1 /* $NetBSD: l2cap_signal.c,v 1.9 2007/11/10 23:12:23 plunky Exp $ */ 2 3 /*- 4 * Copyright (c) 2005 Iain Hibbert. 5 * Copyright (c) 2006 Itronix Inc. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. The name of Itronix Inc. may not be used to endorse 17 * or promote products derived from this software without specific 18 * prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 22 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 23 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY 24 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 25 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 26 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 27 * ON ANY THEORY OF LIABILITY, WHETHER IN 28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30 * POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include <sys/cdefs.h> 34 __KERNEL_RCSID(0, "$NetBSD: l2cap_signal.c,v 1.9 2007/11/10 23:12:23 plunky Exp $"); 35 36 #include <sys/param.h> 37 #include <sys/kernel.h> 38 #include <sys/mbuf.h> 39 #include <sys/proc.h> 40 #include <sys/queue.h> 41 #include <sys/systm.h> 42 43 #include <machine/stdarg.h> 44 45 #include <netbt/bluetooth.h> 46 #include <netbt/hci.h> 47 #include <netbt/l2cap.h> 48 49 /******************************************************************************* 50 * 51 * L2CAP Signal processing 52 */ 53 54 static void l2cap_recv_command_rej(struct mbuf *, struct hci_link *); 55 static void l2cap_recv_connect_req(struct mbuf *, struct hci_link *); 56 static void l2cap_recv_connect_rsp(struct mbuf *, struct hci_link *); 57 static void l2cap_recv_config_req(struct mbuf *, struct hci_link *); 58 static void l2cap_recv_config_rsp(struct mbuf *, struct hci_link *); 59 static void l2cap_recv_disconnect_req(struct mbuf *, struct hci_link *); 60 static void l2cap_recv_disconnect_rsp(struct mbuf *, struct hci_link *); 61 static void l2cap_recv_info_req(struct mbuf *, struct hci_link *); 62 static int l2cap_send_signal(struct hci_link *, uint8_t, uint8_t, uint16_t, void *); 63 static int l2cap_send_command_rej(struct hci_link *, uint8_t, uint16_t, ...); 64 65 /* 66 * process incoming signal packets (CID 0x0001). Can contain multiple 67 * requests/responses. 68 */ 69 void 70 l2cap_recv_signal(struct mbuf *m, struct hci_link *link) 71 { 72 l2cap_cmd_hdr_t cmd; 73 74 for(;;) { 75 if (m->m_pkthdr.len == 0) 76 goto finish; 77 78 if (m->m_pkthdr.len < sizeof(cmd)) 79 goto reject; 80 81 m_copydata(m, 0, sizeof(cmd), &cmd); 82 cmd.length = le16toh(cmd.length); 83 84 if (m->m_pkthdr.len < sizeof(cmd) + cmd.length) 85 goto reject; 86 87 DPRINTFN(2, "(%s) code %d, ident %d, len %d\n", 88 device_xname(link->hl_unit->hci_dev), 89 cmd.code, cmd.ident, cmd.length); 90 91 switch (cmd.code) { 92 case L2CAP_COMMAND_REJ: 93 if (cmd.length > sizeof(l2cap_cmd_rej_cp)) 94 goto finish; 95 96 l2cap_recv_command_rej(m, link); 97 break; 98 99 case L2CAP_CONNECT_REQ: 100 if (cmd.length != sizeof(l2cap_con_req_cp)) 101 goto reject; 102 103 l2cap_recv_connect_req(m, link); 104 break; 105 106 case L2CAP_CONNECT_RSP: 107 if (cmd.length != sizeof(l2cap_con_rsp_cp)) 108 goto finish; 109 110 l2cap_recv_connect_rsp(m, link); 111 break; 112 113 case L2CAP_CONFIG_REQ: 114 l2cap_recv_config_req(m, link); 115 break; 116 117 case L2CAP_CONFIG_RSP: 118 l2cap_recv_config_rsp(m, link); 119 break; 120 121 case L2CAP_DISCONNECT_REQ: 122 if (cmd.length != sizeof(l2cap_discon_req_cp)) 123 goto reject; 124 125 l2cap_recv_disconnect_req(m, link); 126 break; 127 128 case L2CAP_DISCONNECT_RSP: 129 if (cmd.length != sizeof(l2cap_discon_rsp_cp)) 