1 /* $NetBSD: rfcomm_session.c,v 1.14.4.1 2010/01/03 17:52:13 jdc Exp $ */
2
3 /*-
4 * Copyright (c) 2006 Itronix Inc.
5 * All rights reserved.
6 *
7 * Written by Iain Hibbert for Itronix Inc.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. The name of Itronix Inc. may not be used to endorse
18 * or promote products derived from this software without specific
19 * prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
23 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
24 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY
25 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
28 * ON ANY THEORY OF LIABILITY, WHETHER IN
29 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
30 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
32 */
33
34 #include <sys/cdefs.h>
35 __KERNEL_RCSID(0, "$NetBSD: rfcomm_session.c,v 1.14.4.1 2010/01/03 17:52:13 jdc Exp $");
36
37 #include <sys/param.h>
38 #include <sys/kernel.h>
39 #include <sys/mbuf.h>
40 #include <sys/proc.h>
41 #include <sys/socketvar.h>
42 #include <sys/systm.h>
43 #include <sys/types.h>
44
45 #include <netbt/bluetooth.h>
46 #include <netbt/hci.h>
47 #include <netbt/l2cap.h>
48 #include <netbt/rfcomm.h>
49
50 /******************************************************************************
51 *
52 * RFCOMM Multiplexer Sessions sit directly on L2CAP channels, and can
53 * multiplex up to 30 incoming and 30 outgoing connections.
54 * Only one Multiplexer is allowed between any two devices.
55 */
56
57 static void rfcomm_session_timeout(void *);
58 static void rfcomm_session_recv_sabm(struct rfcomm_session *, int);
59 static void rfcomm_session_recv_disc(struct rfcomm_session *, int);
60 static void rfcomm_session_recv_ua(struct rfcomm_session *, int);
61 static void rfcomm_session_recv_dm(struct rfcomm_session *, int);
62 static void rfcomm_session_recv_uih(struct rfcomm_session *, int, int, struct mbuf *, int);
63 static void rfcomm_session_recv_mcc(struct rfcomm_session *, struct mbuf *);
64 static void rfcomm_session_recv_mcc_test(struct rfcomm_session *, int, struct mbuf *);
65 static void rfcomm_session_recv_mcc_fcon(struct rfcomm_session *, int);
66 static void rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *, int);
67 static void rfcomm_session_recv_mcc_msc(struct rfcomm_session *, int, struct mbuf *);
68 static void rfcomm_session_recv_mcc_rpn(struct rfcomm_session *, int, struct mbuf *);
69 static void rfcomm_session_recv_mcc_rls(struct rfcomm_session *, int, struct mbuf *);
70 static void rfcomm_session_recv_mcc_pn(struct rfcomm_session *, int, struct mbuf *);
71 static void rfcomm_session_recv_mcc_nsc(struct rfcomm_session *, int, struct mbuf *);
72
73 /* L2CAP callbacks */
74 static void rfcomm_session_connecting(void *);
75 static void rfcomm_session_connected(void *);
76 static void rfcomm_session_disconnected(void *, int);
77 static void *rfcomm_session_newconn(void *, struct sockaddr_bt *, struct sockaddr_bt *);
78 static void rfcomm_session_complete(void *, int);
79 static void rfcomm_session_linkmode(void *, int);
80 static void rfcomm_session_input(void *, struct mbuf *);
81
82 static const struct btproto rfcomm_session_proto = {
83 rfcomm_session_connecting,
84 rfcomm_session_connected,
85 rfcomm_session_disconnected,
86 rfcomm_session_newconn,
87 rfcomm_session_complete,
88 rfcomm_session_linkmode,
89 rfcomm_session_input,
90 };
91
92 struct rfcomm_session_list
93 rfcomm_session_active = LIST_HEAD_INITIALIZER(rfcomm_session_active);
94
95 struct rfcomm_session_list
96 rfcomm_session_listen = LIST_HEAD_INITIALIZER(rfcomm_session_listen);
97
98 POOL_INIT(rfcomm_credit_pool, sizeof(struct rfcomm_credit),
99 0, 0, 0, "rfcomm_credit", NULL, IPL_SOFTNET);
100
101 /*
102 * RFCOMM System Parameters (see section 5.3)
103 */
104 int rfcomm_mtu_default = 127; /* bytes */
105 int rfcomm_ack_timeout = 20; /* seconds */
106 int rfcomm_mcc_timeout = 20; /* seconds */
107
108 /*
109 * Reversed CRC table as per TS 07.10 Annex B.3.5
110 */
111 static const uint8_t crctable[256] = { /* reversed, 8-bit, poly=0x07 */
112 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
113 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
114 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
115 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
116
117 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
118 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
119 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
120 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
121
122 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
123 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
124 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
125 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
126
127 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
128 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
129 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
130 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
131
132 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
133 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
134 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
135 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
136
137 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
138 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
139 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
140 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
141
142 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
143 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
144 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
145 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
146
147 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
148 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
149 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
150 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
151 };
152
153 #define FCS(f, d) crctable[(f) ^ (d)]
154
155 /*
156 * rfcomm_session_alloc(list, sockaddr)
157 *
158 * allocate a new session and fill in the blanks, then
159 * attach session to front of specified list (active or listen)
160 */
161 struct rfcomm_session *
162 rfcomm_session_alloc(struct rfcomm_session_list *list,
163 struct sockaddr_bt *laddr)
164 {
165 struct rfcomm_session *rs;
166 struct sockopt sopt;
167 int err;
168
169 rs = malloc(sizeof(*rs), M_BLUETOOTH, M_NOWAIT | M_ZERO);
170 if (rs == NULL)
171 return NULL;
172
173 rs->rs_state = RFCOMM_SESSION_CLOSED;
174
175 callout_init(&rs->rs_timeout, 0);
176 callout_setfunc(&rs->rs_timeout, rfcomm_session_timeout, rs);
177
178 SIMPLEQ_INIT(&rs->rs_credits);
179 LIST_INIT(&rs->rs_dlcs);
180
181 err = l2cap_attach(&rs->rs_l2cap, &rfcomm_session_proto, rs);
182 if (err) {
183 free(rs, M_BLUETOOTH);
184 return NULL;
185 }
186
187 sockopt_init(&sopt, BTPROTO_L2CAP, SO_L2CAP_OMTU, 0);
188 (void)l2cap_getopt(rs->rs_l2cap, &sopt);
189 (void)sockopt_get(&sopt, &rs->rs_mtu, sizeof(rs->rs_mtu));
190 sockopt_destroy(&sopt);
191
192 if (laddr->bt_psm == L2CAP_PSM_ANY)
193 laddr->bt_psm = L2CAP_PSM_RFCOMM;
194
195 (void)l2cap_bind(rs->rs_l2cap, laddr);
196
197 LIST_INSERT_HEAD(list, rs, rs_next);
198
199 return rs;
200 }
201
202 /*
203 * rfcomm_session_free(rfcomm_session)
204 *
205 * release a session, including any cleanup
206 */
207 void
208 rfcomm_session_free(struct rfcomm_session *rs)
209 {
210 struct rfcomm_credit *credit;
211
212 KASSERT(rs != NULL);
213 KASSERT(LIST_EMPTY(&rs->rs_dlcs));
214
215 rs->rs_state = RFCOMM_SESSION_CLOSED;
216
217 /*
218 * If the callout is already invoked we have no way to stop it,
219 * but it will call us back right away (there are no DLC's) so
220 * not to worry.
