconnected(void *, int);
   76 static void *rfcomm_session_newconn(void *, struct sockaddr_bt *, struct sockaddr_bt *);
   77 static void rfcomm_session_complete(void *, int);
   78 static void rfcomm_session_linkmode(void *, int);
   79 static void rfcomm_session_input(void *, struct mbuf *);
   80 
   81 static const struct btproto rfcomm_session_proto = {
   82         rfcomm_session_connecting,
   83         rfcomm_session_connected,
   84         rfcomm_session_disconnected,
   85         rfcomm_session_newconn,
   86         rfcomm_session_complete,
   87         rfcomm_session_linkmode,
   88         rfcomm_session_input,
   89 };
   90 
   91 struct rfcomm_session_list
   92         rfcomm_session_active = LIST_HEAD_INITIALIZER(rfcomm_session_active);
   93 
   94 struct rfcomm_session_list
   95         rfcomm_session_listen = LIST_HEAD_INITIALIZER(rfcomm_session_listen);
   96 
   97 POOL_INIT(rfcomm_credit_pool, sizeof(struct rfcomm_credit),
   98                 0, 0, 0, "rfcomm_credit", NULL);
   99 
  100 /*
  101  * RFCOMM System Parameters (see section 5.3)
  102  */
  103 int rfcomm_mtu_default = 127;   /* bytes */
  104 int rfcomm_ack_timeout = 20;    /* seconds */
  105 int rfcomm_mcc_timeout = 20;    /* seconds */
  106 
  107 /*
  108  * Reversed CRC table as per TS 07.10 Annex B.3.5
  109  */
  110 static uint8_t crctable[256] = {        /* reversed, 8-bit, poly=0x07 */
  111         0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
  112         0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
  113         0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
  114         0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
  115 
  116         0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
  117         0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
  118         0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
  119         0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
  120 
  121         0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
  122         0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
  123         0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
  124         0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
  125 
  126         0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
  127         0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
  128         0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
  129         0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
  130 
  131         0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
  132         0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
  133         0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
  134         0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
  135 
  136         0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
  137         0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
  138         0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
  139         0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
  140 
  141         0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
  142         0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
  143         0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
  144         0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
  145 
  146         0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
  147         0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
  148         0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
  149         0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
  150 };
  151 
  152 #define FCS(f, d)       crctable[(f) ^ (d)]
  153 
  154 /*
  155  * rfcomm_session_alloc(list, sockaddr)
  156  *
  157  * allocate a new session and fill in the blanks, then
  158  * attach session to front of specified list (active or listen)
  159  */
  160 struct rfcomm_session *
  161 rfcomm_session_alloc(struct rfcomm_session_list *list,
  162                         struct sockaddr_bt *laddr)
  163 {
  164         struct rfcomm_session *rs;
  165         int err;
  166 
  167         rs = malloc(sizeof(*rs), M_BLUETOOTH, M_NOWAIT | M_ZERO);
  168         if (rs == NULL)
  169                 return NULL;
  170 
  171         rs->rs_state = RFCOMM_SESSION_CLOSED;
  172 
  173         callout_init(&rs->rs_timeout);
  174         callout_setfunc(&rs->rs_timeout, rfcomm_session_timeout, rs);
  175 
  176         SIMPLEQ_INIT(&rs->rs_credits);
  177         LIST_INIT(&rs->rs_dlcs);
  178 
  179         err = l2cap_attach(&rs->rs_l2cap, &rfcomm_session_proto, rs);
  180         if (err) {
  181                 free(rs, M_BLUETOOTH);
  182                 return NULL;
  183         }
  184 
  185         (void)l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu);
  186 
  187         if (laddr->bt_psm == L2CAP_PSM_ANY)
  188                 laddr->bt_psm = L2CAP_PSM_RFCOMM;
  189 
  190         (void)l2cap_bind(rs->rs_l2cap, laddr);
  191 
  192         LIST_INSERT_HEAD(list, rs, rs_next);
  193 
  194         return rs;
  195 }
  196 
  197 /*
  198  * rfcomm_session_free(rfcomm_session)
  199  *
  200  * release a session, including any cleanup
  201  */
  202 void
  203 rfcomm_session_free(struct rfcomm_session *rs)
  204 {
  205         struct rfcomm_credit *credit;
  206 
  207         KASSERT(rs != NULL);
  208         KASSERT(LIST_EMPTY(&rs->rs_dlcs));
  209 
  210         rs->rs_state = RFCOMM_SESSION_CLOSED;
  211 
  212         /*
  213          * If the callout is already invoked we have no way to stop it,
  214          * but it will call us back right away (there are no DLC's) so
  215          * not to worry.
  216          */
  217         callout_stop(&rs->rs_timeout);
  218         if (callout_invoking(&rs->rs_timeout))
  219                 return;
  220 
  221         /*
  222          * Take care that rfcomm_session_disconnected() doesnt call
  223          * us back either as it will do if the l2cap_channel has not
  224          * been closed when we detach it..
  225          */
  226         if (rs->rs_flags & RFCOMM_SESSION_FREE)
  227                 return;
  228 
  229         rs->rs_flags |= RFCOMM_SESSION_FREE;
  230 
  231         /* throw away any remaining credit notes */
  232         while ((credit = SIMPLEQ_FIRST(&rs->rs_credits)) != NULL) {
  233                 SIMPLEQ_REMOVE_HEAD(&rs->rs_credits, rc_next);
  234                 pool_put(&rfcomm_credit_pool, credit);
  235         }
  236 
  237         KASSERT(SIMPLEQ_EMPTY(&rs->rs_credits));
  238 
  239         /* Goodbye! */
  240         LIST_REMOVE(rs, rs_next);
  241         l2cap_detach(&rs->rs_l2cap);
  242         free(rs, M_BLUETOOTH);
  243 }
  244 
  245 /*
  246  * rfcomm_session_lookup(sockaddr, sockaddr)
  247  *
  248  * Find active rfcomm session matching src and dest addresses
  249  * when src is BDADDR_ANY match any local address
  250  */
  251 struct rfcomm_session *
  252 rfcomm_session_lookup(struct sockaddr_bt *src, struct sockaddr_bt *dest)
  253 {
  254         struct rfcomm_session *rs;
  255         struct sockaddr_bt addr;
  256 
  257         LIST_FOREACH(rs, &rfcomm_session_active, rs_next) {
  258                 if (rs->rs_state == RFCOMM_SESSION_CLOSED)
  259                         continue;
  260 
  261                 l2cap_sockaddr(rs->rs_l2cap, &addr);
  262 
  263                 if (bdaddr_same(&src->bt_bdaddr, &addr.bt_bdaddr) == 0)
  264                         if (bdaddr_any(&src->bt_bdaddr) == 0)
  265                                 continue;
  266 
  267                 l2cap_peeraddr(rs->rs_l2cap, &addr);
  268 
  269                 if (addr.bt_psm != dest->bt_psm)
  270                         continue;
  271 
  272                 if (bdaddr_same(&dest->bt_bdaddr, &addr.bt_bdaddr))
  273                         break;
  274         }
  275 
  276         return rs;
  277 }
  278 
  279 /*
  280  * rfcomm_session_timeout(rfcomm_session)
  281  *
  282  * Session timeouts are scheduled when a session is left or
  283  * created with no DLCs, and when SABM(0) or DISC(0) are
  284  * sent.
  285  *
  286  * So, if it is in an open state with DLC's attached then
  287  * we leave it alone, otherwise the session is lost.
