1 /* $NetBSD: rfcomm_session.c,v 1.13 2008/04/24 11:38:37 ad Exp $ */ 2 3 /*- 4 * Copyright (c) 2006 Itronix Inc. 5 * All rights reserved. 6 * 7 * Written by Iain Hibbert for Itronix Inc. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of Itronix Inc. may not be used to endorse 18 * or promote products derived from this software without specific 19 * prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 23 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 24 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY 25 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 28 * ON ANY THEORY OF LIABILITY, WHETHER IN 29 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 30 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 31 * POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: rfcomm_session.c,v 1.13 2008/04/24 11:38:37 ad Exp $"); 36 37 #include <sys/param.h> 38 #include <sys/kernel.h> 39 #include <sys/mbuf.h> 40 #include <sys/proc.h> 41 #include <sys/systm.h> 42 #include <sys/types.h> 43 44 #include <netbt/bluetooth.h> 45 #include <netbt/hci.h> 46 #include <netbt/l2cap.h> 47 #include <netbt/rfcomm.h> 48 49 /****************************************************************************** 50 * 51 * RFCOMM Multiplexer Sessions sit directly on L2CAP channels, and can 52 * multiplex up to 30 incoming and 30 outgoing connections. 53 * Only one Multiplexer is allowed between any two devices. 54 */ 55 56 static void rfcomm_session_timeout(void *); 57 static void rfcomm_session_recv_sabm(struct rfcomm_session *, int); 58 static void rfcomm_session_recv_disc(struct rfcomm_session *, int); 59 static void rfcomm_session_recv_ua(struct rfcomm_session *, int); 60 static void rfcomm_session_recv_dm(struct rfcomm_session *, int); 61 static void rfcomm_session_recv_uih(struct rfcomm_session *, int, int, struct mbuf *, int); 62 static void rfcomm_session_recv_mcc(struct rfcomm_session *, struct mbuf *); 63 static void rfcomm_session_recv_mcc_test(struct rfcomm_session *, int, struct mbuf *); 64 static void rfcomm_session_recv_mcc_fcon(struct rfcomm_session *, int); 65 static void rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *, int); 66 static void rfcomm_session_recv_mcc_msc(struct rfcomm_session *, int, struct mbuf *); 67 static void rfcomm_session_recv_mcc_rpn(struct rfcomm_session *, int, struct mbuf *); 68 static void rfcomm_session_recv_mcc_rls(struct rfcomm_session *, int, struct mbuf *); 69 static void rfcomm_session_recv_mcc_pn(struct rfcomm_session *, int, struct mbuf *); 70 static void rfcomm_session_recv_mcc_nsc(struct rfcomm_session *, int, struct mbuf *); 71 72 /* L2CAP callbacks */ 73 static void rfcomm_session_connecting(void *); 74 static void rfcomm_session_connected(void *); 75 static void rfcomm_session_disconnected(void *, int); 76 static void *rfcomm_session_newconn(void *, struct sockaddr_bt *, struct sockaddr_bt *); 77 static void rfcomm_session_complete(void *, int); 78 static void rfcomm_session_linkmode(void *, int); 79 static void rfcomm_session_input(void *, struct mbuf *); 80 81 static const struct btproto rfcomm_session_proto = { 82 rfcomm_session_connecting, 83 rfcomm_session_connected, 84 rfcomm_session_disconnected, 85 rfcomm_session_newconn, 86 rfcomm_session_complete, 87 rfcomm_session_linkmode, 88 rfcomm_session_input, 89 }; 90 91 struct rfcomm_session_list 92 rfcomm_session_active = LIST_HEAD_INITIALIZER(rfcomm_session_active); 93 94 struct rfcomm_session_list 95 rfcomm_session_listen = LIST_HEAD_INITIALIZER(rfcomm_session_listen); 96 97 POOL_INIT(rfcomm_credit_pool, sizeof(struct rfcomm_credit), 98 0, 0, 0, "rfcomm_credit", NULL, IPL_SOFTNET); 99 100 /* 101 * RFCOMM System Parameters (see section 5.3) 102 */ 103 int rfcomm_mtu_default = 127; /* bytes */ 104 int rfcomm_ack_timeout = 20; /* seconds */ 105 int