1 /* $NetBSD: rfcomm_session.c,v 1.11 2007/11/03 17:20:17 plunky Exp $ */ 2 3 /*- 4 * Copyright (c) 2006 Itronix Inc. 5 * All rights reserved. 6 * 7 * Written by Iain Hibbert for Itronix Inc. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of Itronix Inc. may not be used to endorse 18 * or promote products derived from this software without specific 19 * prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 23 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 24 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY 25 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 28 * ON ANY THEORY OF LIABILITY, WHETHER IN 29 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 30 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 31 * POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: rfcomm_session.c,v 1.11 2007/11/03 17:20:17 plunky Exp $"); 36 37 #include <sys/param.h> 38 #include <sys/kernel.h> 39 #include <sys/mbuf.h> 40 #include <sys/proc.h> 41 #include <sys/systm.h> 42 #include <sys/types.h> 43 44 #include <netbt/bluetooth.h> 45 #include <netbt/hci.h> 46 #include <netbt/l2cap.h> 47 #include <netbt/rfcomm.h> 48 49 /****************************************************************************** 50 * 51 * RFCOMM Multiplexer Sessions sit directly on L2CAP channels, and can 52 * multiplex up to 30 incoming and 30 outgoing connections. 53 * Only one Multiplexer is allowed between any two devices. 54 */ 55 56 static void rfcomm_session_timeout(void *); 57 static void rfcomm_session_recv_sabm(struct rfcomm_session *, int); 58 static void rfcomm_session_recv_disc(struct rfcomm_session *, int); 59 static void rfcomm_session_recv_ua(struct rfcomm_session *, int); 60 static void rfcomm_session_recv_dm(struct rfcomm_session *, int); 61 static void rfcomm_session_recv_uih(struct rfcomm_session *, int, int, struct mbuf *, int); 62 static void rfcomm_session_recv_mcc(struct rfcomm_session *, struct mbuf *); 63 static void rfcomm_session_recv_mcc_test(struct rfcomm_session *, int, struct mbuf *); 64 static void rfcomm_session_recv_mcc_fcon(struct rfcomm_session *, int); 65 static void rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *, int); 66 static void rfcomm_session_recv_mcc_msc(struct rfcomm_session *, int, struct mbuf *); 67 static void rfcomm_session_recv_mcc_rpn(struct rfcomm_session *, int, struct mbuf *); 68 static void rfcomm_session_recv_mcc_rls(struct rfcomm_session *, int, struct mbuf *); 69 static void rfcomm_session_recv_mcc_pn(struct rfcomm_session *, int, struct mbuf *); 70 static void rfcomm_session_recv_mcc_nsc(struct rfcomm_session *, int, struct mbuf *); 71 72 /* L2CAP callbacks */ 73 static void rfcomm_session_connecting(void *); 74 static void rfcomm_session_connected(void *); 75 static void rfcomm_session_disconnected(void *, int); 76 static void *rfcomm_session_newconn(void *, struct sockaddr_bt *, struct sockaddr_bt *); 77 static void rfcomm_session_complete(void *, int); 78 static void rfcomm_session_linkmode(void *, int); 79 static void rfcomm_session_input(void *, struct mbuf *); 80 81 static const struct btproto rfcomm_session_proto = { 82 rfcomm_session_connecting, 83 rfcomm_session_connected, 84 rfcomm_session_disconnected, 85 rfcomm_session_newconn, 86 rfcomm_session_complete, 87 rfcomm_session_linkmode, 88 rfcomm_session_input, 89 }; 90 91 struct rfcomm_session_list 92 rfcomm_session_active = LIST_HEAD_INITIALIZER(rfcomm_session_active); 93 94 struct rfcomm_session_list 95 rfcomm_session_listen = LIST_HEAD_INITIALIZER(rfcomm_session_listen); 96 97 POOL_INIT(rfcomm_credit_pool, sizeof(struct rfcomm_credit), 98 0, 0, 0, "rfcomm_credit", NULL, IPL_SOFTNET); 99 100 /* 101 * RFCOMM System Parameters (see section 5.3) 102 */ 103 int rfcomm_mtu_default = 127; /* bytes */ 104 int rfcomm_ack_timeout = 20; /* seconds */ 105 int rfcomm_mcc_timeout = 20; /* seconds */ 106 107 /* 108 * Reversed CRC table as per TS 07.10 Annex B.3.5 109 */ 110 static const uint8_t crctable[256] = { /* reversed, 8-bit, poly=0x07 */ 111 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 112 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 113 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 114 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 115 116 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 117 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 118 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 119 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 120 121 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 122 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 123 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 124 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 125 126 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 127 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 128 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 129 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 130 131 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 132 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 133 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 134 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 135 136 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 137 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 138 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 139 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 140 141 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 142 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 143 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 144 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 145 146 