1 /* $NetBSD: rfcomm_session.c,v 1.17 2010/11/17 20:19:25 plunky Exp $ */ 2 3 /*- 4 * Copyright (c) 2006 Itronix Inc. 5 * All rights reserved. 6 * 7 * Written by Iain Hibbert for Itronix Inc. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of Itronix Inc. may not be used to endorse 18 * or promote products derived from this software without specific 19 * prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 23 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 24 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY 25 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 28 * ON ANY THEORY OF LIABILITY, WHETHER IN 29 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 30 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 31 * POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: rfcomm_session.c,v 1.17 2010/11/17 20:19:25 plunky Exp $"); 36 37 #include <sys/param.h> 38 #include <sys/kernel.h> 39 #include <sys/mbuf.h> 40 #include <sys/proc.h> 41 #include <sys/socketvar.h> 42 #include <sys/systm.h> 43 #include <sys/types.h> 44 45 #include <netbt/bluetooth.h> 46 #include <netbt/hci.h> 47 #include <netbt/l2cap.h> 48 #include <netbt/rfcomm.h> 49 50 /****************************************************************************** 51 * 52 * RFCOMM Multiplexer Sessions sit directly on L2CAP channels, and can 53 * multiplex up to 30 incoming and 30 outgoing connections. 54 * Only one Multiplexer is allowed between any two devices. 55 */ 56 57 static void rfcomm_session_timeout(void *); 58 static void rfcomm_session_recv_sabm(struct rfcomm_session *, int); 59 static void rfcomm_session_recv_disc(struct rfcomm_session *, int); 60 static void rfcomm_session_recv_ua(struct rfcomm_session *, int); 61 static void rfcomm_session_recv_dm(struct rfcomm_session *, int); 62 static void rfcomm_session_recv_uih(struct rfcomm_session *, int, int, struct mbuf *, int); 63 static void rfcomm_session_recv_mcc(struct rfcomm_session *, struct mbuf *); 64 static void rfcomm_session_recv_mcc_test(struct rfcomm_session *, int, struct mbuf *); 65 static void rfcomm_session_recv_mcc_fcon(struct rfcomm_session *, int); 66 static void rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *, int); 67 static void rfcomm_session_recv_mcc_msc(struct rfcomm_session *, int, struct mbuf *); 68 static void rfcomm_session_recv_mcc_rpn(struct rfcomm_session *, int, struct mbuf *); 69 static void rfcomm_session_recv_mcc_rls(struct rfcomm_session *, int, struct mbuf *); 70 static void rfcomm_session_recv_mcc_pn(struct rfcomm_session *, int, struct mbuf *); 71 static void rfcomm_session_recv_mcc_nsc(struct rfcomm_session *, int, struct mbuf *); 72 73 /* L2CAP callbacks */ 74 static void rfcomm_session_connecting(void *); 75 static void rfcomm_session_connected(void *); 76 static void rfcomm_session_disconnected(void *, int); 77 static void *rfcomm_session_newconn(void *, struct sockaddr_bt *, struct sockaddr_bt *); 78 static void rfcomm_session_complete(void *, int); 79 static void rfcomm_session_linkmode(void *, int); 80 static void rfcomm_session_input(void *, struct mbuf *); 81 82 static const struct btproto rfcomm_session_proto = { 83 rfcomm_session_connecting, 84 rfcomm_session_connected, 85 rfcomm_session_disconnected, 86 rfcomm_session_newconn, 87 rfcomm_session_complete, 88 rfcomm_session_linkmode, 89 rfcomm_session_input, 90 }; 91 92 struct rfcomm_session_list 93 rfcomm_session_active = LIST_HEAD_INITIALIZER(rfcomm_session_active); 94 95 struct rfcomm_session_list 96 rfcomm_session_listen = LIST_HEAD_INITIALIZER(rfcomm_session_listen); 97 98 static struct pool rfcomm_credit_pool; 99 100 /* 101 * RFCOMM System Parameters (see section 5.3) 102 */ 103 int rfcomm_mtu_default = 127; /* bytes */ 104 int rfcomm_ack_timeout = 20; /* seconds */ 105 int rfcomm_mcc_timeout = 20; /* seconds */ 106 107 /* 108 * Reversed CRC table as per TS 07.10 Annex B.3.5 109 */ 110 static const uint8_t crctable[256] = { /* reversed, 8-bit, poly=0x07 */ 111 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 112 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 113 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 114 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 115 116 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 117 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 118 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 119 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 120 121 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 122 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 123 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 124 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 125 126 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 127 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 128 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 129 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 130 131 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 132 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 133 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 134 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 135 136 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 137 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 138 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 139 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 140 141 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 142 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 143 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 144 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 145 146 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 147 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 148 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 