rfcomm_mcc_timeout = 20; /* seconds */ 106 107 /* 108 * Reversed CRC table as per TS 07.10 Annex B.3.5 109 */ 110 static const uint8_t crctable[256] = { /* reversed, 8-bit, poly=0x07 */ 111 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 112 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 113 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 114 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 115 116 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 117 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 118 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 119 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 120 121 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 122 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 123 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 124 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 125 126 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 127 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 128 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 129 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 130 131 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 132 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 133 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 134 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 135 136 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 137 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 138 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 139 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 140 141 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 142 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 143 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 144 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 145 146 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 147 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 148 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 149 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 150 }; 151 152 #define FCS(f, d) crctable[(f) ^ (d)] 153 154 /* 155 * rfcomm_session_alloc(list, sockaddr) 156 * 157 * allocate a new session and fill in the blanks, then 158 * attach session to front of specified list (active or listen) 159 */ 160 struct rfcomm_session * 161 rfcomm_session_alloc(struct rfcomm_session_list *list, 162 struct sockaddr_bt *laddr) 163 { 164 struct rfcomm_session *rs; 165 int err; 166 167 rs = malloc(sizeof(*rs), M_BLUETOOTH, M_NOWAIT | M_ZERO); 168 if (rs == NULL) 169 return NULL; 170 171 rs->rs_state = RFCOMM_SESSION_CLOSED; 172 173 callout_init(&rs->rs_timeout, 0); 174 callout_setfunc(&rs->rs_timeout, rfcomm_session_timeout, rs); 175 176 SIMPLEQ_INIT(&rs->rs_credits); 177 LIST_INIT(&rs->rs_dlcs); 178 179 err = l2cap_attach(&rs->rs_l2cap, &rfcomm_session_proto, rs); 180 if (err) { 181 free(rs, M_BLUETOOTH); 182 return NULL; 183 } 184 185 (void)l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu); 186 187 if (laddr->bt_psm == L2CAP_PSM_ANY) 188 laddr->bt_psm = L2CAP_PSM_RFCOMM; 189 190 (void)l2cap_bind(rs->rs_l2cap, laddr); 191 192 LIST_INSERT_HEAD(list, rs, rs_next); 193 194 return rs; 195 } 196 197 /* 198 * rfcomm_session_free(rfcomm_session) 199 * 200 * release a session, including any cleanup 201 */ 202 void 203 rfcomm_session_free(struct rfcomm_session *rs) 204 { 205 struct rfcomm_credit *credit; 206 207 KASSERT(rs != NULL); 208 KASSERT(LIST_EMPTY(&rs->rs_dlcs)); 209 210 rs->rs_state = RFCOMM_SESSION_CLOSED; 211 212 /* 213 * If the callout is already invoked we have no way to stop it, 214 * but it will call us back right away (there are no DLC's) so 215 * not to worry. 