1 /* $NetBSD: rfcomm_session.c,v 1.12 2008/01/31 19:30:23 plunky Exp $ */ 2 3 /*- 4 * Copyright (c) 2006 Itronix Inc. 5 * All rights reserved. 6 * 7 * Written by Iain Hibbert for Itronix Inc. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of Itronix Inc. may not be used to endorse 18 * or promote products derived from this software without specific 19 * prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 23 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 24 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY 25 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 28 * ON ANY THEORY OF LIABILITY, WHETHER IN 29 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 30 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 31 * POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: rfcomm_session.c,v 1.12 2008/01/31 19:30:23 plunky Exp $"); 36 37 #include <sys/param.h> 38 #include <sys/kernel.h> 39 #include <sys/mbuf.h> 40 #include <sys/proc.h> 41 #include <sys/systm.h> 42 #include <sys/types.h> 43 44 #include <netbt/bluetooth.h> 45 #include <netbt/hci.h> 46 #include <netbt/l2cap.h> 47 #include <netbt/rfcomm.h> 48 49 /****************************************************************************** 50 * 51 * RFCOMM Multiplexer Sessions sit directly on L2CAP channels, and can 52 * multiplex up to 30 incoming and 30 outgoing connections. 53 * Only one Multiplexer is allowed between any two devices. 54 */ 55 56 static void rfcomm_session_timeout(void *); 57 static void rfcomm_session_recv_sabm(struct rfcomm_session *, int); 58 static void rfcomm_session_recv_disc(struct rfcomm_session *, int); 59 static void rfcomm_session_recv_ua(struct rfcomm_session *, int); 60 static void rfcomm_session_recv_dm(struct rfcomm_session *, int); 61 static void rfcomm_session_recv_uih(struct rfcomm_session *, int, int, struct mbuf *, int); 62 static void rfcomm_session_recv_mcc(struct rfcomm_session *, struct mbuf *); 63 static void rfcomm_session_recv_mcc_test(struct rfcomm_session *, int, struct mbuf *); 64 static void rfcomm_session_recv_mcc_fcon(struct rfcomm_session *, int); 65 static void rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *, int); 66 static void rfcomm_session_recv_mcc_msc(struct rfcomm_session *, int, struct mbuf *); 67 static void rfcomm_session_recv_mcc_rpn(struct rfcomm_session *, int, struct mbuf *); 68 static void rfcomm_session_recv_mcc_rls(struct rfcomm_session *, int, struct mbuf *); 69 static void rfcomm_session_recv_mcc_pn(struct rfcomm_session *, int, struct mbuf *); 70 static void rfcomm_session_recv_mcc_nsc(struct rfcomm_session *, int, struct mbuf *); 71 72 /* L2CAP callbacks */ 73 static void rfcomm_session_connecting(void *); 74 static void rfcomm_session_connected(void *); 75 static void rfcomm_session_disconnected(void *, int); 76 static void *rfcomm_session_newconn(void *, struct sockaddr_bt *, struct sockaddr_bt *); 77 static void rfcomm_session_complete(void *, int); 78 static void rfcomm_session_linkmode(void *, int); 79 static void rfcomm_session_input(void *, struct mbuf *); 80 81 static const struct btproto rfcomm_session_proto = { 82 rfcomm_session_connecting, 83 rfcomm_session_connected, 84 rfcomm_session_disconnected, 85 rfcomm_session_newconn, 86 rfcomm_session_complete, 87 rfcomm_session_linkmode, 88 rfcomm_session_input, 89 }; 90 91 struct rfcomm_session_list 92 rfcomm_session_active = LIST_HEAD_INITIALIZER(rfcomm_session_active); 93 94 struct rfcomm_session_list 95 rfcomm_session_listen = LIST_HEAD_INITIALIZER(rfcomm_session_listen); 96 97 POOL_INIT(rfcomm_credit_pool, sizeof(struct rfcomm_credit), 98 0, 0, 0, "rfcomm_credit", NULL, IPL_SOFTNET); 99 100 /* 101 * RFCOMM System Parameters (see section 5.3) 102 */ 103 int rfcomm_mtu_default = 127; /* bytes */ 104 int rfcomm_ack_timeout = 20; /* seconds */ 105 int rfcomm_mcc_timeout = 20; /* seconds */ 106 107 /* 108 * Reversed CRC table as per TS 07.10 Annex B.3.5 109 */ 110 static const uint8_t crctable[256] = { /* reversed, 8-bit, poly=0x07 */ 111 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 112 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 113 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 114 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 115 116 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 117 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 118 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 119 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 120 121 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 122 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 123 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 124 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 125 126 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 127 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 128 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 129 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 130 131 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 132 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 133 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 134 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 135 136 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 137 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 138 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 139 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 140 141 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 142 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 143 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 144 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 145 146 