221 */
222 callout_stop(&rs->rs_timeout);
223 if (callout_invoking(&rs->rs_timeout))
224 return;
225
226 /*
227 * Take care that rfcomm_session_disconnected() doesnt call
228 * us back either as it will do if the l2cap_channel has not
229 * been closed when we detach it..
230 */
231 if (rs->rs_flags & RFCOMM_SESSION_FREE)
232 return;
233
234 rs->rs_flags |= RFCOMM_SESSION_FREE;
235
236 /* throw away any remaining credit notes */
237 while ((credit = SIMPLEQ_FIRST(&rs->rs_credits)) != NULL) {
238 SIMPLEQ_REMOVE_HEAD(&rs->rs_credits, rc_next);
239 pool_put(&rfcomm_credit_pool, credit);
240 }
241
242 KASSERT(SIMPLEQ_EMPTY(&rs->rs_credits));
243
244 /* Goodbye! */
245 LIST_REMOVE(rs, rs_next);
246 l2cap_detach(&rs->rs_l2cap);
247 callout_destroy(&rs->rs_timeout);
248 free(rs, M_BLUETOOTH);
249 }
250
251 /*
252 * rfcomm_session_lookup(sockaddr, sockaddr)
253 *
254 * Find active rfcomm session matching src and dest addresses
255 * when src is BDADDR_ANY match any local address
256 */
257 struct rfcomm_session *
258 rfcomm_session_lookup(struct sockaddr_bt *src, struct sockaddr_bt *dest)
259 {
260 struct rfcomm_session *rs;
261 struct sockaddr_bt addr;
262
263 LIST_FOREACH(rs, &rfcomm_session_active, rs_next) {
264 if (rs->rs_state == RFCOMM_SESSION_CLOSED)
265 continue;
266
267 l2cap_sockaddr(rs->rs_l2cap, &addr);
268
269 if (bdaddr_same(&src->bt_bdaddr, &addr.bt_bdaddr) == 0)
270 if (bdaddr_any(&src->bt_bdaddr) == 0)
271 continue;
272
273 l2cap_peeraddr(rs->rs_l2cap, &addr);
274
275 if (addr.bt_psm != dest->bt_psm)
276 continue;
277
278 if (bdaddr_same(&dest->bt_bdaddr, &addr.bt_bdaddr))
279 break;
280 }
281
282 return rs;
283 }
284
285 /*
286 * rfcomm_session_timeout(rfcomm_session)
287 *
288 * Session timeouts are scheduled when a session is left or
289 * created with no DLCs, and when SABM(0) or DISC(0) are
290 * sent.
291 *
292 * So, if it is in an open state with DLC's attached then
293 * we leave it alone, otherwise the session is lost.
294 */
295 static void
296 rfcomm_session_timeout(void *arg)
297 {
298 struct rfcomm_session *rs = arg;
299 struct rfcomm_dlc *dlc;
300
301 KASSERT(rs != NULL);
302
303 mutex_enter(bt_lock);
304 callout_ack(&rs->rs_timeout);
305
306 if (rs->rs_state != RFCOMM_SESSION_OPEN) {
307 DPRINTF("timeout\n");
308 rs->rs_state = RFCOMM_SESSION_CLOSED;
309
310 while (!LIST_EMPTY(&rs->rs_dlcs)) {
311 dlc = LIST_FIRST(&rs->rs_dlcs);
312
313 rfcomm_dlc_close(dlc, ETIMEDOUT);
314 }
315 }
316
317 if (LIST_EMPTY(&rs->rs_dlcs)) {
318 DPRINTF("expiring\n");
319 rfcomm_session_free(rs);
320 }
321 mutex_exit(bt_lock);
322 }
323
324 /***********************************************************************
325 *
326 * RFCOMM Session L2CAP protocol callbacks
327 *
328 */
329
330 static void
331 rfcomm_session_connecting(void *arg)
332 {
333 /* struct rfcomm_session *rs = arg; */
334
335 DPRINTF("Connecting\n");
336 }
337
338 static void
339 rfcomm_session_connected(void *arg)
340 {
341 struct rfcomm_session *rs = arg;
342 struct sockopt sopt;
343
344 DPRINTF("Connected\n");
345
346 /*
347 * L2CAP is open.
348 *
349 * If we are initiator, we can send our SABM(0)
350 * a timeout should be active?
351 *
352 * We must take note of the L2CAP MTU because currently
353 * the L2CAP implementation can only do Basic Mode.
354 */
355 sockopt_init(&sopt, BTPROTO_L2CAP, SO_L2CAP_OMTU, 0);
356 (void)l2cap_getopt(rs->rs_l2cap, &sopt);
357 (void)sockopt_get(&sopt, &rs->rs_mtu, sizeof(rs->rs_mtu));
358 sockopt_destroy(&sopt);
359
360 rs->rs_mtu -= 6; /* (RFCOMM overhead could be this big) */
361 if (rs->rs_mtu < RFCOMM_MTU_MIN) {
362 rfcomm_session_disconnected(rs, EINVAL);
363 return;
364 }
365
366 if (IS_INITIATOR(rs)) {
367 int err;
368
369 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, 0);
370 if (err)
371 rfcomm_session_disconnected(rs, err);
372
373 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz);
374 }
375 }
376
377 static void
378 rfcomm_session_disconnected(void *arg, int err)
379 {
380 struct rfcomm_session *rs = arg;
381 struct rfcomm_dlc *dlc;
382
383 DPRINTF("Disconnected\n");
384
385 rs->rs_state = RFCOMM_SESSION_CLOSED;
386
387 while (!LIST_EMPTY(&rs->rs_dlcs)) {
388 dlc = LIST_FIRST(&rs->rs_dlcs);
389
390 rfcomm_dlc_close(dlc, err);
391 }
392
393 rfcomm_session_free(rs);
394 }
395
396 static void *
397 rfcomm_session_newconn(void *arg, struct sockaddr_bt *laddr,
398 struct sockaddr_bt *raddr)
399 {
400 struct rfcomm_session *new, *rs = arg;
401
402 DPRINTF("New Connection\n");
403
404 /*
405 * Incoming session connect request. We should return a new
406 * session pointer if this is acceptable. The L2CAP layer
407 * passes local and remote addresses, which we must check as
408 * only one RFCOMM session is allowed between any two devices
409 */
410 new = rfcomm_session_lookup(laddr, raddr);
411 if (new != NULL)
412 return NULL;
413
414 new = rfcomm_session_alloc(&rfcomm_session_active, laddr);
415 if (new == NULL)
416 return NULL;
417
418 new->rs_mtu = rs->rs_mtu;
419 new->rs_state = RFCOMM_SESSION_WAIT_CONNECT;
420
421 /*
422 * schedule an expiry so that if nothing comes of it we
423 * can punt.
