1 /* $NetBSD: hci_socket.c,v 1.3 2006/08/17 17:11:28 christos Exp $ */ 2 3 /*- 4 * Copyright (c) 2005 Iain Hibbert. 5 * Copyright (c) 2006 Itronix Inc. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. The name of Itronix Inc. may not be used to endorse 17 * or promote products derived from this software without specific 18 * prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 22 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 23 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY 24 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 25 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 26 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 27 * ON ANY THEORY OF LIABILITY, WHETHER IN 28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30 * POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include <sys/cdefs.h> 34 __KERNEL_RCSID(0, "$NetBSD: hci_socket.c,v 1.3 2006/08/17 17:11:28 christos Exp $"); 35 36 #include "opt_bluetooth.h" 37 #ifdef BLUETOOTH_DEBUG 38 #define PRCOREQUESTS 39 #endif 40 41 #include <sys/param.h> 42 #include <sys/domain.h> 43 #include <sys/kauth.h> 44 #include <sys/kernel.h> 45 #include <sys/mbuf.h> 46 #include <sys/proc.h> 47 #include <sys/protosw.h> 48 #include <sys/socket.h> 49 #include <sys/socketvar.h> 50 #include <sys/systm.h> 51 52 #include <netbt/bluetooth.h> 53 #include <netbt/hci.h> 54 55 /******************************************************************************* 56 * 57 * HCI SOCK_RAW Sockets - for control of Bluetooth Devices 58 * 59 */ 60 61 /* 62 * the raw HCI protocol control block 63 */ 64 struct hci_pcb { 65 struct socket *hp_socket; /* socket */ 66 unsigned int hp_flags; /* flags */ 67 bdaddr_t hp_laddr; /* local address */ 68 bdaddr_t hp_raddr; /* remote address */ 69 struct hci_filter hp_efilter; /* user event filter */ 70 struct hci_filter hp_pfilter; /* user packet filter */ 71 LIST_ENTRY(hci_pcb) hp_next; /* next HCI pcb */ 72 }; 73 74 /* hp_flags */ 75 #define HCI_PRIVILEGED (1<<0) /* no security filter for root */ 76 #define HCI_DIRECTION (1<<1) /* direction control messages */ 77 #define HCI_PROMISCUOUS (1<<2) /* listen to all units */ 78 79 LIST_HEAD(hci_pcb_list, hci_pcb) hci_pcb = LIST_HEAD_INITIALIZER(hci_pcb); 80 81 /* sysctl defaults */ 82 int hci_sendspace = HCI_CMD_PKT_SIZE; 83 int hci_recvspace = 4096; 84 85 /* 86 * Security filter routines 87 * The security mask is an bit array. 88 * If the bit is set, the opcode/event is permitted. 89 * I only allocate the security mask if needed, and give it back 90 * if requested as its quite a chunk. This could no doubt be made 91 * somewhat bit more memory efficient given that most OGF/OCF's are 92 * not used, but this way is quick. 