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 147 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 148 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 149 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 150 }; 151 152 #define FCS(f, d) crctable[(f) ^ (d)] 153 154 /* 155 * rfcomm_session_alloc(list, sockaddr) 156 * 157 * allocate a new session and fill in the blanks, then 158 * attach session to front of specified list (active or listen) 159 */ 160 struct rfcomm_session * 161 rfcomm_session_alloc(struct rfcomm_session_list *list, 162 struct sockaddr_bt *laddr) 163 { 164 struct rfcomm_session *rs; 165 int err; 166 167 rs = malloc(sizeof(*rs), M_BLUETOOTH, M_NOWAIT | M_ZERO); 168 if (rs == NULL) 169 return NULL; 170 171 rs->rs_state = RFCOMM_SESSION_CLOSED; 172 173 callout_init(&rs->rs_timeout, 0); 174 callout_setfunc(&rs->rs_timeout, rfcomm_session_timeout, rs); 175 176 SIMPLEQ_INIT(&rs->rs_credits); 177 LIST_INIT(&rs->rs_dlcs); 178 179 err = l2cap_attach(&rs->rs_l2cap, &rfcomm_session_proto, rs); 180 if (err) { 181 free(rs, M_BLUETOOTH); 182 return NULL; 183 } 184 185 (void)l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu); 186 187 if (laddr->bt_psm == L2CAP_PSM_ANY) 188 laddr->bt_psm = L2CAP_PSM_RFCOMM; 189 190 (void)l2cap_bind(rs->rs_l2cap, laddr); 191 192 LIST_INSERT_HEAD(list, rs, rs_next); 193 194 return rs; 195 } 196 197 /* 198 * rfcomm_session_free(rfcomm_session) 199 * 200 * release a session, including any cleanup 201 */ 202 void 203 rfcomm_session_free(struct rfcomm_session *rs) 204 { 205 struct rfcomm_credit *credit; 206 207 KASSERT(rs != NULL); 208 KASSERT(LIST_EMPTY(&rs->rs_dlcs)); 209 210 rs->rs_state = RFCOMM_SESSION_CLOSED; 211 212 /* 213 * If the callout is already invoked we have no way to stop it, 214 * but it will call us back right away (there are no DLC's) so 215 * not to worry. 216 */ 217 callout_stop(&rs->rs_timeout); 218 if (callout_invoking(&rs->rs_timeout)) 219 return; 220 221 /* 222 * Take care that rfcomm_session_disconnected() doesnt call 223 * us back either as it will do if the l2cap_channel has not 224 * been closed when we detach it.. 225 */ 226 if (rs->rs_flags & RFCOMM_SESSION_FREE) 227 return; 228 229 rs->rs_flags |= RFCOMM_SESSION_FREE; 230 231 callout_destroy(&rs->rs_timeout); 232 233 /* throw away any remaining credit notes */ 234 while ((credit = SIMPLEQ_FIRST(&rs->rs_credits)) != NULL) { 235 SIMPLEQ_REMOVE_HEAD(&rs->rs_credits, rc_next); 236 pool_put(&rfcomm_credit_pool, credit); 237 } 238 239 KASSERT(SIMPLEQ_EMPTY(&rs->rs_credits)); 240 241 /* Goodbye! */ 242 LIST_REMOVE(rs, rs_next); 243 l2cap_detach(&rs->rs_l2cap); 244 free(rs, M_BLUETOOTH); 245 } 246 247 /* 248 * rfcomm_session_lookup(sockaddr, sockaddr) 249 * 250 * Find active rfcomm session matching src and dest addresses 251 * when src is BDADDR_ANY match any local address 252 */ 253 struct rfcomm_session * 254 rfcomm_session_lookup(struct sockaddr_bt *src, struct sockaddr_bt *dest) 255 { 256 struct rfcomm_session *rs; 257 struct sockaddr_bt addr; 258 259 LIST_FOREACH(rs, &rfcomm_session_active, rs_next) { 260 if (rs->rs_state == RFCOMM_SESSION_CLOSED) 261 continue; 262 263 l2cap_sockaddr(rs->rs_l2cap, &addr); 264 265 if (bdaddr_same(&src->bt_bdaddr, &addr.bt_bdaddr) == 0) 266 if (bdaddr_any(&src->bt_bdaddr) == 0) 267 continue; 268 269 l2cap_peeraddr(rs->rs_l2cap, &addr); 270 271 if (addr.bt_psm != dest->bt_psm) 272 continue; 273 274 if (bdaddr_same(&dest->bt_bdaddr, &addr.bt_bdaddr)) 275 break; 276 } 277 278 return rs; 279 } 280 281 /* 282 * rfcomm_session_timeout(rfcomm_session) 283 * 284 * Session timeouts are scheduled when a session is left or 285 * created with no DLCs, and when SABM(0) or DISC(0) are 286 * sent. 287 * 288 * So, if it is in an open state with DLC's attached then 289 * we leave it alone, otherwise the session is lost. 290 */ 291 static void 292 rfcomm_session_timeout(void *arg) 293 { 294 struct rfcomm_session *rs = arg; 295 struct rfcomm_dlc *dlc; 296 int s; 297 298 KASSERT(rs != NULL); 299 300 s = splsoftnet(); 301 callout_ack(&rs->rs_timeout); 302 303 if (rs->rs_state != RFCOMM_SESSION_OPEN) { 304 DPRINTF("timeout\n"); 305 rs->rs_state = RFCOMM_SESSION_CLOSED; 306 307 while (!LIST_EMPTY(&rs->rs_dlcs)) { 308 dlc = LIST_FIRST(&rs->rs_dlcs); 309 310 rfcomm_dlc_close(dlc, ETIMEDOUT); 311 } 312 } 313 314 if (LIST_EMPTY(&rs->rs_dlcs)) { 315 DPRINTF("expiring\n"); 316 rfcomm_session_free(rs); 317 } 318 splx(s); 319 } 320 321 /*********************************************************************** 322 * 323 * RFCOMM Session L2CAP protocol callbacks 324 * 325 */ 326 327 static void 328 rfcomm_session_connecting(void *arg) 329 { 330 /* struct rfcomm_session *rs = arg; */ 331 332 DPRINTF("Connecting\n"); 333 } 334 335 static void 336 rfcomm_session_connected(void *arg) 337 { 338 struct rfcomm_session *rs = arg; 339 340 DPRINTF("Connected\n"); 341 342 /* 343 * L2CAP is open. 344 * 345 * If we are initiator, we can send our SABM(0) 346 * a timeout should be active? 