1 /* $OpenBSD: rfcomm_session.c,v 1.2 2007/09/17 01:33:33 krw Exp $ */ 2 /* $NetBSD: rfcomm_session.c,v 1.9 2007/04/21 06:15:23 plunky Exp $ */ 3 /* $DragonFly: src/sys/netbt/rfcomm_session.c,v 1.1 2007/12/30 20:02:56 hasso Exp $ */ 4 5 /*- 6 * Copyright (c) 2006 Itronix Inc. 7 * All rights reserved. 8 * 9 * Written by Iain Hibbert for Itronix Inc. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. The name of Itronix Inc. may not be used to endorse 20 * or promote products derived from this software without specific 21 * prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 25 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 26 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY 27 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 28 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 29 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 30 * ON ANY THEORY OF LIABILITY, WHETHER IN 31 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 32 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 #include <sys/cdefs.h> 37 38 #include <sys/param.h> 39 #include <sys/kernel.h> 40 #include <sys/mbuf.h> 41 #include <sys/proc.h> 42 #include <sys/systm.h> 43 #include <sys/types.h> 44 #include <sys/endian.h> 45 46 #include <net/if.h> 47 #include <net/pf/pfvar.h> 48 49 #include <netbt/bluetooth.h> 50 #include <netbt/hci.h> 51 #include <netbt/l2cap.h> 52 #include <netbt/rfcomm.h> 53 54 /****************************************************************************** 55 * 56 * RFCOMM Multiplexer Sessions sit directly on L2CAP channels, and can 57 * multiplex up to 30 incoming and 30 outgoing connections. 58 * Only one Multiplexer is allowed between any two devices. 59 */ 60 61 static void rfcomm_session_recv_sabm(struct rfcomm_session *, int); 62 static void rfcomm_session_recv_disc(struct rfcomm_session *, int); 63 static void rfcomm_session_recv_ua(struct rfcomm_session *, int); 64 static void rfcomm_session_recv_dm(struct rfcomm_session *, int); 65 static void rfcomm_session_recv_uih(struct rfcomm_session *, int, int, struct mbuf *, int); 66 static void rfcomm_session_recv_mcc(struct rfcomm_session *, struct mbuf *); 67 static void rfcomm_session_recv_mcc_test(struct rfcomm_session *, int, struct mbuf *); 68 static void rfcomm_session_recv_mcc_fcon(struct rfcomm_session *, int); 69 static void rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *, int); 70 static void rfcomm_session_recv_mcc_msc(struct rfcomm_session *, int, struct mbuf *); 71 static void rfcomm_session_recv_mcc_rpn(struct rfcomm_session *, int, struct mbuf *); 72 static void rfcomm_session_recv_mcc_rls(struct rfcomm_session *, int, struct mbuf *); 73 static void rfcomm_session_recv_mcc_pn(struct rfcomm_session *, int, struct mbuf *); 74 static void rfcomm_session_recv_mcc_nsc(struct rfcomm_session *, int, struct mbuf *); 75 76 /* L2CAP callbacks */ 77 static void rfcomm_session_connecting(void *); 78 static void rfcomm_session_connected(void *); 79 static void rfcomm_session_disconnected(void *, int); 80 static void *rfcomm_session_newconn(void *, struct sockaddr_bt *, struct sockaddr_bt *); 81 static void rfcomm_session_complete(void *, int); 82 static void rfcomm_session_linkmode(void *, int); 83 static void rfcomm_session_input(void *, struct mbuf *); 84 85 static const struct btproto rfcomm_session_proto = { 86 rfcomm_session_connecting, 87 rfcomm_session_connected, 88 rfcomm_session_disconnected, 89 rfcomm_session_newconn, 90 rfcomm_session_complete, 91 rfcomm_session_linkmode, 92 rfcomm_session_input, 93 }; 94 95 struct rfcomm_session_list 96 rfcomm_session_active = LIST_HEAD_INITIALIZER(rfcomm_session_active); 97 98 struct rfcomm_session_list 99 rfcomm_session_listen = LIST_HEAD_INITIALIZER(rfcomm_session_listen); 100 101 vm_zone_t rfcomm_credit_pool; 102 103 /* 104 * RFCOMM System Parameters (see section 5.3) 105 */ 106 int rfcomm_mtu_default = 127; /* bytes */ 107 int rfcomm_ack_timeout = 20; /* seconds */ 108 int rfcomm_mcc_timeout = 20; /* seconds */ 109 110 /* 111 * Reversed CRC table as per TS 07.10 Annex B.3.5 112 */ 113 static const uint8_t crctable[256] = { /* reversed, 8-bit, poly=0x07 */ 114 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 115 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 116 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 117 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 118 119 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 120 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 121 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 122 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 123 124 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 125 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 126 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 127 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 128 129 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 130 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 131 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 132 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 133 134 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 135 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 136 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 137 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 138 139 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 140 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 141 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 142 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 143 144 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 145 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 146 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 147 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 148 149 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 150 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 151 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 152 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 153 }; 154 155 #define FCS(f, d) crctable[(f) ^ (d)] 156 157 /* 158 * rfcomm_init() 159 * 160 * initialize the "credit pool". 