1 /* $DragonFly: src/sys/netbt/rfcomm_session.c,v 1.2 2008/03/18 13:41:42 hasso Exp $ */ 2 /* $OpenBSD: src/sys/netbt/rfcomm_session.c,v 1.3 2008/02/24 21:34:48 uwe Exp $ */ 3 /* $NetBSD: rfcomm_session.c,v 1.12 2008/01/31 19:30:23 plunky Exp $ */ 4 5 /*- 6 * Copyright (c) 2006 Itronix Inc. 7 * All rights reserved. 8 * 9 * Written by Iain Hibbert for Itronix Inc. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. The name of Itronix Inc. may not be used to endorse 20 * or promote products derived from this software without specific 21 * prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 25 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 26 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY 27 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 28 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 29 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 30 * ON ANY THEORY OF LIABILITY, WHETHER IN 31 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 32 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 #include <sys/param.h> 37 #include <sys/kernel.h> 38 #include <sys/mbuf.h> 39 #include <sys/proc.h> 40 #include <sys/systm.h> 41 #include <sys/types.h> 42 #include <sys/endian.h> 43 44 #include <net/if.h> 45 #include <net/pf/pfvar.h> 46 47 #include <netbt/bluetooth.h> 48 #include <netbt/hci.h> 49 #include <netbt/l2cap.h> 50 #include <netbt/rfcomm.h> 51 52 /****************************************************************************** 53 * 54 * RFCOMM Multiplexer Sessions sit directly on L2CAP channels, and can 55 * multiplex up to 30 incoming and 30 outgoing connections. 56 * Only one Multiplexer is allowed between any two devices. 57 */ 58 59 static void rfcomm_session_recv_sabm(struct rfcomm_session *, int); 60 static void rfcomm_session_recv_disc(struct rfcomm_session *, int); 61 static void rfcomm_session_recv_ua(struct rfcomm_session *, int); 62 static void rfcomm_session_recv_dm(struct rfcomm_session *, int); 63 static void rfcomm_session_recv_uih(struct rfcomm_session *, int, int, struct mbuf *, int); 64 static void rfcomm_session_recv_mcc(struct rfcomm_session *, struct mbuf *); 65 static void rfcomm_session_recv_mcc_test(struct rfcomm_session *, int, struct mbuf *); 66 static void rfcomm_session_recv_mcc_fcon(struct rfcomm_session *, int); 67 static void rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *, int); 68 static void rfcomm_session_recv_mcc_msc(struct rfcomm_session *, int, struct mbuf *); 69 static void rfcomm_session_recv_mcc_rpn(struct rfcomm_session *, int, struct mbuf *); 70 static void rfcomm_session_recv_mcc_rls(struct rfcomm_session *, int, struct mbuf *); 71 static void rfcomm_session_recv_mcc_pn(struct rfcomm_session *, int, struct mbuf *); 72 static void rfcomm_session_recv_mcc_nsc(struct rfcomm_session *, int, struct mbuf *); 73 74 /* L2CAP callbacks */ 75 static void rfcomm_session_connecting(void *); 76 static void rfcomm_session_connected(void *); 77 static void rfcomm_session_disconnected(void *, int); 78 static void *rfcomm_session_newconn(void *, struct sockaddr_bt *, struct sockaddr_bt *); 79 static void rfcomm_session_complete(void *, int); 80 static void rfcomm_session_linkmode(void *, int); 81 static void rfcomm_session_input(void *, struct mbuf *); 82 83 static const struct btproto rfcomm_session_proto = { 84 rfcomm_session_connecting, 85 rfcomm_session_connected, 86 rfcomm_session_disconnected, 87 rfcomm_session_newconn, 88 rfcomm_session_complete, 89 rfcomm_session_linkmode, 90 rfcomm_session_input, 91 }; 92 93 struct rfcomm_session_list 94 rfcomm_session_active = LIST_HEAD_INITIALIZER(rfcomm_session_active); 95 96 struct rfcomm_session_list 97 rfcomm_session_listen = LIST_HEAD_INITIALIZER(rfcomm_session_listen); 98 99 vm_zone_t rfcomm_credit_pool; 100 101 /* 102 * RFCOMM System Parameters (see section 5.3) 103 */ 104 int rfcomm_mtu_default = 127; /* bytes */ 105 int rfcomm_ack_timeout = 20; /* seconds */ 106 int rfcomm_mcc_timeout = 20; /* seconds */ 107 108 /* 109 * Reversed CRC table as per TS 07.10 Annex B.3.5 110 */ 111 static const uint8_t crctable[256] = { /* reversed, 8-bit, poly=0x07 */ 112 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 113 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 114 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 115 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 116 117 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 118 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 119 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 120 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 121 122 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 123 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 124 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 125 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 126 127 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 128 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 129 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 130 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 131 132 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 133 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 134 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 135 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 136 137 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 138 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 139 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 140 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 141 142 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 143 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 144 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 145 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 146 147 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 148 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 149 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 150 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 151 }; 152 153 #define FCS(f, d) crctable[(f) ^ (d)] 154 155 /* 156 * rfcomm_init() 157 * 158 * initialize the "credit pool". 