1 /* $OpenBSD: src/sys/netbt/rfcomm_session.c,v 1.3 2008/02/24 21:34:48 uwe Exp $ */ 2 /* $NetBSD: rfcomm_session.c,v 1.12 2008/01/31 19:30:23 plunky Exp $ */ 3 4 /*- 5 * Copyright (c) 2006 Itronix Inc. 6 * All rights reserved. 7 * 8 * Written by Iain Hibbert for Itronix Inc. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. The name of Itronix Inc. may not be used to endorse 19 * or promote products derived from this software without specific 20 * prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 24 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 25 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY 26 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 27 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 28 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 29 * ON ANY THEORY OF LIABILITY, WHETHER IN 30 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 31 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 32 * POSSIBILITY OF SUCH DAMAGE. 33 */ 34 35 #include <sys/param.h> 36 #include <sys/kernel.h> 37 #include <sys/mbuf.h> 38 #include <sys/proc.h> 39 #include <sys/systm.h> 40 #include <sys/types.h> 41 #include <sys/endian.h> 42 43 #include <net/if.h> 44 45 #include <netbt/bluetooth.h> 46 #include <netbt/hci.h> 47 #include <netbt/l2cap.h> 48 #include <netbt/rfcomm.h> 49 50 /****************************************************************************** 51 * 52 * RFCOMM Multiplexer Sessions sit directly on L2CAP channels, and can 53 * multiplex up to 30 incoming and 30 outgoing connections. 54 * Only one Multiplexer is allowed between any two devices. 55 */ 56 57 static void rfcomm_session_recv_sabm(struct rfcomm_session *, int); 58 static void rfcomm_session_recv_disc(struct rfcomm_session *, int); 59 static void rfcomm_session_recv_ua(struct rfcomm_session *, int); 60 static void rfcomm_session_recv_dm(struct rfcomm_session *, int); 61 static void rfcomm_session_recv_uih(struct rfcomm_session *, int, int, struct mbuf *, int); 62 static void rfcomm_session_recv_mcc(struct rfcomm_session *, struct mbuf *); 63 static void rfcomm_session_recv_mcc_test(struct rfcomm_session *, int, struct mbuf *); 64 static void rfcomm_session_recv_mcc_fcon(struct rfcomm_session *, int); 65 static void rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *, int); 66 static void rfcomm_session_recv_mcc_msc(struct rfcomm_session *, int, struct mbuf *); 67 static void rfcomm_session_recv_mcc_rpn(struct rfcomm_session *, int, struct mbuf *); 68 static void rfcomm_session_recv_mcc_rls(struct rfcomm_session *, int, struct mbuf *); 69 static void rfcomm_session_recv_mcc_pn(struct rfcomm_session *, int, struct mbuf *); 70 static void rfcomm_session_recv_mcc_nsc(struct rfcomm_session *, int, struct mbuf *); 71 72 /* L2CAP callbacks */ 73 static void rfcomm_session_connecting(void *); 74 static void rfcomm_session_connected(void *); 75 static void rfcomm_session_disconnected(void *, int); 76 static void *rfcomm_session_newconn(void *, struct sockaddr_bt *, struct sockaddr_bt *); 77 static void rfcomm_session_complete(void *, int); 78 static void rfcomm_session_linkmode(void *, int); 79 static void rfcomm_session_input(void *, struct mbuf *); 80 81 static const struct btproto rfcomm_session_proto = { 82 rfcomm_session_connecting, 83 rfcomm_session_connected, 84 rfcomm_session_disconnected, 85 rfcomm_session_newconn, 86 rfcomm_session_complete, 87 rfcomm_session_linkmode, 88 rfcomm_session_input, 89 }; 90 91 struct rfcomm_session_list 92 rfcomm_session_active = LIST_HEAD_INITIALIZER(rfcomm_session_active); 93 94 struct rfcomm_session_list 95 rfcomm_session_listen = LIST_HEAD_INITIALIZER(rfcomm_session_listen); 96 97 vm_zone_t rfcomm_credit_pool; 98 99 /* 100 * RFCOMM System Parameters (see section 5.3) 101 */ 102 int rfcomm_mtu_default = 127; /* bytes */ 103 int rfcomm_ack_timeout = 20; /* seconds */ 104 int rfcomm_mcc_timeout = 20; /* seconds */ 105 106 /* 107 * Reversed CRC table as per TS 07.10 Annex B.3.5 108 */ 109 static const uint8_t crctable[256] = { /* reversed, 8-bit, poly=0x07 */ 110 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 111 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 112 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 113 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 114 115 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 116 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 117 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 118 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 119 120 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 121 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 122 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 123 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 124 125 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 126 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 127 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 128 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 129 130 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 131 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 132 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 133 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 134 135 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 136 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 137 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 138 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 139 140 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 141 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 142 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 143 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 144 145 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 146 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 147 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 148 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 149 }; 150 151 #define FCS(f, d) crctable[(f) ^ (d)] 152 153 /* 154 * rfcomm_init() 155 * 156 * initialize the "credit pool". 