1 /* $NetBSD: rfcomm_session.c,v 1.16 2010/01/03 16:38:15 plunky Exp $ */ 2 3 /*- 4 * Copyright (c) 2006 Itronix Inc. 5 * All rights reserved. 6 * 7 * Written by Iain Hibbert for Itronix Inc. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of Itronix Inc. may not be used to endorse 18 * or promote products derived from this software without specific 19 * prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 23 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 24 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY 25 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 28 * ON ANY THEORY OF LIABILITY, WHETHER IN 29 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 30 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 31 * POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: rfcomm_session.c,v 1.16 2010/01/03 16:38:15 plunky Exp $"); 36 37 #include <sys/param.h> 38 #include <sys/kernel.h> 39 #include <sys/mbuf.h> 40 #include <sys/proc.h> 41 #include <sys/socketvar.h> 42 #include <sys/systm.h> 43 #include <sys/types.h> 44 45 #include <netbt/bluetooth.h> 46 #include <netbt/hci.h> 47 #include <netbt/l2cap.h> 48 #include <netbt/rfcomm.h> 49 50 /****************************************************************************** 51 * 52 * RFCOMM Multiplexer Sessions sit directly on L2CAP channels, and can 53 * multiplex up to 30 incoming and 30 outgoing connections. 54 * Only one Multiplexer is allowed between any two devices. 55 */ 56 57 static void rfcomm_session_timeout(void *); 58 static void rfcomm_session_recv_sabm(struct rfcomm_session *, int); 59 static void rfcomm_session_recv_disc(struct rfcomm_session *, int); 60 static void rfcomm_session_recv_ua(struct rfcomm_session *, int); 61 static void rfcomm_session_recv_dm(struct rfcomm_session *, int); 62 static void rfcomm_session_recv_uih(struct rfcomm_session *, int, int, struct mbuf *, int); 63 static void rfcomm_session_recv_mcc(struct rfcomm_session *, struct mbuf *); 64 static void rfcomm_session_recv_mcc_test(struct rfcomm_session *, int, struct mbuf *); 65 static void rfcomm_session_recv_mcc_fcon(struct rfcomm_session *, int); 66 static void rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *, int); 67 static void rfcomm_session_recv_mcc_msc(struct rfcomm_session *, int, struct mbuf *); 68 static void rfcomm_session_recv_mcc_rpn(struct rfcomm_session *, int, struct mbuf *); 69 static void rfcomm_session_recv_mcc_rls(struct rfcomm_session *, int, struct mbuf *); 70 static void rfcomm_session_recv_mcc_pn(struct rfcomm_session *, int, struct mbuf *); 71 static void rfcomm_session_recv_mcc_nsc(struct rfcomm_session *, int, struct mbuf *); 72 73 /* L2CAP callbacks */ 74 static void rfcomm_session_connecting(void *); 75 static void rfcomm_session_connected(void *); 76 static void rfcomm_session_disconnected(void *, int); 77 static void *rfcomm_session_newconn(void *, struct sockaddr_bt *, struct sockaddr_bt *); 78 static void rfcomm_session_complete(void *, int); 79 static void rfcomm_session_linkmode(void *, int); 80 static void rfcomm_session_input(void *, struct mbuf *); 81 82 static const struct btproto rfcomm_session_proto = { 83 rfcomm_session_connecting, 84 rfcomm_session_connected, 85 rfcomm_session_disconnected, 86 rfcomm_session_newconn, 87 rfcomm_session_complete, 88 rfcomm_session_linkmode, 89 rfcomm_session_input, 90 }; 91 92 struct rfcomm_session_list 93 rfcomm_session_active = LIST_HEAD_INITIALIZER(rfcomm_session_active); 94 95 struct rfcomm_session_list 96 rfcomm_session_listen = LIST_HEAD_INITIALIZER(rfcomm_session_listen); 97 98 static struct pool rfcomm_credit_pool; 99 100 /* 101 * RFCOMM System Parameters (see section 5.3) 102 */ 103 int rfcomm_mtu_default = 127; /* bytes */ 104 int rfcomm_ack_timeout = 20; /* seconds */ 105 int rfcomm_mcc_timeout = 20; /* seconds */ 106 107 /* 108 * Reversed CRC table as per TS 07.10 Annex B.3.5 109 */ 110 static const uint8_t crctable[256] = { /* reversed, 8-bit, poly=0x07 */ 111 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 112 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 113 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 114 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 115 116 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 117 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 118 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 119 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 120 121 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 122 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 123 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 124 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 125 126 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 127 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 128 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 129 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 130 131 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 132 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 133 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 134 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 135 136 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 137 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 138 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 139 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 140 141 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 142 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 143 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 144 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 145 146 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 147 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 148 