130 goto finish; 131 132 l2cap_recv_disconnect_rsp(m, link); 133 break; 134 135 case L2CAP_ECHO_REQ: 136 m_adj(m, sizeof(cmd) + cmd.length); 137 l2cap_send_signal(link, L2CAP_ECHO_RSP, cmd.ident, 138 0, NULL); 139 break; 140 141 case L2CAP_ECHO_RSP: 142 m_adj(m, sizeof(cmd) + cmd.length); 143 break; 144 145 case L2CAP_INFO_REQ: 146 if (cmd.length != sizeof(l2cap_info_req_cp)) 147 goto reject; 148 149 l2cap_recv_info_req(m, link); 150 break; 151 152 case L2CAP_INFO_RSP: 153 m_adj(m, sizeof(cmd) + cmd.length); 154 break; 155 156 default: 157 goto reject; 158 } 159 } 160 161 #ifdef DIAGNOSTIC 162 panic("impossible!"); 163 #endif 164 165 reject: 166 l2cap_send_command_rej(link, cmd.ident, L2CAP_REJ_NOT_UNDERSTOOD); 167 finish: 168 m_freem(m); 169 } 170 171 /* 172 * Process Received Command Reject. For now we dont try to recover gracefully 173 * from this, it probably means that the link is garbled or the other end is 174 * insufficiently capable of handling normal traffic. (not *my* fault, no way!) 175 */ 176 static void 177 l2cap_recv_command_rej(struct mbuf *m, struct hci_link *link) 178 { 179 struct l2cap_req *req; 180 struct l2cap_channel *chan; 181 l2cap_cmd_hdr_t cmd; 182 l2cap_cmd_rej_cp cp; 183 184 m_copydata(m, 0, sizeof(cmd), &cmd); 185 m_adj(m, sizeof(cmd)); 186 187 cmd.length = le16toh(cmd.length); 188 189 m_copydata(m, 0, cmd.length, &cp); 190 m_adj(m, cmd.length); 191 192 req = l2cap_request_lookup(link, cmd.ident); 193 if (req == NULL) 194 return; 195 196 switch (le16toh(cp.reason)) { 197 case L2CAP_REJ_NOT_UNDERSTOOD: 198 /* 199 * I dont know what to do, just move up the timeout 200 */ 201 callout_schedule(&req->lr_rtx, 0); 202 break; 203 204 case L2CAP_REJ_MTU_EXCEEDED: 205 /* 206 * I didnt send any commands over L2CAP_MTU_MINIMUM size, but.. 207 * 208 * XXX maybe we should resend this, instead? 209 */ 210 link->hl_mtu = le16toh(cp.data[0]); 211 callout_schedule(&req->lr_rtx, 0); 212 break; 213 214 case L2CAP_REJ_INVALID_CID: 215 /* 216 * Well, if they dont have such a channel then our channel is 217 * most likely closed. Make it so. 218 */ 219 chan = req->lr_chan; 220 l2cap_request_free(req); 221 if (chan != NULL && chan->lc_state != L2CAP_CLOSED) 222 l2cap_close(chan, ECONNABORTED); 223 224 break; 225 226 default: 227 UNKNOWN(le16toh(cp.reason)); 228 break; 229 } 230 } 231 232 /* 233 * Process Received Connect Request. Find listening channel matching 234 * psm & addr and ask upper layer for a new channel. 235 */ 236 static void 237 l2cap_recv_connect_req(struct mbuf *m, struct hci_link *link) 238 { 239 struct sockaddr_bt laddr, raddr; 240 struct l2cap_channel *chan, *new; 241 l2cap_cmd_hdr_t cmd; 242 l2cap_con_req_cp cp; 243 int err; 244 245 /* extract cmd */ 246 m_copydata(m, 0, sizeof(cmd), &cmd); 247 m_adj(m, sizeof(cmd)); 248 249 /* extract request */ 250 m_copydata(m, 0, sizeof(cp), &cp); 251 m_adj(m, sizeof(cp)); 252 253 cp.scid = le16toh(cp.scid); 254 cp.psm = le16toh(cp.psm); 255 256 memset(&laddr, 0, sizeof(struct sockaddr_bt)); 257 laddr.bt_len = sizeof(struct sockaddr_bt); 258 laddr.bt_family = AF_BLUETOOTH; 259 laddr.bt_psm = cp.psm; 260 bdaddr_copy(&laddr.bt_bdaddr, &link->hl_unit->hci_bdaddr); 261 262 memset(&raddr, 0, sizeof(struct sockaddr_bt)); 263 raddr.bt_len = sizeof(struct sockaddr_bt); 264 raddr.bt_family = AF_BLUETOOTH; 265 raddr.bt_psm = cp.psm; 266 bdaddr_copy(&raddr.bt_bdaddr, &link->hl_bdaddr); 267 268 LIST_FOREACH(chan, &l2cap_listen_list, lc_ncid) { 269 if (chan->lc_laddr.bt_psm != laddr.bt_psm 270 && chan->lc_laddr.bt_psm != L2CAP_PSM_ANY) 271 continue; 