216 */ 217 callout_stop(&rs->rs_timeout); 218 if (callout_invoking(&rs->rs_timeout)) 219 return; 220 221 /* 222 * Take care that rfcomm_session_disconnected() doesnt call 223 * us back either as it will do if the l2cap_channel has not 224 * been closed when we detach it.. 225 */ 226 if (rs->rs_flags & RFCOMM_SESSION_FREE) 227 return; 228 229 rs->rs_flags |= RFCOMM_SESSION_FREE; 230 231 /* throw away any remaining credit notes */ 232 while ((credit = SIMPLEQ_FIRST(&rs->rs_credits)) != NULL) { 233 SIMPLEQ_REMOVE_HEAD(&rs->rs_credits, rc_next); 234 pool_put(&rfcomm_credit_pool, credit); 235 } 236 237 KASSERT(SIMPLEQ_EMPTY(&rs->rs_credits)); 238 239 /* Goodbye! */ 240 LIST_REMOVE(rs, rs_next); 241 l2cap_detach(&rs->rs_l2cap); 242 callout_destroy(&rs->rs_timeout); 243 free(rs, M_BLUETOOTH); 244 } 245 246 /* 247 * rfcomm_session_lookup(sockaddr, sockaddr) 248 * 249 * Find active rfcomm session matching src and dest addresses 250 * when src is BDADDR_ANY match any local address 251 */ 252 struct rfcomm_session * 253 rfcomm_session_lookup(struct sockaddr_bt *src, struct sockaddr_bt *dest) 254 { 255 struct rfcomm_session *rs; 256 struct sockaddr_bt addr; 257 258 LIST_FOREACH(rs, &rfcomm_session_active, rs_next) { 259 if (rs->rs_state == RFCOMM_SESSION_CLOSED) 260 continue; 261 262 l2cap_sockaddr(rs->rs_l2cap, &addr); 263 264 if (bdaddr_same(&src->bt_bdaddr, &addr.bt_bdaddr) == 0) 265 if (bdaddr_any(&src->bt_bdaddr) == 0) 266 continue; 267 268 l2cap_peeraddr(rs->rs_l2cap, &addr); 269 270 if (addr.bt_psm != dest->bt_psm) 271 continue; 272 273 if (bdaddr_same(&dest->bt_bdaddr, &addr.bt_bdaddr)) 274 break; 275 } 276 277 return rs; 278 } 279 280 /* 281 * rfcomm_session_timeout(rfcomm_session) 282 * 283 * Session timeouts are scheduled when a session is left or 284 * created with no DLCs, and when SABM(0) or DISC(0) are 285 * sent. 286 * 287 * So, if it is in an open state with DLC's attached then 288 * we leave it alone, otherwise the session is lost. 289 */ 290 static void 291 rfcomm_session_timeout(void *arg) 292 { 293 struct rfcomm_session *rs = arg; 294 struct rfcomm_dlc *dlc; 295 296 KASSERT(rs != NULL); 297 298 mutex_enter(bt_lock); 299 callout_ack(&rs->rs_timeout); 300 301 if (rs->rs_state != RFCOMM_SESSION_OPEN) { 302 DPRINTF("timeout\n"); 303 rs->rs_state = RFCOMM_SESSION_CLOSED; 304 305 while (!LIST_EMPTY(&rs->rs_dlcs)) { 306 dlc = LIST_FIRST(&rs->rs_dlcs); 307 308 rfcomm_dlc_close(dlc, ETIMEDOUT); 309 } 310 } 311 312 if (LIST_EMPTY(&rs->rs_dlcs)) { 313 DPRINTF("expiring\n"); 314 rfcomm_session_free(rs); 315 } 316 mutex_exit(bt_lock); 317 } 318 319 /*********************************************************************** 320 * 321 * RFCOMM Session L2CAP protocol callbacks 322 * 323 */ 324 325 static void 326 rfcomm_session_connecting(void *arg) 327 { 328 /* struct rfcomm_session *rs = arg; */ 329 330 DPRINTF("Connecting\n"); 331 } 332 333 static void 334 rfcomm_session_connected(void *arg) 335 { 336 struct rfcomm_session *rs = arg; 337 338 DPRINTF("Connected\n"); 339 340 /* 341 * L2CAP is open. 342 * 343 * If we are initiator, we can send our SABM(0) 344 * a timeout should be active? 345 * 346 * We must take note of the L2CAP MTU because currently 347 * the L2CAP implementation can only do Basic Mode. 348 */ 349 l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu); 350 351 rs->rs_mtu -= 6; /* (RFCOMM overhead could be this big) */ 352 if (rs->rs_mtu < RFCOMM_MTU_MIN) { 353 rfcomm_session_disconnected(rs, EINVAL); 354 return; 355 } 356 357 if (IS_INITIATOR(rs)) { 358 int err; 359 360 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, 0); 361 if (err) 362 rfcomm_session_disconnected(rs, err); 363 364 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz); 365 } 366 } 367 368 static void 369 rfcomm_session_disconnected(void *arg, int err) 370 { 371 struct rfcomm_session *rs = arg; 372 struct rfcomm_dlc *dlc; 373 374 DPRINTF("Disconnected\n"); 375 376 rs->rs_state = RFCOMM_SESSION_CLOSED; 377 378 while (!LIST_EMPTY(&rs->rs_dlcs)) { 379 dlc = LIST_FIRST(&rs->rs_dlcs); 380 381 rfcomm_dlc_close(dlc, err); 382 } 383 384 rfcomm_session_free(rs); 385 } 386 387 static void * 388 rfcomm_session_newconn(void *arg, struct sockaddr_bt *laddr, 389 struct sockaddr_bt *raddr) 390 { 391 struct rfcomm_session *new, *rs = arg; 392 393 DPRINTF("New Connection\n"); 394 395 /* 396 * Incoming session connect request. We should return a new 397 * session pointer if this is acceptable. The L2CAP layer 398 * passes local and remote addresses, which we must check as 399 * only one RFCOMM session is allowed between any two devices 400 */ 401 new = rfcomm_session_lookup(laddr, raddr); 402 if (new != NULL) 403 return NULL; 404 405 new = rfcomm_session_alloc(&rfcomm_session_active, laddr); 406 if (new == NULL) 407 return NULL; 408 409 new->rs_mtu = rs->rs_mtu; 410 new->rs_state = RFCOMM_SESSION_WAIT_CONNECT; 411 412 /* 413 * schedule an expiry so that if nothing comes of it we 414 * can punt. 415 */ 416 callout_schedule(&new->rs_timeout, rfcomm_mcc_timeout * hz); 417 418 return new->rs_l2cap; 419 } 420 421 static void 422 rfcomm_session_complete(void *arg, int count) 423 { 424 struct rfcomm_session *rs = arg; 425 struct rfcomm_credit *credit; 426 struct rfcomm_dlc *dlc; 427 428 /* 429 * count L2CAP packets are 'complete', meaning that they are cleared 430 * our buffers (for best effort) or arrived safe (for guaranteed) so 431 * we can take it off our list and pass the message on, so that 432 * eventually the data can be removed from the sockbuf 433 */ 434 while (count-- > 0) { 435 credit = SIMPLEQ_FIRST(&rs->rs_credits); 436 #ifdef DIAGNOSTIC 437 if (credit == NULL) { 438 printf("%s: too many packets completed!\n", __func__); 439 break; 440 } 441 #endif 442 dlc = credit->rc_dlc; 443 if (dlc != NULL) { 444 dlc->rd_pending--; 445 (*dlc->rd_proto->complete) 446 (dlc->rd_upper, credit->rc_len); 447 448 /* 449 * if not using credit flow control, we may push 450 * more data now 451 */ 452 if ((rs->rs_flags & RFCOMM_SESSION_CFC) == 0 453 && dlc->rd_state == RFCOMM_DLC_OPEN) { 454 rfcomm_dlc_start(dlc); 455 } 456 457 /* 458 * When shutdown is indicated, we are just waiting to 459 * clear outgoing data. 460 */ 461 if ((dlc->rd_flags & RFCOMM_DLC_SHUTDOWN) 462 && dlc->rd_txbuf == NULL && dlc->rd_pending == 0) { 463 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT; 464 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 465 dlc->rd_dlci); 466 callout_schedule(&dlc->rd_timeout, 467 rfcomm_ack_timeout * hz); 468 } 469 } 470 471 SIMPLEQ_REMOVE_HEAD(&rs->rs_credits, rc_next); 472 pool_put(&rfcomm_credit_pool, credit); 473 } 474 475 /* 476 * If session is closed, we are just waiting to clear the queue 477 */ 478 if (rs->rs_state == RFCOMM_SESSION_CLOSED) { 479 if (SIMPLEQ_EMPTY(&rs->rs_credits)) 480 l2cap_disconnect(rs->rs_l2cap, 0); 481 } 482 } 483 484 /* 485 * Link Mode changed 486 * 487 * This is called when a mode change is complete. Proceed with connections 488 * where appropriate, or pass the new mode to any active DLCs. 489 */ 490 static void 491 rfcomm_session_linkmode(void *arg, int new) 492 { 493 struct rfcomm_session *rs = arg; 494 struct rfcomm_dlc *dlc, *next; 495 int err, mode = 0; 496 497 DPRINTF("auth %s, encrypt %s, secure %s\n", 498 (new & L2CAP_LM_AUTH ? "on" : "off"), 499 (new & L2CAP_LM_ENCRYPT ? "on" : "off"), 500 (new & L2CAP_LM_SECURE ? "on" : "off")); 501 502 if (new & L2CAP_LM_AUTH) 503 mode |= RFCOMM_LM_AUTH; 504 505 if (new & L2CAP_LM_ENCRYPT) 506 mode |= RFCOMM_LM_ENCRYPT; 507 508 if (new & L2CAP_LM_SECURE) 509 mode |= RFCOMM_LM_SECURE; 510 511 next = LIST_FIRST(&rs->rs_dlcs); 512 while ((dlc = next) != NULL) { 513 next = LIST_NEXT(dlc, rd_next); 514 515 switch (dlc->rd_state) { 516 case RFCOMM_DLC_WAIT_SEND_SABM: /* we are connecting */ 517 if ((mode & dlc->rd_mode) != dlc->rd_mode) { 518 rfcomm_dlc_close(dlc, ECONNABORTED); 519 } else { 520 err = rfcomm_session_send_frame(rs, 521 RFCOMM_FRAME_SABM, dlc->rd_dlci); 522 if (err) { 523 rfcomm_dlc_close(dlc, err); 524 } else { 525 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA; 526 callout_schedule(&dlc->rd_timeout, 527 rfcomm_ack_timeout * hz); 528 break; 529 } 530 } 531 532 /* 533 * If we aborted the connection and there are no more DLCs 534 * on the session, it is our responsibility to disconnect. 