149 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 150 }; 151 152 #define FCS(f, d) crctable[(f) ^ (d)] 153 154 void 155 rfcomm_init(void) 156 { 157 158 pool_init(&rfcomm_credit_pool, sizeof(struct rfcomm_credit), 159 0, 0, 0, "rfcomm_credit", NULL, IPL_SOFTNET); 160 } 161 162 /* 163 * rfcomm_session_alloc(list, sockaddr) 164 * 165 * allocate a new session and fill in the blanks, then 166 * attach session to front of specified list (active or listen) 167 */ 168 struct rfcomm_session * 169 rfcomm_session_alloc(struct rfcomm_session_list *list, 170 struct sockaddr_bt *laddr) 171 { 172 struct rfcomm_session *rs; 173 struct sockopt sopt; 174 int err; 175 176 rs = malloc(sizeof(*rs), M_BLUETOOTH, M_NOWAIT | M_ZERO); 177 if (rs == NULL) 178 return NULL; 179 180 rs->rs_state = RFCOMM_SESSION_CLOSED; 181 182 callout_init(&rs->rs_timeout, 0); 183 callout_setfunc(&rs->rs_timeout, rfcomm_session_timeout, rs); 184 185 SIMPLEQ_INIT(&rs->rs_credits); 186 LIST_INIT(&rs->rs_dlcs); 187 188 err = l2cap_attach(&rs->rs_l2cap, &rfcomm_session_proto, rs); 189 if (err) { 190 free(rs, M_BLUETOOTH); 191 return NULL; 192 } 193 194 sockopt_init(&sopt, BTPROTO_L2CAP, SO_L2CAP_OMTU, 0); 195 (void)l2cap_getopt(rs->rs_l2cap, &sopt); 196 (void)sockopt_get(&sopt, &rs->rs_mtu, sizeof(rs->rs_mtu)); 197 sockopt_destroy(&sopt); 198 199 if (laddr->bt_psm == L2CAP_PSM_ANY) 200 laddr->bt_psm = L2CAP_PSM_RFCOMM; 201 202 (void)l2cap_bind(rs->rs_l2cap, laddr); 203 204 LIST_INSERT_HEAD(list, rs, rs_next); 205 206 return rs; 207 } 208 209 /* 210 * rfcomm_session_free(rfcomm_session) 211 * 212 * release a session, including any cleanup 213 */ 214 void 215 rfcomm_session_free(struct rfcomm_session *rs) 216 { 217 struct rfcomm_credit *credit; 218 219 KASSERT(rs != NULL); 220 KASSERT(LIST_EMPTY(&rs->rs_dlcs)); 221 222 rs->rs_state = RFCOMM_SESSION_CLOSED; 223 224 /* 225 * If the callout is already invoked we have no way to stop it, 226 * but it will call us back right away (there are no DLC's) so 227 * not to worry. 228 */ 229 callout_stop(&rs->rs_timeout); 230 if (callout_invoking(&rs->rs_timeout)) 231 return; 232 233 /* 234 * Take care that rfcomm_session_disconnected() doesnt call 235 * us back either as it will do if the l2cap_channel has not 236 * been closed when we detach it.. 237 */ 238 if (rs->rs_flags & RFCOMM_SESSION_FREE) 239 return; 240 241 rs->rs_flags |= RFCOMM_SESSION_FREE; 242 243 /* throw away any remaining credit notes */ 244 while ((credit = SIMPLEQ_FIRST(&rs->rs_credits)) != NULL) { 245 SIMPLEQ_REMOVE_HEAD(&rs->rs_credits, rc_next); 246 pool_put(&rfcomm_credit_pool, credit); 247 } 248 249 KASSERT(SIMPLEQ_EMPTY(&rs->rs_credits)); 250 251 /* Goodbye! */ 252 LIST_REMOVE(rs, rs_next); 253 l2cap_detach(&rs->rs_l2cap); 254 callout_destroy(&rs->rs_timeout); 255 free(rs, M_BLUETOOTH); 256 } 257 258 /* 259 * rfcomm_session_lookup(sockaddr, sockaddr) 260 * 261 * Find active rfcomm session matching src and dest addresses 262 * when src is BDADDR_ANY match any local address 263 */ 264 struct rfcomm_session * 265 rfcomm_session_lookup(struct sockaddr_bt *src, struct sockaddr_bt *dest) 266 { 267 struct rfcomm_session *rs; 268 struct sockaddr_bt addr; 269 270 LIST_FOREACH(rs, &rfcomm_session_active, rs_next) { 271 if (rs->rs_state == RFCOMM_SESSION_CLOSED) 272 continue; 273 274 l2cap_sockaddr(rs->rs_l2cap, &addr); 275 276 if (bdaddr_same(&src->bt_bdaddr, &addr.bt_bdaddr) == 0) 277 if (bdaddr_any(&src->bt_bdaddr) == 0) 278 continue; 279 280 l2cap_peeraddr(rs->rs_l2cap, &addr); 281 282 if (addr.bt_psm != dest->bt_psm) 283 continue; 284 285 if (bdaddr_same(&dest->bt_bdaddr, &addr.bt_bdaddr)) 286 break; 287 } 288 289 return rs; 290 } 291 292 /* 293 * rfcomm_session_timeout(rfcomm_session) 294 * 295 * Session timeouts are scheduled when a session is left or 296 * created with no DLCs, and when SABM(0) or DISC(0) are 297 * sent. 298 * 299 * So, if it is in an open state with DLC's attached then 300 * we leave it alone, otherwise the session is lost. 301 */ 302 static void 303 rfcomm_session_timeout(void *arg) 304 { 305 struct rfcomm_session *rs = arg; 306 struct rfcomm_dlc *dlc; 307 308 KASSERT(rs != NULL); 309 310 mutex_enter(bt_lock); 311 callout_ack(&rs->rs_timeout); 312 313 if (rs->rs_state != RFCOMM_SESSION_OPEN) { 314 DPRINTF("timeout\n"); 315 rs->rs_state = RFCOMM_SESSION_CLOSED; 316 317 while (!LIST_EMPTY(&rs->rs_dlcs)) { 318 dlc = LIST_FIRST(&rs->rs_dlcs); 319 320 rfcomm_dlc_close(dlc, ETIMEDOUT); 321 } 322 } 323 324 if (LIST_EMPTY(&rs->rs_dlcs)) { 325 DPRINTF("expiring\n"); 326 rfcomm_session_free(rs); 327 } 328 mutex_exit(bt_lock); 329 } 330 331 /*********************************************************************** 332 * 333 * RFCOMM Session L2CAP protocol callbacks 334 * 335 */ 336 337 static void 338 rfcomm_session_connecting(void *arg) 339 { 340 /* struct rfcomm_session *rs = arg; */ 341 342 DPRINTF("Connecting\n"); 343 } 344 345 static void 346 rfcomm_session_connected(void *arg) 347 { 348 struct rfcomm_session *rs = arg; 349 struct sockopt sopt; 350 351 DPRINTF("Connected\n"); 352 353 /* 354 * L2CAP is open. 355 * 356 * If we are initiator, we can send our SABM(0) 357 * a timeout should be active? 