  288  */
  289 static void
  290 rfcomm_session_timeout(void *arg)
  291 {
  292         struct rfcomm_session *rs = arg;
  293         struct rfcomm_dlc *dlc;
  294         int s;
  295 
  296         KASSERT(rs != NULL);
  297 
  298         s = splsoftnet();
  299         callout_ack(&rs->rs_timeout);
  300 
  301         if (rs->rs_state != RFCOMM_SESSION_OPEN) {
  302                 DPRINTF("timeout\n");
  303                 rs->rs_state = RFCOMM_SESSION_CLOSED;
  304 
  305                 while (!LIST_EMPTY(&rs->rs_dlcs)) {
  306                         dlc = LIST_FIRST(&rs->rs_dlcs);
  307 
  308                         rfcomm_dlc_close(dlc, ETIMEDOUT);
  309                 }
  310         }
  311 
  312         if (LIST_EMPTY(&rs->rs_dlcs)) {
  313                 DPRINTF("expiring\n");
  314                 rfcomm_session_free(rs);
  315         }
  316         splx(s);
  317 }
  318 
  319 /***********************************************************************
  320  *
  321  *      RFCOMM Session L2CAP protocol callbacks
  322  *
  323  */
  324 
  325 static void
  326 rfcomm_session_connecting(void *arg)
  327 {
  328         //struct rfcomm_session *rs = arg;
  329 
  330         DPRINTF("Connecting\n");
  331 }
  332 
  333 static void
  334 rfcomm_session_connected(void *arg)
  335 {
  336         struct rfcomm_session *rs = arg;
  337 
  338         DPRINTF("Connected\n");
  339 
  340         /*
  341          * L2CAP is open.
  342          *
  343          * If we are initiator, we can send our SABM(0)
  344          * a timeout should be active?
  345          *
  346          * We must take note of the L2CAP MTU because currently
  347          * the L2CAP implementation can only do Basic Mode.
  348          */
  349         l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu);
  350 
  351         rs->rs_mtu -= 6; /* (RFCOMM overhead could be this big) */
  352         if (rs->rs_mtu < RFCOMM_MTU_MIN) {
  353                 rfcomm_session_disconnected(rs, EINVAL);
  354                 return;
  355         }
  356 
  357         if (IS_INITIATOR(rs)) {
  358                 int err;
  359 
  360                 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, 0);
  361                 if (err)
  362                         rfcomm_session_disconnected(rs, err);
  363 
  364                 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz);
  365         }
  366 }
  367 
  368 static void
  369 rfcomm_session_disconnected(void *arg, int err)
  370 {
  371         struct rfcomm_session *rs = arg;
  372         struct rfcomm_dlc *dlc;
  373 
  374         DPRINTF("Disconnected\n");
  375 
  376         rs->rs_state = RFCOMM_SESSION_CLOSED;
  377 
  378         while (!LIST_EMPTY(&rs->rs_dlcs)) {
  379                 dlc = LIST_FIRST(&rs->rs_dlcs);
  380 
  381                 rfcomm_dlc_close(dlc, err);
  382         }
  383 
  384         rfcomm_session_free(rs);
  385 }
  386 
  387 static void *
  388 rfcomm_session_newconn(void *arg, struct sockaddr_bt *laddr,
  389                                 struct sockaddr_bt *raddr)
  390 {
  391         struct rfcomm_session *new, *rs = arg;
  392 
  393         DPRINTF("New Connection\n");
  394 
  395         /*
  396          * Incoming session connect request. We should return a new
  397          * session pointer if this is acceptable. The L2CAP layer
  398          * passes local and remote addresses, which we must check as
  399          * only one RFCOMM session is allowed between any two devices
  400          */
  401         new = rfcomm_session_lookup(laddr, raddr);
  402         if (new != NULL)
  403                 return NULL;
  404 
  405         new = rfcomm_session_alloc(&rfcomm_session_active, laddr);
  406         if (new == NULL)
  407                 return NULL;
  408 
  409         new->rs_mtu = rs->rs_mtu;
  410         new->rs_state = RFCOMM_SESSION_WAIT_CONNECT;
  411 
  412         /*
  413          * schedule an expiry so that if nothing comes of it we
  414          * can punt.
  415          */
  416         callout_schedule(&new->rs_timeout, rfcomm_mcc_timeout * hz);
  417 
  418         return new->rs_l2cap;
  419 }
  420 
  421 static void
  422 rfcomm_session_complete(void *arg, int count)
  423 {
  424         struct rfcomm_session *rs = arg;
  425         struct rfcomm_credit *credit;
  426         struct rfcomm_dlc *dlc;
  427 
  428         /*
  429          * count L2CAP packets are 'complete', meaning that they are cleared
  430          * our buffers (for best effort) or arrived safe (for guaranteed) so
  431          * we can take it off our list and pass the message on, so that
  432          * eventually the data can be removed from the sockbuf
  433          */
  434         while (count-- > 0) {
  435                 credit = SIMPLEQ_FIRST(&rs->rs_credits);
  436 #ifdef DIAGNOSTIC
  437                 if (credit == NULL) {
  438                         printf("%s: too many packets completed!\n", __func__);
  439                         break;
  440                 }
  441 #endif
  442                 dlc = credit->rc_dlc;
  443                 if (dlc != NULL) {
  444                         dlc->rd_pending--;
  445                         (*dlc->rd_proto->complete)
  446                                         (dlc->rd_upper, credit->rc_len);
  447 
  448                         /*
  449                          * if not using credit flow control, we may push
  450                          * more data now
  451                          */
  452                         if ((rs->rs_flags & RFCOMM_SESSION_CFC) == 0
  453                             && dlc->rd_state == RFCOMM_DLC_OPEN) {
  454                                 rfcomm_dlc_start(dlc);
  455                         }
  456 
  457                         /*
  458                          * When shutdown is indicated, we are just waiting to
  459                          * clear outgoing data.
  460                          */
  461                         if ((dlc->rd_flags & RFCOMM_DLC_SHUTDOWN)
  462                             && dlc->rd_txbuf == NULL && dlc->rd_pending == 0) {
  463                                 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT;
  464                                 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC,
  465                                                             dlc->rd_dlci);
  466                                 callout_schedule(&dlc->rd_timeout,
  467                                                     rfcomm_ack_timeout * hz);
  468                         }
  469                 }
  470 
  471                 SIMPLEQ_REMOVE_HEAD(&rs->rs_credits, rc_next);
  472                 pool_put(&rfcomm_credit_pool, credit);
  473         }
  474 
  475         /*
  476          * If session is closed, we are just waiting to clear the queue
  477          */
  478         if (rs->rs_state == RFCOMM_SESSION_CLOSED) {
  479                 if (SIMPLEQ_EMPTY(&rs->rs_credits))
  480                         l2cap_disconnect(rs->rs_l2cap, 0);
  481         }
  482 }
  483 
  484 /*
  485  * Link Mode changed
  486  *
  487  * This is called when a mode change is complete. Proceed with connections
  488  * where appropriate, or pass the new mode to any active DLCs.
