1 /* $OpenBSD: src/sys/netbt/rfcomm_session.c,v 1.3 2008/02/24 21:34:48 uwe Exp $ */
2 /* $NetBSD: rfcomm_session.c,v 1.12 2008/01/31 19:30:23 plunky Exp $ */
3
4 /*-
5 * Copyright (c) 2006 Itronix Inc.
6 * All rights reserved.
7 *
8 * Written by Iain Hibbert for Itronix Inc.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. The name of Itronix Inc. may not be used to endorse
19 * or promote products derived from this software without specific
20 * prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
24 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
25 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY
26 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
27 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
28 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
29 * ON ANY THEORY OF LIABILITY, WHETHER IN
30 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
31 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
32 * POSSIBILITY OF SUCH DAMAGE.
33 */
34
35 #include <sys/param.h>
36 #include <sys/kernel.h>
37 #include <sys/malloc.h>
38 #include <sys/mbuf.h>
39 #include <sys/proc.h>
40 #include <sys/systm.h>
41 #include <sys/types.h>
42 #include <sys/endian.h>
43
44 #include <net/if.h>
45
46 #include <netbt/bluetooth.h>
47 #include <netbt/hci.h>
48 #include <netbt/l2cap.h>
49 #include <netbt/rfcomm.h>
50
51 /******************************************************************************
52 *
53 * RFCOMM Multiplexer Sessions sit directly on L2CAP channels, and can
54 * multiplex up to 30 incoming and 30 outgoing connections.
55 * Only one Multiplexer is allowed between any two devices.
56 */
57
58 static void rfcomm_session_recv_sabm(struct rfcomm_session *, int);
59 static void rfcomm_session_recv_disc(struct rfcomm_session *, int);
60 static void rfcomm_session_recv_ua(struct rfcomm_session *, int);
61 static void rfcomm_session_recv_dm(struct rfcomm_session *, int);
62 static void rfcomm_session_recv_uih(struct rfcomm_session *, int, int, struct mbuf *, int);
63 static void rfcomm_session_recv_mcc(struct rfcomm_session *, struct mbuf *);
64 static void rfcomm_session_recv_mcc_test(struct rfcomm_session *, int, struct mbuf *);
65 static void rfcomm_session_recv_mcc_fcon(struct rfcomm_session *, int);
66 static void rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *, int);
67 static void rfcomm_session_recv_mcc_msc(struct rfcomm_session *, int, struct mbuf *);
68 static void rfcomm_session_recv_mcc_rpn(struct rfcomm_session *, int, struct mbuf *);
69 static void rfcomm_session_recv_mcc_rls(struct rfcomm_session *, int, struct mbuf *);
70 static void rfcomm_session_recv_mcc_pn(struct rfcomm_session *, int, struct mbuf *);
71 static void rfcomm_session_recv_mcc_nsc(struct rfcomm_session *, int, struct mbuf *);
72
73 /* L2CAP callbacks */
74 static void rfcomm_session_connecting(void *);
75 static void rfcomm_session_connected(void *);
76 static void rfcomm_session_disconnected(void *, int);
77 static void *rfcomm_session_newconn(void *, struct sockaddr_bt *, struct sockaddr_bt *);
78 static void rfcomm_session_complete(void *, int);
79 static void rfcomm_session_linkmode(void *, int);
80 static void rfcomm_session_input(void *, struct mbuf *);
81
82 static const struct btproto rfcomm_session_proto = {
83 rfcomm_session_connecting,
84 rfcomm_session_connected,
85 rfcomm_session_disconnected,
86 rfcomm_session_newconn,
87 rfcomm_session_complete,
88 rfcomm_session_linkmode,
89 rfcomm_session_input,
90 };
91
92 struct rfcomm_session_list
93 rfcomm_session_active = LIST_HEAD_INITIALIZER(rfcomm_session_active);
94
95 struct rfcomm_session_list
96 rfcomm_session_listen = LIST_HEAD_INITIALIZER(rfcomm_session_listen);
97
98 vm_zone_t rfcomm_credit_pool;
99
100 /*
101 * RFCOMM System Parameters (see section 5.3)
102 */
103 int rfcomm_mtu_default = 127; /* bytes */
104 int rfcomm_ack_timeout = 20; /* seconds */
105 int rfcomm_mcc_timeout = 20; /* seconds */
106
107 /*
108 * Reversed CRC table as per TS 07.10 Annex B.3.5
109 */
110 static const uint8_t crctable[256] = { /* reversed, 8-bit, poly=0x07 */
111 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
112 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
113 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
114 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
115
116 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
117 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
118 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
119 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
120
121 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
122 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
123 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
124 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
125
126 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
127 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
128 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
129 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
130
131 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
132 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
133 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
134 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
135
136 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
137 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
138 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
139 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
140
141 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
142 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
143 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
144 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
145
146 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
147 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
148 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
149 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
150 };
151
152 #define FCS(f, d) crctable[(f) ^ (d)]
153
154 /*
155 * rfcomm_init()
156 *
157 * initialize the "credit pool".
158 */
159 void
rfcomm_init(void)160 rfcomm_init(void)
161 {
162 rfcomm_credit_pool = zinit("rfcomm_credit",
163 sizeof(struct rfcomm_credit),
164 0, 0);
165 }
166
167 /*
168 * rfcomm_session_alloc(list, sockaddr)
169 *
170 * allocate a new session and fill in the blanks, then
171 * attach session to front of specified list (active or listen)
172 */
173 struct rfcomm_session *
rfcomm_session_alloc(struct rfcomm_session_list * list,struct sockaddr_bt * laddr)174 rfcomm_session_alloc(struct rfcomm_session_list *list,
175 struct sockaddr_bt *laddr)
176 {
177 struct rfcomm_session *rs;
178 int err;
179
180 rs = kmalloc(sizeof(*rs), M_BLUETOOTH, M_NOWAIT | M_ZERO);
181 if (rs == NULL)
182 return NULL;
183
184 rs->rs_state = RFCOMM_SESSION_CLOSED;
185
186 callout_init(&rs->rs_timeout);
187
188 STAILQ_INIT(&rs->rs_credits);
189 LIST_INIT(&rs->rs_dlcs);
190
191 err = l2cap_attach(&rs->rs_l2cap, &rfcomm_session_proto, rs);
192 if (err) {
193 kfree(rs, M_BLUETOOTH);
194 return NULL;
195 }
196
197 (void)l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu);
198
199 if (laddr->bt_psm == L2CAP_PSM_ANY)
200 laddr->bt_psm = L2CAP_PSM_RFCOMM;
201
202 (void)l2cap_bind(rs->rs_l2cap, laddr);
203
204 LIST_INSERT_HEAD(list, rs, rs_next);
205
206 return rs;
207 }
208
209 /*
210 * rfcomm_session_free(rfcomm_session)
211 *
212 * release a session, including any cleanup
213 */
214 void
rfcomm_session_free(struct rfcomm_session * rs)215 rfcomm_session_free(struct rfcomm_session *rs)
216 {
217 struct rfcomm_credit *credit;
218
219 KKASSERT(rs != NULL);
220 KKASSERT(LIST_EMPTY(&rs->rs_dlcs));
221
222 rs->rs_state = RFCOMM_SESSION_CLOSED;
223
224 /*
225 * If the callout is already invoked we have no way to stop it,
226 * but it will call us back right away (there are no DLC's) so
227 * not to worry.