424 */
425 callout_schedule(&new->rs_timeout, rfcomm_mcc_timeout * hz);
426
427 return new->rs_l2cap;
428 }
429
430 static void
431 rfcomm_session_complete(void *arg, int count)
432 {
433 struct rfcomm_session *rs = arg;
434 struct rfcomm_credit *credit;
435 struct rfcomm_dlc *dlc;
436
437 /*
438 * count L2CAP packets are 'complete', meaning that they are cleared
439 * our buffers (for best effort) or arrived safe (for guaranteed) so
440 * we can take it off our list and pass the message on, so that
441 * eventually the data can be removed from the sockbuf
442 */
443 while (count-- > 0) {
444 credit = SIMPLEQ_FIRST(&rs->rs_credits);
445 #ifdef DIAGNOSTIC
446 if (credit == NULL) {
447 printf("%s: too many packets completed!\n", __func__);
448 break;
449 }
450 #endif
451 dlc = credit->rc_dlc;
452 if (dlc != NULL) {
453 dlc->rd_pending--;
454 (*dlc->rd_proto->complete)
455 (dlc->rd_upper, credit->rc_len);
456
457 /*
458 * if not using credit flow control, we may push
459 * more data now
460 */
461 if ((rs->rs_flags & RFCOMM_SESSION_CFC) == 0
462 && dlc->rd_state == RFCOMM_DLC_OPEN) {
463 rfcomm_dlc_start(dlc);
464 }
465
466 /*
467 * When shutdown is indicated, we are just waiting to
468 * clear outgoing data.
469 */
470 if ((dlc->rd_flags & RFCOMM_DLC_SHUTDOWN)
471 && dlc->rd_txbuf == NULL && dlc->rd_pending == 0) {
472 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT;
473 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC,
474 dlc->rd_dlci);
475 callout_schedule(&dlc->rd_timeout,
476 rfcomm_ack_timeout * hz);
477 }
478 }
479
480 SIMPLEQ_REMOVE_HEAD(&rs->rs_credits, rc_next);
481 pool_put(&rfcomm_credit_pool, credit);
482 }
483
484 /*
485 * If session is closed, we are just waiting to clear the queue
486 */
487 if (rs->rs_state == RFCOMM_SESSION_CLOSED) {
488 if (SIMPLEQ_EMPTY(&rs->rs_credits))
489 l2cap_disconnect(rs->rs_l2cap, 0);
490 }
491 }
492
493 /*
494 * Link Mode changed
495 *
496 * This is called when a mode change is complete. Proceed with connections
497 * where appropriate, or pass the new mode to any active DLCs.
498 */
499 static void
500 rfcomm_session_linkmode(void *arg, int new)
501 {
502 struct rfcomm_session *rs = arg;
503 struct rfcomm_dlc *dlc, *next;
504 int err, mode = 0;
505
506 DPRINTF("auth %s, encrypt %s, secure %s\n",
507 (new & L2CAP_LM_AUTH ? "on" : "off"),
508 (new & L2CAP_LM_ENCRYPT ? "on" : "off"),
509 (new & L2CAP_LM_SECURE ? "on" : "off"));
510
511 if (new & L2CAP_LM_AUTH)
512 mode |= RFCOMM_LM_AUTH;
513
514 if (new & L2CAP_LM_ENCRYPT)
515 mode |= RFCOMM_LM_ENCRYPT;
516
517 if (new & L2CAP_LM_SECURE)
518 mode |= RFCOMM_LM_SECURE;
519
520 next = LIST_FIRST(&rs->rs_dlcs);
521 while ((dlc = next) != NULL) {
522 next = LIST_NEXT(dlc, rd_next);
523
524 switch (dlc->rd_state) {
525 case RFCOMM_DLC_WAIT_SEND_SABM: /* we are connecting */
526 if ((mode & dlc->rd_mode) != dlc->rd_mode) {
527 rfcomm_dlc_close(dlc, ECONNABORTED);
528 } else {
529 err = rfcomm_session_send_frame(rs,
530 RFCOMM_FRAME_SABM, dlc->rd_dlci);
531 if (err) {
532 rfcomm_dlc_close(dlc, err);
533 } else {
534 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA;
535 callout_schedule(&dlc->rd_timeout,
536 rfcomm_ack_timeout * hz);
537 break;
538 }
539 }
540
541 /*
542 * If we aborted the connection and there are no more DLCs
543 * on the session, it is our responsibility to disconnect.
544 */
545 if (!LIST_EMPTY(&rs->rs_dlcs))
546 break;
547
548 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT;
549 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0);
550 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz);
551 break;
552
553 case RFCOMM_DLC_WAIT_SEND_UA: /* they are connecting */
554 if ((mode & dlc->rd_mode) != dlc->rd_mode) {
555 rfcomm_session_send_frame(rs,
556 RFCOMM_FRAME_DM, dlc->rd_dlci);
557 rfcomm_dlc_close(dlc, ECONNABORTED);
558 break;
559 }
560
561 err = rfcomm_session_send_frame(rs,
562 RFCOMM_FRAME_UA, dlc->rd_dlci);
563 if (err) {
564 rfcomm_session_send_frame(rs,
565 RFCOMM_FRAME_DM, dlc->rd_dlci);
566 rfcomm_dlc_close(dlc, err);
567 break;
568 }
569
570 err = rfcomm_dlc_open(dlc);
571 if (err) {
572 rfcomm_session_send_frame(rs,
573 RFCOMM_FRAME_DM, dlc->rd_dlci);
574 rfcomm_dlc_close(dlc, err);
575 break;
576 }
577
578 break;
579
580 case RFCOMM_DLC_WAIT_RECV_UA:
581 case RFCOMM_DLC_OPEN: /* already established */
582 (*dlc->rd_proto->linkmode)(dlc->rd_upper, mode);
583 break;
584
585 default:
586 break;
587 }
588 }
589 }
590
591 /*
592 * Receive data from L2CAP layer for session. There is always exactly one
593 * RFCOMM frame contained in each L2CAP frame.