161 */ 162 void 163 rfcomm_init(void) 164 { 165 rfcomm_credit_pool = zinit("rfcomm_credit", 166 sizeof(struct rfcomm_credit), 0, 0, 0); 167 } 168 169 /* 170 * rfcomm_session_alloc(list, sockaddr) 171 * 172 * allocate a new session and fill in the blanks, then 173 * attach session to front of specified list (active or listen) 174 */ 175 struct rfcomm_session * 176 rfcomm_session_alloc(struct rfcomm_session_list *list, 177 struct sockaddr_bt *laddr) 178 { 179 struct rfcomm_session *rs; 180 int err; 181 182 rs = kmalloc(sizeof(*rs), M_BLUETOOTH, M_NOWAIT | M_ZERO); 183 if (rs == NULL) 184 return NULL; 185 186 rs->rs_state = RFCOMM_SESSION_CLOSED; 187 188 callout_init(&rs->rs_timeout); 189 190 STAILQ_INIT(&rs->rs_credits); 191 LIST_INIT(&rs->rs_dlcs); 192 193 err = l2cap_attach(&rs->rs_l2cap, &rfcomm_session_proto, rs); 194 if (err) { 195 kfree(rs, M_BLUETOOTH); 196 return NULL; 197 } 198 199 (void)l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu); 200 201 if (laddr->bt_psm == L2CAP_PSM_ANY) 202 laddr->bt_psm = L2CAP_PSM_RFCOMM; 203 204 (void)l2cap_bind(rs->rs_l2cap, laddr); 205 206 LIST_INSERT_HEAD(list, rs, rs_next); 207 208 return rs; 209 } 210 211 /* 212 * rfcomm_session_free(rfcomm_session) 213 * 214 * release a session, including any cleanup 215 */ 216 void 217 rfcomm_session_free(struct rfcomm_session *rs) 218 { 219 struct rfcomm_credit *credit; 220 221 KKASSERT(rs != NULL); 222 KKASSERT(LIST_EMPTY(&rs->rs_dlcs)); 223 224 rs->rs_state = RFCOMM_SESSION_CLOSED; 225 226 /* 227 * If the callout is already invoked we have no way to stop it, 228 * but it will call us back right away (there are no DLC's) so 229 * not to worry. 230 */ 231 callout_stop(&rs->rs_timeout); 232 if (callout_active(&rs->rs_timeout)) 233 return; 234 235 /* 236 * Take care that rfcomm_session_disconnected() doesnt call 237 * us back either as it will do if the l2cap_channel has not 238 * been closed when we detach it.. 239 */ 240 if (rs->rs_flags & RFCOMM_SESSION_FREE) 241 return; 242 243 rs->rs_flags |= RFCOMM_SESSION_FREE; 244 245 /* throw away any remaining credit notes */ 246 while ((credit = STAILQ_FIRST(&rs->rs_credits)) != NULL) { 247 STAILQ_REMOVE_HEAD(&rs->rs_credits, rc_next); 248 pool_put(&rfcomm_credit_pool, credit); 249 } 250 251 KKASSERT(STAILQ_EMPTY(&rs->rs_credits)); 252 253 /* Goodbye! */ 254 LIST_REMOVE(rs, rs_next); 255 l2cap_detach(&rs->rs_l2cap); 256 kfree(rs, M_BLUETOOTH); 257 } 258 259 /* 260 * rfcomm_session_lookup(sockaddr, sockaddr) 261 * 262 * Find active rfcomm session matching src and dest addresses 263 * when src is BDADDR_ANY match any local address 264 */ 265 struct rfcomm_session * 266 rfcomm_session_lookup(struct sockaddr_bt *src, struct sockaddr_bt *dest) 267 { 268 struct rfcomm_session *rs; 269 struct sockaddr_bt addr; 270 271 LIST_FOREACH(rs, &rfcomm_session_active, rs_next) { 272 if (rs->rs_state == RFCOMM_SESSION_CLOSED) 273 continue; 274 275 l2cap_sockaddr(rs->rs_l2cap, &addr); 276 277 if (bdaddr_same(&src->bt_bdaddr, &addr.bt_bdaddr) == 0) 278 if (bdaddr_any(&src->bt_bdaddr) == 0) 279 continue; 280 281 l2cap_peeraddr(rs->rs_l2cap, &addr); 282 283 if (addr.bt_psm != dest->bt_psm) 284 continue; 285 286 if (bdaddr_same(&dest->bt_bdaddr, &addr.bt_bdaddr)) 287 break; 288 } 289 290 return rs; 291 } 292 293 /* 294 * rfcomm_session_timeout(rfcomm_session) 295 * 296 * Session timeouts are scheduled when a session is left or 297 * created with no DLCs, and when SABM(0) or DISC(0) are 298 * sent. 299 * 300 * So, if it is in an open state with DLC's attached then 301 * we leave it alone, otherwise the session is lost. 302 */ 303 void 304 rfcomm_session_timeout(void *arg) 305 { 306 struct rfcomm_session *rs = arg; 307 struct rfcomm_dlc *dlc; 308 309 KKASSERT(rs != NULL); 310 311 crit_enter(); 312 313 if (rs->rs_state != RFCOMM_SESSION_OPEN) { 314 DPRINTF("timeout\n"); 315 rs->rs_state = RFCOMM_SESSION_CLOSED; 316 317 while (!LIST_EMPTY(&rs->rs_dlcs)) { 318 dlc = LIST_FIRST(&rs->rs_dlcs); 319 320 rfcomm_dlc_close(dlc, ETIMEDOUT); 321 } 322 } 323 324 if (LIST_EMPTY(&rs->rs_dlcs)) { 325 DPRINTF("expiring\n"); 326 rfcomm_session_free(rs); 327 } 328 crit_exit(); 329 } 330 331 /*********************************************************************** 332 * 333 * RFCOMM Session L2CAP protocol callbacks 334 * 335 */ 336 337 static void 338 rfcomm_session_connecting(void *arg) 339 { 340 /* struct rfcomm_session *rs = arg; */ 341 342 DPRINTF("Connecting\n"); 343 } 344 345 static void 346 rfcomm_session_connected(void *arg) 347 { 348 struct rfcomm_session *rs = arg; 349 350 DPRINTF("Connected\n"); 351 352 /* 353 * L2CAP is open. 354 * 355 * If we are initiator, we can send our SABM(0) 356 * a timeout should be active? 