1 /* $DragonFly: src/sys/netbt/rfcomm_session.c,v 1.2 2008/03/18 13:41:42 hasso Exp $ */ 2 /* $OpenBSD: src/sys/netbt/rfcomm_session.c,v 1.3 2008/02/24 21:34:48 uwe Exp $ */ 3 /* $NetBSD: rfcomm_session.c,v 1.12 2008/01/31 19:30:23 plunky Exp $ */ 4 5 /*- 6 * Copyright (c) 2006 Itronix Inc. 7 * All rights reserved. 8 * 9 * Written by Iain Hibbert for Itronix Inc. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. The name of Itronix Inc. may not be used to endorse 20 * or promote products derived from this software without specific 21 * prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 25 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 26 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY 27 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 28 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 29 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 30 * ON ANY THEORY OF LIABILITY, WHETHER IN 31 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 32 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 #include <sys/param.h> 37 #include <sys/kernel.h> 38 #include <sys/mbuf.h> 39 #include <sys/proc.h> 40 #include <sys/systm.h> 41 #include <sys/types.h> 42 #include <sys/endian.h> 43 44 #include <net/if.h> 45 46 #include <netbt/bluetooth.h> 47 #include <netbt/hci.h> 48 #include <netbt/l2cap.h> 49 #include <netbt/rfcomm.h> 50 51 /****************************************************************************** 52 * 53 * RFCOMM Multiplexer Sessions sit directly on L2CAP channels, and can 54 * multiplex up to 30 incoming and 30 outgoing connections. 55 * Only one Multiplexer is allowed between any two devices. 56 */ 57 58 static void rfcomm_session_recv_sabm(struct rfcomm_session *, int); 59 static void rfcomm_session_recv_disc(struct rfcomm_session *, int); 60 static void rfcomm_session_recv_ua(struct rfcomm_session *, int); 61 static void rfcomm_session_recv_dm(struct rfcomm_session *, int); 62 static void rfcomm_session_recv_uih(struct rfcomm_session *, int, int, struct mbuf *, int); 63 static void rfcomm_session_recv_mcc(struct rfcomm_session *, struct mbuf *); 64 static void rfcomm_session_recv_mcc_test(struct rfcomm_session *, int, struct mbuf *); 65 static void rfcomm_session_recv_mcc_fcon(struct rfcomm_session *, int); 66 static void rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *, int); 67 static void rfcomm_session_recv_mcc_msc(struct rfcomm_session *, int, struct mbuf *); 68 static void rfcomm_session_recv_mcc_rpn(struct rfcomm_session *, int, struct mbuf *); 69 static void rfcomm_session_recv_mcc_rls(struct rfcomm_session *, int, struct mbuf *); 70 static void rfcomm_session_recv_mcc_pn(struct rfcomm_session *, int, struct mbuf *); 71 static void rfcomm_session_recv_mcc_nsc(struct rfcomm_session *, int, struct mbuf *); 72 73 /* L2CAP callbacks */ 74 static void rfcomm_session_connecting(void *); 75 static void rfcomm_session_connected(void *); 76 static void rfcomm_session_disconnected(void *, int); 77 static void *rfcomm_session_newconn(void *, struct sockaddr_bt *, struct sockaddr_bt *); 78 static void rfcomm_session_complete(void *, int); 79 static void rfcomm_session_linkmode(void *, int); 80 static void rfcomm_session_input(void *, struct mbuf *); 81 82 static const struct btproto rfcomm_session_proto = { 83 rfcomm_session_connecting, 84 rfcomm_session_connected, 85 rfcomm_session_disconnected, 86 rfcomm_session_newconn, 87 rfcomm_session_complete, 88 rfcomm_session_linkmode, 89 rfcomm_session_input, 90 }; 91 92 struct rfcomm_session_list 93 rfcomm_session_active = LIST_HEAD_INITIALIZER(rfcomm_session_active); 94 95 struct rfcomm_session_list 96 rfcomm_session_listen = LIST_HEAD_INITIALIZER(rfcomm_session_listen); 97 98 vm_zone_t rfcomm_credit_pool; 99 100 /* 101 * RFCOMM System Parameters (see section 5.3) 102 */ 103 int rfcomm_mtu_default = 127; /* bytes */ 104 int rfcomm_ack_timeout = 20; /* seconds */ 105 int rfcomm_mcc_timeout = 20; /* seconds */ 106 107 /* 108 * Reversed CRC table as per TS 07.10 Annex B.3.5 109 */ 110 static const uint8_t crctable[256] = { /* reversed, 8-bit, poly=0x07 */ 111 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 112 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 113 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 114 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 115 116 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 117 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 118 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 119 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 120 121 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 122 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 123 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 124 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 125 126 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 127 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 128 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 129 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 130 131 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 132 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 133 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 134 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 135 136 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 137 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 138 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 139 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 140 141 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 142 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 143 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 144 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 145 146 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 147 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 148 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 149 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 150 }; 151 152 #define FCS(f, d) crctable[(f) ^ (d)] 153 154 /* 155 * rfcomm_init() 156 * 157 * initialize the "credit pool". 