159 */ 160 void 161 rfcomm_init(void) 162 { 163 rfcomm_credit_pool = zinit("rfcomm_credit", 164 sizeof(struct rfcomm_credit), 0, 0, 0); 165 } 166 167 /* 168 * rfcomm_session_alloc(list, sockaddr) 169 * 170 * allocate a new session and fill in the blanks, then 171 * attach session to front of specified list (active or listen) 172 */ 173 struct rfcomm_session * 174 rfcomm_session_alloc(struct rfcomm_session_list *list, 175 struct sockaddr_bt *laddr) 176 { 177 struct rfcomm_session *rs; 178 int err; 179 180 rs = kmalloc(sizeof(*rs), M_BLUETOOTH, M_NOWAIT | M_ZERO); 181 if (rs == NULL) 182 return NULL; 183 184 rs->rs_state = RFCOMM_SESSION_CLOSED; 185 186 callout_init(&rs->rs_timeout); 187 188 STAILQ_INIT(&rs->rs_credits); 189 LIST_INIT(&rs->rs_dlcs); 190 191 err = l2cap_attach(&rs->rs_l2cap, &rfcomm_session_proto, rs); 192 if (err) { 193 kfree(rs, M_BLUETOOTH); 194 return NULL; 195 } 196 197 (void)l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu); 198 199 if (laddr->bt_psm == L2CAP_PSM_ANY) 200 laddr->bt_psm = L2CAP_PSM_RFCOMM; 201 202 (void)l2cap_bind(rs->rs_l2cap, laddr); 203 204 LIST_INSERT_HEAD(list, rs, rs_next); 205 206 return rs; 207 } 208 209 /* 210 * rfcomm_session_free(rfcomm_session) 211 * 212 * release a session, including any cleanup 213 */ 214 void 215 rfcomm_session_free(struct rfcomm_session *rs) 216 { 217 struct rfcomm_credit *credit; 218 219 KKASSERT(rs != NULL); 220 KKASSERT(LIST_EMPTY(&rs->rs_dlcs)); 221 222 rs->rs_state = RFCOMM_SESSION_CLOSED; 223 224 /* 225 * If the callout is already invoked we have no way to stop it, 226 * but it will call us back right away (there are no DLC's) so 227 * not to worry. 228 */ 229 callout_stop(&rs->rs_timeout); 230 if (callout_active(&rs->rs_timeout)) 231 return; 232 233 /* 234 * Take care that rfcomm_session_disconnected() doesnt call 235 * us back either as it will do if the l2cap_channel has not 236 * been closed when we detach it.. 237 */ 238 if (rs->rs_flags & RFCOMM_SESSION_FREE) 239 return; 240 241 rs->rs_flags |= RFCOMM_SESSION_FREE; 242 243 /* throw away any remaining credit notes */ 244 while ((credit = STAILQ_FIRST(&rs->rs_credits)) != NULL) { 245 STAILQ_REMOVE_HEAD(&rs->rs_credits, rc_next); 246 pool_put(&rfcomm_credit_pool, credit); 247 } 248 249 KKASSERT(STAILQ_EMPTY(&rs->rs_credits)); 250 251 /* Goodbye! */ 252 LIST_REMOVE(rs, rs_next); 253 l2cap_detach(&rs->rs_l2cap); 254 kfree(rs, M_BLUETOOTH); 255 } 256 257 /* 258 * rfcomm_session_lookup(sockaddr, sockaddr) 259 * 260 * Find active rfcomm session matching src and dest addresses 261 * when src is BDADDR_ANY match any local address 262 */ 263 struct rfcomm_session * 264 rfcomm_session_lookup(struct sockaddr_bt *src, struct sockaddr_bt *dest) 265 { 266 struct rfcomm_session *rs; 267 struct sockaddr_bt addr; 268 269 LIST_FOREACH(rs, &rfcomm_session_active, rs_next) { 270 if (rs->rs_state == RFCOMM_SESSION_CLOSED) 271 continue; 272 273 l2cap_sockaddr(rs->rs_l2cap, &addr); 274 275 if (bdaddr_same(&src->bt_bdaddr, &addr.bt_bdaddr) == 0) 276 if (bdaddr_any(&src->bt_bdaddr) == 0) 277 continue; 278 279 l2cap_peeraddr(rs->rs_l2cap, &addr); 280 281 if (addr.bt_psm != dest->bt_psm) 282 continue; 283 284 if (bdaddr_same(&dest->bt_bdaddr, &addr.bt_bdaddr)) 285 break; 286 } 287 288 return rs; 289 } 290 291 /* 292 * rfcomm_session_timeout(rfcomm_session) 293 * 294 * Session timeouts are scheduled when a session is left or 295 * created with no DLCs, and when SABM(0) or DISC(0) are 296 * sent. 297 * 298 * So, if it is in an open state with DLC's attached then 299 * we leave it alone, otherwise the session is lost. 300 */ 301 void 302 rfcomm_session_timeout(void *arg) 303 { 304 struct rfcomm_session *rs = arg; 305 struct rfcomm_dlc *dlc; 306 307 KKASSERT(rs != NULL); 308 309 crit_enter(); 310 311 if (rs->rs_state != RFCOMM_SESSION_OPEN) { 312 DPRINTF("timeout\n"); 313 rs->rs_state = RFCOMM_SESSION_CLOSED; 314 315 while (!LIST_EMPTY(&rs->rs_dlcs)) { 316 dlc = LIST_FIRST(&rs->rs_dlcs); 317 318 rfcomm_dlc_close(dlc, ETIMEDOUT); 319 } 320 } 321 322 if (LIST_EMPTY(&rs->rs_dlcs)) { 323 DPRINTF("expiring\n"); 324 rfcomm_session_free(rs); 325 } 326 crit_exit(); 327 } 328 329 /*********************************************************************** 330 * 331 * RFCOMM Session L2CAP protocol callbacks 332 * 333 */ 334 335 static void 336 rfcomm_session_connecting(void *arg) 337 { 338 /* struct rfcomm_session *rs = arg; */ 339 340 DPRINTF("Connecting\n"); 341 } 342 343 static void 344 rfcomm_session_connected(void *arg) 345 { 346 struct rfcomm_session *rs = arg; 347 348 DPRINTF("Connected\n"); 349 350 /* 351 * L2CAP is open. 352 * 353 * If we are initiator, we can send our SABM(0) 354 * a timeout should be active? 