357 * 358 * We must take note of the L2CAP MTU because currently 359 * the L2CAP implementation can only do Basic Mode. 360 */ 361 l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu); 362 363 rs->rs_mtu -= 6; /* (RFCOMM overhead could be this big) */ 364 if (rs->rs_mtu < RFCOMM_MTU_MIN) { 365 rfcomm_session_disconnected(rs, EINVAL); 366 return; 367 } 368 369 if (IS_INITIATOR(rs)) { 370 int err; 371 372 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, 0); 373 if (err) 374 rfcomm_session_disconnected(rs, err); 375 376 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout * hz, 377 rfcomm_session_timeout, rs); 378 } 379 } 380 381 static void 382 rfcomm_session_disconnected(void *arg, int err) 383 { 384 struct rfcomm_session *rs = arg; 385 struct rfcomm_dlc *dlc; 386 387 DPRINTF("Disconnected\n"); 388 389 rs->rs_state = RFCOMM_SESSION_CLOSED; 390 391 while (!LIST_EMPTY(&rs->rs_dlcs)) { 392 dlc = LIST_FIRST(&rs->rs_dlcs); 393 394 rfcomm_dlc_close(dlc, err); 395 } 396 397 rfcomm_session_free(rs); 398 } 399 400 static void * 401 rfcomm_session_newconn(void *arg, struct sockaddr_bt *laddr, 402 struct sockaddr_bt *raddr) 403 { 404 struct rfcomm_session *new, *rs = arg; 405 406 DPRINTF("New Connection\n"); 407 408 /* 409 * Incoming session connect request. We should return a new 410 * session pointer if this is acceptable. The L2CAP layer 411 * passes local and remote addresses, which we must check as 412 * only one RFCOMM session is allowed between any two devices 413 */ 414 new = rfcomm_session_lookup(laddr, raddr); 415 if (new != NULL) 416 return NULL; 417 418 new = rfcomm_session_alloc(&rfcomm_session_active, laddr); 419 if (new == NULL) 420 return NULL; 421 422 new->rs_mtu = rs->rs_mtu; 423 new->rs_state = RFCOMM_SESSION_WAIT_CONNECT; 424 425 /* 426 * schedule an expiry so that if nothing comes of it we 427 * can punt. 428 */ 429 callout_reset(&rs->rs_timeout, rfcomm_mcc_timeout * hz, 430 rfcomm_session_timeout, rs); 431 432 return new->rs_l2cap; 433 } 434 435 static void 436 rfcomm_session_complete(void *arg, int count) 437 { 438 struct rfcomm_session *rs = arg; 439 struct rfcomm_credit *credit; 440 struct rfcomm_dlc *dlc; 441 442 /* 443 * count L2CAP packets are 'complete', meaning that they are cleared 444 * our buffers (for best effort) or arrived safe (for guaranteed) so 445 * we can take it off our list and pass the message on, so that 446 * eventually the data can be removed from the sockbuf 447 */ 448 while (count-- > 0) { 449 credit = STAILQ_FIRST(&rs->rs_credits); 450 #ifdef DIAGNOSTIC 451 if (credit == NULL) { 452 kprintf("%s: too many packets completed!\n", __func__); 453 break; 454 } 455 #endif 456 dlc = credit->rc_dlc; 457 if (dlc != NULL) { 458 dlc->rd_pending--; 459 (*dlc->rd_proto->complete) 460 (dlc->rd_upper, credit->rc_len); 461 462 /* 463 * if not using credit flow control, we may push 464 * more data now 465 */ 466 if ((rs->rs_flags & RFCOMM_SESSION_CFC) == 0 467 && dlc->rd_state == RFCOMM_DLC_OPEN) { 468 rfcomm_dlc_start(dlc); 469 } 470 471 /* 472 * When shutdown is indicated, we are just waiting to 473 * clear outgoing data. 474 */ 475 if ((dlc->rd_flags & RFCOMM_DLC_SHUTDOWN) 476 && dlc->rd_txbuf == NULL && dlc->rd_pending == 0) { 477 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT; 478 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 479 dlc->rd_dlci); 480 callout_reset(&dlc->rd_timeout, 481 rfcomm_ack_timeout * hz, 482 rfcomm_dlc_timeout, dlc); 483 } 484 } 485 486 STAILQ_REMOVE_HEAD(&rs->rs_credits, rc_next); 487 pool_put(&rfcomm_credit_pool, credit); 488 } 489 490 /* 491 * If session is closed, we are just waiting to clear the queue 492 */ 493 if (rs->rs_state == RFCOMM_SESSION_CLOSED) { 494 if (STAILQ_EMPTY(&rs->rs_credits)) 495 l2cap_disconnect(rs->rs_l2cap, 0); 496 } 497 } 498 499 /* 500 * Link Mode changed 501 * 502 * This is called when a mode change is complete. Proceed with connections 503 * where appropriate, or pass the new mode to any active DLCs. 504 */ 505 static void 506 rfcomm_session_linkmode(void *arg, int new) 507 { 508 struct rfcomm_session *rs = arg; 509 struct rfcomm_dlc *dlc, *next; 510 int err, mode = 0; 511 512 DPRINTF("auth %s, encrypt %s, secure %s\n", 513 (new & L2CAP_LM_AUTH ? "on" : "off"), 514 (new & L2CAP_LM_ENCRYPT ? "on" : "off"), 515 (new & L2CAP_LM_SECURE ? "on" : "off")); 516 517 if (new & L2CAP_LM_AUTH) 518 mode |= RFCOMM_LM_AUTH; 519 520 if (new & L2CAP_LM_ENCRYPT) 521 mode |= RFCOMM_LM_ENCRYPT; 522 523 if (new & L2CAP_LM_SECURE) 524 mode |= RFCOMM_LM_SECURE; 525 526 next = LIST_FIRST(&rs->rs_dlcs); 527 while ((dlc = next) != NULL) { 528 next = LIST_NEXT(dlc, rd_next); 529 530 switch (dlc->rd_state) { 531 case RFCOMM_DLC_WAIT_SEND_SABM: /* we are connecting */ 532 if ((mode & dlc->rd_mode) != dlc->rd_mode) { 533 rfcomm_dlc_close(dlc, ECONNABORTED); 534 } else { 535 err = rfcomm_session_send_frame(rs, 536 RFCOMM_FRAME_SABM, dlc->rd_dlci); 537 if (err) { 538 rfcomm_dlc_close(dlc, err); 539 } else { 540 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA; 541 callout_reset(&dlc->rd_timeout, 542 rfcomm_ack_timeout * hz, 543 rfcomm_dlc_timeout, dlc); 544 545 break; 546 } 547 } 548 549 /* 550 * If we aborted the connection and there are no more DLCs 551 * on the session, it is our responsibility to disconnect. 552 */ 553 if (!LIST_EMPTY(&rs->rs_dlcs)) 554 break; 555 556 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT; 557 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0); 558 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout * hz, 559 rfcomm_session_timeout, rs); 560 break; 561 562 case RFCOMM_DLC_WAIT_SEND_UA: /* they are connecting */ 563 if ((mode & dlc->rd_mode) != dlc->rd_mode) { 564 rfcomm_session_send_frame(rs, 565 RFCOMM_FRAME_DM, dlc->rd_dlci); 566 rfcomm_dlc_close(dlc, ECONNABORTED); 567 break; 568 } 569 570 err = rfcomm_session_send_frame(rs, 571 RFCOMM_FRAME_UA, dlc->rd_dlci); 572 if (err) { 573 rfcomm_session_send_frame(rs, 574 RFCOMM_FRAME_DM, dlc->rd_dlci); 575 rfcomm_dlc_close(dlc, err); 576 break; 577 } 578 579 err = rfcomm_dlc_open(dlc); 580 if (err) { 581 rfcomm_session_send_frame(rs, 582 RFCOMM_FRAME_DM, dlc->rd_dlci); 583 rfcomm_dlc_close(dlc, err); 584 break; 585 } 586 587 break; 588 589 case RFCOMM_DLC_WAIT_RECV_UA: 590 case RFCOMM_DLC_OPEN: /* already established */ 591 (*dlc->rd_proto->linkmode)(dlc->rd_upper, mode); 592 break; 593 594 default: 595 break; 596 } 597 } 598 } 599 600 /* 601 * Receive data from L2CAP layer for session. There is always exactly one 602 * RFCOMM frame contained in each L2CAP frame. 