272 273 if (!bdaddr_same(&laddr.bt_bdaddr, &chan->lc_laddr.bt_bdaddr) 274 && bdaddr_any(&chan->lc_laddr.bt_bdaddr) == 0) 275 continue; 276 277 new= (*chan->lc_proto->newconn)(chan->lc_upper, &laddr, &raddr); 278 if (new == NULL) 279 continue; 280 281 err = l2cap_cid_alloc(new); 282 if (err) { 283 l2cap_send_connect_rsp(link, cmd.ident, 284 0, cp.scid, 285 L2CAP_NO_RESOURCES); 286 287 (*new->lc_proto->disconnected)(new->lc_upper, err); 288 return; 289 } 290 291 new->lc_link = hci_acl_open(link->hl_unit, &link->hl_bdaddr); 292 KASSERT(new->lc_link == link); 293 294 new->lc_rcid = cp.scid; 295 new->lc_ident = cmd.ident; 296 297 memcpy(&new->lc_laddr, &laddr, sizeof(struct sockaddr_bt)); 298 memcpy(&new->lc_raddr, &raddr, sizeof(struct sockaddr_bt)); 299 300 new->lc_mode = chan->lc_mode; 301 302 err = l2cap_setmode(new); 303 if (err == EINPROGRESS) { 304 new->lc_state = L2CAP_WAIT_SEND_CONNECT_RSP; 305 (*new->lc_proto->connecting)(new->lc_upper); 306 return; 307 } 308 if (err) { 309 new->lc_state = L2CAP_CLOSED; 310 hci_acl_close(link, err); 311 new->lc_link = NULL; 312 313 l2cap_send_connect_rsp(link, cmd.ident, 314 0, cp.scid, 315 L2CAP_NO_RESOURCES); 316 317 (*new->lc_proto->disconnected)(new->lc_upper, err); 318 return; 319 } 320 321 err = l2cap_send_connect_rsp(link, cmd.ident, 322 new->lc_lcid, new->lc_rcid, 323 L2CAP_SUCCESS); 324 if (err) { 325 l2cap_close(new, err); 326 return; 327 } 328 329 new->lc_state = L2CAP_WAIT_CONFIG; 330 new->lc_flags |= (L2CAP_WAIT_CONFIG_REQ | L2CAP_WAIT_CONFIG_RSP); 331 err = l2cap_send_config_req(new); 332 if (err) 333 l2cap_close(new, err); 334 335 return; 336 } 337 338 l2cap_send_connect_rsp(link, cmd.ident, 339 0, cp.scid, 340 L2CAP_PSM_NOT_SUPPORTED); 341 } 342 343 /* 344 * Process Received Connect Response. 345 */ 346 static void 347 l2cap_recv_connect_rsp(struct mbuf *m, struct hci_link *link) 348 { 349 l2cap_cmd_hdr_t cmd; 350 l2cap_con_rsp_cp cp; 351 struct l2cap_req *req; 352 struct l2cap_channel *chan; 353 354 m_copydata(m, 0, sizeof(cmd), &cmd); 355 m_adj(m, sizeof(cmd)); 356 357 m_copydata(m, 0, sizeof(cp), &cp); 358 m_adj(m, sizeof(cp)); 359 360 cp.scid = le16toh(cp.scid); 361 cp.dcid = le16toh(cp.dcid); 362 cp.result = le16toh(cp.result); 363 364 req = l2cap_request_lookup(link, cmd.ident); 365 if (req == NULL || req->lr_code != L2CAP_CONNECT_REQ) 366 return; 367 368 chan = req->lr_chan; 369 if (chan != NULL && chan->lc_lcid != cp.scid) 370 return; 371 372 if (chan == NULL || chan->lc_state != L2CAP_WAIT_RECV_CONNECT_RSP) { 373 l2cap_request_free(req); 374 return; 375 } 376 377 switch (cp.result) { 378 case L2CAP_SUCCESS: 379 /* 380 * Ok, at this point we have a connection to the other party. We 381 * could indicate upstream that we are ready for business and 382 * wait for a "Configure Channel Request" but I'm not so sure 383 * that is required in our case - we will proceed directly to 384 * sending our config request. We set two state bits because in 385 * the config state we are waiting for requests and responses. 386 */ 387 l2cap_request_free(req); 388 chan->lc_rcid = cp.dcid; 389 chan->lc_state = L2CAP_WAIT_CONFIG; 390 chan->lc_flags |= (L2CAP_WAIT_CONFIG_REQ | L2CAP_WAIT_CONFIG_RSP); 391 l2cap_send_config_req(chan); 392 break; 393 394 case L2CAP_PENDING: 395 /* XXX dont release request, should start eRTX timeout? */ 396 (*chan->lc_proto->connecting)(chan->lc_upper); 397 break; 398 399 case L2CAP_PSM_NOT_SUPPORTED: 400 case L2CAP_SECURITY_BLOCK: 401 case L2CAP_NO_RESOURCES: 402 default: 403 l2cap_request_free(req); 404 l2cap_close(chan, ECONNREFUSED); 405 break; 406 } 407 } 408 409 /* 410 * Process Received Config Reqest. 