347 * 348 * We must take note of the L2CAP MTU because currently 349 * the L2CAP implementation can only do Basic Mode. 350 */ 351 l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu); 352 353 rs->rs_mtu -= 6; /* (RFCOMM overhead could be this big) */ 354 if (rs->rs_mtu < RFCOMM_MTU_MIN) { 355 rfcomm_session_disconnected(rs, EINVAL); 356 return; 357 } 358 359 if (IS_INITIATOR(rs)) { 360 int err; 361 362 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, 0); 363 if (err) 364 rfcomm_session_disconnected(rs, err); 365 366 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz); 367 } 368 } 369 370 static void 371 rfcomm_session_disconnected(void *arg, int err) 372 { 373 struct rfcomm_session *rs = arg; 374 struct rfcomm_dlc *dlc; 375 376 DPRINTF("Disconnected\n"); 377 378 rs->rs_state = RFCOMM_SESSION_CLOSED; 379 380 while (!LIST_EMPTY(&rs->rs_dlcs)) { 381 dlc = LIST_FIRST(&rs->rs_dlcs); 382 383 rfcomm_dlc_close(dlc, err); 384 } 385 386 rfcomm_session_free(rs); 387 } 388 389 static void * 390 rfcomm_session_newconn(void *arg, struct sockaddr_bt *laddr, 391 struct sockaddr_bt *raddr) 392 { 393 struct rfcomm_session *new, *rs = arg; 394 395 DPRINTF("New Connection\n"); 396 397 /* 398 * Incoming session connect request. We should return a new 399 * session pointer if this is acceptable. The L2CAP layer 400 * passes local and remote addresses, which we must check as 401 * only one RFCOMM session is allowed between any two devices 402 */ 403 new = rfcomm_session_lookup(laddr, raddr); 404 if (new != NULL) 405 return NULL; 406 407 new = rfcomm_session_alloc(&rfcomm_session_active, laddr); 408 if (new == NULL) 409 return NULL; 410 411 new->rs_mtu = rs->rs_mtu; 412 new->rs_state = RFCOMM_SESSION_WAIT_CONNECT; 413 414 /* 415 * schedule an expiry so that if nothing comes of it we 416 * can punt. 417 */ 418 callout_schedule(&new->rs_timeout, rfcomm_mcc_timeout * hz); 419 420 return new->rs_l2cap; 421 } 422 423 static void 424 rfcomm_session_complete(void *arg, int count) 425 { 426 struct rfcomm_session *rs = arg; 427 struct rfcomm_credit *credit; 428 struct rfcomm_dlc *dlc; 429 430 /* 431 * count L2CAP packets are 'complete', meaning that they are cleared 432 * our buffers (for best effort) or arrived safe (for guaranteed) so 433 * we can take it off our list and pass the message on, so that 434 * eventually the data can be removed from the sockbuf 435 */ 436 while (count-- > 0) { 437 credit = SIMPLEQ_FIRST(&rs->rs_credits); 438 #ifdef DIAGNOSTIC 439 if (credit == NULL) { 440 printf("%s: too many packets completed!\n", __func__); 441 break; 442 } 443 #endif 444 dlc = credit->rc_dlc; 445 if (dlc != NULL) { 446 dlc->rd_pending--; 447 (*dlc->rd_proto->complete) 448 (dlc->rd_upper, credit->rc_len); 449 450 /* 451 * if not using credit flow control, we may push 452 * more data now 453 */ 454 if ((rs->rs_flags & RFCOMM_SESSION_CFC) == 0 455 && dlc->rd_state == RFCOMM_DLC_OPEN) { 456 rfcomm_dlc_start(dlc); 457 } 458 459 /* 460 * When shutdown is indicated, we are just waiting to 461 * clear outgoing data. 462 */ 463 if ((dlc->rd_flags & RFCOMM_DLC_SHUTDOWN) 464 && dlc->rd_txbuf == NULL && dlc->rd_pending == 0) { 465 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT; 466 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 467 dlc->rd_dlci); 468 callout_schedule(&dlc->rd_timeout, 469 rfcomm_ack_timeout * hz); 470 } 471 } 472 473 SIMPLEQ_REMOVE_HEAD(&rs->rs_credits, rc_next); 474 pool_put(&rfcomm_credit_pool, credit); 475 } 476 477 /* 478 * If session is closed, we are just waiting to clear the queue 479 */ 480 if (rs->rs_state == RFCOMM_SESSION_CLOSED) { 481 if (SIMPLEQ_EMPTY(&rs->rs_credits)) 482 l2cap_disconnect(rs->rs_l2cap, 0); 483 } 484 } 485 486 /* 487 * Link Mode changed 488 * 489 * This is called when a mode change is complete. Proceed with connections 490 * where appropriate, or pass the new mode to any active DLCs. 491 */ 492 static void 493 rfcomm_session_linkmode(void *arg, int new) 494 { 495 struct rfcomm_session *rs = arg; 496 struct rfcomm_dlc *dlc, *next; 497 int err, mode = 0; 498 499 DPRINTF("auth %s, encrypt %s, secure %s\n", 500 (new & L2CAP_LM_AUTH ? "on" : "off"), 501 (new & L2CAP_LM_ENCRYPT ? "on" : "off"), 502 (new & L2CAP_LM_SECURE ? "on" : "off")); 503 504 if (new & L2CAP_LM_AUTH) 505 mode |= RFCOMM_LM_AUTH; 506 507 if (new & L2CAP_LM_ENCRYPT) 508 mode |= RFCOMM_LM_ENCRYPT; 509 510 if (new & L2CAP_LM_SECURE) 511 mode |= RFCOMM_LM_SECURE; 512 513 next = LIST_FIRST(&rs->rs_dlcs); 514 while ((dlc = next) != NULL) { 515 next = LIST_NEXT(dlc, rd_next); 516 517 switch (dlc->rd_state) { 518 case RFCOMM_DLC_WAIT_SEND_SABM: /* we are connecting */ 519 if ((mode & dlc->rd_mode) != dlc->rd_mode) { 520 rfcomm_dlc_close(dlc, ECONNABORTED); 521 } else { 522 err = rfcomm_session_send_frame(rs, 523 RFCOMM_FRAME_SABM, dlc->rd_dlci); 524 if (err) { 525 rfcomm_dlc_close(dlc, err); 526 } else { 527 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA; 528 callout_schedule(&dlc->rd_timeout, 529 rfcomm_ack_timeout * hz); 530 break; 531 } 532 } 533 534 /* 535 * If we aborted the connection and there are no more DLCs 536 * on the session, it is our responsibility to disconnect. 537 */ 538 if (!LIST_EMPTY(&rs->rs_dlcs)) 539 break; 540 541 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT; 542 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0); 543 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz); 544 break; 545 546 case RFCOMM_DLC_WAIT_SEND_UA: /* they are connecting */ 547 if ((mode & dlc->rd_mode) != dlc->rd_mode) { 548 rfcomm_session_send_frame(rs, 549 RFCOMM_FRAME_DM, dlc->rd_dlci); 550 rfcomm_dlc_close(dlc, ECONNABORTED); 551 break; 552 } 553 554 err = rfcomm_session_send_frame(rs, 555 RFCOMM_FRAME_UA, dlc->rd_dlci); 556 if (err) { 557 rfcomm_session_send_frame(rs, 558 RFCOMM_FRAME_DM, dlc->rd_dlci); 559 rfcomm_dlc_close(dlc, err); 560 break; 561 } 562 563 err = rfcomm_dlc_open(dlc); 564 if (err) { 565 rfcomm_session_send_frame(rs, 566 RFCOMM_FRAME_DM, dlc->rd_dlci); 567 rfcomm_dlc_close(dlc, err); 568 break; 569 } 570 571 break; 572 573 case RFCOMM_DLC_WAIT_RECV_UA: 574 case RFCOMM_DLC_OPEN: /* already established */ 575 (*dlc->rd_proto->linkmode)(dlc->rd_upper, mode); 576 break; 577 578 default: 579 break; 580 } 581 } 582 } 583 584 /* 585 * Receive data from L2CAP layer for session. There is always exactly one 586 * RFCOMM frame contained in each L2CAP frame. 