158 */ 159 void 160 rfcomm_init(void) 161 { 162 rfcomm_credit_pool = zinit("rfcomm_credit", 163 sizeof(struct rfcomm_credit), 0, 0, 0); 164 } 165 166 /* 167 * rfcomm_session_alloc(list, sockaddr) 168 * 169 * allocate a new session and fill in the blanks, then 170 * attach session to front of specified list (active or listen) 171 */ 172 struct rfcomm_session * 173 rfcomm_session_alloc(struct rfcomm_session_list *list, 174 struct sockaddr_bt *laddr) 175 { 176 struct rfcomm_session *rs; 177 int err; 178 179 rs = kmalloc(sizeof(*rs), M_BLUETOOTH, M_NOWAIT | M_ZERO); 180 if (rs == NULL) 181 return NULL; 182 183 rs->rs_state = RFCOMM_SESSION_CLOSED; 184 185 callout_init(&rs->rs_timeout); 186 187 STAILQ_INIT(&rs->rs_credits); 188 LIST_INIT(&rs->rs_dlcs); 189 190 err = l2cap_attach(&rs->rs_l2cap, &rfcomm_session_proto, rs); 191 if (err) { 192 kfree(rs, M_BLUETOOTH); 193 return NULL; 194 } 195 196 (void)l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu); 197 198 if (laddr->bt_psm == L2CAP_PSM_ANY) 199 laddr->bt_psm = L2CAP_PSM_RFCOMM; 200 201 (void)l2cap_bind(rs->rs_l2cap, laddr); 202 203 LIST_INSERT_HEAD(list, rs, rs_next); 204 205 return rs; 206 } 207 208 /* 209 * rfcomm_session_free(rfcomm_session) 210 * 211 * release a session, including any cleanup 212 */ 213 void 214 rfcomm_session_free(struct rfcomm_session *rs) 215 { 216 struct rfcomm_credit *credit; 217 218 KKASSERT(rs != NULL); 219 KKASSERT(LIST_EMPTY(&rs->rs_dlcs)); 220 221 rs->rs_state = RFCOMM_SESSION_CLOSED; 222 223 /* 224 * If the callout is already invoked we have no way to stop it, 225 * but it will call us back right away (there are no DLC's) so 226 * not to worry. 227 */ 228 callout_stop(&rs->rs_timeout); 229 if (callout_active(&rs->rs_timeout)) 230 return; 231 232 /* 233 * Take care that rfcomm_session_disconnected() doesnt call 234 * us back either as it will do if the l2cap_channel has not 235 * been closed when we detach it.. 236 */ 237 if (rs->rs_flags & RFCOMM_SESSION_FREE) 238 return; 239 240 rs->rs_flags |= RFCOMM_SESSION_FREE; 241 242 /* throw away any remaining credit notes */ 243 while ((credit = STAILQ_FIRST(&rs->rs_credits)) != NULL) { 244 STAILQ_REMOVE_HEAD(&rs->rs_credits, rc_next); 245 zfree(rfcomm_credit_pool, credit); 246 } 247 248 KKASSERT(STAILQ_EMPTY(&rs->rs_credits)); 249 250 /* Goodbye! */ 251 LIST_REMOVE(rs, rs_next); 252 l2cap_detach(&rs->rs_l2cap); 253 kfree(rs, M_BLUETOOTH); 254 } 255 256 /* 257 * rfcomm_session_lookup(sockaddr, sockaddr) 258 * 259 * Find active rfcomm session matching src and dest addresses 260 * when src is BDADDR_ANY match any local address 261 */ 262 struct rfcomm_session * 263 rfcomm_session_lookup(struct sockaddr_bt *src, struct sockaddr_bt *dest) 264 { 265 struct rfcomm_session *rs; 266 struct sockaddr_bt addr; 267 268 LIST_FOREACH(rs, &rfcomm_session_active, rs_next) { 269 if (rs->rs_state == RFCOMM_SESSION_CLOSED) 270 continue; 271 272 l2cap_sockaddr(rs->rs_l2cap, &addr); 273 274 if (bdaddr_same(&src->bt_bdaddr, &addr.bt_bdaddr) == 0) 275 if (bdaddr_any(&src->bt_bdaddr) == 0) 276 continue; 277 278 l2cap_peeraddr(rs->rs_l2cap, &addr); 279 280 if (addr.bt_psm != dest->bt_psm) 281 continue; 282 283 if (bdaddr_same(&dest->bt_bdaddr, &addr.bt_bdaddr)) 284 break; 285 } 286 287 return rs; 288 } 289 290 /* 291 * rfcomm_session_timeout(rfcomm_session) 292 * 293 * Session timeouts are scheduled when a session is left or 294 * created with no DLCs, and when SABM(0) or DISC(0) are 295 * sent. 296 * 297 * So, if it is in an open state with DLC's attached then 298 * we leave it alone, otherwise the session is lost. 299 */ 300 void 301 rfcomm_session_timeout(void *arg) 302 { 303 struct rfcomm_session *rs = arg; 304 struct rfcomm_dlc *dlc; 305 306 KKASSERT(rs != NULL); 307 308 crit_enter(); 309 310 if (rs->rs_state != RFCOMM_SESSION_OPEN) { 311 DPRINTF("timeout\n"); 312 rs->rs_state = RFCOMM_SESSION_CLOSED; 313 314 while (!LIST_EMPTY(&rs->rs_dlcs)) { 315 dlc = LIST_FIRST(&rs->rs_dlcs); 316 317 rfcomm_dlc_close(dlc, ETIMEDOUT); 318 } 319 } 320 321 if (LIST_EMPTY(&rs->rs_dlcs)) { 322 DPRINTF("expiring\n"); 323 rfcomm_session_free(rs); 324 } 325 crit_exit(); 326 } 327 328 /*********************************************************************** 329 * 330 * RFCOMM Session L2CAP protocol callbacks 331 * 332 */ 333 334 static void 335 rfcomm_session_connecting(void *arg) 336 { 337 /* struct rfcomm_session *rs = arg; */ 338 339 DPRINTF("Connecting\n"); 340 } 341 342 static void 343 rfcomm_session_connected(void *arg) 344 { 345 struct rfcomm_session *rs = arg; 346 347 DPRINTF("Connected\n"); 348 349 /* 350 * L2CAP is open. 351 * 352 * If we are initiator, we can send our SABM(0) 353 * a timeout should be active? 