603 */ 604 static void 605 rfcomm_session_input(void *arg, struct mbuf *m) 606 { 607 struct rfcomm_session *rs = arg; 608 int dlci, len, type, pf; 609 uint8_t fcs, b; 610 611 KKASSERT(m != NULL); 612 KKASSERT(rs != NULL); 613 614 /* 615 * UIH frames: FCS is only calculated on address and control fields 616 * For other frames: FCS is calculated on address, control and length 617 * Length may extend to two octets 618 */ 619 fcs = 0xff; 620 621 if (m->m_pkthdr.len < 4) { 622 DPRINTF("short frame (%d), discarded\n", m->m_pkthdr.len); 623 goto done; 624 } 625 626 /* address - one octet */ 627 m_copydata(m, 0, 1, &b); 628 m_adj(m, 1); 629 fcs = FCS(fcs, b); 630 dlci = RFCOMM_DLCI(b); 631 632 /* control - one octet */ 633 m_copydata(m, 0, 1, &b); 634 m_adj(m, 1); 635 fcs = FCS(fcs, b); 636 type = RFCOMM_TYPE(b); 637 pf = RFCOMM_PF(b); 638 639 /* length - may be two octets */ 640 m_copydata(m, 0, 1, &b); 641 m_adj(m, 1); 642 if (type != RFCOMM_FRAME_UIH) 643 fcs = FCS(fcs, b); 644 len = (b >> 1) & 0x7f; 645 646 if (RFCOMM_EA(b) == 0) { 647 if (m->m_pkthdr.len < 2) { 648 DPRINTF("short frame (%d, EA = 0), discarded\n", 649 m->m_pkthdr.len); 650 goto done; 651 } 652 653 m_copydata(m, 0, 1, &b); 654 m_adj(m, 1); 655 if (type != RFCOMM_FRAME_UIH) 656 fcs = FCS(fcs, b); 657 658 len |= (b << 7); 659 } 660 661 /* FCS byte is last octet in frame */ 662 m_copydata(m, m->m_pkthdr.len - 1, 1, &b); 663 m_adj(m, -1); 664 fcs = FCS(fcs, b); 665 666 if (fcs != 0xcf) { 667 DPRINTF("Bad FCS value (%#2.2x), frame discarded\n", fcs); 668 goto done; 669 } 670 671 DPRINTFN(10, "dlci %d, type %2.2x, len = %d\n", dlci, type, len); 672 673 switch (type) { 674 case RFCOMM_FRAME_SABM: 675 if (pf) 676 rfcomm_session_recv_sabm(rs, dlci); 677 break; 678 679 case RFCOMM_FRAME_DISC: 680 if (pf) 681 rfcomm_session_recv_disc(rs, dlci); 682 break; 683 684 case RFCOMM_FRAME_UA: 685 if (pf) 686 rfcomm_session_recv_ua(rs, dlci); 687 break; 688 689 case RFCOMM_FRAME_DM: 690 rfcomm_session_recv_dm(rs, dlci); 691 break; 692 693 case RFCOMM_FRAME_UIH: 694 rfcomm_session_recv_uih(rs, dlci, pf, m, len); 695 return; /* (no release) */ 696 697 default: 698 UNKNOWN(type); 699 break; 700 } 701 702 done: 703 m_freem(m); 704 } 705 706 /*********************************************************************** 707 * 708 * RFCOMM Session receive processing 709 */ 710 711 /* 712 * rfcomm_session_recv_sabm(rfcomm_session, dlci) 713 * 714 * Set Asyncrhonous Balanced Mode - open the channel. 715 */ 716 static void 717 rfcomm_session_recv_sabm(struct rfcomm_session *rs, int dlci) 718 { 719 struct rfcomm_dlc *dlc; 720 int err; 721 722 DPRINTFN(5, "SABM(%d)\n", dlci); 723 724 if (dlci == 0) { /* Open Session */ 725 rs->rs_state = RFCOMM_SESSION_OPEN; 726 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0); 727 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) { 728 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION) 729 rfcomm_dlc_connect(dlc); 730 } 731 return; 732 } 733 734 if (rs->rs_state != RFCOMM_SESSION_OPEN) { 735 DPRINTF("session was not even open!\n"); 736 return; 737 } 738 739 /* validate direction bit */ 740 if ((IS_INITIATOR(rs) && !RFCOMM_DIRECTION(dlci)) 741 || (!IS_INITIATOR(rs) && RFCOMM_DIRECTION(dlci))) { 742 DPRINTF("Invalid direction bit on DLCI\n"); 743 return; 744 } 745 746 /* 747 * look for our DLC - this may exist if we received PN 748 * already, or we may have to fabricate a new one. 749 */ 750 dlc = rfcomm_dlc_lookup(rs, dlci); 751 if (dlc == NULL) { 752 dlc = rfcomm_dlc_newconn(rs, dlci); 753 if (dlc == NULL) 754 return; /* (DM is sent) */ 755 } 756 757 /* 758 * ..but if this DLC is not waiting to connect, they did 759 * something wrong, ignore it. 760 */ 761 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT) 762 return; 763 764 /* set link mode */ 765 err = rfcomm_dlc_setmode(dlc); 766 if (err == EINPROGRESS) { 767 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_UA; 768 (*dlc->rd_proto->connecting)(dlc->rd_upper); 769 return; 770 } 771 if (err) 772 goto close; 773 774 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci); 775 if (err) 776 goto close; 777 778 /* and mark it open */ 779 err = rfcomm_dlc_open(dlc); 780 if (err) 781 goto close; 782 783 return; 784 785 close: 786 rfcomm_dlc_close(dlc, err); 787 } 788 789 /* 790 * Receive Disconnect Command 791 */ 792 static void 793 rfcomm_session_recv_disc(struct rfcomm_session *rs, int dlci) 794 { 795 struct rfcomm_dlc *dlc; 796 797 DPRINTFN(5, "DISC(%d)\n", dlci); 798 799 if (dlci == 0) { 800 /* 801 * Disconnect Session 802 * 803 * We set the session state to CLOSED so that when 804 * the UA frame is clear the session will be closed 805 * automatically. We wont bother to close any DLC's 806 * just yet as there should be none. In the unlikely 807 * event that something is left, it will get flushed 808 * out as the session goes down. 809 */ 810 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0); 811 rs->rs_state = RFCOMM_SESSION_CLOSED; 812 return; 813 } 814 815 dlc = rfcomm_dlc_lookup(rs, dlci); 816 if (dlc == NULL) { 817 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci); 818 return; 819 } 820 821 rfcomm_dlc_close(dlc, ECONNRESET); 822 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci); 823 } 824 825 /* 826 * Receive Unnumbered Acknowledgement Response 827 * 828 * This should be a response to a DISC or SABM frame that we 829 * have previously sent. If unexpected, ignore it. 830 */ 831 static void 832 rfcomm_session_recv_ua(struct rfcomm_session *rs, int dlci) 833 { 834 struct rfcomm_dlc *dlc; 835 836 DPRINTFN(5, "UA(%d)\n", dlci); 837 838 if (dlci == 0) { 839 switch (rs->rs_state) { 840 case RFCOMM_SESSION_WAIT_CONNECT: /* We sent SABM */ 841 callout_stop(&rs->rs_timeout); 842 rs->rs_state = RFCOMM_SESSION_OPEN; 843 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) { 844 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION) 845 rfcomm_dlc_connect(dlc); 846 } 847 break; 848 849 case RFCOMM_SESSION_WAIT_DISCONNECT: /* We sent DISC */ 850 callout_stop(&rs->rs_timeout); 851 rs->rs_state = RFCOMM_SESSION_CLOSED; 852 l2cap_disconnect(rs->rs_l2cap, 0); 853 break; 854 855 default: 856 DPRINTF("Received spurious UA(0)!