  489  */
  490 static void
  491 rfcomm_session_linkmode(void *arg, int new)
  492 {
  493         struct rfcomm_session *rs = arg;
  494         struct rfcomm_dlc *dlc, *next;
  495         int err, mode = 0;
  496 
  497         DPRINTF("auth %s, encrypt %s, secure %s\n",
  498                 (new & L2CAP_LM_AUTH ? "on" : "off"),
  499                 (new & L2CAP_LM_ENCRYPT ? "on" : "off"),
  500                 (new & L2CAP_LM_SECURE ? "on" : "off"));
  501 
  502         if (new & L2CAP_LM_AUTH)
  503                 mode |= RFCOMM_LM_AUTH;
  504 
  505         if (new & L2CAP_LM_ENCRYPT)
  506                 mode |= RFCOMM_LM_ENCRYPT;
  507 
  508         if (new & L2CAP_LM_SECURE)
  509                 mode |= RFCOMM_LM_SECURE;
  510 
  511         next = LIST_FIRST(&rs->rs_dlcs);
  512         while ((dlc = next) != NULL) {
  513                 next = LIST_NEXT(dlc, rd_next);
  514 
  515                 switch (dlc->rd_state) {
  516                 case RFCOMM_DLC_WAIT_SEND_SABM: /* we are connecting */
  517                         if ((mode & dlc->rd_mode) != dlc->rd_mode) {
  518                                 rfcomm_dlc_close(dlc, ECONNABORTED);
  519                         } else {
  520                                 err = rfcomm_session_send_frame(rs,
  521                                             RFCOMM_FRAME_SABM, dlc->rd_dlci);
  522                                 if (err) {
  523                                         rfcomm_dlc_close(dlc, err);
  524                                 } else {
  525                                         dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA;
  526                                         callout_schedule(&dlc->rd_timeout,
  527                                                         rfcomm_ack_timeout * hz);
  528                                         break;
  529                                 }
  530                         }
  531 
  532                         /*
  533                          * If we aborted the connection and there are no more DLCs
  534                          * on the session, it is our responsibility to disconnect.
  535                          */
  536                         if (!LIST_EMPTY(&rs->rs_dlcs))
  537                                 break;
  538 
  539                         rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT;
  540                         rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0);
  541                         callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz);
  542                         break;
  543 
  544                 case RFCOMM_DLC_WAIT_SEND_UA: /* they are connecting */
  545                         if ((mode & dlc->rd_mode) != dlc->rd_mode) {
  546                                 rfcomm_session_send_frame(rs,
  547                                             RFCOMM_FRAME_DM, dlc->rd_dlci);
  548                                 rfcomm_dlc_close(dlc, ECONNABORTED);
  549                                 break;
  550                         }
  551 
  552                         err = rfcomm_session_send_frame(rs,
  553                                             RFCOMM_FRAME_UA, dlc->rd_dlci);
  554                         if (err) {
  555                                 rfcomm_session_send_frame(rs,
  556                                                 RFCOMM_FRAME_DM, dlc->rd_dlci);
  557                                 rfcomm_dlc_close(dlc, err);
  558                                 break;
  559                         }
  560 
  561                         err = rfcomm_dlc_open(dlc);
  562                         if (err) {
  563                                 rfcomm_session_send_frame(rs,
  564                                                 RFCOMM_FRAME_DM, dlc->rd_dlci);
  565                                 rfcomm_dlc_close(dlc, err);
  566                                 break;
  567                         }
  568 
  569                         break;
  570 
  571                 case RFCOMM_DLC_WAIT_RECV_UA:
  572                 case RFCOMM_DLC_OPEN: /* already established */
  573                         (*dlc->rd_proto->linkmode)(dlc->rd_upper, mode);
  574                         break;
  575 
  576                 default:
  577                         break;
  578                 }
  579         }
  580 }
  581 
  582 /*
  583  * Receive data from L2CAP layer for session. There is always exactly one
  584  * RFCOMM frame contained in each L2CAP frame.
  585  */
  586 static void
  587 rfcomm_session_input(void *arg, struct mbuf *m)
  588 {
  589         struct rfcomm_session *rs = arg;
  590         int dlci, len, type, pf;
  591         uint8_t fcs, b;
  592 
  593         KASSERT(m != NULL);
  594         KASSERT(rs != NULL);
  595 
  596         /*
  597          * UIH frames: FCS is only calculated on address and control fields
  598          * For other frames: FCS is calculated on address, control and length
  599          * Length may extend to two octets
  600          */
  601         fcs = 0xff;
  602 
  603         if (m->m_pkthdr.len < 4) {
  604                 DPRINTF("short frame (%d), discarded\n", m->m_pkthdr.len);
  605                 goto done;
  606         }
  607 
  608         /* address - one octet */
  609         m_copydata(m, 0, 1, &b);
  610         m_adj(m, 1);
  611         fcs = FCS(fcs, b);
  612         dlci = RFCOMM_DLCI(b);
  613 
  614         /* control - one octet */
  615         m_copydata(m, 0, 1, &b);
  616         m_adj(m, 1);
  617         fcs = FCS(fcs, b);
  618         type = RFCOMM_TYPE(b);
  619         pf = RFCOMM_PF(b);
  620 
  621         /* length - may be two octets */
  622         m_copydata(m, 0, 1, &b);
  623         m_adj(m, 1);
  624         if (type != RFCOMM_FRAME_UIH)
  625                 fcs = FCS(fcs, b);
  626         len = (b >> 1) & 0x7f;
  627 
  628         if (RFCOMM_EA(b) == 0) {
  629                 if (m->m_pkthdr.len < 2) {
  630                         DPRINTF("short frame (%d, EA = 0), discarded\n",
  631                                 m->m_pkthdr.len);
  632                         goto done;
  633                 }
  634 
  635                 m_copydata(m, 0, 1, &b);
  636                 m_adj(m, 1);
  637                 if (type != RFCOMM_FRAME_UIH)
  638                         fcs = FCS(fcs, b);
  639 
  640                 len |= (b << 7);
  641         }
  642 
  643         /* FCS byte is last octet in frame */
  644         m_copydata(m, m->m_pkthdr.len - 1, 1, &b);
  645         m_adj(m, -1);
  646         fcs = FCS(fcs, b);
  647 
  648         if (fcs != 0xcf) {
  649                 DPRINTF("Bad FCS value (%#2.2x), frame discarded\n", fcs);
  650                 goto done;
  651         }
  652 
  653         DPRINTFN(10, "dlci %d, type %2.2x, len = %d\n", dlci, type, len);
  654 
  655         switch (type) {
  656         case RFCOMM_FRAME_SABM:
  657                 if (pf)
  658                         rfcomm_session_recv_sabm(rs, dlci);
  659                 break;
  660 
  661         case RFCOMM_FRAME_DISC:
  662                 if (pf)
  663                         rfcomm_session_recv_disc(rs, dlci);
  664                 break;
  665 
  666         case RFCOMM_FRAME_UA:
  667                 if (pf)
  668                         rfcomm_session_recv_ua(rs, dlci);
  669                 break;
  670 
  671         case RFCOMM_FRAME_DM:
  672                 rfcomm_session_recv_dm(rs, dlci);
  673                 break;
  674 
  675         case RFCOMM_FRAME_UIH:
  676                 rfcomm_session_recv_uih(rs, dlci, pf, m, len);
  677                 return; /* (no release) */
  678 
  679         default:
  680                 UNKNOWN(type);
  681                 break;
  682         }
  683 
  684 done:
  685         m_freem(m);
  686 }
  687 
  688 /***********************************************************************
  689  *
  690  *      RFCOMM Session receive processing
  691  */
  692 
  693 /*
  694  * rfcomm_session_recv_sabm(rfcomm_session, dlci)
  695  *
  696  * Set Asyncrhonous Balanced Mode - open the channel.