594 */
595 static void
596 rfcomm_session_input(void *arg, struct mbuf *m)
597 {
598 struct rfcomm_session *rs = arg;
599 int dlci, len, type, pf;
600 uint8_t fcs, b;
601
602 KASSERT(m != NULL);
603 KASSERT(rs != NULL);
604
605 /*
606 * UIH frames: FCS is only calculated on address and control fields
607 * For other frames: FCS is calculated on address, control and length
608 * Length may extend to two octets
609 */
610 fcs = 0xff;
611
612 if (m->m_pkthdr.len < 4) {
613 DPRINTF("short frame (%d), discarded\n", m->m_pkthdr.len);
614 goto done;
615 }
616
617 /* address - one octet */
618 m_copydata(m, 0, 1, &b);
619 m_adj(m, 1);
620 fcs = FCS(fcs, b);
621 dlci = RFCOMM_DLCI(b);
622
623 /* control - one octet */
624 m_copydata(m, 0, 1, &b);
625 m_adj(m, 1);
626 fcs = FCS(fcs, b);
627 type = RFCOMM_TYPE(b);
628 pf = RFCOMM_PF(b);
629
630 /* length - may be two octets */
631 m_copydata(m, 0, 1, &b);
632 m_adj(m, 1);
633 if (type != RFCOMM_FRAME_UIH)
634 fcs = FCS(fcs, b);
635 len = (b >> 1) & 0x7f;
636
637 if (RFCOMM_EA(b) == 0) {
638 if (m->m_pkthdr.len < 2) {
639 DPRINTF("short frame (%d, EA = 0), discarded\n",
640 m->m_pkthdr.len);
641 goto done;
642 }
643
644 m_copydata(m, 0, 1, &b);
645 m_adj(m, 1);
646 if (type != RFCOMM_FRAME_UIH)
647 fcs = FCS(fcs, b);
648
649 len |= (b << 7);
650 }
651
652 /* FCS byte is last octet in frame */
653 m_copydata(m, m->m_pkthdr.len - 1, 1, &b);
654 m_adj(m, -1);
655 fcs = FCS(fcs, b);
656
657 if (fcs != 0xcf) {
658 DPRINTF("Bad FCS value (%#2.2x), frame discarded\n", fcs);
659 goto done;
660 }
661
662 DPRINTFN(10, "dlci %d, type %2.2x, len = %d\n", dlci, type, len);
663
664 switch (type) {
665 case RFCOMM_FRAME_SABM:
666 if (pf)
667 rfcomm_session_recv_sabm(rs, dlci);
668 break;
669
670 case RFCOMM_FRAME_DISC:
671 if (pf)
672 rfcomm_session_recv_disc(rs, dlci);
673 break;
674
675 case RFCOMM_FRAME_UA:
676 if (pf)
677 rfcomm_session_recv_ua(rs, dlci);
678 break;
679
680 case RFCOMM_FRAME_DM:
681 rfcomm_session_recv_dm(rs, dlci);
682 break;
683
684 case RFCOMM_FRAME_UIH:
685 rfcomm_session_recv_uih(rs, dlci, pf, m, len);
686 return; /* (no release) */
687
688 default:
689 UNKNOWN(type);
690 break;
691 }
692
693 done:
694 m_freem(m);
695 }
696
697 /***********************************************************************
698 *
699 * RFCOMM Session receive processing
700 */
701
702 /*
703 * rfcomm_session_recv_sabm(rfcomm_session, dlci)
704 *
705 * Set Asyncrhonous Balanced Mode - open the channel.
706 */
707 static void
708 rfcomm_session_recv_sabm(struct rfcomm_session *rs, int dlci)
709 {
710 struct rfcomm_dlc *dlc;
711 int err;
712
713 DPRINTFN(5, "SABM(%d)\n", dlci);
714
715 if (dlci == 0) { /* Open Session */
716 rs->rs_state = RFCOMM_SESSION_OPEN;
717 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0);
718 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) {
719 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION)
720 rfcomm_dlc_connect(dlc);
721 }
722 return;
723 }
724
725 if (rs->rs_state != RFCOMM_SESSION_OPEN) {
726 DPRINTF("session was not even open!\n");
727 return;
728 }
729
730 /* validate direction bit */
731 if ((IS_INITIATOR(rs) && !RFCOMM_DIRECTION(dlci))
732 || (!IS_INITIATOR(rs) && RFCOMM_DIRECTION(dlci))) {
733 DPRINTF("Invalid direction bit on DLCI\n");
734 return;
735 }
736
737 /*
738 * look for our DLC - this may exist if we received PN
739 * already, or we may have to fabricate a new one.
740 */
741 dlc = rfcomm_dlc_lookup(rs, dlci);
742 if (dlc == NULL) {
743 dlc = rfcomm_dlc_newconn(rs, dlci);
744 if (dlc == NULL)
745 return; /* (DM is sent) */
746 }
747
748 /*
749 * ..but if this DLC is not waiting to connect, they did
750 * something wrong, ignore it.
751 */
752 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT)
753 return;
754
755 /* set link mode */
756 err = rfcomm_dlc_setmode(dlc);
757 if (err == EINPROGRESS) {
758 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_UA;
759 (*dlc->rd_proto->connecting)(dlc->rd_upper);
760 return;
761 }
762 if (err)
763 goto close;
764
765 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci);
766 if (err)
767 goto close;
768
769 /* and mark it open */
770 err = rfcomm_dlc_open(dlc);
771 if (err)
772 goto close;
773
774 return;
775
776 close:
777 rfcomm_dlc_close(dlc, err);
778 }
779
780 /*
781 * Receive Disconnect Command
782 */
783 static void
784 rfcomm_session_recv_disc(struct rfcomm_session *rs, int dlci)
785 {
786 struct rfcomm_dlc *dlc;
787
788 DPRINTFN(5, "DISC(%d)\n", dlci);
789
790 if (dlci == 0) {
791 /*
792 * Disconnect Session
793 *
794 * We set the session state to CLOSED so that when
795 * the UA frame is clear the session will be closed
796 * automatically. We wont bother to close any DLC's
797 * just yet as there should be none. In the unlikely
798 * event that something is left, it will get flushed
799 * out as the session goes down.
800 */
801 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0);
802 rs->rs_state = RFCOMM_SESSION_CLOSED;
803 return;
804 }
805
806 dlc = rfcomm_dlc_lookup(rs, dlci);
807 if (dlc == NULL) {
808 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci);
809 return;
810 }
811
812 rfcomm_dlc_close(dlc, ECONNRESET);
813 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci);
814 }
815
816 /*
817 * Receive Unnumbered Acknowledgement Response
818 *
819 * This should be a response to a DISC or SABM frame that we
820 * have previously sent. If unexpected, ignore it.
821 */
822 static void
823 rfcomm_session_recv_ua(struct rfcomm_session *rs, int dlci)
824 {
825 struct rfcomm_dlc *dlc;
826
827 DPRINTFN(5, "UA(%d)\n", dlci);
828
829 if (dlci == 0) {
830 switch (rs->rs_state) {
831 case RFCOMM_SESSION_WAIT_CONNECT: /* We sent SABM */
832 callout_stop(&rs->rs_timeout);
833 rs->rs_state = RFCOMM_SESSION_OPEN;
834 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) {
835 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION)
836 rfcomm_dlc_connect(dlc);
837 }
838 break;
839
840 case RFCOMM_SESSION_WAIT_DISCONNECT: /* We sent DISC */
841 callout_stop(&rs->rs_timeout);
842 rs->rs_state = RFCOMM_SESSION_CLOSED;
843 l2cap_disconnect(rs->rs_l2cap, 0);
844 break;
845
846 default:
847 DPRINTF("Received spurious UA(0)!\n");
848 break;
849 }
850
851 return;
852 }
853
854 /*
855 * If we have no DLC on this dlci, we may have aborted
856 * without shutting down properly, so check if the session
857 * needs disconnecting.
858 */
859 dlc = rfcomm_dlc_lookup(rs, dlci);
860 if (dlc == NULL)
861 goto check;
862
863 switch (dlc->rd_state) {
864 case RFCOMM_DLC_WAIT_RECV_UA: /* We sent SABM */
865 rfcomm_dlc_open(dlc);
866 return;
867
868 case RFCOMM_DLC_WAIT_DISCONNECT: /* We sent DISC */
869 rfcomm_dlc_close(dlc, 0);
870 break;
871
872 default:
873 DPRINTF("Received spurious UA(%d)!\n", dlci);
874 return;
875 }
876
877 check: /* last one out turns out the light */
878 if (LIST_EMPTY(&rs->rs_dlcs)) {
879 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT;
880 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0);
881 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz);
882 }
883 }
884
885 /*
886 * Receive Disconnected Mode Response
887 *
888 * If this does not apply to a known DLC then we may ignore it.