354 * 355 * We must take note of the L2CAP MTU because currently 356 * the L2CAP implementation can only do Basic Mode. 357 */ 358 l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu); 359 360 rs->rs_mtu -= 6; /* (RFCOMM overhead could be this big) */ 361 if (rs->rs_mtu < RFCOMM_MTU_MIN) { 362 rfcomm_session_disconnected(rs, EINVAL); 363 return; 364 } 365 366 if (IS_INITIATOR(rs)) { 367 int err; 368 369 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, 0); 370 if (err) 371 rfcomm_session_disconnected(rs, err); 372 373 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout * hz, 374 rfcomm_session_timeout, rs); 375 } 376 } 377 378 static void 379 rfcomm_session_disconnected(void *arg, int err) 380 { 381 struct rfcomm_session *rs = arg; 382 struct rfcomm_dlc *dlc; 383 384 DPRINTF("Disconnected\n"); 385 386 rs->rs_state = RFCOMM_SESSION_CLOSED; 387 388 while (!LIST_EMPTY(&rs->rs_dlcs)) { 389 dlc = LIST_FIRST(&rs->rs_dlcs); 390 391 rfcomm_dlc_close(dlc, err); 392 } 393 394 rfcomm_session_free(rs); 395 } 396 397 static void * 398 rfcomm_session_newconn(void *arg, struct sockaddr_bt *laddr, 399 struct sockaddr_bt *raddr) 400 { 401 struct rfcomm_session *new, *rs = arg; 402 403 DPRINTF("New Connection\n"); 404 405 /* 406 * Incoming session connect request. We should return a new 407 * session pointer if this is acceptable. The L2CAP layer 408 * passes local and remote addresses, which we must check as 409 * only one RFCOMM session is allowed between any two devices 410 */ 411 new = rfcomm_session_lookup(laddr, raddr); 412 if (new != NULL) 413 return NULL; 414 415 new = rfcomm_session_alloc(&rfcomm_session_active, laddr); 416 if (new == NULL) 417 return NULL; 418 419 new->rs_mtu = rs->rs_mtu; 420 new->rs_state = RFCOMM_SESSION_WAIT_CONNECT; 421 422 /* 423 * schedule an expiry so that if nothing comes of it we 424 * can punt. 425 */ 426 callout_reset(&rs->rs_timeout, rfcomm_mcc_timeout * hz, 427 rfcomm_session_timeout, rs); 428 429 return new->rs_l2cap; 430 } 431 432 static void 433 rfcomm_session_complete(void *arg, int count) 434 { 435 struct rfcomm_session *rs = arg; 436 struct rfcomm_credit *credit; 437 struct rfcomm_dlc *dlc; 438 439 /* 440 * count L2CAP packets are 'complete', meaning that they are cleared 441 * our buffers (for best effort) or arrived safe (for guaranteed) so 442 * we can take it off our list and pass the message on, so that 443 * eventually the data can be removed from the sockbuf 444 */ 445 while (count-- > 0) { 446 credit = STAILQ_FIRST(&rs->rs_credits); 447 #ifdef DIAGNOSTIC 448 if (credit == NULL) { 449 kprintf("%s: too many packets completed!\n", __func__); 450 break; 451 } 452 #endif 453 dlc = credit->rc_dlc; 454 if (dlc != NULL) { 455 dlc->rd_pending--; 456 (*dlc->rd_proto->complete) 457 (dlc->rd_upper, credit->rc_len); 458 459 /* 460 * if not using credit flow control, we may push 461 * more data now 462 */ 463 if ((rs->rs_flags & RFCOMM_SESSION_CFC) == 0 464 && dlc->rd_state == RFCOMM_DLC_OPEN) { 465 rfcomm_dlc_start(dlc); 466 } 467 468 /* 469 * When shutdown is indicated, we are just waiting to 470 * clear outgoing data. 471 */ 472 if ((dlc->rd_flags & RFCOMM_DLC_SHUTDOWN) 473 && dlc->rd_txbuf == NULL && dlc->rd_pending == 0) { 474 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT; 475 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 476 dlc->rd_dlci); 477 callout_reset(&dlc->rd_timeout, 478 rfcomm_ack_timeout * hz, 479 rfcomm_dlc_timeout, dlc); 480 } 481 } 482 483 STAILQ_REMOVE_HEAD(&rs->rs_credits, rc_next); 484 zfree(rfcomm_credit_pool, credit); 485 } 486 487 /* 488 * If session is closed, we are just waiting to clear the queue 489 */ 490 if (rs->rs_state == RFCOMM_SESSION_CLOSED) { 491 if (STAILQ_EMPTY(&rs->rs_credits)) 492 l2cap_disconnect(rs->rs_l2cap, 0); 493 } 494 } 495 496 /* 497 * Link Mode changed 498 * 499 * This is called when a mode change is complete. Proceed with connections 500 * where appropriate, or pass the new mode to any active DLCs. 501 */ 502 static void 503 rfcomm_session_linkmode(void *arg, int new) 504 { 505 struct rfcomm_session *rs = arg; 506 struct rfcomm_dlc *dlc, *next; 507 int err, mode = 0; 508 509 DPRINTF("auth %s, encrypt %s, secure %s\n", 510 (new & L2CAP_LM_AUTH ? "on" : "off"), 511 (new & L2CAP_LM_ENCRYPT ? "on" : "off"), 512 (new & L2CAP_LM_SECURE ? "on" : "off")); 513 514 if (new & L2CAP_LM_AUTH) 515 mode |= RFCOMM_LM_AUTH; 516 517 if (new & L2CAP_LM_ENCRYPT) 518 mode |= RFCOMM_LM_ENCRYPT; 519 520 if (new & L2CAP_LM_SECURE) 521 mode |= RFCOMM_LM_SECURE; 522 523 next = LIST_FIRST(&rs->rs_dlcs); 524 while ((dlc = next) != NULL) { 525 next = LIST_NEXT(dlc, rd_next); 526 527 switch (dlc->rd_state) { 528 case RFCOMM_DLC_WAIT_SEND_SABM: /* we are connecting */ 529 if ((mode & dlc->rd_mode) != dlc->rd_mode) { 530 rfcomm_dlc_close(dlc, ECONNABORTED); 531 } else { 532 err = rfcomm_session_send_frame(rs, 533 RFCOMM_FRAME_SABM, dlc->rd_dlci); 534 if (err) { 535 rfcomm_dlc_close(dlc, err); 536 } else { 537 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA; 538 callout_reset(&dlc->rd_timeout, 539 rfcomm_ack_timeout * hz, 540 rfcomm_dlc_timeout, dlc); 541 542 break; 543 } 544 } 545 546 /* 547 * If we aborted the connection and there are no more DLCs 548 * on the session, it is our responsibility to disconnect. 549 */ 550 if (!LIST_EMPTY(&rs->rs_dlcs)) 551 break; 552 553 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT; 554 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0); 555 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout * hz, 556 rfcomm_session_timeout, rs); 557 break; 558 559 case RFCOMM_DLC_WAIT_SEND_UA: /* they are connecting */ 560 if ((mode & dlc->rd_mode) != dlc->rd_mode) { 561 rfcomm_session_send_frame(rs, 562 RFCOMM_FRAME_DM, dlc->rd_dlci); 563 rfcomm_dlc_close(dlc, ECONNABORTED); 564 break; 565 } 566 567 err = rfcomm_session_send_frame(rs, 568 RFCOMM_FRAME_UA, dlc->rd_dlci); 569 if (err) { 570 rfcomm_session_send_frame(rs, 571 RFCOMM_FRAME_DM, dlc->rd_dlci); 572 rfcomm_dlc_close(dlc, err); 573 break; 574 } 575 576 err = rfcomm_dlc_open(dlc); 577 if (err) { 578 rfcomm_session_send_frame(rs, 579 RFCOMM_FRAME_DM, dlc->rd_dlci); 580 rfcomm_dlc_close(dlc, err); 581 break; 582 } 583 584 break; 585 586 case RFCOMM_DLC_WAIT_RECV_UA: 587 case RFCOMM_DLC_OPEN: /* already established */ 588 (*dlc->rd_proto->linkmode)(dlc->rd_upper, mode); 589 break; 590 591 default: 592 break; 593 } 594 } 595 } 596 597 /* 598 * Receive data from L2CAP layer for session. There is always exactly one 599 * RFCOMM frame contained in each L2CAP frame. 