228 */
229 callout_stop(&rs->rs_timeout);
230 if (callout_active(&rs->rs_timeout))
231 return;
232
233 /*
234 * Take care that rfcomm_session_disconnected() doesnt call
235 * us back either as it will do if the l2cap_channel has not
236 * been closed when we detach it..
237 */
238 if (rs->rs_flags & RFCOMM_SESSION_FREE)
239 return;
240
241 rs->rs_flags |= RFCOMM_SESSION_FREE;
242
243 /* throw away any remaining credit notes */
244 while ((credit = STAILQ_FIRST(&rs->rs_credits)) != NULL) {
245 STAILQ_REMOVE_HEAD(&rs->rs_credits, rc_next);
246 zfree(rfcomm_credit_pool, credit);
247 }
248
249 KKASSERT(STAILQ_EMPTY(&rs->rs_credits));
250
251 /* Goodbye! */
252 LIST_REMOVE(rs, rs_next);
253 l2cap_detach(&rs->rs_l2cap);
254 kfree(rs, M_BLUETOOTH);
255 }
256
257 /*
258 * rfcomm_session_lookup(sockaddr, sockaddr)
259 *
260 * Find active rfcomm session matching src and dest addresses
261 * when src is BDADDR_ANY match any local address
262 */
263 struct rfcomm_session *
rfcomm_session_lookup(struct sockaddr_bt * src,struct sockaddr_bt * dest)264 rfcomm_session_lookup(struct sockaddr_bt *src, struct sockaddr_bt *dest)
265 {
266 struct rfcomm_session *rs;
267 struct sockaddr_bt addr;
268
269 LIST_FOREACH(rs, &rfcomm_session_active, rs_next) {
270 if (rs->rs_state == RFCOMM_SESSION_CLOSED)
271 continue;
272
273 l2cap_sockaddr(rs->rs_l2cap, &addr);
274
275 if (bdaddr_same(&src->bt_bdaddr, &addr.bt_bdaddr) == 0)
276 if (bdaddr_any(&src->bt_bdaddr) == 0)
277 continue;
278
279 l2cap_peeraddr(rs->rs_l2cap, &addr);
280
281 if (addr.bt_psm != dest->bt_psm)
282 continue;
283
284 if (bdaddr_same(&dest->bt_bdaddr, &addr.bt_bdaddr))
285 break;
286 }
287
288 return rs;
289 }
290
291 /*
292 * rfcomm_session_timeout(rfcomm_session)
293 *
294 * Session timeouts are scheduled when a session is left or
295 * created with no DLCs, and when SABM(0) or DISC(0) are
296 * sent.
297 *
298 * So, if it is in an open state with DLC's attached then
299 * we leave it alone, otherwise the session is lost.
300 */
301 void
rfcomm_session_timeout(void * arg)302 rfcomm_session_timeout(void *arg)
303 {
304 struct rfcomm_session *rs = arg;
305 struct rfcomm_dlc *dlc;
306
307 KKASSERT(rs != NULL);
308
309 crit_enter();
310
311 if (rs->rs_state != RFCOMM_SESSION_OPEN) {
312 DPRINTF("timeout\n");
313 rs->rs_state = RFCOMM_SESSION_CLOSED;
314
315 while (!LIST_EMPTY(&rs->rs_dlcs)) {
316 dlc = LIST_FIRST(&rs->rs_dlcs);
317
318 rfcomm_dlc_close(dlc, ETIMEDOUT);
319 }
320 }
321
322 if (LIST_EMPTY(&rs->rs_dlcs)) {
323 DPRINTF("expiring\n");
324 rfcomm_session_free(rs);
325 }
326 crit_exit();
327 }
328
329 /***********************************************************************
330 *
331 * RFCOMM Session L2CAP protocol callbacks
332 *
333 */
334
335 static void
rfcomm_session_connecting(void * arg)336 rfcomm_session_connecting(void *arg)
337 {
338 /* struct rfcomm_session *rs = arg; */
339
340 DPRINTF("Connecting\n");
341 }
342
343 static void
rfcomm_session_connected(void * arg)344 rfcomm_session_connected(void *arg)
345 {
346 struct rfcomm_session *rs = arg;
347
348 DPRINTF("Connected\n");
349
350 /*
351 * L2CAP is open.
352 *
353 * If we are initiator, we can send our SABM(0)
354 * a timeout should be active?
355 *
356 * We must take note of the L2CAP MTU because currently
357 * the L2CAP implementation can only do Basic Mode.
358 */
359 l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu);
360
361 rs->rs_mtu -= 6; /* (RFCOMM overhead could be this big) */
362 if (rs->rs_mtu < RFCOMM_MTU_MIN) {
363 rfcomm_session_disconnected(rs, EINVAL);
364 return;
365 }
366
367 if (IS_INITIATOR(rs)) {
368 int err;
369
370 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, 0);
371 if (err)
372 rfcomm_session_disconnected(rs, err);
373
374 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout * hz,
375 rfcomm_session_timeout, rs);
376 }
377 }
378
379 static void
rfcomm_session_disconnected(void * arg,int err)380 rfcomm_session_disconnected(void *arg, int err)
381 {
382 struct rfcomm_session *rs = arg;
383 struct rfcomm_dlc *dlc;
384
385 DPRINTF("Disconnected\n");
386
387 rs->rs_state = RFCOMM_SESSION_CLOSED;
388
389 while (!LIST_EMPTY(&rs->rs_dlcs)) {
390 dlc = LIST_FIRST(&rs->rs_dlcs);
391
392 rfcomm_dlc_close(dlc, err);
393 }
394
395 rfcomm_session_free(rs);
396 }
397
398 static void *
rfcomm_session_newconn(void * arg,struct sockaddr_bt * laddr,struct sockaddr_bt * raddr)399 rfcomm_session_newconn(void *arg, struct sockaddr_bt *laddr,
400 struct sockaddr_bt *raddr)
401 {
402 struct rfcomm_session *new, *rs = arg;
403
404 DPRINTF("New Connection\n");
405
406 /*
407 * Incoming session connect request. We should return a new
408 * session pointer if this is acceptable. The L2CAP layer
409 * passes local and remote addresses, which we must check as
410 * only one RFCOMM session is allowed between any two devices
411 */
412 new = rfcomm_session_lookup(laddr, raddr);
413 if (new != NULL)
414 return NULL;
415
416 new = rfcomm_session_alloc(&rfcomm_session_active, laddr);
417 if (new == NULL)
418 return NULL;
419
420 new->rs_mtu = rs->rs_mtu;
421 new->rs_state = RFCOMM_SESSION_WAIT_CONNECT;
422
423 /*
424 * schedule an expiry so that if nothing comes of it we
425 * can punt.
426 */
427 callout_reset(&rs->rs_timeout, rfcomm_mcc_timeout * hz,
428 rfcomm_session_timeout, rs);
429
430 return new->rs_l2cap;
431 }
432
433 static void
rfcomm_session_complete(void * arg,int count)434 rfcomm_session_complete(void *arg, int count)
435 {
436 struct rfcomm_session *rs = arg;
437 struct rfcomm_credit *credit;
438 struct rfcomm_dlc *dlc;
439
440 /*
441 * count L2CAP packets are 'complete', meaning that they are cleared
442 * our buffers (for best effort) or arrived safe (for guaranteed) so
443 * we can take it off our list and pass the message on, so that
444 * eventually the data can be removed from the sockbuf
445 */
446 while (count-- > 0) {
447 credit = STAILQ_FIRST(&rs->rs_credits);
448 #ifdef DIAGNOSTIC
449 if (credit == NULL) {
450 kprintf("%s: too many packets completed!\n", __func__);
451 break;
452 }
453 #endif
454 dlc = credit->rc_dlc;
455 if (dlc != NULL) {
456 dlc->rd_pending--;
457 (*dlc->rd_proto->complete)
458 (dlc->rd_upper, credit->rc_len);
459
460 /*
461 * if not using credit flow control, we may push
462 * more data now
463 */
464 if ((rs->rs_flags & RFCOMM_SESSION_CFC) == 0
465 && dlc->rd_state == RFCOMM_DLC_OPEN) {
466 rfcomm_dlc_start(dlc);
467 }
468
469 /*
470 * When shutdown is indicated, we are just waiting to
471 * clear outgoing data.