355 * 356 * We must take note of the L2CAP MTU because currently 357 * the L2CAP implementation can only do Basic Mode. 358 */ 359 l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu); 360 361 rs->rs_mtu -= 6; /* (RFCOMM overhead could be this big) */ 362 if (rs->rs_mtu < RFCOMM_MTU_MIN) { 363 rfcomm_session_disconnected(rs, EINVAL); 364 return; 365 } 366 367 if (IS_INITIATOR(rs)) { 368 int err; 369 370 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, 0); 371 if (err) 372 rfcomm_session_disconnected(rs, err); 373 374 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout * hz, 375 rfcomm_session_timeout, rs); 376 } 377 } 378 379 static void 380 rfcomm_session_disconnected(void *arg, int err) 381 { 382 struct rfcomm_session *rs = arg; 383 struct rfcomm_dlc *dlc; 384 385 DPRINTF("Disconnected\n"); 386 387 rs->rs_state = RFCOMM_SESSION_CLOSED; 388 389 while (!LIST_EMPTY(&rs->rs_dlcs)) { 390 dlc = LIST_FIRST(&rs->rs_dlcs); 391 392 rfcomm_dlc_close(dlc, err); 393 } 394 395 rfcomm_session_free(rs); 396 } 397 398 static void * 399 rfcomm_session_newconn(void *arg, struct sockaddr_bt *laddr, 400 struct sockaddr_bt *raddr) 401 { 402 struct rfcomm_session *new, *rs = arg; 403 404 DPRINTF("New Connection\n"); 405 406 /* 407 * Incoming session connect request. We should return a new 408 * session pointer if this is acceptable. The L2CAP layer 409 * passes local and remote addresses, which we must check as 410 * only one RFCOMM session is allowed between any two devices 411 */ 412 new = rfcomm_session_lookup(laddr, raddr); 413 if (new != NULL) 414 return NULL; 415 416 new = rfcomm_session_alloc(&rfcomm_session_active, laddr); 417 if (new == NULL) 418 return NULL; 419 420 new->rs_mtu = rs->rs_mtu; 421 new->rs_state = RFCOMM_SESSION_WAIT_CONNECT; 422 423 /* 424 * schedule an expiry so that if nothing comes of it we 425 * can punt. 426 */ 427 callout_reset(&rs->rs_timeout, rfcomm_mcc_timeout * hz, 428 rfcomm_session_timeout, rs); 429 430 return new->rs_l2cap; 431 } 432 433 static void 434 rfcomm_session_complete(void *arg, int count) 435 { 436 struct rfcomm_session *rs = arg; 437 struct rfcomm_credit *credit; 438 struct rfcomm_dlc *dlc; 439 440 /* 441 * count L2CAP packets are 'complete', meaning that they are cleared 442 * our buffers (for best effort) or arrived safe (for guaranteed) so 443 * we can take it off our list and pass the message on, so that 444 * eventually the data can be removed from the sockbuf 445 */ 446 while (count-- > 0) { 447 credit = STAILQ_FIRST(&rs->rs_credits); 448 #ifdef DIAGNOSTIC 449 if (credit == NULL) { 450 kprintf("%s: too many packets completed!\n", __func__); 451 break; 452 } 453 #endif 454 dlc = credit->rc_dlc; 455 if (dlc != NULL) { 456 dlc->rd_pending--; 457 (*dlc->rd_proto->complete) 458 (dlc->rd_upper, credit->rc_len); 459 460 /* 461 * if not using credit flow control, we may push 462 * more data now 463 */ 464 if ((rs->rs_flags & RFCOMM_SESSION_CFC) == 0 465 && dlc->rd_state == RFCOMM_DLC_OPEN) { 466 rfcomm_dlc_start(dlc); 467 } 468 469 /* 470 * When shutdown is indicated, we are just waiting to 471 * clear outgoing data. 472 */ 473 if ((dlc->rd_flags & RFCOMM_DLC_SHUTDOWN) 474 && dlc->rd_txbuf == NULL && dlc->rd_pending == 0) { 475 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT; 476 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 477 dlc->rd_dlci); 478 callout_reset(&dlc->rd_timeout, 479 rfcomm_ack_timeout * hz, 480 rfcomm_dlc_timeout, dlc); 481 } 482 } 483 484 STAILQ_REMOVE_HEAD(&rs->rs_credits, rc_next); 485 pool_put(&rfcomm_credit_pool, credit); 486 } 487 488 /* 489 * If session is closed, we are just waiting to clear the queue 490 */ 491 if (rs->rs_state == RFCOMM_SESSION_CLOSED) { 492 if (STAILQ_EMPTY(&rs->rs_credits)) 493 l2cap_disconnect(rs->rs_l2cap, 0); 494 } 495 } 496 497 /* 498 * Link Mode changed 499 * 500 * This is called when a mode change is complete. Proceed with connections 501 * where appropriate, or pass the new mode to any active DLCs. 502 */ 503 static void 504 rfcomm_session_linkmode(void *arg, int new) 505 { 506 struct rfcomm_session *rs = arg; 507 struct rfcomm_dlc *dlc, *next; 508 int err, mode = 0; 509 510 DPRINTF("auth %s, encrypt %s, secure %s\n", 511 (new & L2CAP_LM_AUTH ? "on" : "off"), 512 (new & L2CAP_LM_ENCRYPT ? "on" : "off"), 513 (new & L2CAP_LM_SECURE ? "on" : "off")); 514 515 if (new & L2CAP_LM_AUTH) 516 mode |= RFCOMM_LM_AUTH; 517 518 if (new & L2CAP_LM_ENCRYPT) 519 mode |= RFCOMM_LM_ENCRYPT; 520 521 if (new & L2CAP_LM_SECURE) 522 mode |= RFCOMM_LM_SECURE; 523 524 next = LIST_FIRST(&rs->rs_dlcs); 525 while ((dlc = next) != NULL) { 526 next = LIST_NEXT(dlc, rd_next); 527 528 switch (dlc->rd_state) { 529 case RFCOMM_DLC_WAIT_SEND_SABM: /* we are connecting */ 530 if ((mode & dlc->rd_mode) != dlc->rd_mode) { 531 rfcomm_dlc_close(dlc, ECONNABORTED); 532 } else { 533 err = rfcomm_session_send_frame(rs, 534 RFCOMM_FRAME_SABM, dlc->rd_dlci); 535 if (err) { 536 rfcomm_dlc_close(dlc, err); 537 } else { 538 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA; 539 callout_reset(&dlc->rd_timeout, 540 rfcomm_ack_timeout * hz, 541 rfcomm_dlc_timeout, dlc); 542 543 break; 544 } 545 } 546 547 /* 548 * If we aborted the connection and there are no more DLCs 549 * on the session, it is our responsibility to disconnect. 550 */ 551 if (!LIST_EMPTY(&rs->rs_dlcs)) 552 break; 553 554 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT; 555 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0); 556 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout * hz, 557 rfcomm_session_timeout, rs); 558 break; 559 560 case RFCOMM_DLC_WAIT_SEND_UA: /* they are connecting */ 561 if ((mode & dlc->rd_mode) != dlc->rd_mode) { 562 rfcomm_session_send_frame(rs, 563 RFCOMM_FRAME_DM, dlc->rd_dlci); 564 rfcomm_dlc_close(dlc, ECONNABORTED); 565 break; 566 } 567 568 err = rfcomm_session_send_frame(rs, 569 RFCOMM_FRAME_UA, dlc->rd_dlci); 570 if (err) { 571 rfcomm_session_send_frame(rs, 572 RFCOMM_FRAME_DM, dlc->rd_dlci); 573 rfcomm_dlc_close(dlc, err); 574 break; 575 } 576 577 err = rfcomm_dlc_open(dlc); 578 if (err) { 579 rfcomm_session_send_frame(rs, 580 RFCOMM_FRAME_DM, dlc->rd_dlci); 581 rfcomm_dlc_close(dlc, err); 582 break; 583 } 584 585 break; 586 587 case RFCOMM_DLC_WAIT_RECV_UA: 588 case RFCOMM_DLC_OPEN: /* already established */ 589 (*dlc->rd_proto->linkmode)(dlc->rd_upper, mode); 590 break; 591 592 default: 593 break; 594 } 595 } 596 } 597 598 /* 599 * Receive data from L2CAP layer for session. There is always exactly one 600 * RFCOMM frame contained in each L2CAP frame. 