889 */
890 static void
891 rfcomm_session_recv_dm(struct rfcomm_session *rs, int dlci)
892 {
893 struct rfcomm_dlc *dlc;
894
895 DPRINTFN(5, "DM(%d)\n", dlci);
896
897 dlc = rfcomm_dlc_lookup(rs, dlci);
898 if (dlc == NULL)
899 return;
900
901 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT)
902 rfcomm_dlc_close(dlc, ECONNREFUSED);
903 else
904 rfcomm_dlc_close(dlc, ECONNRESET);
905 }
906
907 /*
908 * Receive Unnumbered Information with Header check (MCC or data packet)
909 */
910 static void
911 rfcomm_session_recv_uih(struct rfcomm_session *rs, int dlci,
912 int pf, struct mbuf *m, int len)
913 {
914 struct rfcomm_dlc *dlc;
915 uint8_t credits = 0;
916
917 DPRINTFN(10, "UIH(%d)\n", dlci);
918
919 if (dlci == 0) {
920 rfcomm_session_recv_mcc(rs, m);
921 return;
922 }
923
924 if (m->m_pkthdr.len != len + pf) {
925 DPRINTF("Bad Frame Length (%d), frame discarded\n",
926 m->m_pkthdr.len);
927
928 goto discard;
929 }
930
931 dlc = rfcomm_dlc_lookup(rs, dlci);
932 if (dlc == NULL) {
933 DPRINTF("UIH received for non existent DLC, discarded\n");
934 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci);
935 goto discard;
936 }
937
938 if (dlc->rd_state != RFCOMM_DLC_OPEN) {
939 DPRINTF("non-open DLC (state = %d), discarded\n",
940 dlc->rd_state);
941 goto discard;
942 }
943
944 /* if PF is set, credits were included */
945 if (rs->rs_flags & RFCOMM_SESSION_CFC) {
946 if (pf != 0) {
947 if (m->m_pkthdr.len < sizeof(credits)) {
948 DPRINTF("Bad PF value, UIH discarded\n");
949 goto discard;
950 }
951
952 m_copydata(m, 0, sizeof(credits), &credits);
953 m_adj(m, sizeof(credits));
954
955 dlc->rd_txcred += credits;
956
957 if (credits > 0 && dlc->rd_txbuf != NULL)
958 rfcomm_dlc_start(dlc);
959 }
960
961 if (len == 0)
962 goto discard;
963
964 if (dlc->rd_rxcred == 0) {
965 DPRINTF("Credit limit reached, UIH discarded\n");
966 goto discard;
967 }
968
969 if (len > dlc->rd_rxsize) {
970 DPRINTF("UIH frame exceeds rxsize, discarded\n");
971 goto discard;
972 }
973
974 dlc->rd_rxcred--;
975 dlc->rd_rxsize -= len;
976 }
977
978 (*dlc->rd_proto->input)(dlc->rd_upper, m);
979 return;
980
981 discard:
982 m_freem(m);
983 }
984
985 /*
986 * Receive Multiplexer Control Command
987 */
988 static void
989 rfcomm_session_recv_mcc(struct rfcomm_session *rs, struct mbuf *m)
990 {
991 int type, cr, len;
992 uint8_t b;
993
994 /*
995 * Extract MCC header.
996 *
997 * Fields are variable length using extension bit = 1 to signify the
998 * last octet in the sequence.
999 *
1000 * Only single octet types are defined in TS 07.10/RFCOMM spec
1001 *
1002 * Length can realistically only use 15 bits (max RFCOMM MTU)
1003 */
1004 if (m->m_pkthdr.len < sizeof(b)) {
1005 DPRINTF("Short MCC header, discarded\n");
1006 goto release;
1007 }
1008
1009 m_copydata(m, 0, sizeof(b), &b);
1010 m_adj(m, sizeof(b));
1011
1012 if (RFCOMM_EA(b) == 0) { /* verify no extensions */
1013 DPRINTF("MCC type EA = 0, discarded\n");
1014 goto release;
1015 }
1016
1017 type = RFCOMM_MCC_TYPE(b);
1018 cr = RFCOMM_CR(b);
1019
1020 len = 0;
1021 do {
1022 if (m->m_pkthdr.len < sizeof(b)) {
1023 DPRINTF("Short MCC header, discarded\n");
1024 goto release;
1025 }
1026
1027 m_copydata(m, 0, sizeof(b), &b);
1028 m_adj(m, sizeof(b));
1029
1030 len = (len << 7) | (b >> 1);
1031 len = min(len, RFCOMM_MTU_MAX);
1032 } while (RFCOMM_EA(b) == 0);
1033
1034 if (len != m->m_pkthdr.len) {
1035 DPRINTF("Incorrect MCC length, discarded\n");
1036 goto release;
1037 }
1038
1039 DPRINTFN(2, "MCC %s type %2.2x (%d bytes)\n",
1040 (cr ? "command" : "response"), type, len);
1041
1042 /*
1043 * pass to command handler
1044 */
1045 switch(type) {
1046 case RFCOMM_MCC_TEST: /* Test */
1047 rfcomm_session_recv_mcc_test(rs, cr, m);
1048 break;
1049
1050 case RFCOMM_MCC_FCON: /* Flow Control On */
1051 rfcomm_session_recv_mcc_fcon(rs, cr);
1052 break;
1053
1054 case RFCOMM_MCC_FCOFF: /* Flow Control Off */
1055 rfcomm_session_recv_mcc_fcoff(rs, cr);
1056 break;
1057
1058 case RFCOMM_MCC_MSC: /* Modem Status Command */
1059 rfcomm_session_recv_mcc_msc(rs, cr, m);
1060 break;
1061
1062 case RFCOMM_MCC_RPN: /* Remote Port Negotiation */
1063 rfcomm_session_recv_mcc_rpn(rs, cr, m);
1064 break;
1065
1066 case RFCOMM_MCC_RLS: /* Remote Line Status */
1067 rfcomm_session_recv_mcc_rls(rs, cr, m);
1068 break;
1069
1070 case RFCOMM_MCC_PN: /* Parameter Negotiation */
1071 rfcomm_session_recv_mcc_pn(rs, cr, m);
1072 break;
1073
1074 case RFCOMM_MCC_NSC: /* Non Supported Command */
1075 rfcomm_session_recv_mcc_nsc(rs, cr, m);
1076 break;
1077
1078 default:
1079 b = RFCOMM_MKMCC_TYPE(cr, type);
1080 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_NSC, &b, sizeof(b));
1081 }
1082
1083 release:
1084 m_freem(m);
1085 }
1086
1087 /*
1088 * process TEST command/response
1089 */
1090 static void
1091 rfcomm_session_recv_mcc_test(struct rfcomm_session *rs, int cr, struct mbuf *m)
1092 {
1093 void *data;
1094 int len;
1095
1096 if (cr == 0) /* ignore ack */
1097 return;
1098
1099 /*
1100 * we must send all the data they included back as is
1101 */
1102