472 */
473 if ((dlc->rd_flags & RFCOMM_DLC_SHUTDOWN)
474 && dlc->rd_txbuf == NULL && dlc->rd_pending == 0) {
475 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT;
476 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC,
477 dlc->rd_dlci);
478 callout_reset(&dlc->rd_timeout,
479 rfcomm_ack_timeout * hz,
480 rfcomm_dlc_timeout, dlc);
481 }
482 }
483
484 STAILQ_REMOVE_HEAD(&rs->rs_credits, rc_next);
485 zfree(rfcomm_credit_pool, credit);
486 }
487
488 /*
489 * If session is closed, we are just waiting to clear the queue
490 */
491 if (rs->rs_state == RFCOMM_SESSION_CLOSED) {
492 if (STAILQ_EMPTY(&rs->rs_credits))
493 l2cap_disconnect(rs->rs_l2cap, 0);
494 }
495 }
496
497 /*
498 * Link Mode changed
499 *
500 * This is called when a mode change is complete. Proceed with connections
501 * where appropriate, or pass the new mode to any active DLCs.
502 */
503 static void
rfcomm_session_linkmode(void * arg,int new)504 rfcomm_session_linkmode(void *arg, int new)
505 {
506 struct rfcomm_session *rs = arg;
507 struct rfcomm_dlc *dlc, *next;
508 int err, mode = 0;
509
510 DPRINTF("auth %s, encrypt %s, secure %s\n",
511 (new & L2CAP_LM_AUTH ? "on" : "off"),
512 (new & L2CAP_LM_ENCRYPT ? "on" : "off"),
513 (new & L2CAP_LM_SECURE ? "on" : "off"));
514
515 if (new & L2CAP_LM_AUTH)
516 mode |= RFCOMM_LM_AUTH;
517
518 if (new & L2CAP_LM_ENCRYPT)
519 mode |= RFCOMM_LM_ENCRYPT;
520
521 if (new & L2CAP_LM_SECURE)
522 mode |= RFCOMM_LM_SECURE;
523
524 next = LIST_FIRST(&rs->rs_dlcs);
525 while ((dlc = next) != NULL) {
526 next = LIST_NEXT(dlc, rd_next);
527
528 switch (dlc->rd_state) {
529 case RFCOMM_DLC_WAIT_SEND_SABM: /* we are connecting */
530 if ((mode & dlc->rd_mode) != dlc->rd_mode) {
531 rfcomm_dlc_close(dlc, ECONNABORTED);
532 } else {
533 err = rfcomm_session_send_frame(rs,
534 RFCOMM_FRAME_SABM, dlc->rd_dlci);
535 if (err) {
536 rfcomm_dlc_close(dlc, err);
537 } else {
538 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA;
539 callout_reset(&dlc->rd_timeout,
540 rfcomm_ack_timeout * hz,
541 rfcomm_dlc_timeout, dlc);
542
543 break;
544 }
545 }
546
547 /*
548 * If we aborted the connection and there are no more DLCs
549 * on the session, it is our responsibility to disconnect.
550 */
551 if (!LIST_EMPTY(&rs->rs_dlcs))
552 break;
553
554 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT;
555 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0);
556 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout * hz,
557 rfcomm_session_timeout, rs);
558 break;
559
560 case RFCOMM_DLC_WAIT_SEND_UA: /* they are connecting */
561 if ((mode & dlc->rd_mode) != dlc->rd_mode) {
562 rfcomm_session_send_frame(rs,
563 RFCOMM_FRAME_DM, dlc->rd_dlci);
564 rfcomm_dlc_close(dlc, ECONNABORTED);
565 break;
566 }
567
568 err = rfcomm_session_send_frame(rs,
569 RFCOMM_FRAME_UA, dlc->rd_dlci);
570 if (err) {
571 rfcomm_session_send_frame(rs,
572 RFCOMM_FRAME_DM, dlc->rd_dlci);
573 rfcomm_dlc_close(dlc, err);
574 break;
575 }
576
577 err = rfcomm_dlc_open(dlc);
578 if (err) {
579 rfcomm_session_send_frame(rs,
580 RFCOMM_FRAME_DM, dlc->rd_dlci);
581 rfcomm_dlc_close(dlc, err);
582 break;
583 }
584
585 break;
586
587 case RFCOMM_DLC_WAIT_RECV_UA:
588 case RFCOMM_DLC_OPEN: /* already established */
589 (*dlc->rd_proto->linkmode)(dlc->rd_upper, mode);
590 break;
591
592 default:
593 break;
594 }
595 }
596 }
597
598 /*
599 * Receive data from L2CAP layer for session. There is always exactly one
600 * RFCOMM frame contained in each L2CAP frame.
601 */
602 static void
rfcomm_session_input(void * arg,struct mbuf * m)603 rfcomm_session_input(void *arg, struct mbuf *m)
604 {
605 struct rfcomm_session *rs = arg;
606 int dlci, len, type, pf;
607 uint8_t fcs, b;
608
609 KKASSERT(m != NULL);
610 KKASSERT(rs != NULL);
611
612 /*
613 * UIH frames: FCS is only calculated on address and control fields
614 * For other frames: FCS is calculated on address, control and length
615 * Length may extend to two octets
616 */
617 fcs = 0xff;
618
619 if (m->m_pkthdr.len < 4) {
620 DPRINTF("short frame (%d), discarded\n", m->m_pkthdr.len);
621 goto done;
622 }
623
624 /* address - one octet */
625 m_copydata(m, 0, 1, &b);
626 m_adj(m, 1);
627 fcs = FCS(fcs, b);
628 dlci = RFCOMM_DLCI(b);
629
630 /* control - one octet */
631 m_copydata(m, 0, 1, &b);
632 m_adj(m, 1);
633 fcs = FCS(fcs, b);
634 type = RFCOMM_TYPE(b);
635 pf = RFCOMM_PF(b);
636
637 /* length - may be two octets */
638 m_copydata(m, 0, 1, &b);
639 m_adj(m, 1);
640 if (type != RFCOMM_FRAME_UIH)
641 fcs = FCS(fcs, b);
642 len = (b >> 1) & 0x7f;
643
644 if (RFCOMM_EA(b) == 0) {
645 if (m->m_pkthdr.len < 2) {
646 DPRINTF("short frame (%d, EA = 0), discarded\n",
647 m->m_pkthdr.len);
648 goto done;
649 }
650
651 m_copydata(m, 0, 1, &b);
652 m_adj(m, 1);
653 if (type != RFCOMM_FRAME_UIH)
654 fcs = FCS(fcs, b);
655
656 len |= (b << 7);
657 }
658
659 /* FCS byte is last octet in frame */
660 m_copydata(m, m->m_pkthdr.len - 1, 1, &b);
661 m_adj(m, -1);
662 fcs = FCS(fcs, b);
663
664 if (fcs != 0xcf) {
665 DPRINTF("Bad FCS value (%#2.2x), frame discarded\n", fcs);
666 goto done;
667 }
668
669 DPRINTFN(10, "dlci %d, type %2.2x, len = %d\n", dlci, type, len);
670
671 switch (type) {
672 case RFCOMM_FRAME_SABM:
673 if (pf)
674 rfcomm_session_recv_sabm(rs, dlci);
675 break;
676
677 case RFCOMM_FRAME_DISC:
678 if (pf)
679 rfcomm_session_recv_disc(rs, dlci);
680 break;
681
682 case RFCOMM_FRAME_UA:
683 if (pf)
684 rfcomm_session_recv_ua(rs, dlci);
685 break;
686
687 case RFCOMM_FRAME_DM:
688 rfcomm_session_recv_dm(rs, dlci);
689 break;
690
691 case RFCOMM_FRAME_UIH:
692 rfcomm_session_recv_uih(rs, dlci, pf, m, len);
693 return; /* (no release) */
694
695 default:
696 UNKNOWN(type);
697 break;
698 }
699
700 done:
701 m_freem(m);
702 }
703
704 /***********************************************************************
705 *
706 * RFCOMM Session receive processing
707 */
708
709 /*
710 * rfcomm_session_recv_sabm(rfcomm_session, dlci)
711 *
712 * Set Asyncrhonous Balanced Mode - open the channel.