535 */ 536 if (!LIST_EMPTY(&rs->rs_dlcs)) 537 break; 538 539 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT; 540 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0); 541 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz); 542 break; 543 544 case RFCOMM_DLC_WAIT_SEND_UA: /* they are connecting */ 545 if ((mode & dlc->rd_mode) != dlc->rd_mode) { 546 rfcomm_session_send_frame(rs, 547 RFCOMM_FRAME_DM, dlc->rd_dlci); 548 rfcomm_dlc_close(dlc, ECONNABORTED); 549 break; 550 } 551 552 err = rfcomm_session_send_frame(rs, 553 RFCOMM_FRAME_UA, dlc->rd_dlci); 554 if (err) { 555 rfcomm_session_send_frame(rs, 556 RFCOMM_FRAME_DM, dlc->rd_dlci); 557 rfcomm_dlc_close(dlc, err); 558 break; 559 } 560 561 err = rfcomm_dlc_open(dlc); 562 if (err) { 563 rfcomm_session_send_frame(rs, 564 RFCOMM_FRAME_DM, dlc->rd_dlci); 565 rfcomm_dlc_close(dlc, err); 566 break; 567 } 568 569 break; 570 571 case RFCOMM_DLC_WAIT_RECV_UA: 572 case RFCOMM_DLC_OPEN: /* already established */ 573 (*dlc->rd_proto->linkmode)(dlc->rd_upper, mode); 574 break; 575 576 default: 577 break; 578 } 579 } 580 } 581 582 /* 583 * Receive data from L2CAP layer for session. There is always exactly one 584 * RFCOMM frame contained in each L2CAP frame. 585 */ 586 static void 587 rfcomm_session_input(void *arg, struct mbuf *m) 588 { 589 struct rfcomm_session *rs = arg; 590 int dlci, len, type, pf; 591 uint8_t fcs, b; 592 593 KASSERT(m != NULL); 594 KASSERT(rs != NULL); 595 596 /* 597 * UIH frames: FCS is only calculated on address and control fields 598 * For other frames: FCS is calculated on address, control and length 599 * Length may extend to two octets 600 */ 601 fcs = 0xff; 602 603 if (m->m_pkthdr.len < 4) { 604 DPRINTF("short frame (%d), discarded\n", m->m_pkthdr.len); 605 goto done; 606 } 607 608 /* address - one octet */ 609 m_copydata(m, 0, 1, &b); 610 m_adj(m, 1); 611 fcs = FCS(fcs, b); 612 dlci = RFCOMM_DLCI(b); 613 614 /* control - one octet */ 615 m_copydata(m, 0, 1, &b); 616 m_adj(m, 1); 617 fcs = FCS(fcs, b); 618 type = RFCOMM_TYPE(b); 619 pf = RFCOMM_PF(b); 620 621 /* length - may be two octets */ 622 m_copydata(m, 0, 1, &b); 623 m_adj(m, 1); 624 if (type != RFCOMM_FRAME_UIH) 625 fcs = FCS(fcs, b); 626 len = (b >> 1) & 0x7f; 627 628 if (RFCOMM_EA(b) == 0) { 629 if (m->m_pkthdr.len < 2) { 630 DPRINTF("short frame (%d, EA = 0), discarded\n", 631 m->m_pkthdr.len); 632 goto done; 633 } 634 635 m_copydata(m, 0, 1, &b); 636 m_adj(m, 1); 637 if (type != RFCOMM_FRAME_UIH) 638 fcs = FCS(fcs, b); 639 640 len |= (b << 7); 641 } 642 643 /* FCS byte is last octet in frame */ 644 m_copydata(m, m->m_pkthdr.len - 1, 1, &b); 645 m_adj(m, -1); 646 fcs = FCS(fcs, b); 647 648 if (fcs != 0xcf) { 649 DPRINTF("Bad FCS value (%#2.2x), frame discarded\n", fcs); 650 goto done; 651 } 652 653 DPRINTFN(10, "dlci %d, type %2.2x, len = %d\n", dlci, type, len); 654 655 switch (type) { 656 case RFCOMM_FRAME_SABM: 657 if (pf) 658 rfcomm_session_recv_sabm(rs, dlci); 659 break; 660 661 case RFCOMM_FRAME_DISC: 662 if (pf) 663 rfcomm_session_recv_disc(rs, dlci); 664 break; 665 666 case RFCOMM_FRAME_UA: 667 if (pf) 668 rfcomm_session_recv_ua(rs, dlci); 669 break; 670 671 case RFCOMM_FRAME_DM: 672 rfcomm_session_recv_dm(rs, dlci); 673 break; 674 675 case RFCOMM_FRAME_UIH: 676 rfcomm_session_recv_uih(rs, dlci, pf, m, len); 677 return; /* (no release) */ 678 679 default: 680 UNKNOWN(type); 681 break; 682 } 683 684 done: 685 m_freem(m); 686 } 687 688 /*********************************************************************** 689 * 690 * RFCOMM Session receive processing 691 */ 692 693 /* 694 * rfcomm_session_recv_sabm(rfcomm_session, dlci) 695 * 696 * Set Asyncrhonous Balanced Mode - open the channel. 