601 */ 602 static void 603 rfcomm_session_input(void *arg, struct mbuf *m) 604 { 605 struct rfcomm_session *rs = arg; 606 int dlci, len, type, pf; 607 uint8_t fcs, b; 608 609 KKASSERT(m != NULL); 610 KKASSERT(rs != NULL); 611 612 /* 613 * UIH frames: FCS is only calculated on address and control fields 614 * For other frames: FCS is calculated on address, control and length 615 * Length may extend to two octets 616 */ 617 fcs = 0xff; 618 619 if (m->m_pkthdr.len < 4) { 620 DPRINTF("short frame (%d), discarded\n", m->m_pkthdr.len); 621 goto done; 622 } 623 624 /* address - one octet */ 625 m_copydata(m, 0, 1, &b); 626 m_adj(m, 1); 627 fcs = FCS(fcs, b); 628 dlci = RFCOMM_DLCI(b); 629 630 /* control - one octet */ 631 m_copydata(m, 0, 1, &b); 632 m_adj(m, 1); 633 fcs = FCS(fcs, b); 634 type = RFCOMM_TYPE(b); 635 pf = RFCOMM_PF(b); 636 637 /* length - may be two octets */ 638 m_copydata(m, 0, 1, &b); 639 m_adj(m, 1); 640 if (type != RFCOMM_FRAME_UIH) 641 fcs = FCS(fcs, b); 642 len = (b >> 1) & 0x7f; 643 644 if (RFCOMM_EA(b) == 0) { 645 if (m->m_pkthdr.len < 2) { 646 DPRINTF("short frame (%d, EA = 0), discarded\n", 647 m->m_pkthdr.len); 648 goto done; 649 } 650 651 m_copydata(m, 0, 1, &b); 652 m_adj(m, 1); 653 if (type != RFCOMM_FRAME_UIH) 654 fcs = FCS(fcs, b); 655 656 len |= (b << 7); 657 } 658 659 /* FCS byte is last octet in frame */ 660 m_copydata(m, m->m_pkthdr.len - 1, 1, &b); 661 m_adj(m, -1); 662 fcs = FCS(fcs, b); 663 664 if (fcs != 0xcf) { 665 DPRINTF("Bad FCS value (%#2.2x), frame discarded\n", fcs); 666 goto done; 667 } 668 669 DPRINTFN(10, "dlci %d, type %2.2x, len = %d\n", dlci, type, len); 670 671 switch (type) { 672 case RFCOMM_FRAME_SABM: 673 if (pf) 674 rfcomm_session_recv_sabm(rs, dlci); 675 break; 676 677 case RFCOMM_FRAME_DISC: 678 if (pf) 679 rfcomm_session_recv_disc(rs, dlci); 680 break; 681 682 case RFCOMM_FRAME_UA: 683 if (pf) 684 rfcomm_session_recv_ua(rs, dlci); 685 break; 686 687 case RFCOMM_FRAME_DM: 688 rfcomm_session_recv_dm(rs, dlci); 689 break; 690 691 case RFCOMM_FRAME_UIH: 692 rfcomm_session_recv_uih(rs, dlci, pf, m, len); 693 return; /* (no release) */ 694 695 default: 696 UNKNOWN(type); 697 break; 698 } 699 700 done: 701 m_freem(m); 702 } 703 704 /*********************************************************************** 705 * 706 * RFCOMM Session receive processing 707 */ 708 709 /* 710 * rfcomm_session_recv_sabm(rfcomm_session, dlci) 711 * 712 * Set Asyncrhonous Balanced Mode - open the channel. 713 */ 714 static void 715 rfcomm_session_recv_sabm(struct rfcomm_session *rs, int dlci) 716 { 717 struct rfcomm_dlc *dlc; 718 int err; 719 720 DPRINTFN(5, "SABM(%d)\n", dlci); 721 722 if (dlci == 0) { /* Open Session */ 723 rs->rs_state = RFCOMM_SESSION_OPEN; 724 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0); 725 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) { 726 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION) 727 rfcomm_dlc_connect(dlc); 728 } 729 return; 730 } 731 732 if (rs->rs_state != RFCOMM_SESSION_OPEN) { 733 DPRINTF("session was not even open!\n"); 734 return; 735 } 736 737 /* validate direction bit */ 738 if ((IS_INITIATOR(rs) && !RFCOMM_DIRECTION(dlci)) 739 || (!IS_INITIATOR(rs) && RFCOMM_DIRECTION(dlci))) { 740 DPRINTF("Invalid direction bit on DLCI\n"); 741 return; 742 } 743 744 /* 745 * look for our DLC - this may exist if we received PN 746 * already, or we may have to fabricate a new one. 747 */ 748 dlc = rfcomm_dlc_lookup(rs, dlci); 749 if (dlc == NULL) { 750 dlc = rfcomm_dlc_newconn(rs, dlci); 751 if (dlc == NULL) 752 return; /* (DM is sent) */ 753 } 754 755 /* 756 * ..but if this DLC is not waiting to connect, they did 757 * something wrong, ignore it. 758 */ 759 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT) 760 return; 761 762 /* set link mode */ 763 err = rfcomm_dlc_setmode(dlc); 764 if (err == EINPROGRESS) { 765 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_UA; 766 (*dlc->rd_proto->connecting)(dlc->rd_upper); 767 return; 768 } 769 if (err) 770 goto close; 771 772 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci); 773 if (err) 774 goto close; 775 776 /* and mark it open */ 777 err = rfcomm_dlc_open(dlc); 778 if (err) 779 goto close; 780 781 return; 782 783 close: 784 rfcomm_dlc_close(dlc, err); 785 } 786 787 /* 788 * Receive Disconnect Command 789 */ 790 static void 791 rfcomm_session_recv_disc(struct rfcomm_session *rs, int dlci) 792 { 793 struct rfcomm_dlc *dlc; 794 795 DPRINTFN(5, "DISC(%d)\n", dlci); 796 797 if (dlci == 0) { 798 /* 799 * Disconnect Session 800 * 801 * We set the session state to CLOSED so that when 802 * the UA frame is clear the session will be closed 803 * automatically. We wont bother to close any DLC's 804 * just yet as there should be none. In the unlikely 805 * event that something is left, it will get flushed 806 * out as the session goes down. 807 */ 808 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0); 809 rs->rs_state = RFCOMM_SESSION_CLOSED; 810 return; 811 } 812 813 dlc = rfcomm_dlc_lookup(rs, dlci); 814 if (dlc == NULL) { 815 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci); 816 return; 817 } 818 819 rfcomm_dlc_close(dlc, ECONNRESET); 820 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci); 821 } 822 823 /* 824 * Receive Unnumbered Acknowledgement Response 825 * 826 * This should be a response to a DISC or SABM frame that we 827 * have previously sent. If unexpected, ignore it. 828 */ 829 static void 830 rfcomm_session_recv_ua(struct rfcomm_session *rs, int dlci) 831 { 832 struct rfcomm_dlc *dlc; 833 834 DPRINTFN(5, "UA(%d)\n", dlci); 835 836 if (dlci == 0) { 837 switch (rs->rs_state) { 838 case RFCOMM_SESSION_WAIT_CONNECT: /* We sent SABM */ 839 callout_stop(&rs->rs_timeout); 840 rs->rs_state = RFCOMM_SESSION_OPEN; 841 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) { 842 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION) 843 rfcomm_dlc_connect(dlc); 844 } 845 break; 846 847 case RFCOMM_SESSION_WAIT_DISCONNECT: /* We sent DISC */ 848 callout_stop(&rs->rs_timeout); 849 rs->rs_state = RFCOMM_SESSION_CLOSED; 850 l2cap_disconnect(rs->rs_l2cap, 0); 851 break; 852 853 default: 854 DPRINTF("Received spurious UA(0)!