  697  */
  698 static void
  699 rfcomm_session_recv_sabm(struct rfcomm_session *rs, int dlci)
  700 {
  701         struct rfcomm_dlc *dlc;
  702         int err;
  703 
  704         DPRINTFN(5, "SABM(%d)\n", dlci);
  705 
  706         if (dlci == 0) {        /* Open Session */
  707                 rs->rs_state = RFCOMM_SESSION_OPEN;
  708                 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0);
  709                 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) {
  710                         if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION)
  711                                 rfcomm_dlc_connect(dlc);
  712                 }
  713                 return;
  714         }
  715 
  716         if (rs->rs_state != RFCOMM_SESSION_OPEN) {
  717                 DPRINTF("session was not even open!\n");
  718                 return;
  719         }
  720 
  721         /* validate direction bit */
  722         if ((IS_INITIATOR(rs) && !RFCOMM_DIRECTION(dlci))
  723             || (!IS_INITIATOR(rs) && RFCOMM_DIRECTION(dlci))) {
  724                 DPRINTF("Invalid direction bit on DLCI\n");
  725                 return;
  726         }
  727 
  728         /*
  729          * look for our DLC - this may exist if we received PN
  730          * already, or we may have to fabricate a new one.
  731          */
  732         dlc = rfcomm_dlc_lookup(rs, dlci);
  733         if (dlc == NULL) {
  734                 dlc = rfcomm_dlc_newconn(rs, dlci);
  735                 if (dlc == NULL)
  736                         return; /* (DM is sent) */
  737         }
  738 
  739         /*
  740          * ..but if this DLC is not waiting to connect, they did
  741          * something wrong, ignore it.
  742          */
  743         if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT)
  744                 return;
  745 
  746         /* set link mode */
  747         err = rfcomm_dlc_setmode(dlc);
  748         if (err == EINPROGRESS) {
  749                 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_UA;
  750                 (*dlc->rd_proto->connecting)(dlc->rd_upper);
  751                 return;
  752         }
  753         if (err)
  754                 goto close;
  755 
  756         err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci);
  757         if (err)
  758                 goto close;
  759 
  760         /* and mark it open */
  761         err = rfcomm_dlc_open(dlc);
  762         if (err)
  763                 goto close;
  764 
  765         return;
  766 
  767 close:
  768         rfcomm_dlc_close(dlc, err);
  769 }
  770 
  771 /*
  772  * Receive Disconnect Command
  773  */
  774 static void
  775 rfcomm_session_recv_disc(struct rfcomm_session *rs, int dlci)
  776 {
  777         struct rfcomm_dlc *dlc;
  778 
  779         DPRINTFN(5, "DISC(%d)\n", dlci);
  780 
  781         if (dlci == 0) {
  782                 /*
  783                  * Disconnect Session
  784                  *
  785                  * We set the session state to CLOSED so that when
  786                  * the UA frame is clear the session will be closed
  787                  * automatically. We wont bother to close any DLC's
  788                  * just yet as there should be none. In the unlikely
  789                  * event that something is left, it will get flushed
  790                  * out as the session goes down.
  791                  */
  792                 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0);
  793                 rs->rs_state = RFCOMM_SESSION_CLOSED;
  794                 return;
  795         }
  796 
  797         dlc = rfcomm_dlc_lookup(rs, dlci);
  798         if (dlc == NULL) {
  799                 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci);
  800                 return;
  801         }
  802 
  803         rfcomm_dlc_close(dlc, ECONNRESET);
  804         rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci);
  805 }
  806 
  807 /*
  808  * Receive Unnumbered Acknowledgement Response
  809  *
  810  * This should be a response to a DISC or SABM frame that we
  811  * have previously sent. If unexpected, ignore it.
  812  */
  813 static void
  814 rfcomm_session_recv_ua(struct rfcomm_session *rs, int dlci)
  815 {
  816         struct rfcomm_dlc *dlc;
  817 
  818         DPRINTFN(5, "UA(%d)\n", dlci);
  819 
  820         if (dlci == 0) {
  821                 switch (rs->rs_state) {
  822                 case RFCOMM_SESSION_WAIT_CONNECT:       /* We sent SABM */
  823                         callout_stop(&rs->rs_timeout);
  824                         rs->rs_state = RFCOMM_SESSION_OPEN;
  825                         LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) {
  826                                 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION)
  827                                         rfcomm_dlc_connect(dlc);
  828                         }
  829                         break;
  830 
  831                 case RFCOMM_SESSION_WAIT_DISCONNECT:    /* We sent DISC */
  832                         callout_stop(&rs->rs_timeout);
  833                         rs->rs_state = RFCOMM_SESSION_CLOSED;
  834                         l2cap_disconnect(rs->rs_l2cap, 0);
  835                         break;
  836 
  837                 default:
  838                         DPRINTF("Received spurious UA(0)!\n");
  839                         break;
  840                 }
  841 
  842                 return;
  843         }
  844 
  845         /*
  846          * If we have no DLC on this dlci, we may have aborted
  847          * without shutting down properly, so check if the session
  848          * needs disconnecting.
  849          */
  850         dlc = rfcomm_dlc_lookup(rs, dlci);
  851         if (dlc == NULL)
  852                 goto check;
  853 
  854         switch (dlc->rd_state) {
  855         case RFCOMM_DLC_WAIT_RECV_UA:           /* We sent SABM */
  856                 rfcomm_dlc_open(dlc);
  857                 return;
  858 
  859         case RFCOMM_DLC_WAIT_DISCONNECT:        /* We sent DISC */
  860                 rfcomm_dlc_close(dlc, 0);
  861                 break;
  862 
  863         default:
  864                 DPRINTF("Received spurious UA(%d)!\n", dlci);
  865                 return;
  866         }
  867 
  868 check:  /* last one out turns out the light */
  869         if (LIST_EMPTY(&rs->rs_dlcs)) {
  870                 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT;
  871                 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0);
  872                 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz);
  873         }
  874 }
  875 
  876 /*
  877  * Receive Disconnected Mode Response
  878  *
  879  * If this does not apply to a known DLC then we may ignore it.
  880  */
  881 static void
  882 rfcomm_session_recv_dm(struct rfcomm_session *rs, int dlci)
  883 {
  884         struct rfcomm_dlc *dlc;
  885 
  886         DPRINTFN(5, "DM(%d)\n", dlci);
  887 
  888         dlc = rfcomm_dlc_lookup(rs, dlci);
  889         if (dlc == NULL)
  890                 return;
  891 
  892         if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT)
  893                 rfcomm_dlc_close(dlc, ECONNREFUSED);
  894         else
  895                 rfcomm_dlc_close(dlc, ECONNRESET);
  896 }
  897 
  898 /*
  899  * Receive Unnumbered Information with Header check (MCC or data packet)
  900  */
  901 static void
  902 rfcomm_session_recv_uih(struct rfcomm_session *rs, int dlci,
  903                         int pf, struct mbuf *m, int len)
  904 {
  905         struct rfcomm_dlc *dlc;
  906         uint8_t credits = 0;
  907 
  908         DPRINTFN(10, "UIH(%d)\n", dlci);
  909 
  910         if (dlci == 0) {
  911                 rfcomm_session_recv_mcc(rs, m);
  912                 return;
  913         }
  914 
  915         if (m->m_pkthdr.len != len + pf) {
  916                 DPRINTF("Bad Frame Length (%d), frame discarded\n",
  917                             m->m_pkthdr.len);
  918 
  919                 goto discard;
  920         }
  921 
  922         dlc = rfcomm_dlc_lookup(rs, dlci);
  923         if (dlc == NULL) {
  924                 DPRINTF("UIH received for non existent DLC, discarded\n");
  925                 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci);
  926                 goto discard;
  927         }
  928 
  929         if (dlc->rd_state != RFCOMM_DLC_OPEN) {
  930                 DPRINTF("non-open DLC (state = %d), discarded\n",
  931                                 dlc->rd_state);
  932                 goto discard;
  933         }
  934 
  935         /* if PF is set, credits were included */
  936         if (rs->rs_flags & RFCOMM_SESSION_CFC) {
  937                 if (pf != 0) {
  938                         if (m->m_pkthdr.len < sizeof(credits)) {
  939                                 DPRINTF("Bad PF value, UIH discarded\n");
  940                                 goto discard;
  941                         }
  942 
  943                         m_copydata(m, 0, sizeof(credits), &credits);
  944                         m_adj(m, sizeof(credits));
  945 
  946                         dlc->rd_txcred += credits;
  947 
  948                         if (credits > 0 && dlc->rd_txbuf != NULL)
  949                                 rfcomm_dlc_start(dlc);
  950                 }
  951 
  952                 if (len == 0)
  953                         goto discard;
  954 
  955                 if (dlc->rd_rxcred == 0) {
  956                         DPRINTF("Credit limit reached, UIH discarded\n");
  957                         goto discard;
  958                 }
  959 
  960                 if (len > dlc->rd_rxsize) {
  961                         DPRINTF("UIH frame exceeds rxsize, discarded\n");
  962                         goto discard;
  963                 }
  964 
  965                 dlc->rd_rxcred--;
  966                 dlc->rd_rxsize -= len;
  967         }
  968 
  969         (*dlc->rd_proto->input)(dlc->rd_upper, m);
  970         return;
  971 
  972 discard:
  973         m_freem(m);
  974 }
  975 
  976 /*
  977  * Receive Multiplexer Control Command
  978  */
  979 static void
  980 rfcomm_session_recv_mcc(struct rfcomm_session *rs, struct mbuf *m)
  981 {
  982         int type, cr, len;
  983         uint8_t b;
  984 
  985         /*
  986          * Extract MCC header.
