1 /* $NetBSD: rfcomm_session.c,v 1.4.2.2 2010/01/03 17:12:44 jdc Exp $ */
2
3 /*-
4 * Copyright (c) 2006 Itronix Inc.
5 * All rights reserved.
6 *
7 * Written by Iain Hibbert for Itronix Inc.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. The name of Itronix Inc. may not be used to endorse
18 * or promote products derived from this software without specific
19 * prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
23 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
24 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY
25 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
28 * ON ANY THEORY OF LIABILITY, WHETHER IN
29 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
30 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
32 */
33
34 #include <sys/cdefs.h>
35 __KERNEL_RCSID(0, "$NetBSD: rfcomm_session.c,v 1.4.2.2 2010/01/03 17:12:44 jdc Exp $");
36
37 #include <sys/param.h>
38 #include <sys/kernel.h>
39 #include <sys/mbuf.h>
40 #include <sys/proc.h>
41 #include <sys/systm.h>
42 #include <sys/types.h>
43
44 #include <netbt/bluetooth.h>
45 #include <netbt/hci.h>
46 #include <netbt/l2cap.h>
47 #include <netbt/rfcomm.h>
48
49 /******************************************************************************
50 *
51 * RFCOMM Multiplexer Sessions sit directly on L2CAP channels, and can
52 * multiplex up to 30 incoming and 30 outgoing connections.
53 * Only one Multiplexer is allowed between any two devices.
54 */
55
56 static void rfcomm_session_timeout(void *);
57 static void rfcomm_session_recv_sabm(struct rfcomm_session *, int);
58 static void rfcomm_session_recv_disc(struct rfcomm_session *, int);
59 static void rfcomm_session_recv_ua(struct rfcomm_session *, int);
60 static void rfcomm_session_recv_dm(struct rfcomm_session *, int);
61 static void rfcomm_session_recv_uih(struct rfcomm_session *, int, int, struct mbuf *, int);
62 static void rfcomm_session_recv_mcc(struct rfcomm_session *, struct mbuf *);
63 static void rfcomm_session_recv_mcc_test(struct rfcomm_session *, int, struct mbuf *);
64 static void rfcomm_session_recv_mcc_fcon(struct rfcomm_session *, int);
65 static void rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *, int);
66 static void rfcomm_session_recv_mcc_msc(struct rfcomm_session *, int, struct mbuf *);
67 static void rfcomm_session_recv_mcc_rpn(struct rfcomm_session *, int, struct mbuf *);
68 static void rfcomm_session_recv_mcc_rls(struct rfcomm_session *, int, struct mbuf *);
69 static void rfcomm_session_recv_mcc_pn(struct rfcomm_session *, int, struct mbuf *);
70 static void rfcomm_session_recv_mcc_nsc(struct rfcomm_session *, int, struct mbuf *);
71
72 /* L2CAP callbacks */
73 static void rfcomm_session_connecting(void *);
74 static void rfcomm_session_connected(void *);
75 static void rfcomm_session_disconnected(void *, int);
76 static void *rfcomm_session_newconn(void *, struct sockaddr_bt *, struct sockaddr_bt *);
77 static void rfcomm_session_complete(void *, int);
78 static void rfcomm_session_linkmode(void *, int);
79 static void rfcomm_session_input(void *, struct mbuf *);
80
81 static const struct btproto rfcomm_session_proto = {
82 rfcomm_session_connecting,
83 rfcomm_session_connected,
84 rfcomm_session_disconnected,
85 rfcomm_session_newconn,
86 rfcomm_session_complete,
87 rfcomm_session_linkmode,
88 rfcomm_session_input,
89 };
90
91 struct rfcomm_session_list
92 rfcomm_session_active = LIST_HEAD_INITIALIZER(rfcomm_session_active);
93
94 struct rfcomm_session_list
95 rfcomm_session_listen = LIST_HEAD_INITIALIZER(rfcomm_session_listen);
96
97 POOL_INIT(rfcomm_credit_pool, sizeof(struct rfcomm_credit),
98 0, 0, 0, "rfcomm_credit", NULL);
99
100 /*
101 * RFCOMM System Parameters (see section 5.3)
102 */
103 int rfcomm_mtu_default = 127; /* bytes */
104 int rfcomm_ack_timeout = 20; /* seconds */
105 int rfcomm_mcc_timeout = 20; /* seconds */
106
107 /*
108 * Reversed CRC table as per TS 07.10 Annex B.3.5
109 */
110 static uint8_t crctable[256] = { /* reversed, 8-bit, poly=0x07 */
111 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
112 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
113 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
114 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
115
116 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
117 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
118 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
119 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
120
121 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
122 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
123 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
124 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
125
126 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
127 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
128 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
129 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
130
131 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
132 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
133 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
134 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
135
136 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
137 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
138 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
139 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
140
141 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
142 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
143 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
144 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
145
146 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
147 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
148 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
149 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
150 };
151
152 #define FCS(f, d) crctable[(f) ^ (d)]
153
154 /*
155 * rfcomm_session_alloc(list, sockaddr)
156 *
157 * allocate a new session and fill in the blanks, then
158 * attach session to front of specified list (active or listen)
159 */
160 struct rfcomm_session *
161 rfcomm_session_alloc(struct rfcomm_session_list *list,
162 struct sockaddr_bt *laddr)
163 {
164 struct rfcomm_session *rs;
165 int err;
166
167 rs = malloc(sizeof(*rs), M_BLUETOOTH, M_NOWAIT | M_ZERO);
168 if (rs == NULL)
169 return NULL;
170
171 rs->rs_state = RFCOMM_SESSION_CLOSED;
172
173 callout_init(&rs->rs_timeout);
174 callout_setfunc(&rs->rs_timeout, rfcomm_session_timeout, rs);
175
176 SIMPLEQ_INIT(&rs->rs_credits);
177 LIST_INIT(&rs->rs_dlcs);
178
179 err = l2cap_attach(&rs->rs_l2cap, &rfcomm_session_proto, rs);
180 if (err) {
181 free(rs, M_BLUETOOTH);
182 return NULL;
183 }
184
185 (void)l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu);
186
187 if (laddr->bt_psm == L2CAP_PSM_ANY)
188 laddr->bt_psm = L2CAP_PSM_RFCOMM;
189
190 (void)l2cap_bind(rs->rs_l2cap, laddr);
191
192 LIST_INSERT_HEAD(list, rs, rs_next);
193
194 return rs;
195 }
196
197 /*
198 * rfcomm_session_free(rfcomm_session)
199 *
200 * release a session, including any cleanup
201 */
202 void
203 rfcomm_session_free(struct rfcomm_session *rs)
204 {
205 struct rfcomm_credit *credit;
206
207 KASSERT(rs != NULL);
208 KASSERT(LIST_EMPTY(&rs->rs_dlcs));
209
210 rs->rs_state = RFCOMM_SESSION_CLOSED;
211
212 /*
213 * If the callout is already invoked we have no way to stop it,
214 * but it will call us back right away (there are no DLC's) so
215 * not to worry.