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 147 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 148 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 149 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 150 }; 151 152 #define FCS(f, d) crctable[(f) ^ (d)] 153 154 /* 155 * rfcomm_session_alloc(list, sockaddr) 156 * 157 * allocate a new session and fill in the blanks, then 158 * attach session to front of specified list (active or listen) 159 */ 160 struct rfcomm_session * 161 rfcomm_session_alloc(struct rfcomm_session_list *list, 162 struct sockaddr_bt *laddr) 163 { 164 struct rfcomm_session *rs; 165 int err; 166 167 rs = malloc(sizeof(*rs), M_BLUETOOTH, M_NOWAIT | M_ZERO); 168 if (rs == NULL) 169 return NULL; 170 171 rs->rs_state = RFCOMM_SESSION_CLOSED; 172 173 callout_init(&rs->rs_timeout, 0); 174 callout_setfunc(&rs->rs_timeout, rfcomm_session_timeout, rs); 175 176 SIMPLEQ_INIT(&rs->rs_credits); 177 LIST_INIT(&rs->rs_dlcs); 178 179 err = l2cap_attach(&rs->rs_l2cap, &rfcomm_session_proto, rs); 180 if (err) { 181 free(rs, M_BLUETOOTH); 182 return NULL; 183 } 184 185 (void)l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu); 186 187 if (laddr->bt_psm == L2CAP_PSM_ANY) 188 laddr->bt_psm = L2CAP_PSM_RFCOMM; 189 190 (void)l2cap_bind(rs->rs_l2cap, laddr); 191 192 LIST_INSERT_HEAD(list, rs, rs_next); 193 194 return rs; 195 } 196 197 /* 198 * rfcomm_session_free(rfcomm_session) 199 * 200 * release a session, including any cleanup 201 */ 202 void 203 rfcomm_session_free(struct rfcomm_session *rs) 204 { 205 struct rfcomm_credit *credit; 206 207 KASSERT(rs != NULL); 208 KASSERT(LIST_EMPTY(&rs->rs_dlcs)); 209 210 rs->rs_state = RFCOMM_SESSION_CLOSED; 211 212 /* 213 * If the callout is already invoked we have no way to stop it, 214 * but it will call us back right away (there are no DLC's) so 215 * not to worry. 216 */ 217 callout_stop(&rs->rs_timeout); 218 if (callout_invoking(&rs->rs_timeout)) 219 return; 220 221 /* 222 * Take care that rfcomm_session_disconnected() doesnt call 223 * us back either as it will do if the l2cap_channel has not 224 * been closed when we detach it.. 225 */ 226 if (rs->rs_flags & RFCOMM_SESSION_FREE) 227 return; 228 229 rs->rs_flags |= RFCOMM_SESSION_FREE; 230 231 /* throw away any remaining credit notes */ 232 while ((credit = SIMPLEQ_FIRST(&rs->rs_credits)) != NULL) { 233 SIMPLEQ_REMOVE_HEAD(&rs->rs_credits, rc_next); 234 pool_put(&rfcomm_credit_pool, credit); 235 } 236 237 KASSERT(SIMPLEQ_EMPTY(&rs->rs_credits)); 238 239 /* Goodbye! */ 240 LIST_REMOVE(rs, rs_next); 241 l2cap_detach(&rs->rs_l2cap); 242 callout_destroy(&rs->rs_timeout); 243 free(rs, M_BLUETOOTH); 244 } 245 246 /* 247 * rfcomm_session_lookup(sockaddr, sockaddr) 248 * 249 * Find active rfcomm session matching src and dest addresses 250 * when src is BDADDR_ANY match any local address 251 */ 252 struct rfcomm_session * 253 rfcomm_session_lookup(struct sockaddr_bt *src, struct sockaddr_bt *dest) 254 { 255 struct rfcomm_session *rs; 256 struct sockaddr_bt addr; 257 258 LIST_FOREACH(rs, &rfcomm_session_active, rs_next) { 259 if (rs->rs_state == RFCOMM_SESSION_CLOSED) 260 continue; 261 262 l2cap_sockaddr(rs->rs_l2cap, &addr); 263 264 if (bdaddr_same(&src->bt_bdaddr, &addr.bt_bdaddr) == 0) 265 if (bdaddr_any(&src->bt_bdaddr) == 0) 266 continue; 267 268 l2cap_peeraddr(rs->rs_l2cap, &addr); 269 270 if (addr.bt_psm != dest->bt_psm) 271 continue; 272 273 if (bdaddr_same(&dest->bt_bdaddr, &addr.bt_bdaddr)) 274 break; 275 } 276 277 return rs; 278 } 279 280 /* 281 * rfcomm_session_timeout(rfcomm_session) 282 * 283 * Session timeouts are scheduled when a session is left or 284 * created with no DLCs, and when SABM(0) or DISC(0) are 285 * sent. 286 * 287 * So, if it is in an open state with DLC's attached then 288 * we leave it alone, otherwise the session is lost. 289 */ 290 static void 291 rfcomm_session_timeout(void *arg) 292 { 293 struct rfcomm_session *rs = arg; 294 struct rfcomm_dlc *dlc; 295 int s; 296 297 KASSERT(rs != NULL); 298 299 s = splsoftnet(); 300 callout_ack(&rs->rs_timeout); 301 302 if (rs->rs_state != RFCOMM_SESSION_OPEN) { 303 DPRINTF("timeout\n"); 304 rs->rs_state = RFCOMM_SESSION_CLOSED; 305 306 while (!LIST_EMPTY(&rs->rs_dlcs)) { 307 dlc = LIST_FIRST(&rs->rs_dlcs); 308 309 rfcomm_dlc_close(dlc, ETIMEDOUT); 310 } 311 } 312 313 if (LIST_EMPTY(&rs->rs_dlcs)) { 314 DPRINTF("expiring\n"); 315 rfcomm_session_free(rs); 316 } 317 splx(s); 318 } 319 320 /*********************************************************************** 321 * 322 * RFCOMM Session L2CAP protocol callbacks 323 * 324 */ 325 326 static void 327 rfcomm_session_connecting(void *arg) 328 { 329 /* struct rfcomm_session *rs = arg; */ 330 331 DPRINTF("Connecting\n"); 332 } 333 334 static void 335 rfcomm_session_connected(void *arg) 336 { 337 struct rfcomm_session *rs = arg; 338 339 DPRINTF("Connected\n"); 340 341 /* 342 * L2CAP is open. 343 * 344 * If we are initiator, we can send our SABM(0) 345 * a timeout should be active? 