358 * 359 * We must take note of the L2CAP MTU because currently 360 * the L2CAP implementation can only do Basic Mode. 361 */ 362 sockopt_init(&sopt, BTPROTO_L2CAP, SO_L2CAP_OMTU, 0); 363 (void)l2cap_getopt(rs->rs_l2cap, &sopt); 364 (void)sockopt_get(&sopt, &rs->rs_mtu, sizeof(rs->rs_mtu)); 365 sockopt_destroy(&sopt); 366 367 rs->rs_mtu -= 6; /* (RFCOMM overhead could be this big) */ 368 if (rs->rs_mtu < RFCOMM_MTU_MIN) { 369 rfcomm_session_disconnected(rs, EINVAL); 370 return; 371 } 372 373 if (IS_INITIATOR(rs)) { 374 int err; 375 376 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, 0); 377 if (err) 378 rfcomm_session_disconnected(rs, err); 379 380 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz); 381 } 382 } 383 384 static void 385 rfcomm_session_disconnected(void *arg, int err) 386 { 387 struct rfcomm_session *rs = arg; 388 struct rfcomm_dlc *dlc; 389 390 DPRINTF("Disconnected\n"); 391 392 /* 393 * If we have any DLCs outstanding in the unlikely case that the 394 * L2CAP channel disconnected normally, close them with an error 395 */ 396 if (err == 0) 397 err = ECONNRESET; 398 399 rs->rs_state = RFCOMM_SESSION_CLOSED; 400 401 while (!LIST_EMPTY(&rs->rs_dlcs)) { 402 dlc = LIST_FIRST(&rs->rs_dlcs); 403 404 rfcomm_dlc_close(dlc, err); 405 } 406 407 rfcomm_session_free(rs); 408 } 409 410 static void * 411 rfcomm_session_newconn(void *arg, struct sockaddr_bt *laddr, 412 struct sockaddr_bt *raddr) 413 { 414 struct rfcomm_session *new, *rs = arg; 415 416 DPRINTF("New Connection\n"); 417 418 /* 419 * Incoming session connect request. We should return a new 420 * session pointer if this is acceptable. The L2CAP layer 421 * passes local and remote addresses, which we must check as 422 * only one RFCOMM session is allowed between any two devices 423 */ 424 new = rfcomm_session_lookup(laddr, raddr); 425 if (new != NULL) 426 return NULL; 427 428 new = rfcomm_session_alloc(&rfcomm_session_active, laddr); 429 if (new == NULL) 430 return NULL; 431 432 new->rs_mtu = rs->rs_mtu; 433 new->rs_state = RFCOMM_SESSION_WAIT_CONNECT; 434 435 /* 436 * schedule an expiry so that if nothing comes of it we 437 * can punt. 438 */ 439 callout_schedule(&new->rs_timeout, rfcomm_mcc_timeout * hz); 440 441 return new->rs_l2cap; 442 } 443 444 static void 445 rfcomm_session_complete(void *arg, int count) 446 { 447 struct rfcomm_session *rs = arg; 448 struct rfcomm_credit *credit; 449 struct rfcomm_dlc *dlc; 450 451 /* 452 * count L2CAP packets are 'complete', meaning that they are cleared 453 * our buffers (for best effort) or arrived safe (for guaranteed) so 454 * we can take it off our list and pass the message on, so that 455 * eventually the data can be removed from the sockbuf 456 */ 457 while (count-- > 0) { 458 credit = SIMPLEQ_FIRST(&rs->rs_credits); 459 #ifdef DIAGNOSTIC 460 if (credit == NULL) { 461 printf("%s: too many packets completed!\n", __func__); 462 break; 463 } 464 #endif 465 dlc = credit->rc_dlc; 466 if (dlc != NULL) { 467 dlc->rd_pending--; 468 (*dlc->rd_proto->complete) 469 (dlc->rd_upper, credit->rc_len); 470 471 /* 472 * if not using credit flow control, we may push 473 * more data now 474 */ 475 if ((rs->rs_flags & RFCOMM_SESSION_CFC) == 0 476 && dlc->rd_state == RFCOMM_DLC_OPEN) { 477 rfcomm_dlc_start(dlc); 478 } 479 480 /* 481 * When shutdown is indicated, we are just waiting to 482 * clear outgoing data. 483 */ 484 if ((dlc->rd_flags & RFCOMM_DLC_SHUTDOWN) 485 && dlc->rd_txbuf == NULL && dlc->rd_pending == 0) { 486 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT; 487 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 488 dlc->rd_dlci); 489 callout_schedule(&dlc->rd_timeout, 490 rfcomm_ack_timeout * hz); 491 } 492 } 493 494 SIMPLEQ_REMOVE_HEAD(&rs->rs_credits, rc_next); 495 pool_put(&rfcomm_credit_pool, credit); 496 } 497 498 /* 499 * If session is closed, we are just waiting to clear the queue 500 */ 501 if (rs->rs_state == RFCOMM_SESSION_CLOSED) { 502 if (SIMPLEQ_EMPTY(&rs->rs_credits)) 503 l2cap_disconnect(rs->rs_l2cap, 0); 504 } 505 } 506 507 /* 508 * Link Mode changed 509 * 510 * This is called when a mode change is complete. Proceed with connections 511 * where appropriate, or pass the new mode to any active DLCs. 512 */ 513 static void 514 rfcomm_session_linkmode(void *arg, int new) 515 { 516 struct rfcomm_session *rs = arg; 517 struct rfcomm_dlc *dlc, *next; 518 int err, mode = 0; 519 520 DPRINTF("auth %s, encrypt %s, secure %s\n", 521 (new & L2CAP_LM_AUTH ? "on" : "off"), 522 (new & L2CAP_LM_ENCRYPT ? "on" : "off"), 523 (new & L2CAP_LM_SECURE ? "on" : "off")); 524 525 if (new & L2CAP_LM_AUTH) 526 mode |= RFCOMM_LM_AUTH; 527 528 if (new & L2CAP_LM_ENCRYPT) 529 mode |= RFCOMM_LM_ENCRYPT; 530 531 if (new & L2CAP_LM_SECURE) 532 mode |= RFCOMM_LM_SECURE; 533 534 next = LIST_FIRST(&rs->rs_dlcs); 535 while ((dlc = next) != NULL) { 536 next = LIST_NEXT(dlc, rd_next); 537 538 switch (dlc->rd_state) { 539 case RFCOMM_DLC_WAIT_SEND_SABM: /* we are connecting */ 540 if ((mode & dlc->rd_mode) != dlc->rd_mode) { 541 rfcomm_dlc_close(dlc, ECONNABORTED); 542 } else { 543 err = rfcomm_session_send_frame(rs, 544 RFCOMM_FRAME_SABM, dlc->rd_dlci); 545 if (err) { 546 rfcomm_dlc_close(dlc, err); 547 } else { 548 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA; 549 callout_schedule(&dlc->rd_timeout, 550 rfcomm_ack_timeout * hz); 551 break; 552 } 553 } 554 555 /* 556 * If we aborted the connection and there are no more DLCs 557 * on the session, it is our responsibility to disconnect. 558 */ 559 if (!LIST_EMPTY(&rs->rs_dlcs)) 560 break; 561 562 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT; 563 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0); 564 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz); 565 break; 566 567 case RFCOMM_DLC_WAIT_SEND_UA: /* they are connecting */ 568 if ((mode & dlc->rd_mode) != dlc->rd_mode) { 569 rfcomm_session_send_frame(rs, 570 RFCOMM_FRAME_DM, dlc->rd_dlci); 571 rfcomm_dlc_close(dlc, ECONNABORTED); 572 break; 573 } 574 575 err = rfcomm_session_send_frame(rs, 576 RFCOMM_FRAME_UA, dlc->rd_dlci); 577 if (err) { 578 rfcomm_session_send_frame(rs, 579 RFCOMM_FRAME_DM, dlc->rd_dlci); 580 rfcomm_dlc_close(dlc, err); 581 break; 582 } 583 584 err = rfcomm_dlc_open(dlc); 585 if (err) { 586 rfcomm_session_send_frame(rs, 587 RFCOMM_FRAME_DM, dlc->rd_dlci); 588 rfcomm_dlc_close(dlc, err); 589 break; 590 } 591 592 break; 593 594 case RFCOMM_DLC_WAIT_RECV_UA: 595 case RFCOMM_DLC_OPEN: /* already established */ 596 (*dlc->rd_proto->linkmode)(dlc->rd_upper, mode); 597 break; 598 599 default: 600 break; 601 } 602 } 603 } 604 605 /* 606 * Receive data from L2CAP layer for session. There is always exactly one 607 * RFCOMM frame contained in each L2CAP frame. 