587 */ 588 static void 589 rfcomm_session_input(void *arg, struct mbuf *m) 590 { 591 struct rfcomm_session *rs = arg; 592 int dlci, len, type, pf; 593 uint8_t fcs, b; 594 595 KASSERT(m != NULL); 596 KASSERT(rs != NULL); 597 598 /* 599 * UIH frames: FCS is only calculated on address and control fields 600 * For other frames: FCS is calculated on address, control and length 601 * Length may extend to two octets 602 */ 603 fcs = 0xff; 604 605 if (m->m_pkthdr.len < 4) { 606 DPRINTF("short frame (%d), discarded\n", m->m_pkthdr.len); 607 goto done; 608 } 609 610 /* address - one octet */ 611 m_copydata(m, 0, 1, &b); 612 m_adj(m, 1); 613 fcs = FCS(fcs, b); 614 dlci = RFCOMM_DLCI(b); 615 616 /* control - one octet */ 617 m_copydata(m, 0, 1, &b); 618 m_adj(m, 1); 619 fcs = FCS(fcs, b); 620 type = RFCOMM_TYPE(b); 621 pf = RFCOMM_PF(b); 622 623 /* length - may be two octets */ 624 m_copydata(m, 0, 1, &b); 625 m_adj(m, 1); 626 if (type != RFCOMM_FRAME_UIH) 627 fcs = FCS(fcs, b); 628 len = (b >> 1) & 0x7f; 629 630 if (RFCOMM_EA(b) == 0) { 631 if (m->m_pkthdr.len < 2) { 632 DPRINTF("short frame (%d, EA = 0), discarded\n", 633 m->m_pkthdr.len); 634 goto done; 635 } 636 637 m_copydata(m, 0, 1, &b); 638 m_adj(m, 1); 639 if (type != RFCOMM_FRAME_UIH) 640 fcs = FCS(fcs, b); 641 642 len |= (b << 7); 643 } 644 645 /* FCS byte is last octet in frame */ 646 m_copydata(m, m->m_pkthdr.len - 1, 1, &b); 647 m_adj(m, -1); 648 fcs = FCS(fcs, b); 649 650 if (fcs != 0xcf) { 651 DPRINTF("Bad FCS value (%#2.2x), frame discarded\n", fcs); 652 goto done; 653 } 654 655 DPRINTFN(10, "dlci %d, type %2.2x, len = %d\n", dlci, type, len); 656 657 switch (type) { 658 case RFCOMM_FRAME_SABM: 659 if (pf) 660 rfcomm_session_recv_sabm(rs, dlci); 661 break; 662 663 case RFCOMM_FRAME_DISC: 664 if (pf) 665 rfcomm_session_recv_disc(rs, dlci); 666 break; 667 668 case RFCOMM_FRAME_UA: 669 if (pf) 670 rfcomm_session_recv_ua(rs, dlci); 671 break; 672 673 case RFCOMM_FRAME_DM: 674 rfcomm_session_recv_dm(rs, dlci); 675 break; 676 677 case RFCOMM_FRAME_UIH: 678 rfcomm_session_recv_uih(rs, dlci, pf, m, len); 679 return; /* (no release) */ 680 681 default: 682 UNKNOWN(type); 683 break; 684 } 685 686 done: 687 m_freem(m); 688 } 689 690 /*********************************************************************** 691 * 692 * RFCOMM Session receive processing 693 */ 694 695 /* 696 * rfcomm_session_recv_sabm(rfcomm_session, dlci) 697 * 698 * Set Asyncrhonous Balanced Mode - open the channel. 699 */ 700 static void 701 rfcomm_session_recv_sabm(struct rfcomm_session *rs, int dlci) 702 { 703 struct rfcomm_dlc *dlc; 704 int err; 705 706 DPRINTFN(5, "SABM(%d)\n", dlci); 707 708 if (dlci == 0) { /* Open Session */ 709 rs->rs_state = RFCOMM_SESSION_OPEN; 710 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0); 711 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) { 712 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION) 713 rfcomm_dlc_connect(dlc); 714 } 715 return; 716 } 717 718 if (rs->rs_state != RFCOMM_SESSION_OPEN) { 719 DPRINTF("session was not even open!\n"); 720 return; 721 } 722 723 /* validate direction bit */ 724 if ((IS_INITIATOR(rs) && !RFCOMM_DIRECTION(dlci)) 725 || (!IS_INITIATOR(rs) && RFCOMM_DIRECTION(dlci))) { 726 DPRINTF("Invalid direction bit on DLCI\n"); 727 return; 728 } 729 730 /* 731 * look for our DLC - this may exist if we received PN 732 * already, or we may have to fabricate a new one. 733 */ 734 dlc = rfcomm_dlc_lookup(rs, dlci); 735 if (dlc == NULL) { 736 dlc = rfcomm_dlc_newconn(rs, dlci); 737 if (dlc == NULL) 738 return; /* (DM is sent) */ 739 } 740 741 /* 742 * ..but if this DLC is not waiting to connect, they did 743 * something wrong, ignore it. 744 */ 745 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT) 746 return; 747 748 /* set link mode */ 749 err = rfcomm_dlc_setmode(dlc); 750 if (err == EINPROGRESS) { 751 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_UA; 752 (*dlc->rd_proto->connecting)(dlc->rd_upper); 753 return; 754 } 755 if (err) 756 goto close; 757 758 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci); 759 if (err) 760 goto close; 761 762 /* and mark it open */ 763 err = rfcomm_dlc_open(dlc); 764 if (err) 765 goto close; 766 767 return; 768 769 close: 770 rfcomm_dlc_close(dlc, err); 771 } 772 773 /* 774 * Receive Disconnect Command 775 */ 776 static void 777 rfcomm_session_recv_disc(struct rfcomm_session *rs, int dlci) 778 { 779 struct rfcomm_dlc *dlc; 780 781 DPRINTFN(5, "DISC(%d)\n", dlci); 782 783 if (dlci == 0) { 784 /* 785 * Disconnect Session 786 * 787 * We set the session state to CLOSED so that when 788 * the UA frame is clear the session will be closed 789 * automatically. We wont bother to close any DLC's 790 * just yet as there should be none. In the unlikely 791 * event that something is left, it will get flushed 792 * out as the session goes down. 793 */ 794 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0); 795 rs->rs_state = RFCOMM_SESSION_CLOSED; 796 return; 797 } 798 799 dlc = rfcomm_dlc_lookup(rs, dlci); 800 if (dlc == NULL) { 801 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci); 802 return; 803 } 804 805 rfcomm_dlc_close(dlc, ECONNRESET); 806 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci); 807 } 808 809 /* 810 * Receive Unnumbered Acknowledgement Response 811 * 812 * This should be a response to a DISC or SABM frame that we 813 * have previously sent. If unexpected, ignore it. 814 */ 815 static void 816 rfcomm_session_recv_ua(struct rfcomm_session *rs, int dlci) 817 { 818 struct rfcomm_dlc *dlc; 819 820 DPRINTFN(5, "UA(%d)\n", dlci); 821 822 if (dlci == 0) { 823 switch (rs->rs_state) { 824 case RFCOMM_SESSION_WAIT_CONNECT: /* We sent SABM */ 825 callout_stop(&rs->rs_timeout); 826 rs->rs_state = RFCOMM_SESSION_OPEN; 827 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) { 828 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION) 829 rfcomm_dlc_connect(dlc); 830 } 831 break; 832 833 case RFCOMM_SESSION_WAIT_DISCONNECT: /* We sent DISC */ 834 callout_stop(&rs->rs_timeout); 835 rs->rs_state = RFCOMM_SESSION_CLOSED; 836 l2cap_disconnect(rs->rs_l2cap, 0); 837 break; 838 839 default: 840 DPRINTF("Received spurious UA(0)!