\n"); 855 break; 856 } 857 858 return; 859 } 860 861 /* 862 * If we have no DLC on this dlci, we may have aborted 863 * without shutting down properly, so check if the session 864 * needs disconnecting. 865 */ 866 dlc = rfcomm_dlc_lookup(rs, dlci); 867 if (dlc == NULL) 868 goto check; 869 870 switch (dlc->rd_state) { 871 case RFCOMM_DLC_WAIT_RECV_UA: /* We sent SABM */ 872 rfcomm_dlc_open(dlc); 873 return; 874 875 case RFCOMM_DLC_WAIT_DISCONNECT: /* We sent DISC */ 876 rfcomm_dlc_close(dlc, 0); 877 break; 878 879 default: 880 DPRINTF("Received spurious UA(%d)!\n", dlci); 881 return; 882 } 883 884 check: /* last one out turns out the light */ 885 if (LIST_EMPTY(&rs->rs_dlcs)) { 886 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT; 887 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0); 888 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout*hz,rfcomm_session_timeout,rs); 889 } 890 } 891 892 /* 893 * Receive Disconnected Mode Response 894 * 895 * If this does not apply to a known DLC then we may ignore it. 896 */ 897 static void 898 rfcomm_session_recv_dm(struct rfcomm_session *rs, int dlci) 899 { 900 struct rfcomm_dlc *dlc; 901 902 DPRINTFN(5, "DM(%d)\n", dlci); 903 904 dlc = rfcomm_dlc_lookup(rs, dlci); 905 if (dlc == NULL) 906 return; 907 908 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT) 909 rfcomm_dlc_close(dlc, ECONNREFUSED); 910 else 911 rfcomm_dlc_close(dlc, ECONNRESET); 912 } 913 914 /* 915 * Receive Unnumbered Information with Header check (MCC or data packet) 916 */ 917 static void 918 rfcomm_session_recv_uih(struct rfcomm_session *rs, int dlci, 919 int pf, struct mbuf *m, int len) 920 { 921 struct rfcomm_dlc *dlc; 922 uint8_t credits = 0; 923 924 DPRINTFN(10, "UIH(%d)\n", dlci); 925 926 if (dlci == 0) { 927 rfcomm_session_recv_mcc(rs, m); 928 return; 929 } 930 931 if (m->m_pkthdr.len != len + pf) { 932 DPRINTF("Bad Frame Length (%d), frame discarded\n", 933 m->m_pkthdr.len); 934 935 goto discard; 936 } 937 938 dlc = rfcomm_dlc_lookup(rs, dlci); 939 if (dlc == NULL) { 940 DPRINTF("UIH received for non existent DLC, discarded\n"); 941 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci); 942 goto discard; 943 } 944 945 if (dlc->rd_state != RFCOMM_DLC_OPEN) { 946 DPRINTF("non-open DLC (state = %d), discarded\n", 947 dlc->rd_state); 948 goto discard; 949 } 950 951 /* if PF is set, credits were included */ 952 if (rs->rs_flags & RFCOMM_SESSION_CFC) { 953 if (pf != 0) { 954 if (m->m_pkthdr.len < sizeof(credits)) { 955 DPRINTF("Bad PF value, UIH discarded\n"); 956 goto discard; 957 } 958 959 m_copydata(m, 0, sizeof(credits), &credits); 960 m_adj(m, sizeof(credits)); 961 962 dlc->rd_txcred += credits; 963 964 if (credits > 0 && dlc->rd_txbuf != NULL) 965 rfcomm_dlc_start(dlc); 966 } 967 968 if (len == 0) 969 goto discard; 970 971 if (dlc->rd_rxcred == 0) { 972 DPRINTF("Credit limit reached, UIH discarded\n"); 973 goto discard; 974 } 975 976 if (len > dlc->rd_rxsize) { 977 DPRINTF("UIH frame exceeds rxsize, discarded\n"); 978 goto discard; 979 } 980 981 dlc->rd_rxcred--; 982 dlc->rd_rxsize -= len; 983 } 984 985 (*dlc->rd_proto->input)(dlc->rd_upper, m); 986 return; 987 988 discard: 989 m_freem(m); 990 } 991 992 /* 993 * Receive Multiplexer Control Command 994 */ 995 static void 996 rfcomm_session_recv_mcc(struct rfcomm_session *rs, struct mbuf *m) 997 { 998 int type, cr, len; 999 uint8_t b; 1000 1001 /* 1002 * Extract MCC header. 1003 * 1004 * Fields are variable length using extension bit = 1 to signify the 1005 * last octet in the sequence. 1006 * 1007 * Only single octet types are defined in TS 07.10/RFCOMM spec 1008 * 1009 * Length can realistically only use 15 bits (max RFCOMM MTU) 1010 */ 1011 if (m->m_pkthdr.len < sizeof(b)) { 1012 DPRINTF("Short MCC header, discarded\n"); 1013 goto release; 1014 } 1015 1016 m_copydata(m, 0, sizeof(b), &b); 1017 m_adj(m, sizeof(b)); 1018 1019 if (RFCOMM_EA(b) == 0) { /* verify no extensions */ 1020 DPRINTF("MCC type EA = 0, discarded\n"); 1021 goto release; 1022 } 1023 1024 type = RFCOMM_MCC_TYPE(b); 1025 cr = RFCOMM_CR(b); 1026 1027 len = 0; 1028 do { 1029 if (m->m_pkthdr.len < sizeof(b)) { 1030 DPRINTF("Short MCC header, discarded\n"); 1031 goto release; 1032 } 1033 1034 m_copydata(m, 0, sizeof(b), &b); 1035 m_adj(m, sizeof(b)); 1036 1037 len = (len << 7) | (b >> 1); 1038 len = min(len, RFCOMM_MTU_MAX); 1039 } while (RFCOMM_EA(b) == 0); 1040 1041 if (len != m->m_pkthdr.len) { 1042 DPRINTF("Incorrect MCC length, discarded\n"); 1043 goto release; 1044 } 1045 1046 DPRINTFN(2, "MCC %s type %2.2x (%d bytes)\n", 1047 (cr ? "command" : "response"), type, len); 1048 1049 /* 1050 * pass to command handler 1051 */ 1052 switch(type) { 1053 case RFCOMM_MCC_TEST: /* Test */ 1054 rfcomm_session_recv_mcc_test(rs, cr, m); 1055 break; 1056 1057 case RFCOMM_MCC_FCON: /* Flow Control On */ 1058 rfcomm_session_recv_mcc_fcon(rs, cr); 1059 break; 1060 1061 case RFCOMM_MCC_FCOFF: /* Flow Control Off */ 1062 rfcomm_session_recv_mcc_fcoff(rs, cr); 1063 break; 1064 1065 case RFCOMM_MCC_MSC: /* Modem Status Command */ 1066 rfcomm_session_recv_mcc_msc(rs, cr, m); 1067 break; 1068 1069 case RFCOMM_MCC_RPN: /* Remote Port Negotiation */ 