157 */ 158 void 159 rfcomm_init(void) 160 { 161 rfcomm_credit_pool = zinit("rfcomm_credit", 162 sizeof(struct rfcomm_credit), 0, 0, 0); 163 } 164 165 /* 166 * rfcomm_session_alloc(list, sockaddr) 167 * 168 * allocate a new session and fill in the blanks, then 169 * attach session to front of specified list (active or listen) 170 */ 171 struct rfcomm_session * 172 rfcomm_session_alloc(struct rfcomm_session_list *list, 173 struct sockaddr_bt *laddr) 174 { 175 struct rfcomm_session *rs; 176 int err; 177 178 rs = kmalloc(sizeof(*rs), M_BLUETOOTH, M_NOWAIT | M_ZERO); 179 if (rs == NULL) 180 return NULL; 181 182 rs->rs_state = RFCOMM_SESSION_CLOSED; 183 184 callout_init(&rs->rs_timeout); 185 186 STAILQ_INIT(&rs->rs_credits); 187 LIST_INIT(&rs->rs_dlcs); 188 189 err = l2cap_attach(&rs->rs_l2cap, &rfcomm_session_proto, rs); 190 if (err) { 191 kfree(rs, M_BLUETOOTH); 192 return NULL; 193 } 194 195 (void)l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu); 196 197 if (laddr->bt_psm == L2CAP_PSM_ANY) 198 laddr->bt_psm = L2CAP_PSM_RFCOMM; 199 200 (void)l2cap_bind(rs->rs_l2cap, laddr); 201 202 LIST_INSERT_HEAD(list, rs, rs_next); 203 204 return rs; 205 } 206 207 /* 208 * rfcomm_session_free(rfcomm_session) 209 * 210 * release a session, including any cleanup 211 */ 212 void 213 rfcomm_session_free(struct rfcomm_session *rs) 214 { 215 struct rfcomm_credit *credit; 216 217 KKASSERT(rs != NULL); 218 KKASSERT(LIST_EMPTY(&rs->rs_dlcs)); 219 220 rs->rs_state = RFCOMM_SESSION_CLOSED; 221 222 /* 223 * If the callout is already invoked we have no way to stop it, 224 * but it will call us back right away (there are no DLC's) so 225 * not to worry. 226 */ 227 callout_stop(&rs->rs_timeout); 228 if (callout_active(&rs->rs_timeout)) 229 return; 230 231 /* 232 * Take care that rfcomm_session_disconnected() doesnt call 233 * us back either as it will do if the l2cap_channel has not 234 * been closed when we detach it.. 235 */ 236 if (rs->rs_flags & RFCOMM_SESSION_FREE) 237 return; 238 239 rs->rs_flags |= RFCOMM_SESSION_FREE; 240 241 /* throw away any remaining credit notes */ 242 while ((credit = STAILQ_FIRST(&rs->rs_credits)) != NULL) { 243 STAILQ_REMOVE_HEAD(&rs->rs_credits, rc_next); 244 zfree(rfcomm_credit_pool, credit); 245 } 246 247 KKASSERT(STAILQ_EMPTY(&rs->rs_credits)); 248 249 /* Goodbye! */ 250 LIST_REMOVE(rs, rs_next); 251 l2cap_detach(&rs->rs_l2cap); 252 kfree(rs, M_BLUETOOTH); 253 } 254 255 /* 256 * rfcomm_session_lookup(sockaddr, sockaddr) 257 * 258 * Find active rfcomm session matching src and dest addresses 259 * when src is BDADDR_ANY match any local address 260 */ 261 struct rfcomm_session * 262 rfcomm_session_lookup(struct sockaddr_bt *src, struct sockaddr_bt *dest) 263 { 264 struct rfcomm_session *rs; 265 struct sockaddr_bt addr; 266 267 LIST_FOREACH(rs, &rfcomm_session_active, rs_next) { 268 if (rs->rs_state == RFCOMM_SESSION_CLOSED) 269 continue; 270 271 l2cap_sockaddr(rs->rs_l2cap, &addr); 272 273 if (bdaddr_same(&src->bt_bdaddr, &addr.bt_bdaddr) == 0) 274 if (bdaddr_any(&src->bt_bdaddr) == 0) 275 continue; 276 277 l2cap_peeraddr(rs->rs_l2cap, &addr); 278 279 if (addr.bt_psm != dest->bt_psm) 280 continue; 281 282 if (bdaddr_same(&dest->bt_bdaddr, &addr.bt_bdaddr)) 283 break; 284 } 285 286 return rs; 287 } 288 289 /* 290 * rfcomm_session_timeout(rfcomm_session) 291 * 292 * Session timeouts are scheduled when a session is left or 293 * created with no DLCs, and when SABM(0) or DISC(0) are 294 * sent. 295 * 296 * So, if it is in an open state with DLC's attached then 297 * we leave it alone, otherwise the session is lost. 298 */ 299 void 300 rfcomm_session_timeout(void *arg) 301 { 302 struct rfcomm_session *rs = arg; 303 struct rfcomm_dlc *dlc; 304 305 KKASSERT(rs != NULL); 306 307 crit_enter(); 308 309 if (rs->rs_state != RFCOMM_SESSION_OPEN) { 310 DPRINTF("timeout\n"); 311 rs->rs_state = RFCOMM_SESSION_CLOSED; 312 313 while (!LIST_EMPTY(&rs->rs_dlcs)) { 314 dlc = LIST_FIRST(&rs->rs_dlcs); 315 316 rfcomm_dlc_close(dlc, ETIMEDOUT); 317 } 318 } 319 320 if (LIST_EMPTY(&rs->rs_dlcs)) { 321 DPRINTF("expiring\n"); 322 rfcomm_session_free(rs); 323 } 324 crit_exit(); 325 } 326 327 /*********************************************************************** 328 * 329 * RFCOMM Session L2CAP protocol callbacks 330 * 331 */ 332 333 static void 334 rfcomm_session_connecting(void *arg) 335 { 336 /* struct rfcomm_session *rs = arg; */ 337 338 DPRINTF("Connecting\n"); 339 } 340 341 static void 342 rfcomm_session_connected(void *arg) 343 { 344 struct rfcomm_session *rs = arg; 345 346 DPRINTF("Connected\n"); 347 348 /* 349 * L2CAP is open. 350 * 351 * If we are initiator, we can send our SABM(0) 352 * a timeout should be active? 