\n"); 841 break; 842 } 843 844 return; 845 } 846 847 /* 848 * If we have no DLC on this dlci, we may have aborted 849 * without shutting down properly, so check if the session 850 * needs disconnecting. 851 */ 852 dlc = rfcomm_dlc_lookup(rs, dlci); 853 if (dlc == NULL) 854 goto check; 855 856 switch (dlc->rd_state) { 857 case RFCOMM_DLC_WAIT_RECV_UA: /* We sent SABM */ 858 rfcomm_dlc_open(dlc); 859 return; 860 861 case RFCOMM_DLC_WAIT_DISCONNECT: /* We sent DISC */ 862 rfcomm_dlc_close(dlc, 0); 863 break; 864 865 default: 866 DPRINTF("Received spurious UA(%d)!\n", dlci); 867 return; 868 } 869 870 check: /* last one out turns out the light */ 871 if (LIST_EMPTY(&rs->rs_dlcs)) { 872 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT; 873 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0); 874 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz); 875 } 876 } 877 878 /* 879 * Receive Disconnected Mode Response 880 * 881 * If this does not apply to a known DLC then we may ignore it. 882 */ 883 static void 884 rfcomm_session_recv_dm(struct rfcomm_session *rs, int dlci) 885 { 886 struct rfcomm_dlc *dlc; 887 888 DPRINTFN(5, "DM(%d)\n", dlci); 889 890 dlc = rfcomm_dlc_lookup(rs, dlci); 891 if (dlc == NULL) 892 return; 893 894 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT) 895 rfcomm_dlc_close(dlc, ECONNREFUSED); 896 else 897 rfcomm_dlc_close(dlc, ECONNRESET); 898 } 899 900 /* 901 * Receive Unnumbered Information with Header check (MCC or data packet) 902 */ 903 static void 904 rfcomm_session_recv_uih(struct rfcomm_session *rs, int dlci, 905 int pf, struct mbuf *m, int len) 906 { 907 struct rfcomm_dlc *dlc; 908 uint8_t credits = 0; 909 910 DPRINTFN(10, "UIH(%d)\n", dlci); 911 912 if (dlci == 0) { 913 rfcomm_session_recv_mcc(rs, m); 914 return; 915 } 916 917 if (m->m_pkthdr.len != len + pf) { 918 DPRINTF("Bad Frame Length (%d), frame discarded\n", 919 m->m_pkthdr.len); 920 921 goto discard; 922 } 923 924 dlc = rfcomm_dlc_lookup(rs, dlci); 925 if (dlc == NULL) { 926 DPRINTF("UIH received for non existent DLC, discarded\n"); 927 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci); 928 goto discard; 929 } 930 931 if (dlc->rd_state != RFCOMM_DLC_OPEN) { 932 DPRINTF("non-open DLC (state = %d), discarded\n", 933 dlc->rd_state); 934 goto discard; 935 } 936 937 /* if PF is set, credits were included */ 938 if (rs->rs_flags & RFCOMM_SESSION_CFC) { 939 if (pf != 0) { 940 if (m->m_pkthdr.len < sizeof(credits)) { 941 DPRINTF("Bad PF value, UIH discarded\n"); 942 goto discard; 943 } 944 945 m_copydata(m, 0, sizeof(credits), &credits); 946 m_adj(m, sizeof(credits)); 947 948 dlc->rd_txcred += credits; 949 950 if (credits > 0 && dlc->rd_txbuf != NULL) 951 rfcomm_dlc_start(dlc); 952 } 953 954 if (len == 0) 955 goto discard; 956 957 if (dlc->rd_rxcred == 0) { 958 DPRINTF("Credit limit reached, UIH discarded\n"); 959 goto discard; 960 } 961 962 if (len > dlc->rd_rxsize) { 963 DPRINTF("UIH frame exceeds rxsize, discarded\n"); 964 goto discard; 965 } 966 967 dlc->rd_rxcred--; 968 dlc->rd_rxsize -= len; 969 } 970 971 (*dlc->rd_proto->input)(dlc->rd_upper, m); 972 return; 973 974 discard: 975 m_freem(m); 976 } 977 978 /* 979 * Receive Multiplexer Control Command 980 */ 981 static void 982 rfcomm_session_recv_mcc(struct rfcomm_session *rs, struct mbuf *m) 983 { 984 int type, cr, len; 985 uint8_t b; 986 987 /* 988 * Extract MCC header. 989 * 990 * Fields are variable length using extension bit = 1 to signify the 991 * last octet in the sequence. 992 * 993 * Only single octet types are defined in TS 07.10/RFCOMM spec 994 * 995 * Length can realistically only use 15 bits (max RFCOMM MTU) 996 */ 997 if (m->m_pkthdr.len < sizeof(b)) { 998 DPRINTF("Short MCC header, discarded\n"); 999 goto release; 1000 } 1001 1002 m_copydata(m, 0, sizeof(b), &b); 1003 m_adj(m, sizeof(b)); 1004 1005 if (RFCOMM_EA(b) == 0) { /* verify no extensions */ 1006 DPRINTF("MCC type EA = 0, discarded\n"); 1007 goto release; 1008 } 1009 1010 type = RFCOMM_MCC_TYPE(b); 1011 cr = RFCOMM_CR(b); 1012 1013 len = 0; 1014 do { 1015 if (m->m_pkthdr.len < sizeof(b)) { 1016 DPRINTF("Short MCC header, discarded\n"); 1017 goto release; 1018 } 1019 1020 m_copydata(m, 0, sizeof(b), &b); 1021 m_adj(m, sizeof(b)); 1022 1023 len = (len << 7) | (b >> 1); 1024 len = min(len, RFCOMM_MTU_MAX); 1025 } while (RFCOMM_EA(b) == 0); 1026 1027 if (len != m->m_pkthdr.len) { 1028 DPRINTF("Incorrect MCC length, discarded\n"); 1029 goto release; 1030 } 1031 1032 DPRINTFN(2, "MCC %s type %2.2x (%d bytes)\n", 1033 (cr ? "command" : "response"), type, len); 1034 1035 /* 1036 * pass to command handler 1037 */ 1038 switch(type) { 1039 case RFCOMM_MCC_TEST: /* Test */ 1040 rfcomm_session_recv_mcc_test(rs, cr, m); 1041 break; 1042 1043 case RFCOMM_MCC_FCON: /* Flow Control On */ 1044 rfcomm_session_recv_mcc_fcon(rs, cr); 1045 break; 1046 1047 case RFCOMM_MCC_FCOFF: /* Flow Control Off */ 1048 rfcomm_session_recv_mcc_fcoff(rs, cr); 1049 break; 1050 1051 case RFCOMM_MCC_MSC: /* Modem Status Command */ 1052 rfcomm_session_recv_mcc_msc(rs, cr, m); 1053 break; 1054 1055 case RFCOMM_MCC_RPN: /* Remote Port Negotiation */ 1056 rfcomm_session_recv_mcc_rpn(rs, cr, m); 1057 break; 1058 1059 case RFCOMM_MCC_RLS: /* Remote