346 * 347 * We must take note of the L2CAP MTU because currently 348 * the L2CAP implementation can only do Basic Mode. 349 */ 350 l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu); 351 352 rs->rs_mtu -= 6; /* (RFCOMM overhead could be this big) */ 353 if (rs->rs_mtu < RFCOMM_MTU_MIN) { 354 rfcomm_session_disconnected(rs, EINVAL); 355 return; 356 } 357 358 if (IS_INITIATOR(rs)) { 359 int err; 360 361 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, 0); 362 if (err) 363 rfcomm_session_disconnected(rs, err); 364 365 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz); 366 } 367 } 368 369 static void 370 rfcomm_session_disconnected(void *arg, int err) 371 { 372 struct rfcomm_session *rs = arg; 373 struct rfcomm_dlc *dlc; 374 375 DPRINTF("Disconnected\n"); 376 377 rs->rs_state = RFCOMM_SESSION_CLOSED; 378 379 while (!LIST_EMPTY(&rs->rs_dlcs)) { 380 dlc = LIST_FIRST(&rs->rs_dlcs); 381 382 rfcomm_dlc_close(dlc, err); 383 } 384 385 rfcomm_session_free(rs); 386 } 387 388 static void * 389 rfcomm_session_newconn(void *arg, struct sockaddr_bt *laddr, 390 struct sockaddr_bt *raddr) 391 { 392 struct rfcomm_session *new, *rs = arg; 393 394 DPRINTF("New Connection\n"); 395 396 /* 397 * Incoming session connect request. We should return a new 398 * session pointer if this is acceptable. The L2CAP layer 399 * passes local and remote addresses, which we must check as 400 * only one RFCOMM session is allowed between any two devices 401 */ 402 new = rfcomm_session_lookup(laddr, raddr); 403 if (new != NULL) 404 return NULL; 405 406 new = rfcomm_session_alloc(&rfcomm_session_active, laddr); 407 if (new == NULL) 408 return NULL; 409 410 new->rs_mtu = rs->rs_mtu; 411 new->rs_state = RFCOMM_SESSION_WAIT_CONNECT; 412 413 /* 414 * schedule an expiry so that if nothing comes of it we 415 * can punt. 416 */ 417 callout_schedule(&new->rs_timeout, rfcomm_mcc_timeout * hz); 418 419 return new->rs_l2cap; 420 } 421 422 static void 423 rfcomm_session_complete(void *arg, int count) 424 { 425 struct rfcomm_session *rs = arg; 426 struct rfcomm_credit *credit; 427 struct rfcomm_dlc *dlc; 428 429 /* 430 * count L2CAP packets are 'complete', meaning that they are cleared 431 * our buffers (for best effort) or arrived safe (for guaranteed) so 432 * we can take it off our list and pass the message on, so that 433 * eventually the data can be removed from the sockbuf 434 */ 435 while (count-- > 0) { 436 credit = SIMPLEQ_FIRST(&rs->rs_credits); 437 #ifdef DIAGNOSTIC 438 if (credit == NULL) { 439 printf("%s: too many packets completed!\n", __func__); 440 break; 441 } 442 #endif 443 dlc = credit->rc_dlc; 444 if (dlc != NULL) { 445 dlc->rd_pending--; 446 (*dlc->rd_proto->complete) 447 (dlc->rd_upper, credit->rc_len); 448 449 /* 450 * if not using credit flow control, we may push 451 * more data now 452 */ 453 if ((rs->rs_flags & RFCOMM_SESSION_CFC) == 0 454 && dlc->rd_state == RFCOMM_DLC_OPEN) { 455 rfcomm_dlc_start(dlc); 456 } 457 458 /* 459 * When shutdown is indicated, we are just waiting to 460 * clear outgoing data. 461 */ 462 if ((dlc->rd_flags & RFCOMM_DLC_SHUTDOWN) 463 && dlc->rd_txbuf == NULL && dlc->rd_pending == 0) { 464 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT; 465 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 466 dlc->rd_dlci); 467 callout_schedule(&dlc->rd_timeout, 468 rfcomm_ack_timeout * hz); 469 } 470 } 471 472 SIMPLEQ_REMOVE_HEAD(&rs->rs_credits, rc_next); 473 pool_put(&rfcomm_credit_pool, credit); 474 } 475 476 /* 477 * If session is closed, we are just waiting to clear the queue 478 */ 479 if (rs->rs_state == RFCOMM_SESSION_CLOSED) { 480 if (SIMPLEQ_EMPTY(&rs->rs_credits)) 481 l2cap_disconnect(rs->rs_l2cap, 0); 482 } 483 } 484 485 /* 486 * Link Mode changed 487 * 488 * This is called when a mode change is complete. Proceed with connections 489 * where appropriate, or pass the new mode to any active DLCs. 490 */ 491 static void 492 rfcomm_session_linkmode(void *arg, int new) 493 { 494 struct rfcomm_session *rs = arg; 495 struct rfcomm_dlc *dlc, *next; 496 int err, mode = 0; 497 498 DPRINTF("auth %s, encrypt %s, secure %s\n", 499 (new & L2CAP_LM_AUTH ? "on" : "off"), 500 (new & L2CAP_LM_ENCRYPT ? "on" : "off"), 501 (new & L2CAP_LM_SECURE ? "on" : "off")); 502 503 if (new & L2CAP_LM_AUTH) 504 mode |= RFCOMM_LM_AUTH; 505 506 if (new & L2CAP_LM_ENCRYPT) 507 mode |= RFCOMM_LM_ENCRYPT; 508 509 if (new & L2CAP_LM_SECURE) 510 mode |= RFCOMM_LM_SECURE; 511 512 next = LIST_FIRST(&rs->rs_dlcs); 513 while ((dlc = next) != NULL) { 514 next = LIST_NEXT(dlc, rd_next); 515 516 switch (dlc->rd_state) { 517 case RFCOMM_DLC_WAIT_SEND_SABM: /* we are connecting */ 518 if ((mode & dlc->rd_mode) != dlc->rd_mode) { 519 rfcomm_dlc_close(dlc, ECONNABORTED); 520 } else { 521 err = rfcomm_session_send_frame(rs, 522 RFCOMM_FRAME_SABM, dlc->rd_dlci); 523 if (err) { 524 rfcomm_dlc_close(dlc, err); 525 } else { 526 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA; 527 callout_schedule(&dlc->rd_timeout, 528 rfcomm_ack_timeout * hz); 529 break; 530 } 531 } 532 533 /* 534 * If we aborted the connection and there are no more DLCs 535 * on the session, it is our responsibility to disconnect. 536 */ 537 if (!LIST_EMPTY(&rs->rs_dlcs)) 538 break; 539 540 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT; 541 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0); 542 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz); 543 break; 544 545 case RFCOMM_DLC_WAIT_SEND_UA: /* they are connecting */ 546 if ((mode & dlc->rd_mode) != dlc->rd_mode) { 547 rfcomm_session_send_frame(rs, 548 RFCOMM_FRAME_DM, dlc->rd_dlci); 549 rfcomm_dlc_close(dlc, ECONNABORTED); 550 break; 551 } 552 553 err = rfcomm_session_send_frame(rs, 554 RFCOMM_FRAME_UA, dlc->rd_dlci); 555 if (err) { 556 rfcomm_session_send_frame(rs, 557 RFCOMM_FRAME_DM, dlc->rd_dlci); 558 rfcomm_dlc_close(dlc, err); 559 break; 560 } 561 562 err = rfcomm_dlc_open(dlc); 563 if (err) { 564 rfcomm_session_send_frame(rs, 565 RFCOMM_FRAME_DM, dlc->rd_dlci); 566 rfcomm_dlc_close(dlc, err); 567 break; 568 } 569 570 break; 571 572 case RFCOMM_DLC_WAIT_RECV_UA: 573 case RFCOMM_DLC_OPEN: /* already established */ 574 (*dlc->rd_proto->linkmode)(dlc->rd_upper, mode); 575 break; 576 577 default: 578 break; 579 } 580 } 581 } 582 583 /* 584 * Receive data from L2CAP layer for session. There is always exactly one 585 * RFCOMM frame contained in each L2CAP frame. 