216 */
217 callout_stop(&rs->rs_timeout);
218 if (callout_invoking(&rs->rs_timeout))
219 return;
220
221 /*
222 * Take care that rfcomm_session_disconnected() doesnt call
223 * us back either as it will do if the l2cap_channel has not
224 * been closed when we detach it..
225 */
226 if (rs->rs_flags & RFCOMM_SESSION_FREE)
227 return;
228
229 rs->rs_flags |= RFCOMM_SESSION_FREE;
230
231 /* throw away any remaining credit notes */
232 while ((credit = SIMPLEQ_FIRST(&rs->rs_credits)) != NULL) {
233 SIMPLEQ_REMOVE_HEAD(&rs->rs_credits, rc_next);
234 pool_put(&rfcomm_credit_pool, credit);
235 }
236
237 KASSERT(SIMPLEQ_EMPTY(&rs->rs_credits));
238
239 /* Goodbye! */
240 LIST_REMOVE(rs, rs_next);
241 l2cap_detach(&rs->rs_l2cap);
242 free(rs, M_BLUETOOTH);
243 }
244
245 /*
246 * rfcomm_session_lookup(sockaddr, sockaddr)
247 *
248 * Find active rfcomm session matching src and dest addresses
249 * when src is BDADDR_ANY match any local address
250 */
251 struct rfcomm_session *
252 rfcomm_session_lookup(struct sockaddr_bt *src, struct sockaddr_bt *dest)
253 {
254 struct rfcomm_session *rs;
255 struct sockaddr_bt addr;
256
257 LIST_FOREACH(rs, &rfcomm_session_active, rs_next) {
258 if (rs->rs_state == RFCOMM_SESSION_CLOSED)
259 continue;
260
261 l2cap_sockaddr(rs->rs_l2cap, &addr);
262
263 if (bdaddr_same(&src->bt_bdaddr, &addr.bt_bdaddr) == 0)
264 if (bdaddr_any(&src->bt_bdaddr) == 0)
265 continue;
266
267 l2cap_peeraddr(rs->rs_l2cap, &addr);
268
269 if (addr.bt_psm != dest->bt_psm)
270 continue;
271
272 if (bdaddr_same(&dest->bt_bdaddr, &addr.bt_bdaddr))
273 break;
274 }
275
276 return rs;
277 }
278
279 /*
280 * rfcomm_session_timeout(rfcomm_session)
281 *
282 * Session timeouts are scheduled when a session is left or
283 * created with no DLCs, and when SABM(0) or DISC(0) are
284 * sent.
285 *
286 * So, if it is in an open state with DLC's attached then
287 * we leave it alone, otherwise the session is lost.
288 */
289 static void
290 rfcomm_session_timeout(void *arg)
291 {
292 struct rfcomm_session *rs = arg;
293 struct rfcomm_dlc *dlc;
294 int s;
295
296 KASSERT(rs != NULL);
297
298 s = splsoftnet();
299 callout_ack(&rs->rs_timeout);
300
301 if (rs->rs_state != RFCOMM_SESSION_OPEN) {
302 DPRINTF("timeout\n");
303 rs->rs_state = RFCOMM_SESSION_CLOSED;
304
305 while (!LIST_EMPTY(&rs->rs_dlcs)) {
306 dlc = LIST_FIRST(&rs->rs_dlcs);
307
308 rfcomm_dlc_close(dlc, ETIMEDOUT);
309 }
310 }
311
312 if (LIST_EMPTY(&rs->rs_dlcs)) {
313 DPRINTF("expiring\n");
314 rfcomm_session_free(rs);
315 }
316 splx(s);
317 }
318
319 /***********************************************************************
320 *
321 * RFCOMM Session L2CAP protocol callbacks
322 *
323 */
324
325 static void
326 rfcomm_session_connecting(void *arg)
327 {
328 //struct rfcomm_session *rs = arg;
329
330 DPRINTF("Connecting\n");
331 }
332
333 static void
334 rfcomm_session_connected(void *arg)
335 {
336 struct rfcomm_session *rs = arg;
337
338 DPRINTF("Connected\n");
339
340 /*
341 * L2CAP is open.
342 *
343 * If we are initiator, we can send our SABM(0)
344 * a timeout should be active?
345 *
346 * We must take note of the L2CAP MTU because currently
347 * the L2CAP implementation can only do Basic Mode.
348 */
349 l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu);
350
351 rs->rs_mtu -= 6; /* (RFCOMM overhead could be this big) */
352 if (rs->rs_mtu < RFCOMM_MTU_MIN) {
353 rfcomm_session_disconnected(rs, EINVAL);
354 return;
355 }
356
357 if (IS_INITIATOR(rs)) {
358 int err;
359
360 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, 0);
361 if (err)
362 rfcomm_session_disconnected(rs, err);
363
364 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz);
365 }
366 }
367
368 static void
369 rfcomm_session_disconnected(void *arg, int err)
370 {
371 struct rfcomm_session *rs = arg;
372 struct rfcomm_dlc *dlc;
373
374 DPRINTF("Disconnected\n");
375
376 rs->rs_state = RFCOMM_SESSION_CLOSED;
377
378 while (!LIST_EMPTY(&rs->rs_dlcs)) {
379 dlc = LIST_FIRST(&rs->rs_dlcs);
380
381 rfcomm_dlc_close(dlc, err);
382 }
383
384 rfcomm_session_free(rs);
385 }
386
387 static void *
388 rfcomm_session_newconn(void *arg, struct sockaddr_bt *laddr,
389 struct sockaddr_bt *raddr)
390 {
391 struct rfcomm_session *new, *rs = arg;
392
393 DPRINTF("New Connection\n");
394
395 /*
396 * Incoming session connect request. We should return a new
397 * session pointer if this is acceptable. The L2CAP layer
398 * passes local and remote addresses, which we must check as
399 * only one RFCOMM session is allowed between any two devices
400 */
401 new = rfcomm_session_lookup(laddr, raddr);
402 if (new != NULL)
403 return NULL;
404
405 new = rfcomm_session_alloc(&rfcomm_session_active, laddr);
406 if (new == NULL)
407 return NULL;
408
409 new->rs_mtu = rs->rs_mtu;
410 new->rs_state = RFCOMM_SESSION_WAIT_CONNECT;
411
412 /*
413 * schedule an expiry so that if nothing comes of it we
414 * can punt.
415 */
416 callout_schedule(&new->rs_timeout, rfcomm_mcc_timeout * hz);
417
418 return new->rs_l2cap;
419 }
420
421 static void
422 rfcomm_session_complete(void *arg, int count)
423 {
424 struct rfcomm_session *rs = arg;
425 struct rfcomm_credit *credit;
426 struct rfcomm_dlc *dlc;
427
428 /*
429 * count L2CAP packets are 'complete', meaning that they are cleared
430 * our buffers (for best effort) or arrived safe (for guaranteed) so
431 * we can take it off our list and pass the message on, so that
432 * eventually the data can be removed from the sockbuf
433 */
434 while (count-- > 0) {
435 credit = SIMPLEQ_FIRST(&rs->rs_credits);
436 #ifdef DIAGNOSTIC
437 if (credit == NULL) {
438 printf("%s: too many packets completed!\n", __func__);
439 break;
440 }
441 #endif
442 dlc = credit->rc_dlc;
443 if (dlc != NULL) {
444 dlc->rd_pending--;
445 (*dlc->rd_proto->complete)
446 (dlc->rd_upper, credit->rc_len);
447
448 /*
449 * if not using credit flow control, we may push
450 * more data now
451 */
452 if ((rs->rs_flags & RFCOMM_SESSION_CFC) == 0
453 && dlc->rd_state == RFCOMM_DLC_OPEN) {
454 rfcomm_dlc_start(dlc);
455 }
456
457 /*
458 * When shutdown is indicated, we are just waiting to
459 * clear outgoing data.