1103 len = m->m_pkthdr.len;
1104 if (len > RFCOMM_MTU_MAX)
1105 return;
1106
1107 data = malloc(len, M_BLUETOOTH, M_NOWAIT);
1108 if (data == NULL)
1109 return;
1110
1111 m_copydata(m, 0, len, data);
1112 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_TEST, data, len);
1113 free(data, M_BLUETOOTH);
1114 }
1115
1116 /*
1117 * process Flow Control ON command/response
1118 */
1119 static void
1120 rfcomm_session_recv_mcc_fcon(struct rfcomm_session *rs, int cr)
1121 {
1122
1123 if (cr == 0) /* ignore ack */
1124 return;
1125
1126 rs->rs_flags |= RFCOMM_SESSION_RFC;
1127 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCON, NULL, 0);
1128 }
1129
1130 /*
1131 * process Flow Control OFF command/response
1132 */
1133 static void
1134 rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *rs, int cr)
1135 {
1136
1137 if (cr == 0) /* ignore ack */
1138 return;
1139
1140 rs->rs_flags &= ~RFCOMM_SESSION_RFC;
1141 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCOFF, NULL, 0);
1142 }
1143
1144 /*
1145 * process Modem Status Command command/response
1146 */
1147 static void
1148 rfcomm_session_recv_mcc_msc(struct rfcomm_session *rs, int cr, struct mbuf *m)
1149 {
1150 struct rfcomm_mcc_msc msc; /* (3 octets) */
1151 struct rfcomm_dlc *dlc;
1152 int len = 0;
1153
1154 /* [ADDRESS] */
1155 if (m->m_pkthdr.len < sizeof(msc.address))
1156 return;
1157
1158 m_copydata(m, 0, sizeof(msc.address), &msc.address);
1159 m_adj(m, sizeof(msc.address));
1160 len += sizeof(msc.address);
1161
1162 dlc = rfcomm_dlc_lookup(rs, RFCOMM_DLCI(msc.address));
1163
1164 if (cr == 0) { /* ignore acks */
1165 if (dlc != NULL)
1166 callout_stop(&dlc->rd_timeout);
1167
1168 return;
1169 }
1170
1171 if (dlc == NULL) {
1172 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM,
1173 RFCOMM_DLCI(msc.address));
1174 return;
1175 }
1176
1177 /* [SIGNALS] */
1178 if (m->m_pkthdr.len < sizeof(msc.modem))
1179 return;
1180
1181 m_copydata(m, 0, sizeof(msc.modem), &msc.modem);
1182 m_adj(m, sizeof(msc.modem));
1183 len += sizeof(msc.modem);
1184
1185 dlc->rd_rmodem = msc.modem;
1186 /* XXX how do we signal this upstream? */
1187
1188 if (RFCOMM_EA(msc.modem) == 0) {
1189 if (m->m_pkthdr.len < sizeof(msc.brk))
1190 return;
1191
1192 m_copydata(m, 0, sizeof(msc.brk), &msc.brk);
1193 m_adj(m, sizeof(msc.brk));
1194 len += sizeof(msc.brk);
1195
1196 /* XXX how do we signal this upstream? */
1197 }
1198
1199 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_MSC, &msc, len);
1200 }
1201
1202 /*
1203 * process Remote Port Negotiation command/response
1204 */
1205 static void
1206 rfcomm_session_recv_mcc_rpn(struct rfcomm_session *rs, int cr, struct mbuf *m)
1207 {
1208 struct rfcomm_mcc_rpn rpn;
1209 uint16_t mask;
1210
1211 if (cr == 0) /* ignore ack */
1212 return;
1213
1214 /* default values */
1215 rpn.bit_rate = RFCOMM_RPN_BR_9600;
1216 rpn.line_settings = RFCOMM_RPN_8_N_1;
1217 rpn.flow_control = RFCOMM_RPN_FLOW_NONE;
1218 rpn.xon_char = RFCOMM_RPN_XON_CHAR;
1219 rpn.xoff_char = RFCOMM_RPN_XOFF_CHAR;
1220
1221 if (m->m_pkthdr.len == sizeof(rpn)) {
1222 m_copydata(m, 0, sizeof(rpn), &rpn);
1223 rpn.param_mask = RFCOMM_RPN_PM_ALL;
1224 } else if (m->m_pkthdr.len == 1) {
1225 m_copydata(m, 0, 1, &rpn);
1226 rpn.param_mask = le16toh(rpn.param_mask);
1227 } else {
1228 DPRINTF("Bad RPN length (%d)\n", m->m_pkthdr.len);
1229 return;
1230 }
1231
1232 mask = 0;
1233
1234 if (rpn.param_mask & RFCOMM_RPN_PM_RATE)
1235 mask |= RFCOMM_RPN_PM_RATE;
1236
1237 if (rpn.param_mask & RFCOMM_RPN_PM_DATA
1238 && RFCOMM_RPN_DATA_BITS(rpn.line_settings) == RFCOMM_RPN_DATA_8)
1239 mask |= RFCOMM_RPN_PM_DATA;
1240
1241 if (rpn.param_mask & RFCOMM_RPN_PM_STOP
1242 && RFCOMM_RPN_STOP_BITS(rpn.line_settings) == RFCOMM_RPN_STOP_1)
1243 mask |= RFCOMM_RPN_PM_STOP;
1244
1245 if (rpn.param_mask & RFCOMM_RPN_PM_PARITY
1246 && RFCOMM_RPN_PARITY(rpn.line_settings) == RFCOMM_RPN_PARITY_NONE)
1247 mask |= RFCOMM_RPN_PM_PARITY;
1248
1249 if (rpn.param_mask & RFCOMM_RPN_PM_XON
1250 && rpn.xon_char == RFCOMM_RPN_XON_CHAR)
1251 mask |= RFCOMM_RPN_PM_XON;
1252
1253 if (rpn.param_mask & RFCOMM_RPN_PM_XOFF
1254 && rpn.xoff_char == RFCOMM_RPN_XOFF_CHAR)
1255 mask |= RFCOMM_RPN_PM_XOFF;
1256
1257 if (rpn.param_mask & RFCOMM_RPN_PM_FLOW
1258 && rpn.flow_control == RFCOMM_RPN_FLOW_NONE)
1259 mask |= RFCOMM_RPN_PM_FLOW;
1260
1261 rpn.param_mask = htole16(mask);
1262
1263 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RPN, &rpn, sizeof(rpn));
1264 }
1265
1266 /*
1267 * process Remote Line Status command/response
1268 */
1269 static void
1270 rfcomm_session_recv_mcc_rls(struct rfcomm_session *rs, int cr, struct mbuf *m)
1271 {
1272 struct rfcomm_mcc_rls rls;
1273
1274 if (cr == 0) /* ignore ack */
1275 return;
1276
1277 if (m->m_pkthdr.len != sizeof(rls)) {
1278 DPRINTF("Bad RLS length %d\n", m->m_pkthdr.len);
1279 return;
1280 }
1281
1282 m_copydata(m, 0, sizeof(rls), &rls);
1283
1284 /*
1285 * So far as I can tell, we just send back what
1286 * they sent us. This signifies errors that seem
1287 * irrelevent for RFCOMM over L2CAP.