608 */ 609 static void 610 rfcomm_session_input(void *arg, struct mbuf *m) 611 { 612 struct rfcomm_session *rs = arg; 613 int dlci, len, type, pf; 614 uint8_t fcs, b; 615 616 KASSERT(m != NULL); 617 KASSERT(rs != NULL); 618 619 /* 620 * UIH frames: FCS is only calculated on address and control fields 621 * For other frames: FCS is calculated on address, control and length 622 * Length may extend to two octets 623 */ 624 fcs = 0xff; 625 626 if (m->m_pkthdr.len < 4) { 627 DPRINTF("short frame (%d), discarded\n", m->m_pkthdr.len); 628 goto done; 629 } 630 631 /* address - one octet */ 632 m_copydata(m, 0, 1, &b); 633 m_adj(m, 1); 634 fcs = FCS(fcs, b); 635 dlci = RFCOMM_DLCI(b); 636 637 /* control - one octet */ 638 m_copydata(m, 0, 1, &b); 639 m_adj(m, 1); 640 fcs = FCS(fcs, b); 641 type = RFCOMM_TYPE(b); 642 pf = RFCOMM_PF(b); 643 644 /* length - may be two octets */ 645 m_copydata(m, 0, 1, &b); 646 m_adj(m, 1); 647 if (type != RFCOMM_FRAME_UIH) 648 fcs = FCS(fcs, b); 649 len = (b >> 1) & 0x7f; 650 651 if (RFCOMM_EA(b) == 0) { 652 if (m->m_pkthdr.len < 2) { 653 DPRINTF("short frame (%d, EA = 0), discarded\n", 654 m->m_pkthdr.len); 655 goto done; 656 } 657 658 m_copydata(m, 0, 1, &b); 659 m_adj(m, 1); 660 if (type != RFCOMM_FRAME_UIH) 661 fcs = FCS(fcs, b); 662 663 len |= (b << 7); 664 } 665 666 /* FCS byte is last octet in frame */ 667 m_copydata(m, m->m_pkthdr.len - 1, 1, &b); 668 m_adj(m, -1); 669 fcs = FCS(fcs, b); 670 671 if (fcs != 0xcf) { 672 DPRINTF("Bad FCS value (%#2.2x), frame discarded\n", fcs); 673 goto done; 674 } 675 676 DPRINTFN(10, "dlci %d, type %2.2x, len = %d\n", dlci, type, len); 677 678 switch (type) { 679 case RFCOMM_FRAME_SABM: 680 if (pf) 681 rfcomm_session_recv_sabm(rs, dlci); 682 break; 683 684 case RFCOMM_FRAME_DISC: 685 if (pf) 686 rfcomm_session_recv_disc(rs, dlci); 687 break; 688 689 case RFCOMM_FRAME_UA: 690 if (pf) 691 rfcomm_session_recv_ua(rs, dlci); 692 break; 693 694 case RFCOMM_FRAME_DM: 695 rfcomm_session_recv_dm(rs, dlci); 696 break; 697 698 case RFCOMM_FRAME_UIH: 699 rfcomm_session_recv_uih(rs, dlci, pf, m, len); 700 return; /* (no release) */ 701 702 default: 703 UNKNOWN(type); 704 break; 705 } 706 707 done: 708 m_freem(m); 709 } 710 711 /*********************************************************************** 712 * 713 * RFCOMM Session receive processing 714 */ 715 716 /* 717 * rfcomm_session_recv_sabm(rfcomm_session, dlci) 718 * 719 * Set Asyncrhonous Balanced Mode - open the channel. 720 */ 721 static void 722 rfcomm_session_recv_sabm(struct rfcomm_session *rs, int dlci) 723 { 724 struct rfcomm_dlc *dlc; 725 int err; 726 727 DPRINTFN(5, "SABM(%d)\n", dlci); 728 729 if (dlci == 0) { /* Open Session */ 730 rs->rs_state = RFCOMM_SESSION_OPEN; 731 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0); 732 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) { 733 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION) 734 rfcomm_dlc_connect(dlc); 735 } 736 return; 737 } 738 739 if (rs->rs_state != RFCOMM_SESSION_OPEN) { 740 DPRINTF("session was not even open!\n"); 741 return; 742 } 743 744 /* validate direction bit */ 745 if ((IS_INITIATOR(rs) && !RFCOMM_DIRECTION(dlci)) 746 || (!IS_INITIATOR(rs) && RFCOMM_DIRECTION(dlci))) { 747 DPRINTF("Invalid direction bit on DLCI\n"); 748 return; 749 } 750 751 /* 752 * look for our DLC - this may exist if we received PN 753 * already, or we may have to fabricate a new one. 754 */ 755 dlc = rfcomm_dlc_lookup(rs, dlci); 756 if (dlc == NULL) { 757 dlc = rfcomm_dlc_newconn(rs, dlci); 758 if (dlc == NULL) 759 return; /* (DM is sent) */ 760 } 761 762 /* 763 * ..but if this DLC is not waiting to connect, they did 764 * something wrong, ignore it. 765 */ 766 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT) 767 return; 768 769 /* set link mode */ 770 err = rfcomm_dlc_setmode(dlc); 771 if (err == EINPROGRESS) { 772 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_UA; 773 (*dlc->rd_proto->connecting)(dlc->rd_upper); 774 return; 775 } 776 if (err) 777 goto close; 778 779 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci); 780 if (err) 781 goto close; 782 783 /* and mark it open */ 784 err = rfcomm_dlc_open(dlc); 785 if (err) 786 goto close; 787 788 return; 789 790 close: 791 rfcomm_dlc_close(dlc, err); 792 } 793 794 /* 795 * Receive Disconnect Command 796 */ 797 static void 798 rfcomm_session_recv_disc(struct rfcomm_session *rs, int dlci) 799 { 800 struct rfcomm_dlc *dlc; 801 802 DPRINTFN(5, "DISC(%d)\n", dlci); 803 804 if (dlci == 0) { 805 /* 806 * Disconnect Session 807 * 808 * We set the session state to CLOSED so that when 809 * the UA frame is clear the session will be closed 810 * automatically. We wont bother to close any DLC's 811 * just yet as there should be none. In the unlikely 812 * event that something is left, it will get flushed 813 * out as the session goes down. 814 */ 815 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0); 816 rs->rs_state = RFCOMM_SESSION_CLOSED; 817 return; 818 } 819 820 dlc = rfcomm_dlc_lookup(rs, dlci); 821 if (dlc == NULL) { 822 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci); 823 return; 824 } 825 826 rfcomm_dlc_close(dlc, 0); 827 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci); 828 } 829 830 /* 831 * Receive Unnumbered Acknowledgement Response 832 * 833 * This should be a response to a DISC or SABM frame that we 834 * have previously sent. If unexpected, ignore it. 835 */ 836 static void 837 rfcomm_session_recv_ua(struct rfcomm_session *rs, int dlci) 838 { 839 struct rfcomm_dlc *dlc; 840 841 DPRINTFN(5, "UA(%d)\n", dlci); 842 843 if (dlci == 0) { 844 switch (rs->rs_state) { 845 case RFCOMM_SESSION_WAIT_CONNECT: /* We sent SABM */ 846 callout_stop(&rs->rs_timeout); 847 rs->rs_state = RFCOMM_SESSION_OPEN; 848 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) { 849 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION) 850 rfcomm_dlc_connect(dlc); 851 } 852 break; 853 854 case RFCOMM_SESSION_WAIT_DISCONNECT: /* We sent DISC */ 855 callout_stop(&rs->rs_timeout); 856 rs->rs_state = RFCOMM_SESSION_CLOSED; 857 l2cap_disconnect(rs->rs_l2cap, 0); 858 break; 859 860 default: 861 DPRINTF("Received spurious UA(0)!