586 */ 587 static void 588 rfcomm_session_input(void *arg, struct mbuf *m) 589 { 590 struct rfcomm_session *rs = arg; 591 int dlci, len, type, pf; 592 uint8_t fcs, b; 593 594 KASSERT(m != NULL); 595 KASSERT(rs != NULL); 596 597 /* 598 * UIH frames: FCS is only calculated on address and control fields 599 * For other frames: FCS is calculated on address, control and length 600 * Length may extend to two octets 601 */ 602 fcs = 0xff; 603 604 if (m->m_pkthdr.len < 4) { 605 DPRINTF("short frame (%d), discarded\n", m->m_pkthdr.len); 606 goto done; 607 } 608 609 /* address - one octet */ 610 m_copydata(m, 0, 1, &b); 611 m_adj(m, 1); 612 fcs = FCS(fcs, b); 613 dlci = RFCOMM_DLCI(b); 614 615 /* control - one octet */ 616 m_copydata(m, 0, 1, &b); 617 m_adj(m, 1); 618 fcs = FCS(fcs, b); 619 type = RFCOMM_TYPE(b); 620 pf = RFCOMM_PF(b); 621 622 /* length - may be two octets */ 623 m_copydata(m, 0, 1, &b); 624 m_adj(m, 1); 625 if (type != RFCOMM_FRAME_UIH) 626 fcs = FCS(fcs, b); 627 len = (b >> 1) & 0x7f; 628 629 if (RFCOMM_EA(b) == 0) { 630 if (m->m_pkthdr.len < 2) { 631 DPRINTF("short frame (%d, EA = 0), discarded\n", 632 m->m_pkthdr.len); 633 goto done; 634 } 635 636 m_copydata(m, 0, 1, &b); 637 m_adj(m, 1); 638 if (type != RFCOMM_FRAME_UIH) 639 fcs = FCS(fcs, b); 640 641 len |= (b << 7); 642 } 643 644 /* FCS byte is last octet in frame */ 645 m_copydata(m, m->m_pkthdr.len - 1, 1, &b); 646 m_adj(m, -1); 647 fcs = FCS(fcs, b); 648 649 if (fcs != 0xcf) { 650 DPRINTF("Bad FCS value (%#2.2x), frame discarded\n", fcs); 651 goto done; 652 } 653 654 DPRINTFN(10, "dlci %d, type %2.2x, len = %d\n", dlci, type, len); 655 656 switch (type) { 657 case RFCOMM_FRAME_SABM: 658 if (pf) 659 rfcomm_session_recv_sabm(rs, dlci); 660 break; 661 662 case RFCOMM_FRAME_DISC: 663 if (pf) 664 rfcomm_session_recv_disc(rs, dlci); 665 break; 666 667 case RFCOMM_FRAME_UA: 668 if (pf) 669 rfcomm_session_recv_ua(rs, dlci); 670 break; 671 672 case RFCOMM_FRAME_DM: 673 rfcomm_session_recv_dm(rs, dlci); 674 break; 675 676 case RFCOMM_FRAME_UIH: 677 rfcomm_session_recv_uih(rs, dlci, pf, m, len); 678 return; /* (no release) */ 679 680 default: 681 UNKNOWN(type); 682 break; 683 } 684 685 done: 686 m_freem(m); 687 } 688 689 /*********************************************************************** 690 * 691 * RFCOMM Session receive processing 692 */ 693 694 /* 695 * rfcomm_session_recv_sabm(rfcomm_session, dlci) 696 * 697 * Set Asyncrhonous Balanced Mode - open the channel. 698 */ 699 static void 700 rfcomm_session_recv_sabm(struct rfcomm_session *rs, int dlci) 701 { 702 struct rfcomm_dlc *dlc; 703 int err; 704 705 DPRINTFN(5, "SABM(%d)\n", dlci); 706 707 if (dlci == 0) { /* Open Session */ 708 rs->rs_state = RFCOMM_SESSION_OPEN; 709 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0); 710 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) { 711 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION) 712 rfcomm_dlc_connect(dlc); 713 } 714 return; 715 } 716 717 if (rs->rs_state != RFCOMM_SESSION_OPEN) { 718 DPRINTF("session was not even open!\n"); 719 return; 720 } 721 722 /* validate direction bit */ 723 if ((IS_INITIATOR(rs) && !RFCOMM_DIRECTION(dlci)) 724 || (!IS_INITIATOR(rs) && RFCOMM_DIRECTION(dlci))) { 725 DPRINTF("Invalid direction bit on DLCI\n"); 726 return; 727 } 728 729 /* 730 * look for our DLC - this may exist if we received PN 731 * already, or we may have to fabricate a new one. 732 */ 733 dlc = rfcomm_dlc_lookup(rs, dlci); 734 if (dlc == NULL) { 735 dlc = rfcomm_dlc_newconn(rs, dlci); 736 if (dlc == NULL) 737 return; /* (DM is sent) */ 738 } 739 740 /* 741 * ..but if this DLC is not waiting to connect, they did 742 * something wrong, ignore it. 743 */ 744 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT) 745 return; 746 747 /* set link mode */ 748 err = rfcomm_dlc_setmode(dlc); 749 if (err == EINPROGRESS) { 750 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_UA; 751 (*dlc->rd_proto->connecting)(dlc->rd_upper); 752 return; 753 } 754 if (err) 755 goto close; 756 757 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci); 758 if (err) 759 goto close; 760 761 /* and mark it open */ 762 err = rfcomm_dlc_open(dlc); 763 if (err) 764 goto close; 765 766 return; 767 768 close: 769 rfcomm_dlc_close(dlc, err); 770 } 771 772 /* 773 * Receive Disconnect Command 774 */ 775 static void 776 rfcomm_session_recv_disc(struct rfcomm_session *rs, int dlci) 777 { 778 struct rfcomm_dlc *dlc; 779 780 DPRINTFN(5, "DISC(%d)\n", dlci); 781 782 if (dlci == 0) { 783 /* 784 * Disconnect Session 785 * 786 * We set the session state to CLOSED so that when 787 * the UA frame is clear the session will be closed 788 * automatically. We wont bother to close any DLC's 789 * just yet as there should be none. In the unlikely 790 * event that something is left, it will get flushed 791 * out as the session goes down. 792 */ 793 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0); 794 rs->rs_state = RFCOMM_SESSION_CLOSED; 795 return; 796 } 797 798 dlc = rfcomm_dlc_lookup(rs, dlci); 799 if (dlc == NULL) { 800 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci); 801 return; 802 } 803 804 rfcomm_dlc_close(dlc, ECONNRESET); 805 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci); 806 } 807 808 /* 809 * Receive Unnumbered Acknowledgement Response 810 * 811 * This should be a response to a DISC or SABM frame that we 812 * have previously sent. If unexpected, ignore it. 813 */ 814 static void 815 rfcomm_session_recv_ua(struct rfcomm_session *rs, int dlci) 816 { 817 struct rfcomm_dlc *dlc; 818 819 DPRINTFN(5, "UA(%d)\n", dlci); 820 821 if (dlci == 0) { 822 switch (rs->rs_state) { 823 case RFCOMM_SESSION_WAIT_CONNECT: /* We sent SABM */ 824 callout_stop(&rs->rs_timeout); 825 rs->rs_state = RFCOMM_SESSION_OPEN; 826 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) { 827 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION) 828 rfcomm_dlc_connect(dlc); 829 } 830 break; 831 832 case RFCOMM_SESSION_WAIT_DISCONNECT: /* We sent DISC */ 833 callout_stop(&rs->rs_timeout); 834 rs->rs_state = RFCOMM_SESSION_CLOSED; 835 l2cap_disconnect(rs->rs_l2cap, 0); 836 break; 837 838 default: 839 DPRINTF("Received spurious UA(0)!