460 */
461 if ((dlc->rd_flags & RFCOMM_DLC_SHUTDOWN)
462 && dlc->rd_txbuf == NULL && dlc->rd_pending == 0) {
463 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT;
464 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC,
465 dlc->rd_dlci);
466 callout_schedule(&dlc->rd_timeout,
467 rfcomm_ack_timeout * hz);
468 }
469 }
470
471 SIMPLEQ_REMOVE_HEAD(&rs->rs_credits, rc_next);
472 pool_put(&rfcomm_credit_pool, credit);
473 }
474
475 /*
476 * If session is closed, we are just waiting to clear the queue
477 */
478 if (rs->rs_state == RFCOMM_SESSION_CLOSED) {
479 if (SIMPLEQ_EMPTY(&rs->rs_credits))
480 l2cap_disconnect(rs->rs_l2cap, 0);
481 }
482 }
483
484 /*
485 * Link Mode changed
486 *
487 * This is called when a mode change is complete. Proceed with connections
488 * where appropriate, or pass the new mode to any active DLCs.
489 */
490 static void
491 rfcomm_session_linkmode(void *arg, int new)
492 {
493 struct rfcomm_session *rs = arg;
494 struct rfcomm_dlc *dlc, *next;
495 int err, mode = 0;
496
497 DPRINTF("auth %s, encrypt %s, secure %s\n",
498 (new & L2CAP_LM_AUTH ? "on" : "off"),
499 (new & L2CAP_LM_ENCRYPT ? "on" : "off"),
500 (new & L2CAP_LM_SECURE ? "on" : "off"));
501
502 if (new & L2CAP_LM_AUTH)
503 mode |= RFCOMM_LM_AUTH;
504
505 if (new & L2CAP_LM_ENCRYPT)
506 mode |= RFCOMM_LM_ENCRYPT;
507
508 if (new & L2CAP_LM_SECURE)
509 mode |= RFCOMM_LM_SECURE;
510
511 next = LIST_FIRST(&rs->rs_dlcs);
512 while ((dlc = next) != NULL) {
513 next = LIST_NEXT(dlc, rd_next);
514
515 switch (dlc->rd_state) {
516 case RFCOMM_DLC_WAIT_SEND_SABM: /* we are connecting */
517 if ((mode & dlc->rd_mode) != dlc->rd_mode) {
518 rfcomm_dlc_close(dlc, ECONNABORTED);
519 } else {
520 err = rfcomm_session_send_frame(rs,
521 RFCOMM_FRAME_SABM, dlc->rd_dlci);
522 if (err) {
523 rfcomm_dlc_close(dlc, err);
524 } else {
525 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA;
526 callout_schedule(&dlc->rd_timeout,
527 rfcomm_ack_timeout * hz);
528 break;
529 }
530 }
531
532 /*
533 * If we aborted the connection and there are no more DLCs
534 * on the session, it is our responsibility to disconnect.
535 */
536 if (!LIST_EMPTY(&rs->rs_dlcs))
537 break;
538
539 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT;
540 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0);
541 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz);
542 break;
543
544 case RFCOMM_DLC_WAIT_SEND_UA: /* they are connecting */
545 if ((mode & dlc->rd_mode) != dlc->rd_mode) {
546 rfcomm_session_send_frame(rs,
547 RFCOMM_FRAME_DM, dlc->rd_dlci);
548 rfcomm_dlc_close(dlc, ECONNABORTED);
549 break;
550 }
551
552 err = rfcomm_session_send_frame(rs,
553 RFCOMM_FRAME_UA, dlc->rd_dlci);
554 if (err) {
555 rfcomm_session_send_frame(rs,
556 RFCOMM_FRAME_DM, dlc->rd_dlci);
557 rfcomm_dlc_close(dlc, err);
558 break;
559 }
560
561 err = rfcomm_dlc_open(dlc);
562 if (err) {
563 rfcomm_session_send_frame(rs,
564 RFCOMM_FRAME_DM, dlc->rd_dlci);
565 rfcomm_dlc_close(dlc, err);
566 break;
567 }
568
569 break;
570
571 case RFCOMM_DLC_WAIT_RECV_UA:
572 case RFCOMM_DLC_OPEN: /* already established */
573 (*dlc->rd_proto->linkmode)(dlc->rd_upper, mode);
574 break;
575
576 default:
577 break;
578 }
579 }
580 }
581
582 /*
583 * Receive data from L2CAP layer for session. There is always exactly one
584 * RFCOMM frame contained in each L2CAP frame.
585 */
586 static void
587 rfcomm_session_input(void *arg, struct mbuf *m)
588 {
589 struct rfcomm_session *rs = arg;
590 int dlci, len, type, pf;
591 uint8_t fcs, b;
592
593 KASSERT(m != NULL);
594 KASSERT(rs != NULL);
595
596 /*
597 * UIH frames: FCS is only calculated on address and control fields
598 * For other frames: FCS is calculated on address, control and length
599 * Length may extend to two octets
600 */
601 fcs = 0xff;
602
603 if (m->m_pkthdr.len < 4) {
604 DPRINTF("short frame (%d), discarded\n", m->m_pkthdr.len);
605 goto done;
606 }
607
608 /* address - one octet */
609 m_copydata(m, 0, 1, &b);
610 m_adj(m, 1);
611 fcs = FCS(fcs, b);
612 dlci = RFCOMM_DLCI(b);
613
614 /* control - one octet */
615 m_copydata(m, 0, 1, &b);
616 m_adj(m, 1);
617 fcs = FCS(fcs, b);
618 type = RFCOMM_TYPE(b);
619 pf = RFCOMM_PF(b);
620
621 /* length - may be two octets */
622 m_copydata(m, 0, 1, &b);
623 m_adj(m, 1);
624 if (type != RFCOMM_FRAME_UIH)
625 fcs = FCS(fcs, b);
626 len = (b >> 1) & 0x7f;
627
628 if (RFCOMM_EA(b) == 0) {
629 if (m->m_pkthdr.len < 2) {
630 DPRINTF("short frame (%d, EA = 0), discarded\n",
631 m->m_pkthdr.len);
632 goto done;
633 }
634
635 m_copydata(m, 0, 1, &b);
636 m_adj(m, 1);
637 if (type != RFCOMM_FRAME_UIH)
638 fcs = FCS(fcs, b);
639
640 len |= (b << 7);
641 }
642
643 /* FCS byte is last octet in frame */
644 m_copydata(m, m->m_pkthdr.len - 1, 1, &b);
645 m_adj(m, -1);
646 fcs = FCS(fcs, b);
647
648 if (fcs != 0xcf) {
649 DPRINTF("Bad FCS value (%#2.2x), frame discarded\n", fcs);
650 goto done;
651 }
652
653 DPRINTFN(10, "dlci %d, type %2.2x, len = %d\n", dlci, type, len);
654
655 switch (type) {
656 case RFCOMM_FRAME_SABM:
657 if (pf)
658 rfcomm_session_recv_sabm(rs, dlci);
659 break;
660
661 case RFCOMM_FRAME_DISC:
662 if (pf)
663 rfcomm_session_recv_disc(rs, dlci);
664 break;
665
666 case RFCOMM_FRAME_UA:
667 if (pf)
668 rfcomm_session_recv_ua(rs, dlci);
669 break;
670
671 case RFCOMM_FRAME_DM:
672 rfcomm_session_recv_dm(rs, dlci);
673 break;
674
675 case RFCOMM_FRAME_UIH:
676 rfcomm_session_recv_uih(rs, dlci, pf, m, len);
677 return; /* (no release) */
678
679 default:
680 UNKNOWN(type);
681 break;
682 }
683
684 done:
685 m_freem(m);
686 }
687
688 /***********************************************************************
689 *
690 * RFCOMM Session receive processing
691 */
692
693 /*
694 * rfcomm_session_recv_sabm(rfcomm_session, dlci)
695 *
696 * Set Asyncrhonous Balanced Mode - open the channel.