1288 */
1289 rls.address |= 0x03; /* EA = 1, CR = 1 */
1290 rls.status &= 0x0f; /* only 4 bits valid */
1291
1292 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RLS, &rls, sizeof(rls));
1293 }
1294
1295 /*
1296 * process Parameter Negotiation command/response
1297 */
1298 static void
1299 rfcomm_session_recv_mcc_pn(struct rfcomm_session *rs, int cr, struct mbuf *m)
1300 {
1301 struct rfcomm_dlc *dlc;
1302 struct rfcomm_mcc_pn pn;
1303 int err;
1304
1305 if (m->m_pkthdr.len != sizeof(pn)) {
1306 DPRINTF("Bad PN length %d\n", m->m_pkthdr.len);
1307 return;
1308 }
1309
1310 m_copydata(m, 0, sizeof(pn), &pn);
1311
1312 pn.dlci &= 0x3f;
1313 pn.mtu = le16toh(pn.mtu);
1314
1315 dlc = rfcomm_dlc_lookup(rs, pn.dlci);
1316 if (cr) { /* Command */
1317 /*
1318 * If there is no DLC present, this is a new
1319 * connection so attempt to make one
1320 */
1321 if (dlc == NULL) {
1322 dlc = rfcomm_dlc_newconn(rs, pn.dlci);
1323 if (dlc == NULL)
1324 return; /* (DM is sent) */
1325 }
1326
1327 /* accept any valid MTU, and offer it back */
1328 pn.mtu = min(pn.mtu, RFCOMM_MTU_MAX);
1329 pn.mtu = min(pn.mtu, rs->rs_mtu);
1330 pn.mtu = max(pn.mtu, RFCOMM_MTU_MIN);
1331 dlc->rd_mtu = pn.mtu;
1332 pn.mtu = htole16(pn.mtu);
1333
1334 /* credits are only set before DLC is open */
1335 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT
1336 && (pn.flow_control & 0xf0) == 0xf0) {
1337 rs->rs_flags |= RFCOMM_SESSION_CFC;
1338 dlc->rd_txcred = pn.credits & 0x07;
1339
1340 dlc->rd_rxcred = (dlc->rd_rxsize / dlc->rd_mtu);
1341 dlc->rd_rxcred = min(dlc->rd_rxcred,
1342 RFCOMM_CREDITS_DEFAULT);
1343
1344 pn.flow_control = 0xe0;
1345 pn.credits = dlc->rd_rxcred;
1346 } else {
1347 pn.flow_control = 0x00;
1348 pn.credits = 0x00;
1349 }
1350
1351 /* unused fields must be ignored and set to zero */
1352 pn.ack_timer = 0;
1353 pn.max_retrans = 0;
1354
1355 /* send our response */
1356 err = rfcomm_session_send_mcc(rs, 0,
1357 RFCOMM_MCC_PN, &pn, sizeof(pn));
1358 if (err)
1359 goto close;
1360
1361 } else { /* Response */
1362 /* ignore responses with no matching DLC */
1363 if (dlc == NULL)
1364 return;
1365
1366 callout_stop(&dlc->rd_timeout);
1367
1368 /* reject invalid or unacceptable MTU */
1369 if (pn.mtu < RFCOMM_MTU_MIN || pn.mtu > dlc->rd_mtu) {
1370 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT;
1371 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC,
1372 pn.dlci);
1373 if (err)
1374 goto close;
1375
1376 callout_schedule(&dlc->rd_timeout,
1377 rfcomm_ack_timeout * hz);
1378 return;
1379 }
1380 dlc->rd_mtu = pn.mtu;
1381
1382 /* if DLC is not waiting to connect, we are done */
1383 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT)
1384 return;
1385
1386 /* set initial credits according to RFCOMM spec */
1387 if ((pn.flow_control & 0xf0) == 0xe0) {
1388 rs->rs_flags |= RFCOMM_SESSION_CFC;
1389 dlc->rd_txcred = (pn.credits & 0x07);
1390 }
1391
1392 callout_schedule(&dlc->rd_timeout, rfcomm_ack_timeout * hz);
1393
1394 /* set link mode */
1395 err = rfcomm_dlc_setmode(dlc);
1396 if (err == EINPROGRESS) {
1397 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_SABM;
1398 (*dlc->rd_proto->connecting)(dlc->rd_upper);
1399 return;
1400 }
1401 if (err)
1402 goto close;
1403
1404 /* we can proceed now */
1405 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, pn.dlci);
1406 if (err)
1407 goto close;
1408
1409 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA;
1410 }
1411 return;
1412
1413 close:
1414 rfcomm_dlc_close(dlc, err);
1415 }
1416
1417 /*
1418 * process Non Supported Command command/response
1419 */
1420 static void
1421 rfcomm_session_recv_mcc_nsc(struct rfcomm_session *rs,
1422 int cr, struct mbuf *m)
1423 {
1424 struct rfcomm_dlc *dlc, *next;
1425
1426 /*
1427 * Since we did nothing that is not mandatory,
1428 * we just abort the whole session..
1429 */
1430
1431 next = LIST_FIRST(&rs->rs_dlcs);
1432 while ((dlc = next) != NULL) {
1433 next = LIST_NEXT(dlc, rd_next);
1434 rfcomm_dlc_close(dlc, ECONNABORTED);
1435 }
1436
1437 rfcomm_session_free(rs);
1438 }
1439
1440 /***********************************************************************
1441 *
1442 * RFCOMM Session outward frame/uih/mcc building
1443 */
1444
1445 /*
1446 * SABM/DISC/DM/UA frames are all minimal and mostly identical.
1447 */
1448 int
1449 rfcomm_session_send_frame(struct rfcomm_session *rs, int type, int dlci)
1450 {
1451 struct rfcomm_cmd_hdr *hdr;
1452 struct rfcomm_credit *credit;
1453 struct mbuf *m;
1454 uint8_t fcs, cr;
1455
1456 credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT);
1457 if (credit == NULL)
1458 return ENOMEM;
1459
1460 m = m_gethdr(M_DONTWAIT, MT_DATA);
1461 if (m == NULL) {
1462 pool_put(&rfcomm_credit_pool, credit);
1463 return ENOMEM;
1464 }
1465
1466 /*
1467 * The CR (command/response) bit identifies the frame either as a
1468 * commmand or a response and is used along with the DLCI to form
1469 * the address. Commands contain the non-initiator address, whereas
1470 * responses contain the initiator address, so the CR value is
1471 * also dependent on the session direction.