93 */ 94 #define HCI_OPCODE_MASK_SIZE 0x800 95 96 uint32_t *hci_event_mask = NULL; 97 uint32_t *hci_opcode_mask = NULL; 98 99 static __inline int 100 hci_security_check_opcode(uint16_t opcode) 101 { 102 103 return (hci_opcode_mask[opcode >> 5] & (1 << (opcode & 0x1f))); 104 } 105 106 static __inline int 107 hci_security_check_event(uint8_t event) 108 { 109 110 return (hci_event_mask[event >> 5] & (1 << (event & 0x1f))); 111 } 112 113 static __inline void 114 hci_security_set_opcode(uint16_t opcode) 115 { 116 117 hci_opcode_mask[opcode >> 5] |= (1 << (opcode & 0x1f)); 118 } 119 120 static __inline void 121 hci_security_clr_event(uint8_t event) 122 { 123 124 hci_event_mask[event >> 5] &= ~(1 << (event & 0x1f)); 125 } 126 127 static int 128 hci_security_init(void) 129 { 130 131 if (hci_event_mask) 132 return 0; 133 134 // XXX could wait? 135 hci_event_mask = malloc(HCI_EVENT_MASK_SIZE + HCI_OPCODE_MASK_SIZE, 136 M_BLUETOOTH, M_NOWAIT | M_ZERO); 137 if (hci_event_mask == NULL) { 138 DPRINTF("no memory\n"); 139 return ENOMEM; 140 } 141 142 hci_opcode_mask = hci_event_mask + HCI_EVENT_MASK_SIZE; 143 144 /* Events */ 145 /* enable all but a few critical events */ 146 memset(hci_event_mask, 0xff, 147 HCI_EVENT_MASK_SIZE * sizeof(*hci_event_mask)); 148 hci_security_clr_event(HCI_EVENT_RETURN_LINK_KEYS); 149 hci_security_clr_event(HCI_EVENT_LINK_KEY_NOTIFICATION); 150 hci_security_clr_event(HCI_EVENT_VENDOR); 151 152 /* Commands - Link control */ 153 hci_security_set_opcode(HCI_CMD_INQUIRY); 154 hci_security_set_opcode(HCI_CMD_REMOTE_NAME_REQ); 155 hci_security_set_opcode(HCI_CMD_READ_REMOTE_FEATURES); 156 hci_security_set_opcode(HCI_CMD_READ_REMOTE_EXTENDED_FEATURES); 157 hci_security_set_opcode(HCI_CMD_READ_REMOTE_VER_INFO); 158 hci_security_set_opcode(HCI_CMD_READ_CLOCK_OFFSET); 159 hci_security_set_opcode(HCI_CMD_READ_LMP_HANDLE); 160 161 /* Commands - Link policy */ 162 hci_security_set_opcode(HCI_CMD_ROLE_DISCOVERY); 163 hci_security_set_opcode(HCI_CMD_READ_LINK_POLICY_SETTINGS); 164 hci_security_set_opcode(HCI_CMD_READ_DEFAULT_LINK_POLICY_SETTINGS); 165 166 /* Commands - Host controller and baseband */ 167 hci_security_set_opcode(HCI_CMD_READ_PIN_TYPE); 168 hci_security_set_opcode(HCI_CMD_READ_LOCAL_NAME); 169 hci_security_set_opcode(HCI_CMD_READ_CON_ACCEPT_TIMEOUT); 170 hci_security_set_opcode(HCI_CMD_READ_PAGE_TIMEOUT); 171 hci_security_set_opcode(HCI_CMD_READ_SCAN_ENABLE); 172 hci_security_set_opcode(HCI_CMD_READ_PAGE_SCAN_ACTIVITY); 173 hci_security_set_opcode(HCI_CMD_READ_INQUIRY_SCAN_ACTIVITY); 174 hci_security_set_opcode(HCI_CMD_READ_AUTH_ENABLE); 175 hci_security_set_opcode(HCI_CMD_READ_ENCRYPTION_MODE); 176 hci_security_set_opcode(HCI_CMD_READ_UNIT_CLASS); 177 hci_security_set_opcode(HCI_CMD_READ_VOICE_SETTING); 178 hci_security_set_opcode(HCI_CMD_READ_AUTO_FLUSH_TIMEOUT); 179 hci_security_set_opcode(HCI_CMD_READ_NUM_BROADCAST_RETRANS); 