Line Status */ 1060 rfcomm_session_recv_mcc_rls(rs, cr, m); 1061 break; 1062 1063 case RFCOMM_MCC_PN: /* Parameter Negotiation */ 1064 rfcomm_session_recv_mcc_pn(rs, cr, m); 1065 break; 1066 1067 case RFCOMM_MCC_NSC: /* Non Supported Command */ 1068 rfcomm_session_recv_mcc_nsc(rs, cr, m); 1069 break; 1070 1071 default: 1072 b = RFCOMM_MKMCC_TYPE(cr, type); 1073 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_NSC, &b, sizeof(b)); 1074 } 1075 1076 release: 1077 m_freem(m); 1078 } 1079 1080 /* 1081 * process TEST command/response 1082 */ 1083 static void 1084 rfcomm_session_recv_mcc_test(struct rfcomm_session *rs, int cr, struct mbuf *m) 1085 { 1086 void *data; 1087 int len; 1088 1089 if (cr == 0) /* ignore ack */ 1090 return; 1091 1092 /* 1093 * we must send all the data they included back as is 1094 */ 1095 1096 len = m->m_pkthdr.len; 1097 if (len > RFCOMM_MTU_MAX) 1098 return; 1099 1100 data = malloc(len, M_BLUETOOTH, M_NOWAIT); 1101 if (data == NULL) 1102 return; 1103 1104 m_copydata(m, 0, len, data); 1105 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_TEST, data, len); 1106 free(data, M_BLUETOOTH); 1107 } 1108 1109 /* 1110 * process Flow Control ON command/response 1111 */ 1112 static void 1113 rfcomm_session_recv_mcc_fcon(struct rfcomm_session *rs, int cr) 1114 { 1115 1116 if (cr == 0) /* ignore ack */ 1117 return; 1118 1119 rs->rs_flags |= RFCOMM_SESSION_RFC; 1120 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCON, NULL, 0); 1121 } 1122 1123 /* 1124 * process Flow Control OFF command/response 1125 */ 1126 static void 1127 rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *rs, int cr) 1128 { 1129 1130 if (cr == 0) /* ignore ack */ 1131 return; 1132 1133 rs->rs_flags &= ~RFCOMM_SESSION_RFC; 1134 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCOFF, NULL, 0); 1135 } 1136 1137 /* 1138 * process Modem Status Command command/response 1139 */ 1140 static void 1141 rfcomm_session_recv_mcc_msc(struct rfcomm_session *rs, int cr, struct mbuf *m) 1142 { 1143 struct rfcomm_mcc_msc msc; /* (3 octets) */ 1144 struct rfcomm_dlc *dlc; 1145 int len = 0; 1146 1147 /* [ADDRESS] */ 1148 if (m->m_pkthdr.len < sizeof(msc.address)) 1149 return; 1150 1151 m_copydata(m, 0, sizeof(msc.address), &msc.address); 1152 m_adj(m, sizeof(msc.address)); 1153 len += sizeof(msc.address); 1154 1155 dlc = rfcomm_dlc_lookup(rs, RFCOMM_DLCI(msc.address)); 1156 1157 if (cr == 0) { /* ignore acks */ 1158 if (dlc != NULL) 1159 callout_stop(&dlc->rd_timeout); 1160 1161 return; 1162 } 1163 1164 if (dlc == NULL) { 1165 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, 1166 RFCOMM_DLCI(msc.address)); 1167 return; 1168 } 1169 1170 /* [SIGNALS] */ 1171 if (m->m_pkthdr.len < sizeof(msc.modem)) 1172 return; 1173 1174 m_copydata(m, 0, sizeof(msc.modem), &msc.modem); 1175 m_adj(m, sizeof(msc.modem)); 1176 len += sizeof(msc.modem); 1177 1178 dlc->rd_rmodem = msc.modem; 1179 /* XXX how do we signal this upstream? */ 1180 1181 if (RFCOMM_EA(msc.modem) == 0) { 1182 if (m->m_pkthdr.len < sizeof(msc.brk)) 1183 return; 1184 1185 m_copydata(m, 0, sizeof(msc.brk), &msc.brk); 1186 m_adj(m, sizeof(msc.brk)); 1187 len += sizeof(msc.brk); 1188 1189 /* XXX how do we signal this upstream? */ 1190 } 1191 1192 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_MSC, &msc, len); 1193 } 1194 1195 /* 1196 * process Remote Port Negotiation command/response 1197 */ 1198 static void 1199 rfcomm_session_recv_mcc_rpn(struct rfcomm_session *rs, int cr, struct mbuf *m) 1200 { 1201 struct rfcomm_mcc_rpn rpn; 1202 uint16_t mask; 1203 1204 if (cr == 0) /* ignore ack */ 1205 return; 1206 1207 /* default values */ 1208 rpn.bit_rate = RFCOMM_RPN_BR_9600; 1209 rpn.line_settings = RFCOMM_RPN_8_N_1; 1210 rpn.flow_control = RFCOMM_RPN_FLOW_NONE; 1211 rpn.xon_char = RFCOMM_RPN_XON_CHAR; 1212 rpn.xoff_char = RFCOMM_RPN_XOFF_CHAR; 1213 1214 if (m->m_pkthdr.len == sizeof(rpn)) { 1215 m_copydata(m, 0, sizeof(rpn), &rpn); 1216 rpn.param_mask = RFCOMM_RPN_PM_ALL; 1217 } else if (m->m_pkthdr.len == 1) { 1218 m_copydata(m, 0, 1, &rpn); 1219 rpn.param_mask = le16toh(rpn.param_mask); 1220 } else { 1221 DPRINTF("Bad RPN length (%d)\n", m->m_pkthdr.len); 1222 return; 1223 } 1224 1225 mask = 0; 1226 1227 if (rpn.param_mask & RFCOMM_RPN_PM_RATE) 1228 mask |= RFCOMM_RPN_PM_RATE; 1229 1230 if (rpn.param_mask & RFCOMM_RPN_PM_DATA 1231 && RFCOMM_RPN_DATA_BITS(rpn.line_settings) == RFCOMM_RPN_DATA_8) 1232 mask |= RFCOMM_RPN_PM_DATA; 1233 1234 if (rpn.param_mask & RFCOMM_RPN_PM_STOP 1235 && RFCOMM_RPN_STOP_BITS(rpn.line_settings) == RFCOMM_RPN_STOP_1) 1236 mask |= RFCOMM_RPN_PM_STOP; 1237 1238 if (rpn.param_mask & RFCOMM_RPN_PM_PARITY 1239 && RFCOMM_RPN_PARITY(rpn.line_settings) == RFCOMM_RPN_PARITY_NONE) 1240 mask |= RFCOMM_RPN_PM_PARITY; 1241 1242 if (rpn.param_mask & RFCOMM_RPN_PM_XON 1243 && rpn.xon_char == RFCOMM_RPN_XON_CHAR) 1244 mask |= RFCOMM_RPN_PM_XON; 1245 1246 if (rpn.param_mask & RFCOMM_RPN_PM_XOFF 1247 && rpn.xoff_char == RFCOMM_RPN_XOFF_CHAR) 1248 mask |= RFCOMM_RPN_PM_XOFF; 1249 1250 if (rpn.param_mask & RFCOMM_RPN_PM_FLOW 1251 && rpn.flow_control == RFCOMM_RPN_FLOW_NONE) 1252 mask |= RFCOMM_RPN_PM_FLOW; 1253 1254 rpn.param_mask = htole16(mask); 1255 1256 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RPN, &rpn, sizeof(rpn)); 1257 } 1258 1259 /* 1260 * process Remote Line Status command/response 1261 */ 1262 static void 1263 rfcomm_session_recv_mcc_rls(struct rfcomm_session *rs, int cr, struct mbuf *m) 1264 { 1265 struct rfcomm_mcc_rls rls; 1266 1267 if (cr == 0) /* ignore ack */ 1268 return; 1269 1270 if (m->m_pkthdr.len != sizeof(rls)) { 1271 DPRINTF("Bad RLS length %d\n", m->m_pkthdr.len); 1272 return; 1273 } 1274 1275 m_copydata(m, 