600 */ 601 static void 602 rfcomm_session_input(void *arg, struct mbuf *m) 603 { 604 struct rfcomm_session *rs = arg; 605 int dlci, len, type, pf; 606 uint8_t fcs, b; 607 608 KKASSERT(m != NULL); 609 KKASSERT(rs != NULL); 610 611 /* 612 * UIH frames: FCS is only calculated on address and control fields 613 * For other frames: FCS is calculated on address, control and length 614 * Length may extend to two octets 615 */ 616 fcs = 0xff; 617 618 if (m->m_pkthdr.len < 4) { 619 DPRINTF("short frame (%d), discarded\n", m->m_pkthdr.len); 620 goto done; 621 } 622 623 /* address - one octet */ 624 m_copydata(m, 0, 1, &b); 625 m_adj(m, 1); 626 fcs = FCS(fcs, b); 627 dlci = RFCOMM_DLCI(b); 628 629 /* control - one octet */ 630 m_copydata(m, 0, 1, &b); 631 m_adj(m, 1); 632 fcs = FCS(fcs, b); 633 type = RFCOMM_TYPE(b); 634 pf = RFCOMM_PF(b); 635 636 /* length - may be two octets */ 637 m_copydata(m, 0, 1, &b); 638 m_adj(m, 1); 639 if (type != RFCOMM_FRAME_UIH) 640 fcs = FCS(fcs, b); 641 len = (b >> 1) & 0x7f; 642 643 if (RFCOMM_EA(b) == 0) { 644 if (m->m_pkthdr.len < 2) { 645 DPRINTF("short frame (%d, EA = 0), discarded\n", 646 m->m_pkthdr.len); 647 goto done; 648 } 649 650 m_copydata(m, 0, 1, &b); 651 m_adj(m, 1); 652 if (type != RFCOMM_FRAME_UIH) 653 fcs = FCS(fcs, b); 654 655 len |= (b << 7); 656 } 657 658 /* FCS byte is last octet in frame */ 659 m_copydata(m, m->m_pkthdr.len - 1, 1, &b); 660 m_adj(m, -1); 661 fcs = FCS(fcs, b); 662 663 if (fcs != 0xcf) { 664 DPRINTF("Bad FCS value (%#2.2x), frame discarded\n", fcs); 665 goto done; 666 } 667 668 DPRINTFN(10, "dlci %d, type %2.2x, len = %d\n", dlci, type, len); 669 670 switch (type) { 671 case RFCOMM_FRAME_SABM: 672 if (pf) 673 rfcomm_session_recv_sabm(rs, dlci); 674 break; 675 676 case RFCOMM_FRAME_DISC: 677 if (pf) 678 rfcomm_session_recv_disc(rs, dlci); 679 break; 680 681 case RFCOMM_FRAME_UA: 682 if (pf) 683 rfcomm_session_recv_ua(rs, dlci); 684 break; 685 686 case RFCOMM_FRAME_DM: 687 rfcomm_session_recv_dm(rs, dlci); 688 break; 689 690 case RFCOMM_FRAME_UIH: 691 rfcomm_session_recv_uih(rs, dlci, pf, m, len); 692 return; /* (no release) */ 693 694 default: 695 UNKNOWN(type); 696 break; 697 } 698 699 done: 700 m_freem(m); 701 } 702 703 /*********************************************************************** 704 * 705 * RFCOMM Session receive processing 706 */ 707 708 /* 709 * rfcomm_session_recv_sabm(rfcomm_session, dlci) 710 * 711 * Set Asyncrhonous Balanced Mode - open the channel. 712 */ 713 static void 714 rfcomm_session_recv_sabm(struct rfcomm_session *rs, int dlci) 715 { 716 struct rfcomm_dlc *dlc; 717 int err; 718 719 DPRINTFN(5, "SABM(%d)\n", dlci); 720 721 if (dlci == 0) { /* Open Session */ 722 rs->rs_state = RFCOMM_SESSION_OPEN; 723 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0); 724 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) { 725 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION) 726 rfcomm_dlc_connect(dlc); 727 } 728 return; 729 } 730 731 if (rs->rs_state != RFCOMM_SESSION_OPEN) { 732 DPRINTF("session was not even open!\n"); 733 return; 734 } 735 736 /* validate direction bit */ 737 if ((IS_INITIATOR(rs) && !RFCOMM_DIRECTION(dlci)) 738 || (!IS_INITIATOR(rs) && RFCOMM_DIRECTION(dlci))) { 739 DPRINTF("Invalid direction bit on DLCI\n"); 740 return; 741 } 742 743 /* 744 * look for our DLC - this may exist if we received PN 745 * already, or we may have to fabricate a new one. 746 */ 747 dlc = rfcomm_dlc_lookup(rs, dlci); 748 if (dlc == NULL) { 749 dlc = rfcomm_dlc_newconn(rs, dlci); 750 if (dlc == NULL) 751 return; /* (DM is sent) */ 752 } 753 754 /* 755 * ..but if this DLC is not waiting to connect, they did 756 * something wrong, ignore it. 757 */ 758 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT) 759 return; 760 761 /* set link mode */ 762 err = rfcomm_dlc_setmode(dlc); 763 if (err == EINPROGRESS) { 764 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_UA; 765 (*dlc->rd_proto->connecting)(dlc->rd_upper); 766 return; 767 } 768 if (err) 769 goto close; 770 771 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci); 772 if (err) 773 goto close; 774 775 /* and mark it open */ 776 err = rfcomm_dlc_open(dlc); 777 if (err) 778 goto close; 779 780 return; 781 782 close: 783 rfcomm_dlc_close(dlc, err); 784 } 785 786 /* 787 * Receive Disconnect Command 788 */ 789 static void 790 rfcomm_session_recv_disc(struct rfcomm_session *rs, int dlci) 791 { 792 struct rfcomm_dlc *dlc; 793 794 DPRINTFN(5, "DISC(%d)\n", dlci); 795 796 if (dlci == 0) { 797 /* 798 * Disconnect Session 799 * 800 * We set the session state to CLOSED so that when 801 * the UA frame is clear the session will be closed 802 * automatically. We wont bother to close any DLC's 803 * just yet as there should be none. In the unlikely 804 * event that something is left, it will get flushed 805 * out as the session goes down. 806 */ 807 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0); 808 rs->rs_state = RFCOMM_SESSION_CLOSED; 809 return; 810 } 811 812 dlc = rfcomm_dlc_lookup(rs, dlci); 813 if (dlc == NULL) { 814 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci); 815 return; 816 } 817 818 rfcomm_dlc_close(dlc, ECONNRESET); 819 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci); 820 } 821 822 /* 823 * Receive Unnumbered Acknowledgement Response 824 * 825 * This should be a response to a DISC or SABM frame that we 826 * have previously sent. If unexpected, ignore it. 827 */ 828 static void 829 rfcomm_session_recv_ua(struct rfcomm_session *rs, int dlci) 830 { 831 struct rfcomm_dlc *dlc; 832 833 DPRINTFN(5, "UA(%d)\n", dlci); 834 835 if (dlci == 0) { 836 switch (rs->rs_state) { 837 case RFCOMM_SESSION_WAIT_CONNECT: /* We sent SABM */ 838 callout_stop(&rs->rs_timeout); 839 rs->rs_state = RFCOMM_SESSION_OPEN; 840 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) { 841 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION) 842 rfcomm_dlc_connect(dlc); 843 } 844 break; 845 846 case RFCOMM_SESSION_WAIT_DISCONNECT: /* We sent DISC */ 847 callout_stop(&rs->rs_timeout); 848 rs->rs_state = RFCOMM_SESSION_CLOSED; 849 l2cap_disconnect(rs->rs_l2cap, 0); 850 break; 851 852 default: 853 DPRINTF("Received spurious UA(0)!