353 * 354 * We must take note of the L2CAP MTU because currently 355 * the L2CAP implementation can only do Basic Mode. 356 */ 357 l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu); 358 359 rs->rs_mtu -= 6; /* (RFCOMM overhead could be this big) */ 360 if (rs->rs_mtu < RFCOMM_MTU_MIN) { 361 rfcomm_session_disconnected(rs, EINVAL); 362 return; 363 } 364 365 if (IS_INITIATOR(rs)) { 366 int err; 367 368 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, 0); 369 if (err) 370 rfcomm_session_disconnected(rs, err); 371 372 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout * hz, 373 rfcomm_session_timeout, rs); 374 } 375 } 376 377 static void 378 rfcomm_session_disconnected(void *arg, int err) 379 { 380 struct rfcomm_session *rs = arg; 381 struct rfcomm_dlc *dlc; 382 383 DPRINTF("Disconnected\n"); 384 385 rs->rs_state = RFCOMM_SESSION_CLOSED; 386 387 while (!LIST_EMPTY(&rs->rs_dlcs)) { 388 dlc = LIST_FIRST(&rs->rs_dlcs); 389 390 rfcomm_dlc_close(dlc, err); 391 } 392 393 rfcomm_session_free(rs); 394 } 395 396 static void * 397 rfcomm_session_newconn(void *arg, struct sockaddr_bt *laddr, 398 struct sockaddr_bt *raddr) 399 { 400 struct rfcomm_session *new, *rs = arg; 401 402 DPRINTF("New Connection\n"); 403 404 /* 405 * Incoming session connect request. We should return a new 406 * session pointer if this is acceptable. The L2CAP layer 407 * passes local and remote addresses, which we must check as 408 * only one RFCOMM session is allowed between any two devices 409 */ 410 new = rfcomm_session_lookup(laddr, raddr); 411 if (new != NULL) 412 return NULL; 413 414 new = rfcomm_session_alloc(&rfcomm_session_active, laddr); 415 if (new == NULL) 416 return NULL; 417 418 new->rs_mtu = rs->rs_mtu; 419 new->rs_state = RFCOMM_SESSION_WAIT_CONNECT; 420 421 /* 422 * schedule an expiry so that if nothing comes of it we 423 * can punt. 424 */ 425 callout_reset(&rs->rs_timeout, rfcomm_mcc_timeout * hz, 426 rfcomm_session_timeout, rs); 427 428 return new->rs_l2cap; 429 } 430 431 static void 432 rfcomm_session_complete(void *arg, int count) 433 { 434 struct rfcomm_session *rs = arg; 435 struct rfcomm_credit *credit; 436 struct rfcomm_dlc *dlc; 437 438 /* 439 * count L2CAP packets are 'complete', meaning that they are cleared 440 * our buffers (for best effort) or arrived safe (for guaranteed) so 441 * we can take it off our list and pass the message on, so that 442 * eventually the data can be removed from the sockbuf 443 */ 444 while (count-- > 0) { 445 credit = STAILQ_FIRST(&rs->rs_credits); 446 #ifdef DIAGNOSTIC 447 if (credit == NULL) { 448 kprintf("%s: too many packets completed!\n", __func__); 449 break; 450 } 451 #endif 452 dlc = credit->rc_dlc; 453 if (dlc != NULL) { 454 dlc->rd_pending--; 455 (*dlc->rd_proto->complete) 456 (dlc->rd_upper, credit->rc_len); 457 458 /* 459 * if not using credit flow control, we may push 460 * more data now 461 */ 462 if ((rs->rs_flags & RFCOMM_SESSION_CFC) == 0 463 && dlc->rd_state == RFCOMM_DLC_OPEN) { 464 rfcomm_dlc_start(dlc); 465 } 466 467 /* 468 * When shutdown is indicated, we are just waiting to 469 * clear outgoing data. 470 */ 471 if ((dlc->rd_flags & RFCOMM_DLC_SHUTDOWN) 472 && dlc->rd_txbuf == NULL && dlc->rd_pending == 0) { 473 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT; 474 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 475 dlc->rd_dlci); 476 callout_reset(&dlc->rd_timeout, 477 rfcomm_ack_timeout * hz, 478 rfcomm_dlc_timeout, dlc); 479 } 480 } 481 482 STAILQ_REMOVE_HEAD(&rs->rs_credits, rc_next); 483 zfree(rfcomm_credit_pool, credit); 484 } 485 486 /* 487 * If session is closed, we are just waiting to clear the queue 488 */ 489 if (rs->rs_state == RFCOMM_SESSION_CLOSED) { 490 if (STAILQ_EMPTY(&rs->rs_credits)) 491 l2cap_disconnect(rs->rs_l2cap, 0); 492 } 493 } 494 495 /* 496 * Link Mode changed 497 * 498 * This is called when a mode change is complete. Proceed with connections 499 * where appropriate, or pass the new mode to any active DLCs. 500 */ 501 static void 502 rfcomm_session_linkmode(void *arg, int new) 503 { 504 struct rfcomm_session *rs = arg; 505 struct rfcomm_dlc *dlc, *next; 506 int err, mode = 0; 507 508 DPRINTF("auth %s, encrypt %s, secure %s\n", 509 (new & L2CAP_LM_AUTH ? "on" : "off"), 510 (new & L2CAP_LM_ENCRYPT ? "on" : "off"), 511 (new & L2CAP_LM_SECURE ? "on" : "off")); 512 513 if (new & L2CAP_LM_AUTH) 514 mode |= RFCOMM_LM_AUTH; 515 516 if (new & L2CAP_LM_ENCRYPT) 517 mode |= RFCOMM_LM_ENCRYPT; 518 519 if (new & L2CAP_LM_SECURE) 520 mode |= RFCOMM_LM_SECURE; 521 522 next = LIST_FIRST(&rs->rs_dlcs); 523 while ((dlc = next) != NULL) { 524 next = LIST_NEXT(dlc, rd_next); 525 526 switch (dlc->rd_state) { 527 case RFCOMM_DLC_WAIT_SEND_SABM: /* we are connecting */ 528 if ((mode & dlc->rd_mode) != dlc->rd_mode) { 529 rfcomm_dlc_close(dlc, ECONNABORTED); 530 } else { 531 err = rfcomm_session_send_frame(rs, 532 RFCOMM_FRAME_SABM, dlc->rd_dlci); 533 if (err) { 534 rfcomm_dlc_close(dlc, err); 535 } else { 536 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA; 537 callout_reset(&dlc->rd_timeout, 538 rfcomm_ack_timeout * hz, 539 rfcomm_dlc_timeout, dlc); 540 541 break; 542 } 543 } 544 545 /* 546 * If we aborted the connection and there are no more DLCs 547 * on the session, it is our responsibility to disconnect. 548 */ 549 if (!LIST_EMPTY(&rs->rs_dlcs)) 550 break; 551 552 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT; 553 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0); 554 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout * hz, 555 rfcomm_session_timeout, rs); 556 break; 557 558 case RFCOMM_DLC_WAIT_SEND_UA: /* they are connecting */ 559 if ((mode & dlc->rd_mode) != dlc->rd_mode) { 560 rfcomm_session_send_frame(rs, 561 RFCOMM_FRAME_DM, dlc->rd_dlci); 562 rfcomm_dlc_close(dlc, ECONNABORTED); 563 break; 564 } 565 566 err = rfcomm_session_send_frame(rs, 567 RFCOMM_FRAME_UA, dlc->rd_dlci); 568 if (err) { 569 rfcomm_session_send_frame(rs, 570 RFCOMM_FRAME_DM, dlc->rd_dlci); 571 rfcomm_dlc_close(dlc, err); 572 break; 573 } 574 575 err = rfcomm_dlc_open(dlc); 576 if (err) { 577 rfcomm_session_send_frame(rs, 578 RFCOMM_FRAME_DM, dlc->rd_dlci); 579 rfcomm_dlc_close(dlc, err); 580 break; 581 } 582 583 break; 584 585 case RFCOMM_DLC_WAIT_RECV_UA: 586 case RFCOMM_DLC_OPEN: /* already established */ 587 (*dlc->rd_proto->linkmode)(dlc->rd_upper, mode); 588 break; 589 590 default: 591 break; 592 } 593 } 594 } 595 596 /* 597 * Receive data from L2CAP layer for session. There is always exactly one 598 * RFCOMM frame contained in each L2CAP frame. 