\n"); 840 break; 841 } 842 843 return; 844 } 845 846 /* 847 * If we have no DLC on this dlci, we may have aborted 848 * without shutting down properly, so check if the session 849 * needs disconnecting. 850 */ 851 dlc = rfcomm_dlc_lookup(rs, dlci); 852 if (dlc == NULL) 853 goto check; 854 855 switch (dlc->rd_state) { 856 case RFCOMM_DLC_WAIT_RECV_UA: /* We sent SABM */ 857 rfcomm_dlc_open(dlc); 858 return; 859 860 case RFCOMM_DLC_WAIT_DISCONNECT: /* We sent DISC */ 861 rfcomm_dlc_close(dlc, 0); 862 break; 863 864 default: 865 DPRINTF("Received spurious UA(%d)!\n", dlci); 866 return; 867 } 868 869 check: /* last one out turns out the light */ 870 if (LIST_EMPTY(&rs->rs_dlcs)) { 871 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT; 872 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0); 873 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz); 874 } 875 } 876 877 /* 878 * Receive Disconnected Mode Response 879 * 880 * If this does not apply to a known DLC then we may ignore it. 881 */ 882 static void 883 rfcomm_session_recv_dm(struct rfcomm_session *rs, int dlci) 884 { 885 struct rfcomm_dlc *dlc; 886 887 DPRINTFN(5, "DM(%d)\n", dlci); 888 889 dlc = rfcomm_dlc_lookup(rs, dlci); 890 if (dlc == NULL) 891 return; 892 893 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT) 894 rfcomm_dlc_close(dlc, ECONNREFUSED); 895 else 896 rfcomm_dlc_close(dlc, ECONNRESET); 897 } 898 899 /* 900 * Receive Unnumbered Information with Header check (MCC or data packet) 901 */ 902 static void 903 rfcomm_session_recv_uih(struct rfcomm_session *rs, int dlci, 904 int pf, struct mbuf *m, int len) 905 { 906 struct rfcomm_dlc *dlc; 907 uint8_t credits = 0; 908 909 DPRINTFN(10, "UIH(%d)\n", dlci); 910 911 if (dlci == 0) { 912 rfcomm_session_recv_mcc(rs, m); 913 return; 914 } 915 916 if (m->m_pkthdr.len != len + pf) { 917 DPRINTF("Bad Frame Length (%d), frame discarded\n", 918 m->m_pkthdr.len); 919 920 goto discard; 921 } 922 923 dlc = rfcomm_dlc_lookup(rs, dlci); 924 if (dlc == NULL) { 925 DPRINTF("UIH received for non existent DLC, discarded\n"); 926 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci); 927 goto discard; 928 } 929 930 if (dlc->rd_state != RFCOMM_DLC_OPEN) { 931 DPRINTF("non-open DLC (state = %d), discarded\n", 932 dlc->rd_state); 933 goto discard; 934 } 935 936 /* if PF is set, credits were included */ 937 if (rs->rs_flags & RFCOMM_SESSION_CFC) { 938 if (pf != 0) { 939 if (m->m_pkthdr.len < sizeof(credits)) { 940 DPRINTF("Bad PF value, UIH discarded\n"); 941 goto discard; 942 } 943 944 m_copydata(m, 0, sizeof(credits), &credits); 945 m_adj(m, sizeof(credits)); 946 947 dlc->rd_txcred += credits; 948 949 if (credits > 0 && dlc->rd_txbuf != NULL) 950 rfcomm_dlc_start(dlc); 951 } 952 953 if (len == 0) 954 goto discard; 955 956 if (dlc->rd_rxcred == 0) { 957 DPRINTF("Credit limit reached, UIH discarded\n"); 958 goto discard; 959 } 960 961 if (len > dlc->rd_rxsize) { 962 DPRINTF("UIH frame exceeds rxsize, discarded\n"); 963 goto discard; 964 } 965 966 dlc->rd_rxcred--; 967 dlc->rd_rxsize -= len; 968 } 969 970 (*dlc->rd_proto->input)(dlc->rd_upper, m); 971 return; 972 973 discard: 974 m_freem(m); 975 } 976 977 /* 978 * Receive Multiplexer Control Command 979 */ 980 static void 981 rfcomm_session_recv_mcc(struct rfcomm_session *rs, struct mbuf *m) 982 { 983 int type, cr, len; 984 uint8_t b; 985 986 /* 987 * Extract MCC header. 988 * 989 * Fields are variable length using extension bit = 1 to signify the 990 * last octet in the sequence. 991 * 992 * Only single octet types are defined in TS 07.10/RFCOMM spec 993 * 994 * Length can realistically only use 15 bits (max RFCOMM MTU) 995 */ 996 if (m->m_pkthdr.len < sizeof(b)) { 997 DPRINTF("Short MCC header, discarded\n"); 998 goto release; 999 } 1000 1001 m_copydata(m, 0, sizeof(b), &b); 1002 m_adj(m, sizeof(b)); 1003 1004 if (RFCOMM_EA(b) == 0) { /* verify no extensions */ 1005 DPRINTF("MCC type EA = 0, discarded\n"); 1006 goto release; 1007 } 1008 1009 type = RFCOMM_MCC_TYPE(b); 1010 cr = RFCOMM_CR(b); 1011 1012 len = 0; 1013 do { 1014 if (m->m_pkthdr.len < sizeof(b)) { 1015 DPRINTF("Short MCC header, discarded\n"); 1016 goto release; 1017 } 1018 1019 m_copydata(m, 0, sizeof(b), &b); 1020 m_adj(m, sizeof(b)); 1021 1022 len = (len << 7) | (b >> 1); 1023 len = min(len, RFCOMM_MTU_MAX); 1024 } while (RFCOMM_EA(b) == 0); 1025 1026 if (len != m->m_pkthdr.len) { 1027 DPRINTF("Incorrect MCC length, discarded\n"); 1028 goto release; 1029 } 1030 1031 DPRINTFN(2, "MCC %s type %2.2x (%d bytes)\n", 1032 (cr ? "command" : "response"), type, len); 1033 1034 /* 1035 * pass to command handler 1036 */ 1037 switch(type) { 1038 case RFCOMM_MCC_TEST: /* Test */ 1039 rfcomm_session_recv_mcc_test(rs, cr, m); 1040 break; 1041 1042 case RFCOMM_MCC_FCON: /* Flow Control On */ 1043 rfcomm_session_recv_mcc_fcon(rs, cr); 1044 break; 1045 1046 case RFCOMM_MCC_FCOFF: /* Flow Control Off */ 1047 rfcomm_session_recv_mcc_fcoff(rs, cr); 1048 break; 1049 1050 case RFCOMM_MCC_MSC: /* Modem Status Command */ 1051 rfcomm_session_recv_mcc_msc(rs, cr, m); 1052 break; 1053 1054 case RFCOMM_MCC_RPN: /* Remote Port Negotiation */ 1055 rfcomm_session_recv_mcc_rpn(rs, cr, m); 1056 break; 1057 1058 case RFCOMM_MCC_RLS: /* Remote