180 hci_security_set_opcode(HCI_CMD_READ_HOLD_MODE_ACTIVITY); 181 hci_security_set_opcode(HCI_CMD_READ_XMIT_LEVEL); 182 hci_security_set_opcode(HCI_CMD_READ_SCO_FLOW_CONTROL); 183 hci_security_set_opcode(HCI_CMD_READ_LINK_SUPERVISION_TIMEOUT); 184 hci_security_set_opcode(HCI_CMD_READ_NUM_SUPPORTED_IAC); 185 hci_security_set_opcode(HCI_CMD_READ_IAC_LAP); 186 hci_security_set_opcode(HCI_CMD_READ_PAGE_SCAN_PERIOD); 187 hci_security_set_opcode(HCI_CMD_READ_PAGE_SCAN); 188 hci_security_set_opcode(HCI_CMD_READ_INQUIRY_SCAN_TYPE); 189 hci_security_set_opcode(HCI_CMD_READ_INQUIRY_MODE); 190 hci_security_set_opcode(HCI_CMD_READ_PAGE_SCAN_TYPE); 191 hci_security_set_opcode(HCI_CMD_READ_AFH_ASSESSMENT); 192 193 /* Commands - Informational */ 194 hci_security_set_opcode(HCI_CMD_READ_LOCAL_VER); 195 hci_security_set_opcode(HCI_CMD_READ_LOCAL_COMMANDS); 196 hci_security_set_opcode(HCI_CMD_READ_LOCAL_FEATURES); 197 hci_security_set_opcode(HCI_CMD_READ_LOCAL_EXTENDED_FEATURES); 198 hci_security_set_opcode(HCI_CMD_READ_BUFFER_SIZE); 199 hci_security_set_opcode(HCI_CMD_READ_COUNTRY_CODE); 200 hci_security_set_opcode(HCI_CMD_READ_BDADDR); 201 202 /* Commands - Status */ 203 hci_security_set_opcode(HCI_CMD_READ_FAILED_CONTACT_CNTR); 204 hci_security_set_opcode(HCI_CMD_READ_LINK_QUALITY); 205 hci_security_set_opcode(HCI_CMD_READ_RSSI); 206 hci_security_set_opcode(HCI_CMD_READ_AFH_CHANNEL_MAP); 207 hci_security_set_opcode(HCI_CMD_READ_CLOCK); 208 209 /* Commands - Testing */ 210 hci_security_set_opcode(HCI_CMD_READ_LOOPBACK_MODE); 211 212 return 0; 213 } 214 215 /* 216 * When command packet reaches the device, we can drop 217 * it from the socket buffer (called from hci_output_acl) 218 */ 219 void 220 hci_drop(void *arg) 221 { 222 struct socket *so = arg; 223 224 sbdroprecord(&so->so_snd); 225 sowwakeup(so); 226 } 227 228 /* 229 * HCI socket is going away and has some pending packets. We let them 230 * go by design, but remove the context pointer as it will be invalid 231 * and we no longer need to be notified. 232 */ 233 static void 234 hci_cmdwait_flush(struct socket *so) 235 { 236 struct hci_unit *unit; 237 struct socket *ctx; 238 struct mbuf *m; 239 240 DPRINTF("flushing %p\n", so); 241 242 SIMPLEQ_FOREACH(unit, &hci_unit_list, hci_next) { 243 m = MBUFQ_FIRST(&unit->hci_cmdwait); 244 while (m != NULL) { 245 ctx = M_GETCTX(m, struct socket *); 246 if (ctx == so) 247 M_SETCTX(m, NULL); 248 249 m = MBUFQ_NEXT(m); 250 } 251 } 252 } 253 254 /* 255 * HCI send packet 256 * This came from userland, so check it out. 257 */ 258 static int 259 hci_send(struct hci_pcb *pcb, struct mbuf *m, bdaddr_t *addr) 260 { 261 struct hci_unit *unit; 262 struct mbuf *m0; 263 hci_cmd_hdr_t hdr; 264 int err; 265 266 KASSERT(m); 267 KASSERT(addr); 268 269 /* wants at least a header to start with */ 