697 */
698 static void
699 rfcomm_session_recv_sabm(struct rfcomm_session *rs, int dlci)
700 {
701 struct rfcomm_dlc *dlc;
702 int err;
703
704 DPRINTFN(5, "SABM(%d)\n", dlci);
705
706 if (dlci == 0) { /* Open Session */
707 rs->rs_state = RFCOMM_SESSION_OPEN;
708 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0);
709 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) {
710 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION)
711 rfcomm_dlc_connect(dlc);
712 }
713 return;
714 }
715
716 if (rs->rs_state != RFCOMM_SESSION_OPEN) {
717 DPRINTF("session was not even open!\n");
718 return;
719 }
720
721 /* validate direction bit */
722 if ((IS_INITIATOR(rs) && !RFCOMM_DIRECTION(dlci))
723 || (!IS_INITIATOR(rs) && RFCOMM_DIRECTION(dlci))) {
724 DPRINTF("Invalid direction bit on DLCI\n");
725 return;
726 }
727
728 /*
729 * look for our DLC - this may exist if we received PN
730 * already, or we may have to fabricate a new one.
731 */
732 dlc = rfcomm_dlc_lookup(rs, dlci);
733 if (dlc == NULL) {
734 dlc = rfcomm_dlc_newconn(rs, dlci);
735 if (dlc == NULL)
736 return; /* (DM is sent) */
737 }
738
739 /*
740 * ..but if this DLC is not waiting to connect, they did
741 * something wrong, ignore it.
742 */
743 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT)
744 return;
745
746 /* set link mode */
747 err = rfcomm_dlc_setmode(dlc);
748 if (err == EINPROGRESS) {
749 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_UA;
750 (*dlc->rd_proto->connecting)(dlc->rd_upper);
751 return;
752 }
753 if (err)
754 goto close;
755
756 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci);
757 if (err)
758 goto close;
759
760 /* and mark it open */
761 err = rfcomm_dlc_open(dlc);
762 if (err)
763 goto close;
764
765 return;
766
767 close:
768 rfcomm_dlc_close(dlc, err);
769 }
770
771 /*
772 * Receive Disconnect Command
773 */
774 static void
775 rfcomm_session_recv_disc(struct rfcomm_session *rs, int dlci)
776 {
777 struct rfcomm_dlc *dlc;
778
779 DPRINTFN(5, "DISC(%d)\n", dlci);
780
781 if (dlci == 0) {
782 /*
783 * Disconnect Session
784 *
785 * We set the session state to CLOSED so that when
786 * the UA frame is clear the session will be closed
787 * automatically. We wont bother to close any DLC's
788 * just yet as there should be none. In the unlikely
789 * event that something is left, it will get flushed
790 * out as the session goes down.
791 */
792 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0);
793 rs->rs_state = RFCOMM_SESSION_CLOSED;
794 return;
795 }
796
797 dlc = rfcomm_dlc_lookup(rs, dlci);
798 if (dlc == NULL) {
799 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci);
800 return;
801 }
802
803 rfcomm_dlc_close(dlc, ECONNRESET);
804 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci);
805 }
806
807 /*
808 * Receive Unnumbered Acknowledgement Response
809 *
810 * This should be a response to a DISC or SABM frame that we
811 * have previously sent. If unexpected, ignore it.
812 */
813 static void
814 rfcomm_session_recv_ua(struct rfcomm_session *rs, int dlci)
815 {
816 struct rfcomm_dlc *dlc;
817
818 DPRINTFN(5, "UA(%d)\n", dlci);
819
820 if (dlci == 0) {
821 switch (rs->rs_state) {
822 case RFCOMM_SESSION_WAIT_CONNECT: /* We sent SABM */
823 callout_stop(&rs->rs_timeout);
824 rs->rs_state = RFCOMM_SESSION_OPEN;
825 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) {
826 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION)
827 rfcomm_dlc_connect(dlc);
828 }
829 break;
830
831 case RFCOMM_SESSION_WAIT_DISCONNECT: /* We sent DISC */
832 callout_stop(&rs->rs_timeout);
833 rs->rs_state = RFCOMM_SESSION_CLOSED;
834 l2cap_disconnect(rs->rs_l2cap, 0);
835 break;
836
837 default:
838 DPRINTF("Received spurious UA(0)!\n");
839 break;
840 }
841
842 return;
843 }
844
845 /*
846 * If we have no DLC on this dlci, we may have aborted
847 * without shutting down properly, so check if the session
848 * needs disconnecting.
849 */
850 dlc = rfcomm_dlc_lookup(rs, dlci);
851 if (dlc == NULL)
852 goto check;
853
854 switch (dlc->rd_state) {
855 case RFCOMM_DLC_WAIT_RECV_UA: /* We sent SABM */
856 rfcomm_dlc_open(dlc);
857 return;
858
859 case RFCOMM_DLC_WAIT_DISCONNECT: /* We sent DISC */
860 rfcomm_dlc_close(dlc, 0);
861 break;
862
863 default:
864 DPRINTF("Received spurious UA(%d)!\n", dlci);
865 return;
866 }
867
868 check: /* last one out turns out the light */
869 if (LIST_EMPTY(&rs->rs_dlcs)) {
870 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT;
871 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0);
872 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz);
873 }
874 }
875
876 /*
877 * Receive Disconnected Mode Response
878 *
879 * If this does not apply to a known DLC then we may ignore it.