411 */ 412 static void 413 l2cap_recv_config_req(struct mbuf *m, struct hci_link *link) 414 { 415 uint8_t buf[L2CAP_MTU_MINIMUM]; 416 l2cap_cmd_hdr_t cmd; 417 l2cap_cfg_req_cp cp; 418 l2cap_cfg_opt_t opt; 419 l2cap_cfg_opt_val_t val; 420 l2cap_cfg_rsp_cp rp; 421 struct l2cap_channel *chan; 422 int left, len; 423 424 m_copydata(m, 0, sizeof(cmd), &cmd); 425 m_adj(m, sizeof(cmd)); 426 left = le16toh(cmd.length); 427 428 if (left < sizeof(cp)) 429 goto reject; 430 431 m_copydata(m, 0, sizeof(cp), &cp); 432 m_adj(m, sizeof(cp)); 433 left -= sizeof(cp); 434 435 cp.dcid = le16toh(cp.dcid); 436 cp.flags = le16toh(cp.flags); 437 438 chan = l2cap_cid_lookup(cp.dcid); 439 if (chan == NULL || chan->lc_link != link 440 || chan->lc_state != L2CAP_WAIT_CONFIG 441 || (chan->lc_flags & L2CAP_WAIT_CONFIG_REQ) == 0) { 442 /* XXX we should really accept reconfiguration requests */ 443 l2cap_send_command_rej(link, cmd.ident, L2CAP_REJ_INVALID_CID, 444 L2CAP_NULL_CID, cp.dcid); 445 goto out; 446 } 447 448 /* ready our response packet */ 449 rp.scid = htole16(chan->lc_rcid); 450 rp.flags = 0; /* "No Continuation" */ 451 rp.result = L2CAP_SUCCESS; 452 len = sizeof(rp); 453 454 /* 455 * Process the packet. We build the return packet on the fly adding any 456 * unacceptable parameters as we go. As we can only return one result, 457 * unknown option takes precedence so we start our return packet anew 458 * and ignore option values thereafter as they will be re-sent. 459 * 460 * Since we do not support enough options to make overflowing the min 461 * MTU size an issue in normal use, we just reject config requests that 462 * make that happen. This could be because options are repeated or the 463 * packet is corrupted in some way. 464 * 465 * If unknown option types threaten to overflow the packet, we just 466 * ignore them. We can deny them next time. 467 */ 468 while (left > 0) { 469 if (left < sizeof(opt)) 470 goto reject; 471 472 m_copydata(m, 0, sizeof(opt), &opt); 473 m_adj(m, sizeof(opt)); 474 left -= sizeof(opt); 475 476 if (left < opt.length) 477 goto reject; 478 479 switch(opt.type & L2CAP_OPT_HINT_MASK) { 480 case L2CAP_OPT_MTU: 481 if (rp.result == L2CAP_UNKNOWN_OPTION) 482 break; 483 484 if (opt.length != L2CAP_OPT_MTU_SIZE) 485 goto reject; 486 487 m_copydata(m, 0, L2CAP_OPT_MTU_SIZE, &val); 488 val.mtu = le16toh(val.mtu); 489 490 /* 491 * XXX how do we know what the minimum acceptable MTU is 492 * for a channel? Spec says some profiles have a higher 493 * minimum but I have no way to find that out at this 494 * juncture.. 495 */ 496 if (val.mtu < L2CAP_MTU_MINIMUM) { 497 if (len + sizeof(opt) + L2CAP_OPT_MTU_SIZE > sizeof(buf)) 498 goto reject; 499 500 rp.result = L2CAP_UNACCEPTABLE_PARAMS; 501 memcpy(buf + len, &opt, sizeof(opt)); 502 len += sizeof(opt); 503 val.mtu = htole16(L2CAP_MTU_MINIMUM); 504 memcpy(buf + len, &val, L2CAP_OPT_MTU_SIZE); 505 len += L2CAP_OPT_MTU_SIZE; 506 } else 507 chan->lc_omtu = val.mtu; 508 509 break; 510 511 case L2CAP_OPT_FLUSH_TIMO: 512 if (rp.result == L2CAP_UNKNOWN_OPTION) 513 break; 514 515 if (opt.length != L2CAP_OPT_FLUSH_TIMO_SIZE) 516 goto reject; 517 518 /* 519 * I think that this is informational only - he is 520 * informing us of the flush timeout he will be using. 