1070 rfcomm_session_recv_mcc_rpn(rs, cr, m); 1071 break; 1072 1073 case RFCOMM_MCC_RLS: /* Remote Line Status */ 1074 rfcomm_session_recv_mcc_rls(rs, cr, m); 1075 break; 1076 1077 case RFCOMM_MCC_PN: /* Parameter Negotiation */ 1078 rfcomm_session_recv_mcc_pn(rs, cr, m); 1079 break; 1080 1081 case RFCOMM_MCC_NSC: /* Non Supported Command */ 1082 rfcomm_session_recv_mcc_nsc(rs, cr, m); 1083 break; 1084 1085 default: 1086 b = RFCOMM_MKMCC_TYPE(cr, type); 1087 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_NSC, &b, sizeof(b)); 1088 } 1089 1090 release: 1091 m_freem(m); 1092 } 1093 1094 /* 1095 * process TEST command/response 1096 */ 1097 static void 1098 rfcomm_session_recv_mcc_test(struct rfcomm_session *rs, int cr, struct mbuf *m) 1099 { 1100 void *data; 1101 int len; 1102 1103 if (cr == 0) /* ignore ack */ 1104 return; 1105 1106 /* 1107 * we must send all the data they included back as is 1108 */ 1109 1110 len = m->m_pkthdr.len; 1111 if (len > RFCOMM_MTU_MAX) 1112 return; 1113 1114 data = kmalloc(len, M_BLUETOOTH, M_NOWAIT); 1115 if (data == NULL) 1116 return; 1117 1118 m_copydata(m, 0, len, data); 1119 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_TEST, data, len); 1120 kfree(data, M_BLUETOOTH); 1121 } 1122 1123 /* 1124 * process Flow Control ON command/response 1125 */ 1126 static void 1127 rfcomm_session_recv_mcc_fcon(struct rfcomm_session *rs, int cr) 1128 { 1129 1130 if (cr == 0) /* ignore ack */ 1131 return; 1132 1133 rs->rs_flags |= RFCOMM_SESSION_RFC; 1134 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCON, NULL, 0); 1135 } 1136 1137 /* 1138 * process Flow Control OFF command/response 1139 */ 1140 static void 1141 rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *rs, int cr) 1142 { 1143 if (cr == 0) /* ignore ack */ 1144 return; 1145 1146 rs->rs_flags &= ~RFCOMM_SESSION_RFC; 1147 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCOFF, NULL, 0); 1148 } 1149 1150 /* 1151 * process Modem Status Command command/response 1152 */ 1153 static void 1154 rfcomm_session_recv_mcc_msc(struct rfcomm_session *rs, int cr, struct mbuf *m) 1155 { 1156 struct rfcomm_mcc_msc msc; /* (3 octets) */ 1157 struct rfcomm_dlc *dlc; 1158 int len = 0; 1159 1160 /* [ADDRESS] */ 1161 if (m->m_pkthdr.len < sizeof(msc.address)) 1162 return; 1163 1164 m_copydata(m, 0, sizeof(msc.address), &msc.address); 1165 m_adj(m, sizeof(msc.address)); 1166 len += sizeof(msc.address); 1167 1168 dlc = rfcomm_dlc_lookup(rs, RFCOMM_DLCI(msc.address)); 1169 1170 if (cr == 0) { /* ignore acks */ 1171 if (dlc != NULL) 1172 callout_stop(&dlc->rd_timeout); 1173 1174 return; 1175 } 1176 1177 if (dlc == NULL) { 1178 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, 1179 RFCOMM_DLCI(msc.address)); 1180 return; 1181 } 1182 1183 /* [SIGNALS] */ 1184 if (m->m_pkthdr.len < sizeof(msc.modem)) 1185 return; 1186 1187 m_copydata(m, 0, sizeof(msc.modem), &msc.modem); 1188 m_adj(m, sizeof(msc.modem)); 1189 len += sizeof(msc.modem); 1190 1191 dlc->rd_rmodem = msc.modem; 1192 /* XXX how do we signal this upstream? */ 1193 1194 if (RFCOMM_EA(msc.modem) == 0) { 1195 if (m->m_pkthdr.len < sizeof(msc.brk)) 1196 return; 1197 1198 m_copydata(m, 0, sizeof(msc.brk), &msc.brk); 1199 m_adj(m, sizeof(msc.brk)); 1200 len += sizeof(msc.brk); 1201 1202 /* XXX how do we signal this upstream? */ 1203 } 1204 1205 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_MSC, &msc, len); 1206 } 1207 1208 /* 1209 * process Remote Port Negotiation command/response 1210 */ 1211 static void 1212 rfcomm_session_recv_mcc_rpn(struct rfcomm_session *rs, int cr, struct mbuf *m) 1213 { 1214 struct rfcomm_mcc_rpn rpn; 1215 uint16_t mask; 1216 1217 if (cr == 0) /* ignore ack */ 1218 return; 1219 1220 /* default values */ 1221 rpn.bit_rate = RFCOMM_RPN_BR_9600; 1222 rpn.line_settings = RFCOMM_RPN_8_N_1; 1223 rpn.flow_control = RFCOMM_RPN_FLOW_NONE; 1224 rpn.xon_char = RFCOMM_RPN_XON_CHAR; 1225 rpn.xoff_char = RFCOMM_RPN_XOFF_CHAR; 1226 1227 if (m->m_pkthdr.len == sizeof(rpn)) { 1228 m_copydata(m, 0, sizeof(rpn), (caddr_t)&rpn); 1229 rpn.param_mask = RFCOMM_RPN_PM_ALL; 1230 } else if (m->m_pkthdr.len == 1) { 1231 m_copydata(m, 0, 1, (caddr_t)&rpn); 1232 rpn.param_mask = letoh16(rpn.param_mask); 1233 } else { 1234 DPRINTF("Bad RPN length (%d)\n", m->m_pkthdr.len); 1235 return; 1236 } 1237 1238 mask = 0; 1239 1240 if (rpn.param_mask & RFCOMM_RPN_PM_RATE) 1241 mask |= RFCOMM_RPN_PM_RATE; 1242 1243 if (rpn.param_mask & RFCOMM_RPN_PM_DATA 1244 && RFCOMM_RPN_DATA_BITS(rpn.line_settings) == RFCOMM_RPN_DATA_8) 1245 mask |= RFCOMM_RPN_PM_DATA; 1246 1247 if (rpn.param_mask & RFCOMM_RPN_PM_STOP 1248 && RFCOMM_RPN_STOP_BITS(rpn.line_settings) == RFCOMM_RPN_STOP_1) 1249 mask |= RFCOMM_RPN_PM_STOP; 1250 1251 if (rpn.param_mask & RFCOMM_RPN_PM_PARITY 1252 && RFCOMM_RPN_PARITY(rpn.line_settings) == RFCOMM_RPN_PARITY_NONE) 1253 mask |= RFCOMM_RPN_PM_PARITY; 1254 1255 if (rpn.param_mask & RFCOMM_RPN_PM_XON 1256 && rpn.xon_char == RFCOMM_RPN_XON_CHAR) 1257 mask |= RFCOMM_RPN_PM_XON; 1258 1259 if (rpn.param_mask & RFCOMM_RPN_PM_XOFF 1260 && rpn.xoff_char == RFCOMM_RPN_XOFF_CHAR) 1261 mask |= RFCOMM_RPN_PM_XOFF; 1262 1263 if (rpn.param_mask & RFCOMM_RPN_PM_FLOW 1264 && rpn.flow_control == RFCOMM_RPN_FLOW_NONE) 1265 mask |= RFCOMM_RPN_PM_FLOW; 1266 1267 rpn.param_mask = htole16(mask); 1268 1269 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RPN, &rpn, sizeof(rpn)); 1270 } 1271 1272 /* 1273 * process Remote Line Status command/response 1274 */ 1275 static void 1276 rfcomm_session_recv_mcc_rls(struct rfcomm_session *rs, int cr, struct mbuf *m) 1277 { 1278 struct rfcomm_mcc_rls rls; 1279 1280 if (cr == 0) /* ignore ack */ 1281 return; 1282 1283 if (m->m_pkthdr.len != sizeof(rls)) { 1284 DPRINTF("Bad RLS length %d\n", m->m_pkthdr.len); 