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 149 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 150 }; 151 152 #define FCS(f, d) crctable[(f) ^ (d)] 153 154 void 155 rfcomm_init(void) 156 { 157 158 pool_init(&rfcomm_credit_pool, sizeof(struct rfcomm_credit), 159 0, 0, 0, "rfcomm_credit", NULL, IPL_SOFTNET); 160 } 161 162 /* 163 * rfcomm_session_alloc(list, sockaddr) 164 * 165 * allocate a new session and fill in the blanks, then 166 * attach session to front of specified list (active or listen) 167 */ 168 struct rfcomm_session * 169 rfcomm_session_alloc(struct rfcomm_session_list *list, 170 struct sockaddr_bt *laddr) 171 { 172 struct rfcomm_session *rs; 173 struct sockopt sopt; 174 int err; 175 176 rs = malloc(sizeof(*rs), M_BLUETOOTH, M_NOWAIT | M_ZERO); 177 if (rs == NULL) 178 return NULL; 179 180 rs->rs_state = RFCOMM_SESSION_CLOSED; 181 182 callout_init(&rs->rs_timeout, 0); 183 callout_setfunc(&rs->rs_timeout, rfcomm_session_timeout, rs); 184 185 SIMPLEQ_INIT(&rs->rs_credits); 186 LIST_INIT(&rs->rs_dlcs); 187 188 err = l2cap_attach(&rs->rs_l2cap, &rfcomm_session_proto, rs); 189 if (err) { 190 free(rs, M_BLUETOOTH); 191 return NULL; 192 } 193 194 sockopt_init(&sopt, BTPROTO_L2CAP, SO_L2CAP_OMTU, 0); 195 (void)l2cap_getopt(rs->rs_l2cap, &sopt); 196 (void)sockopt_get(&sopt, &rs->rs_mtu, sizeof(rs->rs_mtu)); 197 sockopt_destroy(&sopt); 198 199 if (laddr->bt_psm == L2CAP_PSM_ANY) 200 laddr->bt_psm = L2CAP_PSM_RFCOMM; 201 202 (void)l2cap_bind(rs->rs_l2cap, laddr); 203 204 LIST_INSERT_HEAD(list, rs, rs_next); 205 206 return rs; 207 } 208 209 /* 210 * rfcomm_session_free(rfcomm_session) 211 * 212 * release a session, including any cleanup 213 */ 214 void 215 rfcomm_session_free(struct rfcomm_session *rs) 216 { 217 struct rfcomm_credit *credit; 218 219 KASSERT(rs != NULL); 220 KASSERT(LIST_EMPTY(&rs->rs_dlcs)); 221 222 rs->rs_state = RFCOMM_SESSION_CLOSED; 223 224 /* 225 * If the callout is already invoked we have no way to stop it, 226 * but it will call us back right away (there are no DLC's) so 227 * not to worry. 228 */ 229 callout_stop(&rs->rs_timeout); 230 if (callout_invoking(&rs->rs_timeout)) 231 return; 232 233 /* 234 * Take care that rfcomm_session_disconnected() doesnt call 235 * us back either as it will do if the l2cap_channel has not 236 * been closed when we detach it.. 237 */ 238 if (rs->rs_flags & RFCOMM_SESSION_FREE) 239 return; 240 241 rs->rs_flags |= RFCOMM_SESSION_FREE; 242 243 /* throw away any remaining credit notes */ 244 while ((credit = SIMPLEQ_FIRST(&rs->rs_credits)) != NULL) { 245 SIMPLEQ_REMOVE_HEAD(&rs->rs_credits, rc_next); 246 pool_put(&rfcomm_credit_pool, credit); 247 } 248 249 KASSERT(SIMPLEQ_EMPTY(&rs->rs_credits)); 250 251 /* Goodbye! */ 252 LIST_REMOVE(rs, rs_next); 253 l2cap_detach(&rs->rs_l2cap); 254 callout_destroy(&rs->rs_timeout); 255 free(rs, M_BLUETOOTH); 256 } 257 258 /* 259 * rfcomm_session_lookup(sockaddr, sockaddr) 260 * 261 * Find active rfcomm session matching src and dest addresses 262 * when src is BDADDR_ANY match any local address 263 */ 264 struct rfcomm_session * 265 rfcomm_session_lookup(struct sockaddr_bt *src, struct sockaddr_bt *dest) 266 { 267 struct rfcomm_session *rs; 268 struct sockaddr_bt addr; 269 270 LIST_FOREACH(rs, &rfcomm_session_active, rs_next) { 271 if (rs->rs_state == RFCOMM_SESSION_CLOSED) 272 continue; 273 274 l2cap_sockaddr(rs->rs_l2cap, &addr); 275 276 if (bdaddr_same(&src->bt_bdaddr, &addr.bt_bdaddr) == 0) 277 if (bdaddr_any(&src->bt_bdaddr) == 0) 278 continue; 279 280 l2cap_peeraddr(rs->rs_l2cap, &addr); 281 282 if (addr.bt_psm != dest->bt_psm) 283 continue; 284 285 if (bdaddr_same(&dest->bt_bdaddr, &addr.bt_bdaddr)) 286 break; 287 } 288 289 return rs; 290 } 291 292 /* 293 * rfcomm_session_timeout(rfcomm_session) 294 * 295 * Session timeouts are scheduled when a session is left or 296 * created with no DLCs, and when SABM(0) or DISC(0) are 297 * sent. 298 * 299 * So, if it is in an open state with DLC's attached then 300 * we leave it alone, otherwise the session is lost. 301 */ 302 static void 303 rfcomm_session_timeout(void *arg) 304 { 305 struct rfcomm_session *rs = arg; 306 struct rfcomm_dlc *dlc; 307 308 KASSERT(rs != NULL); 309 310 mutex_enter(bt_lock); 311 callout_ack(&rs->rs_timeout); 312 313 if (rs->rs_state != RFCOMM_SESSION_OPEN) { 314 DPRINTF("timeout\n"); 315 rs->rs_state = RFCOMM_SESSION_CLOSED; 316 317 while (!LIST_EMPTY(&rs->rs_dlcs)) { 318 dlc = LIST_FIRST(&rs->rs_dlcs); 319 320 rfcomm_dlc_close(dlc, ETIMEDOUT); 321 } 322 } 323 324 if (LIST_EMPTY(&rs->rs_dlcs)) { 325 DPRINTF("expiring\n"); 326 rfcomm_session_free(rs); 327 } 328 mutex_exit(bt_lock); 329 } 330 331 /*********************************************************************** 332 * 333 * RFCOMM Session L2CAP protocol callbacks 334 * 335 */ 336 337 static void 338 rfcomm_session_connecting(void *arg) 339 { 340 /* struct rfcomm_session *rs = arg; */ 341 342 DPRINTF("Connecting\n"); 343 } 344 345 static void 346 rfcomm_session_connected(void *arg) 347 { 348 struct rfcomm_session *rs = arg; 349 struct sockopt sopt; 350 351 DPRINTF("Connected\n"); 352 353 /* 354 * L2CAP is open. 355 * 356 * If we are initiator, we can send our SABM(0) 357 * a timeout should be active? 