521 * I dont think this affects us in any significant way, 522 * so just ignore this value for now. 523 */ 524 break; 525 526 case L2CAP_OPT_QOS: 527 default: 528 /* ignore hints */ 529 if (opt.type & L2CAP_OPT_HINT_BIT) 530 break; 531 532 /* unknown options supercede all else */ 533 if (rp.result != L2CAP_UNKNOWN_OPTION) { 534 rp.result = L2CAP_UNKNOWN_OPTION; 535 len = sizeof(rp); 536 } 537 538 /* ignore if it don't fit */ 539 if (len + sizeof(opt) > sizeof(buf)) 540 break; 541 542 /* return unknown option type, but no data */ 543 buf[len++] = opt.type; 544 buf[len++] = 0; 545 break; 546 } 547 548 m_adj(m, opt.length); 549 left -= opt.length; 550 } 551 552 rp.result = htole16(rp.result); 553 memcpy(buf, &rp, sizeof(rp)); 554 l2cap_send_signal(link, L2CAP_CONFIG_RSP, cmd.ident, len, buf); 555 556 if ((cp.flags & L2CAP_OPT_CFLAG_BIT) == 0 557 && rp.result == le16toh(L2CAP_SUCCESS)) { 558 559 chan->lc_flags &= ~L2CAP_WAIT_CONFIG_REQ; 560 561 if ((chan->lc_flags & L2CAP_WAIT_CONFIG_RSP) == 0) { 562 chan->lc_state = L2CAP_OPEN; 563 /* XXX how to distinguish REconfiguration? */ 564 (*chan->lc_proto->connected)(chan->lc_upper); 565 } 566 } 567 return; 568 569 reject: 570 l2cap_send_command_rej(link, cmd.ident, L2CAP_REJ_NOT_UNDERSTOOD); 571 out: 572 m_adj(m, left); 573 } 574 575 /* 576 * Process Received Config Response. 577 */ 578 static void 579 l2cap_recv_config_rsp(struct mbuf *m, struct hci_link *link) 580 { 581 l2cap_cmd_hdr_t cmd; 582 l2cap_cfg_rsp_cp cp; 583 l2cap_cfg_opt_t opt; 584 l2cap_cfg_opt_val_t val; 585 struct l2cap_req *req; 586 struct l2cap_channel *chan; 587 int left; 588 589 m_copydata(m, 0, sizeof(cmd), &cmd); 590 m_adj(m, sizeof(cmd)); 591 left = le16toh(cmd.length); 592 593 if (left < sizeof(cp)) 594 goto out; 595 596 m_copydata(m, 0, sizeof(cp), &cp); 597 m_adj(m, sizeof(cp)); 598 left -= sizeof(cp); 599 600 cp.scid = le16toh(cp.scid); 601 cp.flags = le16toh(cp.flags); 602 cp.result = le16toh(cp.result); 603 604 req = l2cap_request_lookup(link, cmd.ident); 605 if (req == NULL || req->lr_code != L2CAP_CONFIG_REQ) 606 goto out; 607 608 chan = req->lr_chan; 609 if (chan != NULL && chan->lc_lcid != cp.scid) 610 goto out; 611 612 l2cap_request_free(req); 613 614 if (chan == NULL || chan->lc_state != L2CAP_WAIT_CONFIG 615 || (chan->lc_flags & L2CAP_WAIT_CONFIG_RSP) == 0) 616 goto out; 617 618 if ((cp.flags & L2CAP_OPT_CFLAG_BIT)) { 619 l2cap_cfg_req_cp rp; 620 621 /* 622 * They have more to tell us and want another ID to 623 * use, so send an empty config request 624 */ 625 if (l2cap_request_alloc(chan, L2CAP_CONFIG_REQ)) 626 goto discon; 627 628 rp.dcid = htole16(cp.scid); 629 rp.flags = 0; 630 631 if (l2cap_send_signal(link, L2CAP_CONFIG_REQ, link->hl_lastid, 632 sizeof(rp), &rp)) 633 goto discon; 634 } 635 636 switch(cp.result) { 637 case L2CAP_SUCCESS: 638 /* 639 * If continuation flag was not set, our config request was 640 * accepted. We may have to wait for their config request to 641 * complete, so check that but otherwise we are open 642 * 643 * There may be 'advisory' values in the packet but we just 644 * ignore those.. 645 */ 646 if ((cp.flags & L2CAP_OPT_CFLAG_BIT) == 0) { 647 chan->lc_flags &= ~L2CAP_WAIT_CONFIG_RSP; 648 649 if ((chan->lc_flags & L2CAP_WAIT_CONFIG_REQ) == 0) { 650 chan->lc_state = L2CAP_OPEN; 651 /* XXX how to distinguish REconfiguration? */ 652 (*chan->lc_proto->connected)(chan->lc_upper); 653 } 654 } 655 goto out; 656 657 case L2CAP_UNACCEPTABLE_PARAMS: 658 /* 659 * Packet contains unacceptable parameters with preferred values 660 */ 661 while (left > 0) { 662 if (left < sizeof(opt)) 663 goto discon; 664 665 m_copydata(m, 0, sizeof(opt), &opt); 666 m_adj(m, sizeof(opt)); 667 left -= sizeof(opt); 668 669 if (left < opt.length) 670 goto discon; 671 672 switch (opt.type) { 673 case L2CAP_OPT_MTU: 