599 */ 600 static void 601 rfcomm_session_input(void *arg, struct mbuf *m) 602 { 603 struct rfcomm_session *rs = arg; 604 int dlci, len, type, pf; 605 uint8_t fcs, b; 606 607 KKASSERT(m != NULL); 608 KKASSERT(rs != NULL); 609 610 /* 611 * UIH frames: FCS is only calculated on address and control fields 612 * For other frames: FCS is calculated on address, control and length 613 * Length may extend to two octets 614 */ 615 fcs = 0xff; 616 617 if (m->m_pkthdr.len < 4) { 618 DPRINTF("short frame (%d), discarded\n", m->m_pkthdr.len); 619 goto done; 620 } 621 622 /* address - one octet */ 623 m_copydata(m, 0, 1, &b); 624 m_adj(m, 1); 625 fcs = FCS(fcs, b); 626 dlci = RFCOMM_DLCI(b); 627 628 /* control - one octet */ 629 m_copydata(m, 0, 1, &b); 630 m_adj(m, 1); 631 fcs = FCS(fcs, b); 632 type = RFCOMM_TYPE(b); 633 pf = RFCOMM_PF(b); 634 635 /* length - may be two octets */ 636 m_copydata(m, 0, 1, &b); 637 m_adj(m, 1); 638 if (type != RFCOMM_FRAME_UIH) 639 fcs = FCS(fcs, b); 640 len = (b >> 1) & 0x7f; 641 642 if (RFCOMM_EA(b) == 0) { 643 if (m->m_pkthdr.len < 2) { 644 DPRINTF("short frame (%d, EA = 0), discarded\n", 645 m->m_pkthdr.len); 646 goto done; 647 } 648 649 m_copydata(m, 0, 1, &b); 650 m_adj(m, 1); 651 if (type != RFCOMM_FRAME_UIH) 652 fcs = FCS(fcs, b); 653 654 len |= (b << 7); 655 } 656 657 /* FCS byte is last octet in frame */ 658 m_copydata(m, m->m_pkthdr.len - 1, 1, &b); 659 m_adj(m, -1); 660 fcs = FCS(fcs, b); 661 662 if (fcs != 0xcf) { 663 DPRINTF("Bad FCS value (%#2.2x), frame discarded\n", fcs); 664 goto done; 665 } 666 667 DPRINTFN(10, "dlci %d, type %2.2x, len = %d\n", dlci, type, len); 668 669 switch (type) { 670 case RFCOMM_FRAME_SABM: 671 if (pf) 672 rfcomm_session_recv_sabm(rs, dlci); 673 break; 674 675 case RFCOMM_FRAME_DISC: 676 if (pf) 677 rfcomm_session_recv_disc(rs, dlci); 678 break; 679 680 case RFCOMM_FRAME_UA: 681 if (pf) 682 rfcomm_session_recv_ua(rs, dlci); 683 break; 684 685 case RFCOMM_FRAME_DM: 686 rfcomm_session_recv_dm(rs, dlci); 687 break; 688 689 case RFCOMM_FRAME_UIH: 690 rfcomm_session_recv_uih(rs, dlci, pf, m, len); 691 return; /* (no release) */ 692 693 default: 694 UNKNOWN(type); 695 break; 696 } 697 698 done: 699 m_freem(m); 700 } 701 702 /*********************************************************************** 703 * 704 * RFCOMM Session receive processing 705 */ 706 707 /* 708 * rfcomm_session_recv_sabm(rfcomm_session, dlci) 709 * 710 * Set Asyncrhonous Balanced Mode - open the channel. 711 */ 712 static void 713 rfcomm_session_recv_sabm(struct rfcomm_session *rs, int dlci) 714 { 715 struct rfcomm_dlc *dlc; 716 int err; 717 718 DPRINTFN(5, "SABM(%d)\n", dlci); 719 720 if (dlci == 0) { /* Open Session */ 721 rs->rs_state = RFCOMM_SESSION_OPEN; 722 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0); 723 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) { 724 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION) 725 rfcomm_dlc_connect(dlc); 726 } 727 return; 728 } 729 730 if (rs->rs_state != RFCOMM_SESSION_OPEN) { 731 DPRINTF("session was not even open!\n"); 732 return; 733 } 734 735 /* validate direction bit */ 736 if ((IS_INITIATOR(rs) && !RFCOMM_DIRECTION(dlci)) 737 || (!IS_INITIATOR(rs) && RFCOMM_DIRECTION(dlci))) { 738 DPRINTF("Invalid direction bit on DLCI\n"); 739 return; 740 } 741 742 /* 743 * look for our DLC - this may exist if we received PN 744 * already, or we may have to fabricate a new one. 745 */ 746 dlc = rfcomm_dlc_lookup(rs, dlci); 747 if (dlc == NULL) { 748 dlc = rfcomm_dlc_newconn(rs, dlci); 749 if (dlc == NULL) 750 return; /* (DM is sent) */ 751 } 752 753 /* 754 * ..but if this DLC is not waiting to connect, they did 755 * something wrong, ignore it. 756 */ 757 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT) 758 return; 759 760 /* set link mode */ 761 err = rfcomm_dlc_setmode(dlc); 762 if (err == EINPROGRESS) { 763 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_UA; 764 (*dlc->rd_proto->connecting)(dlc->rd_upper); 765 return; 766 } 767 if (err) 768 goto close; 769 770 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci); 771 if (err) 772 goto close; 773 774 /* and mark it open */ 775 err = rfcomm_dlc_open(dlc); 776 if (err) 777 goto close; 778 779 return; 780 781 close: 782 rfcomm_dlc_close(dlc, err); 783 } 784 785 /* 786 * Receive Disconnect Command 787 */ 788 static void 789 rfcomm_session_recv_disc(struct rfcomm_session *rs, int dlci) 790 { 791 struct rfcomm_dlc *dlc; 792 793 DPRINTFN(5, "DISC(%d)\n", dlci); 794 795 if (dlci == 0) { 796 /* 797 * Disconnect Session 798 * 799 * We set the session state to CLOSED so that when 800 * the UA frame is clear the session will be closed 801 * automatically. We wont bother to close any DLC's 802 * just yet as there should be none. In the unlikely 803 * event that something is left, it will get flushed 804 * out as the session goes down. 805 */ 806 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0); 807 rs->rs_state = RFCOMM_SESSION_CLOSED; 808 return; 809 } 810 811 dlc = rfcomm_dlc_lookup(rs, dlci); 812 if (dlc == NULL) { 813 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci); 814 return; 815 } 816 817 rfcomm_dlc_close(dlc, ECONNRESET); 818 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci); 819 } 820 821 /* 822 * Receive Unnumbered Acknowledgement Response 823 * 824 * This should be a response to a DISC or SABM frame that we 825 * have previously sent. If unexpected, ignore it. 826 */ 827 static void 828 rfcomm_session_recv_ua(struct rfcomm_session *rs, int dlci) 829 { 830 struct rfcomm_dlc *dlc; 831 832 DPRINTFN(5, "UA(%d)\n", dlci); 833 834 if (dlci == 0) { 835 switch (rs->rs_state) { 836 case RFCOMM_SESSION_WAIT_CONNECT: /* We sent SABM */ 837 callout_stop(&rs->rs_timeout); 838 rs->rs_state = RFCOMM_SESSION_OPEN; 839 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) { 840 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION) 841 rfcomm_dlc_connect(dlc); 842 } 843 break; 844 845 case RFCOMM_SESSION_WAIT_DISCONNECT: /* We sent DISC */ 846 callout_stop(&rs->rs_timeout); 847 rs->rs_state = RFCOMM_SESSION_CLOSED; 848 l2cap_disconnect(rs->rs_l2cap, 0); 849 break; 850 851 default: 852 DPRINTF("Received spurious UA(0)!