270 if (m->m_pkthdr.len < sizeof(hdr)) { 271 err = EMSGSIZE; 272 goto bad; 273 } 274 m_copydata(m, 0, sizeof(hdr), &hdr); 275 276 /* only allows CMD packets to be sent */ 277 if (hdr.type != HCI_CMD_PKT) { 278 err = EINVAL; 279 goto bad; 280 } 281 282 /* validates packet length */ 283 if (m->m_pkthdr.len != sizeof(hdr) + hdr.length) { 284 err = EMSGSIZE; 285 goto bad; 286 } 287 288 /* security checks for unprivileged users */ 289 if ((pcb->hp_flags & HCI_PRIVILEGED) == 0 290 && (hci_security_check_opcode(le16toh(hdr.opcode)) == 0)) { 291 err = EPERM; 292 goto bad; 293 } 294 295 /* finds destination */ 296 unit = hci_unit_lookup(addr); 297 if (unit == NULL) { 298 err = ENETDOWN; 299 goto bad; 300 } 301 302 /* makess a copy for precious to keep */ 303 m0 = m_copypacket(m, M_DONTWAIT); 304 if (m0 == NULL) { 305 err = ENOMEM; 306 goto bad; 307 } 308 sbappendrecord(&pcb->hp_socket->so_snd, m0); 309 M_SETCTX(m, pcb->hp_socket); /* enable drop callback */ 310 311 DPRINTFN(2, "(%s) opcode (%03x|%04x)\n", unit->hci_devname, 312 HCI_OGF(le16toh(hdr.opcode)), HCI_OCF(le16toh(hdr.opcode))); 313 314 /* Sendss it */ 315 if (unit->hci_num_cmd_pkts == 0) 316 MBUFQ_ENQUEUE(&unit->hci_cmdwait, m); 317 else 318 hci_output_cmd(unit, m); 319 320 return 0; 321 322 bad: 323 DPRINTF("packet (%d bytes) not sent (error %d)\n", 324 m->m_pkthdr.len, err); 325 if (m) m_freem(m); 326 return err; 327 } 328 329 /* 330 * User Request. 331 * up is socket 332 * m is either 333 * optional mbuf chain containing message 334 * ioctl command (PRU_CONTROL) 335 * nam is either 336 * optional mbuf chain containing an address 337 * ioctl data (PRU_CONTROL) 338 * optionally, protocol number (PRU_ATTACH) 339 * ctl is optional mbuf chain containing socket options 340 * l is pointer to process requesting action (if any) 341 * 342 * we are responsible for disposing of m and ctl if 343 * they are mbuf chains 344 */ 345 int 346 hci_usrreq(struct socket *up, int req, struct mbuf *m, 347 struct mbuf *nam, struct mbuf *ctl, struct lwp *l) 348 { 349 struct hci_pcb *pcb = (struct hci_pcb *)up->so_pcb; 350 struct sockaddr_bt *sa; 351 int err = 0, flags; 352 353 DPRINTFN(2, "%s\n", prurequests[req]); 354 355 switch(req) { 356 case PRU_CONTROL: 357 return hci_ioctl((unsigned long)m, (void *)nam, l); 358 359 case PRU_PURGEIF: 360 return EOPNOTSUPP; 361 362 case PRU_ATTACH: 363 if (pcb) 364 return EINVAL; 365 366 flags = 0; 367 if (l != NULL && kauth_authorize_generic(l->l_cred, 368 KAUTH_GENERIC_ISSUSER, &l->l_acflag)) { 369 err = hci_security_init(); 370 if (err) 371 return err; 372 } else { 373 flags = HCI_PRIVILEGED; 374 } 375 376 err = soreserve(up, hci_sendspace, hci_recvspace); 377 if (err) 378 return err; 379 380 pcb = malloc(sizeof(struct hci_pcb), M_PCB, M_NOWAIT | M_ZERO); 381 if (pcb == NULL) 382 return ENOMEM; 383 384 up->so_pcb = pcb; 385 pcb->hp_socket = up; 386 pcb->hp_flags = flags; 387 388 /* 389 * Set default user filter. By default, socket only passes 390 * Command_Complete and Command_Status Events. 