674 if (opt.length != L2CAP_OPT_MTU_SIZE) 675 goto discon; 676 677 m_copydata(m, 0, L2CAP_OPT_MTU_SIZE, &val); 678 chan->lc_imtu = le16toh(val.mtu); 679 if (chan->lc_imtu < L2CAP_MTU_MINIMUM) 680 chan->lc_imtu = L2CAP_MTU_DEFAULT; 681 break; 682 683 case L2CAP_OPT_FLUSH_TIMO: 684 if (opt.length != L2CAP_OPT_FLUSH_TIMO_SIZE) 685 goto discon; 686 687 /* 688 * Spec says: If we cannot honor proposed value, 689 * either disconnect or try again with original 690 * value. I can't really see why they want to 691 * interfere with OUR flush timeout in any case 692 * so we just punt for now. 693 */ 694 goto discon; 695 696 case L2CAP_OPT_QOS: 697 break; 698 699 default: 700 UNKNOWN(opt.type); 701 goto discon; 702 } 703 704 m_adj(m, opt.length); 705 left -= opt.length; 706 } 707 708 if ((cp.flags & L2CAP_OPT_CFLAG_BIT) == 0) 709 l2cap_send_config_req(chan); /* no state change */ 710 711 goto out; 712 713 case L2CAP_REJECT: 714 goto discon; 715 716 case L2CAP_UNKNOWN_OPTION: 717 /* 718 * Packet contains options not understood. Turn off unknown 719 * options by setting them to default values (means they will 720 * not be requested again). 721 * 722 * If our option was already off then fail (paranoia?) 723 * 724 * XXX Should we consider that options were set for a reason? 725 */ 726 while (left > 0) { 727 if (left < sizeof(opt)) 728 goto discon; 729 730 m_copydata(m, 0, sizeof(opt), &opt); 731 m_adj(m, sizeof(opt)); 732 left -= sizeof(opt); 733 734 if (left < opt.length) 735 goto discon; 736 737 m_adj(m, opt.length); 738 left -= opt.length; 739 740 switch(opt.type) { 741 case L2CAP_OPT_MTU: 742 if (chan->lc_imtu == L2CAP_MTU_DEFAULT) 743 goto discon; 744 745 chan->lc_imtu = L2CAP_MTU_DEFAULT; 746 break; 747 748 case L2CAP_OPT_FLUSH_TIMO: 749 if (chan->lc_flush == L2CAP_FLUSH_TIMO_DEFAULT) 750 goto discon; 751 752 chan->lc_flush = L2CAP_FLUSH_TIMO_DEFAULT; 753 break; 754 755 case L2CAP_OPT_QOS: 756 break; 757 758 default: 759 UNKNOWN(opt.type); 760 goto discon; 761 } 762 } 763 764 if ((cp.flags & L2CAP_OPT_CFLAG_BIT) == 0) 765 l2cap_send_config_req(chan); /* no state change */ 766 767 goto out; 768 769 default: 770 UNKNOWN(cp.result); 771 goto discon; 772 } 773 774 DPRINTF("how did I get here!?\n"); 775 776 discon: 777 l2cap_send_disconnect_req(chan); 778 l2cap_close(chan, ECONNABORTED); 779 780 out: 781 m_adj(m, left); 782 } 783 784 /* 785 * Process Received Disconnect Request. We must validate scid and dcid 786 * just in case but otherwise this connection is finished. 787 */ 788 static void 789 l2cap_recv_disconnect_req(struct mbuf *m, struct hci_link *link) 790 { 791 l2cap_cmd_hdr_t cmd; 792 l2cap_discon_req_cp cp; 793 l2cap_discon_rsp_cp rp; 794 struct l2cap_channel *chan; 795 796 m_copydata(m, 0, sizeof(cmd), &cmd); 797 m_adj(m, sizeof(cmd)); 798 799 m_copydata(m, 0, sizeof(cp), &cp); 800 m_adj(m, sizeof(cp)); 801 802 cp.scid = le16toh(cp.scid); 803 cp.dcid = le16toh(cp.dcid); 804 805 chan = l2cap_cid_lookup(cp.dcid); 806 if (chan == NULL || chan->lc_link != link || chan->lc_rcid != cp.scid) { 807 l2cap_send_command_rej(link, cmd.ident, L2CAP_REJ_INVALID_CID, 808 cp.dcid, cp.scid); 809 return; 810 } 811 812 rp.dcid = htole16(chan->lc_lcid); 813 rp.scid = htole16(chan->lc_rcid); 814 l2cap_send_signal(link, L2CAP_DISCONNECT_RSP, cmd.ident, 815 sizeof(rp), &rp); 816 817 if (chan->lc_state != L2CAP_CLOSED) 818 l2cap_close(chan, ECONNRESET); 819 } 820 821 /* 822 * Process Received Disconnect Response. We must validate scid and dcid but 823 * unless we were waiting for this signal, ignore it. 824 */ 825 static void 826 