\n"); 854 break; 855 } 856 857 return; 858 } 859 860 /* 861 * If we have no DLC on this dlci, we may have aborted 862 * without shutting down properly, so check if the session 863 * needs disconnecting. 864 */ 865 dlc = rfcomm_dlc_lookup(rs, dlci); 866 if (dlc == NULL) 867 goto check; 868 869 switch (dlc->rd_state) { 870 case RFCOMM_DLC_WAIT_RECV_UA: /* We sent SABM */ 871 rfcomm_dlc_open(dlc); 872 return; 873 874 case RFCOMM_DLC_WAIT_DISCONNECT: /* We sent DISC */ 875 rfcomm_dlc_close(dlc, 0); 876 break; 877 878 default: 879 DPRINTF("Received spurious UA(%d)!\n", dlci); 880 return; 881 } 882 883 check: /* last one out turns out the light */ 884 if (LIST_EMPTY(&rs->rs_dlcs)) { 885 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT; 886 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0); 887 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout*hz,rfcomm_session_timeout,rs); 888 } 889 } 890 891 /* 892 * Receive Disconnected Mode Response 893 * 894 * If this does not apply to a known DLC then we may ignore it. 895 */ 896 static void 897 rfcomm_session_recv_dm(struct rfcomm_session *rs, int dlci) 898 { 899 struct rfcomm_dlc *dlc; 900 901 DPRINTFN(5, "DM(%d)\n", dlci); 902 903 dlc = rfcomm_dlc_lookup(rs, dlci); 904 if (dlc == NULL) 905 return; 906 907 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT) 908 rfcomm_dlc_close(dlc, ECONNREFUSED); 909 else 910 rfcomm_dlc_close(dlc, ECONNRESET); 911 } 912 913 /* 914 * Receive Unnumbered Information with Header check (MCC or data packet) 915 */ 916 static void 917 rfcomm_session_recv_uih(struct rfcomm_session *rs, int dlci, 918 int pf, struct mbuf *m, int len) 919 { 920 struct rfcomm_dlc *dlc; 921 uint8_t credits = 0; 922 923 DPRINTFN(10, "UIH(%d)\n", dlci); 924 925 if (dlci == 0) { 926 rfcomm_session_recv_mcc(rs, m); 927 return; 928 } 929 930 if (m->m_pkthdr.len != len + pf) { 931 DPRINTF("Bad Frame Length (%d), frame discarded\n", 932 m->m_pkthdr.len); 933 934 goto discard; 935 } 936 937 dlc = rfcomm_dlc_lookup(rs, dlci); 938 if (dlc == NULL) { 939 DPRINTF("UIH received for non existent DLC, discarded\n"); 940 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci); 941 goto discard; 942 } 943 944 if (dlc->rd_state != RFCOMM_DLC_OPEN) { 945 DPRINTF("non-open DLC (state = %d), discarded\n", 946 dlc->rd_state); 947 goto discard; 948 } 949 950 /* if PF is set, credits were included */ 951 if (rs->rs_flags & RFCOMM_SESSION_CFC) { 952 if (pf != 0) { 953 if (m->m_pkthdr.len < sizeof(credits)) { 954 DPRINTF("Bad PF value, UIH discarded\n"); 955 goto discard; 956 } 957 958 m_copydata(m, 0, sizeof(credits), &credits); 959 m_adj(m, sizeof(credits)); 960 961 dlc->rd_txcred += credits; 962 963 if (credits > 0 && dlc->rd_txbuf != NULL) 964 rfcomm_dlc_start(dlc); 965 } 966 967 if (len == 0) 968 goto discard; 969 970 if (dlc->rd_rxcred == 0) { 971 DPRINTF("Credit limit reached, UIH discarded\n"); 972 goto discard; 973 } 974 975 if (len > dlc->rd_rxsize) { 976 DPRINTF("UIH frame exceeds rxsize, discarded\n"); 977 goto discard; 978 } 979 980 dlc->rd_rxcred--; 981 dlc->rd_rxsize -= len; 982 } 983 984 (*dlc->rd_proto->input)(dlc->rd_upper, m); 985 return; 986 987 discard: 988 m_freem(m); 989 } 990 991 /* 992 * Receive Multiplexer Control Command 993 */ 994 static void 995 rfcomm_session_recv_mcc(struct rfcomm_session *rs, struct mbuf *m) 996 { 997 int type, cr, len; 998 uint8_t b; 999 1000 /* 1001 * Extract MCC header. 1002 * 1003 * Fields are variable length using extension bit = 1 to signify the 1004 * last octet in the sequence. 1005 * 1006 * Only single octet types are defined in TS 07.10/RFCOMM spec 1007 * 1008 * Length can realistically only use 15 bits (max RFCOMM MTU) 1009 */ 1010 if (m->m_pkthdr.len < sizeof(b)) { 1011 DPRINTF("Short MCC header, discarded\n"); 1012 goto release; 1013 } 1014 1015 m_copydata(m, 0, sizeof(b), &b); 1016 m_adj(m, sizeof(b)); 1017 1018 if (RFCOMM_EA(b) == 0) { /* verify no extensions */ 1019 DPRINTF("MCC type EA = 0, discarded\n"); 1020 goto release; 1021 } 1022 1023 type = RFCOMM_MCC_TYPE(b); 1024 cr = RFCOMM_CR(b); 1025 1026 len = 0; 1027 do { 1028 if (m->m_pkthdr.len < sizeof(b)) { 1029 DPRINTF("Short MCC header, discarded\n"); 1030 goto release; 1031 } 1032 1033 m_copydata(m, 0, sizeof(b), &b); 1034 m_adj(m, sizeof(b)); 1035 1036 len = (len << 7) | (b >> 1); 1037 len = min(len, RFCOMM_MTU_MAX); 1038 } while (RFCOMM_EA(b) == 0); 1039 1040 if (len != m->m_pkthdr.len) { 1041 DPRINTF("Incorrect MCC length, discarded\n"); 1042 goto release; 1043 } 1044 1045 DPRINTFN(2, "MCC %s type %2.2x (%d bytes)\n", 1046 (cr ? "command" : "response"), type, len); 1047 1048 /* 1049 * pass to command handler 1050 */ 1051 switch(type) { 1052 case RFCOMM_MCC_TEST: /* Test */ 1053 rfcomm_session_recv_mcc_test(rs, cr, m); 1054 break; 1055 1056 case RFCOMM_MCC_FCON: /* Flow Control On */ 1057 rfcomm_session_recv_mcc_fcon(rs, cr); 1058 break; 1059 1060 case RFCOMM_MCC_FCOFF: /* Flow Control Off */ 1061 rfcomm_session_recv_mcc_fcoff(rs, cr); 1062 break; 1063 1064 case RFCOMM_MCC_MSC: /* Modem Status Command */ 1065 rfcomm_session_recv_mcc_msc(rs, cr, m); 1066 break; 1067 1068 case RFCOMM_MCC_RPN: /* Remote