713 */
714 static void
rfcomm_session_recv_sabm(struct rfcomm_session * rs,int dlci)715 rfcomm_session_recv_sabm(struct rfcomm_session *rs, int dlci)
716 {
717 struct rfcomm_dlc *dlc;
718 int err;
719
720 DPRINTFN(5, "SABM(%d)\n", dlci);
721
722 if (dlci == 0) { /* Open Session */
723 rs->rs_state = RFCOMM_SESSION_OPEN;
724 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0);
725 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) {
726 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION)
727 rfcomm_dlc_connect(dlc);
728 }
729 return;
730 }
731
732 if (rs->rs_state != RFCOMM_SESSION_OPEN) {
733 DPRINTF("session was not even open!\n");
734 return;
735 }
736
737 /* validate direction bit */
738 if ((IS_INITIATOR(rs) && !RFCOMM_DIRECTION(dlci))
739 || (!IS_INITIATOR(rs) && RFCOMM_DIRECTION(dlci))) {
740 DPRINTF("Invalid direction bit on DLCI\n");
741 return;
742 }
743
744 /*
745 * look for our DLC - this may exist if we received PN
746 * already, or we may have to fabricate a new one.
747 */
748 dlc = rfcomm_dlc_lookup(rs, dlci);
749 if (dlc == NULL) {
750 dlc = rfcomm_dlc_newconn(rs, dlci);
751 if (dlc == NULL)
752 return; /* (DM is sent) */
753 }
754
755 /*
756 * ..but if this DLC is not waiting to connect, they did
757 * something wrong, ignore it.
758 */
759 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT)
760 return;
761
762 /* set link mode */
763 err = rfcomm_dlc_setmode(dlc);
764 if (err == EINPROGRESS) {
765 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_UA;
766 (*dlc->rd_proto->connecting)(dlc->rd_upper);
767 return;
768 }
769 if (err)
770 goto close;
771
772 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci);
773 if (err)
774 goto close;
775
776 /* and mark it open */
777 err = rfcomm_dlc_open(dlc);
778 if (err)
779 goto close;
780
781 return;
782
783 close:
784 rfcomm_dlc_close(dlc, err);
785 }
786
787 /*
788 * Receive Disconnect Command
789 */
790 static void
rfcomm_session_recv_disc(struct rfcomm_session * rs,int dlci)791 rfcomm_session_recv_disc(struct rfcomm_session *rs, int dlci)
792 {
793 struct rfcomm_dlc *dlc;
794
795 DPRINTFN(5, "DISC(%d)\n", dlci);
796
797 if (dlci == 0) {
798 /*
799 * Disconnect Session
800 *
801 * We set the session state to CLOSED so that when
802 * the UA frame is clear the session will be closed
803 * automatically. We wont bother to close any DLC's
804 * just yet as there should be none. In the unlikely
805 * event that something is left, it will get flushed
806 * out as the session goes down.
807 */
808 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0);
809 rs->rs_state = RFCOMM_SESSION_CLOSED;
810 return;
811 }
812
813 dlc = rfcomm_dlc_lookup(rs, dlci);
814 if (dlc == NULL) {
815 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci);
816 return;
817 }
818
819 rfcomm_dlc_close(dlc, ECONNRESET);
820 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci);
821 }
822
823 /*
824 * Receive Unnumbered Acknowledgement Response
825 *
826 * This should be a response to a DISC or SABM frame that we
827 * have previously sent. If unexpected, ignore it.
828 */
829 static void
rfcomm_session_recv_ua(struct rfcomm_session * rs,int dlci)830 rfcomm_session_recv_ua(struct rfcomm_session *rs, int dlci)
831 {
832 struct rfcomm_dlc *dlc;
833
834 DPRINTFN(5, "UA(%d)\n", dlci);
835
836 if (dlci == 0) {
837 switch (rs->rs_state) {
838 case RFCOMM_SESSION_WAIT_CONNECT: /* We sent SABM */
839 callout_stop(&rs->rs_timeout);
840 rs->rs_state = RFCOMM_SESSION_OPEN;
841 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) {
842 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION)
843 rfcomm_dlc_connect(dlc);
844 }
845 break;
846
847 case RFCOMM_SESSION_WAIT_DISCONNECT: /* We sent DISC */
848 callout_stop(&rs->rs_timeout);
849 rs->rs_state = RFCOMM_SESSION_CLOSED;
850 l2cap_disconnect(rs->rs_l2cap, 0);
851 break;
852
853 default:
854 DPRINTF("Received spurious UA(0)!\n");
855 break;
856 }
857
858 return;
859 }
860
861 /*
862 * If we have no DLC on this dlci, we may have aborted
863 * without shutting down properly, so check if the session
864 * needs disconnecting.
865 */
866 dlc = rfcomm_dlc_lookup(rs, dlci);
867 if (dlc == NULL)
868 goto check;
869
870 switch (dlc->rd_state) {
871 case RFCOMM_DLC_WAIT_RECV_UA: /* We sent SABM */
872 rfcomm_dlc_open(dlc);
873 return;
874
875 case RFCOMM_DLC_WAIT_DISCONNECT: /* We sent DISC */
876 rfcomm_dlc_close(dlc, 0);
877 break;
878
879 default:
880 DPRINTF("Received spurious UA(%d)!\n", dlci);
881 return;
882 }
883
884 check: /* last one out turns out the light */
885 if (LIST_EMPTY(&rs->rs_dlcs)) {
886 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT;
887 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0);
888 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout*hz,rfcomm_session_timeout,rs);
889 }
890 }
891
892 /*
893 * Receive Disconnected Mode Response
894 *
895 * If this does not apply to a known DLC then we may ignore it.