\n"); 862 break; 863 } 864 865 return; 866 } 867 868 /* 869 * If we have no DLC on this dlci, we may have aborted 870 * without shutting down properly, so check if the session 871 * needs disconnecting. 872 */ 873 dlc = rfcomm_dlc_lookup(rs, dlci); 874 if (dlc == NULL) 875 goto check; 876 877 switch (dlc->rd_state) { 878 case RFCOMM_DLC_WAIT_RECV_UA: /* We sent SABM */ 879 rfcomm_dlc_open(dlc); 880 return; 881 882 case RFCOMM_DLC_WAIT_DISCONNECT: /* We sent DISC */ 883 rfcomm_dlc_close(dlc, 0); 884 break; 885 886 default: 887 DPRINTF("Received spurious UA(%d)!\n", dlci); 888 return; 889 } 890 891 check: /* last one out turns out the light */ 892 if (LIST_EMPTY(&rs->rs_dlcs)) { 893 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT; 894 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0); 895 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz); 896 } 897 } 898 899 /* 900 * Receive Disconnected Mode Response 901 * 902 * If this does not apply to a known DLC then we may ignore it. 903 */ 904 static void 905 rfcomm_session_recv_dm(struct rfcomm_session *rs, int dlci) 906 { 907 struct rfcomm_dlc *dlc; 908 909 DPRINTFN(5, "DM(%d)\n", dlci); 910 911 dlc = rfcomm_dlc_lookup(rs, dlci); 912 if (dlc == NULL) 913 return; 914 915 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT) 916 rfcomm_dlc_close(dlc, ECONNREFUSED); 917 else 918 rfcomm_dlc_close(dlc, ECONNRESET); 919 } 920 921 /* 922 * Receive Unnumbered Information with Header check (MCC or data packet) 923 */ 924 static void 925 rfcomm_session_recv_uih(struct rfcomm_session *rs, int dlci, 926 int pf, struct mbuf *m, int len) 927 { 928 struct rfcomm_dlc *dlc; 929 uint8_t credits = 0; 930 931 DPRINTFN(10, "UIH(%d)\n", dlci); 932 933 if (dlci == 0) { 934 rfcomm_session_recv_mcc(rs, m); 935 return; 936 } 937 938 if (m->m_pkthdr.len != len + pf) { 939 DPRINTF("Bad Frame Length (%d), frame discarded\n", 940 m->m_pkthdr.len); 941 942 goto discard; 943 } 944 945 dlc = rfcomm_dlc_lookup(rs, dlci); 946 if (dlc == NULL) { 947 DPRINTF("UIH received for non existent DLC, discarded\n"); 948 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci); 949 goto discard; 950 } 951 952 if (dlc->rd_state != RFCOMM_DLC_OPEN) { 953 DPRINTF("non-open DLC (state = %d), discarded\n", 954 dlc->rd_state); 955 goto discard; 956 } 957 958 /* if PF is set, credits were included */ 959 if (rs->rs_flags & RFCOMM_SESSION_CFC) { 960 if (pf != 0) { 961 if (m->m_pkthdr.len < sizeof(credits)) { 962 DPRINTF("Bad PF value, UIH discarded\n"); 963 goto discard; 964 } 965 966 m_copydata(m, 0, sizeof(credits), &credits); 967 m_adj(m, sizeof(credits)); 968 969 dlc->rd_txcred += credits; 970 971 if (credits > 0 && dlc->rd_txbuf != NULL) 972 rfcomm_dlc_start(dlc); 973 } 974 975 if (len == 0) 976 goto discard; 977 978 if (dlc->rd_rxcred == 0) { 979 DPRINTF("Credit limit reached, UIH discarded\n"); 980 goto discard; 981 } 982 983 if (len > dlc->rd_rxsize) { 984 DPRINTF("UIH frame exceeds rxsize, discarded\n"); 985 goto discard; 986 } 987 988 dlc->rd_rxcred--; 989 dlc->rd_rxsize -= len; 990 } 991 992 (*dlc->rd_proto->input)(dlc->rd_upper, m); 993 return; 994 995 discard: 996 m_freem(m); 997 } 998 999 /* 1000 * Receive Multiplexer Control Command 1001 */ 1002 static void 1003 rfcomm_session_recv_mcc(struct rfcomm_session *rs, struct mbuf *m) 1004 { 1005 int type, cr, len; 1006 uint8_t b; 1007 1008 /* 1009 * Extract MCC header. 1010 * 1011 * Fields are variable length using extension bit = 1 to signify the 1012 * last octet in the sequence. 1013 * 1014 * Only single octet types are defined in TS 07.10/RFCOMM spec 1015 * 1016 * Length can realistically only use 15 bits (max RFCOMM MTU) 1017 */ 1018 if (m->m_pkthdr.len < sizeof(b)) { 1019 DPRINTF("Short MCC header, discarded\n"); 1020 goto release; 1021 } 1022 1023 m_copydata(m, 0, sizeof(b), &b); 1024 m_adj(m, sizeof(b)); 1025 1026 if (RFCOMM_EA(b) == 0) { /* verify no extensions */ 1027 DPRINTF("MCC type EA = 0, discarded\n"); 1028 goto release; 1029 } 1030 1031 type = RFCOMM_MCC_TYPE(b); 1032 cr = RFCOMM_CR(b); 1033 1034 len = 0; 1035 do { 1036 if (m->m_pkthdr.len < sizeof(b)) { 1037 DPRINTF("Short MCC header, discarded\n"); 1038 goto release; 1039 } 1040 1041 m_copydata(m, 0, sizeof(b), &b); 1042 m_adj(m, sizeof(b)); 1043 1044 len = (len << 7) | (b >> 1); 1045 len = min(len, RFCOMM_MTU_MAX); 1046 } while (RFCOMM_EA(b) == 0); 1047 1048 if (len != m->m_pkthdr.len) { 1049 DPRINTF("Incorrect MCC length, discarded\n"); 1050 goto release; 1051 } 1052 1053 DPRINTFN(2, "MCC %s type %2.2x (%d bytes)\n", 1054 (cr ? "command" : "response"), type, len); 1055 1056 /* 1057 * pass to command handler 1058 */ 1059 switch(type) { 1060 case RFCOMM_MCC_TEST: /* Test */ 1061 rfcomm_session_recv_mcc_test(rs, cr, m); 1062 break; 1063 1064 case RFCOMM_MCC_FCON: /* Flow Control On */ 1065 rfcomm_session_recv_mcc_fcon(rs, cr); 1066 break; 1067 1068 case RFCOMM_MCC_FCOFF: /* Flow Control Off */ 1069 rfcomm_session_recv_mcc_fcoff(rs, cr); 1070 break; 1071 1072 case RFCOMM_MCC_MSC: /* Modem Status Command */ 