358 * 359 * We must take note of the L2CAP MTU because currently 360 * the L2CAP implementation can only do Basic Mode. 361 */ 362 sockopt_init(&sopt, BTPROTO_L2CAP, SO_L2CAP_OMTU, 0); 363 (void)l2cap_getopt(rs->rs_l2cap, &sopt); 364 (void)sockopt_get(&sopt, &rs->rs_mtu, sizeof(rs->rs_mtu)); 365 sockopt_destroy(&sopt); 366 367 rs->rs_mtu -= 6; /* (RFCOMM overhead could be this big) */ 368 if (rs->rs_mtu < RFCOMM_MTU_MIN) { 369 rfcomm_session_disconnected(rs, EINVAL); 370 return; 371 } 372 373 if (IS_INITIATOR(rs)) { 374 int err; 375 376 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, 0); 377 if (err) 378 rfcomm_session_disconnected(rs, err); 379 380 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz); 381 } 382 } 383 384 static void 385 rfcomm_session_disconnected(void *arg, int err) 386 { 387 struct rfcomm_session *rs = arg; 388 struct rfcomm_dlc *dlc; 389 390 DPRINTF("Disconnected\n"); 391 392 rs->rs_state = RFCOMM_SESSION_CLOSED; 393 394 while (!LIST_EMPTY(&rs->rs_dlcs)) { 395 dlc = LIST_FIRST(&rs->rs_dlcs); 396 397 rfcomm_dlc_close(dlc, err); 398 } 399 400 rfcomm_session_free(rs); 401 } 402 403 static void * 404 rfcomm_session_newconn(void *arg, struct sockaddr_bt *laddr, 405 struct sockaddr_bt *raddr) 406 { 407 struct rfcomm_session *new, *rs = arg; 408 409 DPRINTF("New Connection\n"); 410 411 /* 412 * Incoming session connect request. We should return a new 413 * session pointer if this is acceptable. The L2CAP layer 414 * passes local and remote addresses, which we must check as 415 * only one RFCOMM session is allowed between any two devices 416 */ 417 new = rfcomm_session_lookup(laddr, raddr); 418 if (new != NULL) 419 return NULL; 420 421 new = rfcomm_session_alloc(&rfcomm_session_active, laddr); 422 if (new == NULL) 423 return NULL; 424 425 new->rs_mtu = rs->rs_mtu; 426 new->rs_state = RFCOMM_SESSION_WAIT_CONNECT; 427 428 /* 429 * schedule an expiry so that if nothing comes of it we 430 * can punt. 431 */ 432 callout_schedule(&new->rs_timeout, rfcomm_mcc_timeout * hz); 433 434 return new->rs_l2cap; 435 } 436 437 static void 438 rfcomm_session_complete(void *arg, int count) 439 { 440 struct rfcomm_session *rs = arg; 441 struct rfcomm_credit *credit; 442 struct rfcomm_dlc *dlc; 443 444 /* 445 * count L2CAP packets are 'complete', meaning that they are cleared 446 * our buffers (for best effort) or arrived safe (for guaranteed) so 447 * we can take it off our list and pass the message on, so that 448 * eventually the data can be removed from the sockbuf 449 */ 450 while (count-- > 0) { 451 credit = SIMPLEQ_FIRST(&rs->rs_credits); 452 #ifdef DIAGNOSTIC 453 if (credit == NULL) { 454 printf("%s: too many packets completed!\n", __func__); 455 break; 456 } 457 #endif 458 dlc = credit->rc_dlc; 459 if (dlc != NULL) { 460 dlc->rd_pending--; 461 (*dlc->rd_proto->complete) 462 (dlc->rd_upper, credit->rc_len); 463 464 /* 465 * if not using credit flow control, we may push 466 * more data now 467 */ 468 if ((rs->rs_flags & RFCOMM_SESSION_CFC) == 0 469 && dlc->rd_state == RFCOMM_DLC_OPEN) { 470 rfcomm_dlc_start(dlc); 471 } 472 473 /* 474 * When shutdown is indicated, we are just waiting to 475 * clear outgoing data. 476 */ 477 if ((dlc->rd_flags & RFCOMM_DLC_SHUTDOWN) 478 && dlc->rd_txbuf == NULL && dlc->rd_pending == 0) { 479 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT; 480 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 481 dlc->rd_dlci); 482 callout_schedule(&dlc->rd_timeout, 483 rfcomm_ack_timeout * hz); 484 } 485 } 486 487 SIMPLEQ_REMOVE_HEAD(&rs->rs_credits, rc_next); 488 pool_put(&rfcomm_credit_pool, credit); 489 } 490 491 /* 492 * If session is closed, we are just waiting to clear the queue 493 */ 494 if (rs->rs_state == RFCOMM_SESSION_CLOSED) { 495 if (SIMPLEQ_EMPTY(&rs->rs_credits)) 496 l2cap_disconnect(rs->rs_l2cap, 0); 497 } 498 } 499 500 /* 501 * Link Mode changed 502 * 503 * This is called when a mode change is complete. Proceed with connections 504 * where appropriate, or pass the new mode to any active DLCs. 505 */ 506 static void 507 rfcomm_session_linkmode(void *arg, int new) 508 { 509 struct rfcomm_session *rs = arg; 510 struct rfcomm_dlc *dlc, *next; 511 int err, mode = 0; 512 513 DPRINTF("auth %s, encrypt %s, secure %s\n", 514 (new & L2CAP_LM_AUTH ? "on" : "off"), 515 (new & L2CAP_LM_ENCRYPT ? "on" : "off"), 516 (new & L2CAP_LM_SECURE ? "on" : "off")); 517 518 if (new & L2CAP_LM_AUTH) 519 mode |= RFCOMM_LM_AUTH; 520 521 if (new & L2CAP_LM_ENCRYPT) 522 mode |= RFCOMM_LM_ENCRYPT; 523 524 if (new & L2CAP_LM_SECURE) 525 mode |= RFCOMM_LM_SECURE; 526 527 next = LIST_FIRST(&rs->rs_dlcs); 528 while ((dlc = next) != NULL) { 529 next = LIST_NEXT(dlc, rd_next); 530 531 switch (dlc->rd_state) { 532 case RFCOMM_DLC_WAIT_SEND_SABM: /* we are connecting */ 533 if ((mode & dlc->rd_mode) != dlc->rd_mode) { 534 rfcomm_dlc_close(dlc, ECONNABORTED); 535 } else { 536 err = rfcomm_session_send_frame(rs, 537 RFCOMM_FRAME_SABM, dlc->rd_dlci); 538 if (err) { 539 rfcomm_dlc_close(dlc, err); 540 } else { 541 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA; 542 callout_schedule(&dlc->rd_timeout, 543 rfcomm_ack_timeout * hz); 544 break; 545 } 546 } 547 548 /* 549 * If we aborted the connection and there are no more DLCs 550 * on the session, it is our responsibility to disconnect. 551 */ 552 if (!LIST_EMPTY(&rs->rs_dlcs)) 553 break; 554 555 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT; 556 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0); 557 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz); 558 break; 559 560 case RFCOMM_DLC_WAIT_SEND_UA: /* they are connecting */ 561 if ((mode & dlc->rd_mode) != dlc->rd_mode) { 562 rfcomm_session_send_frame(rs, 563 RFCOMM_FRAME_DM, dlc->rd_dlci); 564 rfcomm_dlc_close(dlc, ECONNABORTED); 565 break; 566 } 567 568 err = rfcomm_session_send_frame(rs, 569 RFCOMM_FRAME_UA, dlc->rd_dlci); 570 if (err) { 571 rfcomm_session_send_frame(rs, 572 RFCOMM_FRAME_DM, dlc->rd_dlci); 573 rfcomm_dlc_close(dlc, err); 574 break; 575 } 576 577 err = rfcomm_dlc_open(dlc); 578 if (err) { 579 rfcomm_session_send_frame(rs, 580 RFCOMM_FRAME_DM, dlc->rd_dlci); 581 rfcomm_dlc_close(dlc, err); 582 break; 583 } 584 585 break; 586 587 case RFCOMM_DLC_WAIT_RECV_UA: 588 case RFCOMM_DLC_OPEN: /* already established */ 589 (*dlc->rd_proto->linkmode)(dlc->rd_upper, mode); 590 break; 591 592 default: 593 break; 594 } 595 } 596 } 597 598 /* 599 * Receive data from L2CAP layer for session. There is always exactly one 600 * RFCOMM frame contained in each L2CAP frame. 