697 */ 698 static void 699 rfcomm_session_recv_sabm(struct rfcomm_session *rs, int dlci) 700 { 701 struct rfcomm_dlc *dlc; 702 int err; 703 704 DPRINTFN(5, "SABM(%d)\n", dlci); 705 706 if (dlci == 0) { /* Open Session */ 707 rs->rs_state = RFCOMM_SESSION_OPEN; 708 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0); 709 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) { 710 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION) 711 rfcomm_dlc_connect(dlc); 712 } 713 return; 714 } 715 716 if (rs->rs_state != RFCOMM_SESSION_OPEN) { 717 DPRINTF("session was not even open!\n"); 718 return; 719 } 720 721 /* validate direction bit */ 722 if ((IS_INITIATOR(rs) && !RFCOMM_DIRECTION(dlci)) 723 || (!IS_INITIATOR(rs) && RFCOMM_DIRECTION(dlci))) { 724 DPRINTF("Invalid direction bit on DLCI\n"); 725 return; 726 } 727 728 /* 729 * look for our DLC - this may exist if we received PN 730 * already, or we may have to fabricate a new one. 731 */ 732 dlc = rfcomm_dlc_lookup(rs, dlci); 733 if (dlc == NULL) { 734 dlc = rfcomm_dlc_newconn(rs, dlci); 735 if (dlc == NULL) 736 return; /* (DM is sent) */ 737 } 738 739 /* 740 * ..but if this DLC is not waiting to connect, they did 741 * something wrong, ignore it. 742 */ 743 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT) 744 return; 745 746 /* set link mode */ 747 err = rfcomm_dlc_setmode(dlc); 748 if (err == EINPROGRESS) { 749 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_UA; 750 (*dlc->rd_proto->connecting)(dlc->rd_upper); 751 return; 752 } 753 if (err) 754 goto close; 755 756 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci); 757 if (err) 758 goto close; 759 760 /* and mark it open */ 761 err = rfcomm_dlc_open(dlc); 762 if (err) 763 goto close; 764 765 return; 766 767 close: 768 rfcomm_dlc_close(dlc, err); 769 } 770 771 /* 772 * Receive Disconnect Command 773 */ 774 static void 775 rfcomm_session_recv_disc(struct rfcomm_session *rs, int dlci) 776 { 777 struct rfcomm_dlc *dlc; 778 779 DPRINTFN(5, "DISC(%d)\n", dlci); 780 781 if (dlci == 0) { 782 /* 783 * Disconnect Session 784 * 785 * We set the session state to CLOSED so that when 786 * the UA frame is clear the session will be closed 787 * automatically. We wont bother to close any DLC's 788 * just yet as there should be none. In the unlikely 789 * event that something is left, it will get flushed 790 * out as the session goes down. 791 */ 792 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0); 793 rs->rs_state = RFCOMM_SESSION_CLOSED; 794 return; 795 } 796 797 dlc = rfcomm_dlc_lookup(rs, dlci); 798 if (dlc == NULL) { 799 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci); 800 return; 801 } 802 803 rfcomm_dlc_close(dlc, ECONNRESET); 804 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci); 805 } 806 807 /* 808 * Receive Unnumbered Acknowledgement Response 809 * 810 * This should be a response to a DISC or SABM frame that we 811 * have previously sent. If unexpected, ignore it. 812 */ 813 static void 814 rfcomm_session_recv_ua(struct rfcomm_session *rs, int dlci) 815 { 816 struct rfcomm_dlc *dlc; 817 818 DPRINTFN(5, "UA(%d)\n", dlci); 819 820 if (dlci == 0) { 821 switch (rs->rs_state) { 822 case RFCOMM_SESSION_WAIT_CONNECT: /* We sent SABM */ 823 callout_stop(&rs->rs_timeout); 824 rs->rs_state = RFCOMM_SESSION_OPEN; 825 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) { 826 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION) 827 rfcomm_dlc_connect(dlc); 828 } 829 break; 830 831 case RFCOMM_SESSION_WAIT_DISCONNECT: /* We sent DISC */ 832 callout_stop(&rs->rs_timeout); 833 rs->rs_state = RFCOMM_SESSION_CLOSED; 834 l2cap_disconnect(rs->rs_l2cap, 0); 835 break; 836 837 default: 838 DPRINTF("Received spurious UA(0)!