880 */
881 static void
882 rfcomm_session_recv_dm(struct rfcomm_session *rs, int dlci)
883 {
884 struct rfcomm_dlc *dlc;
885
886 DPRINTFN(5, "DM(%d)\n", dlci);
887
888 dlc = rfcomm_dlc_lookup(rs, dlci);
889 if (dlc == NULL)
890 return;
891
892 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT)
893 rfcomm_dlc_close(dlc, ECONNREFUSED);
894 else
895 rfcomm_dlc_close(dlc, ECONNRESET);
896 }
897
898 /*
899 * Receive Unnumbered Information with Header check (MCC or data packet)
900 */
901 static void
902 rfcomm_session_recv_uih(struct rfcomm_session *rs, int dlci,
903 int pf, struct mbuf *m, int len)
904 {
905 struct rfcomm_dlc *dlc;
906 uint8_t credits = 0;
907
908 DPRINTFN(10, "UIH(%d)\n", dlci);
909
910 if (dlci == 0) {
911 rfcomm_session_recv_mcc(rs, m);
912 return;
913 }
914
915 if (m->m_pkthdr.len != len + pf) {
916 DPRINTF("Bad Frame Length (%d), frame discarded\n",
917 m->m_pkthdr.len);
918
919 goto discard;
920 }
921
922 dlc = rfcomm_dlc_lookup(rs, dlci);
923 if (dlc == NULL) {
924 DPRINTF("UIH received for non existent DLC, discarded\n");
925 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci);
926 goto discard;
927 }
928
929 if (dlc->rd_state != RFCOMM_DLC_OPEN) {
930 DPRINTF("non-open DLC (state = %d), discarded\n",
931 dlc->rd_state);
932 goto discard;
933 }
934
935 /* if PF is set, credits were included */
936 if (rs->rs_flags & RFCOMM_SESSION_CFC) {
937 if (pf != 0) {
938 if (m->m_pkthdr.len < sizeof(credits)) {
939 DPRINTF("Bad PF value, UIH discarded\n");
940 goto discard;
941 }
942
943 m_copydata(m, 0, sizeof(credits), &credits);
944 m_adj(m, sizeof(credits));
945
946 dlc->rd_txcred += credits;
947
948 if (credits > 0 && dlc->rd_txbuf != NULL)
949 rfcomm_dlc_start(dlc);
950 }
951
952 if (len == 0)
953 goto discard;
954
955 if (dlc->rd_rxcred == 0) {
956 DPRINTF("Credit limit reached, UIH discarded\n");
957 goto discard;
958 }
959
960 if (len > dlc->rd_rxsize) {
961 DPRINTF("UIH frame exceeds rxsize, discarded\n");
962 goto discard;
963 }
964
965 dlc->rd_rxcred--;
966 dlc->rd_rxsize -= len;
967 }
968
969 (*dlc->rd_proto->input)(dlc->rd_upper, m);
970 return;
971
972 discard:
973 m_freem(m);
974 }
975
976 /*
977 * Receive Multiplexer Control Command
978 */
979 static void
980 rfcomm_session_recv_mcc(struct rfcomm_session *rs, struct mbuf *m)
981 {
982 int type, cr, len;
983 uint8_t b;
984
985 /*
986 * Extract MCC header.
987 *
988 * Fields are variable length using extension bit = 1 to signify the
989 * last octet in the sequence.
990 *
991 * Only single octet types are defined in TS 07.10/RFCOMM spec
992 *
993 * Length can realistically only use 15 bits (max RFCOMM MTU)
994 */
995 if (m->m_pkthdr.len < sizeof(b)) {
996 DPRINTF("Short MCC header, discarded\n");
997 goto release;
998 }
999
1000 m_copydata(m, 0, sizeof(b), &b);
1001 m_adj(m, sizeof(b));
1002
1003 if (RFCOMM_EA(b) == 0) { /* verify no extensions */
1004 DPRINTF("MCC type EA = 0, discarded\n");
1005 goto release;
1006 }
1007
1008 type = RFCOMM_MCC_TYPE(b);
1009 cr = RFCOMM_CR(b);
1010
1011 len = 0;
1012 do {
1013 if (m->m_pkthdr.len < sizeof(b)) {
1014 DPRINTF("Short MCC header, discarded\n");
1015 goto release;
1016 }
1017
1018 m_copydata(m, 0, sizeof(b), &b);
1019 m_adj(m, sizeof(b));
1020
1021 len = (len << 7) | (b >> 1);
1022 len = min(len, RFCOMM_MTU_MAX);
1023 } while (RFCOMM_EA(b) == 0);
1024
1025 if (len != m->m_pkthdr.len) {
1026 DPRINTF("Incorrect MCC length, discarded\n");
1027 goto release;
1028 }
1029
1030 DPRINTFN(2, "MCC %s type %2.2x (%d bytes)\n",
1031 (cr ? "command" : "response"), type, len);
1032
1033 /*
1034 * pass to command handler
1035 */
1036 switch(type) {
1037 case RFCOMM_MCC_TEST: /* Test */
1038 rfcomm_session_recv_mcc_test(rs, cr, m);
1039 break;
1040
1041 case RFCOMM_MCC_FCON: /* Flow Control On */
1042 rfcomm_session_recv_mcc_fcon(rs, cr);
1043 break;
1044
1045 case RFCOMM_MCC_FCOFF: /* Flow Control Off */
1046 rfcomm_session_recv_mcc_fcoff(rs, cr);
1047 break;
1048
1049 case RFCOMM_MCC_MSC: /* Modem Status Command */
1050 rfcomm_session_recv_mcc_msc(rs, cr, m);
1051 break;
1052
1053 case RFCOMM_MCC_RPN: /* Remote Port Negotiation */
1054 rfcomm_session_recv_mcc_rpn(rs, cr, m);
1055 break;
1056
1057 case RFCOMM_MCC_RLS: /* Remote Line Status */
1058 rfcomm_session_recv_mcc_rls(rs, cr, m);
1059 break;
1060
1061 case RFCOMM_MCC_PN: /* Parameter Negotiation */
1062 rfcomm_session_recv_mcc_pn(rs, cr, m);
1063 break;
1064
1065 case RFCOMM_MCC_NSC: /* Non Supported Command */
1066 rfcomm_session_recv_mcc_nsc(rs, cr, m);
1067 break;
1068
1069 default:
1070 b = RFCOMM_MKMCC_TYPE(cr, type);
1071 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_NSC, &b, sizeof(b));
1072 }
1073
1074 release:
1075 m_freem(m);
1076 }
1077
1078 /*
1079 * process TEST command/response
1080 */
1081 static void
1082 rfcomm_session_recv_mcc_test(struct rfcomm_session *rs, int cr, struct mbuf *m)
1083 {
1084 void *data;
1085 int len;
1086
1087 if (cr == 0) /* ignore ack */
1088 return;
1089
1090 /*
1091 * we must send all the data they included back as is
1092 */
1093
1094 len = m->m_pkthdr.len;
1095 if (len > RFCOMM_MTU_MAX)
1096 return;
1097
1098 data = malloc(len, M_BLUETOOTH, M_NOWAIT);
1099 if (data == NULL)
1100 return;
1101
1102 m_copydata(m, 0, len, data);
1103 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_TEST, data, len);
1104 free(data, M_BLUETOOTH);
1105 }
1106
1107 /*
1108 * process Flow Control ON command/response
1109 */
1110 static void
1111 rfcomm_session_recv_mcc_fcon(struct rfcomm_session *rs, int cr)
1112 {
1113
1114 if (cr == 0) /* ignore ack */
1115 return;
1116
1117 rs->rs_flags |= RFCOMM_SESSION_RFC;
1118 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCON, NULL, 0);
1119 }
1120
1121 /*
1122 * process Flow Control OFF command/response
1123 */
1124 static void
1125 rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *rs, int cr)
1126 {
1127
1128 if (cr == 0) /* ignore ack */
1129 return;
1130
1131 rs->rs_flags &= ~RFCOMM_SESSION_RFC;
1132 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCOFF, NULL, 0);
1133 }
1134
1135 /*
1136 * process Modem Status Command command/response
1137 */
1138 static void
1139 rfcomm_session_recv_mcc_msc(struct rfcomm_session *rs, int cr, struct mbuf *m)
1140 {
1141 struct rfcomm_mcc_msc msc; /* (3 octets) */
1142 struct rfcomm_dlc *dlc;
1143 int len = 0;
1144
1145 /* [ADDRESS] */
1146 if (m->m_pkthdr.len < sizeof(msc.address))
1147 return;
1148
1149 m_copydata(m, 0, sizeof(msc.address), &msc.address);
1150 m_adj(m, sizeof(msc.address));
1151 len += sizeof(msc.address);
1152
1153 dlc = rfcomm_dlc_lookup(rs, RFCOMM_DLCI(msc.address));
1154
1155 if (cr == 0) { /* ignore acks */
1156 if (dlc != NULL)
1157 callout_stop(&dlc->rd_timeout);
1158
1159 return;
1160 }
1161
1162 if (dlc == NULL) {
1163 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM,
1164 RFCOMM_DLCI(msc.address));
1165 return;
1166 }
1167
1168 /* [SIGNALS] */
1169 if (m->m_pkthdr.len < sizeof(msc.modem))
1170 return;
1171
1172 m_copydata(m, 0, sizeof(msc.modem), &msc.modem);
1173 m_adj(m, sizeof(msc.modem));
1174 len += sizeof(msc.modem);
1175
1176 dlc->rd_rmodem = msc.modem;
1177 // XXX how do we signal this upstream?