l2cap_recv_disconnect_rsp(struct mbuf *m, struct hci_link *link) 827 { 828 l2cap_cmd_hdr_t cmd; 829 l2cap_discon_rsp_cp cp; 830 struct l2cap_req *req; 831 struct l2cap_channel *chan; 832 833 m_copydata(m, 0, sizeof(cmd), &cmd); 834 m_adj(m, sizeof(cmd)); 835 836 m_copydata(m, 0, sizeof(cp), &cp); 837 m_adj(m, sizeof(cp)); 838 839 cp.scid = le16toh(cp.scid); 840 cp.dcid = le16toh(cp.dcid); 841 842 req = l2cap_request_lookup(link, cmd.ident); 843 if (req == NULL || req->lr_code != L2CAP_DISCONNECT_REQ) 844 return; 845 846 chan = req->lr_chan; 847 if (chan == NULL 848 || chan->lc_lcid != cp.scid 849 || chan->lc_rcid != cp.dcid) 850 return; 851 852 l2cap_request_free(req); 853 854 if (chan->lc_state != L2CAP_WAIT_DISCONNECT) 855 return; 856 857 l2cap_close(chan, 0); 858 } 859 860 /* 861 * Process Received Info Request. We must respond but alas dont 862 * support anything as yet so thats easy. 863 */ 864 static void 865 l2cap_recv_info_req(struct mbuf *m, struct hci_link *link) 866 { 867 l2cap_cmd_hdr_t cmd; 868 l2cap_info_req_cp cp; 869 l2cap_info_rsp_cp rp; 870 871 m_copydata(m, 0, sizeof(cmd), &cmd); 872 m_adj(m, sizeof(cmd)); 873 874 m_copydata(m, 0, sizeof(cp), &cp); 875 m_adj(m, sizeof(cp)); 876 877 switch(le16toh(cp.type)) { 878 case L2CAP_CONNLESS_MTU: 879 case L2CAP_EXTENDED_FEATURES: 880 default: 881 rp.type = cp.type; 882 rp.result = htole16(L2CAP_NOT_SUPPORTED); 883 884 l2cap_send_signal(link, L2CAP_INFO_RSP, cmd.ident, 885 sizeof(rp), &rp); 886 break; 887 } 888 } 889 890 /* 891 * Construct signal and wrap in C-Frame for link. 892 */ 893 static int 894 l2cap_send_signal(struct hci_link *link, uint8_t code, uint8_t ident, 895 uint16_t length, void *data) 896 { 897 struct mbuf *m; 898 l2cap_hdr_t *hdr; 899 l2cap_cmd_hdr_t *cmd; 900 901 #ifdef DIAGNOSTIC 902 if (link == NULL) 903 return ENETDOWN; 904 905 if (sizeof(l2cap_cmd_hdr_t) + length > link->hl_mtu) 906 aprint_error_dev(link->hl_unit->hci_dev, 907 "exceeding L2CAP Signal MTU for link!\n"); 908 #endif 909 910 m = m_gethdr(M_DONTWAIT, MT_DATA); 911 if (m == NULL) 912 return ENOMEM; 913 914 hdr = mtod(m, l2cap_hdr_t *); 915 cmd = (l2cap_cmd_hdr_t *)(hdr + 1); 916 917 m->m_len = m->m_pkthdr.len = MHLEN; 918 919 /* Command Data */ 920 if (length > 0) 921 m_copyback(m, sizeof(*hdr) + sizeof(*cmd), length, data); 922 923 /* Command Header */ 924 cmd->code = code; 925 cmd->ident = ident; 926 cmd->length = htole16(length); 927 length += sizeof(*cmd); 928 929 /* C-Frame Header */ 930 hdr->length = htole16(length); 931 hdr->dcid = htole16(L2CAP_SIGNAL_CID); 932 length += sizeof(*hdr); 933 934 if (m->m_pkthdr.len != MAX(MHLEN, length)) { 935 m_freem(m); 936 return ENOMEM; 937 } 938 939 m->m_pkthdr.len = length; 940 m->m_len = MIN(length, MHLEN); 941 942 DPRINTFN(2, "(%s) code %d, ident %d, len %d\n", 943 device_xname(link->hl_unit->hci_dev), code, ident, length); 944 945 return hci_acl_send(m, link, NULL); 946 } 947 948 /* 949 * Send Command Reject packet. 950 */ 951 static int 952 l2cap_send_command_rej(struct hci_link *link, uint8_t ident, 953 uint16_t reason, ...) 