896 */
897 static void
rfcomm_session_recv_dm(struct rfcomm_session * rs,int dlci)898 rfcomm_session_recv_dm(struct rfcomm_session *rs, int dlci)
899 {
900 struct rfcomm_dlc *dlc;
901
902 DPRINTFN(5, "DM(%d)\n", dlci);
903
904 dlc = rfcomm_dlc_lookup(rs, dlci);
905 if (dlc == NULL)
906 return;
907
908 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT)
909 rfcomm_dlc_close(dlc, ECONNREFUSED);
910 else
911 rfcomm_dlc_close(dlc, ECONNRESET);
912 }
913
914 /*
915 * Receive Unnumbered Information with Header check (MCC or data packet)
916 */
917 static void
rfcomm_session_recv_uih(struct rfcomm_session * rs,int dlci,int pf,struct mbuf * m,int len)918 rfcomm_session_recv_uih(struct rfcomm_session *rs, int dlci,
919 int pf, struct mbuf *m, int len)
920 {
921 struct rfcomm_dlc *dlc;
922 uint8_t credits = 0;
923
924 DPRINTFN(10, "UIH(%d)\n", dlci);
925
926 if (dlci == 0) {
927 rfcomm_session_recv_mcc(rs, m);
928 return;
929 }
930
931 if (m->m_pkthdr.len != len + pf) {
932 DPRINTF("Bad Frame Length (%d), frame discarded\n",
933 m->m_pkthdr.len);
934
935 goto discard;
936 }
937
938 dlc = rfcomm_dlc_lookup(rs, dlci);
939 if (dlc == NULL) {
940 DPRINTF("UIH received for non existent DLC, discarded\n");
941 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci);
942 goto discard;
943 }
944
945 if (dlc->rd_state != RFCOMM_DLC_OPEN) {
946 DPRINTF("non-open DLC (state = %d), discarded\n",
947 dlc->rd_state);
948 goto discard;
949 }
950
951 /* if PF is set, credits were included */
952 if (rs->rs_flags & RFCOMM_SESSION_CFC) {
953 if (pf != 0) {
954 if (m->m_pkthdr.len < sizeof(credits)) {
955 DPRINTF("Bad PF value, UIH discarded\n");
956 goto discard;
957 }
958
959 m_copydata(m, 0, sizeof(credits), &credits);
960 m_adj(m, sizeof(credits));
961
962 dlc->rd_txcred += credits;
963
964 if (credits > 0 && dlc->rd_txbuf != NULL)
965 rfcomm_dlc_start(dlc);
966 }
967
968 if (len == 0)
969 goto discard;
970
971 if (dlc->rd_rxcred == 0) {
972 DPRINTF("Credit limit reached, UIH discarded\n");
973 goto discard;
974 }
975
976 if (len > dlc->rd_rxsize) {
977 DPRINTF("UIH frame exceeds rxsize, discarded\n");
978 goto discard;
979 }
980
981 dlc->rd_rxcred--;
982 dlc->rd_rxsize -= len;
983 }
984
985 (*dlc->rd_proto->input)(dlc->rd_upper, m);
986 return;
987
988 discard:
989 m_freem(m);
990 }
991
992 /*
993 * Receive Multiplexer Control Command
994 */
995 static void
rfcomm_session_recv_mcc(struct rfcomm_session * rs,struct mbuf * m)996 rfcomm_session_recv_mcc(struct rfcomm_session *rs, struct mbuf *m)
997 {
998 int type, cr, len;
999 uint8_t b;
1000
1001 /*
1002 * Extract MCC header.
1003 *
1004 * Fields are variable length using extension bit = 1 to signify the
1005 * last octet in the sequence.
1006 *
1007 * Only single octet types are defined in TS 07.10/RFCOMM spec
1008 *
1009 * Length can realistically only use 15 bits (max RFCOMM MTU)
1010 */
1011 if (m->m_pkthdr.len < sizeof(b)) {
1012 DPRINTF("Short MCC header, discarded\n");
1013 goto release;
1014 }
1015
1016 m_copydata(m, 0, sizeof(b), &b);
1017 m_adj(m, sizeof(b));
1018
1019 if (RFCOMM_EA(b) == 0) { /* verify no extensions */
1020 DPRINTF("MCC type EA = 0, discarded\n");
1021 goto release;
1022 }
1023
1024 type = RFCOMM_MCC_TYPE(b);
1025 cr = RFCOMM_CR(b);
1026
1027 len = 0;
1028 do {
1029 if (m->m_pkthdr.len < sizeof(b)) {
1030 DPRINTF("Short MCC header, discarded\n");
1031 goto release;
1032 }
1033
1034 m_copydata(m, 0, sizeof(b), &b);
1035 m_adj(m, sizeof(b));
1036
1037 len = (len << 7) | (b >> 1);
1038 len = min(len, RFCOMM_MTU_MAX);
1039 } while (RFCOMM_EA(b) == 0);
1040
1041 if (len != m->m_pkthdr.len) {
1042 DPRINTF("Incorrect MCC length, discarded\n");
1043 goto release;
1044 }
1045
1046 DPRINTFN(2, "MCC %s type %2.2x (%d bytes)\n",
1047 (cr ? "command" : "response"), type, len);
1048
1049 /*
1050 * pass to command handler
1051 */
1052 switch(type) {
1053 case RFCOMM_MCC_TEST: /* Test */
1054 rfcomm_session_recv_mcc_test(rs, cr, m);
1055 break;
1056
1057 case RFCOMM_MCC_FCON: /* Flow Control On */
1058 rfcomm_session_recv_mcc_fcon(rs, cr);
1059 break;
1060
1061 case RFCOMM_MCC_FCOFF: /* Flow Control Off */
1062 rfcomm_session_recv_mcc_fcoff(rs, cr);
1063 break;
1064
1065 case RFCOMM_MCC_MSC: /* Modem Status Command */
1066 rfcomm_session_recv_mcc_msc(rs, cr, m);
1067 break;
1068
1069 case RFCOMM_MCC_RPN: /* Remote Port Negotiation */
1070 rfcomm_session_recv_mcc_rpn(rs, cr, m);
1071 break;
1072
1073 case RFCOMM_MCC_RLS: /* Remote Line Status */
1074 rfcomm_session_recv_mcc_rls(rs, cr, m);
1075 break;
1076
1077 case RFCOMM_MCC_PN: /* Parameter Negotiation */
1078 rfcomm_session_recv_mcc_pn(rs, cr, m);
1079 break;
1080
1081 case RFCOMM_MCC_NSC: /* Non Supported Command */
1082 rfcomm_session_recv_mcc_nsc(rs, cr, m);
1083 break;
1084
1085 default:
1086 b = RFCOMM_MKMCC_TYPE(cr, type);
1087 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_NSC, &b, sizeof(b));
1088 }
1089
1090 release:
1091 m_freem(m);
1092 }
1093
1094 /*
1095 * process TEST command/response
1096 */
1097 static void
rfcomm_session_recv_mcc_test(struct rfcomm_session * rs,int cr,struct mbuf * m)1098 rfcomm_session_recv_mcc_test(struct rfcomm_session *rs, int cr, struct mbuf *m)
1099 {
1100 void *data;
1101 int len;
1102
1103 if (cr == 0) /* ignore ack */
1104 return;
1105
1106 /*
1107 * we must send all the data they included back as is
1108 */
1109
1110 len = m->m_pkthdr.len;