1073 rfcomm_session_recv_mcc_msc(rs, cr, m); 1074 break; 1075 1076 case RFCOMM_MCC_RPN: /* Remote Port Negotiation */ 1077 rfcomm_session_recv_mcc_rpn(rs, cr, m); 1078 break; 1079 1080 case RFCOMM_MCC_RLS: /* Remote Line Status */ 1081 rfcomm_session_recv_mcc_rls(rs, cr, m); 1082 break; 1083 1084 case RFCOMM_MCC_PN: /* Parameter Negotiation */ 1085 rfcomm_session_recv_mcc_pn(rs, cr, m); 1086 break; 1087 1088 case RFCOMM_MCC_NSC: /* Non Supported Command */ 1089 rfcomm_session_recv_mcc_nsc(rs, cr, m); 1090 break; 1091 1092 default: 1093 b = RFCOMM_MKMCC_TYPE(cr, type); 1094 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_NSC, &b, sizeof(b)); 1095 } 1096 1097 release: 1098 m_freem(m); 1099 } 1100 1101 /* 1102 * process TEST command/response 1103 */ 1104 static void 1105 rfcomm_session_recv_mcc_test(struct rfcomm_session *rs, int cr, struct mbuf *m) 1106 { 1107 void *data; 1108 int len; 1109 1110 if (cr == 0) /* ignore ack */ 1111 return; 1112 1113 /* 1114 * we must send all the data they included back as is 1115 */ 1116 1117 len = m->m_pkthdr.len; 1118 if (len > RFCOMM_MTU_MAX) 1119 return; 1120 1121 data = malloc(len, M_BLUETOOTH, M_NOWAIT); 1122 if (data == NULL) 1123 return; 1124 1125 m_copydata(m, 0, len, data); 1126 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_TEST, data, len); 1127 free(data, M_BLUETOOTH); 1128 } 1129 1130 /* 1131 * process Flow Control ON command/response 1132 */ 1133 static void 1134 rfcomm_session_recv_mcc_fcon(struct rfcomm_session *rs, int cr) 1135 { 1136 1137 if (cr == 0) /* ignore ack */ 1138 return; 1139 1140 rs->rs_flags |= RFCOMM_SESSION_RFC; 1141 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCON, NULL, 0); 1142 } 1143 1144 /* 1145 * process Flow Control OFF command/response 1146 */ 1147 static void 1148 rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *rs, int cr) 1149 { 1150 1151 if (cr == 0) /* ignore ack */ 1152 return; 1153 1154 rs->rs_flags &= ~RFCOMM_SESSION_RFC; 1155 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCOFF, NULL, 0); 1156 } 1157 1158 /* 1159 * process Modem Status Command command/response 1160 */ 1161 static void 1162 rfcomm_session_recv_mcc_msc(struct rfcomm_session *rs, int cr, struct mbuf *m) 1163 { 1164 struct rfcomm_mcc_msc msc; /* (3 octets) */ 1165 struct rfcomm_dlc *dlc; 1166 int len = 0; 1167 1168 /* [ADDRESS] */ 1169 if (m->m_pkthdr.len < sizeof(msc.address)) 1170 return; 1171 1172 m_copydata(m, 0, sizeof(msc.address), &msc.address); 1173 m_adj(m, sizeof(msc.address)); 1174 len += sizeof(msc.address); 1175 1176 dlc = rfcomm_dlc_lookup(rs, RFCOMM_DLCI(msc.address)); 1177 1178 if (cr == 0) { /* ignore acks */ 1179 if (dlc != NULL) 1180 callout_stop(&dlc->rd_timeout); 1181 1182 return; 1183 } 1184 1185 if (dlc == NULL) { 1186 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, 1187 RFCOMM_DLCI(msc.address)); 1188 return; 1189 } 1190 1191 /* [SIGNALS] */ 1192 if (m->m_pkthdr.len < sizeof(msc.modem)) 1193 return; 1194 1195 m_copydata(m, 0, sizeof(msc.modem), &msc.modem); 1196 m_adj(m, sizeof(msc.modem)); 1197 len += sizeof(msc.modem); 1198 1199 dlc->rd_rmodem = msc.modem; 1200 /* XXX how do we signal this upstream? */ 1201 1202 if (RFCOMM_EA(msc.modem) == 0) { 1203 if (m->m_pkthdr.len < sizeof(msc.brk)) 1204 return; 1205 1206 m_copydata(m, 0, sizeof(msc.brk), &msc.brk); 1207 m_adj(m, sizeof(msc.brk)); 1208 len += sizeof(msc.brk); 1209 1210 /* XXX how do we signal this upstream? */ 1211 } 1212 1213 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_MSC, &msc, len); 1214 } 1215 1216 /* 1217 * process Remote Port Negotiation command/response 1218 */ 1219 static void 1220 rfcomm_session_recv_mcc_rpn(struct rfcomm_session *rs, int cr, struct mbuf *m) 1221 { 1222 struct rfcomm_mcc_rpn rpn; 1223 uint16_t mask; 1224 1225 if (cr == 0) /* ignore ack */ 1226 return; 1227 1228 /* default values */ 1229 rpn.bit_rate = RFCOMM_RPN_BR_9600; 1230 rpn.line_settings = RFCOMM_RPN_8_N_1; 1231 rpn.flow_control = RFCOMM_RPN_FLOW_NONE; 1232 rpn.xon_char = RFCOMM_RPN_XON_CHAR; 1233 rpn.xoff_char = RFCOMM_RPN_XOFF_CHAR; 1234 1235 if (m->m_pkthdr.len == sizeof(rpn)) { 1236 m_copydata(m, 0, sizeof(rpn), &rpn); 1237 rpn.param_mask = RFCOMM_RPN_PM_ALL; 1238 } else if (m->m_pkthdr.len == 1) { 1239 m_copydata(m, 0, 1, &rpn); 1240 rpn.param_mask = le16toh(rpn.param_mask); 1241 } else { 1242 DPRINTF("Bad RPN length (%d)\n", m->m_pkthdr.len); 1243 return; 1244 } 1245 1246 mask = 0; 1247 1248 if (rpn.param_mask & RFCOMM_RPN_PM_RATE) 1249 mask |= RFCOMM_RPN_PM_RATE; 1250 1251 if (rpn.param_mask & RFCOMM_RPN_PM_DATA 1252 && RFCOMM_RPN_DATA_BITS(rpn.line_settings) == RFCOMM_RPN_DATA_8) 1253 mask |= RFCOMM_RPN_PM_DATA; 1254 1255 if (rpn.param_mask & RFCOMM_RPN_PM_STOP 1256 && RFCOMM_RPN_STOP_BITS(rpn.line_settings) == RFCOMM_RPN_STOP_1) 1257 mask |= RFCOMM_RPN_PM_STOP; 1258 1259 if (rpn.param_mask & RFCOMM_RPN_PM_PARITY 1260 && RFCOMM_RPN_PARITY(rpn.line_settings) == RFCOMM_RPN_PARITY_NONE) 1261 mask |= RFCOMM_RPN_PM_PARITY; 1262 1263 if (rpn.param_mask & RFCOMM_RPN_PM_XON 1264 && rpn.xon_char == RFCOMM_RPN_XON_CHAR) 1265 mask |= RFCOMM_RPN_PM_XON; 1266 1267 if (rpn.param_mask & RFCOMM_RPN_PM_XOFF 1268 && rpn.xoff_char == RFCOMM_RPN_XOFF_CHAR) 1269 mask |= RFCOMM_RPN_PM_XOFF; 1270 1271 if (rpn.param_mask & RFCOMM_RPN_PM_FLOW 1272 && rpn.flow_control == RFCOMM_RPN_FLOW_NONE) 1273 mask |= RFCOMM_RPN_PM_FLOW; 1274 1275 rpn.param_mask = htole16(mask); 1276 1277 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RPN, &rpn, sizeof(rpn)); 1278 } 1279 1280 /* 1281 * process Remote Line Status command/response 1282 */ 1283 static void 1284 rfcomm_session_recv_mcc_rls(struct rfcomm_session *rs, int cr, struct mbuf *m) 1285 { 1286 struct rfcomm_mcc_rls rls; 1287 1288 if (cr == 0) /* ignore ack */ 1289 return; 1290 1291 if (m->m_pkthdr.len != sizeof(rls)) { 1292 DPRINTF("Bad RLS length %d\n", m->m_pkthdr.len); 1293 return; 1294 } 1295 1296 m_copydata(m, 0, sizeof(rls), &rls); 1297 1298 /* 1299 * So far as I can tell, we just send back what 1300 * they sent us. This signifies errors that seem 1301 * irrelevent for RFCOMM over L2CAP. 1302 */ 1303 rls.address |= 0x03; /* EA = 1, CR = 1 */ 1304 rls.status &= 0x0f; /* only 4 bits valid */ 1305 1306 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RLS, &rls, sizeof(rls)); 1307 } 1308 1309 /* 1310 * process Parameter Negotiation command/response 1311 */ 1312 static void 1313 rfcomm_session_recv_mcc_pn(struct rfcomm_session *rs, int cr, struct mbuf *m) 1314 { 1315 struct rfcomm_dlc *dlc; 1316 struct rfcomm_mcc_pn pn; 1317 int err; 1318 1319 if (m->m_pkthdr.len != sizeof(pn)) { 1320 DPRINTF("Bad PN length %d\n", m->m_pkthdr.len); 1321 return; 1322 } 1323 1324 m_copydata(m, 0, sizeof(pn), &pn); 1325 1326 pn.dlci &= 0x3f; 1327 pn.mtu = le16toh(pn.mtu); 1328 1329 dlc = rfcomm_dlc_lookup(rs, pn.dlci); 1330 if (cr) { /* Command */ 1331 /* 1332 * If there is no DLC present, this is a new 1333 * connection so attempt to make one 1334 */ 1335 if (dlc == NULL) { 1336 dlc = rfcomm_dlc_newconn(rs, pn.dlci); 1337 if (dlc == NULL) 1338 return; /* (DM is sent) */ 1339 } 1340 1341 /* accept any valid MTU, and offer it back */ 1342 pn.mtu = min(pn.mtu, RFCOMM_MTU_MAX); 1343 pn.mtu = min(pn.mtu, rs->rs_mtu); 1344 pn.mtu = max(pn.mtu, RFCOMM_MTU_MIN); 1345 dlc->rd_mtu = pn.mtu; 1346 pn.mtu = htole16(pn.mtu); 1347 1348 /* credits are only set before DLC is open */ 1349 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT 1350 && (pn.flow_control & 0xf0) == 0xf0) { 1351 rs->rs_flags |= RFCOMM_SESSION_CFC; 1352 dlc->rd_txcred = pn.credits & 0x07; 1353 1354 dlc->rd_rxcred = (dlc->rd_rxsize / dlc->rd_mtu); 1355 dlc->rd_rxcred = min(dlc->rd_rxcred, 1356 RFCOMM_CREDITS_DEFAULT); 1357 1358 pn.flow_control = 0xe0; 1359 pn.credits = dlc->rd_rxcred; 1360 } else { 1361 pn.flow_control = 0x00; 1362 pn.credits = 0x00; 1363 } 1364 1365 /* unused fields must be ignored and set to zero */ 1366 pn.ack_timer = 0; 1367 pn.max_retrans = 0; 1368 1369 /* send our response */ 1370 err = rfcomm_session_send_mcc(rs, 0, 1371 RFCOMM_MCC_PN, &pn, sizeof(pn)); 1372 if (err) 1373 goto close; 1374 1375 } else { /* Response */ 1376 /* ignore responses with no matching DLC */ 1377 if (dlc == NULL) 1378 return; 1379 1380 callout_stop(&dlc->rd_timeout); 1381 1382 /* reject invalid or unacceptable MTU */ 1383 if (pn.mtu < RFCOMM_MTU_MIN || pn.mtu > dlc->rd_mtu) { 1384 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT; 1385 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 1386 pn.dlci); 1387 if (err) 1388 goto close; 1389 1390 callout_schedule(&dlc->rd_timeout, 1391 rfcomm_ack_timeout * hz); 1392 return; 1393 } 1394 dlc->rd_mtu = pn.mtu; 1395 1396 /* if DLC is not waiting to connect, we are done */ 1397 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT) 1398 return; 1399 1400 /* set initial credits according to RFCOMM spec */ 1401 if ((pn.flow_control & 0xf0) == 0xe0) { 1402 rs->rs_flags |= RFCOMM_SESSION_CFC; 1403 dlc->rd_txcred = (pn.credits & 0x07); 1404 } 1405 1406 callout_schedule(&dlc->rd_timeout, rfcomm_ack_timeout * hz); 1407 1408 /* set link mode */ 1409 err = rfcomm_dlc_setmode(dlc); 1410 if (err == EINPROGRESS) { 1411 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_SABM; 1412 (*dlc->rd_proto->connecting)(dlc->rd_upper); 1413 return; 1414 } 1415 if (err) 1416 goto close; 1417 1418 /* we can proceed now */ 1419 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, pn.dlci); 1420 if (err) 1421 goto close; 1422 1423 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA; 1424 } 1425 return; 1426 1427 close: 1428 rfcomm_dlc_close(dlc, err); 1429 } 1430 1431 /* 1432 * process Non Supported Command command/response 1433 */ 1434 static void 1435 rfcomm_session_recv_mcc_nsc(struct rfcomm_session *rs, 1436 int cr, struct mbuf *m) 1437 { 1438 struct rfcomm_dlc *dlc, *next; 1439 1440 /* 1441 * Since we did nothing that is not mandatory, 1442 * we just abort the whole session.. 1443 */ 1444 1445 next = LIST_FIRST(&rs->rs_dlcs); 1446 while ((dlc = next) != NULL) { 1447 next = LIST_NEXT(dlc, rd_next); 1448 rfcomm_dlc_close(dlc, ECONNABORTED); 1449 } 1450 1451 rfcomm_session_free(rs); 1452 } 1453 1454 /*********************************************************************** 1455 * 1456 * RFCOMM Session outward frame/uih/mcc building 1457 */ 1458 1459 /* 1460 * SABM/DISC/DM/UA frames are all minimal and mostly identical. 1461 */ 1462 int 1463 rfcomm_session_send_frame(struct rfcomm_session *rs, int type, int dlci) 1464 { 1465 struct rfcomm_cmd_hdr *hdr; 1466 struct rfcomm_credit *credit; 1467 struct mbuf *m; 1468 uint8_t fcs, cr; 1469 1470 credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT); 1471 if (credit == NULL) 1472 return ENOMEM; 1473 1474 m = m_gethdr(M_DONTWAIT, MT_DATA); 1475 if (m == NULL) { 1476 pool_put(&rfcomm_credit_pool, credit); 1477 return ENOMEM; 1478 } 1479 1480 /* 1481 * The CR (command/response) bit identifies the frame either as a 1482 * commmand or a response and is used along with the DLCI to form 1483 * the address. Commands contain the non-initiator address, whereas 1484 * responses contain the initiator address, so the CR value is 1485 * also dependent on the session direction. 1486 */ 1487 if (type == RFCOMM_FRAME_UA || type == RFCOMM_FRAME_DM) 1488 cr = IS_INITIATOR(rs) ? 0 : 1; 1489 else 1490 cr = IS_INITIATOR(rs) ? 