\n"); 857 break; 858 } 859 860 return; 861 } 862 863 /* 864 * If we have no DLC on this dlci, we may have aborted 865 * without shutting down properly, so check if the session 866 * needs disconnecting. 867 */ 868 dlc = rfcomm_dlc_lookup(rs, dlci); 869 if (dlc == NULL) 870 goto check; 871 872 switch (dlc->rd_state) { 873 case RFCOMM_DLC_WAIT_RECV_UA: /* We sent SABM */ 874 rfcomm_dlc_open(dlc); 875 return; 876 877 case RFCOMM_DLC_WAIT_DISCONNECT: /* We sent DISC */ 878 rfcomm_dlc_close(dlc, 0); 879 break; 880 881 default: 882 DPRINTF("Received spurious UA(%d)!\n", dlci); 883 return; 884 } 885 886 check: /* last one out turns out the light */ 887 if (LIST_EMPTY(&rs->rs_dlcs)) { 888 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT; 889 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0); 890 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout*hz,rfcomm_session_timeout,rs); 891 } 892 } 893 894 /* 895 * Receive Disconnected Mode Response 896 * 897 * If this does not apply to a known DLC then we may ignore it. 898 */ 899 static void 900 rfcomm_session_recv_dm(struct rfcomm_session *rs, int dlci) 901 { 902 struct rfcomm_dlc *dlc; 903 904 DPRINTFN(5, "DM(%d)\n", dlci); 905 906 dlc = rfcomm_dlc_lookup(rs, dlci); 907 if (dlc == NULL) 908 return; 909 910 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT) 911 rfcomm_dlc_close(dlc, ECONNREFUSED); 912 else 913 rfcomm_dlc_close(dlc, ECONNRESET); 914 } 915 916 /* 917 * Receive Unnumbered Information with Header check (MCC or data packet) 918 */ 919 static void 920 rfcomm_session_recv_uih(struct rfcomm_session *rs, int dlci, 921 int pf, struct mbuf *m, int len) 922 { 923 struct rfcomm_dlc *dlc; 924 uint8_t credits = 0; 925 926 DPRINTFN(10, "UIH(%d)\n", dlci); 927 928 if (dlci == 0) { 929 rfcomm_session_recv_mcc(rs, m); 930 return; 931 } 932 933 if (m->m_pkthdr.len != len + pf) { 934 DPRINTF("Bad Frame Length (%d), frame discarded\n", 935 m->m_pkthdr.len); 936 937 goto discard; 938 } 939 940 dlc = rfcomm_dlc_lookup(rs, dlci); 941 if (dlc == NULL) { 942 DPRINTF("UIH received for non existent DLC, discarded\n"); 943 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci); 944 goto discard; 945 } 946 947 if (dlc->rd_state != RFCOMM_DLC_OPEN) { 948 DPRINTF("non-open DLC (state = %d), discarded\n", 949 dlc->rd_state); 950 goto discard; 951 } 952 953 /* if PF is set, credits were included */ 954 if (rs->rs_flags & RFCOMM_SESSION_CFC) { 955 if (pf != 0) { 956 if (m->m_pkthdr.len < sizeof(credits)) { 957 DPRINTF("Bad PF value, UIH discarded\n"); 958 goto discard; 959 } 960 961 m_copydata(m, 0, sizeof(credits), &credits); 962 m_adj(m, sizeof(credits)); 963 964 dlc->rd_txcred += credits; 965 966 if (credits > 0 && dlc->rd_txbuf != NULL) 967 rfcomm_dlc_start(dlc); 968 } 969 970 if (len == 0) 971 goto discard; 972 973 if (dlc->rd_rxcred == 0) { 974 DPRINTF("Credit limit reached, UIH discarded\n"); 975 goto discard; 976 } 977 978 if (len > dlc->rd_rxsize) { 979 DPRINTF("UIH frame exceeds rxsize, discarded\n"); 980 goto discard; 981 } 982 983 dlc->rd_rxcred--; 984 dlc->rd_rxsize -= len; 985 } 986 987 (*dlc->rd_proto->input)(dlc->rd_upper, m); 988 return; 989 990 discard: 991 m_freem(m); 992 } 993 994 /* 995 * Receive Multiplexer Control Command 996 */ 997 static void 998 rfcomm_session_recv_mcc(struct rfcomm_session *rs, struct mbuf *m) 999 { 1000 int type, cr, len; 1001 uint8_t b; 1002 1003 /* 1004 * Extract MCC header. 1005 * 1006 * Fields are variable length using extension bit = 1 to signify the 1007 * last octet in the sequence. 1008 * 1009 * Only single octet types are defined in TS 07.10/RFCOMM spec 1010 * 1011 * Length can realistically only use 15 bits (max RFCOMM MTU) 1012 */ 1013 if (m->m_pkthdr.len < sizeof(b)) { 1014 DPRINTF("Short MCC header, discarded\n"); 1015 goto release; 1016 } 1017 1018 m_copydata(m, 0, sizeof(b), &b); 1019 m_adj(m, sizeof(b)); 1020 1021 if (RFCOMM_EA(b) == 0) { /* verify no extensions */ 1022 DPRINTF("MCC type EA = 0, discarded\n"); 1023 goto release; 1024 } 1025 1026 type = RFCOMM_MCC_TYPE(b); 1027 cr = RFCOMM_CR(b); 1028 1029 len = 0; 1030 do { 1031 if (m->m_pkthdr.len < sizeof(b)) { 1032 DPRINTF("Short MCC header, discarded\n"); 1033 goto release; 1034 } 1035 1036 m_copydata(m, 0, sizeof(b), &b); 1037 m_adj(m, sizeof(b)); 1038 1039 len = (len << 7) | (b >> 1); 1040 len = min(len, RFCOMM_MTU_MAX); 1041 } while (RFCOMM_EA(b) == 0); 1042 1043 if (len != m->m_pkthdr.len) { 1044 DPRINTF("Incorrect MCC length, discarded\n"); 1045 goto release; 1046 } 1047 1048 DPRINTFN(2, "MCC %s type %2.2x (%d bytes)\n", 1049 (cr ? "command" : "response"), type, len); 1050 1051 /* 1052 * pass to command handler 1053 */ 1054 switch(type) { 1055 case RFCOMM_MCC_TEST: /* Test */ 1056 rfcomm_session_recv_mcc_test(rs, cr, m); 1057 break; 1058 1059 case RFCOMM_MCC_FCON: /* Flow Control On */ 1060 rfcomm_session_recv_mcc_fcon(rs, cr); 1061 break; 1062 1063 case RFCOMM_MCC_FCOFF: /* Flow Control Off */ 1064 rfcomm_session_recv_mcc_fcoff(rs, cr); 1065 break; 1066 1067 case RFCOMM_MCC_MSC: /* Modem Status Command */ 1068 rfcomm_session_recv_mcc_msc(rs, cr, m); 1069 break; 1070 1071 case RFCOMM_MCC_RPN: /* Remote Port Negotiation */ 1072 rfcomm_session_recv_mcc_rpn(rs, cr, m); 1073 break; 1074 1075 case RFCOMM_MCC_RLS: /* Remote Line Status */ 1076 rfcomm_session_recv_mcc_rls(rs, cr, m); 1077 break; 1078 1079 case RFCOMM_MCC_PN: /* Parameter Negotiation */ 1080 rfcomm_session_recv_mcc_pn(rs, cr, m); 1081 break; 1082 1083 case RFCOMM_MCC_NSC: /* Non Supported Command */ 1084 rfcomm_session_recv_mcc_nsc(rs, cr, m); 1085 break; 1086 1087 default: 1088 b = RFCOMM_MKMCC_TYPE(cr, type); 1089 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_NSC, &b, sizeof(b)); 1090 } 1091 1092 release: 1093 m_freem(m); 1094 } 1095 1096 /* 1097 * process TEST command/response 1098 */ 1099 static void 1100 rfcomm_session_recv_mcc_test(struct rfcomm_session *rs, int cr, struct mbuf *m) 1101 { 1102 void *data; 1103 int len; 1104 1105 if (cr == 0) /* ignore ack */ 1106 return; 1107 1108 /* 1109 * we must send all the data they included back as is 1110 */ 1111 1112 len = m->m_pkthdr.len; 1113 if (len > RFCOMM_MTU_MAX) 1114 return; 1115 1116 data = kmalloc(len, M_BLUETOOTH, M_NOWAIT); 1117 if (data == NULL) 1118 return; 1119 1120 m_copydata(m, 0, len, data); 1121 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_TEST, data, len); 1122 kfree(data, M_BLUETOOTH); 1123 } 1124 1125 /* 1126 * process Flow Control ON command/response 1127 */ 1128 static void 1129 rfcomm_session_recv_mcc_fcon(struct rfcomm_session *rs, int cr) 1130 { 1131 1132 if (cr == 0) /* ignore ack */ 1133 return; 1134 1135 rs->rs_flags |= RFCOMM_SESSION_RFC; 1136 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCON, NULL, 0); 1137 } 1138 1139 /* 1140 * process Flow Control OFF command/response 1141 */ 1142 static void 1143 rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *rs, int cr) 1144 { 1145 if (cr == 0) /* ignore ack */ 1146 return; 1147 1148 rs->rs_flags &= ~RFCOMM_SESSION_RFC; 1149 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCOFF, NULL, 0); 1150 } 1151 1152 /* 1153 * process Modem Status Command command/response 1154 */ 1155 static void 1156 rfcomm_session_recv_mcc_msc(struct rfcomm_session *rs, int cr, struct mbuf *m) 1157 { 1158 struct rfcomm_mcc_msc msc; /* (3 octets) */ 1159 struct rfcomm_dlc *dlc; 1160 int len = 0; 1161 1162 /* [ADDRESS] */ 1163 if (m->m_pkthdr.len < sizeof(msc.address)) 1164 return; 1165 1166 m_copydata(m, 0, sizeof(msc.address), &msc.address); 1167 m_adj(m, sizeof(msc.address)); 1168 len += sizeof(msc.address); 1169 1170 dlc = rfcomm_dlc_lookup(rs, RFCOMM_DLCI(msc.address)); 1171 1172 if (cr == 0) { /* ignore acks */ 1173 if (dlc != NULL) 1174 callout_stop(&dlc->rd_timeout); 1175 1176 return; 1177 } 1178 1179 if (dlc == NULL) { 1180 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, 1181 RFCOMM_DLCI(msc.address)); 1182 return; 1183 } 1184 1185 /* [SIGNALS] */ 1186 if (m->m_pkthdr.len < sizeof(msc.modem)) 1187 return; 1188 1189 m_copydata(m, 0, sizeof(msc.modem), &msc.modem); 1190 m_adj(m, sizeof(msc.modem)); 1191 len += sizeof(msc.modem); 1192 1193 dlc->rd_rmodem = msc.modem; 1194 /* XXX how do we signal this upstream? */ 1195 1196 if (RFCOMM_EA(msc.modem) == 0) { 1197 if (m->m_pkthdr.len < sizeof(msc.brk)) 1198 return; 1199 1200 m_copydata(m, 0, sizeof(msc.brk), &msc.brk); 1201 m_adj(m, sizeof(msc.brk)); 1202 len += sizeof(msc.brk); 1203 1204 /* XXX how do we signal this upstream? */ 1205 } 1206 1207 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_MSC, &msc, len); 1208 } 1209 1210 /* 1211 * process Remote Port Negotiation command/response 1212 */ 1213 static void 1214 rfcomm_session_recv_mcc_rpn(struct rfcomm_session *rs, int cr, struct mbuf *m) 1215 { 1216 struct rfcomm_mcc_rpn rpn; 1217 uint16_t mask; 1218 1219 if (cr == 0) /* ignore ack */ 1220 return; 1221 1222 /* default values */ 1223 rpn.bit_rate = RFCOMM_RPN_BR_9600; 1224 rpn.line_settings = RFCOMM_RPN_8_N_1; 1225 rpn.flow_control = RFCOMM_RPN_FLOW_NONE; 1226 rpn.xon_char = RFCOMM_RPN_XON_CHAR; 1227 rpn.xoff_char = RFCOMM_RPN_XOFF_CHAR; 1228 1229 if (m->m_pkthdr.len == sizeof(rpn)) { 1230 m_copydata(m, 0, sizeof(rpn), (caddr_t)&rpn); 1231 rpn.param_mask = RFCOMM_RPN_PM_ALL; 1232 } else if (m->m_pkthdr.len == 1) { 1233 m_copydata(m, 0, 1, (caddr_t)&rpn); 1234 rpn.param_mask = letoh16(rpn.param_mask); 1235 } else { 1236 DPRINTF("Bad RPN length (%d)\n", m->m_pkthdr.len); 1237 return; 1238 } 1239 1240 mask = 0; 1241 1242 if (rpn.param_mask & RFCOMM_RPN_PM_RATE) 1243 mask |= RFCOMM_RPN_PM_RATE; 1244 1245 if (rpn.param_mask & RFCOMM_RPN_PM_DATA 1246 && RFCOMM_RPN_DATA_BITS(rpn.line_settings) == RFCOMM_RPN_DATA_8) 1247 mask |= RFCOMM_RPN_PM_DATA; 1248 1249 if (rpn.param_mask & RFCOMM_RPN_PM_STOP 1250 && RFCOMM_RPN_STOP_BITS(rpn.line_settings) == RFCOMM_RPN_STOP_1) 1251 mask |= RFCOMM_RPN_PM_STOP; 1252 1253 if (rpn.param_mask & RFCOMM_RPN_PM_PARITY 1254 && RFCOMM_RPN_PARITY(rpn.line_settings) == RFCOMM_RPN_PARITY_NONE) 1255 mask |= RFCOMM_RPN_PM_PARITY; 1256 1257 if (rpn.param_mask & RFCOMM_RPN_PM_XON 1258 && rpn.xon_char == RFCOMM_RPN_XON_CHAR) 1259 mask |= RFCOMM_RPN_PM_XON; 1260 1261 if (rpn.param_mask & RFCOMM_RPN_PM_XOFF 1262 && rpn.xoff_char == RFCOMM_RPN_XOFF_CHAR) 1263 mask |= RFCOMM_RPN_PM_XOFF; 1264 1265 if (rpn.param_mask & RFCOMM_RPN_PM_FLOW 1266 && rpn.flow_control == RFCOMM_RPN_FLOW_NONE) 1267 mask |= RFCOMM_RPN_PM_FLOW; 1268 1269 rpn.param_mask = htole16(mask); 1270 1271 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RPN, &rpn, sizeof(rpn)); 1272 } 1273 1274 /* 1275 * process Remote Line Status command/response 1276 */ 1277 static void 1278 rfcomm_session_recv_mcc_rls(struct rfcomm_session *rs, int cr, struct mbuf *m) 1279 { 1280 struct rfcomm_mcc_rls rls; 1281 1282 if (cr == 0) /* ignore ack */ 1283 return; 1284 1285 if (m->m_pkthdr.len != sizeof(rls)) { 1286 DPRINTF("Bad RLS length %d\n", m->m_pkthdr.len); 