1111 if (len > RFCOMM_MTU_MAX)
1112 return;
1113
1114 data = kmalloc(len, M_BLUETOOTH, M_NOWAIT);
1115 if (data == NULL)
1116 return;
1117
1118 m_copydata(m, 0, len, data);
1119 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_TEST, data, len);
1120 kfree(data, M_BLUETOOTH);
1121 }
1122
1123 /*
1124 * process Flow Control ON command/response
1125 */
1126 static void
rfcomm_session_recv_mcc_fcon(struct rfcomm_session * rs,int cr)1127 rfcomm_session_recv_mcc_fcon(struct rfcomm_session *rs, int cr)
1128 {
1129
1130 if (cr == 0) /* ignore ack */
1131 return;
1132
1133 rs->rs_flags |= RFCOMM_SESSION_RFC;
1134 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCON, NULL, 0);
1135 }
1136
1137 /*
1138 * process Flow Control OFF command/response
1139 */
1140 static void
rfcomm_session_recv_mcc_fcoff(struct rfcomm_session * rs,int cr)1141 rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *rs, int cr)
1142 {
1143 if (cr == 0) /* ignore ack */
1144 return;
1145
1146 rs->rs_flags &= ~RFCOMM_SESSION_RFC;
1147 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCOFF, NULL, 0);
1148 }
1149
1150 /*
1151 * process Modem Status Command command/response
1152 */
1153 static void
rfcomm_session_recv_mcc_msc(struct rfcomm_session * rs,int cr,struct mbuf * m)1154 rfcomm_session_recv_mcc_msc(struct rfcomm_session *rs, int cr, struct mbuf *m)
1155 {
1156 struct rfcomm_mcc_msc msc; /* (3 octets) */
1157 struct rfcomm_dlc *dlc;
1158 int len = 0;
1159
1160 /* [ADDRESS] */
1161 if (m->m_pkthdr.len < sizeof(msc.address))
1162 return;
1163
1164 m_copydata(m, 0, sizeof(msc.address), &msc.address);
1165 m_adj(m, sizeof(msc.address));
1166 len += sizeof(msc.address);
1167
1168 dlc = rfcomm_dlc_lookup(rs, RFCOMM_DLCI(msc.address));
1169
1170 if (cr == 0) { /* ignore acks */
1171 if (dlc != NULL)
1172 callout_stop(&dlc->rd_timeout);
1173
1174 return;
1175 }
1176
1177 if (dlc == NULL) {
1178 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM,
1179 RFCOMM_DLCI(msc.address));
1180 return;
1181 }
1182
1183 /* [SIGNALS] */
1184 if (m->m_pkthdr.len < sizeof(msc.modem))
1185 return;
1186
1187 m_copydata(m, 0, sizeof(msc.modem), &msc.modem);
1188 m_adj(m, sizeof(msc.modem));
1189 len += sizeof(msc.modem);
1190
1191 dlc->rd_rmodem = msc.modem;
1192 /* XXX how do we signal this upstream? */
1193
1194 if (RFCOMM_EA(msc.modem) == 0) {
1195 if (m->m_pkthdr.len < sizeof(msc.brk))
1196 return;
1197
1198 m_copydata(m, 0, sizeof(msc.brk), &msc.brk);
1199 m_adj(m, sizeof(msc.brk));
1200 len += sizeof(msc.brk);
1201
1202 /* XXX how do we signal this upstream? */
1203 }
1204
1205 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_MSC, &msc, len);
1206 }
1207
1208 /*
1209 * process Remote Port Negotiation command/response
1210 */
1211 static void
rfcomm_session_recv_mcc_rpn(struct rfcomm_session * rs,int cr,struct mbuf * m)1212 rfcomm_session_recv_mcc_rpn(struct rfcomm_session *rs, int cr, struct mbuf *m)
1213 {
1214 struct rfcomm_mcc_rpn rpn;
1215 uint16_t mask;
1216
1217 if (cr == 0) /* ignore ack */
1218 return;
1219
1220 /* default values */
1221 rpn.bit_rate = RFCOMM_RPN_BR_9600;
1222 rpn.line_settings = RFCOMM_RPN_8_N_1;
1223 rpn.flow_control = RFCOMM_RPN_FLOW_NONE;
1224 rpn.xon_char = RFCOMM_RPN_XON_CHAR;
1225 rpn.xoff_char = RFCOMM_RPN_XOFF_CHAR;
1226
1227 if (m->m_pkthdr.len == sizeof(rpn)) {
1228 m_copydata(m, 0, sizeof(rpn), &rpn);
1229 rpn.param_mask = RFCOMM_RPN_PM_ALL;
1230 } else if (m->m_pkthdr.len == 1) {
1231 m_copydata(m, 0, 1, &rpn);
1232 rpn.param_mask = letoh16(rpn.param_mask);
1233 } else {
1234 DPRINTF("Bad RPN length (%d)\n", m->m_pkthdr.len);
1235 return;
1236 }
1237
1238 mask = 0;
1239
1240 if (rpn.param_mask & RFCOMM_RPN_PM_RATE)
1241 mask |= RFCOMM_RPN_PM_RATE;
1242
1243 if (rpn.param_mask & RFCOMM_RPN_PM_DATA
1244 && RFCOMM_RPN_DATA_BITS(rpn.line_settings) == RFCOMM_RPN_DATA_8)
1245 mask |= RFCOMM_RPN_PM_DATA;
1246
1247 if (rpn.param_mask & RFCOMM_RPN_PM_STOP
1248 && RFCOMM_RPN_STOP_BITS(rpn.line_settings) == RFCOMM_RPN_STOP_1)
1249 mask |= RFCOMM_RPN_PM_STOP;
1250
1251 if (rpn.param_mask & RFCOMM_RPN_PM_PARITY
1252 && RFCOMM_RPN_PARITY(rpn.line_settings) == RFCOMM_RPN_PARITY_NONE)
1253 mask |= RFCOMM_RPN_PM_PARITY;
1254
1255 if (rpn.param_mask & RFCOMM_RPN_PM_XON
1256 && rpn.xon_char == RFCOMM_RPN_XON_CHAR)
1257 mask |= RFCOMM_RPN_PM_XON;
1258
1259 if (rpn.param_mask & RFCOMM_RPN_PM_XOFF
1260 && rpn.xoff_char == RFCOMM_RPN_XOFF_CHAR)
1261 mask |= RFCOMM_RPN_PM_XOFF;
1262
1263 if (rpn.param_mask & RFCOMM_RPN_PM_FLOW
1264 && rpn.flow_control == RFCOMM_RPN_FLOW_NONE)
1265 mask |= RFCOMM_RPN_PM_FLOW;
1266
1267 rpn.param_mask = htole16(mask);
1268
1269 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RPN, &rpn, sizeof(rpn));
1270 }
1271
1272 /*
1273 * process Remote Line Status command/response
1274 */
1275 static void
rfcomm_session_recv_mcc_rls(struct rfcomm_session * rs,int cr,struct mbuf * m)1276 rfcomm_session_recv_mcc_rls(struct rfcomm_session *rs, int cr, struct mbuf *m)
1277 {
1278 struct rfcomm_mcc_rls rls;
1279
1280 if (cr == 0) /* ignore ack */
1281 return;
1282
1283 if (m->m_pkthdr.len != sizeof(rls)) {
1284 DPRINTF("Bad RLS length %d\n", m->m_pkthdr.len);
1285 return;
1286 }
1287
1288 m_copydata(m, 0, sizeof(rls), &rls);
1289
1290 /*
1291 * So far as I can tell, we just send back what
1292 * they sent us. This signifies errors that seem
1293 * irrelevent for RFCOMM over L2CAP.