1178
1179 if (RFCOMM_EA(msc.modem) == 0) {
1180 if (m->m_pkthdr.len < sizeof(msc.brk))
1181 return;
1182
1183 m_copydata(m, 0, sizeof(msc.brk), &msc.brk);
1184 m_adj(m, sizeof(msc.brk));
1185 len += sizeof(msc.brk);
1186
1187 // XXX how do we signal this upstream?
1188 }
1189
1190 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_MSC, &msc, len);
1191 }
1192
1193 /*
1194 * process Remote Port Negotiation command/response
1195 */
1196 static void
1197 rfcomm_session_recv_mcc_rpn(struct rfcomm_session *rs, int cr, struct mbuf *m)
1198 {
1199 struct rfcomm_mcc_rpn rpn;
1200 uint16_t mask;
1201
1202 if (cr == 0) /* ignore ack */
1203 return;
1204
1205 /* default values */
1206 rpn.bit_rate = RFCOMM_RPN_BR_9600;
1207 rpn.line_settings = RFCOMM_RPN_8_N_1;
1208 rpn.flow_control = RFCOMM_RPN_FLOW_NONE;
1209 rpn.xon_char = RFCOMM_RPN_XON_CHAR;
1210 rpn.xoff_char = RFCOMM_RPN_XOFF_CHAR;
1211
1212 if (m->m_pkthdr.len == sizeof(rpn)) {
1213 m_copydata(m, 0, sizeof(rpn), &rpn);
1214 rpn.param_mask = RFCOMM_RPN_PM_ALL;
1215 } else if (m->m_pkthdr.len == 1) {
1216 m_copydata(m, 0, 1, &rpn);
1217 rpn.param_mask = le16toh(rpn.param_mask);
1218 } else {
1219 DPRINTF("Bad RPN length (%d)\n", m->m_pkthdr.len);
1220 return;
1221 }
1222
1223 mask = 0;
1224
1225 if (rpn.param_mask & RFCOMM_RPN_PM_RATE)
1226 mask |= RFCOMM_RPN_PM_RATE;
1227
1228 if (rpn.param_mask & RFCOMM_RPN_PM_DATA
1229 && RFCOMM_RPN_DATA_BITS(rpn.line_settings) == RFCOMM_RPN_DATA_8)
1230 mask |= RFCOMM_RPN_PM_DATA;
1231
1232 if (rpn.param_mask & RFCOMM_RPN_PM_STOP
1233 && RFCOMM_RPN_STOP_BITS(rpn.line_settings) == RFCOMM_RPN_STOP_1)
1234 mask |= RFCOMM_RPN_PM_STOP;
1235
1236 if (rpn.param_mask & RFCOMM_RPN_PM_PARITY
1237 && RFCOMM_RPN_PARITY(rpn.line_settings) == RFCOMM_RPN_PARITY_NONE)
1238 mask |= RFCOMM_RPN_PM_PARITY;
1239
1240 if (rpn.param_mask & RFCOMM_RPN_PM_XON
1241 && rpn.xon_char == RFCOMM_RPN_XON_CHAR)
1242 mask |= RFCOMM_RPN_PM_XON;
1243
1244 if (rpn.param_mask & RFCOMM_RPN_PM_XOFF
1245 && rpn.xoff_char == RFCOMM_RPN_XOFF_CHAR)
1246 mask |= RFCOMM_RPN_PM_XOFF;
1247
1248 if (rpn.param_mask & RFCOMM_RPN_PM_FLOW
1249 && rpn.flow_control == RFCOMM_RPN_FLOW_NONE)
1250 mask |= RFCOMM_RPN_PM_FLOW;
1251
1252 rpn.param_mask = htole16(mask);
1253
1254 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RPN, &rpn, sizeof(rpn));
1255 }
1256
1257 /*
1258 * process Remote Line Status command/response
1259 */
1260 static void
1261 rfcomm_session_recv_mcc_rls(struct rfcomm_session *rs, int cr, struct mbuf *m)
1262 {
1263 struct rfcomm_mcc_rls rls;
1264
1265 if (cr == 0) /* ignore ack */
1266 return;
1267
1268 if (m->m_pkthdr.len != sizeof(rls)) {
1269 DPRINTF("Bad RLS length %d\n", m->m_pkthdr.len);
1270 return;
1271 }
1272
1273 m_copydata(m, 0, sizeof(rls), &rls);
1274
1275 /*
1276 * So far as I can tell, we just send back what
1277 * they sent us. This signifies errors that seem
1278 * irrelevent for RFCOMM over L2CAP.