1285 return; 1286 } 1287 1288 m_copydata(m, 0, sizeof(rls), (caddr_t)&rls); 1289 1290 /* 1291 * So far as I can tell, we just send back what 1292 * they sent us. This signifies errors that seem 1293 * irrelevent for RFCOMM over L2CAP. 1294 */ 1295 rls.address |= 0x03; /* EA = 1, CR = 1 */ 1296 rls.status &= 0x0f; /* only 4 bits valid */ 1297 1298 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RLS, &rls, sizeof(rls)); 1299 } 1300 1301 /* 1302 * process Parameter Negotiation command/response 1303 */ 1304 static void 1305 rfcomm_session_recv_mcc_pn(struct rfcomm_session *rs, int cr, struct mbuf *m) 1306 { 1307 struct rfcomm_dlc *dlc; 1308 struct rfcomm_mcc_pn pn; 1309 int err; 1310 1311 if (m->m_pkthdr.len != sizeof(pn)) { 1312 DPRINTF("Bad PN length %d\n", m->m_pkthdr.len); 1313 return; 1314 } 1315 1316 m_copydata(m, 0, sizeof(pn), (caddr_t)&pn); 1317 1318 pn.dlci &= 0x3f; 1319 pn.mtu = letoh16(pn.mtu); 1320 1321 dlc = rfcomm_dlc_lookup(rs, pn.dlci); 1322 if (cr) { /* Command */ 1323 /* 1324 * If there is no DLC present, this is a new 1325 * connection so attempt to make one 1326 */ 1327 if (dlc == NULL) { 1328 dlc = rfcomm_dlc_newconn(rs, pn.dlci); 1329 if (dlc == NULL) 1330 return; /* (DM is sent) */ 1331 } 1332 1333 /* accept any valid MTU, and offer it back */ 1334 pn.mtu = min(pn.mtu, RFCOMM_MTU_MAX); 1335 pn.mtu = min(pn.mtu, rs->rs_mtu); 1336 pn.mtu = max(pn.mtu, RFCOMM_MTU_MIN); 1337 dlc->rd_mtu = pn.mtu; 1338 pn.mtu = htole16(pn.mtu); 1339 1340 /* credits are only set before DLC is open */ 1341 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT 1342 && (pn.flow_control & 0xf0) == 0xf0) { 1343 rs->rs_flags |= RFCOMM_SESSION_CFC; 1344 dlc->rd_txcred = pn.credits & 0x07; 1345 1346 dlc->rd_rxcred = (dlc->rd_rxsize / dlc->rd_mtu); 1347 dlc->rd_rxcred = min(dlc->rd_rxcred, 1348 RFCOMM_CREDITS_DEFAULT); 1349 1350 pn.flow_control = 0xe0; 1351 pn.credits = dlc->rd_rxcred; 1352 } else { 1353 pn.flow_control = 0x00; 1354 pn.credits = 0x00; 1355 } 1356 1357 /* unused fields must be ignored and set to zero */ 1358 pn.ack_timer = 0; 1359 pn.max_retrans = 0; 1360 1361 /* send our response */ 1362 err = rfcomm_session_send_mcc(rs, 0, 1363 RFCOMM_MCC_PN, &pn, sizeof(pn)); 1364 if (err) 1365 goto close; 1366 1367 } else { /* Response */ 1368 /* ignore responses with no matching DLC */ 1369 if (dlc == NULL) 1370 return; 1371 1372 callout_stop(&dlc->rd_timeout); 1373 1374 if (pn.mtu > RFCOMM_MTU_MAX || pn.mtu > dlc->rd_mtu) { 1375 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT; 1376 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 1377 pn.dlci); 1378 if (err) 1379 goto close; 1380 1381 callout_reset(&dlc->rd_timeout, rfcomm_ack_timeout * hz, 1382 rfcomm_dlc_timeout, dlc); 1383 return; 1384 } 1385 dlc->rd_mtu = pn.mtu; 1386 1387 /* if DLC is not waiting to connect, we are done */ 1388 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT) 1389 return; 1390 1391 /* set initial credits according to RFCOMM spec */ 1392 if ((pn.flow_control & 0xf0) == 0xe0) { 1393 rs->rs_flags |= RFCOMM_SESSION_CFC; 1394 dlc->rd_txcred = (pn.credits & 0x07); 1395 } 1396 1397 callout_reset(&dlc->rd_timeout, rfcomm_ack_timeout * hz, 1398 rfcomm_dlc_timeout, dlc); 1399 1400 /* set link mode */ 1401 err = rfcomm_dlc_setmode(dlc); 1402 if (err == EINPROGRESS) { 1403 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_SABM; 1404 (*dlc->rd_proto->connecting)(dlc->rd_upper); 1405 return; 1406 } 1407 if (err) 1408 goto close; 1409 1410 /* we can proceed now */ 1411 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, pn.dlci); 1412 if (err) 1413 goto close; 1414 1415 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA; 1416 } 1417 return; 1418 1419 close: 1420 rfcomm_dlc_close(dlc, err); 1421 } 1422 1423 /* 1424 * process Non Supported Command command/response 1425 */ 1426 static void 1427 rfcomm_session_recv_mcc_nsc(struct rfcomm_session *rs, 1428 int cr, struct mbuf *m) 1429 { 1430 struct rfcomm_dlc *dlc, *next; 1431 1432 /* 1433 * Since we did nothing that is not mandatory, 1434 * we just abort the whole session.. 1435 */ 1436 1437 next = LIST_FIRST(&rs->rs_dlcs); 1438 while ((dlc = next) != NULL) { 1439 next = LIST_NEXT(dlc, rd_next); 1440 rfcomm_dlc_close(dlc, ECONNABORTED); 1441 } 1442 1443 rfcomm_session_free(rs); 1444 } 1445 1446 /*********************************************************************** 1447 * 1448 * RFCOMM Session outward frame/uih/mcc building 1449 */ 1450 1451 /* 1452 * SABM/DISC/DM/UA frames are all minimal and mostly identical. 1453 */ 1454 int 1455 rfcomm_session_send_frame(struct rfcomm_session *rs, int type, int dlci) 1456 { 1457 struct rfcomm_cmd_hdr *hdr; 1458 struct rfcomm_credit *credit; 1459 struct mbuf *m; 1460 uint8_t fcs, cr; 1461 1462 credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT); 1463 if (credit == NULL) 1464 return ENOMEM; 1465 1466 m = m_gethdr(MB_DONTWAIT, MT_DATA); 1467 if (m == NULL) { 1468 pool_put(&rfcomm_credit_pool, credit); 1469 return ENOMEM; 1470 } 1471 1472 /* 1473 * The CR (command/response) bit identifies the frame either as a 1474 * commmand or a response and is used along with the DLCI to form 1475 * the address. Commands contain the non-initiator address, whereas 1476 * responses contain the initiator address, so the CR value is 1477 * also dependent on the session direction. 1478 */ 1479 if (type == RFCOMM_FRAME_UA || type == RFCOMM_FRAME_DM) 1480 cr = IS_INITIATOR(rs) ? 0 : 1; 1481 else 1482 cr = IS_INITIATOR(rs) ? 