391 */ 392 hci_filter_set(HCI_EVENT_COMMAND_COMPL, &pcb->hp_efilter); 393 hci_filter_set(HCI_EVENT_COMMAND_STATUS, &pcb->hp_efilter); 394 hci_filter_set(HCI_EVENT_PKT, &pcb->hp_pfilter); 395 396 LIST_INSERT_HEAD(&hci_pcb, pcb, hp_next); 397 398 return 0; 399 } 400 401 /* anything after here *requires* a pcb */ 402 if (pcb == NULL) { 403 err = EINVAL; 404 goto release; 405 } 406 407 switch(req) { 408 case PRU_DISCONNECT: 409 bdaddr_copy(&pcb->hp_raddr, BDADDR_ANY); 410 411 /* XXX we cannot call soisdisconnected() here, as it sets 412 * SS_CANTRCVMORE and SS_CANTSENDMORE. The problem being, 413 * that soisconnected() does not clear these and if you 414 * try to reconnect this socket (which is permitted) you 415 * get a broken pipe when you try to write any data. 416 */ 417 up->so_state &= ~SS_ISCONNECTED; 418 break; 419 420 case PRU_ABORT: 421 soisdisconnected(up); 422 /* fall through to */ 423 case PRU_DETACH: 424 if (up->so_snd.sb_mb != NULL) 425 hci_cmdwait_flush(up); 426 427 up->so_pcb = NULL; 428 LIST_REMOVE(pcb, hp_next); 429 free(pcb, M_PCB); 430 return 0; 431 432 case PRU_BIND: 433 KASSERT(nam); 434 sa = mtod(nam, struct sockaddr_bt *); 435 436 if (sa->bt_len != sizeof(struct sockaddr_bt)) 437 return EINVAL; 438 439 if (sa->bt_family != AF_BLUETOOTH) 440 return EAFNOSUPPORT; 441 442 bdaddr_copy(&pcb->hp_laddr, &sa->bt_bdaddr); 443 444 if (bdaddr_any(&sa->bt_bdaddr)) 445 pcb->hp_flags |= HCI_PROMISCUOUS; 446 else 447 pcb->hp_flags &= ~HCI_PROMISCUOUS; 448 449 return 0; 450 451 case PRU_CONNECT: 452 KASSERT(nam); 453 sa = mtod(nam, struct sockaddr_bt *); 454 455 if (sa->bt_len != sizeof(struct sockaddr_bt)) 456 return EINVAL; 457 458 if (sa->bt_family != AF_BLUETOOTH) 459 return EAFNOSUPPORT; 460 461 if (hci_unit_lookup(&sa->bt_bdaddr) == NULL) 462 return EADDRNOTAVAIL; 463 464 bdaddr_copy(&pcb->hp_raddr, &sa->bt_bdaddr); 465 soisconnected(up); 466 return 0; 467 468 case PRU_PEERADDR: 469 KASSERT(nam); 470 sa = mtod(nam, struct sockaddr_bt *); 471 472 memset(sa, 0, sizeof(struct sockaddr_bt)); 473 nam->m_len = 474 sa->bt_len = sizeof(struct sockaddr_bt); 475 sa->bt_family = AF_BLUETOOTH; 476 bdaddr_copy(&sa->bt_bdaddr, &pcb->hp_raddr); 477 return 0; 478 479 case PRU_SOCKADDR: 480 KASSERT(nam); 481 sa = mtod(nam, struct sockaddr_bt *); 482 483 memset(sa, 0, sizeof(struct sockaddr_bt)); 484 nam->m_len = 485 sa->bt_len = sizeof(struct sockaddr_bt); 486 sa->bt_family = AF_BLUETOOTH; 487 bdaddr_copy(&sa->bt_bdaddr, &pcb->hp_laddr); 488 return 0; 489 490 case PRU_SHUTDOWN: 491 socantsendmore(up); 492 break; 493 494 case PRU_SEND: 495 sa = NULL; 496 