\n"); 839 break; 840 } 841 842 return; 843 } 844 845 /* 846 * If we have no DLC on this dlci, we may have aborted 847 * without shutting down properly, so check if the session 848 * needs disconnecting. 849 */ 850 dlc = rfcomm_dlc_lookup(rs, dlci); 851 if (dlc == NULL) 852 goto check; 853 854 switch (dlc->rd_state) { 855 case RFCOMM_DLC_WAIT_RECV_UA: /* We sent SABM */ 856 rfcomm_dlc_open(dlc); 857 return; 858 859 case RFCOMM_DLC_WAIT_DISCONNECT: /* We sent DISC */ 860 rfcomm_dlc_close(dlc, 0); 861 break; 862 863 default: 864 DPRINTF("Received spurious UA(%d)!\n", dlci); 865 return; 866 } 867 868 check: /* last one out turns out the light */ 869 if (LIST_EMPTY(&rs->rs_dlcs)) { 870 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT; 871 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0); 872 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz); 873 } 874 } 875 876 /* 877 * Receive Disconnected Mode Response 878 * 879 * If this does not apply to a known DLC then we may ignore it. 880 */ 881 static void 882 rfcomm_session_recv_dm(struct rfcomm_session *rs, int dlci) 883 { 884 struct rfcomm_dlc *dlc; 885 886 DPRINTFN(5, "DM(%d)\n", dlci); 887 888 dlc = rfcomm_dlc_lookup(rs, dlci); 889 if (dlc == NULL) 890 return; 891 892 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT) 893 rfcomm_dlc_close(dlc, ECONNREFUSED); 894 else 895 rfcomm_dlc_close(dlc, ECONNRESET); 896 } 897 898 /* 899 * Receive Unnumbered Information with Header check (MCC or data packet) 900 */ 901 static void 902 rfcomm_session_recv_uih(struct rfcomm_session *rs, int dlci, 903 int pf, struct mbuf *m, int len) 904 { 905 struct rfcomm_dlc *dlc; 906 uint8_t credits = 0; 907 908 DPRINTFN(10, "UIH(%d)\n", dlci); 909 910 if (dlci == 0) { 911 rfcomm_session_recv_mcc(rs, m); 912 return; 913 } 914 915 if (m->m_pkthdr.len != len + pf) { 916 DPRINTF("Bad Frame Length (%d), frame discarded\n", 917 m->m_pkthdr.len); 918 919 goto discard; 920 } 921 922 dlc = rfcomm_dlc_lookup(rs, dlci); 923 if (dlc == NULL) { 924 DPRINTF("UIH received for non existent DLC, discarded\n"); 925 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci); 926 goto discard; 927 } 928 929 if (dlc->rd_state != RFCOMM_DLC_OPEN) { 930 DPRINTF("non-open DLC (state = %d), discarded\n", 931 dlc->rd_state); 932 goto discard; 933 } 934 935 /* if PF is set, credits were included */ 936 if (rs->rs_flags & RFCOMM_SESSION_CFC) { 937 if (pf != 0) { 938 if (m->m_pkthdr.len < sizeof(credits)) { 939 DPRINTF("Bad PF value, UIH discarded\n"); 940 goto discard; 941 } 942 943 m_copydata(m, 0, sizeof(credits), &credits); 944 m_adj(m, sizeof(credits)); 945 946 dlc->rd_txcred += credits; 947 948 if (credits > 0 && dlc->rd_txbuf != NULL) 949 rfcomm_dlc_start(dlc); 950 } 951 952 if (len == 0) 953 goto discard; 954 955 if (dlc->rd_rxcred == 0) { 956 DPRINTF("Credit limit reached, UIH discarded\n"); 957 goto discard; 958 } 959 960 if (len > dlc->rd_rxsize) { 961 DPRINTF("UIH frame exceeds rxsize, discarded\n"); 962 goto discard; 963 } 964 965 dlc->rd_rxcred--; 966 dlc->rd_rxsize -= len; 967 } 968 969 (*dlc->rd_proto->input)(dlc->rd_upper, m); 970 return; 971 972 discard: 973 m_freem(m); 974 } 975 976 /* 977 * Receive Multiplexer Control Command 978 */ 979 static void 980 rfcomm_session_recv_mcc(struct rfcomm_session *rs, struct mbuf *m) 981 { 982 int type, cr, len; 983 uint8_t b; 984 985 /* 986 * Extract MCC header. 987 * 988 * Fields are variable length using extension bit = 1 to signify the 989 * last octet in the sequence. 