601 */ 602 static void 603 rfcomm_session_input(void *arg, struct mbuf *m) 604 { 605 struct rfcomm_session *rs = arg; 606 int dlci, len, type, pf; 607 uint8_t fcs, b; 608 609 KASSERT(m != NULL); 610 KASSERT(rs != NULL); 611 612 /* 613 * UIH frames: FCS is only calculated on address and control fields 614 * For other frames: FCS is calculated on address, control and length 615 * Length may extend to two octets 616 */ 617 fcs = 0xff; 618 619 if (m->m_pkthdr.len < 4) { 620 DPRINTF("short frame (%d), discarded\n", m->m_pkthdr.len); 621 goto done; 622 } 623 624 /* address - one octet */ 625 m_copydata(m, 0, 1, &b); 626 m_adj(m, 1); 627 fcs = FCS(fcs, b); 628 dlci = RFCOMM_DLCI(b); 629 630 /* control - one octet */ 631 m_copydata(m, 0, 1, &b); 632 m_adj(m, 1); 633 fcs = FCS(fcs, b); 634 type = RFCOMM_TYPE(b); 635 pf = RFCOMM_PF(b); 636 637 /* length - may be two octets */ 638 m_copydata(m, 0, 1, &b); 639 m_adj(m, 1); 640 if (type != RFCOMM_FRAME_UIH) 641 fcs = FCS(fcs, b); 642 len = (b >> 1) & 0x7f; 643 644 if (RFCOMM_EA(b) == 0) { 645 if (m->m_pkthdr.len < 2) { 646 DPRINTF("short frame (%d, EA = 0), discarded\n", 647 m->m_pkthdr.len); 648 goto done; 649 } 650 651 m_copydata(m, 0, 1, &b); 652 m_adj(m, 1); 653 if (type != RFCOMM_FRAME_UIH) 654 fcs = FCS(fcs, b); 655 656 len |= (b << 7); 657 } 658 659 /* FCS byte is last octet in frame */ 660 m_copydata(m, m->m_pkthdr.len - 1, 1, &b); 661 m_adj(m, -1); 662 fcs = FCS(fcs, b); 663 664 if (fcs != 0xcf) { 665 DPRINTF("Bad FCS value (%#2.2x), frame discarded\n", fcs); 666 goto done; 667 } 668 669 DPRINTFN(10, "dlci %d, type %2.2x, len = %d\n", dlci, type, len); 670 671 switch (type) { 672 case RFCOMM_FRAME_SABM: 673 if (pf) 674 rfcomm_session_recv_sabm(rs, dlci); 675 break; 676 677 case RFCOMM_FRAME_DISC: 678 if (pf) 679 rfcomm_session_recv_disc(rs, dlci); 680 break; 681 682 case RFCOMM_FRAME_UA: 683 if (pf) 684 rfcomm_session_recv_ua(rs, dlci); 685 break; 686 687 case RFCOMM_FRAME_DM: 688 rfcomm_session_recv_dm(rs, dlci); 689 break; 690 691 case RFCOMM_FRAME_UIH: 692 rfcomm_session_recv_uih(rs, dlci, pf, m, len); 693 return; /* (no release) */ 694 695 default: 696 UNKNOWN(type); 697 break; 698 } 699 700 done: 701 m_freem(m); 702 } 703 704 /*********************************************************************** 705 * 706 * RFCOMM Session receive processing 707 */ 708 709 /* 710 * rfcomm_session_recv_sabm(rfcomm_session, dlci) 711 * 712 * Set Asyncrhonous Balanced Mode - open the channel. 713 */ 714 static void 715 rfcomm_session_recv_sabm(struct rfcomm_session *rs, int dlci) 716 { 717 struct rfcomm_dlc *dlc; 718 int err; 719 720 DPRINTFN(5, "SABM(%d)\n", dlci); 721 722 if (dlci == 0) { /* Open Session */ 723 rs->rs_state = RFCOMM_SESSION_OPEN; 724 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0); 725 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) { 726 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION) 727 rfcomm_dlc_connect(dlc); 728 } 729 return; 730 } 731 732 if (rs->rs_state != RFCOMM_SESSION_OPEN) { 733 DPRINTF("session was not even open!\n"); 734 return; 735 } 736 737 /* validate direction bit */ 738 if ((IS_INITIATOR(rs) && !RFCOMM_DIRECTION(dlci)) 739 || (!IS_INITIATOR(rs) && RFCOMM_DIRECTION(dlci))) { 740 DPRINTF("Invalid direction bit on DLCI\n"); 741 return; 742 } 743 744 /* 745 * look for our DLC - this may exist if we received PN 746 * already, or we may have to fabricate a new one. 747 */ 748 dlc = rfcomm_dlc_lookup(rs, dlci); 749 if (dlc == NULL) { 750 dlc = rfcomm_dlc_newconn(rs, dlci); 751 if (dlc == NULL) 752 return; /* (DM is sent) */ 753 } 754 755 /* 756 * ..but if this DLC is not waiting to connect, they did 757 * something wrong, ignore it. 758 */ 759 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT) 760 return; 761 762 /* set link mode */ 763 err = rfcomm_dlc_setmode(dlc); 764 if (err == EINPROGRESS) { 765 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_UA; 766 (*dlc->rd_proto->connecting)(dlc->rd_upper); 767 return; 768 } 769 if (err) 770 goto close; 771 772 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci); 773 if (err) 774 goto close; 775 776 /* and mark it open */ 777 err = rfcomm_dlc_open(dlc); 778 if (err) 779 goto close; 780 781 return; 782 783 close: 784 rfcomm_dlc_close(dlc, err); 785 } 786 787 /* 788 * Receive Disconnect Command 789 */ 790 static void 791 rfcomm_session_recv_disc(struct rfcomm_session *rs, int dlci) 792 { 793 struct rfcomm_dlc *dlc; 794 795 DPRINTFN(5, "DISC(%d)\n", dlci); 796 797 if (dlci == 0) { 798 /* 799 * Disconnect Session 800 * 801 * We set the session state to CLOSED so that when 802 * the UA frame is clear the session will be closed 803 * automatically. We wont bother to close any DLC's 804 * just yet as there should be none. In the unlikely 805 * event that something is left, it will get flushed 806 * out as the session goes down. 807 */ 808 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0); 809 rs->rs_state = RFCOMM_SESSION_CLOSED; 810 return; 811 } 812 813 dlc = rfcomm_dlc_lookup(rs, dlci); 814 if (dlc == NULL) { 815 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci); 816 return; 817 } 818 819 rfcomm_dlc_close(dlc, ECONNRESET); 820 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci); 821 } 822 823 /* 824 * Receive Unnumbered Acknowledgement Response 825 * 826 * This should be a response to a DISC or SABM frame that we 827 * have previously sent. If unexpected, ignore it. 828 */ 829 static void 830 rfcomm_session_recv_ua(struct rfcomm_session *rs, int dlci) 831 { 832 struct rfcomm_dlc *dlc; 833 834 DPRINTFN(5, "UA(%d)\n", dlci); 835 836 if (dlci == 0) { 837 switch (rs->rs_state) { 838 case RFCOMM_SESSION_WAIT_CONNECT: /* We sent SABM */ 839 callout_stop(&rs->rs_timeout); 840 rs->rs_state = RFCOMM_SESSION_OPEN; 841 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) { 842 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION) 843 rfcomm_dlc_connect(dlc); 844 } 845 break; 846 847 case RFCOMM_SESSION_WAIT_DISCONNECT: /* We sent DISC */ 848 callout_stop(&rs->rs_timeout); 849 rs->rs_state = RFCOMM_SESSION_CLOSED; 850 l2cap_disconnect(rs->rs_l2cap, 0); 851 break; 852 853 default: 854 DPRINTF("Received spurious UA(0)!