Port Negotiation */ 1069 rfcomm_session_recv_mcc_rpn(rs, cr, m); 1070 break; 1071 1072 case RFCOMM_MCC_RLS: /* Remote Line Status */ 1073 rfcomm_session_recv_mcc_rls(rs, cr, m); 1074 break; 1075 1076 case RFCOMM_MCC_PN: /* Parameter Negotiation */ 1077 rfcomm_session_recv_mcc_pn(rs, cr, m); 1078 break; 1079 1080 case RFCOMM_MCC_NSC: /* Non Supported Command */ 1081 rfcomm_session_recv_mcc_nsc(rs, cr, m); 1082 break; 1083 1084 default: 1085 b = RFCOMM_MKMCC_TYPE(cr, type); 1086 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_NSC, &b, sizeof(b)); 1087 } 1088 1089 release: 1090 m_freem(m); 1091 } 1092 1093 /* 1094 * process TEST command/response 1095 */ 1096 static void 1097 rfcomm_session_recv_mcc_test(struct rfcomm_session *rs, int cr, struct mbuf *m) 1098 { 1099 void *data; 1100 int len; 1101 1102 if (cr == 0) /* ignore ack */ 1103 return; 1104 1105 /* 1106 * we must send all the data they included back as is 1107 */ 1108 1109 len = m->m_pkthdr.len; 1110 if (len > RFCOMM_MTU_MAX) 1111 return; 1112 1113 data = kmalloc(len, M_BLUETOOTH, M_NOWAIT); 1114 if (data == NULL) 1115 return; 1116 1117 m_copydata(m, 0, len, data); 1118 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_TEST, data, len); 1119 kfree(data, M_BLUETOOTH); 1120 } 1121 1122 /* 1123 * process Flow Control ON command/response 1124 */ 1125 static void 1126 rfcomm_session_recv_mcc_fcon(struct rfcomm_session *rs, int cr) 1127 { 1128 1129 if (cr == 0) /* ignore ack */ 1130 return; 1131 1132 rs->rs_flags |= RFCOMM_SESSION_RFC; 1133 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCON, NULL, 0); 1134 } 1135 1136 /* 1137 * process Flow Control OFF command/response 1138 */ 1139 static void 1140 rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *rs, int cr) 1141 { 1142 if (cr == 0) /* ignore ack */ 1143 return; 1144 1145 rs->rs_flags &= ~RFCOMM_SESSION_RFC; 1146 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCOFF, NULL, 0); 1147 } 1148 1149 /* 1150 * process Modem Status Command command/response 1151 */ 1152 static void 1153 rfcomm_session_recv_mcc_msc(struct rfcomm_session *rs, int cr, struct mbuf *m) 1154 { 1155 struct rfcomm_mcc_msc msc; /* (3 octets) */ 1156 struct rfcomm_dlc *dlc; 1157 int len = 0; 1158 1159 /* [ADDRESS] */ 1160 if (m->m_pkthdr.len < sizeof(msc.address)) 1161 return; 1162 1163 m_copydata(m, 0, sizeof(msc.address), &msc.address); 1164 m_adj(m, sizeof(msc.address)); 1165 len += sizeof(msc.address); 1166 1167 dlc = rfcomm_dlc_lookup(rs, RFCOMM_DLCI(msc.address)); 1168 1169 if (cr == 0) { /* ignore acks */ 1170 if (dlc != NULL) 1171 callout_stop(&dlc->rd_timeout); 1172 1173 return; 1174 } 1175 1176 if (dlc == NULL) { 1177 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, 1178 RFCOMM_DLCI(msc.address)); 1179 return; 1180 } 1181 1182 /* [SIGNALS] */ 1183 if (m->m_pkthdr.len < sizeof(msc.modem)) 1184 return; 1185 1186 m_copydata(m, 0, sizeof(msc.modem), &msc.modem); 1187 m_adj(m, sizeof(msc.modem)); 1188 len += sizeof(msc.modem); 1189 1190 dlc->rd_rmodem = msc.modem; 1191 /* XXX how do we signal this upstream? */ 1192 1193 if (RFCOMM_EA(msc.modem) == 0) { 1194 if (m->m_pkthdr.len < sizeof(msc.brk)) 1195 return; 1196 1197 m_copydata(m, 0, sizeof(msc.brk), &msc.brk); 1198 m_adj(m, sizeof(msc.brk)); 1199 len += sizeof(msc.brk); 1200 1201 /* XXX how do we signal this upstream? */ 1202 } 1203 1204 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_MSC, &msc, len); 1205 } 1206 1207 /* 1208 * process Remote Port Negotiation command/response 1209 */ 1210 static void 1211 rfcomm_session_recv_mcc_rpn(struct rfcomm_session *rs, int cr, struct mbuf *m) 1212 { 1213 struct rfcomm_mcc_rpn rpn; 1214 uint16_t mask; 1215 1216 if (cr == 0) /* ignore ack */ 1217 return; 1218 1219 /* default values */ 1220 rpn.bit_rate = RFCOMM_RPN_BR_9600; 1221 rpn.line_settings = RFCOMM_RPN_8_N_1; 1222 rpn.flow_control = RFCOMM_RPN_FLOW_NONE; 1223 rpn.xon_char = RFCOMM_RPN_XON_CHAR; 1224 rpn.xoff_char = RFCOMM_RPN_XOFF_CHAR; 1225 1226 if (m->m_pkthdr.len == sizeof(rpn)) { 1227 m_copydata(m, 0, sizeof(rpn), (caddr_t)&rpn); 1228 rpn.param_mask = RFCOMM_RPN_PM_ALL; 1229 } else if (m->m_pkthdr.len == 1) { 1230 m_copydata(m, 0, 1, (caddr_t)&rpn); 1231 rpn.param_mask = letoh16(rpn.param_mask); 1232 } else { 1233 DPRINTF("Bad RPN length (%d)\n", m->m_pkthdr.len); 1234 return; 1235 } 1236 1237 mask = 0; 1238 1239 if (rpn.param_mask & RFCOMM_RPN_PM_RATE) 1240 mask |= RFCOMM_RPN_PM_RATE; 1241 1242 if (rpn.param_mask & RFCOMM_RPN_PM_DATA 1243 && RFCOMM_RPN_DATA_BITS(rpn.line_settings) == RFCOMM_RPN_DATA_8) 1244 mask |= RFCOMM_RPN_PM_DATA; 1245 1246 if (rpn.param_mask & RFCOMM_RPN_PM_STOP 1247 && RFCOMM_RPN_STOP_BITS(rpn.line_settings) == RFCOMM_RPN_STOP_1) 1248 mask |= RFCOMM_RPN_PM_STOP; 1249 1250 if (rpn.param_mask & RFCOMM_RPN_PM_PARITY 1251 && RFCOMM_RPN_PARITY(rpn.line_settings) == RFCOMM_RPN_PARITY_NONE) 1252 mask |= RFCOMM_RPN_PM_PARITY; 1253 1254 if (rpn.param_mask & RFCOMM_RPN_PM_XON 1255 && rpn.xon_char == RFCOMM_RPN_XON_CHAR) 1256 mask |= RFCOMM_RPN_PM_XON; 1257 1258 if (rpn.param_mask & RFCOMM_RPN_PM_XOFF 1259 && rpn.xoff_char == RFCOMM_RPN_XOFF_CHAR) 1260 mask |= RFCOMM_RPN_PM_XOFF; 1261 1262 if (rpn.param_mask & RFCOMM_RPN_PM_FLOW 1263 && rpn.flow_control == RFCOMM_RPN_FLOW_NONE) 1264 mask |= RFCOMM_RPN_PM_FLOW; 1265 1266 rpn.param_mask = htole16(mask); 1267 1268 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RPN, &rpn, sizeof(rpn)); 1269 } 1270 1271 /* 1272 * process Remote Line Status command/response 1273 */ 1274 static void 1275 rfcomm_session_recv_mcc_rls(struct rfcomm_session *rs, int cr, struct mbuf *m) 1276 { 1277 struct rfcomm_mcc_rls rls; 1278 1279 if (cr == 0) /* ignore ack */ 1280 return; 1281 1282 if (m->m_pkthdr.len != sizeof(rls)) { 1283 DPRINTF("Bad