Line Status */ 1059 rfcomm_session_recv_mcc_rls(rs, cr, m); 1060 break; 1061 1062 case RFCOMM_MCC_PN: /* Parameter Negotiation */ 1063 rfcomm_session_recv_mcc_pn(rs, cr, m); 1064 break; 1065 1066 case RFCOMM_MCC_NSC: /* Non Supported Command */ 1067 rfcomm_session_recv_mcc_nsc(rs, cr, m); 1068 break; 1069 1070 default: 1071 b = RFCOMM_MKMCC_TYPE(cr, type); 1072 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_NSC, &b, sizeof(b)); 1073 } 1074 1075 release: 1076 m_freem(m); 1077 } 1078 1079 /* 1080 * process TEST command/response 1081 */ 1082 static void 1083 rfcomm_session_recv_mcc_test(struct rfcomm_session *rs, int cr, struct mbuf *m) 1084 { 1085 void *data; 1086 int len; 1087 1088 if (cr == 0) /* ignore ack */ 1089 return; 1090 1091 /* 1092 * we must send all the data they included back as is 1093 */ 1094 1095 len = m->m_pkthdr.len; 1096 if (len > RFCOMM_MTU_MAX) 1097 return; 1098 1099 data = malloc(len, M_BLUETOOTH, M_NOWAIT); 1100 if (data == NULL) 1101 return; 1102 1103 m_copydata(m, 0, len, data); 1104 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_TEST, data, len); 1105 free(data, M_BLUETOOTH); 1106 } 1107 1108 /* 1109 * process Flow Control ON command/response 1110 */ 1111 static void 1112 rfcomm_session_recv_mcc_fcon(struct rfcomm_session *rs, int cr) 1113 { 1114 1115 if (cr == 0) /* ignore ack */ 1116 return; 1117 1118 rs->rs_flags |= RFCOMM_SESSION_RFC; 1119 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCON, NULL, 0); 1120 } 1121 1122 /* 1123 * process Flow Control OFF command/response 1124 */ 1125 static void 1126 rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *rs, int cr) 1127 { 1128 1129 if (cr == 0) /* ignore ack */ 1130 return; 1131 1132 rs->rs_flags &= ~RFCOMM_SESSION_RFC; 1133 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCOFF, NULL, 0); 1134 } 1135 1136 /* 1137 * process Modem Status Command command/response 1138 */ 1139 static void 1140 rfcomm_session_recv_mcc_msc(struct rfcomm_session *rs, int cr, struct mbuf *m) 1141 { 1142 struct rfcomm_mcc_msc msc; /* (3 octets) */ 1143 struct rfcomm_dlc *dlc; 1144 int len = 0; 1145 1146 /* [ADDRESS] */ 1147 if (m->m_pkthdr.len < sizeof(msc.address)) 1148 return; 1149 1150 m_copydata(m, 0, sizeof(msc.address), &msc.address); 1151 m_adj(m, sizeof(msc.address)); 1152 len += sizeof(msc.address); 1153 1154 dlc = rfcomm_dlc_lookup(rs, RFCOMM_DLCI(msc.address)); 1155 1156 if (cr == 0) { /* ignore acks */ 1157 if (dlc != NULL) 1158 callout_stop(&dlc->rd_timeout); 1159 1160 return; 1161 } 1162 1163 if (dlc == NULL) { 1164 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, 1165 RFCOMM_DLCI(msc.address)); 1166 return; 1167 } 1168 1169 /* [SIGNALS] */ 1170 if (m->m_pkthdr.len < sizeof(msc.modem)) 1171 return; 1172 1173 m_copydata(m, 0, sizeof(msc.modem), &msc.modem); 1174 m_adj(m, sizeof(msc.modem)); 1175 len += sizeof(msc.modem); 1176 1177 dlc->rd_rmodem = msc.modem; 1178 /* XXX how do we signal this upstream? */ 1179 1180 if (RFCOMM_EA(msc.modem) == 0) { 1181 if (m->m_pkthdr.len < sizeof(msc.brk)) 1182 return; 1183 1184 m_copydata(m, 0, sizeof(msc.brk), &msc.brk); 1185 m_adj(m, sizeof(msc.brk)); 1186 len += sizeof(msc.brk); 1187 1188 /* XXX how do we signal this upstream? */ 1189 } 1190 1191 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_MSC, &msc, len); 1192 } 1193 1194 /* 1195 * process Remote Port Negotiation command/response 1196 */ 1197 static void 1198 rfcomm_session_recv_mcc_rpn(struct rfcomm_session *rs, int cr, struct mbuf *m) 1199 { 1200 struct rfcomm_mcc_rpn rpn; 1201 uint16_t mask; 1202 1203 if (cr == 0) /* ignore ack */ 1204 return; 1205 1206 /* default values */ 1207 rpn.bit_rate = RFCOMM_RPN_BR_9600; 1208 rpn.line_settings = RFCOMM_RPN_8_N_1; 1209 rpn.flow_control = RFCOMM_RPN_FLOW_NONE; 1210 rpn.xon_char = RFCOMM_RPN_XON_CHAR; 1211 rpn.xoff_char = RFCOMM_RPN_XOFF_CHAR; 1212 1213 if (m->m_pkthdr.len == sizeof(rpn)) { 1214 m_copydata(m, 0, sizeof(rpn), &rpn); 1215 rpn.param_mask = RFCOMM_RPN_PM_ALL; 1216 } else if (m->m_pkthdr.len == 1) { 1217 m_copydata(m, 0, 1, &rpn); 1218 rpn.param_mask = le16toh(rpn.param_mask); 1219 } else { 1220 DPRINTF("Bad RPN length (%d)\n", m->m_pkthdr.len); 1221 return; 1222 } 1223 1224 mask = 0; 1225 1226 if (rpn.param_mask & RFCOMM_RPN_PM_RATE) 1227 mask |= RFCOMM_RPN_PM_RATE; 1228 1229 if (rpn.param_mask & RFCOMM_RPN_PM_DATA 1230 && RFCOMM_RPN_DATA_BITS(rpn.line_settings) == RFCOMM_RPN_DATA_8) 1231 mask |= RFCOMM_RPN_PM_DATA; 1232 1233 if (rpn.param_mask & RFCOMM_RPN_PM_STOP 1234 && RFCOMM_RPN_STOP_BITS(rpn.line_settings) == RFCOMM_RPN_STOP_1) 1235 mask |= RFCOMM_RPN_PM_STOP; 1236 1237 if (rpn.param_mask & RFCOMM_RPN_PM_PARITY 1238 && RFCOMM_RPN_PARITY(rpn.line_settings) == RFCOMM_RPN_PARITY_NONE) 1239 mask |= RFCOMM_RPN_PM_PARITY; 1240 1241 if (rpn.param_mask & RFCOMM_RPN_PM_XON 1242 && rpn.xon_char == RFCOMM_RPN_XON_CHAR) 1243 mask |= RFCOMM_RPN_PM_XON; 1244 1245 if (rpn.param_mask & RFCOMM_RPN_PM_XOFF 1246 && rpn.xoff_char == RFCOMM_RPN_XOFF_CHAR) 1247 mask |= RFCOMM_RPN_PM_XOFF; 1248 1249 if (rpn.param_mask & RFCOMM_RPN_PM_FLOW 1250 && rpn.flow_control == RFCOMM_RPN_FLOW_NONE) 1251 mask |= RFCOMM_RPN_PM_FLOW; 1252 1253 rpn.param_mask = htole16(mask); 1254 1255 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RPN, &rpn, sizeof(rpn)); 1256 } 1257 1258 /* 1259 * process Remote Line Status command/response 1260 */ 1261 static void 1262 rfcomm_session_recv_mcc_rls(struct rfcomm_session *rs, int cr, struct mbuf *m) 1263 { 1264 struct rfcomm_mcc_rls rls; 1265 1266 if (cr == 0) /* ignore ack */ 1267 return; 1268 1269 if (m->m_pkthdr.len != sizeof(rls)) { 1270 DPRINTF("Bad RLS length %d\n", m->m_pkthdr.len); 1271 return; 1272 } 1273 1274 m_copydata(m, 