  987          *
  988          * Fields are variable length using extension bit = 1 to signify the
  989          * last octet in the sequence.
  990          *
  991          * Only single octet types are defined in TS 07.10/RFCOMM spec
  992          *
  993          * Length can realistically only use 15 bits (max RFCOMM MTU)
  994          */
  995         if (m->m_pkthdr.len < sizeof(b)) {
  996                 DPRINTF("Short MCC header, discarded\n");
  997                 goto release;
  998         }
  999 
 1000         m_copydata(m, 0, sizeof(b), &b);
 1001         m_adj(m, sizeof(b));
 1002 
 1003         if (RFCOMM_EA(b) == 0) {        /* verify no extensions */
 1004                 DPRINTF("MCC type EA = 0, discarded\n");
 1005                 goto release;
 1006         }
 1007 
 1008         type = RFCOMM_MCC_TYPE(b);
 1009         cr = RFCOMM_CR(b);
 1010 
 1011         len = 0;
 1012         do {
 1013                 if (m->m_pkthdr.len < sizeof(b)) {
 1014                         DPRINTF("Short MCC header, discarded\n");
 1015                         goto release;
 1016                 }
 1017 
 1018                 m_copydata(m, 0, sizeof(b), &b);
 1019                 m_adj(m, sizeof(b));
 1020 
 1021                 len = (len << 7) | (b >> 1);
 1022                 len = min(len, RFCOMM_MTU_MAX);
 1023         } while (RFCOMM_EA(b) == 0);
 1024 
 1025         if (len != m->m_pkthdr.len) {
 1026                 DPRINTF("Incorrect MCC length, discarded\n");
 1027                 goto release;
 1028         }
 1029 
 1030         DPRINTFN(2, "MCC %s type %2.2x (%d bytes)\n",
 1031                 (cr ? "command" : "response"), type, len);
 1032 
 1033         /*
 1034          * pass to command handler
 1035          */
 1036         switch(type) {
 1037         case RFCOMM_MCC_TEST:   /* Test */
 1038                 rfcomm_session_recv_mcc_test(rs, cr, m);
 1039                 break;
 1040 
 1041         case RFCOMM_MCC_FCON:   /* Flow Control On */
 1042                 rfcomm_session_recv_mcc_fcon(rs, cr);
 1043                 break;
 1044 
 1045         case RFCOMM_MCC_FCOFF:  /* Flow Control Off */
 1046                 rfcomm_session_recv_mcc_fcoff(rs, cr);
 1047                 break;
 1048 
 1049         case RFCOMM_MCC_MSC:    /* Modem Status Command */
 1050                 rfcomm_session_recv_mcc_msc(rs, cr, m);
 1051                 break;
 1052 
 1053         case RFCOMM_MCC_RPN:    /* Remote Port Negotiation */
 1054                 rfcomm_session_recv_mcc_rpn(rs, cr, m);
 1055                 break;
 1056 
 1057         case RFCOMM_MCC_RLS:    /* Remote Line Status */
 1058                 rfcomm_session_recv_mcc_rls(rs, cr, m);
 1059                 break;
 1060 
 1061         case RFCOMM_MCC_PN:     /* Parameter Negotiation */
 1062                 rfcomm_session_recv_mcc_pn(rs, cr, m);
 1063                 break;
 1064 
 1065         case RFCOMM_MCC_NSC:    /* Non Supported Command */
 1066                 rfcomm_session_recv_mcc_nsc(rs, cr, m);
 1067                 break;
 1068 
 1069         default:
 1070                 b = RFCOMM_MKMCC_TYPE(cr, type);
 1071                 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_NSC, &b, sizeof(b));
 1072         }
 1073 
 1074 release:
 1075         m_freem(m);
 1076 }
 1077 
 1078 /*
 1079  * process TEST command/response
 1080  */
 1081 static void
 1082 rfcomm_session_recv_mcc_test(struct rfcomm_session *rs, int cr, struct mbuf *m)
 1083 {
 1084         void *data;
 1085         int len;
 1086 
 1087         if (cr == 0)    /* ignore ack */
 1088                 return;
 1089 
 1090         /*
 1091          * we must send all the data they included back as is
 1092          */
 1093 
 1094         len = m->m_pkthdr.len;
 1095         if (len > RFCOMM_MTU_MAX)
 1096                 return;
 1097 
 1098         data = malloc(len, M_BLUETOOTH, M_NOWAIT);
 1099         if (data == NULL)
 1100                 return;
 1101 
 1102         m_copydata(m, 0, len, data);
 1103         rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_TEST, data, len);
 1104         free(data, M_BLUETOOTH);
 1105 }
 1106 
 1107 /*
 1108  * process Flow Control ON command/response
 1109  */
 1110 static void
 1111 rfcomm_session_recv_mcc_fcon(struct rfcomm_session *rs, int cr)
 1112 {
 1113 
 1114         if (cr == 0)    /* ignore ack */
 1115                 return;
 1116 
 1117         rs->rs_flags |= RFCOMM_SESSION_RFC;
 1118         rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCON, NULL, 0);
 1119 }
 1120 
 1121 /*
 1122  * process Flow Control OFF command/response
 1123  */
 1124 static void
 1125 rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *rs, int cr)
 1126 {
 1127 
 1128         if (cr == 0)    /* ignore ack */
 1129                 return;
 1130 
 1131         rs->rs_flags &= ~RFCOMM_SESSION_RFC;
 1132         rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCOFF, NULL, 0);
 1133 }
 1134 
 1135 /*
 1136  * process Modem Status Command command/response
 1137  */
 1138 static void
 1139 rfcomm_session_recv_mcc_msc(struct rfcomm_session *rs, int cr, struct mbuf *m)
 1140 {
 1141         struct rfcomm_mcc_msc msc;      /* (3 octets) */
 1142         struct rfcomm_dlc *dlc;
 1143         int len = 0;
 1144 
 1145         /* [ADDRESS] */
 1146         if (m->m_pkthdr.len < sizeof(msc.address))
 1147                 return;
 1148 
 1149         m_copydata(m, 0, sizeof(msc.address), &msc.address);
 1150         m_adj(m, sizeof(msc.address));
 1151         len += sizeof(msc.address);
 1152 
 1153         dlc = rfcomm_dlc_lookup(rs, RFCOMM_DLCI(msc.address));
 1154 
 1155         if (cr == 0) {  /* ignore acks */
 1156                 if (dlc != NULL)
 1157                         callout_stop(&dlc->rd_timeout);
 1158 
 1159                 return;
 1160         }
 1161 
 1162         if (dlc == NULL) {
 1163                 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM,
 1164                                                 RFCOMM_DLCI(msc.address));
 1165                 return;
 1166         }
 1167 
 1168         /* [SIGNALS] */
 1169         if (m->m_pkthdr.len < sizeof(msc.modem))
 1170                 return;
 1171 
 1172         m_copydata(m, 0, sizeof(msc.modem), &msc.modem);
 1173         m_adj(m, sizeof(msc.modem));
 1174         len += sizeof(msc.modem);
 1175 
 1176         dlc->rd_rmodem = msc.modem;
 1177         // XXX how do we signal this upstream?