if (nam) { 497 sa = mtod(nam, struct sockaddr_bt *); 498 499 if (sa->bt_len != sizeof(struct sockaddr_bt)) { 500 err = EINVAL; 501 goto release; 502 } 503 504 if (sa->bt_family != AF_BLUETOOTH) { 505 err = EAFNOSUPPORT; 506 goto release; 507 } 508 } 509 510 if (ctl) /* have no use for this */ 511 m_freem(ctl); 512 513 return hci_send(pcb, m, (sa ? &sa->bt_bdaddr : &pcb->hp_raddr)); 514 515 case PRU_SENSE: 516 return 0; /* (no sense - Doh!) */ 517 518 case PRU_RCVD: 519 case PRU_RCVOOB: 520 return EOPNOTSUPP; /* (no release) */ 521 522 case PRU_ACCEPT: 523 case PRU_CONNECT2: 524 case PRU_LISTEN: 525 case PRU_SENDOOB: 526 case PRU_FASTTIMO: 527 case PRU_SLOWTIMO: 528 case PRU_PROTORCV: 529 case PRU_PROTOSEND: 530 err = EOPNOTSUPP; 531 break; 532 533 default: 534 UNKNOWN(req); 535 err = EOPNOTSUPP; 536 break; 537 } 538 539 release: 540 if (m) 541 m_freem(m); 542 if (ctl) 543 m_freem(ctl); 544 return err; 545 } 546 547 /* 548 * System is short on memory. 549 */ 550 void 551 hci_drain(void) 552 { 553 554 /* 555 * We can give the security masks back, if there 556 * are no unprivileged sockets in operation.. 557 */ 558 if (hci_event_mask) { 559 struct hci_pcb *pcb; 560 561 LIST_FOREACH(pcb, &hci_pcb, hp_next) { 562 if ((pcb->hp_flags & HCI_PRIVILEGED) == 0) 563 break; 564 } 565 566 if (pcb == NULL) { 567 free(hci_event_mask, M_BLUETOOTH); 568 hci_event_mask = NULL; 569 hci_opcode_mask = NULL; 570 } 571 } 572 } 573 574 /* 575 * get/set socket options 576 */ 577 int 578 hci_ctloutput(int req, struct socket *so, int level, 579 int optname, struct mbuf **opt) 580 { 581 struct hci_pcb *pcb = (struct hci_pcb *)so->so_pcb; 582 struct mbuf *m; 583 int err = 0; 584 585 DPRINTFN(2, "req %s\n", prcorequests[req]); 586 587 if (pcb == NULL) 588 return EINVAL; 589 590 if (level != BTPROTO_HCI) 591 return 0; 592 593 switch(req) { 594 case PRCO_GETOPT: 595 m = m_get(M_WAIT, MT_SOOPTS); 596 switch (optname) { 597 case SO_HCI_EVT_FILTER: 598 m->m_len = sizeof(struct hci_filter); 599 memcpy(mtod(m, void *), &pcb->hp_efilter, m->m_len); 600 break; 601 602 case SO_HCI_PKT_FILTER: 603 m->m_len = sizeof(struct hci_filter); 604 memcpy(mtod(m, void *), &pcb->hp_pfilter, m->m_len); 605 break; 606 607 case SO_HCI_DIRECTION: 608 m->m_len = sizeof(int); 609 if (pcb->hp_flags & HCI_DIRECTION) 610 *mtod(m, int *) = 1; 611 else 612 *mtod(m, int *) = 0; 613 break; 614 615 default: 616 err = EINVAL; 617 m_freem(m); 618 m = NULL; 619 break; 620 } 621 *opt = m; 622 break; 623 624 case PRCO_SETOPT: 625 m = *opt; 626 if (m) switch (optname) { 627 case SO_HCI_EVT_FILTER: /* set event filter */ 628 m->m_len = min(m->m_len, sizeof(struct hci_filter)); 629 memcpy(&pcb->hp_efilter, mtod(m, void *), m->m_len); 630 break; 631 632 case SO_HCI_PKT_FILTER: /* set packet filter */ 633 m->m_len = min(m->m_len, sizeof(struct