1 : 0; 1491 1492 hdr = mtod(m, struct rfcomm_cmd_hdr *); 1493 hdr->address = RFCOMM_MKADDRESS(cr, dlci); 1494 hdr->control = RFCOMM_MKCONTROL(type, 1); /* PF = 1 */ 1495 hdr->length = (0x00 << 1) | 0x01; /* len = 0x00, EA = 1 */ 1496 1497 fcs = 0xff; 1498 fcs = FCS(fcs, hdr->address); 1499 fcs = FCS(fcs, hdr->control); 1500 fcs = FCS(fcs, hdr->length); 1501 fcs = 0xff - fcs; /* ones complement */ 1502 hdr->fcs = fcs; 1503 1504 m->m_pkthdr.len = m->m_len = sizeof(struct rfcomm_cmd_hdr); 1505 1506 /* empty credit note */ 1507 credit->rc_dlc = NULL; 1508 credit->rc_len = m->m_pkthdr.len; 1509 SIMPLEQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next); 1510 1511 DPRINTFN(5, "dlci %d type %2.2x (%d bytes, fcs=%#2.2x)\n", 1512 dlci, type, m->m_pkthdr.len, fcs); 1513 1514 return l2cap_send(rs->rs_l2cap, m); 1515 } 1516 1517 /* 1518 * rfcomm_session_send_uih(rfcomm_session, rfcomm_dlc, credits, mbuf) 1519 * 1520 * UIH frame is per DLC data or Multiplexer Control Commands 1521 * when no DLC is given. Data mbuf is optional (just credits 1522 * will be sent in that case) 1523 */ 1524 int 1525 rfcomm_session_send_uih(struct rfcomm_session *rs, struct rfcomm_dlc *dlc, 1526 int credits, struct mbuf *m) 1527 { 1528 struct rfcomm_credit *credit; 1529 struct mbuf *m0 = NULL; 1530 int err, len; 1531 uint8_t fcs, *hdr; 1532 1533 KASSERT(rs != NULL); 1534 1535 len = (m == NULL) ? 0 : m->m_pkthdr.len; 1536 KASSERT(!(credits == 0 && len == 0)); 1537 1538 /* 1539 * Make a credit note for the completion notification 1540 */ 1541 credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT); 1542 if (credit == NULL) 1543 goto nomem; 1544 1545 credit->rc_len = len; 1546 credit->rc_dlc = dlc; 1547 1548 /* 1549 * Wrap UIH frame information around payload. 1550 * 1551 * [ADDRESS] [CONTROL] [LENGTH] [CREDITS] [...] [FCS] 1552 * 1553 * Address is one octet. 1554 * Control is one octet. 1555 * Length is one or two octets. 1556 * Credits may be one octet. 1557 * 1558 * FCS is one octet and calculated on address and 1559 * control octets only. 1560 * 1561 * If there are credits to be sent, we will set the PF 1562 * flag and include them in the frame. 1563 */ 1564 m0 = m_gethdr(M_DONTWAIT, MT_DATA); 1565 if (m0 == NULL) 1566 goto nomem; 1567 1568 MH_ALIGN(m0, 5); /* (max 5 header octets) */ 1569 hdr = mtod(m0, uint8_t *); 1570 1571 /* CR bit is set according to the initiator of the session */ 1572 *hdr = RFCOMM_MKADDRESS((IS_INITIATOR(rs) ? 1 : 0), 1573 (dlc ? dlc->rd_dlci : 0)); 1574 fcs = FCS(0xff, *hdr); 1575 hdr++; 1576 1577 /* PF bit is set if credits are being sent */ 1578 *hdr = RFCOMM_MKCONTROL(RFCOMM_FRAME_UIH, (credits > 0 ? 1 : 0)); 1579 fcs = FCS(fcs, *hdr); 1580 hdr++; 1581 1582 if (len < (1 << 7)) { 1583 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1584 } else { 1585 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1586 *hdr++ = ((len >> 7) & 0xff); /* 8 bits, no EA */ 1587 } 1588 1589 if (credits > 0) 1590 *hdr++ = (uint8_t)credits; 1591 1592 m0->m_len = hdr - mtod(m0, uint8_t *); 1593 1594 /* Append payload */ 1595 m0->m_next = m; 1596 m = NULL; 1597 1598 m0->m_pkthdr.len = m0->m_len + len; 1599 1600 /* Append FCS */ 1601 fcs = 0xff - fcs; /* ones complement */ 1602 len = m0->m_pkthdr.len; 1603 m_copyback(m0, len, sizeof(fcs), &fcs); 1604 if (m0->m_pkthdr.len != len + sizeof(fcs)) 1605 goto nomem; 1606 1607 DPRINTFN(10, "dlci %d, pktlen %d (%d data, %d credits), fcs=%#2.2x\n", 1608 dlc ? dlc->rd_dlci : 0, m0->m_pkthdr.len, credit->rc_len, 1609 credits, fcs); 1610 1611 /* 1612 * UIH frame ready to go.. 1613 */ 1614 err = l2cap_send(rs->rs_l2cap, m0); 1615 if (err) 1616 goto fail; 1617 1618 SIMPLEQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next); 1619 return 0; 1620 1621 nomem: 1622 err = ENOMEM; 1623 1624 if (m0 != NULL) 1625 m_freem(m0); 1626 1627 if (m != NULL) 1628 m_freem(m); 1629 1630 fail: 1631 if (credit != NULL) 1632 pool_put(&rfcomm_credit_pool, credit); 1633 1634 return err; 1635 } 1636 1637 /* 1638 * send Multiplexer Control Command (or Response) on session 1639 */ 1640 int 1641 rfcomm_session_send_mcc(struct rfcomm_session *rs, int cr, 1642 uint8_t type, void *data, int len) 1643 { 1644 struct mbuf *m; 1645 uint8_t *hdr; 1646 int hlen; 1647 1648 m = m_gethdr(M_DONTWAIT, MT_DATA); 1649 if (m == NULL) 1650 return ENOMEM; 1651 1652 hdr = mtod(m, uint8_t *); 1653 1654 /* 1655 * Technically the type field can extend past one octet, but none 1656 * currently defined will do that. 1657 */ 1658 *hdr++ = RFCOMM_MKMCC_TYPE(cr, type); 1659 1660 /* 1661 * In the frame, the max length size is 2 octets (15 bits) whereas 1662 * no max length size is specified for MCC commands. We must allow 1663 * for 3 octets since for MCC frames we use 7 bits + EA in each. 1664 * 1665 * Only test data can possibly be that big. 1666 * 1667 * XXX Should we check this against the MTU? 1668 */ 1669 if (len < (1 << 7)) { 1670 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1671 } else if (len < (1 << 14)) { 1672 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1673 *hdr++ = ((len >> 6) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1674 } else if (len < (1 << 15)) { 1675 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1676 *hdr++ = ((len >> 6) & 0xfe); /* 7 bits, EA = 0 */ 1677 *hdr++ = ((len >> 13) & 0x02) | 0x01; /* 1 bit, EA = 1 */ 1678 } else { 1679 DPRINTF("incredible length! (%d)\n", len); 1680 m_freem(m); 1681 return EMSGSIZE; 1682 } 1683 1684 /* 1685 * add command data (to same mbuf if possible) 1686 */ 1687 hlen = hdr - mtod(m, uint8_t *); 1688 1689 if (len > 0) { 1690 m->m_pkthdr.len = m->m_len = MHLEN; 1691 m_copyback(m, hlen, len, data); 1692 if (m->m_pkthdr.len != max(MHLEN, hlen + len)) { 1693 m_freem(m); 1694 return ENOMEM; 1695 } 1696 } 1697 1698 m->m_pkthdr.len = hlen + len; 1699 m->m_len = min(MHLEN, m->m_pkthdr.len); 1700 1701 DPRINTFN(5, "%s type %2.2x len %d\n", 1702 (cr ? "command" : "response"), type, m->m_pkthdr.len); 1703 1704 return rfcomm_session_send_uih(rs, NULL, 0, m); 1705 } 1706