954 { 955 l2cap_cmd_rej_cp cp; 956 int len = 0; 957 va_list ap; 958 959 va_start(ap, reason); 960 961 cp.reason = htole16(reason); 962 963 switch (reason) { 964 case L2CAP_REJ_NOT_UNDERSTOOD: 965 len = 2; 966 break; 967 968 case L2CAP_REJ_MTU_EXCEEDED: 969 len = 4; 970 cp.data[0] = va_arg(ap, int); /* SigMTU */ 971 cp.data[0] = htole16(cp.data[0]); 972 break; 973 974 case L2CAP_REJ_INVALID_CID: 975 len = 6; 976 cp.data[0] = va_arg(ap, int); /* dcid */ 977 cp.data[0] = htole16(cp.data[0]); 978 cp.data[1] = va_arg(ap, int); /* scid */ 979 cp.data[1] = htole16(cp.data[1]); 980 break; 981 982 default: 983 UNKNOWN(reason); 984 return EINVAL; 985 } 986 987 va_end(ap); 988 989 return l2cap_send_signal(link, L2CAP_COMMAND_REJ, ident, len, &cp); 990 } 991 992 /* 993 * Send Connect Request 994 */ 995 int 996 l2cap_send_connect_req(struct l2cap_channel *chan) 997 { 998 l2cap_con_req_cp cp; 999 int err; 1000 1001 err = l2cap_request_alloc(chan, L2CAP_CONNECT_REQ); 1002 if (err) 1003 return err; 1004 1005 cp.psm = htole16(chan->lc_raddr.bt_psm); 1006 cp.scid = htole16(chan->lc_lcid); 1007 1008 return l2cap_send_signal(chan->lc_link, L2CAP_CONNECT_REQ, 1009 chan->lc_link->hl_lastid, sizeof(cp), &cp); 1010 } 1011 1012 /* 1013 * Send Config Request 1014 * 1015 * For outgoing config request, we only put options in the packet if they 1016 * differ from the default and would have to be actioned. We dont support 1017 * enough option types to make overflowing SigMTU an issue so it can all 1018 * go in one packet. 1019 */ 1020 int 1021 l2cap_send_config_req(struct l2cap_channel *chan) 1022 { 1023 l2cap_cfg_req_cp *cp; 1024 l2cap_cfg_opt_t *opt; 1025 l2cap_cfg_opt_val_t *val; 1026 uint8_t *next, buf[L2CAP_MTU_MINIMUM]; 1027 int err; 1028 1029 err = l2cap_request_alloc(chan, L2CAP_CONFIG_REQ); 1030 if (err) 1031 return err; 1032 1033 /* Config Header (4 octets) */ 1034 cp = (l2cap_cfg_req_cp *)buf; 1035 cp->dcid = htole16(chan->lc_rcid); 1036 cp->flags = 0; /* "No Continuation" */ 1037 1038 next = buf + sizeof(l2cap_cfg_req_cp); 1039 1040 /* Incoming MTU (4 octets) */ 1041 if (chan->lc_imtu != L2CAP_MTU_DEFAULT) { 1042 opt = (l2cap_cfg_opt_t *)next; 1043 opt->type = L2CAP_OPT_MTU; 1044 opt->length = L2CAP_OPT_MTU_SIZE; 1045 1046 val = (l2cap_cfg_opt_val_t *)(opt + 1); 1047 val->mtu = htole16(chan->lc_imtu); 1048 1049 next += sizeof(l2cap_cfg_opt_t) + L2CAP_OPT_MTU_SIZE; 1050 } 1051 1052 /* Flush Timeout (4 octets) */ 1053 if (chan->lc_flush != L2CAP_FLUSH_TIMO_DEFAULT) { 1054 opt = (l2cap_cfg_opt_t *)next; 1055 opt->type = L2CAP_OPT_FLUSH_TIMO; 1056 opt->length = L2CAP_OPT_FLUSH_TIMO_SIZE; 1057 1058 val = (l2cap_cfg_opt_val_t *)(opt + 1); 1059 val->flush_timo = htole16(chan->lc_flush); 1060 1061 next += sizeof(l2cap_cfg_opt_t) + L2CAP_OPT_FLUSH_TIMO_SIZE; 1062 } 1063 1064 /* Outgoing QoS Flow (24 octets) */ 1065 /* Retransmission & Flow Control (11 octets) */ 1066 /* 1067 * From here we need to start paying attention to SigMTU as we have 1068 * possibly overflowed the minimum supported.. 1069 */ 1070 1071 return l2cap_send_signal(chan->lc_link, L2CAP_CONFIG_REQ, 1072 chan->lc_link->hl_lastid, (int)(next - buf), buf); 1073 } 1074 1075 /* 1076 * Send Disconnect Request 1077 */ 1078 int 1079 l2cap_send_disconnect_req(struct l2cap_channel *chan) 1080 { 1081 l2cap_discon_req_cp cp; 1082 int err; 1083 1084 err = l2cap_request_alloc(chan, L2CAP_DISCONNECT_REQ); 1085 if (err) 1086 return err; 1087 1088 cp.dcid = htole16(chan->lc_rcid); 1089 cp.scid = htole16(chan->lc_lcid); 1090 1091 return l2cap_send_signal(chan->lc_link, L2CAP_DISCONNECT_REQ, 1092 chan->lc_link->hl_lastid, sizeof(cp), &cp); 1093 } 1094 1095 /* 1096 * Send Connect Response 1097 */ 1098 int 1099 l2cap_send_connect_rsp(struct hci_link *link, uint8_t ident, uint16_t dcid, uint16_t scid, uint16_t result) 1100 { 1101 l2cap_con_rsp_cp cp; 1102 1103 memset(&cp, 0, sizeof(cp)); 1104 cp.dcid = htole16(dcid); 1105 cp.scid = htole16(scid); 1106 cp.result = htole16(result); 1107 1108 return l2cap_send_signal(link, L2CAP_CONNECT_RSP, ident, sizeof(cp), &cp); 1109 } 1110