RLS length %d\n", m->m_pkthdr.len); 1284 return; 1285 } 1286 1287 m_copydata(m, 0, sizeof(rls), (caddr_t)&rls); 1288 1289 /* 1290 * So far as I can tell, we just send back what 1291 * they sent us. This signifies errors that seem 1292 * irrelevent for RFCOMM over L2CAP. 1293 */ 1294 rls.address |= 0x03; /* EA = 1, CR = 1 */ 1295 rls.status &= 0x0f; /* only 4 bits valid */ 1296 1297 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RLS, &rls, sizeof(rls)); 1298 } 1299 1300 /* 1301 * process Parameter Negotiation command/response 1302 */ 1303 static void 1304 rfcomm_session_recv_mcc_pn(struct rfcomm_session *rs, int cr, struct mbuf *m) 1305 { 1306 struct rfcomm_dlc *dlc; 1307 struct rfcomm_mcc_pn pn; 1308 int err; 1309 1310 if (m->m_pkthdr.len != sizeof(pn)) { 1311 DPRINTF("Bad PN length %d\n", m->m_pkthdr.len); 1312 return; 1313 } 1314 1315 m_copydata(m, 0, sizeof(pn), (caddr_t)&pn); 1316 1317 pn.dlci &= 0x3f; 1318 pn.mtu = letoh16(pn.mtu); 1319 1320 dlc = rfcomm_dlc_lookup(rs, pn.dlci); 1321 if (cr) { /* Command */ 1322 /* 1323 * If there is no DLC present, this is a new 1324 * connection so attempt to make one 1325 */ 1326 if (dlc == NULL) { 1327 dlc = rfcomm_dlc_newconn(rs, pn.dlci); 1328 if (dlc == NULL) 1329 return; /* (DM is sent) */ 1330 } 1331 1332 /* accept any valid MTU, and offer it back */ 1333 pn.mtu = min(pn.mtu, RFCOMM_MTU_MAX); 1334 pn.mtu = min(pn.mtu, rs->rs_mtu); 1335 pn.mtu = max(pn.mtu, RFCOMM_MTU_MIN); 1336 dlc->rd_mtu = pn.mtu; 1337 pn.mtu = htole16(pn.mtu); 1338 1339 /* credits are only set before DLC is open */ 1340 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT 1341 && (pn.flow_control & 0xf0) == 0xf0) { 1342 rs->rs_flags |= RFCOMM_SESSION_CFC; 1343 dlc->rd_txcred = pn.credits & 0x07; 1344 1345 dlc->rd_rxcred = (dlc->rd_rxsize / dlc->rd_mtu); 1346 dlc->rd_rxcred = min(dlc->rd_rxcred, 1347 RFCOMM_CREDITS_DEFAULT); 1348 1349 pn.flow_control = 0xe0; 1350 pn.credits = dlc->rd_rxcred; 1351 } else { 1352 pn.flow_control = 0x00; 1353 pn.credits = 0x00; 1354 } 1355 1356 /* unused fields must be ignored and set to zero */ 1357 pn.ack_timer = 0; 1358 pn.max_retrans = 0; 1359 1360 /* send our response */ 1361 err = rfcomm_session_send_mcc(rs, 0, 1362 RFCOMM_MCC_PN, &pn, sizeof(pn)); 1363 if (err) 1364 goto close; 1365 1366 } else { /* Response */ 1367 /* ignore responses with no matching DLC */ 1368 if (dlc == NULL) 1369 return; 1370 1371 callout_stop(&dlc->rd_timeout); 1372 1373 if (pn.mtu > RFCOMM_MTU_MAX || pn.mtu > dlc->rd_mtu) { 1374 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT; 1375 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 1376 pn.dlci); 1377 if (err) 1378 goto close; 1379 1380 callout_reset(&dlc->rd_timeout, rfcomm_ack_timeout * hz, 1381 rfcomm_dlc_timeout, dlc); 1382 return; 1383 } 1384 dlc->rd_mtu = pn.mtu; 1385 1386 /* if DLC is not waiting to connect, we are done */ 1387 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT) 1388 return; 1389 1390 /* set initial credits according to RFCOMM spec */ 1391 if ((pn.flow_control & 0xf0) == 0xe0) { 1392 rs->rs_flags |= RFCOMM_SESSION_CFC; 1393 dlc->rd_txcred = (pn.credits & 0x07); 1394 } 1395 1396 callout_reset(&dlc->rd_timeout, rfcomm_ack_timeout * hz, 1397 rfcomm_dlc_timeout, dlc); 1398 1399 /* set link mode */ 1400 err = rfcomm_dlc_setmode(dlc); 1401 if (err == EINPROGRESS) { 1402 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_SABM; 1403 (*dlc->rd_proto->connecting)(dlc->rd_upper); 1404 return; 1405 } 1406 if (err) 1407 goto close; 1408 1409 /* we can proceed now */ 1410 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, pn.dlci); 1411 if (err) 1412 goto close; 1413 1414 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA; 1415 } 1416 return; 1417 1418 close: 1419 rfcomm_dlc_close(dlc, err); 1420 } 1421 1422 /* 1423 * process Non Supported Command command/response 1424 */ 1425 static void 1426 rfcomm_session_recv_mcc_nsc(struct rfcomm_session *rs, 1427 int cr, struct mbuf *m) 1428 { 1429 struct rfcomm_dlc *dlc, *next; 1430 1431 /* 1432 * Since we did nothing that is not mandatory, 1433 * we just abort the whole session.. 1434 */ 1435 1436 next = LIST_FIRST(&rs->rs_dlcs); 1437 while ((dlc = next) != NULL) { 1438 next = LIST_NEXT(dlc, rd_next); 1439 rfcomm_dlc_close(dlc, ECONNABORTED); 1440 } 1441 1442 rfcomm_session_free(rs); 1443 } 1444 1445 /*********************************************************************** 1446 * 1447 * RFCOMM Session outward frame/uih/mcc building 1448 */ 1449 1450 /* 1451 * SABM/DISC/DM/UA frames are all minimal and mostly identical. 1452 */ 1453 int 1454 rfcomm_session_send_frame(struct rfcomm_session *rs, int type, int dlci) 1455 { 1456 struct rfcomm_cmd_hdr *hdr; 1457 struct rfcomm_credit *credit; 1458 struct mbuf *m; 1459 uint8_t fcs, cr; 1460 1461 credit = zalloc(rfcomm_credit_pool); 1462 if (credit == NULL) 1463 return ENOMEM; 1464 1465 m = m_gethdr(MB_DONTWAIT, MT_DATA); 1466 if (m == NULL) { 1467 zfree(rfcomm_credit_pool, credit); 1468 return ENOMEM; 1469 } 1470 1471 /* 1472 * The CR (command/response) bit identifies the frame either as a 1473 * commmand or a response and is used along with the DLCI to form 1474 * the address. Commands contain the non-initiator address, whereas 1475 * responses contain the initiator address, so the CR value is 1476 * also dependent on the session direction. 1477 */ 1478 if (type == RFCOMM_FRAME_UA || type == RFCOMM_FRAME_DM) 1479 cr = IS_INITIATOR(rs) ? 0 : 1; 1480 else 1481 cr = IS_INITIATOR(rs) ? 