 1178 
 1179         if (RFCOMM_EA(msc.modem) == 0) {
 1180                 if (m->m_pkthdr.len < sizeof(msc.brk))
 1181                         return;
 1182 
 1183                 m_copydata(m, 0, sizeof(msc.brk), &msc.brk);
 1184                 m_adj(m, sizeof(msc.brk));
 1185                 len += sizeof(msc.brk);
 1186 
 1187                 // XXX how do we signal this upstream?
 1188         }
 1189 
 1190         rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_MSC, &msc, len);
 1191 }
 1192 
 1193 /*
 1194  * process Remote Port Negotiation command/response
 1195  */
 1196 static void
 1197 rfcomm_session_recv_mcc_rpn(struct rfcomm_session *rs, int cr, struct mbuf *m)
 1198 {
 1199         struct rfcomm_mcc_rpn rpn;
 1200         uint16_t mask;
 1201 
 1202         if (cr == 0)    /* ignore ack */
 1203                 return;
 1204 
 1205         /* default values */
 1206         rpn.bit_rate = RFCOMM_RPN_BR_9600;
 1207         rpn.line_settings = RFCOMM_RPN_8_N_1;
 1208         rpn.flow_control = RFCOMM_RPN_FLOW_NONE;
 1209         rpn.xon_char = RFCOMM_RPN_XON_CHAR;
 1210         rpn.xoff_char = RFCOMM_RPN_XOFF_CHAR;
 1211 
 1212         if (m->m_pkthdr.len == sizeof(rpn)) {
 1213                 m_copydata(m, 0, sizeof(rpn), &rpn);
 1214                 rpn.param_mask = RFCOMM_RPN_PM_ALL;
 1215         } else if (m->m_pkthdr.len == 1) {
 1216                 m_copydata(m, 0, 1, &rpn);
 1217                 rpn.param_mask = le16toh(rpn.param_mask);
 1218         } else {
 1219                 DPRINTF("Bad RPN length (%d)\n", m->m_pkthdr.len);
 1220                 return;
 1221         }
 1222 
 1223         mask = 0;
 1224 
 1225         if (rpn.param_mask & RFCOMM_RPN_PM_RATE)
 1226                 mask |= RFCOMM_RPN_PM_RATE;
 1227 
 1228         if (rpn.param_mask & RFCOMM_RPN_PM_DATA
 1229             && RFCOMM_RPN_DATA_BITS(rpn.line_settings) == RFCOMM_RPN_DATA_8)
 1230                 mask |= RFCOMM_RPN_PM_DATA;
 1231 
 1232         if (rpn.param_mask & RFCOMM_RPN_PM_STOP
 1233             && RFCOMM_RPN_STOP_BITS(rpn.line_settings) == RFCOMM_RPN_STOP_1)
 1234                 mask |= RFCOMM_RPN_PM_STOP;
 1235 
 1236         if (rpn.param_mask & RFCOMM_RPN_PM_PARITY
 1237             && RFCOMM_RPN_PARITY(rpn.line_settings) == RFCOMM_RPN_PARITY_NONE)
 1238                 mask |= RFCOMM_RPN_PM_PARITY;
 1239 
 1240         if (rpn.param_mask & RFCOMM_RPN_PM_XON
 1241             && rpn.xon_char == RFCOMM_RPN_XON_CHAR)
 1242                 mask |= RFCOMM_RPN_PM_XON;
 1243 
 1244         if (rpn.param_mask & RFCOMM_RPN_PM_XOFF
 1245             && rpn.xoff_char == RFCOMM_RPN_XOFF_CHAR)
 1246                 mask |= RFCOMM_RPN_PM_XOFF;
 1247 
 1248         if (rpn.param_mask & RFCOMM_RPN_PM_FLOW
 1249             && rpn.flow_control == RFCOMM_RPN_FLOW_NONE)
 1250                 mask |= RFCOMM_RPN_PM_FLOW;
 1251 
 1252         rpn.param_mask = htole16(mask);
 1253 
 1254         rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RPN, &rpn, sizeof(rpn));
 1255 }
 1256 
 1257 /*
 1258  * process Remote Line Status command/response
 1259  */
 1260 static void
 1261 rfcomm_session_recv_mcc_rls(struct rfcomm_session *rs, int cr, struct mbuf *m)
 1262 {
 1263         struct rfcomm_mcc_rls rls;
 1264 
 1265         if (cr == 0)    /* ignore ack */
 1266                 return;
 1267 
 1268         if (m->m_pkthdr.len != sizeof(rls)) {
 1269                 DPRINTF("Bad RLS length %d\n", m->m_pkthdr.len);
 1270                 return;
 1271         }
 1272 
 1273         m_copydata(m, 0, sizeof(rls), &rls);
 1274 
 1275         /*
 1276          * So far as I can tell, we just send back what
 1277          * they sent us. This signifies errors that seem
 1278          * irrelevent for RFCOMM over L2CAP.