\n"); 855 break; 856 } 857 858 return; 859 } 860 861 /* 862 * If we have no DLC on this dlci, we may have aborted 863 * without shutting down properly, so check if the session 864 * needs disconnecting. 865 */ 866 dlc = rfcomm_dlc_lookup(rs, dlci); 867 if (dlc == NULL) 868 goto check; 869 870 switch (dlc->rd_state) { 871 case RFCOMM_DLC_WAIT_RECV_UA: /* We sent SABM */ 872 rfcomm_dlc_open(dlc); 873 return; 874 875 case RFCOMM_DLC_WAIT_DISCONNECT: /* We sent DISC */ 876 rfcomm_dlc_close(dlc, 0); 877 break; 878 879 default: 880 DPRINTF("Received spurious UA(%d)!\n", dlci); 881 return; 882 } 883 884 check: /* last one out turns out the light */ 885 if (LIST_EMPTY(&rs->rs_dlcs)) { 886 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT; 887 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0); 888 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz); 889 } 890 } 891 892 /* 893 * Receive Disconnected Mode Response 894 * 895 * If this does not apply to a known DLC then we may ignore it. 896 */ 897 static void 898 rfcomm_session_recv_dm(struct rfcomm_session *rs, int dlci) 899 { 900 struct rfcomm_dlc *dlc; 901 902 DPRINTFN(5, "DM(%d)\n", dlci); 903 904 dlc = rfcomm_dlc_lookup(rs, dlci); 905 if (dlc == NULL) 906 return; 907 908 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT) 909 rfcomm_dlc_close(dlc, ECONNREFUSED); 910 else 911 rfcomm_dlc_close(dlc, ECONNRESET); 912 } 913 914 /* 915 * Receive Unnumbered Information with Header check (MCC or data packet) 916 */ 917 static void 918 rfcomm_session_recv_uih(struct rfcomm_session *rs, int dlci, 919 int pf, struct mbuf *m, int len) 920 { 921 struct rfcomm_dlc *dlc; 922 uint8_t credits = 0; 923 924 DPRINTFN(10, "UIH(%d)\n", dlci); 925 926 if (dlci == 0) { 927 rfcomm_session_recv_mcc(rs, m); 928 return; 929 } 930 931 if (m->m_pkthdr.len != len + pf) { 932 DPRINTF("Bad Frame Length (%d), frame discarded\n", 933 m->m_pkthdr.len); 934 935 goto discard; 936 } 937 938 dlc = rfcomm_dlc_lookup(rs, dlci); 939 if (dlc == NULL) { 940 DPRINTF("UIH received for non existent DLC, discarded\n"); 941 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci); 942 goto discard; 943 } 944 945 if (dlc->rd_state != RFCOMM_DLC_OPEN) { 946 DPRINTF("non-open DLC (state = %d), discarded\n", 947 dlc->rd_state); 948 goto discard; 949 } 950 951 /* if PF is set, credits were included */ 952 if (rs->rs_flags & RFCOMM_SESSION_CFC) { 953 if (pf != 0) { 954 if (m->m_pkthdr.len < sizeof(credits)) { 955 DPRINTF("Bad PF value, UIH discarded\n"); 956 goto discard; 957 } 958 959 m_copydata(m, 0, sizeof(credits), &credits); 960 m_adj(m, sizeof(credits)); 961 962 dlc->rd_txcred += credits; 963 964 if (credits > 0 && dlc->rd_txbuf != NULL) 965 rfcomm_dlc_start(dlc); 966 } 967 968 if (len == 0) 969 goto discard; 970 971 if (dlc->rd_rxcred == 0) { 972 DPRINTF("Credit limit reached, UIH discarded\n"); 973 goto discard; 974 } 975 976 if (len > dlc->rd_rxsize) { 977 DPRINTF("UIH frame exceeds rxsize, discarded\n"); 978 goto discard; 979 } 980 981 dlc->rd_rxcred--; 982 dlc->rd_rxsize -= len; 983 } 984 985 (*dlc->rd_proto->input)(dlc->rd_upper, m); 986 return; 987 988 discard: 989 m_freem(m); 990 } 991 992 /* 993 * Receive Multiplexer Control Command 994 */ 995 static void 996 rfcomm_session_recv_mcc(struct rfcomm_session *rs, struct mbuf *m) 997 { 998 int type, cr, len; 999 uint8_t b; 1000 1001 /* 1002 * Extract MCC header. 1003 * 1004 * Fields are variable length using extension bit = 1 to signify the 1005 * last octet in the sequence. 1006 * 1007 * Only single octet types are defined in TS 07.10/RFCOMM spec 1008 * 1009 * Length can realistically only use 15 bits (max RFCOMM MTU) 1010 */ 1011 if (m->m_pkthdr.len < sizeof(b)) { 1012 DPRINTF("Short MCC header, discarded\n"); 1013 goto release; 1014 } 1015 1016 m_copydata(m, 0, sizeof(b), &b); 1017 m_adj(m, sizeof(b)); 1018 1019 if (RFCOMM_EA(b) == 0) { /* verify no extensions */ 1020 DPRINTF("MCC type EA = 0, discarded\n"); 1021 goto release; 1022 } 1023 1024 type = RFCOMM_MCC_TYPE(b); 1025 cr = RFCOMM_CR(b); 1026 1027 len = 0; 1028 do { 1029 if (m->m_pkthdr.len < sizeof(b)) { 1030 DPRINTF("Short MCC header, discarded\n"); 1031 goto release; 1032 } 1033 1034 m_copydata(m, 0, sizeof(b), &b); 1035 m_adj(m, sizeof(b)); 1036 1037 len = (len << 7) | (b >> 1); 1038 len = min(len, RFCOMM_MTU_MAX); 1039 } while (RFCOMM_EA(b) == 0); 1040 1041 if (len != m->m_pkthdr.len) { 1042 DPRINTF("Incorrect MCC length, discarded\n"); 1043 goto release; 1044 } 1045 1046 DPRINTFN(2, "MCC %s type %2.2x (%d bytes)\n", 1047 (cr ? "command" : "response"), type, len); 1048 1049 /* 1050 * pass to command handler 1051 */ 1052 switch(type) { 1053 case RFCOMM_MCC_TEST: /* Test */ 1054 rfcomm_session_recv_mcc_test(rs, cr, m); 1055 break; 1056 1057 case RFCOMM_MCC_FCON: /* Flow Control On */ 1058 rfcomm_session_recv_mcc_fcon(rs, cr); 1059 break; 1060 1061 case RFCOMM_MCC_FCOFF: /* Flow Control Off */ 1062 rfcomm_session_recv_mcc_fcoff(rs, cr); 1063 break; 1064 1065 case RFCOMM_MCC_MSC: /* Modem Status Command */ 1066 rfcomm_session_recv_mcc_msc(rs, cr, m); 1067 break; 1068 1069 case