1279 */
1280 rls.address |= 0x03; /* EA = 1, CR = 1 */
1281 rls.status &= 0x0f; /* only 4 bits valid */
1282
1283 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RLS, &rls, sizeof(rls));
1284 }
1285
1286 /*
1287 * process Parameter Negotiation command/response
1288 */
1289 static void
1290 rfcomm_session_recv_mcc_pn(struct rfcomm_session *rs, int cr, struct mbuf *m)
1291 {
1292 struct rfcomm_dlc *dlc;
1293 struct rfcomm_mcc_pn pn;
1294 int err;
1295
1296 if (m->m_pkthdr.len != sizeof(pn)) {
1297 DPRINTF("Bad PN length %d\n", m->m_pkthdr.len);
1298 return;
1299 }
1300
1301 m_copydata(m, 0, sizeof(pn), &pn);
1302
1303 pn.dlci &= 0x3f;
1304 pn.mtu = le16toh(pn.mtu);
1305
1306 dlc = rfcomm_dlc_lookup(rs, pn.dlci);
1307 if (cr) { /* Command */
1308 /*
1309 * If there is no DLC present, this is a new
1310 * connection so attempt to make one
1311 */
1312 if (dlc == NULL) {
1313 dlc = rfcomm_dlc_newconn(rs, pn.dlci);
1314 if (dlc == NULL)
1315 return; /* (DM is sent) */
1316 }
1317
1318 /* accept any valid MTU, and offer it back */
1319 pn.mtu = min(pn.mtu, RFCOMM_MTU_MAX);
1320 pn.mtu = min(pn.mtu, rs->rs_mtu);
1321 pn.mtu = max(pn.mtu, RFCOMM_MTU_MIN);
1322 dlc->rd_mtu = pn.mtu;
1323 pn.mtu = htole16(pn.mtu);
1324
1325 /* credits are only set before DLC is open */
1326 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT
1327 && (pn.flow_control & 0xf0) == 0xf0) {
1328 rs->rs_flags |= RFCOMM_SESSION_CFC;
1329 dlc->rd_txcred = pn.credits & 0x07;
1330
1331 dlc->rd_rxcred = (dlc->rd_rxsize / dlc->rd_mtu);
1332 dlc->rd_rxcred = min(dlc->rd_rxcred,
1333 RFCOMM_CREDITS_DEFAULT);
1334
1335 pn.flow_control = 0xe0;
1336 pn.credits = dlc->rd_rxcred;
1337 } else {
1338 pn.flow_control = 0x00;
1339 pn.credits = 0x00;
1340 }
1341
1342 /* unused fields must be ignored and set to zero */
1343 pn.ack_timer = 0;
1344 pn.max_retrans = 0;
1345
1346 /* send our response */
1347 err = rfcomm_session_send_mcc(rs, 0,
1348 RFCOMM_MCC_PN, &pn, sizeof(pn));
1349 if (err)
1350 goto close;
1351
1352 } else { /* Response */
1353 /* ignore responses with no matching DLC */
1354 if (dlc == NULL)
1355 return;
1356
1357 callout_stop(&dlc->rd_timeout);
1358
1359 /* reject invalid or unacceptable MTU */
1360 if (pn.mtu < RFCOMM_MTU_MIN || pn.mtu > dlc->rd_mtu) {
1361 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT;
1362 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC,
1363 pn.dlci);
1364 if (err)
1365 goto close;
1366
1367 callout_schedule(&dlc->rd_timeout,
1368 rfcomm_ack_timeout * hz);
1369 return;
1370 }
1371 dlc->rd_mtu = pn.mtu;
1372
1373 /* if DLC is not waiting to connect, we are done */
1374 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT)
1375 return;
1376
1377 /* set initial credits according to RFCOMM spec */
1378 if ((pn.flow_control & 0xf0) == 0xe0) {
1379 rs->rs_flags |= RFCOMM_SESSION_CFC;
1380 dlc->rd_txcred = (pn.credits & 0x07);
1381 }
1382
1383 callout_schedule(&dlc->rd_timeout, rfcomm_ack_timeout * hz);
1384
1385 /* set link mode */
1386 err = rfcomm_dlc_setmode(dlc);
1387 if (err == EINPROGRESS) {
1388 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_SABM;
1389 (*dlc->rd_proto->connecting)(dlc->rd_upper);
1390 return;
1391 }
1392 if (err)
1393 goto close;
1394
1395 /* we can proceed now */
1396 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, pn.dlci);
1397 if (err)
1398 goto close;
1399
1400 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA;
1401 }
1402 return;
1403
1404 close:
1405 rfcomm_dlc_close(dlc, err);
1406 }
1407
1408 /*
1409 * process Non Supported Command command/response
1410 */
1411 static void
1412 rfcomm_session_recv_mcc_nsc(struct rfcomm_session *rs,
1413 int cr, struct mbuf *m)
1414 {
1415 struct rfcomm_dlc *dlc, *next;
1416
1417 /*
1418 * Since we did nothing that is not mandatory,
1419 * we just abort the whole session..
1420 */
1421
1422 next = LIST_FIRST(&rs->rs_dlcs);
1423 while ((dlc = next) != NULL) {
1424 next = LIST_NEXT(dlc, rd_next);
1425 rfcomm_dlc_close(dlc, ECONNABORTED);
1426 }
1427
1428 rfcomm_session_free(rs);
1429 }
1430
1431 /***********************************************************************
1432 *
1433 * RFCOMM Session outward frame/uih/mcc building
1434 */
1435
1436 /*
1437 * SABM/DISC/DM/UA frames are all minimal and mostly identical.
1438 */
1439 int
1440 rfcomm_session_send_frame(struct rfcomm_session *rs, int type, int dlci)
1441 {
1442 struct rfcomm_cmd_hdr *hdr;
1443 struct rfcomm_credit *credit;
1444 struct mbuf *m;
1445 uint8_t fcs, cr;
1446
1447 credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT);
1448 if (credit == NULL)
1449 return ENOMEM;
1450
1451 m = m_gethdr(M_DONTWAIT, MT_DATA);
1452 if (m == NULL) {
1453 pool_put(&rfcomm_credit_pool, credit);
1454 return ENOMEM;
1455 }
1456
1457 /*
1458 * The CR (command/response) bit identifies the frame either as a
1459 * commmand or a response and is used along with the DLCI to form
1460 * the address. Commands contain the non-initiator address, whereas
1461 * responses contain the initiator address, so the CR value is
1462 * also dependent on the session direction.