 1279          */
 1280         rls.address |= 0x03;    /* EA = 1, CR = 1 */
 1281         rls.status &= 0x0f;     /* only 4 bits valid */
 1282 
 1283         rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RLS, &rls, sizeof(rls));
 1284 }
 1285 
 1286 /*
 1287  * process Parameter Negotiation command/response
 1288  */
 1289 static void
 1290 rfcomm_session_recv_mcc_pn(struct rfcomm_session *rs, int cr, struct mbuf *m)
 1291 {
 1292         struct rfcomm_dlc *dlc;
 1293         struct rfcomm_mcc_pn pn;
 1294         int err;
 1295 
 1296         if (m->m_pkthdr.len != sizeof(pn)) {
 1297                 DPRINTF("Bad PN length %d\n", m->m_pkthdr.len);
 1298                 return;
 1299         }
 1300 
 1301         m_copydata(m, 0, sizeof(pn), &pn);
 1302 
 1303         pn.dlci &= 0x3f;
 1304         pn.mtu = le16toh(pn.mtu);
 1305 
 1306         dlc = rfcomm_dlc_lookup(rs, pn.dlci);
 1307         if (cr) {       /* Command */
 1308                 /*
 1309                  * If there is no DLC present, this is a new
 1310                  * connection so attempt to make one
 1311                  */
 1312                 if (dlc == NULL) {
 1313                         dlc = rfcomm_dlc_newconn(rs, pn.dlci);
 1314                         if (dlc == NULL)
 1315                                 return; /* (DM is sent) */
 1316                 }
 1317 
 1318                 /* accept any valid MTU, and offer it back */
 1319                 pn.mtu = min(pn.mtu, RFCOMM_MTU_MAX);
 1320                 pn.mtu = min(pn.mtu, rs->rs_mtu);
 1321                 pn.mtu = max(pn.mtu, RFCOMM_MTU_MIN);
 1322                 dlc->rd_mtu = pn.mtu;
 1323                 pn.mtu = htole16(pn.mtu);
 1324 
 1325                 /* credits are only set before DLC is open */
 1326                 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT
 1327                     && (pn.flow_control & 0xf0) == 0xf0) {
 1328                         rs->rs_flags |= RFCOMM_SESSION_CFC;
 1329                         dlc->rd_txcred = pn.credits & 0x07;
 1330 
 1331                         dlc->rd_rxcred = (dlc->rd_rxsize / dlc->rd_mtu);
 1332                         dlc->rd_rxcred = min(dlc->rd_rxcred,
 1333                                                 RFCOMM_CREDITS_DEFAULT);
 1334 
 1335                         pn.flow_control = 0xe0;
 1336                         pn.credits = dlc->rd_rxcred;
 1337                 } else {
 1338                         pn.flow_control = 0x00;
 1339                         pn.credits = 0x00;
 1340                 }
 1341 
 1342                 /* unused fields must be ignored and set to zero */
 1343                 pn.ack_timer = 0;
 1344                 pn.max_retrans = 0;
 1345 
 1346                 /* send our response */
 1347                 err = rfcomm_session_send_mcc(rs, 0,
 1348                                         RFCOMM_MCC_PN, &pn, sizeof(pn));
 1349                 if (err)
 1350                         goto close;
 1351 
 1352         } else {        /* Response */
 1353                 /* ignore responses with no matching DLC */
 1354                 if (dlc == NULL)
 1355                         return;
 1356 
 1357                 callout_stop(&dlc->rd_timeout);
 1358 
 1359                 /* reject invalid or unacceptable MTU */
 1360                 if (pn.mtu < RFCOMM_MTU_MIN || pn.mtu > dlc->rd_mtu) {
 1361                         dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT;
 1362                         err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC,
 1363                                                         pn.dlci);
 1364                         if (err)
 1365                                 goto close;
 1366 
 1367                         callout_schedule(&dlc->rd_timeout,
 1368                                             rfcomm_ack_timeout * hz);
 1369                         return;
 1370                 }
 1371                 dlc->rd_mtu = pn.mtu;
 1372 
 1373                 /* if DLC is not waiting to connect, we are done */
 1374                 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT)
 1375                         return;
 1376 
 1377                 /* set initial credits according to RFCOMM spec */
 1378                 if ((pn.flow_control & 0xf0) == 0xe0) {
 1379                         rs->rs_flags |= RFCOMM_SESSION_CFC;
 1380                         dlc->rd_txcred = (pn.credits & 0x07);
 1381                 }
 1382 
 1383                 callout_schedule(&dlc->rd_timeout, rfcomm_ack_timeout * hz);
 1384 
 1385                 /* set link mode */
 1386                 err = rfcomm_dlc_setmode(dlc);
 1387                 if (err == EINPROGRESS) {
 1388                         dlc->rd_state = RFCOMM_DLC_WAIT_SEND_SABM;
 1389                         (*dlc->rd_proto->connecting)(dlc->rd_upper);
 1390                         return;
 1391                 }
 1392                 if (err)
 1393                         goto close;
 1394 
 1395                 /* we can proceed now */
 1396                 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, pn.dlci);
 1397                 if (err)
 1398                         goto close;
 1399 
 1400                 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA;
 1401         }
 1402         return;
 1403 
 1404 close:
 1405         rfcomm_dlc_close(dlc, err);
 1406 }
 1407 
 1408 /*
 1409  * process Non Supported Command command/response
 1410  */
 1411 static void
 1412 rfcomm_session_recv_mcc_nsc(struct rfcomm_session *rs,
 1413     int cr, struct mbuf *m)
 1414 {
 1415         struct rfcomm_dlc *dlc, *next;
 1416 
 1417         /*
 1418          * Since we did nothing that is not mandatory,
 1419          * we just abort the whole session..
 1420          */
 1421 
 1422         next = LIST_FIRST(&rs->rs_dlcs);
 1423         while ((dlc = next) != NULL) {
 1424                 next = LIST_NEXT(dlc, rd_next);
 1425                 rfcomm_dlc_close(dlc, ECONNABORTED);
 1426         }
 1427 
 1428         rfcomm_session_free(rs);
 1429 }
 1430 
 1431 /***********************************************************************
 1432  *
 1433  *      RFCOMM Session outward frame/uih/mcc building
 1434  */
 1435 
 1436 /*
 1437  * SABM/DISC/DM/UA frames are all minimal and mostly identical.
 1438  */
 1439 int
 1440 rfcomm_session_send_frame(struct rfcomm_session *rs, int type, int dlci)
 1441 {
 1442         struct rfcomm_cmd_hdr *hdr;
 1443         struct rfcomm_credit *credit;
 1444         struct mbuf *m;
 1445         uint8_t fcs, cr;
 1446 
 1447         credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT);
 1448         if (credit == NULL)
 1449                 return ENOMEM;
 1450 
 1451         m = m_gethdr(M_DONTWAIT, MT_DATA);
 1452         if (m == NULL) {
 1453                 pool_put(&rfcomm_credit_pool, credit);
 1454                 return ENOMEM;
 1455         }
 1456 
 1457         /*
 1458          * The CR (command/response) bit identifies the frame either as a
 1459          * commmand or a response and is used along with the DLCI to form
 1460          * the address. Commands contain the non-initiator address, whereas
 1461          * responses contain the initiator address, so the CR value is
 1462          * also dependent on the session direction.
 1463          */
 1464         if (type == RFCOMM_FRAME_UA || type == RFCOMM_FRAME_DM)
 1465                 cr = IS_INITIATOR(rs) ? 0 : 1;
 1466         else
 1467                 cr = IS_INITIATOR(rs) ? 1 : 0;
 1468 
 1469         hdr = mtod(m, struct rfcomm_cmd_hdr *);
 1470         hdr->address = RFCOMM_MKADDRESS(cr, dlci);
 1471         hdr->control = RFCOMM_MKCONTROL(type, 1);   /* PF = 1 */
 1472         hdr->length = (0x00 << 1) | 0x01;           /* len = 0x00, EA = 1 */
 1473 
 1474         fcs = 0xff;
 1475         fcs = FCS(fcs, hdr->address);
 1476         fcs = FCS(fcs, hdr->control);
 1477         fcs = FCS(fcs, hdr->length);
 1478         fcs = 0xff - fcs;       /* ones complement */
 1479         hdr->fcs = fcs;
 1480 
 1481         m->m_pkthdr.len = m->m_len = sizeof(struct rfcomm_cmd_hdr);
 1482 
 1483         /* empty credit note */
 1484         credit->rc_dlc = NULL;
 1485         credit->rc_len = m->m_pkthdr.len;
 1486         SIMPLEQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next);
 1487 
 1488         DPRINTFN(5, "dlci %d type %2.2x (%d bytes, fcs=%#2.2x)\n",
 1489                 dlci, type, m->m_pkthdr.len, fcs);
 1490 
 1491         return l2cap_send(rs->rs_l2cap, m);
 1492 }
 1493 
 1494 /*
 1495  * rfcomm_session_send_uih(rfcomm_session, rfcomm_dlc, credits, mbuf)
 1496  *
 1497  * UIH frame is per DLC data or Multiplexer Control Commands
 1498  * when no DLC is given. Data mbuf is optional (just credits
 1499  * will be sent in that case)
 1500  */
 1501 int
 1502 rfcomm_session_send_uih(struct rfcomm_session *rs, struct rfcomm_dlc *dlc,
 1503                         int credits, struct mbuf *m)
 1504 {
 1505         struct rfcomm_credit *credit;
 1506         struct mbuf *m0 = NULL;
 1507         int err, len;
 1508         uint8_t fcs, *hdr;
 1509 
 1510         KASSERT(rs != NULL);
 1511 
 1512         len = (m == NULL) ? 0 : m->m_pkthdr.len;
 1513         KASSERT(!(credits == 0 && len == 0));
 1514 
 1515         /*
 1516          * Make a credit note for the completion notification
 1517          */
 1518         credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT);
 1519         if (credit == NULL)
 1520                 goto nomem;
 1521 
 1522         credit->rc_len = len;
 1523         credit->rc_dlc = dlc;
 1524 
 1525         /*
 1526          * Wrap UIH frame information around payload.