1294 */
1295 rls.address |= 0x03; /* EA = 1, CR = 1 */
1296 rls.status &= 0x0f; /* only 4 bits valid */
1297
1298 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RLS, &rls, sizeof(rls));
1299 }
1300
1301 /*
1302 * process Parameter Negotiation command/response
1303 */
1304 static void
rfcomm_session_recv_mcc_pn(struct rfcomm_session * rs,int cr,struct mbuf * m)1305 rfcomm_session_recv_mcc_pn(struct rfcomm_session *rs, int cr, struct mbuf *m)
1306 {
1307 struct rfcomm_dlc *dlc;
1308 struct rfcomm_mcc_pn pn;
1309 int err;
1310
1311 if (m->m_pkthdr.len != sizeof(pn)) {
1312 DPRINTF("Bad PN length %d\n", m->m_pkthdr.len);
1313 return;
1314 }
1315
1316 m_copydata(m, 0, sizeof(pn), &pn);
1317
1318 pn.dlci &= 0x3f;
1319 pn.mtu = letoh16(pn.mtu);
1320
1321 dlc = rfcomm_dlc_lookup(rs, pn.dlci);
1322 if (cr) { /* Command */
1323 /*
1324 * If there is no DLC present, this is a new
1325 * connection so attempt to make one
1326 */
1327 if (dlc == NULL) {
1328 dlc = rfcomm_dlc_newconn(rs, pn.dlci);
1329 if (dlc == NULL)
1330 return; /* (DM is sent) */
1331 }
1332
1333 /* accept any valid MTU, and offer it back */
1334 pn.mtu = min(pn.mtu, RFCOMM_MTU_MAX);
1335 pn.mtu = min(pn.mtu, rs->rs_mtu);
1336 pn.mtu = max(pn.mtu, RFCOMM_MTU_MIN);
1337 dlc->rd_mtu = pn.mtu;
1338 pn.mtu = htole16(pn.mtu);
1339
1340 /* credits are only set before DLC is open */
1341 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT
1342 && (pn.flow_control & 0xf0) == 0xf0) {
1343 rs->rs_flags |= RFCOMM_SESSION_CFC;
1344 dlc->rd_txcred = pn.credits & 0x07;
1345
1346 dlc->rd_rxcred = (dlc->rd_rxsize / dlc->rd_mtu);
1347 dlc->rd_rxcred = min(dlc->rd_rxcred,
1348 RFCOMM_CREDITS_DEFAULT);
1349
1350 pn.flow_control = 0xe0;
1351 pn.credits = dlc->rd_rxcred;
1352 } else {
1353 pn.flow_control = 0x00;
1354 pn.credits = 0x00;
1355 }
1356
1357 /* unused fields must be ignored and set to zero */
1358 pn.ack_timer = 0;
1359 pn.max_retrans = 0;
1360
1361 /* send our response */
1362 err = rfcomm_session_send_mcc(rs, 0,
1363 RFCOMM_MCC_PN, &pn, sizeof(pn));
1364 if (err)
1365 goto close;
1366
1367 } else { /* Response */
1368 /* ignore responses with no matching DLC */
1369 if (dlc == NULL)
1370 return;
1371
1372 callout_stop(&dlc->rd_timeout);
1373
1374 if (pn.mtu > RFCOMM_MTU_MAX || pn.mtu > dlc->rd_mtu) {
1375 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT;
1376 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC,
1377 pn.dlci);
1378 if (err)
1379 goto close;
1380
1381 callout_reset(&dlc->rd_timeout, rfcomm_ack_timeout * hz,
1382 rfcomm_dlc_timeout, dlc);
1383 return;
1384 }
1385 dlc->rd_mtu = pn.mtu;
1386
1387 /* if DLC is not waiting to connect, we are done */
1388 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT)
1389 return;
1390
1391 /* set initial credits according to RFCOMM spec */
1392 if ((pn.flow_control & 0xf0) == 0xe0) {
1393 rs->rs_flags |= RFCOMM_SESSION_CFC;
1394 dlc->rd_txcred = (pn.credits & 0x07);
1395 }
1396
1397 callout_reset(&dlc->rd_timeout, rfcomm_ack_timeout * hz,
1398 rfcomm_dlc_timeout, dlc);
1399
1400 /* set link mode */
1401 err = rfcomm_dlc_setmode(dlc);
1402 if (err == EINPROGRESS) {
1403 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_SABM;
1404 (*dlc->rd_proto->connecting)(dlc->rd_upper);
1405 return;
1406 }
1407 if (err)
1408 goto close;
1409
1410 /* we can proceed now */
1411 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, pn.dlci);
1412 if (err)
1413 goto close;
1414
1415 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA;
1416 }
1417 return;
1418
1419 close:
1420 rfcomm_dlc_close(dlc, err);
1421 }
1422
1423 /*
1424 * process Non Supported Command command/response
1425 */
1426 static void
rfcomm_session_recv_mcc_nsc(struct rfcomm_session * rs,int cr,struct mbuf * m)1427 rfcomm_session_recv_mcc_nsc(struct rfcomm_session *rs,
1428 int cr, struct mbuf *m)
1429 {
1430 struct rfcomm_dlc *dlc, *next;
1431
1432 /*
1433 * Since we did nothing that is not mandatory,
1434 * we just abort the whole session..
1435 */
1436
1437 next = LIST_FIRST(&rs->rs_dlcs);
1438 while ((dlc = next) != NULL) {
1439 next = LIST_NEXT(dlc, rd_next);
1440 rfcomm_dlc_close(dlc, ECONNABORTED);
1441 }
1442
1443 rfcomm_session_free(rs);
1444 }
1445
1446 /***********************************************************************
1447 *
1448 * RFCOMM Session outward frame/uih/mcc building
1449 */
1450
1451 /*
1452 * SABM/DISC/DM/UA frames are all minimal and mostly identical.
1453 */
1454 int
rfcomm_session_send_frame(struct rfcomm_session * rs,int type,int dlci)1455 rfcomm_session_send_frame(struct rfcomm_session *rs, int type, int dlci)
1456 {
1457 struct rfcomm_cmd_hdr *hdr;
1458 struct rfcomm_credit *credit;
1459 struct mbuf *m;
1460 uint8_t fcs, cr;
1461
1462 credit = zalloc(rfcomm_credit_pool);
1463 if (credit == NULL)
1464 return ENOMEM;
1465
1466 m = m_gethdr(M_NOWAIT, MT_DATA);
1467 if (m == NULL) {
1468 zfree(rfcomm_credit_pool, credit);
1469 return ENOMEM;
1470 }
1471
1472 /*
1473 * The CR (command/response) bit identifies the frame either as a
1474 * commmand or a response and is used along with the DLCI to form
1475 * the address. Commands contain the non-initiator address, whereas
1476 * responses contain the initiator address, so the CR value is
1477 * also dependent on the session direction.