RFCOMM_MCC_RPN: /* Remote Port Negotiation */ 1070 rfcomm_session_recv_mcc_rpn(rs, cr, m); 1071 break; 1072 1073 case RFCOMM_MCC_RLS: /* Remote Line Status */ 1074 rfcomm_session_recv_mcc_rls(rs, cr, m); 1075 break; 1076 1077 case RFCOMM_MCC_PN: /* Parameter Negotiation */ 1078 rfcomm_session_recv_mcc_pn(rs, cr, m); 1079 break; 1080 1081 case RFCOMM_MCC_NSC: /* Non Supported Command */ 1082 rfcomm_session_recv_mcc_nsc(rs, cr, m); 1083 break; 1084 1085 default: 1086 b = RFCOMM_MKMCC_TYPE(cr, type); 1087 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_NSC, &b, sizeof(b)); 1088 } 1089 1090 release: 1091 m_freem(m); 1092 } 1093 1094 /* 1095 * process TEST command/response 1096 */ 1097 static void 1098 rfcomm_session_recv_mcc_test(struct rfcomm_session *rs, int cr, struct mbuf *m) 1099 { 1100 void *data; 1101 int len; 1102 1103 if (cr == 0) /* ignore ack */ 1104 return; 1105 1106 /* 1107 * we must send all the data they included back as is 1108 */ 1109 1110 len = m->m_pkthdr.len; 1111 if (len > RFCOMM_MTU_MAX) 1112 return; 1113 1114 data = malloc(len, M_BLUETOOTH, M_NOWAIT); 1115 if (data == NULL) 1116 return; 1117 1118 m_copydata(m, 0, len, data); 1119 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_TEST, data, len); 1120 free(data, M_BLUETOOTH); 1121 } 1122 1123 /* 1124 * process Flow Control ON command/response 1125 */ 1126 static void 1127 rfcomm_session_recv_mcc_fcon(struct rfcomm_session *rs, int cr) 1128 { 1129 1130 if (cr == 0) /* ignore ack */ 1131 return; 1132 1133 rs->rs_flags |= RFCOMM_SESSION_RFC; 1134 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCON, NULL, 0); 1135 } 1136 1137 /* 1138 * process Flow Control OFF command/response 1139 */ 1140 static void 1141 rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *rs, int cr) 1142 { 1143 1144 if (cr == 0) /* ignore ack */ 1145 return; 1146 1147 rs->rs_flags &= ~RFCOMM_SESSION_RFC; 1148 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCOFF, NULL, 0); 1149 } 1150 1151 /* 1152 * process Modem Status Command command/response 1153 */ 1154 static void 1155 rfcomm_session_recv_mcc_msc(struct rfcomm_session *rs, int cr, struct mbuf *m) 1156 { 1157 struct rfcomm_mcc_msc msc; /* (3 octets) */ 1158 struct rfcomm_dlc *dlc; 1159 int len = 0; 1160 1161 /* [ADDRESS] */ 1162 if (m->m_pkthdr.len < sizeof(msc.address)) 1163 return; 1164 1165 m_copydata(m, 0, sizeof(msc.address), &msc.address); 1166 m_adj(m, sizeof(msc.address)); 1167 len += sizeof(msc.address); 1168 1169 dlc = rfcomm_dlc_lookup(rs, RFCOMM_DLCI(msc.address)); 1170 1171 if (cr == 0) { /* ignore acks */ 1172 if (dlc != NULL) 1173 callout_stop(&dlc->rd_timeout); 1174 1175 return; 1176 } 1177 1178 if (dlc == NULL) { 1179 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, 1180 RFCOMM_DLCI(msc.address)); 1181 return; 1182 } 1183 1184 /* [SIGNALS] */ 1185 if (m->m_pkthdr.len < sizeof(msc.modem)) 1186 return; 1187 1188 m_copydata(m, 0, sizeof(msc.modem), &msc.modem); 1189 m_adj(m, sizeof(msc.modem)); 1190 len += sizeof(msc.modem); 1191 1192 dlc->rd_rmodem = msc.modem; 1193 /* XXX how do we signal this upstream? */ 1194 1195 if (RFCOMM_EA(msc.modem) == 0) { 1196 if (m->m_pkthdr.len < sizeof(msc.brk)) 1197 return; 1198 1199 m_copydata(m, 0, sizeof(msc.brk), &msc.brk); 1200 m_adj(m, sizeof(msc.brk)); 1201 len += sizeof(msc.brk); 1202 1203 /* XXX how do we signal this upstream? */ 1204 } 1205 1206 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_MSC, &msc, len); 1207 } 1208 1209 /* 1210 * process Remote Port Negotiation command/response 1211 */ 1212 static void 1213 rfcomm_session_recv_mcc_rpn(struct rfcomm_session *rs, int cr, struct mbuf *m) 1214 { 1215 struct rfcomm_mcc_rpn rpn; 1216 uint16_t mask; 1217 1218 if (cr == 0) /* ignore ack */ 1219 return; 1220 1221 /* default values */ 1222 rpn.bit_rate = RFCOMM_RPN_BR_9600; 1223 rpn.line_settings = RFCOMM_RPN_8_N_1; 1224 rpn.flow_control = RFCOMM_RPN_FLOW_NONE; 1225 rpn.xon_char = RFCOMM_RPN_XON_CHAR; 1226 rpn.xoff_char = RFCOMM_RPN_XOFF_CHAR; 1227 1228 if (m->m_pkthdr.len == sizeof(rpn)) { 1229 m_copydata(m, 0, sizeof(rpn), &rpn); 1230 rpn.param_mask = RFCOMM_RPN_PM_ALL; 1231 } else if (m->m_pkthdr.len == 1) { 1232 m_copydata(m, 0, 1, &rpn); 1233 rpn.param_mask = le16toh(rpn.param_mask); 1234 } else { 1235 DPRINTF("Bad RPN length (%d)\n", m->m_pkthdr.len); 1236 return; 1237 } 1238 1239 mask = 0; 1240 1241 if (rpn.param_mask & RFCOMM_RPN_PM_RATE) 1242 mask |= RFCOMM_RPN_PM_RATE; 1243 1244 if (rpn.param_mask & RFCOMM_RPN_PM_DATA 1245 && RFCOMM_RPN_DATA_BITS(rpn.line_settings) == RFCOMM_RPN_DATA_8) 1246 mask |= RFCOMM_RPN_PM_DATA; 1247 1248 if (rpn.param_mask & RFCOMM_RPN_PM_STOP 1249 && RFCOMM_RPN_STOP_BITS(rpn.line_settings) == RFCOMM_RPN_STOP_1) 1250 mask |= RFCOMM_RPN_PM_STOP; 1251 1252 if (rpn.param_mask & RFCOMM_RPN_PM_PARITY 1253 && RFCOMM_RPN_PARITY(rpn.line_settings) == RFCOMM_RPN_PARITY_NONE) 1254 mask |= RFCOMM_RPN_PM_PARITY; 1255 1256 if (rpn.param_mask & RFCOMM_RPN_PM_XON 1257 && rpn.xon_char == RFCOMM_RPN_XON_CHAR) 1258 mask |= RFCOMM_RPN_PM_XON; 1259 1260 if (rpn.param_mask & RFCOMM_RPN_PM_XOFF 1261 && rpn.xoff_char == RFCOMM_RPN_XOFF_CHAR) 1262 mask |= RFCOMM_RPN_PM_XOFF; 1263 1264 if (rpn.param_mask & RFCOMM_RPN_PM_FLOW 1265 && rpn.flow_control == RFCOMM_RPN_FLOW_NONE) 1266 mask |= RFCOMM_RPN_PM_FLOW; 1267 1268 rpn.param_mask = htole16(mask); 1269 1270 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RPN, &rpn, sizeof(rpn)); 1271 } 1272 1273 /* 1274 * process Remote Line Status command/response 1275 */ 1276 static void 1277 rfcomm_session_recv_mcc_rls(struct rfcomm_session *rs, int cr, struct mbuf *m) 1278 { 1279 struct rfcomm_mcc_rls rls; 1280 1281 if (cr == 0) /* ignore ack */ 1282 return; 1283 1284 if (m->m_pkthdr.len != sizeof(rls)) { 1285 DPRINTF("Bad RLS