 1527          *
 1528          * [ADDRESS] [CONTROL] [LENGTH] [CREDITS] [...] [FCS]
 1529          *
 1530          * Address is one octet.
 1531          * Control is one octet.
 1532          * Length is one or two octets.
 1533          * Credits may be one octet.
 1534          *
 1535          * FCS is one octet and calculated on address and
 1536          *      control octets only.
 1537          *
 1538          * If there are credits to be sent, we will set the PF
 1539          * flag and include them in the frame.
 1540          */
 1541         m0 = m_gethdr(M_DONTWAIT, MT_DATA);
 1542         if (m0 == NULL)
 1543                 goto nomem;
 1544 
 1545         MH_ALIGN(m0, 5);        /* (max 5 header octets) */
 1546         hdr = mtod(m0, uint8_t *);
 1547 
 1548         /* CR bit is set according to the initiator of the session */
 1549         *hdr = RFCOMM_MKADDRESS((IS_INITIATOR(rs) ? 1 : 0),
 1550                                 (dlc ? dlc->rd_dlci : 0));
 1551         fcs = FCS(0xff, *hdr);
 1552         hdr++;
 1553 
 1554         /* PF bit is set if credits are being sent */
 1555         *hdr = RFCOMM_MKCONTROL(RFCOMM_FRAME_UIH, (credits > 0 ? 1 : 0));
 1556         fcs = FCS(fcs, *hdr);
 1557         hdr++;
 1558 
 1559         if (len < (1 << 7)) {
 1560                 *hdr++ = ((len << 1) & 0xfe) | 0x01;    /* 7 bits, EA = 1 */
 1561         } else {
 1562                 *hdr++ = ((len << 1) & 0xfe);           /* 7 bits, EA = 0 */
 1563                 *hdr++ = ((len >> 7) & 0xff);           /* 8 bits, no EA */
 1564         }
 1565 
 1566         if (credits > 0)
 1567                 *hdr++ = (uint8_t)credits;
 1568 
 1569         m0->m_len = hdr - mtod(m0, uint8_t *);
 1570 
 1571         /* Append payload */
 1572         m0->m_next = m;
 1573         m = NULL;
 1574 
 1575         m0->m_pkthdr.len = m0->m_len + len;
 1576 
 1577         /* Append FCS */
 1578         fcs = 0xff - fcs;       /* ones complement */
 1579         len = m0->m_pkthdr.len;
 1580         m_copyback(m0, len, sizeof(fcs), &fcs);
 1581         if (m0->m_pkthdr.len != len + sizeof(fcs))
 1582                 goto nomem;
 1583 
 1584         DPRINTFN(10, "dlci %d, pktlen %d (%d data, %d credits), fcs=%#2.2x\n",
 1585                 dlc ? dlc->rd_dlci : 0, m0->m_pkthdr.len, credit->rc_len,
 1586                 credits, fcs);
 1587 
 1588         /*
 1589          * UIH frame ready to go..
 1590          */
 1591         err = l2cap_send(rs->rs_l2cap, m0);
 1592         if (err)
 1593                 goto fail;
 1594 
 1595         SIMPLEQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next);
 1596         return 0;
 1597 
 1598 nomem:
 1599         err = ENOMEM;
 1600 
 1601         if (m0 != NULL)
 1602                 m_freem(m0);
 1603 
 1604         if (m != NULL)
 1605                 m_freem(m);
 1606 
 1607 fail:
 1608         if (credit != NULL)
 1609                 pool_put(&rfcomm_credit_pool, credit);
 1610 
 1611         return err;
 1612 }
 1613 
 1614 /*
 1615  * send Multiplexer Control Command (or Response) on session
 1616  */
 1617 int
 1618 rfcomm_session_send_mcc(struct rfcomm_session *rs, int cr,
 1619                         uint8_t type, void *data, int len)
 1620 {
 1621         struct mbuf *m;
 1622         uint8_t *hdr;
 1623         int hlen;
 1624 
 1625         m = m_gethdr(M_DONTWAIT, MT_DATA);
 1626         if (m == NULL)
 1627                 return ENOMEM;
 1628 
 1629         hdr = mtod(m, uint8_t *);
 1630 
 1631         /*
 1632          * Technically the type field can extend past one octet, but none
 1633          * currently defined will do that.
 1634          */
 1635         *hdr++ = RFCOMM_MKMCC_TYPE(cr, type);
 1636 
 1637         /*
 1638          * In the frame, the max length size is 2 octets (15 bits) whereas
 1639          * no max length size is specified for MCC commands. We must allow
 1640          * for 3 octets since for MCC frames we use 7 bits + EA in each.
 1641          *
 1642          * Only test data can possibly be that big.
 1643          *
 1644          * XXX Should we check this against the MTU?
 1645          */
 1646         if (len < (1 << 7)) {
 1647                 *hdr++ = ((len << 1) & 0xfe) | 0x01;    /* 7 bits, EA = 1 */
 1648         } else if (len < (1 << 14)) {
 1649                 *hdr++ = ((len << 1) & 0xfe);           /* 7 bits, EA = 0 */
 1650                 *hdr++ = ((len >> 6) & 0xfe) | 0x01;    /* 7 bits, EA = 1 */
 1651         } else if (len < (1 << 15)) {
 1652                 *hdr++ = ((len << 1) & 0xfe);           /* 7 bits, EA = 0 */
 1653                 *hdr++ = ((len >> 6) & 0xfe);           /* 7 bits, EA = 0 */
 1654                 *hdr++ = ((len >> 13) & 0x02) | 0x01;   /* 1 bit,  EA = 1 */
 1655         } else {
 1656                 DPRINTF("incredible length! (%d)\n", len);
 1657                 m_freem(m);
 1658                 return EMSGSIZE;
 1659         }
 1660 
 1661         /*
 1662          * add command data (to same mbuf if possible)
 1663          */
 1664         hlen = hdr - mtod(m, uint8_t *);
 1665 
 1666         if (len > 0) {
 1667                 m->m_pkthdr.len = m->m_len = MHLEN;
 1668                 m_copyback(m, hlen, len, data);
 1669                 if (m->m_pkthdr.len != max(MHLEN, hlen + len)) {
 1670                         m_freem(m);
 1671                         return ENOMEM;
 1672                 }
 1673         }
 1674 
 1675         m->m_pkthdr.len = hlen + len;
 1676         m->m_len = min(MHLEN, m->m_pkthdr.len);
 1677 
 1678         DPRINTFN(5, "%s type %2.2x len %d\n",
 1679                 (cr ? "command" : "response"), type, m->m_pkthdr.len);
 1680 
 1681         return rfcomm_session_send_uih(rs, NULL, 0, m);
 1682 }

Cache object: cdf4b133a6f510711878da0c0a29d5c1


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.