1 : 0; 1483 1484 hdr = mtod(m, struct rfcomm_cmd_hdr *); 1485 hdr->address = RFCOMM_MKADDRESS(cr, dlci); 1486 hdr->control = RFCOMM_MKCONTROL(type, 1); /* PF = 1 */ 1487 hdr->length = (0x00 << 1) | 0x01; /* len = 0x00, EA = 1 */ 1488 1489 fcs = 0xff; 1490 fcs = FCS(fcs, hdr->address); 1491 fcs = FCS(fcs, hdr->control); 1492 fcs = FCS(fcs, hdr->length); 1493 fcs = 0xff - fcs; /* ones complement */ 1494 hdr->fcs = fcs; 1495 1496 m->m_pkthdr.len = m->m_len = sizeof(struct rfcomm_cmd_hdr); 1497 1498 /* empty credit note */ 1499 credit->rc_dlc = NULL; 1500 credit->rc_len = m->m_pkthdr.len; 1501 STAILQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next); 1502 1503 DPRINTFN(5, "dlci %d type %2.2x (%d bytes, fcs=%#2.2x)\n", 1504 dlci, type, m->m_pkthdr.len, fcs); 1505 1506 return l2cap_send(rs->rs_l2cap, m); 1507 } 1508 1509 /* 1510 * rfcomm_session_send_uih(rfcomm_session, rfcomm_dlc, credits, mbuf) 1511 * 1512 * UIH frame is per DLC data or Multiplexer Control Commands 1513 * when no DLC is given. Data mbuf is optional (just credits 1514 * will be sent in that case) 1515 */ 1516 int 1517 rfcomm_session_send_uih(struct rfcomm_session *rs, struct rfcomm_dlc *dlc, 1518 int credits, struct mbuf *m) 1519 { 1520 struct rfcomm_credit *credit; 1521 struct mbuf *m0 = NULL; 1522 int err, len; 1523 uint8_t fcs, *hdr; 1524 1525 KKASSERT(rs != NULL); 1526 1527 len = (m == NULL) ? 0 : m->m_pkthdr.len; 1528 KKASSERT(!(credits == 0 && len == 0)); 1529 1530 /* 1531 * Make a credit note for the completion notification 1532 */ 1533 credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT); 1534 if (credit == NULL) 1535 goto nomem; 1536 1537 credit->rc_len = len; 1538 credit->rc_dlc = dlc; 1539 1540 /* 1541 * Wrap UIH frame information around payload. 1542 * 1543 * [ADDRESS] [CONTROL] [LENGTH] [CREDITS] [...] [FCS] 1544 * 1545 * Address is one octet. 1546 * Control is one octet. 1547 * Length is one or two octets. 1548 * Credits may be one octet. 1549 * 1550 * FCS is one octet and calculated on address and 1551 * control octets only. 1552 * 1553 * If there are credits to be sent, we will set the PF 1554 * flag and include them in the frame. 1555 */ 1556 m0 = m_gethdr(MB_DONTWAIT, MT_DATA); 1557 if (m0 == NULL) 1558 goto nomem; 1559 1560 MH_ALIGN(m0, 5); /* (max 5 header octets) */ 1561 hdr = mtod(m0, uint8_t *); 1562 1563 /* CR bit is set according to the initiator of the session */ 1564 *hdr = RFCOMM_MKADDRESS((IS_INITIATOR(rs) ? 1 : 0), 1565 (dlc ? dlc->rd_dlci : 0)); 1566 fcs = FCS(0xff, *hdr); 1567 hdr++; 1568 1569 /* PF bit is set if credits are being sent */ 1570 *hdr = RFCOMM_MKCONTROL(RFCOMM_FRAME_UIH, (credits > 0 ? 1 : 0)); 1571 fcs = FCS(fcs, *hdr); 1572 hdr++; 1573 1574 if (len < (1 << 7)) { 1575 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1576 } else { 1577 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1578 *hdr++ = ((len >> 7) & 0xff); /* 8 bits, no EA */ 1579 } 1580 1581 if (credits > 0) 1582 *hdr++ = (uint8_t)credits; 1583 1584 m0->m_len = hdr - mtod(m0, uint8_t *); 1585 1586 /* Append payload */ 1587 m0->m_next = m; 1588 m = NULL; 1589 1590 m0->m_pkthdr.len = m0->m_len + len; 1591 1592 /* Append FCS */ 1593 fcs = 0xff - fcs; /* ones complement */ 1594 len = m0->m_pkthdr.len; 1595 m_copyback(m0, len, sizeof(fcs), &fcs); 1596 if (m0->m_pkthdr.len != len + sizeof(fcs)) 1597 goto nomem; 1598 1599 DPRINTFN(10, "dlci %d, pktlen %d (%d data, %d credits), fcs=%#2.2x\n", 1600 dlc ? dlc->rd_dlci : 0, m0->m_pkthdr.len, credit->rc_len, 1601 credits, fcs); 1602 1603 /* 1604 * UIH frame ready to go.. 1605 */ 1606 err = l2cap_send(rs->rs_l2cap, m0); 1607 if (err) 1608 goto fail; 1609 1610 STAILQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next); 1611 return 0; 1612 1613 nomem: 1614 err = ENOMEM; 1615 1616 if (m0 != NULL) 1617 m_freem(m0); 1618 1619 if (m != NULL) 1620 m_freem(m); 1621 1622 fail: 1623 if (credit != NULL) 1624 pool_put(&rfcomm_credit_pool, credit); 1625 1626 return err; 1627 } 1628 1629 /* 1630 * send Multiplexer Control Command (or Response) on session 1631 */ 1632 int 1633 rfcomm_session_send_mcc(struct rfcomm_session *rs, int cr, 1634 uint8_t type, void *data, int len) 1635 { 1636 struct mbuf *m; 1637 uint8_t *hdr; 1638 int hlen; 1639 1640 m = m_gethdr(MB_DONTWAIT, MT_DATA); 1641 if (m == NULL) 1642 return ENOMEM; 1643 1644 hdr = mtod(m, uint8_t *); 1645 1646 /* 1647 * Technically the type field can extend past one octet, but none 1648 * currently defined will do that. 1649 */ 1650 *hdr++ = RFCOMM_MKMCC_TYPE(cr, type); 1651 1652 /* 1653 * In the frame, the max length size is 2 octets (15 bits) whereas 1654 * no max length size is specified for MCC commands. We must allow 1655 * for 3 octets since for MCC frames we use 7 bits + EA in each. 1656 * 1657 * Only test data can possibly be that big. 1658 * 1659 * XXX Should we check this against the MTU? 1660 */ 1661 if (len < (1 << 7)) { 1662 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1663 } else if (len < (1 << 14)) { 1664 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1665 *hdr++ = ((len >> 6) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1666 } else if (len < (1 << 15)) { 1667 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1668 *hdr++ = ((len >> 6) & 0xfe); /* 7 bits, EA = 0 */ 1669 *hdr++ = ((len >> 13) & 0x02) | 0x01; /* 1 bit, EA = 1 */ 1670 } else { 1671 DPRINTF("incredible length! (%d)\n", len); 1672 m_freem(m); 1673 return EMSGSIZE; 1674 } 1675 1676 /* 1677 * add command data (to same mbuf if possible) 1678 */ 1679 hlen = hdr - mtod(m, uint8_t *); 1680 1681 if (len > 0) { 1682 m->m_pkthdr.len = m->m_len = MHLEN; 1683 m_copyback(m, hlen, len, data); 1684 if (m->m_pkthdr.len != max(MHLEN, hlen + len)) { 1685 m_freem(m); 1686 return ENOMEM; 1687 } 1688 } 1689 1690 m->m_pkthdr.len = hlen + len; 1691 m->m_len = min(MHLEN, m->m_pkthdr.len); 1692 1693 DPRINTFN(5, "%s type %2.2x len %d\n", 1694 (cr ? "command" : "response"), type, m->m_pkthdr.len); 1695 1696 return rfcomm_session_send_uih(rs, NULL, 0, m); 1697 } 1698