length %d\n", m->m_pkthdr.len); 1286 return; 1287 } 1288 1289 m_copydata(m, 0, sizeof(rls), &rls); 1290 1291 /* 1292 * So far as I can tell, we just send back what 1293 * they sent us. This signifies errors that seem 1294 * irrelevent for RFCOMM over L2CAP. 1295 */ 1296 rls.address |= 0x03; /* EA = 1, CR = 1 */ 1297 rls.status &= 0x0f; /* only 4 bits valid */ 1298 1299 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RLS, &rls, sizeof(rls)); 1300 } 1301 1302 /* 1303 * process Parameter Negotiation command/response 1304 */ 1305 static void 1306 rfcomm_session_recv_mcc_pn(struct rfcomm_session *rs, int cr, struct mbuf *m) 1307 { 1308 struct rfcomm_dlc *dlc; 1309 struct rfcomm_mcc_pn pn; 1310 int err; 1311 1312 if (m->m_pkthdr.len != sizeof(pn)) { 1313 DPRINTF("Bad PN length %d\n", m->m_pkthdr.len); 1314 return; 1315 } 1316 1317 m_copydata(m, 0, sizeof(pn), &pn); 1318 1319 pn.dlci &= 0x3f; 1320 pn.mtu = le16toh(pn.mtu); 1321 1322 dlc = rfcomm_dlc_lookup(rs, pn.dlci); 1323 if (cr) { /* Command */ 1324 /* 1325 * If there is no DLC present, this is a new 1326 * connection so attempt to make one 1327 */ 1328 if (dlc == NULL) { 1329 dlc = rfcomm_dlc_newconn(rs, pn.dlci); 1330 if (dlc == NULL) 1331 return; /* (DM is sent) */ 1332 } 1333 1334 /* accept any valid MTU, and offer it back */ 1335 pn.mtu = min(pn.mtu, RFCOMM_MTU_MAX); 1336 pn.mtu = min(pn.mtu, rs->rs_mtu); 1337 pn.mtu = max(pn.mtu, RFCOMM_MTU_MIN); 1338 dlc->rd_mtu = pn.mtu; 1339 pn.mtu = htole16(pn.mtu); 1340 1341 /* credits are only set before DLC is open */ 1342 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT 1343 && (pn.flow_control & 0xf0) == 0xf0) { 1344 rs->rs_flags |= RFCOMM_SESSION_CFC; 1345 dlc->rd_txcred = pn.credits & 0x07; 1346 1347 dlc->rd_rxcred = (dlc->rd_rxsize / dlc->rd_mtu); 1348 dlc->rd_rxcred = min(dlc->rd_rxcred, 1349 RFCOMM_CREDITS_DEFAULT); 1350 1351 pn.flow_control = 0xe0; 1352 pn.credits = dlc->rd_rxcred; 1353 } else { 1354 pn.flow_control = 0x00; 1355 pn.credits = 0x00; 1356 } 1357 1358 /* unused fields must be ignored and set to zero */ 1359 pn.ack_timer = 0; 1360 pn.max_retrans = 0; 1361 1362 /* send our response */ 1363 err = rfcomm_session_send_mcc(rs, 0, 1364 RFCOMM_MCC_PN, &pn, sizeof(pn)); 1365 if (err) 1366 goto close; 1367 1368 } else { /* Response */ 1369 /* ignore responses with no matching DLC */ 1370 if (dlc == NULL) 1371 return; 1372 1373 callout_stop(&dlc->rd_timeout); 1374 1375 /* reject invalid or unacceptable MTU */ 1376 if (pn.mtu < RFCOMM_MTU_MIN || pn.mtu > dlc->rd_mtu) { 1377 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT; 1378 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 1379 pn.dlci); 1380 if (err) 1381 goto close; 1382 1383 callout_schedule(&dlc->rd_timeout, 1384 rfcomm_ack_timeout * hz); 1385 return; 1386 } 1387 dlc->rd_mtu = pn.mtu; 1388 1389 /* if DLC is not waiting to connect, we are done */ 1390 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT) 1391 return; 1392 1393 /* set initial credits according to RFCOMM spec */ 1394 if ((pn.flow_control & 0xf0) == 0xe0) { 1395 rs->rs_flags |= RFCOMM_SESSION_CFC; 1396 dlc->rd_txcred = (pn.credits & 0x07); 1397 } 1398 1399 callout_schedule(&dlc->rd_timeout, rfcomm_ack_timeout * hz); 1400 1401 /* set link mode */ 1402 err = rfcomm_dlc_setmode(dlc); 1403 if (err == EINPROGRESS) { 1404 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_SABM; 1405 (*dlc->rd_proto->connecting)(dlc->rd_upper); 1406 return; 1407 } 1408 if (err) 1409 goto close; 1410 1411 /* we can proceed now */ 1412 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, pn.dlci); 1413 if (err) 1414 goto close; 1415 1416 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA; 1417 } 1418 return; 1419 1420 close: 1421 rfcomm_dlc_close(dlc, err); 1422 } 1423 1424 /* 1425 * process Non Supported Command command/response 1426 */ 1427 static void 1428 rfcomm_session_recv_mcc_nsc(struct rfcomm_session *rs, 1429 int cr, struct mbuf *m) 1430 { 1431 struct rfcomm_dlc *dlc, *next; 1432 1433 /* 1434 * Since we did nothing that is not mandatory, 1435 * we just abort the whole session.. 1436 */ 1437 1438 next = LIST_FIRST(&rs->rs_dlcs); 1439 while ((dlc = next) != NULL) { 1440 next = LIST_NEXT(dlc, rd_next); 1441 rfcomm_dlc_close(dlc, ECONNABORTED); 1442 } 1443 1444 rfcomm_session_free(rs); 1445 } 1446 1447 /*********************************************************************** 1448 * 1449 * RFCOMM Session outward frame/uih/mcc building 1450 */ 1451 1452 /* 1453 * SABM/DISC/DM/UA frames are all minimal and mostly identical. 1454 */ 1455 int 1456 rfcomm_session_send_frame(struct rfcomm_session *rs, int type, int dlci) 1457 { 1458 struct rfcomm_cmd_hdr *hdr; 1459 struct rfcomm_credit *credit; 1460 struct mbuf *m; 1461 uint8_t fcs, cr; 1462 1463 credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT); 1464 if (credit == NULL) 1465 return ENOMEM; 1466 1467 m = m_gethdr(M_DONTWAIT, MT_DATA); 1468 if (m == NULL) { 1469 pool_put(&rfcomm_credit_pool, credit); 1470 return ENOMEM; 1471 } 1472 1473 /* 1474 * The CR (command/response) bit identifies the frame either as a 1475 * commmand or a response and is used along with the DLCI to form 1476 * the address. Commands contain the non-initiator address, whereas 1477 * responses contain the initiator address, so the CR value is 1478 * also dependent on the session direction. 1479 */ 1480 if (type == RFCOMM_FRAME_UA || type == RFCOMM_FRAME_DM) 1481 cr = IS_INITIATOR(rs) ? 0 : 1; 1482 else 1483 cr = IS_INITIATOR(rs) ? 