1472 */
1473 if (type == RFCOMM_FRAME_UA || type == RFCOMM_FRAME_DM)
1474 cr = IS_INITIATOR(rs) ? 0 : 1;
1475 else
1476 cr = IS_INITIATOR(rs) ? 1 : 0;
1477
1478 hdr = mtod(m, struct rfcomm_cmd_hdr *);
1479 hdr->address = RFCOMM_MKADDRESS(cr, dlci);
1480 hdr->control = RFCOMM_MKCONTROL(type, 1); /* PF = 1 */
1481 hdr->length = (0x00 << 1) | 0x01; /* len = 0x00, EA = 1 */
1482
1483 fcs = 0xff;
1484 fcs = FCS(fcs, hdr->address);
1485 fcs = FCS(fcs, hdr->control);
1486 fcs = FCS(fcs, hdr->length);
1487 fcs = 0xff - fcs; /* ones complement */
1488 hdr->fcs = fcs;
1489
1490 m->m_pkthdr.len = m->m_len = sizeof(struct rfcomm_cmd_hdr);
1491
1492 /* empty credit note */
1493 credit->rc_dlc = NULL;
1494 credit->rc_len = m->m_pkthdr.len;
1495 SIMPLEQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next);
1496
1497 DPRINTFN(5, "dlci %d type %2.2x (%d bytes, fcs=%#2.2x)\n",
1498 dlci, type, m->m_pkthdr.len, fcs);
1499
1500 return l2cap_send(rs->rs_l2cap, m);
1501 }
1502
1503 /*
1504 * rfcomm_session_send_uih(rfcomm_session, rfcomm_dlc, credits, mbuf)
1505 *
1506 * UIH frame is per DLC data or Multiplexer Control Commands
1507 * when no DLC is given. Data mbuf is optional (just credits
1508 * will be sent in that case)
1509 */
1510 int
1511 rfcomm_session_send_uih(struct rfcomm_session *rs, struct rfcomm_dlc *dlc,
1512 int credits, struct mbuf *m)
1513 {
1514 struct rfcomm_credit *credit;
1515 struct mbuf *m0 = NULL;
1516 int err, len;
1517 uint8_t fcs, *hdr;
1518
1519 KASSERT(rs != NULL);
1520
1521 len = (m == NULL) ? 0 : m->m_pkthdr.len;
1522 KASSERT(!(credits == 0 && len == 0));
1523
1524 /*
1525 * Make a credit note for the completion notification
1526 */
1527 credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT);
1528 if (credit == NULL)
1529 goto nomem;
1530
1531 credit->rc_len = len;
1532 credit->rc_dlc = dlc;
1533
1534 /*
1535 * Wrap UIH frame information around payload.
1536 *
1537 * [ADDRESS] [CONTROL] [LENGTH] [CREDITS] [...] [FCS]
1538 *
1539 * Address is one octet.
1540 * Control is one octet.
1541 * Length is one or two octets.
1542 * Credits may be one octet.
1543 *
1544 * FCS is one octet and calculated on address and
1545 * control octets only.
1546 *
1547 * If there are credits to be sent, we will set the PF
1548 * flag and include them in the frame.
1549 */
1550 m0 = m_gethdr(M_DONTWAIT, MT_DATA);
1551 if (m0 == NULL)
1552 goto nomem;
1553
1554 MH_ALIGN(m0, 5); /* (max 5 header octets) */
1555 hdr = mtod(m0, uint8_t *);
1556
1557 /* CR bit is set according to the initiator of the session */
1558 *hdr = RFCOMM_MKADDRESS((IS_INITIATOR(rs) ? 1 : 0),
1559 (dlc ? dlc->rd_dlci : 0));
1560 fcs = FCS(0xff, *hdr);
1561 hdr++;
1562
1563 /* PF bit is set if credits are being sent */
1564 *hdr = RFCOMM_MKCONTROL(RFCOMM_FRAME_UIH, (credits > 0 ? 1 : 0));
1565 fcs = FCS(fcs, *hdr);
1566 hdr++;
1567
1568 if (len < (1 << 7)) {
1569 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */
1570 } else {
1571 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */
1572 *hdr++ = ((len >> 7) & 0xff); /* 8 bits, no EA */
1573 }
1574
1575 if (credits > 0)
1576 *hdr++ = (uint8_t)credits;
1577
1578 m0->m_len = hdr - mtod(m0, uint8_t *);
1579
1580 /* Append payload */
1581 m0->m_next = m;
1582 m = NULL;
1583
1584 m0->m_pkthdr.len = m0->m_len + len;
1585
1586 /* Append FCS */
1587 fcs = 0xff - fcs; /* ones complement */
1588 len = m0->m_pkthdr.len;
1589 m_copyback(m0, len, sizeof(fcs), &fcs);
1590 if (m0->m_pkthdr.len != len + sizeof(fcs))
1591 goto nomem;
1592
1593 DPRINTFN(10, "dlci %d, pktlen %d (%d data, %d credits), fcs=%#2.2x\n",
1594 dlc ? dlc->rd_dlci : 0, m0->m_pkthdr.len, credit->rc_len,
1595 credits, fcs);
1596
1597 /*
1598 * UIH frame ready to go..
1599 */
1600 err = l2cap_send(rs->rs_l2cap, m0);
1601 if (err)
1602 goto fail;
1603
1604 SIMPLEQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next);
1605 return 0;
1606
1607 nomem:
1608 err = ENOMEM;
1609
1610 if (m0 != NULL)
1611 m_freem(m0);
1612
1613 if (m != NULL)
1614 m_freem(m);
1615
1616 fail:
1617 if (credit != NULL)
1618 pool_put(&rfcomm_credit_pool, credit);
1619
1620 return err;
1621 }
1622
1623 /*
1624 * send Multiplexer Control Command (or Response) on session
1625 */
1626 int
1627 rfcomm_session_send_mcc(struct rfcomm_session *rs, int cr,
1628 uint8_t type, void *data, int len)
1629 {
1630 struct mbuf *m;
1631 uint8_t *hdr;
1632 int hlen;
1633
1634 m = m_gethdr(M_DONTWAIT, MT_DATA);
1635 if (m == NULL)
1636 return ENOMEM;
1637
1638 hdr = mtod(m, uint8_t *);
1639
1640 /*
1641 * Technically the type field can extend past one octet, but none
1642 * currently defined will do that.
1643 */
1644 *hdr++ = RFCOMM_MKMCC_TYPE(cr, type);
1645
1646 /*
1647 * In the frame, the max length size is 2 octets (15 bits) whereas
1648 * no max length size is specified for MCC commands. We must allow
1649 * for 3 octets since for MCC frames we use 7 bits + EA in each.
1650 *
1651 * Only test data can possibly be that big.
1652 *
1653 * XXX Should we check this against the MTU?
1654 */
1655 if (len < (1 << 7)) {
1656 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */
1657 } else if (len < (1 << 14)) {
1658 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */
1659 *hdr++ = ((len >> 6) & 0xfe) | 0x01; /* 7 bits, EA = 1 */
1660 } else if (len < (1 << 15)) {
1661 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */
1662 *hdr++ = ((len >> 6) & 0xfe); /* 7 bits, EA = 0 */
1663 *hdr++ = ((len >> 13) & 0x02) | 0x01; /* 1 bit, EA = 1 */
1664 } else {
1665 DPRINTF("incredible length! (%d)\n", len);
1666 m_freem(m);
1667 return EMSGSIZE;
1668 }
1669
1670 /*
1671 * add command data (to same mbuf if possible)
1672 */
1673 hlen = hdr - mtod(m, uint8_t *);
1674
1675 if (len > 0) {
1676 m->m_pkthdr.len = m->m_len = MHLEN;
1677 m_copyback(m, hlen, len, data);
1678 if (m->m_pkthdr.len != max(MHLEN, hlen + len)) {
1679 m_freem(m);
1680 return ENOMEM;
1681 }
1682 }
1683
1684 m->m_pkthdr.len = hlen + len;
1685 m->m_len = min(MHLEN, m->m_pkthdr.len);
1686
1687 DPRINTFN(5, "%s type %2.2x len %d\n",
1688 (cr ? "command" : "response"), type, m->m_pkthdr.len);
1689
1690 return rfcomm_session_send_uih(rs, NULL, 0, m);
1691 }
Cache object: d47961adf05a0104801625a7770685d9
|