1463 */
1464 if (type == RFCOMM_FRAME_UA || type == RFCOMM_FRAME_DM)
1465 cr = IS_INITIATOR(rs) ? 0 : 1;
1466 else
1467 cr = IS_INITIATOR(rs) ? 1 : 0;
1468
1469 hdr = mtod(m, struct rfcomm_cmd_hdr *);
1470 hdr->address = RFCOMM_MKADDRESS(cr, dlci);
1471 hdr->control = RFCOMM_MKCONTROL(type, 1); /* PF = 1 */
1472 hdr->length = (0x00 << 1) | 0x01; /* len = 0x00, EA = 1 */
1473
1474 fcs = 0xff;
1475 fcs = FCS(fcs, hdr->address);
1476 fcs = FCS(fcs, hdr->control);
1477 fcs = FCS(fcs, hdr->length);
1478 fcs = 0xff - fcs; /* ones complement */
1479 hdr->fcs = fcs;
1480
1481 m->m_pkthdr.len = m->m_len = sizeof(struct rfcomm_cmd_hdr);
1482
1483 /* empty credit note */
1484 credit->rc_dlc = NULL;
1485 credit->rc_len = m->m_pkthdr.len;
1486 SIMPLEQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next);
1487
1488 DPRINTFN(5, "dlci %d type %2.2x (%d bytes, fcs=%#2.2x)\n",
1489 dlci, type, m->m_pkthdr.len, fcs);
1490
1491 return l2cap_send(rs->rs_l2cap, m);
1492 }
1493
1494 /*
1495 * rfcomm_session_send_uih(rfcomm_session, rfcomm_dlc, credits, mbuf)
1496 *
1497 * UIH frame is per DLC data or Multiplexer Control Commands
1498 * when no DLC is given. Data mbuf is optional (just credits
1499 * will be sent in that case)
1500 */
1501 int
1502 rfcomm_session_send_uih(struct rfcomm_session *rs, struct rfcomm_dlc *dlc,
1503 int credits, struct mbuf *m)
1504 {
1505 struct rfcomm_credit *credit;
1506 struct mbuf *m0 = NULL;
1507 int err, len;
1508 uint8_t fcs, *hdr;
1509
1510 KASSERT(rs != NULL);
1511
1512 len = (m == NULL) ? 0 : m->m_pkthdr.len;
1513 KASSERT(!(credits == 0 && len == 0));
1514
1515 /*
1516 * Make a credit note for the completion notification
1517 */
1518 credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT);
1519 if (credit == NULL)
1520 goto nomem;
1521
1522 credit->rc_len = len;
1523 credit->rc_dlc = dlc;
1524
1525 /*
1526 * Wrap UIH frame information around payload.
1527 *
1528 * [ADDRESS] [CONTROL] [LENGTH] [CREDITS] [...] [FCS]
1529 *
1530 * Address is one octet.
1531 * Control is one octet.
1532 * Length is one or two octets.
1533 * Credits may be one octet.
1534 *
1535 * FCS is one octet and calculated on address and
1536 * control octets only.
1537 *
1538 * If there are credits to be sent, we will set the PF
1539 * flag and include them in the frame.
1540 */
1541 m0 = m_gethdr(M_DONTWAIT, MT_DATA);
1542 if (m0 == NULL)
1543 goto nomem;
1544
1545 MH_ALIGN(m0, 5); /* (max 5 header octets) */
1546 hdr = mtod(m0, uint8_t *);
1547
1548 /* CR bit is set according to the initiator of the session */
1549 *hdr = RFCOMM_MKADDRESS((IS_INITIATOR(rs) ? 1 : 0),
1550 (dlc ? dlc->rd_dlci : 0));
1551 fcs = FCS(0xff, *hdr);
1552 hdr++;
1553
1554 /* PF bit is set if credits are being sent */
1555 *hdr = RFCOMM_MKCONTROL(RFCOMM_FRAME_UIH, (credits > 0 ? 1 : 0));
1556 fcs = FCS(fcs, *hdr);
1557 hdr++;
1558
1559 if (len < (1 << 7)) {
1560 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */
1561 } else {
1562 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */
1563 *hdr++ = ((len >> 7) & 0xff); /* 8 bits, no EA */
1564 }
1565
1566 if (credits > 0)
1567 *hdr++ = (uint8_t)credits;
1568
1569 m0->m_len = hdr - mtod(m0, uint8_t *);
1570
1571 /* Append payload */
1572 m0->m_next = m;
1573 m = NULL;
1574
1575 m0->m_pkthdr.len = m0->m_len + len;
1576
1577 /* Append FCS */
1578 fcs = 0xff - fcs; /* ones complement */
1579 len = m0->m_pkthdr.len;
1580 m_copyback(m0, len, sizeof(fcs), &fcs);
1581 if (m0->m_pkthdr.len != len + sizeof(fcs))
1582 goto nomem;
1583
1584 DPRINTFN(10, "dlci %d, pktlen %d (%d data, %d credits), fcs=%#2.2x\n",
1585 dlc ? dlc->rd_dlci : 0, m0->m_pkthdr.len, credit->rc_len,
1586 credits, fcs);
1587
1588 /*
1589 * UIH frame ready to go..
1590 */
1591 err = l2cap_send(rs->rs_l2cap, m0);
1592 if (err)
1593 goto fail;
1594
1595 SIMPLEQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next);
1596 return 0;
1597
1598 nomem:
1599 err = ENOMEM;
1600
1601 if (m0 != NULL)
1602 m_freem(m0);
1603
1604 if (m != NULL)
1605 m_freem(m);
1606
1607 fail:
1608 if (credit != NULL)
1609 pool_put(&rfcomm_credit_pool, credit);
1610
1611 return err;
1612 }
1613
1614 /*
1615 * send Multiplexer Control Command (or Response) on session
1616 */
1617 int
1618 rfcomm_session_send_mcc(struct rfcomm_session *rs, int cr,
1619 uint8_t type, void *data, int len)
1620 {
1621 struct mbuf *m;
1622 uint8_t *hdr;
1623 int hlen;
1624
1625 m = m_gethdr(M_DONTWAIT, MT_DATA);
1626 if (m == NULL)
1627 return ENOMEM;
1628
1629 hdr = mtod(m, uint8_t *);
1630
1631 /*
1632 * Technically the type field can extend past one octet, but none
1633 * currently defined will do that.
1634 */
1635 *hdr++ = RFCOMM_MKMCC_TYPE(cr, type);
1636
1637 /*
1638 * In the frame, the max length size is 2 octets (15 bits) whereas
1639 * no max length size is specified for MCC commands. We must allow
1640 * for 3 octets since for MCC frames we use 7 bits + EA in each.
1641 *
1642 * Only test data can possibly be that big.
1643 *
1644 * XXX Should we check this against the MTU?
1645 */
1646 if (len < (1 << 7)) {
1647 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */
1648 } else if (len < (1 << 14)) {
1649 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */
1650 *hdr++ = ((len >> 6) & 0xfe) | 0x01; /* 7 bits, EA = 1 */
1651 } else if (len < (1 << 15)) {
1652 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */
1653 *hdr++ = ((len >> 6) & 0xfe); /* 7 bits, EA = 0 */
1654 *hdr++ = ((len >> 13) & 0x02) | 0x01; /* 1 bit, EA = 1 */
1655 } else {
1656 DPRINTF("incredible length! (%d)\n", len);
1657 m_freem(m);
1658 return EMSGSIZE;
1659 }
1660
1661 /*
1662 * add command data (to same mbuf if possible)
1663 */
1664 hlen = hdr - mtod(m, uint8_t *);
1665
1666 if (len > 0) {
1667 m->m_pkthdr.len = m->m_len = MHLEN;
1668 m_copyback(m, hlen, len, data);
1669 if (m->m_pkthdr.len != max(MHLEN, hlen + len)) {
1670 m_freem(m);
1671 return ENOMEM;
1672 }
1673 }
1674
1675 m->m_pkthdr.len = hlen + len;
1676 m->m_len = min(MHLEN, m->m_pkthdr.len);
1677
1678 DPRINTFN(5, "%s type %2.2x len %d\n",
1679 (cr ? "command" : "response"), type, m->m_pkthdr.len);
1680
1681 return rfcomm_session_send_uih(rs, NULL, 0, m);
1682 }
Cache object: cdf4b133a6f510711878da0c0a29d5c1
|