\n"); 853 break; 854 } 855 856 return; 857 } 858 859 /* 860 * If we have no DLC on this dlci, we may have aborted 861 * without shutting down properly, so check if the session 862 * needs disconnecting. 863 */ 864 dlc = rfcomm_dlc_lookup(rs, dlci); 865 if (dlc == NULL) 866 goto check; 867 868 switch (dlc->rd_state) { 869 case RFCOMM_DLC_WAIT_RECV_UA: /* We sent SABM */ 870 rfcomm_dlc_open(dlc); 871 return; 872 873 case RFCOMM_DLC_WAIT_DISCONNECT: /* We sent DISC */ 874 rfcomm_dlc_close(dlc, 0); 875 break; 876 877 default: 878 DPRINTF("Received spurious UA(%d)!\n", dlci); 879 return; 880 } 881 882 check: /* last one out turns out the light */ 883 if (LIST_EMPTY(&rs->rs_dlcs)) { 884 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT; 885 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0); 886 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout*hz,rfcomm_session_timeout,rs); 887 } 888 } 889 890 /* 891 * Receive Disconnected Mode Response 892 * 893 * If this does not apply to a known DLC then we may ignore it. 894 */ 895 static void 896 rfcomm_session_recv_dm(struct rfcomm_session *rs, int dlci) 897 { 898 struct rfcomm_dlc *dlc; 899 900 DPRINTFN(5, "DM(%d)\n", dlci); 901 902 dlc = rfcomm_dlc_lookup(rs, dlci); 903 if (dlc == NULL) 904 return; 905 906 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT) 907 rfcomm_dlc_close(dlc, ECONNREFUSED); 908 else 909 rfcomm_dlc_close(dlc, ECONNRESET); 910 } 911 912 /* 913 * Receive Unnumbered Information with Header check (MCC or data packet) 914 */ 915 static void 916 rfcomm_session_recv_uih(struct rfcomm_session *rs, int dlci, 917 int pf, struct mbuf *m, int len) 918 { 919 struct rfcomm_dlc *dlc; 920 uint8_t credits = 0; 921 922 DPRINTFN(10, "UIH(%d)\n", dlci); 923 924 if (dlci == 0) { 925 rfcomm_session_recv_mcc(rs, m); 926 return; 927 } 928 929 if (m->m_pkthdr.len != len + pf) { 930 DPRINTF("Bad Frame Length (%d), frame discarded\n", 931 m->m_pkthdr.len); 932 933 goto discard; 934 } 935 936 dlc = rfcomm_dlc_lookup(rs, dlci); 937 if (dlc == NULL) { 938 DPRINTF("UIH received for non existent DLC, discarded\n"); 939 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci); 940 goto discard; 941 } 942 943 if (dlc->rd_state != RFCOMM_DLC_OPEN) { 944 DPRINTF("non-open DLC (state = %d), discarded\n", 945 dlc->rd_state); 946 goto discard; 947 } 948 949 /* if PF is set, credits were included */ 950 if (rs->rs_flags & RFCOMM_SESSION_CFC) { 951 if (pf != 0) { 952 if (m->m_pkthdr.len < sizeof(credits)) { 953 DPRINTF("Bad PF value, UIH discarded\n"); 954 goto discard; 955 } 956 957 m_copydata(m, 0, sizeof(credits), &credits); 958 m_adj(m, sizeof(credits)); 959 960 dlc->rd_txcred += credits; 961 962 if (credits > 0 && dlc->rd_txbuf != NULL) 963 rfcomm_dlc_start(dlc); 964 } 965 966 if (len == 0) 967 goto discard; 968 969 if (dlc->rd_rxcred == 0) { 970 DPRINTF("Credit limit reached, UIH discarded\n"); 971 goto discard; 972 } 973 974 if (len > dlc->rd_rxsize) { 975 DPRINTF("UIH frame exceeds rxsize, discarded\n"); 976 goto discard; 977 } 978 979 dlc->rd_rxcred--; 980 dlc->rd_rxsize -= len; 981 } 982 983 (*dlc->rd_proto->input)(dlc->rd_upper, m); 984 return; 985 986 discard: 987 m_freem(m); 988 } 989 990 /* 991 * Receive Multiplexer Control Command 992 */ 993 static void 994 rfcomm_session_recv_mcc(struct rfcomm_session *rs, struct mbuf *m) 995 { 996 int type, cr, len; 997 uint8_t b; 998 999 /* 1000 * Extract MCC header. 1001 * 1002 * Fields are variable length using extension bit = 1 to signify the 1003 * last octet in the sequence. 1004 * 1005 * Only single octet types are defined in TS 07.10/RFCOMM spec 1006 * 1007 * Length can realistically only use 15 bits (max RFCOMM MTU) 1008 */ 1009 if (m->m_pkthdr.len < sizeof(b)) { 1010 DPRINTF("Short MCC header, discarded\n"); 1011 goto release; 1012 } 1013 1014 m_copydata(m, 0, sizeof(b), &b); 1015 m_adj(m, sizeof(b)); 1016 1017 if (RFCOMM_EA(b) == 0) { /* verify no extensions */ 1018 DPRINTF("MCC type EA = 0, discarded\n"); 1019 goto release; 1020 } 1021 1022 type = RFCOMM_MCC_TYPE(b); 1023 cr = RFCOMM_CR(b); 1024 1025 len = 0; 1026 do { 1027 if (m->m_pkthdr.len < sizeof(b)) { 1028 DPRINTF("Short MCC header, discarded\n"); 1029 goto release; 1030 } 1031 1032 m_copydata(m, 0, sizeof(b), &b); 1033 m_adj(m, sizeof(b)); 1034 1035 len = (len << 7) | (b >> 1); 1036 len = min(len, RFCOMM_MTU_MAX); 1037 } while (RFCOMM_EA(b) == 0); 1038 1039 if (len != m->m_pkthdr.len) { 1040 DPRINTF("Incorrect MCC length, discarded\n"); 1041 goto release; 1042 } 1043 1044 DPRINTFN(2, "MCC %s type %2.2x (%d bytes)\n", 1045 (cr ? "command" : "response"), type, len); 1046 1047 /* 1048 * pass to command handler 1049 */ 1050 switch(type) { 1051 case RFCOMM_MCC_TEST: /* Test */ 1052 rfcomm_session_recv_mcc_test(rs, cr, m); 1053 break; 1054 1055 case RFCOMM_MCC_FCON: /* Flow Control On */ 1056 rfcomm_session_recv_mcc_fcon(rs, cr); 1057 break; 1058 1059 case RFCOMM_MCC_FCOFF: /* Flow Control Off */ 1060 rfcomm_session_recv_mcc_fcoff(rs, cr); 1061 break; 1062 1063 case RFCOMM_MCC_MSC: /* Modem Status Command */ 1064 rfcomm_session_recv_mcc_msc(rs, cr, m); 1065 break; 1066 1067 case RFCOMM_MCC_RPN: /* Remote Port Negotiation */ 1068 rfcomm_session_recv_mcc_rpn(rs, cr, m); 1069 break; 1070 1071 case RFCOMM_MCC_RLS: /* Remote Line Status */ 1072 rfcomm_session_recv_mcc_rls(rs, cr, m); 1073 break; 1074 1075 case RFCOMM_MCC_PN: /* Parameter Negotiation */ 1076 rfcomm_session_recv_mcc_pn(rs, cr, m); 1077 break; 1078 1079 case RFCOMM_MCC_NSC: /* Non Supported Command */ 1080 rfcomm_session_recv_mcc_nsc(rs, cr, m); 1081 break; 1082 1083 default: 1084 b = RFCOMM_MKMCC_TYPE(cr, type); 1085 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_NSC, &b, sizeof(b)); 1086 } 1087 1088 release: 1089 m_freem(m); 1090 } 1091 1092 /* 1093 * process TEST command/response 1094 */ 1095 static void 1096 rfcomm_session_recv_mcc_test(struct rfcomm_session *rs, int cr, struct mbuf *m) 1097 { 1098 void *data; 1099 int len; 1100 1101 if (cr == 0) /* ignore ack */ 1102 return; 1103 1104 /* 1105 * we must send all the data they included back as is 1106 */ 1107 1108 len = m->m_pkthdr.len; 1109 if (len > RFCOMM_MTU_MAX) 1110 return; 1111 1112 data = kmalloc(len, M_BLUETOOTH, M_NOWAIT); 1113 if (data == NULL) 1114 return; 1115 1116 m_copydata(m, 0, len, data); 1117 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_TEST, data, len); 1118 kfree(data, M_BLUETOOTH); 1119 } 1120 1121 /* 1122 * process Flow Control ON command/response 1123 */ 1124 static void 1125 rfcomm_session_recv_mcc_fcon(struct rfcomm_session *rs, int cr) 1126 { 1127 1128 if (cr == 0) /* ignore ack */ 1129 return; 1130 1131 rs->rs_flags |= RFCOMM_SESSION_RFC; 1132 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCON, NULL, 0); 1133 } 1134 1135 /* 1136 * process Flow Control OFF command/response 1137 */ 1138 static void 1139 rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *rs, int cr) 1140 { 1141 if (cr == 0) /* ignore ack */ 1142 return; 1143 1144 rs->rs_flags &= ~RFCOMM_SESSION_RFC; 1145 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCOFF, NULL, 0); 1146 } 1147 1148 /* 1149 * process Modem Status Command command/response 1150 */ 1151 static void 1152 rfcomm_session_recv_mcc_msc(struct rfcomm_session *rs, int cr, struct mbuf *m) 1153 { 1154 struct rfcomm_mcc_msc msc; /* (3 octets) */ 1155 struct rfcomm_dlc *dlc; 1156 int len = 0; 1157 1158 /* [ADDRESS] */ 1159 if (m->m_pkthdr.len < sizeof(msc.address)) 1160 return; 1161 1162 m_copydata(m, 0, sizeof(msc.address), &msc.address); 1163 m_adj(m, sizeof(msc.address)); 1164 len += sizeof(msc.address); 1165 1166 dlc = rfcomm_dlc_lookup(rs, RFCOMM_DLCI(msc.address)); 1167 1168 if (cr == 0) { /* ignore acks */ 1169 if (dlc != NULL) 1170 callout_stop(&dlc->rd_timeout); 1171 1172 return; 1173 } 1174 1175 if (dlc == NULL) { 1176 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, 1177 RFCOMM_DLCI(msc.address)); 1178 return; 1179 } 1180 1181 /* [SIGNALS] */ 1182 if (m->m_pkthdr.len < sizeof(msc.modem)) 1183 return; 1184 1185 m_copydata(m, 0, sizeof(msc.modem), &msc.modem); 1186 m_adj(m, sizeof(msc.modem)); 1187 len += sizeof(msc.modem); 1188 1189 dlc->rd_rmodem = msc.modem; 1190 /* XXX how do we signal this upstream? */ 1191 1192 if (RFCOMM_EA(msc.modem) == 0) { 1193 if (m->m_pkthdr.len < sizeof(msc.brk)) 1194 return; 1195 1196 m_copydata(m, 0, sizeof(msc.brk), &msc.brk); 1197 m_adj(m, sizeof(msc.brk)); 1198 len += sizeof(msc.brk); 1199 1200 /* XXX how do we signal this upstream? */ 1201 } 1202 1203 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_MSC, &msc, len); 1204 } 1205 1206 /* 1207 * process Remote Port Negotiation command/response 1208 */ 1209 static void 1210 rfcomm_session_recv_mcc_rpn(struct rfcomm_session *rs, int cr, struct mbuf *m) 1211 { 1212 struct rfcomm_mcc_rpn rpn; 1213 uint16_t mask; 1214 1215 if (cr == 0) /* ignore ack */ 1216 return; 1217 1218 /* default values */ 1219 rpn.bit_rate = RFCOMM_RPN_BR_9600; 1220 rpn.line_settings = RFCOMM_RPN_8_N_1; 1221 rpn.flow_control = RFCOMM_RPN_FLOW_NONE; 1222 rpn.xon_char = RFCOMM_RPN_XON_CHAR; 1223 rpn.xoff_char = RFCOMM_RPN_XOFF_CHAR; 1224 1225 if (m->m_pkthdr.len == sizeof(rpn)) { 1226 m_copydata(m, 0, sizeof(rpn), (caddr_t)&rpn); 1227 rpn.param_mask = RFCOMM_RPN_PM_ALL; 1228 } else if (m->m_pkthdr.len == 1) { 1229 m_copydata(m, 0, 1, (caddr_t)&rpn); 1230 rpn.param_mask = letoh16(rpn.param_mask); 1231 } else { 1232 DPRINTF("Bad RPN length (%d)\n", m->m_pkthdr.len); 1233 return; 1234 } 1235 1236 mask = 0; 1237 1238 if (rpn.param_mask & RFCOMM_RPN_PM_RATE) 1239 mask |= RFCOMM_RPN_PM_RATE; 1240 1241 if (rpn.param_mask & RFCOMM_RPN_PM_DATA 1242 && RFCOMM_RPN_DATA_BITS(rpn.line_settings) == RFCOMM_RPN_DATA_8) 1243 mask |= RFCOMM_RPN_PM_DATA; 1244 1245 if (rpn.param_mask & RFCOMM_RPN_PM_STOP 1246 && RFCOMM_RPN_STOP_BITS(rpn.line_settings) == RFCOMM_RPN_STOP_1) 1247 mask |= RFCOMM_RPN_PM_STOP; 1248 1249 if (rpn.param_mask & RFCOMM_RPN_PM_PARITY 1250 && RFCOMM_RPN_PARITY(rpn.line_settings) == RFCOMM_RPN_PARITY_NONE) 1251 mask |= RFCOMM_RPN_PM_PARITY; 1252 1253 if (rpn.param_mask & RFCOMM_RPN_PM_XON 1254 && rpn.xon_char == RFCOMM_RPN_XON_CHAR) 1255 mask |= RFCOMM_RPN_PM_XON; 1256 1257 if (rpn.param_mask & RFCOMM_RPN_PM_XOFF 1258 && rpn.xoff_char == RFCOMM_RPN_XOFF_CHAR) 1259 mask |= RFCOMM_RPN_PM_XOFF; 1260 1261 if (rpn.param_mask & RFCOMM_RPN_PM_FLOW 1262 && rpn.flow_control == RFCOMM_RPN_FLOW_NONE) 1263 mask |= RFCOMM_RPN_PM_FLOW; 1264 1265 rpn.param_mask = htole16(mask); 1266 1267 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RPN, &rpn, sizeof(rpn)); 1268 } 1269 1270 /* 1271 * process Remote Line Status command/response 1272 */ 1273 static void 1274 rfcomm_session_recv_mcc_rls(struct rfcomm_session *rs, int cr, struct mbuf *m) 1275 { 1276 struct rfcomm_mcc_rls rls; 1277 1278 if (cr == 0) /* ignore ack */ 1279 return; 1280 1281 if (m->m_pkthdr.len != sizeof(rls)) { 1282 DPRINTF("Bad RLS