hci_filter)); 634 memcpy(&pcb->hp_pfilter, mtod(m, void *), m->m_len); 635 break; 636 637 case SO_HCI_DIRECTION: /* request direction ctl messages */ 638 if (*mtod(m, int *)) 639 pcb->hp_flags |= HCI_DIRECTION; 640 else 641 pcb->hp_flags &= ~HCI_DIRECTION; 642 break; 643 644 default: 645 err = EINVAL; 646 break; 647 } 648 m_freem(m); 649 break; 650 651 default: 652 err = EINVAL; 653 break; 654 } 655 656 return err; 657 } 658 659 /* 660 * HCI mbuf tap routine 661 * 662 * copy packets to any raw HCI sockets that wish (and are 663 * permitted) to see them 664 */ 665 void 666 hci_mtap(struct mbuf *m, struct hci_unit *unit) 667 { 668 struct hci_pcb *pcb; 669 struct mbuf *m0, *ctlmsg, **ctl; 670 struct sockaddr_bt sa; 671 uint8_t type; 672 uint8_t event; 673 uint16_t opcode; 674 675 KASSERT(m->m_len >= sizeof(type)); 676 677 type = *mtod(m, uint8_t *); 678 679 memset(&sa, 0, sizeof(sa)); 680 sa.bt_len = sizeof(struct sockaddr_bt); 681 sa.bt_family = AF_BLUETOOTH; 682 bdaddr_copy(&sa.bt_bdaddr, &unit->hci_bdaddr); 683 684 LIST_FOREACH(pcb, &hci_pcb, hp_next) { 685 /* 686 * filter according to source address 687 */ 688 if ((pcb->hp_flags & HCI_PROMISCUOUS) == 0 689 && bdaddr_same(&pcb->hp_laddr, &sa.bt_bdaddr) == 0) 690 continue; 691 692 /* 693 * filter according to packet type filter 694 */ 695 if (hci_filter_test(type, &pcb->hp_pfilter) == 0) 696 continue; 697 698 /* 699 * filter according to event/security filters 700 */ 701 switch(type) { 702 case HCI_EVENT_PKT: 703 KASSERT(m->m_len >= sizeof(hci_event_hdr_t)); 704 705 event = mtod(m, hci_event_hdr_t *)->event; 706 707 if (hci_filter_test(event, &pcb->hp_efilter) == 0) 708 continue; 709 710 if ((pcb->hp_flags & HCI_PRIVILEGED) == 0 711 && hci_security_check_event(event) == 0) 712 continue; 713 break; 714 715 case HCI_CMD_PKT: 716 KASSERT(m->m_len >= sizeof(hci_cmd_hdr_t)); 717 718 opcode = le16toh(mtod(m, hci_cmd_hdr_t *)->opcode); 719 720 if ((pcb->hp_flags & HCI_PRIVILEGED) == 0 721 && hci_security_check_opcode(opcode) == 0) 722 continue; 723 break; 724 725 case HCI_ACL_DATA_PKT: 726 case HCI_SCO_DATA_PKT: 727 default: 728 if ((pcb->hp_flags & HCI_PRIVILEGED) == 0) 729 continue; 730 731 break; 732 } 733 734 /* 735 * create control messages 736 */ 737 ctlmsg = NULL; 738 ctl = &ctlmsg; 739 if (pcb->hp_flags & HCI_DIRECTION) { 740 int dir = m->m_flags & M_LINK0 ? 1 : 0; 741 742 *ctl = sbcreatecontrol((caddr_t)&dir, sizeof(dir), 743 SCM_HCI_DIRECTION, BTPROTO_HCI); 744 745 if (*ctl != NULL) 746 ctl = &((*ctl)->m_next); 747 } 748 749 /* 750 * copy to socket 751 */ 752 m0 = m_copypacket(m, M_DONTWAIT); 753 if (m0 && sbappendaddr(&pcb->hp_socket->so_rcv, 754 (struct sockaddr *)&sa, m0, ctlmsg)) { 755 sorwakeup(pcb->hp_socket); 756 } else { 757 m_freem(ctlmsg); 758 m_freem(m0); 759 } 760 } 761 } 762