0, sizeof(rls), &rls); 1276 1277 /* 1278 * So far as I can tell, we just send back what 1279 * they sent us. This signifies errors that seem 1280 * irrelevent for RFCOMM over L2CAP. 1281 */ 1282 rls.address |= 0x03; /* EA = 1, CR = 1 */ 1283 rls.status &= 0x0f; /* only 4 bits valid */ 1284 1285 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RLS, &rls, sizeof(rls)); 1286 } 1287 1288 /* 1289 * process Parameter Negotiation command/response 1290 */ 1291 static void 1292 rfcomm_session_recv_mcc_pn(struct rfcomm_session *rs, int cr, struct mbuf *m) 1293 { 1294 struct rfcomm_dlc *dlc; 1295 struct rfcomm_mcc_pn pn; 1296 int err; 1297 1298 if (m->m_pkthdr.len != sizeof(pn)) { 1299 DPRINTF("Bad PN length %d\n", m->m_pkthdr.len); 1300 return; 1301 } 1302 1303 m_copydata(m, 0, sizeof(pn), &pn); 1304 1305 pn.dlci &= 0x3f; 1306 pn.mtu = le16toh(pn.mtu); 1307 1308 dlc = rfcomm_dlc_lookup(rs, pn.dlci); 1309 if (cr) { /* Command */ 1310 /* 1311 * If there is no DLC present, this is a new 1312 * connection so attempt to make one 1313 */ 1314 if (dlc == NULL) { 1315 dlc = rfcomm_dlc_newconn(rs, pn.dlci); 1316 if (dlc == NULL) 1317 return; /* (DM is sent) */ 1318 } 1319 1320 /* accept any valid MTU, and offer it back */ 1321 pn.mtu = min(pn.mtu, RFCOMM_MTU_MAX); 1322 pn.mtu = min(pn.mtu, rs->rs_mtu); 1323 pn.mtu = max(pn.mtu, RFCOMM_MTU_MIN); 1324 dlc->rd_mtu = pn.mtu; 1325 pn.mtu = htole16(pn.mtu); 1326 1327 /* credits are only set before DLC is open */ 1328 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT 1329 && (pn.flow_control & 0xf0) == 0xf0) { 1330 rs->rs_flags |= RFCOMM_SESSION_CFC; 1331 dlc->rd_txcred = pn.credits & 0x07; 1332 1333 dlc->rd_rxcred = (dlc->rd_rxsize / dlc->rd_mtu); 1334 dlc->rd_rxcred = min(dlc->rd_rxcred, 1335 RFCOMM_CREDITS_DEFAULT); 1336 1337 pn.flow_control = 0xe0; 1338 pn.credits = dlc->rd_rxcred; 1339 } else { 1340 pn.flow_control = 0x00; 1341 pn.credits = 0x00; 1342 } 1343 1344 /* unused fields must be ignored and set to zero */ 1345 pn.ack_timer = 0; 1346 pn.max_retrans = 0; 1347 1348 /* send our response */ 1349 err = rfcomm_session_send_mcc(rs, 0, 1350 RFCOMM_MCC_PN, &pn, sizeof(pn)); 1351 if (err) 1352 goto close; 1353 1354 } else { /* Response */ 1355 /* ignore responses with no matching DLC */ 1356 if (dlc == NULL) 1357 return; 1358 1359 callout_stop(&dlc->rd_timeout); 1360 1361 if (pn.mtu > RFCOMM_MTU_MAX || pn.mtu > dlc->rd_mtu) { 1362 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT; 1363 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 1364 pn.dlci); 1365 if (err) 1366 goto close; 1367 1368 callout_schedule(&dlc->rd_timeout, 1369 rfcomm_ack_timeout * hz); 1370 return; 1371 } 1372 dlc->rd_mtu = pn.mtu; 1373 1374 /* if DLC is not waiting to connect, we are done */ 1375 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT) 1376 return; 1377 1378 /* set initial credits according to RFCOMM spec */ 1379 if ((pn.flow_control & 0xf0) == 0xe0) { 1380 rs->rs_flags |= RFCOMM_SESSION_CFC; 1381 dlc->rd_txcred = (pn.credits & 0x07); 1382 } 1383 1384 callout_schedule(&dlc->rd_timeout, rfcomm_ack_timeout * hz); 1385 1386 /* set link mode */ 1387 err = rfcomm_dlc_setmode(dlc); 1388 if (err == EINPROGRESS) { 1389 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_SABM; 1390 (*dlc->rd_proto->connecting)(dlc->rd_upper); 1391 return; 1392 } 1393 if (err) 1394 goto close; 1395 1396 /* we can proceed now */ 1397 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, pn.dlci); 1398 if (err) 1399 goto close; 1400 1401 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA; 1402 } 1403 return; 1404 1405 close: 1406 rfcomm_dlc_close(dlc, err); 1407 } 1408 1409 /* 1410 * process Non Supported Command command/response 1411 */ 1412 static void 1413 rfcomm_session_recv_mcc_nsc(struct rfcomm_session *rs, 1414 int cr, struct mbuf *m) 1415 { 1416 struct rfcomm_dlc *dlc, *next; 1417 1418 /* 1419 * Since we did nothing that is not mandatory, 1420 * we just abort the whole session.. 1421 */ 1422 1423 next = LIST_FIRST(&rs->rs_dlcs); 1424 while ((dlc = next) != NULL) { 1425 next = LIST_NEXT(dlc, rd_next); 1426 rfcomm_dlc_close(dlc, ECONNABORTED); 1427 } 1428 1429 rfcomm_session_free(rs); 1430 } 1431 1432 /*********************************************************************** 1433 * 1434 * RFCOMM Session outward frame/uih/mcc building 1435 */ 1436 1437 /* 1438 * SABM/DISC/DM/UA frames are all minimal and mostly identical. 1439 */ 1440 int 1441 rfcomm_session_send_frame(struct rfcomm_session *rs, int type, int dlci) 1442 { 1443 struct rfcomm_cmd_hdr *hdr; 1444 struct rfcomm_credit *credit; 1445 struct mbuf *m; 1446 uint8_t fcs, cr; 1447 1448 credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT); 1449 if (credit == NULL) 1450 return ENOMEM; 1451 1452 m = m_gethdr(M_DONTWAIT, MT_DATA); 1453 if (m == NULL) { 1454 pool_put(&rfcomm_credit_pool, credit); 1455 return ENOMEM; 1456 } 1457 1458 /* 1459 * The CR (command/response) bit identifies the frame either as a 1460 * commmand or a response and is used along with the DLCI to form 1461 * the address. Commands contain the non-initiator address, whereas 1462 * responses contain the initiator address, so the CR value is 1463 * also dependent on the session direction. 1464 */ 1465 if (type == RFCOMM_FRAME_UA || type == RFCOMM_FRAME_DM) 1466 cr = IS_INITIATOR(rs) ? 0 : 1; 1467 else 1468 cr = IS_INITIATOR(rs) ? 