length %d\n", m->m_pkthdr.len); 1283 return; 1284 } 1285 1286 m_copydata(m, 0, sizeof(rls), (caddr_t)&rls); 1287 1288 /* 1289 * So far as I can tell, we just send back what 1290 * they sent us. This signifies errors that seem 1291 * irrelevent for RFCOMM over L2CAP. 1292 */ 1293 rls.address |= 0x03; /* EA = 1, CR = 1 */ 1294 rls.status &= 0x0f; /* only 4 bits valid */ 1295 1296 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RLS, &rls, sizeof(rls)); 1297 } 1298 1299 /* 1300 * process Parameter Negotiation command/response 1301 */ 1302 static void 1303 rfcomm_session_recv_mcc_pn(struct rfcomm_session *rs, int cr, struct mbuf *m) 1304 { 1305 struct rfcomm_dlc *dlc; 1306 struct rfcomm_mcc_pn pn; 1307 int err; 1308 1309 if (m->m_pkthdr.len != sizeof(pn)) { 1310 DPRINTF("Bad PN length %d\n", m->m_pkthdr.len); 1311 return; 1312 } 1313 1314 m_copydata(m, 0, sizeof(pn), (caddr_t)&pn); 1315 1316 pn.dlci &= 0x3f; 1317 pn.mtu = letoh16(pn.mtu); 1318 1319 dlc = rfcomm_dlc_lookup(rs, pn.dlci); 1320 if (cr) { /* Command */ 1321 /* 1322 * If there is no DLC present, this is a new 1323 * connection so attempt to make one 1324 */ 1325 if (dlc == NULL) { 1326 dlc = rfcomm_dlc_newconn(rs, pn.dlci); 1327 if (dlc == NULL) 1328 return; /* (DM is sent) */ 1329 } 1330 1331 /* accept any valid MTU, and offer it back */ 1332 pn.mtu = min(pn.mtu, RFCOMM_MTU_MAX); 1333 pn.mtu = min(pn.mtu, rs->rs_mtu); 1334 pn.mtu = max(pn.mtu, RFCOMM_MTU_MIN); 1335 dlc->rd_mtu = pn.mtu; 1336 pn.mtu = htole16(pn.mtu); 1337 1338 /* credits are only set before DLC is open */ 1339 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT 1340 && (pn.flow_control & 0xf0) == 0xf0) { 1341 rs->rs_flags |= RFCOMM_SESSION_CFC; 1342 dlc->rd_txcred = pn.credits & 0x07; 1343 1344 dlc->rd_rxcred = (dlc->rd_rxsize / dlc->rd_mtu); 1345 dlc->rd_rxcred = min(dlc->rd_rxcred, 1346 RFCOMM_CREDITS_DEFAULT); 1347 1348 pn.flow_control = 0xe0; 1349 pn.credits = dlc->rd_rxcred; 1350 } else { 1351 pn.flow_control = 0x00; 1352 pn.credits = 0x00; 1353 } 1354 1355 /* unused fields must be ignored and set to zero */ 1356 pn.ack_timer = 0; 1357 pn.max_retrans = 0; 1358 1359 /* send our response */ 1360 err = rfcomm_session_send_mcc(rs, 0, 1361 RFCOMM_MCC_PN, &pn, sizeof(pn)); 1362 if (err) 1363 goto close; 1364 1365 } else { /* Response */ 1366 /* ignore responses with no matching DLC */ 1367 if (dlc == NULL) 1368 return; 1369 1370 callout_stop(&dlc->rd_timeout); 1371 1372 if (pn.mtu > RFCOMM_MTU_MAX || pn.mtu > dlc->rd_mtu) { 1373 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT; 1374 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 1375 pn.dlci); 1376 if (err) 1377 goto close; 1378 1379 callout_reset(&dlc->rd_timeout, rfcomm_ack_timeout * hz, 1380 rfcomm_dlc_timeout, dlc); 1381 return; 1382 } 1383 dlc->rd_mtu = pn.mtu; 1384 1385 /* if DLC is not waiting to connect, we are done */ 1386 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT) 1387 return; 1388 1389 /* set initial credits according to RFCOMM spec */ 1390 if ((pn.flow_control & 0xf0) == 0xe0) { 1391 rs->rs_flags |= RFCOMM_SESSION_CFC; 1392 dlc->rd_txcred = (pn.credits & 0x07); 1393 } 1394 1395 callout_reset(&dlc->rd_timeout, rfcomm_ack_timeout * hz, 1396 rfcomm_dlc_timeout, dlc); 1397 1398 /* set link mode */ 1399 err = rfcomm_dlc_setmode(dlc); 1400 if (err == EINPROGRESS) { 1401 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_SABM; 1402 (*dlc->rd_proto->connecting)(dlc->rd_upper); 1403 return; 1404 } 1405 if (err) 1406 goto close; 1407 1408 /* we can proceed now */ 1409 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, pn.dlci); 1410 if (err) 1411 goto close; 1412 1413 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA; 1414 } 1415 return; 1416 1417 close: 1418 rfcomm_dlc_close(dlc, err); 1419 } 1420 1421 /* 1422 * process Non Supported Command command/response 1423 */ 1424 static void 1425 rfcomm_session_recv_mcc_nsc(struct rfcomm_session *rs, 1426 int cr, struct mbuf *m) 1427 { 1428 struct rfcomm_dlc *dlc, *next; 1429 1430 /* 1431 * Since we did nothing that is not mandatory, 1432 * we just abort the whole session.. 1433 */ 1434 1435 next = LIST_FIRST(&rs->rs_dlcs); 1436 while ((dlc = next) != NULL) { 1437 next = LIST_NEXT(dlc, rd_next); 1438 rfcomm_dlc_close(dlc, ECONNABORTED); 1439 } 1440 1441 rfcomm_session_free(rs); 1442 } 1443 1444 /*********************************************************************** 1445 * 1446 * RFCOMM Session outward frame/uih/mcc building 1447 */ 1448 1449 /* 1450 * SABM/DISC/DM/UA frames are all minimal and mostly identical. 1451 */ 1452 int 1453 rfcomm_session_send_frame(struct rfcomm_session *rs, int type, int dlci) 1454 { 1455 struct rfcomm_cmd_hdr *hdr; 1456 struct rfcomm_credit *credit; 1457 struct mbuf *m; 1458 uint8_t fcs, cr; 1459 1460 credit = zalloc(rfcomm_credit_pool); 1461 if (credit == NULL) 1462 return ENOMEM; 1463 1464 m = m_gethdr(M_NOWAIT, MT_DATA); 1465 if (m == NULL) { 1466 zfree(rfcomm_credit_pool, credit); 1467 return ENOMEM; 1468 } 1469 1470 /* 1471 * The CR (command/response) bit identifies the frame either as a 1472 * commmand or a response and is used along with the DLCI to form 1473 * the address. Commands contain the non-initiator address, whereas 1474 * responses contain the initiator address, so the CR value is 1475 * also dependent on the session direction. 1476 */ 1477 if (type == RFCOMM_FRAME_UA || type == RFCOMM_FRAME_DM) 1478 cr = IS_INITIATOR(rs) ? 0 : 1; 1479 else 1480 cr = IS_INITIATOR(rs) ? 