1287 return; 1288 } 1289 1290 m_copydata(m, 0, sizeof(rls), (caddr_t)&rls); 1291 1292 /* 1293 * So far as I can tell, we just send back what 1294 * they sent us. This signifies errors that seem 1295 * irrelevent for RFCOMM over L2CAP. 1296 */ 1297 rls.address |= 0x03; /* EA = 1, CR = 1 */ 1298 rls.status &= 0x0f; /* only 4 bits valid */ 1299 1300 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RLS, &rls, sizeof(rls)); 1301 } 1302 1303 /* 1304 * process Parameter Negotiation command/response 1305 */ 1306 static void 1307 rfcomm_session_recv_mcc_pn(struct rfcomm_session *rs, int cr, struct mbuf *m) 1308 { 1309 struct rfcomm_dlc *dlc; 1310 struct rfcomm_mcc_pn pn; 1311 int err; 1312 1313 if (m->m_pkthdr.len != sizeof(pn)) { 1314 DPRINTF("Bad PN length %d\n", m->m_pkthdr.len); 1315 return; 1316 } 1317 1318 m_copydata(m, 0, sizeof(pn), (caddr_t)&pn); 1319 1320 pn.dlci &= 0x3f; 1321 pn.mtu = letoh16(pn.mtu); 1322 1323 dlc = rfcomm_dlc_lookup(rs, pn.dlci); 1324 if (cr) { /* Command */ 1325 /* 1326 * If there is no DLC present, this is a new 1327 * connection so attempt to make one 1328 */ 1329 if (dlc == NULL) { 1330 dlc = rfcomm_dlc_newconn(rs, pn.dlci); 1331 if (dlc == NULL) 1332 return; /* (DM is sent) */ 1333 } 1334 1335 /* accept any valid MTU, and offer it back */ 1336 pn.mtu = min(pn.mtu, RFCOMM_MTU_MAX); 1337 pn.mtu = min(pn.mtu, rs->rs_mtu); 1338 pn.mtu = max(pn.mtu, RFCOMM_MTU_MIN); 1339 dlc->rd_mtu = pn.mtu; 1340 pn.mtu = htole16(pn.mtu); 1341 1342 /* credits are only set before DLC is open */ 1343 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT 1344 && (pn.flow_control & 0xf0) == 0xf0) { 1345 rs->rs_flags |= RFCOMM_SESSION_CFC; 1346 dlc->rd_txcred = pn.credits & 0x07; 1347 1348 dlc->rd_rxcred = (dlc->rd_rxsize / dlc->rd_mtu); 1349 dlc->rd_rxcred = min(dlc->rd_rxcred, 1350 RFCOMM_CREDITS_DEFAULT); 1351 1352 pn.flow_control = 0xe0; 1353 pn.credits = dlc->rd_rxcred; 1354 } else { 1355 pn.flow_control = 0x00; 1356 pn.credits = 0x00; 1357 } 1358 1359 /* unused fields must be ignored and set to zero */ 1360 pn.ack_timer = 0; 1361 pn.max_retrans = 0; 1362 1363 /* send our response */ 1364 err = rfcomm_session_send_mcc(rs, 0, 1365 RFCOMM_MCC_PN, &pn, sizeof(pn)); 1366 if (err) 1367 goto close; 1368 1369 } else { /* Response */ 1370 /* ignore responses with no matching DLC */ 1371 if (dlc == NULL) 1372 return; 1373 1374 callout_stop(&dlc->rd_timeout); 1375 1376 if (pn.mtu > RFCOMM_MTU_MAX || pn.mtu > dlc->rd_mtu) { 1377 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT; 1378 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 1379 pn.dlci); 1380 if (err) 1381 goto close; 1382 1383 callout_reset(&dlc->rd_timeout, rfcomm_ack_timeout * hz, 1384 rfcomm_dlc_timeout, dlc); 1385 return; 1386 } 1387 dlc->rd_mtu = pn.mtu; 1388 1389 /* if DLC is not waiting to connect, we are done */ 1390 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT) 1391 return; 1392 1393 /* set initial credits according to RFCOMM spec */ 1394 if ((pn.flow_control & 0xf0) == 0xe0) { 1395 rs->rs_flags |= RFCOMM_SESSION_CFC; 1396 dlc->rd_txcred = (pn.credits & 0x07); 1397 } 1398 1399 callout_reset(&dlc->rd_timeout, rfcomm_ack_timeout * hz, 1400 rfcomm_dlc_timeout, dlc); 1401 1402 /* set link mode */ 1403 err = rfcomm_dlc_setmode(dlc); 1404 if (err == EINPROGRESS) { 1405 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_SABM; 1406 (*dlc->rd_proto->connecting)(dlc->rd_upper); 1407 return; 1408 } 1409 if (err) 1410 goto close; 1411 1412 /* we can proceed now */ 1413 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, pn.dlci); 1414 if (err) 1415 goto close; 1416 1417 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA; 1418 } 1419 return; 1420 1421 close: 1422 rfcomm_dlc_close(dlc, err); 1423 } 1424 1425 /* 1426 * process Non Supported Command command/response 1427 */ 1428 static void 1429 rfcomm_session_recv_mcc_nsc(struct rfcomm_session *rs, 1430 int cr, struct mbuf *m) 1431 { 1432 struct rfcomm_dlc *dlc, *next; 1433 1434 /* 1435 * Since we did nothing that is not mandatory, 1436 * we just abort the whole session.. 1437 */ 1438 1439 next = LIST_FIRST(&rs->rs_dlcs); 1440 while ((dlc = next) != NULL) { 1441 next = LIST_NEXT(dlc, rd_next); 1442 rfcomm_dlc_close(dlc, ECONNABORTED); 1443 } 1444 1445 rfcomm_session_free(rs); 1446 } 1447 1448 /*********************************************************************** 1449 * 1450 * RFCOMM Session outward frame/uih/mcc building 1451 */ 1452 1453 /* 1454 * SABM/DISC/DM/UA frames are all minimal and mostly identical. 1455 */ 1456 int 1457 rfcomm_session_send_frame(struct rfcomm_session *rs, int type, int dlci) 1458 { 1459 struct rfcomm_cmd_hdr *hdr; 1460 struct rfcomm_credit *credit; 1461 struct mbuf *m; 1462 uint8_t fcs, cr; 1463 1464 credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT); 1465 if (credit == NULL) 1466 return ENOMEM; 1467 1468 m = m_gethdr(MB_DONTWAIT, MT_DATA); 1469 if (m == NULL) { 1470 pool_put(&rfcomm_credit_pool, credit); 1471 return ENOMEM; 1472 } 1473 1474 /* 1475 * The CR (command/response) bit identifies the frame either as a 1476 * commmand or a response and is used along with the DLCI to form 1477 * the address. Commands contain the non-initiator address, whereas 1478 * responses contain the initiator address, so the CR value is 1479 * also dependent on the session direction. 1480 */ 1481 if (type == RFCOMM_FRAME_UA || type == RFCOMM_FRAME_DM) 1482 cr = IS_INITIATOR(rs) ? 0 : 1; 1483 else 1484 cr = IS_INITIATOR(rs) ? 