1 : 0; 1482 1483 hdr = mtod(m, struct rfcomm_cmd_hdr *); 1484 hdr->address = RFCOMM_MKADDRESS(cr, dlci); 1485 hdr->control = RFCOMM_MKCONTROL(type, 1); /* PF = 1 */ 1486 hdr->length = (0x00 << 1) | 0x01; /* len = 0x00, EA = 1 */ 1487 1488 fcs = 0xff; 1489 fcs = FCS(fcs, hdr->address); 1490 fcs = FCS(fcs, hdr->control); 1491 fcs = FCS(fcs, hdr->length); 1492 fcs = 0xff - fcs; /* ones complement */ 1493 hdr->fcs = fcs; 1494 1495 m->m_pkthdr.len = m->m_len = sizeof(struct rfcomm_cmd_hdr); 1496 1497 /* empty credit note */ 1498 credit->rc_dlc = NULL; 1499 credit->rc_len = m->m_pkthdr.len; 1500 STAILQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next); 1501 1502 DPRINTFN(5, "dlci %d type %2.2x (%d bytes, fcs=%#2.2x)\n", 1503 dlci, type, m->m_pkthdr.len, fcs); 1504 1505 return l2cap_send(rs->rs_l2cap, m); 1506 } 1507 1508 /* 1509 * rfcomm_session_send_uih(rfcomm_session, rfcomm_dlc, credits, mbuf) 1510 * 1511 * UIH frame is per DLC data or Multiplexer Control Commands 1512 * when no DLC is given. Data mbuf is optional (just credits 1513 * will be sent in that case) 1514 */ 1515 int 1516 rfcomm_session_send_uih(struct rfcomm_session *rs, struct rfcomm_dlc *dlc, 1517 int credits, struct mbuf *m) 1518 { 1519 struct rfcomm_credit *credit; 1520 struct mbuf *m0 = NULL; 1521 int err, len; 1522 uint8_t fcs, *hdr; 1523 1524 KKASSERT(rs != NULL); 1525 1526 len = (m == NULL) ? 0 : m->m_pkthdr.len; 1527 KKASSERT(!(credits == 0 && len == 0)); 1528 1529 /* 1530 * Make a credit note for the completion notification 1531 */ 1532 credit = zalloc(rfcomm_credit_pool); 1533 if (credit == NULL) 1534 goto nomem; 1535 1536 credit->rc_len = len; 1537 credit->rc_dlc = dlc; 1538 1539 /* 1540 * Wrap UIH frame information around payload. 1541 * 1542 * [ADDRESS] [CONTROL] [LENGTH] [CREDITS] [...] [FCS] 1543 * 1544 * Address is one octet. 1545 * Control is one octet. 1546 * Length is one or two octets. 1547 * Credits may be one octet. 1548 * 1549 * FCS is one octet and calculated on address and 1550 * control octets only. 1551 * 1552 * If there are credits to be sent, we will set the PF 1553 * flag and include them in the frame. 1554 */ 1555 m0 = m_gethdr(MB_DONTWAIT, MT_DATA); 1556 if (m0 == NULL) 1557 goto nomem; 1558 1559 MH_ALIGN(m0, 5); /* (max 5 header octets) */ 1560 hdr = mtod(m0, uint8_t *); 1561 1562 /* CR bit is set according to the initiator of the session */ 1563 *hdr = RFCOMM_MKADDRESS((IS_INITIATOR(rs) ? 1 : 0), 1564 (dlc ? dlc->rd_dlci : 0)); 1565 fcs = FCS(0xff, *hdr); 1566 hdr++; 1567 1568 /* PF bit is set if credits are being sent */ 1569 *hdr = RFCOMM_MKCONTROL(RFCOMM_FRAME_UIH, (credits > 0 ? 1 : 0)); 1570 fcs = FCS(fcs, *hdr); 1571 hdr++; 1572 1573 if (len < (1 << 7)) { 1574 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1575 } else { 1576 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1577 *hdr++ = ((len >> 7) & 0xff); /* 8 bits, no EA */ 1578 } 1579 1580 if (credits > 0) 1581 *hdr++ = (uint8_t)credits; 1582 1583 m0->m_len = hdr - mtod(m0, uint8_t *); 1584 1585 /* Append payload */ 1586 m0->m_next = m; 1587 m = NULL; 1588 1589 m0->m_pkthdr.len = m0->m_len + len; 1590 1591 /* Append FCS */ 1592 fcs = 0xff - fcs; /* ones complement */ 1593 len = m0->m_pkthdr.len; 1594 m_copyback(m0, len, sizeof(fcs), &fcs); 1595 if (m0->m_pkthdr.len != len + sizeof(fcs)) 1596 goto nomem; 1597 1598 DPRINTFN(10, "dlci %d, pktlen %d (%d data, %d credits), fcs=%#2.2x\n", 1599 dlc ? dlc->rd_dlci : 0, m0->m_pkthdr.len, credit->rc_len, 1600 credits, fcs); 1601 1602 /* 1603 * UIH frame ready to go.. 1604 */ 1605 err = l2cap_send(rs->rs_l2cap, m0); 1606 if (err) 1607 goto fail; 1608 1609 STAILQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next); 1610 return 0; 1611 1612 nomem: 1613 err = ENOMEM; 1614 1615 if (m0 != NULL) 1616 m_freem(m0); 1617 1618 if (m != NULL) 1619 m_freem(m); 1620 1621 fail: 1622 if (credit != NULL) 1623 zfree(rfcomm_credit_pool, credit); 1624 1625 return err; 1626 } 1627 1628 /* 1629 * send Multiplexer Control Command (or Response) on session 1630 */ 1631 int 1632 rfcomm_session_send_mcc(struct rfcomm_session *rs, int cr, 1633 uint8_t type, void *data, int len) 1634 { 1635 struct mbuf *m; 1636 uint8_t *hdr; 1637 int hlen; 1638 1639 m = m_gethdr(MB_DONTWAIT, MT_DATA); 1640 if (m == NULL) 1641 return ENOMEM; 1642 1643 hdr = mtod(m, uint8_t *); 1644 1645 /* 1646 * Technically the type field can extend past one octet, but none 1647 * currently defined will do that. 1648 */ 1649 *hdr++ = RFCOMM_MKMCC_TYPE(cr, type); 1650 1651 /* 1652 * In the frame, the max length size is 2 octets (15 bits) whereas 1653 * no max length size is specified for MCC commands. We must allow 1654 * for 3 octets since for MCC frames we use 7 bits + EA in each. 1655 * 1656 * Only test data can possibly be that big. 1657 * 1658 * XXX Should we check this against the MTU? 1659 */ 1660 if (len < (1 << 7)) { 1661 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1662 } else if (len < (1 << 14)) { 1663 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1664 *hdr++ = ((len >> 6) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1665 } else if (len < (1 << 15)) { 1666 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1667 *hdr++ = ((len >> 6) & 0xfe); /* 7 bits, EA = 0 */ 1668 *hdr++ = ((len >> 13) & 0x02) | 0x01; /* 1 bit, EA = 1 */ 1669 } else { 1670 DPRINTF("incredible length! (%d)\n", len); 1671 m_freem(m); 1672 return EMSGSIZE; 1673 } 1674 1675 /* 1676 * add command data (to same mbuf if possible) 1677 */ 1678 hlen = hdr - mtod(m, uint8_t *); 1679 1680 if (len > 0) { 1681 m->m_pkthdr.len = m->m_len = MHLEN; 1682 m_copyback(m, hlen, len, data); 1683 if (m->m_pkthdr.len != max(MHLEN, hlen + len)) { 1684 m_freem(m); 1685 return ENOMEM; 1686 } 1687 } 1688 1689 m->m_pkthdr.len = hlen + len; 1690 m->m_len = min(MHLEN, m->m_pkthdr.len); 1691 1692 DPRINTFN(5, "%s type %2.2x len %d\n", 1693 (cr ? "command" : "response"), type, m->m_pkthdr.len); 1694 1695 return rfcomm_session_send_uih(rs, NULL, 0, m); 1696 } 1697