1 : 0; 1481 1482 hdr = mtod(m, struct rfcomm_cmd_hdr *); 1483 hdr->address = RFCOMM_MKADDRESS(cr, dlci); 1484 hdr->control = RFCOMM_MKCONTROL(type, 1); /* PF = 1 */ 1485 hdr->length = (0x00 << 1) | 0x01; /* len = 0x00, EA = 1 */ 1486 1487 fcs = 0xff; 1488 fcs = FCS(fcs, hdr->address); 1489 fcs = FCS(fcs, hdr->control); 1490 fcs = FCS(fcs, hdr->length); 1491 fcs = 0xff - fcs; /* ones complement */ 1492 hdr->fcs = fcs; 1493 1494 m->m_pkthdr.len = m->m_len = sizeof(struct rfcomm_cmd_hdr); 1495 1496 /* empty credit note */ 1497 credit->rc_dlc = NULL; 1498 credit->rc_len = m->m_pkthdr.len; 1499 STAILQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next); 1500 1501 DPRINTFN(5, "dlci %d type %2.2x (%d bytes, fcs=%#2.2x)\n", 1502 dlci, type, m->m_pkthdr.len, fcs); 1503 1504 return l2cap_send(rs->rs_l2cap, m); 1505 } 1506 1507 /* 1508 * rfcomm_session_send_uih(rfcomm_session, rfcomm_dlc, credits, mbuf) 1509 * 1510 * UIH frame is per DLC data or Multiplexer Control Commands 1511 * when no DLC is given. Data mbuf is optional (just credits 1512 * will be sent in that case) 1513 */ 1514 int 1515 rfcomm_session_send_uih(struct rfcomm_session *rs, struct rfcomm_dlc *dlc, 1516 int credits, struct mbuf *m) 1517 { 1518 struct rfcomm_credit *credit; 1519 struct mbuf *m0 = NULL; 1520 int err, len; 1521 uint8_t fcs, *hdr; 1522 1523 KKASSERT(rs != NULL); 1524 1525 len = (m == NULL) ? 0 : m->m_pkthdr.len; 1526 KKASSERT(!(credits == 0 && len == 0)); 1527 1528 /* 1529 * Make a credit note for the completion notification 1530 */ 1531 credit = zalloc(rfcomm_credit_pool); 1532 if (credit == NULL) 1533 goto nomem; 1534 1535 credit->rc_len = len; 1536 credit->rc_dlc = dlc; 1537 1538 /* 1539 * Wrap UIH frame information around payload. 1540 * 1541 * [ADDRESS] [CONTROL] [LENGTH] [CREDITS] [...] [FCS] 1542 * 1543 * Address is one octet. 1544 * Control is one octet. 1545 * Length is one or two octets. 1546 * Credits may be one octet. 1547 * 1548 * FCS is one octet and calculated on address and 1549 * control octets only. 1550 * 1551 * If there are credits to be sent, we will set the PF 1552 * flag and include them in the frame. 1553 */ 1554 m0 = m_gethdr(M_NOWAIT, MT_DATA); 1555 if (m0 == NULL) 1556 goto nomem; 1557 1558 MH_ALIGN(m0, 5); /* (max 5 header octets) */ 1559 hdr = mtod(m0, uint8_t *); 1560 1561 /* CR bit is set according to the initiator of the session */ 1562 *hdr = RFCOMM_MKADDRESS((IS_INITIATOR(rs) ? 1 : 0), 1563 (dlc ? dlc->rd_dlci : 0)); 1564 fcs = FCS(0xff, *hdr); 1565 hdr++; 1566 1567 /* PF bit is set if credits are being sent */ 1568 *hdr = RFCOMM_MKCONTROL(RFCOMM_FRAME_UIH, (credits > 0 ? 1 : 0)); 1569 fcs = FCS(fcs, *hdr); 1570 hdr++; 1571 1572 if (len < (1 << 7)) { 1573 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1574 } else { 1575 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1576 *hdr++ = ((len >> 7) & 0xff); /* 8 bits, no EA */ 1577 } 1578 1579 if (credits > 0) 1580 *hdr++ = (uint8_t)credits; 1581 1582 m0->m_len = hdr - mtod(m0, uint8_t *); 1583 1584 /* Append payload */ 1585 m0->m_next = m; 1586 m = NULL; 1587 1588 m0->m_pkthdr.len = m0->m_len + len; 1589 1590 /* Append FCS */ 1591 fcs = 0xff - fcs; /* ones complement */ 1592 len = m0->m_pkthdr.len; 1593 m_copyback(m0, len, sizeof(fcs), &fcs); 1594 if (m0->m_pkthdr.len != len + sizeof(fcs)) 1595 goto nomem; 1596 1597 DPRINTFN(10, "dlci %d, pktlen %d (%d data, %d credits), fcs=%#2.2x\n", 1598 dlc ? dlc->rd_dlci : 0, m0->m_pkthdr.len, credit->rc_len, 1599 credits, fcs); 1600 1601 /* 1602 * UIH frame ready to go.. 1603 */ 1604 err = l2cap_send(rs->rs_l2cap, m0); 1605 if (err) 1606 goto fail; 1607 1608 STAILQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next); 1609 return 0; 1610 1611 nomem: 1612 err = ENOMEM; 1613 1614 if (m0 != NULL) 1615 m_freem(m0); 1616 1617 if (m != NULL) 1618 m_freem(m); 1619 1620 fail: 1621 if (credit != NULL) 1622 zfree(rfcomm_credit_pool, credit); 1623 1624 return err; 1625 } 1626 1627 /* 1628 * send Multiplexer Control Command (or Response) on session 1629 */ 1630 int 1631 rfcomm_session_send_mcc(struct rfcomm_session *rs, int cr, 1632 uint8_t type, void *data, int len) 1633 { 1634 struct mbuf *m; 1635 uint8_t *hdr; 1636 int hlen; 1637 1638 m = m_gethdr(M_NOWAIT, MT_DATA); 1639 if (m == NULL) 1640 return ENOMEM; 1641 1642 hdr = mtod(m, uint8_t *); 1643 1644 /* 1645 * Technically the type field can extend past one octet, but none 1646 * currently defined will do that. 1647 */ 1648 *hdr++ = RFCOMM_MKMCC_TYPE(cr, type); 1649 1650 /* 1651 * In the frame, the max length size is 2 octets (15 bits) whereas 1652 * no max length size is specified for MCC commands. We must allow 1653 * for 3 octets since for MCC frames we use 7 bits + EA in each. 1654 * 1655 * Only test data can possibly be that big. 1656 * 1657 * XXX Should we check this against the MTU? 1658 */ 1659 if (len < (1 << 7)) { 1660 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1661 } else if (len < (1 << 14)) { 1662 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1663 *hdr++ = ((len >> 6) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1664 } else if (len < (1 << 15)) { 1665 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1666 *hdr++ = ((len >> 6) & 0xfe); /* 7 bits, EA = 0 */ 1667 *hdr++ = ((len >> 13) & 0x02) | 0x01; /* 1 bit, EA = 1 */ 1668 } else { 1669 DPRINTF("incredible length! (%d)\n", len); 1670 m_freem(m); 1671 return EMSGSIZE; 1672 } 1673 1674 /* 1675 * add command data (to same mbuf if possible) 1676 */ 1677 hlen = hdr - mtod(m, uint8_t *); 1678 1679 if (len > 0) { 1680 m->m_pkthdr.len = m->m_len = MHLEN; 1681 m_copyback(m, hlen, len, data); 1682 if (m->m_pkthdr.len != max(MHLEN, hlen + len)) { 1683 m_freem(m); 1684 return ENOMEM; 1685 } 1686 } 1687 1688 m->m_pkthdr.len = hlen + len; 1689 m->m_len = min(MHLEN, m->m_pkthdr.len); 1690 1691 DPRINTFN(5, "%s type %2.2x len %d\n", 1692 (cr ? "command" : "response"), type, m->m_pkthdr.len); 1693 1694 return rfcomm_session_send_uih(rs, NULL, 0, m); 1695 } 1696