1 : 0; 1485 1486 hdr = mtod(m, struct rfcomm_cmd_hdr *); 1487 hdr->address = RFCOMM_MKADDRESS(cr, dlci); 1488 hdr->control = RFCOMM_MKCONTROL(type, 1); /* PF = 1 */ 1489 hdr->length = (0x00 << 1) | 0x01; /* len = 0x00, EA = 1 */ 1490 1491 fcs = 0xff; 1492 fcs = FCS(fcs, hdr->address); 1493 fcs = FCS(fcs, hdr->control); 1494 fcs = FCS(fcs, hdr->length); 1495 fcs = 0xff - fcs; /* ones complement */ 1496 hdr->fcs = fcs; 1497 1498 m->m_pkthdr.len = m->m_len = sizeof(struct rfcomm_cmd_hdr); 1499 1500 /* empty credit note */ 1501 credit->rc_dlc = NULL; 1502 credit->rc_len = m->m_pkthdr.len; 1503 STAILQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next); 1504 1505 DPRINTFN(5, "dlci %d type %2.2x (%d bytes, fcs=%#2.2x)\n", 1506 dlci, type, m->m_pkthdr.len, fcs); 1507 1508 return l2cap_send(rs->rs_l2cap, m); 1509 } 1510 1511 /* 1512 * rfcomm_session_send_uih(rfcomm_session, rfcomm_dlc, credits, mbuf) 1513 * 1514 * UIH frame is per DLC data or Multiplexer Control Commands 1515 * when no DLC is given. Data mbuf is optional (just credits 1516 * will be sent in that case) 1517 */ 1518 int 1519 rfcomm_session_send_uih(struct rfcomm_session *rs, struct rfcomm_dlc *dlc, 1520 int credits, struct mbuf *m) 1521 { 1522 struct rfcomm_credit *credit; 1523 struct mbuf *m0 = NULL; 1524 int err, len; 1525 uint8_t fcs, *hdr; 1526 1527 KKASSERT(rs != NULL); 1528 1529 len = (m == NULL) ? 0 : m->m_pkthdr.len; 1530 KKASSERT(!(credits == 0 && len == 0)); 1531 1532 /* 1533 * Make a credit note for the completion notification 1534 */ 1535 credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT); 1536 if (credit == NULL) 1537 goto nomem; 1538 1539 credit->rc_len = len; 1540 credit->rc_dlc = dlc; 1541 1542 /* 1543 * Wrap UIH frame information around payload. 1544 * 1545 * [ADDRESS] [CONTROL] [LENGTH] [CREDITS] [...] [FCS] 1546 * 1547 * Address is one octet. 1548 * Control is one octet. 1549 * Length is one or two octets. 1550 * Credits may be one octet. 1551 * 1552 * FCS is one octet and calculated on address and 1553 * control octets only. 1554 * 1555 * If there are credits to be sent, we will set the PF 1556 * flag and include them in the frame. 1557 */ 1558 m0 = m_gethdr(MB_DONTWAIT, MT_DATA); 1559 if (m0 == NULL) 1560 goto nomem; 1561 1562 MH_ALIGN(m0, 5); /* (max 5 header octets) */ 1563 hdr = mtod(m0, uint8_t *); 1564 1565 /* CR bit is set according to the initiator of the session */ 1566 *hdr = RFCOMM_MKADDRESS((IS_INITIATOR(rs) ? 1 : 0), 1567 (dlc ? dlc->rd_dlci : 0)); 1568 fcs = FCS(0xff, *hdr); 1569 hdr++; 1570 1571 /* PF bit is set if credits are being sent */ 1572 *hdr = RFCOMM_MKCONTROL(RFCOMM_FRAME_UIH, (credits > 0 ? 1 : 0)); 1573 fcs = FCS(fcs, *hdr); 1574 hdr++; 1575 1576 if (len < (1 << 7)) { 1577 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1578 } else { 1579 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1580 *hdr++ = ((len >> 7) & 0xff); /* 8 bits, no EA */ 1581 } 1582 1583 if (credits > 0) 1584 *hdr++ = (uint8_t)credits; 1585 1586 m0->m_len = hdr - mtod(m0, uint8_t *); 1587 1588 /* Append payload */ 1589 m0->m_next = m; 1590 m = NULL; 1591 1592 m0->m_pkthdr.len = m0->m_len + len; 1593 1594 /* Append FCS */ 1595 fcs = 0xff - fcs; /* ones complement */ 1596 len = m0->m_pkthdr.len; 1597 m_copyback(m0, len, sizeof(fcs), &fcs); 1598 if (m0->m_pkthdr.len != len + sizeof(fcs)) 1599 goto nomem; 1600 1601 DPRINTFN(10, "dlci %d, pktlen %d (%d data, %d credits), fcs=%#2.2x\n", 1602 dlc ? dlc->rd_dlci : 0, m0->m_pkthdr.len, credit->rc_len, 1603 credits, fcs); 1604 1605 /* 1606 * UIH frame ready to go.. 1607 */ 1608 err = l2cap_send(rs->rs_l2cap, m0); 1609 if (err) 1610 goto fail; 1611 1612 STAILQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next); 1613 return 0; 1614 1615 nomem: 1616 err = ENOMEM; 1617 1618 if (m0 != NULL) 1619 m_freem(m0); 1620 1621 if (m != NULL) 1622 m_freem(m); 1623 1624 fail: 1625 if (credit != NULL) 1626 pool_put(&rfcomm_credit_pool, credit); 1627 1628 return err; 1629 } 1630 1631 /* 1632 * send Multiplexer Control Command (or Response) on session 1633 */ 1634 int 1635 rfcomm_session_send_mcc(struct rfcomm_session *rs, int cr, 1636 uint8_t type, void *data, int len) 1637 { 1638 struct mbuf *m; 1639 uint8_t *hdr; 1640 int hlen; 1641 1642 m = m_gethdr(MB_DONTWAIT, MT_DATA); 1643 if (m == NULL) 1644 return ENOMEM; 1645 1646 hdr = mtod(m, uint8_t *); 1647 1648 /* 1649 * Technically the type field can extend past one octet, but none 1650 * currently defined will do that. 1651 */ 1652 *hdr++ = RFCOMM_MKMCC_TYPE(cr, type); 1653 1654 /* 1655 * In the frame, the max length size is 2 octets (15 bits) whereas 1656 * no max length size is specified for MCC commands. We must allow 1657 * for 3 octets since for MCC frames we use 7 bits + EA in each. 1658 * 1659 * Only test data can possibly be that big. 1660 * 1661 * XXX Should we check this against the MTU? 1662 */ 1663 if (len < (1 << 7)) { 1664 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1665 } else if (len < (1 << 14)) { 1666 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1667 *hdr++ = ((len >> 6) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1668 } else if (len < (1 << 15)) { 1669 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1670 *hdr++ = ((len >> 6) & 0xfe); /* 7 bits, EA = 0 */ 1671 *hdr++ = ((len >> 13) & 0x02) | 0x01; /* 1 bit, EA = 1 */ 1672 } else { 1673 DPRINTF("incredible length! (%d)\n", len); 1674 m_freem(m); 1675 return EMSGSIZE; 1676 } 1677 1678 /* 1679 * add command data (to same mbuf if possible) 1680 */ 1681 hlen = hdr - mtod(m, uint8_t *); 1682 1683 if (len > 0) { 1684 m->m_pkthdr.len = m->m_len = MHLEN; 1685 m_copyback(m, hlen, len, data); 1686 if (m->m_pkthdr.len != max(MHLEN, hlen + len)) { 1687 m_freem(m); 1688 return ENOMEM; 1689 } 1690 } 1691 1692 m->m_pkthdr.len = hlen + len; 1693 m->m_len = min(MHLEN, m->m_pkthdr.len); 1694 1695 DPRINTFN(5, "%s type %2.2x len %d\n", 1696 (cr ? "command" : "response"), type, m->m_pkthdr.len); 1697 1698 return rfcomm_session_send_uih(rs, NULL, 0, m); 1699 } 1700