0, sizeof(rls), &rls); 1275 1276 /* 1277 * So far as I can tell, we just send back what 1278 * they sent us. This signifies errors that seem 1279 * irrelevent for RFCOMM over L2CAP. 1280 */ 1281 rls.address |= 0x03; /* EA = 1, CR = 1 */ 1282 rls.status &= 0x0f; /* only 4 bits valid */ 1283 1284 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RLS, &rls, sizeof(rls)); 1285 } 1286 1287 /* 1288 * process Parameter Negotiation command/response 1289 */ 1290 static void 1291 rfcomm_session_recv_mcc_pn(struct rfcomm_session *rs, int cr, struct mbuf *m) 1292 { 1293 struct rfcomm_dlc *dlc; 1294 struct rfcomm_mcc_pn pn; 1295 int err; 1296 1297 if (m->m_pkthdr.len != sizeof(pn)) { 1298 DPRINTF("Bad PN length %d\n", m->m_pkthdr.len); 1299 return; 1300 } 1301 1302 m_copydata(m, 0, sizeof(pn), &pn); 1303 1304 pn.dlci &= 0x3f; 1305 pn.mtu = le16toh(pn.mtu); 1306 1307 dlc = rfcomm_dlc_lookup(rs, pn.dlci); 1308 if (cr) { /* Command */ 1309 /* 1310 * If there is no DLC present, this is a new 1311 * connection so attempt to make one 1312 */ 1313 if (dlc == NULL) { 1314 dlc = rfcomm_dlc_newconn(rs, pn.dlci); 1315 if (dlc == NULL) 1316 return; /* (DM is sent) */ 1317 } 1318 1319 /* accept any valid MTU, and offer it back */ 1320 pn.mtu = min(pn.mtu, RFCOMM_MTU_MAX); 1321 pn.mtu = min(pn.mtu, rs->rs_mtu); 1322 pn.mtu = max(pn.mtu, RFCOMM_MTU_MIN); 1323 dlc->rd_mtu = pn.mtu; 1324 pn.mtu = htole16(pn.mtu); 1325 1326 /* credits are only set before DLC is open */ 1327 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT 1328 && (pn.flow_control & 0xf0) == 0xf0) { 1329 rs->rs_flags |= RFCOMM_SESSION_CFC; 1330 dlc->rd_txcred = pn.credits & 0x07; 1331 1332 dlc->rd_rxcred = (dlc->rd_rxsize / dlc->rd_mtu); 1333 dlc->rd_rxcred = min(dlc->rd_rxcred, 1334 RFCOMM_CREDITS_DEFAULT); 1335 1336 pn.flow_control = 0xe0; 1337 pn.credits = dlc->rd_rxcred; 1338 } else { 1339 pn.flow_control = 0x00; 1340 pn.credits = 0x00; 1341 } 1342 1343 /* unused fields must be ignored and set to zero */ 1344 pn.ack_timer = 0; 1345 pn.max_retrans = 0; 1346 1347 /* send our response */ 1348 err = rfcomm_session_send_mcc(rs, 0, 1349 RFCOMM_MCC_PN, &pn, sizeof(pn)); 1350 if (err) 1351 goto close; 1352 1353 } else { /* Response */ 1354 /* ignore responses with no matching DLC */ 1355 if (dlc == NULL) 1356 return; 1357 1358 callout_stop(&dlc->rd_timeout); 1359 1360 if (pn.mtu > RFCOMM_MTU_MAX || pn.mtu > dlc->rd_mtu) { 1361 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT; 1362 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 1363 pn.dlci); 1364 if (err) 1365 goto close; 1366 1367 callout_schedule(&dlc->rd_timeout, 1368 rfcomm_ack_timeout * hz); 1369 return; 1370 } 1371 dlc->rd_mtu = pn.mtu; 1372 1373 /* if DLC is not waiting to connect, we are done */ 1374 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT) 1375 return; 1376 1377 /* set initial credits according to RFCOMM spec */ 1378 if ((pn.flow_control & 0xf0) == 0xe0) { 1379 rs->rs_flags |= RFCOMM_SESSION_CFC; 1380 dlc->rd_txcred = (pn.credits & 0x07); 1381 } 1382 1383 callout_schedule(&dlc->rd_timeout, rfcomm_ack_timeout * hz); 1384 1385 /* set link mode */ 1386 err = rfcomm_dlc_setmode(dlc); 1387 if (err == EINPROGRESS) { 1388 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_SABM; 1389 (*dlc->rd_proto->connecting)(dlc->rd_upper); 1390 return; 1391 } 1392 if (err) 1393 goto close; 1394 1395 /* we can proceed now */ 1396 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, pn.dlci); 1397 if (err) 1398 goto close; 1399 1400 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA; 1401 } 1402 return; 1403 1404 close: 1405 rfcomm_dlc_close(dlc, err); 1406 } 1407 1408 /* 1409 * process Non Supported Command command/response 1410 */ 1411 static void 1412 rfcomm_session_recv_mcc_nsc(struct rfcomm_session *rs, 1413 int cr, struct mbuf *m) 1414 { 1415 struct rfcomm_dlc *dlc, *next; 1416 1417 /* 1418 * Since we did nothing that is not mandatory, 1419 * we just abort the whole session.. 1420 */ 1421 1422 next = LIST_FIRST(&rs->rs_dlcs); 1423 while ((dlc = next) != NULL) { 1424 next = LIST_NEXT(dlc, rd_next); 1425 rfcomm_dlc_close(dlc, ECONNABORTED); 1426 } 1427 1428 rfcomm_session_free(rs); 1429 } 1430 1431 /*********************************************************************** 1432 * 1433 * RFCOMM Session outward frame/uih/mcc building 1434 */ 1435 1436 /* 1437 * SABM/DISC/DM/UA frames are all minimal and mostly identical. 1438 */ 1439 int 1440 rfcomm_session_send_frame(struct rfcomm_session *rs, int type, int dlci) 1441 { 1442 struct rfcomm_cmd_hdr *hdr; 1443 struct rfcomm_credit *credit; 1444 struct mbuf *m; 1445 uint8_t fcs, cr; 1446 1447 credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT); 1448 if (credit == NULL) 1449 return ENOMEM; 1450 1451 m = m_gethdr(M_DONTWAIT, MT_DATA); 1452 if (m == NULL) { 1453 pool_put(&rfcomm_credit_pool, credit); 1454 return ENOMEM; 1455 } 1456 1457 /* 1458 * The CR (command/response) bit identifies the frame either as a 1459 * commmand or a response and is used along with the DLCI to form 1460 * the address. Commands contain the non-initiator address, whereas 1461 * responses contain the initiator address, so the CR value is 1462 * also dependent on the session direction. 1463 */ 1464 if (type == RFCOMM_FRAME_UA || type == RFCOMM_FRAME_DM) 1465 cr = IS_INITIATOR(rs) ? 0 : 1; 1466 else 1467 cr = IS_INITIATOR(rs) ? 