1478 */
1479 if (type == RFCOMM_FRAME_UA || type == RFCOMM_FRAME_DM)
1480 cr = IS_INITIATOR(rs) ? 0 : 1;
1481 else
1482 cr = IS_INITIATOR(rs) ? 1 : 0;
1483
1484 hdr = mtod(m, struct rfcomm_cmd_hdr *);
1485 hdr->address = RFCOMM_MKADDRESS(cr, dlci);
1486 hdr->control = RFCOMM_MKCONTROL(type, 1); /* PF = 1 */
1487 hdr->length = (0x00 << 1) | 0x01; /* len = 0x00, EA = 1 */
1488
1489 fcs = 0xff;
1490 fcs = FCS(fcs, hdr->address);
1491 fcs = FCS(fcs, hdr->control);
1492 fcs = FCS(fcs, hdr->length);
1493 fcs = 0xff - fcs; /* ones complement */
1494 hdr->fcs = fcs;
1495
1496 m->m_pkthdr.len = m->m_len = sizeof(struct rfcomm_cmd_hdr);
1497
1498 /* empty credit note */
1499 credit->rc_dlc = NULL;
1500 credit->rc_len = m->m_pkthdr.len;
1501 STAILQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next);
1502
1503 DPRINTFN(5, "dlci %d type %2.2x (%d bytes, fcs=%#2.2x)\n",
1504 dlci, type, m->m_pkthdr.len, fcs);
1505
1506 return l2cap_send(rs->rs_l2cap, m);
1507 }
1508
1509 /*
1510 * rfcomm_session_send_uih(rfcomm_session, rfcomm_dlc, credits, mbuf)
1511 *
1512 * UIH frame is per DLC data or Multiplexer Control Commands
1513 * when no DLC is given. Data mbuf is optional (just credits
1514 * will be sent in that case)
1515 */
1516 int
rfcomm_session_send_uih(struct rfcomm_session * rs,struct rfcomm_dlc * dlc,int credits,struct mbuf * m)1517 rfcomm_session_send_uih(struct rfcomm_session *rs, struct rfcomm_dlc *dlc,
1518 int credits, struct mbuf *m)
1519 {
1520 struct rfcomm_credit *credit;
1521 struct mbuf *m0 = NULL;
1522 int err, len;
1523 uint8_t fcs, *hdr;
1524
1525 KKASSERT(rs != NULL);
1526
1527 len = (m == NULL) ? 0 : m->m_pkthdr.len;
1528 KKASSERT(!(credits == 0 && len == 0));
1529
1530 /*
1531 * Make a credit note for the completion notification
1532 */
1533 credit = zalloc(rfcomm_credit_pool);
1534 if (credit == NULL)
1535 goto nomem;
1536
1537 credit->rc_len = len;
1538 credit->rc_dlc = dlc;
1539
1540 /*
1541 * Wrap UIH frame information around payload.
1542 *
1543 * [ADDRESS] [CONTROL] [LENGTH] [CREDITS] [...] [FCS]
1544 *
1545 * Address is one octet.
1546 * Control is one octet.
1547 * Length is one or two octets.
1548 * Credits may be one octet.
1549 *
1550 * FCS is one octet and calculated on address and
1551 * control octets only.
1552 *
1553 * If there are credits to be sent, we will set the PF
1554 * flag and include them in the frame.
1555 */
1556 m0 = m_gethdr(M_NOWAIT, MT_DATA);
1557 if (m0 == NULL)
1558 goto nomem;
1559
1560 MH_ALIGN(m0, 5); /* (max 5 header octets) */
1561 hdr = mtod(m0, uint8_t *);
1562
1563 /* CR bit is set according to the initiator of the session */
1564 *hdr = RFCOMM_MKADDRESS((IS_INITIATOR(rs) ? 1 : 0),
1565 (dlc ? dlc->rd_dlci : 0));
1566 fcs = FCS(0xff, *hdr);
1567 hdr++;
1568
1569 /* PF bit is set if credits are being sent */
1570 *hdr = RFCOMM_MKCONTROL(RFCOMM_FRAME_UIH, (credits > 0 ? 1 : 0));
1571 fcs = FCS(fcs, *hdr);
1572 hdr++;
1573
1574 if (len < (1 << 7)) {
1575 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */
1576 } else {
1577 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */
1578 *hdr++ = ((len >> 7) & 0xff); /* 8 bits, no EA */
1579 }
1580
1581 if (credits > 0)
1582 *hdr++ = (uint8_t)credits;
1583
1584 m0->m_len = hdr - mtod(m0, uint8_t *);
1585
1586 /* Append payload */
1587 m0->m_next = m;
1588 m = NULL;
1589
1590 m0->m_pkthdr.len = m0->m_len + len;
1591
1592 /* Append FCS */
1593 fcs = 0xff - fcs; /* ones complement */
1594 len = m0->m_pkthdr.len;
1595 if (m_copyback2(m0, len, sizeof(fcs), &fcs, M_NOWAIT) != 0)
1596 goto nomem;
1597
1598 DPRINTFN(10, "dlci %d, pktlen %d (%d data, %d credits), fcs=%#2.2x\n",
1599 dlc ? dlc->rd_dlci : 0, m0->m_pkthdr.len, credit->rc_len,
1600 credits, fcs);
1601
1602 /*
1603 * UIH frame ready to go..
1604 */
1605 err = l2cap_send(rs->rs_l2cap, m0);
1606 if (err)
1607 goto fail;
1608
1609 STAILQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next);
1610 return 0;
1611
1612 nomem:
1613 err = ENOMEM;
1614
1615 if (m0 != NULL)
1616 m_freem(m0);
1617
1618 if (m != NULL)
1619 m_freem(m);
1620
1621 fail:
1622 if (credit != NULL)
1623 zfree(rfcomm_credit_pool, credit);
1624
1625 return err;
1626 }
1627
1628 /*
1629 * send Multiplexer Control Command (or Response) on session
1630 */
1631 int
rfcomm_session_send_mcc(struct rfcomm_session * rs,int cr,uint8_t type,void * data,int len)1632 rfcomm_session_send_mcc(struct rfcomm_session *rs, int cr,
1633 uint8_t type, void *data, int len)
1634 {
1635 struct mbuf *m;
1636 uint8_t *hdr;
1637 int hlen;
1638
1639 m = m_gethdr(M_NOWAIT, MT_DATA);
1640 if (m == NULL)
1641 return ENOMEM;
1642
1643 hdr = mtod(m, uint8_t *);
1644
1645 /*
1646 * Technically the type field can extend past one octet, but none
1647 * currently defined will do that.
1648 */
1649 *hdr++ = RFCOMM_MKMCC_TYPE(cr, type);
1650
1651 /*
1652 * In the frame, the max length size is 2 octets (15 bits) whereas
1653 * no max length size is specified for MCC commands. We must allow
1654 * for 3 octets since for MCC frames we use 7 bits + EA in each.
1655 *
1656 * Only test data can possibly be that big.
1657 *
1658 * XXX Should we check this against the MTU?
1659 */
1660 if (len < (1 << 7)) {
1661 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */
1662 } else if (len < (1 << 14)) {
1663 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */
1664 *hdr++ = ((len >> 6) & 0xfe) | 0x01; /* 7 bits, EA = 1 */
1665 } else if (len < (1 << 15)) {
1666 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */
1667 *hdr++ = ((len >> 6) & 0xfe); /* 7 bits, EA = 0 */
1668 *hdr++ = ((len >> 13) & 0x02) | 0x01; /* 1 bit, EA = 1 */
1669 } else {
1670 DPRINTF("incredible length! (%d)\n", len);
1671 m_freem(m);
1672 return EMSGSIZE;
1673 }
1674
1675 /*
1676 * add command data (to same mbuf if possible)
1677 */
1678 hlen = hdr - mtod(m, uint8_t *);
1679 m->m_len = m->m_pkthdr.len = hlen; /* in case len == 0 */
1680
1681 if (len > 0 && m_copyback2(m, hlen, len, data, M_NOWAIT) != 0) {
1682 m_freem(m);
1683 return ENOMEM;
1684 }
1685
1686 DPRINTFN(5, "%s type %2.2x len %d\n",
1687 (cr ? "command" : "response"), type, m->m_pkthdr.len);
1688
1689 return rfcomm_session_send_uih(rs, NULL, 0, m);
1690 }
1691