1 : 0; 1469 1470 hdr = mtod(m, struct rfcomm_cmd_hdr *); 1471 hdr->address = RFCOMM_MKADDRESS(cr, dlci); 1472 hdr->control = RFCOMM_MKCONTROL(type, 1); /* PF = 1 */ 1473 hdr->length = (0x00 << 1) | 0x01; /* len = 0x00, EA = 1 */ 1474 1475 fcs = 0xff; 1476 fcs = FCS(fcs, hdr->address); 1477 fcs = FCS(fcs, hdr->control); 1478 fcs = FCS(fcs, hdr->length); 1479 fcs = 0xff - fcs; /* ones complement */ 1480 hdr->fcs = fcs; 1481 1482 m->m_pkthdr.len = m->m_len = sizeof(struct rfcomm_cmd_hdr); 1483 1484 /* empty credit note */ 1485 credit->rc_dlc = NULL; 1486 credit->rc_len = m->m_pkthdr.len; 1487 SIMPLEQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next); 1488 1489 DPRINTFN(5, "dlci %d type %2.2x (%d bytes, fcs=%#2.2x)\n", 1490 dlci, type, m->m_pkthdr.len, fcs); 1491 1492 return l2cap_send(rs->rs_l2cap, m); 1493 } 1494 1495 /* 1496 * rfcomm_session_send_uih(rfcomm_session, rfcomm_dlc, credits, mbuf) 1497 * 1498 * UIH frame is per DLC data or Multiplexer Control Commands 1499 * when no DLC is given. Data mbuf is optional (just credits 1500 * will be sent in that case) 1501 */ 1502 int 1503 rfcomm_session_send_uih(struct rfcomm_session *rs, struct rfcomm_dlc *dlc, 1504 int credits, struct mbuf *m) 1505 { 1506 struct rfcomm_credit *credit; 1507 struct mbuf *m0 = NULL; 1508 int err, len; 1509 uint8_t fcs, *hdr; 1510 1511 KASSERT(rs != NULL); 1512 1513 len = (m == NULL) ? 0 : m->m_pkthdr.len; 1514 KASSERT(!(credits == 0 && len == 0)); 1515 1516 /* 1517 * Make a credit note for the completion notification 1518 */ 1519 credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT); 1520 if (credit == NULL) 1521 goto nomem; 1522 1523 credit->rc_len = len; 1524 credit->rc_dlc = dlc; 1525 1526 /* 1527 * Wrap UIH frame information around payload. 1528 * 1529 * [ADDRESS] [CONTROL] [LENGTH] [CREDITS] [...] [FCS] 1530 * 1531 * Address is one octet. 1532 * Control is one octet. 1533 * Length is one or two octets. 1534 * Credits may be one octet. 1535 * 1536 * FCS is one octet and calculated on address and 1537 * control octets only. 1538 * 1539 * If there are credits to be sent, we will set the PF 1540 * flag and include them in the frame. 1541 */ 1542 m0 = m_gethdr(M_DONTWAIT, MT_DATA); 1543 if (m0 == NULL) 1544 goto nomem; 1545 1546 MH_ALIGN(m0, 5); /* (max 5 header octets) */ 1547 hdr = mtod(m0, uint8_t *); 1548 1549 /* CR bit is set according to the initiator of the session */ 1550 *hdr = RFCOMM_MKADDRESS((IS_INITIATOR(rs) ? 1 : 0), 1551 (dlc ? dlc->rd_dlci : 0)); 1552 fcs = FCS(0xff, *hdr); 1553 hdr++; 1554 1555 /* PF bit is set if credits are being sent */ 1556 *hdr = RFCOMM_MKCONTROL(RFCOMM_FRAME_UIH, (credits > 0 ? 1 : 0)); 1557 fcs = FCS(fcs, *hdr); 1558 hdr++; 1559 1560 if (len < (1 << 7)) { 1561 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1562 } else { 1563 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1564 *hdr++ = ((len >> 7) & 0xff); /* 8 bits, no EA */ 1565 } 1566 1567 if (credits > 0) 1568 *hdr++ = (uint8_t)credits; 1569 1570 m0->m_len = hdr - mtod(m0, uint8_t *); 1571 1572 /* Append payload */ 1573 m0->m_next = m; 1574 m = NULL; 1575 1576 m0->m_pkthdr.len = m0->m_len + len; 1577 1578 /* Append FCS */ 1579 fcs = 0xff - fcs; /* ones complement */ 1580 len = m0->m_pkthdr.len; 1581 m_copyback(m0, len, sizeof(fcs), &fcs); 1582 if (m0->m_pkthdr.len != len + sizeof(fcs)) 1583 goto nomem; 1584 1585 DPRINTFN(10, "dlci %d, pktlen %d (%d data, %d credits), fcs=%#2.2x\n", 1586 dlc ? dlc->rd_dlci : 0, m0->m_pkthdr.len, credit->rc_len, 1587 credits, fcs); 1588 1589 /* 1590 * UIH frame ready to go.. 1591 */ 1592 err = l2cap_send(rs->rs_l2cap, m0); 1593 if (err) 1594 goto fail; 1595 1596 SIMPLEQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next); 1597 return 0; 1598 1599 nomem: 1600 err = ENOMEM; 1601 1602 if (m0 != NULL) 1603 m_freem(m0); 1604 1605 if (m != NULL) 1606 m_freem(m); 1607 1608 fail: 1609 if (credit != NULL) 1610 pool_put(&rfcomm_credit_pool, credit); 1611 1612 return err; 1613 } 1614 1615 /* 1616 * send Multiplexer Control Command (or Response) on session 1617 */ 1618 int 1619 rfcomm_session_send_mcc(struct rfcomm_session *rs, int cr, 1620 uint8_t type, void *data, int len) 1621 { 1622 struct mbuf *m; 1623 uint8_t *hdr; 1624 int hlen; 1625 1626 m = m_gethdr(M_DONTWAIT, MT_DATA); 1627 if (m == NULL) 1628 return ENOMEM; 1629 1630 hdr = mtod(m, uint8_t *); 1631 1632 /* 1633 * Technically the type field can extend past one octet, but none 1634 * currently defined will do that. 1635 */ 1636 *hdr++ = RFCOMM_MKMCC_TYPE(cr, type); 1637 1638 /* 1639 * In the frame, the max length size is 2 octets (15 bits) whereas 1640 * no max length size is specified for MCC commands. We must allow 1641 * for 3 octets since for MCC frames we use 7 bits + EA in each. 1642 * 1643 * Only test data can possibly be that big. 1644 * 1645 * XXX Should we check this against the MTU? 1646 */ 1647 if (len < (1 << 7)) { 1648 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1649 } else if (len < (1 << 14)) { 1650 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1651 *hdr++ = ((len >> 6) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1652 } else if (len < (1 << 15)) { 1653 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1654 *hdr++ = ((len >> 6) & 0xfe); /* 7 bits, EA = 0 */ 1655 *hdr++ = ((len >> 13) & 0x02) | 0x01; /* 1 bit, EA = 1 */ 1656 } else { 1657 DPRINTF("incredible length! (%d)\n", len); 1658 m_freem(m); 1659 return EMSGSIZE; 1660 } 1661 1662 /* 1663 * add command data (to same mbuf if possible) 1664 */ 1665 hlen = hdr - mtod(m, uint8_t *); 1666 1667 if (len > 0) { 1668 m->m_pkthdr.len = m->m_len = MHLEN; 1669 m_copyback(m, hlen, len, data); 1670 if (m->m_pkthdr.len != max(MHLEN, hlen + len)) { 1671 m_freem(m); 1672 return ENOMEM; 1673 } 1674 } 1675 1676 m->m_pkthdr.len = hlen + len; 1677 m->m_len = min(MHLEN, m->m_pkthdr.len); 1678 1679 DPRINTFN(5, "%s type %2.2x len %d\n", 1680 (cr ? "command" : "response"), type, m->m_pkthdr.len); 1681 1682 return rfcomm_session_send_uih(rs, NULL, 0, m); 1683 } 1684