1 : 0; 1468 1469 hdr = mtod(m, struct rfcomm_cmd_hdr *); 1470 hdr->address = RFCOMM_MKADDRESS(cr, dlci); 1471 hdr->control = RFCOMM_MKCONTROL(type, 1); /* PF = 1 */ 1472 hdr->length = (0x00 << 1) | 0x01; /* len = 0x00, EA = 1 */ 1473 1474 fcs = 0xff; 1475 fcs = FCS(fcs, hdr->address); 1476 fcs = FCS(fcs, hdr->control); 1477 fcs = FCS(fcs, hdr->length); 1478 fcs = 0xff - fcs; /* ones complement */ 1479 hdr->fcs = fcs; 1480 1481 m->m_pkthdr.len = m->m_len = sizeof(struct rfcomm_cmd_hdr); 1482 1483 /* empty credit note */ 1484 credit->rc_dlc = NULL; 1485 credit->rc_len = m->m_pkthdr.len; 1486 SIMPLEQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next); 1487 1488 DPRINTFN(5, "dlci %d type %2.2x (%d bytes, fcs=%#2.2x)\n", 1489 dlci, type, m->m_pkthdr.len, fcs); 1490 1491 return l2cap_send(rs->rs_l2cap, m); 1492 } 1493 1494 /* 1495 * rfcomm_session_send_uih(rfcomm_session, rfcomm_dlc, credits, mbuf) 1496 * 1497 * UIH frame is per DLC data or Multiplexer Control Commands 1498 * when no DLC is given. Data mbuf is optional (just credits 1499 * will be sent in that case) 1500 */ 1501 int 1502 rfcomm_session_send_uih(struct rfcomm_session *rs, struct rfcomm_dlc *dlc, 1503 int credits, struct mbuf *m) 1504 { 1505 struct rfcomm_credit *credit; 1506 struct mbuf *m0 = NULL; 1507 int err, len; 1508 uint8_t fcs, *hdr; 1509 1510 KASSERT(rs != NULL); 1511 1512 len = (m == NULL) ? 0 : m->m_pkthdr.len; 1513 KASSERT(!(credits == 0 && len == 0)); 1514 1515 /* 1516 * Make a credit note for the completion notification 1517 */ 1518 credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT); 1519 if (credit == NULL) 1520 goto nomem; 1521 1522 credit->rc_len = len; 1523 credit->rc_dlc = dlc; 1524 1525 /* 1526 * Wrap UIH frame information around payload. 1527 * 1528 * [ADDRESS] [CONTROL] [LENGTH] [CREDITS] [...] [FCS] 1529 * 1530 * Address is one octet. 1531 * Control is one octet. 1532 * Length is one or two octets. 1533 * Credits may be one octet. 1534 * 1535 * FCS is one octet and calculated on address and 1536 * control octets only. 1537 * 1538 * If there are credits to be sent, we will set the PF 1539 * flag and include them in the frame. 1540 */ 1541 m0 = m_gethdr(M_DONTWAIT, MT_DATA); 1542 if (m0 == NULL) 1543 goto nomem; 1544 1545 MH_ALIGN(m0, 5); /* (max 5 header octets) */ 1546 hdr = mtod(m0, uint8_t *); 1547 1548 /* CR bit is set according to the initiator of the session */ 1549 *hdr = RFCOMM_MKADDRESS((IS_INITIATOR(rs) ? 1 : 0), 1550 (dlc ? dlc->rd_dlci : 0)); 1551 fcs = FCS(0xff, *hdr); 1552 hdr++; 1553 1554 /* PF bit is set if credits are being sent */ 1555 *hdr = RFCOMM_MKCONTROL(RFCOMM_FRAME_UIH, (credits > 0 ? 1 : 0)); 1556 fcs = FCS(fcs, *hdr); 1557 hdr++; 1558 1559 if (len < (1 << 7)) { 1560 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1561 } else { 1562 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1563 *hdr++ = ((len >> 7) & 0xff); /* 8 bits, no EA */ 1564 } 1565 1566 if (credits > 0) 1567 *hdr++ = (uint8_t)credits; 1568 1569 m0->m_len = hdr - mtod(m0, uint8_t *); 1570 1571 /* Append payload */ 1572 m0->m_next = m; 1573 m = NULL; 1574 1575 m0->m_pkthdr.len = m0->m_len + len; 1576 1577 /* Append FCS */ 1578 fcs = 0xff - fcs; /* ones complement */ 1579 len = m0->m_pkthdr.len; 1580 m_copyback(m0, len, sizeof(fcs), &fcs); 1581 if (m0->m_pkthdr.len != len + sizeof(fcs)) 1582 goto nomem; 1583 1584 DPRINTFN(10, "dlci %d, pktlen %d (%d data, %d credits), fcs=%#2.2x\n", 1585 dlc ? dlc->rd_dlci : 0, m0->m_pkthdr.len, credit->rc_len, 1586 credits, fcs); 1587 1588 /* 1589 * UIH frame ready to go.. 1590 */ 1591 err = l2cap_send(rs->rs_l2cap, m0); 1592 if (err) 1593 goto fail; 1594 1595 SIMPLEQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next); 1596 return 0; 1597 1598 nomem: 1599 err = ENOMEM; 1600 1601 if (m0 != NULL) 1602 m_freem(m0); 1603 1604 if (m != NULL) 1605 m_freem(m); 1606 1607 fail: 1608 if (credit != NULL) 1609 pool_put(&rfcomm_credit_pool, credit); 1610 1611 return err; 1612 } 1613 1614 /* 1615 * send Multiplexer Control Command (or Response) on session 1616 */ 1617 int 1618 rfcomm_session_send_mcc(struct rfcomm_session *rs, int cr, 1619 uint8_t type, void *data, int len) 1620 { 1621 struct mbuf *m; 1622 uint8_t *hdr; 1623 int hlen; 1624 1625 m = m_gethdr(M_DONTWAIT, MT_DATA); 1626 if (m == NULL) 1627 return ENOMEM; 1628 1629 hdr = mtod(m, uint8_t *); 1630 1631 /* 1632 * Technically the type field can extend past one octet, but none 1633 * currently defined will do that. 1634 */ 1635 *hdr++ = RFCOMM_MKMCC_TYPE(cr, type); 1636 1637 /* 1638 * In the frame, the max length size is 2 octets (15 bits) whereas 1639 * no max length size is specified for MCC commands. We must allow 1640 * for 3 octets since for MCC frames we use 7 bits + EA in each. 1641 * 1642 * Only test data can possibly be that big. 1643 * 1644 * XXX Should we check this against the MTU? 1645 */ 1646 if (len < (1 << 7)) { 1647 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1648 } else if (len < (1 << 14)) { 1649 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1650 *hdr++ = ((len >> 6) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1651 } else if (len < (1 << 15)) { 1652 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1653 *hdr++ = ((len >> 6) & 0xfe); /* 7 bits, EA = 0 */ 1654 *hdr++ = ((len >> 13) & 0x02) | 0x01; /* 1 bit, EA = 1 */ 1655 } else { 1656 DPRINTF("incredible length! (%d)\n", len); 1657 m_freem(m); 1658 return EMSGSIZE; 1659 } 1660 1661 /* 1662 * add command data (to same mbuf if possible) 1663 */ 1664 hlen = hdr - mtod(m, uint8_t *); 1665 1666 if (len > 0) { 1667 m->m_pkthdr.len = m->m_len = MHLEN; 1668 m_copyback(m, hlen, len, data); 1669 if (m->m_pkthdr.len != max(MHLEN, hlen + len)) { 1670 m_freem(m); 1671 return ENOMEM; 1672 } 1673 } 1674 1675 m->m_pkthdr.len = hlen + len; 1676 m->m_len = min(MHLEN, m->m_pkthdr.len); 1677 1678 DPRINTFN(5, "%s type %2.2x len %d\n", 1679 (cr ? "command" : "response"), type, m->m_pkthdr.len); 1680 1681 return rfcomm_session_send_uih(rs, NULL, 0, m); 1682 } 1683