1 : 0; 1484 1485 hdr = mtod(m, struct rfcomm_cmd_hdr *); 1486 hdr->address = RFCOMM_MKADDRESS(cr, dlci); 1487 hdr->control = RFCOMM_MKCONTROL(type, 1); /* PF = 1 */ 1488 hdr->length = (0x00 << 1) | 0x01; /* len = 0x00, EA = 1 */ 1489 1490 fcs = 0xff; 1491 fcs = FCS(fcs, hdr->address); 1492 fcs = FCS(fcs, hdr->control); 1493 fcs = FCS(fcs, hdr->length); 1494 fcs = 0xff - fcs; /* ones complement */ 1495 hdr->fcs = fcs; 1496 1497 m->m_pkthdr.len = m->m_len = sizeof(struct rfcomm_cmd_hdr); 1498 1499 /* empty credit note */ 1500 credit->rc_dlc = NULL; 1501 credit->rc_len = m->m_pkthdr.len; 1502 SIMPLEQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next); 1503 1504 DPRINTFN(5, "dlci %d type %2.2x (%d bytes, fcs=%#2.2x)\n", 1505 dlci, type, m->m_pkthdr.len, fcs); 1506 1507 return l2cap_send(rs->rs_l2cap, m); 1508 } 1509 1510 /* 1511 * rfcomm_session_send_uih(rfcomm_session, rfcomm_dlc, credits, mbuf) 1512 * 1513 * UIH frame is per DLC data or Multiplexer Control Commands 1514 * when no DLC is given. Data mbuf is optional (just credits 1515 * will be sent in that case) 1516 */ 1517 int 1518 rfcomm_session_send_uih(struct rfcomm_session *rs, struct rfcomm_dlc *dlc, 1519 int credits, struct mbuf *m) 1520 { 1521 struct rfcomm_credit *credit; 1522 struct mbuf *m0 = NULL; 1523 int err, len; 1524 uint8_t fcs, *hdr; 1525 1526 KASSERT(rs != NULL); 1527 1528 len = (m == NULL) ? 0 : m->m_pkthdr.len; 1529 KASSERT(!(credits == 0 && len == 0)); 1530 1531 /* 1532 * Make a credit note for the completion notification 1533 */ 1534 credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT); 1535 if (credit == NULL) 1536 goto nomem; 1537 1538 credit->rc_len = len; 1539 credit->rc_dlc = dlc; 1540 1541 /* 1542 * Wrap UIH frame information around payload. 1543 * 1544 * [ADDRESS] [CONTROL] [LENGTH] [CREDITS] [...] [FCS] 1545 * 1546 * Address is one octet. 1547 * Control is one octet. 1548 * Length is one or two octets. 1549 * Credits may be one octet. 1550 * 1551 * FCS is one octet and calculated on address and 1552 * control octets only. 1553 * 1554 * If there are credits to be sent, we will set the PF 1555 * flag and include them in the frame. 1556 */ 1557 m0 = m_gethdr(M_DONTWAIT, MT_DATA); 1558 if (m0 == NULL) 1559 goto nomem; 1560 1561 MH_ALIGN(m0, 5); /* (max 5 header octets) */ 1562 hdr = mtod(m0, uint8_t *); 1563 1564 /* CR bit is set according to the initiator of the session */ 1565 *hdr = RFCOMM_MKADDRESS((IS_INITIATOR(rs) ? 1 : 0), 1566 (dlc ? dlc->rd_dlci : 0)); 1567 fcs = FCS(0xff, *hdr); 1568 hdr++; 1569 1570 /* PF bit is set if credits are being sent */ 1571 *hdr = RFCOMM_MKCONTROL(RFCOMM_FRAME_UIH, (credits > 0 ? 1 : 0)); 1572 fcs = FCS(fcs, *hdr); 1573 hdr++; 1574 1575 if (len < (1 << 7)) { 1576 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1577 } else { 1578 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1579 *hdr++ = ((len >> 7) & 0xff); /* 8 bits, no EA */ 1580 } 1581 1582 if (credits > 0) 1583 *hdr++ = (uint8_t)credits; 1584 1585 m0->m_len = hdr - mtod(m0, uint8_t *); 1586 1587 /* Append payload */ 1588 m0->m_next = m; 1589 m = NULL; 1590 1591 m0->m_pkthdr.len = m0->m_len + len; 1592 1593 /* Append FCS */ 1594 fcs = 0xff - fcs; /* ones complement */ 1595 len = m0->m_pkthdr.len; 1596 m_copyback(m0, len, sizeof(fcs), &fcs); 1597 if (m0->m_pkthdr.len != len + sizeof(fcs)) 1598 goto nomem; 1599 1600 DPRINTFN(10, "dlci %d, pktlen %d (%d data, %d credits), fcs=%#2.2x\n", 1601 dlc ? dlc->rd_dlci : 0, m0->m_pkthdr.len, credit->rc_len, 1602 credits, fcs); 1603 1604 /* 1605 * UIH frame ready to go.. 1606 */ 1607 err = l2cap_send(rs->rs_l2cap, m0); 1608 if (err) 1609 goto fail; 1610 1611 SIMPLEQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next); 1612 return 0; 1613 1614 nomem: 1615 err = ENOMEM; 1616 1617 if (m0 != NULL) 1618 m_freem(m0); 1619 1620 if (m != NULL) 1621 m_freem(m); 1622 1623 fail: 1624 if (credit != NULL) 1625 pool_put(&rfcomm_credit_pool, credit); 1626 1627 return err; 1628 } 1629 1630 /* 1631 * send Multiplexer Control Command (or Response) on session 1632 */ 1633 int 1634 rfcomm_session_send_mcc(struct rfcomm_session *rs, int cr, 1635 uint8_t type, void *data, int len) 1636 { 1637 struct mbuf *m; 1638 uint8_t *hdr; 1639 int hlen; 1640 1641 m = m_gethdr(M_DONTWAIT, MT_DATA); 1642 if (m == NULL) 1643 return ENOMEM; 1644 1645 hdr = mtod(m, uint8_t *); 1646 1647 /* 1648 * Technically the type field can extend past one octet, but none 1649 * currently defined will do that. 1650 */ 1651 *hdr++ = RFCOMM_MKMCC_TYPE(cr, type); 1652 1653 /* 1654 * In the frame, the max length size is 2 octets (15 bits) whereas 1655 * no max length size is specified for MCC commands. We must allow 1656 * for 3 octets since for MCC frames we use 7 bits + EA in each. 1657 * 1658 * Only test data can possibly be that big. 1659 * 1660 * XXX Should we check this against the MTU? 1661 */ 1662 if (len < (1 << 7)) { 1663 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1664 } else if (len < (1 << 14)) { 1665 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1666 *hdr++ = ((len >> 6) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1667 } else if (len < (1 << 15)) { 1668 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1669 *hdr++ = ((len >> 6) & 0xfe); /* 7 bits, EA = 0 */ 1670 *hdr++ = ((len >> 13) & 0x02) | 0x01; /* 1 bit, EA = 1 */ 1671 } else { 1672 DPRINTF("incredible length! (%d)\n", len); 1673 m_freem(m); 1674 return EMSGSIZE; 1675 } 1676 1677 /* 1678 * add command data (to same mbuf if possible) 1679 */ 1680 hlen = hdr - mtod(m, uint8_t *); 1681 1682 if (len > 0) { 1683 m->m_pkthdr.len = m->m_len = MHLEN; 1684 m_copyback(m, hlen, len, data); 1685 if (m->m_pkthdr.len != max(MHLEN, hlen + len)) { 1686 m_freem(m); 1687 return ENOMEM; 1688 } 1689 } 1690 1691 m->m_pkthdr.len = hlen + len; 1692 m->m_len = min(MHLEN, m->m_pkthdr.len); 1693 1694 DPRINTFN(5, "%s type %2.2x len %d\n", 1695 (cr ? "command" : "response"), type, m->m_pkthdr.len); 1696 1697 return rfcomm_session_send_uih(rs, NULL, 0, m); 1698 } 1699