990 * 991 * Only single octet types are defined in TS 07.10/RFCOMM spec 992 * 993 * Length can realistically only use 15 bits (max RFCOMM MTU) 994 */ 995 if (m->m_pkthdr.len < sizeof(b)) { 996 DPRINTF("Short MCC header, discarded\n"); 997 goto release; 998 } 999 1000 m_copydata(m, 0, sizeof(b), &b); 1001 m_adj(m, sizeof(b)); 1002 1003 if (RFCOMM_EA(b) == 0) { /* verify no extensions */ 1004 DPRINTF("MCC type EA = 0, discarded\n"); 1005 goto release; 1006 } 1007 1008 type = RFCOMM_MCC_TYPE(b); 1009 cr = RFCOMM_CR(b); 1010 1011 len = 0; 1012 do { 1013 if (m->m_pkthdr.len < sizeof(b)) { 1014 DPRINTF("Short MCC header, discarded\n"); 1015 goto release; 1016 } 1017 1018 m_copydata(m, 0, sizeof(b), &b); 1019 m_adj(m, sizeof(b)); 1020 1021 len = (len << 7) | (b >> 1); 1022 len = min(len, RFCOMM_MTU_MAX); 1023 } while (RFCOMM_EA(b) == 0); 1024 1025 if (len != m->m_pkthdr.len) { 1026 DPRINTF("Incorrect MCC length, discarded\n"); 1027 goto release; 1028 } 1029 1030 DPRINTFN(2, "MCC %s type %2.2x (%d bytes)\n", 1031 (cr ? "command" : "response"), type, len); 1032 1033 /* 1034 * pass to command handler 1035 */ 1036 switch(type) { 1037 case RFCOMM_MCC_TEST: /* Test */ 1038 rfcomm_session_recv_mcc_test(rs, cr, m); 1039 break; 1040 1041 case RFCOMM_MCC_FCON: /* Flow Control On */ 1042 rfcomm_session_recv_mcc_fcon(rs, cr); 1043 break; 1044 1045 case RFCOMM_MCC_FCOFF: /* Flow Control Off */ 1046 rfcomm_session_recv_mcc_fcoff(rs, cr); 1047 break; 1048 1049 case RFCOMM_MCC_MSC: /* Modem Status Command */ 1050 rfcomm_session_recv_mcc_msc(rs, cr, m); 1051 break; 1052 1053 case RFCOMM_MCC_RPN: /* Remote Port Negotiation */ 1054 rfcomm_session_recv_mcc_rpn(rs, cr, m); 1055 break; 1056 1057 case RFCOMM_MCC_RLS: /* Remote Line Status */ 1058 rfcomm_session_recv_mcc_rls(rs, cr, m); 1059 break; 1060 1061 case RFCOMM_MCC_PN: /* Parameter Negotiation */ 1062 rfcomm_session_recv_mcc_pn(rs, cr, m); 1063 break; 1064 1065 case RFCOMM_MCC_NSC: /* Non Supported Command */ 1066 rfcomm_session_recv_mcc_nsc(rs, cr, m); 1067 break; 1068 1069 default: 1070 b = RFCOMM_MKMCC_TYPE(cr, type); 1071 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_NSC, &b, sizeof(b)); 1072 } 1073 1074 release: 1075 m_freem(m); 1076 } 1077 1078 /* 1079 * process TEST command/response 1080 */ 1081 static void 1082 rfcomm_session_recv_mcc_test(struct rfcomm_session *rs, int cr, struct mbuf *m) 1083 { 1084 void *data; 1085 int len; 1086 1087 if (cr == 0) /* ignore ack */ 1088 return; 1089 1090 /* 1091 * we must send all the data they included back as is 1092 */ 1093 1094 len = m->m_pkthdr.len; 1095 if (len > RFCOMM_MTU_MAX) 1096 return; 1097 1098 data = malloc(len, M_BLUETOOTH, M_NOWAIT); 1099 if (data == NULL) 1100 return; 1101 1102 m_copydata(m, 0, len, data); 1103 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_TEST, data, len); 1104 free(data, M_BLUETOOTH); 1105 } 1106 1107 /* 1108 * process Flow Control ON command/response 1109 */ 1110 static void 1111 rfcomm_session_recv_mcc_fcon(struct rfcomm_session *rs, int cr) 1112 { 1113 1114 if (cr == 0) /* ignore ack */ 1115 return; 1116 1117 rs->rs_flags |= RFCOMM_SESSION_RFC; 1118 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCON, NULL, 0); 1119 } 1120 1121 /* 1122 * process Flow Control OFF command/response 1123 */ 1124 static void 1125 rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *rs, int cr) 1126 { 1127 1128 if (cr == 0) /* ignore ack */ 1129 return; 1130 1131 rs->rs_flags &= ~RFCOMM_SESSION_RFC; 1132 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCOFF, NULL, 0); 1133 } 1134 1135 /* 1136 * process Modem Status Command command/response 1137 */ 1138 static void 1139 rfcomm_session_recv_mcc_msc(struct rfcomm_session *rs, int cr, struct mbuf *m) 1140 { 1141 struct rfcomm_mcc_msc msc; /* (3 octets) */ 1142 struct rfcomm_dlc *dlc; 1143 int len = 0; 1144 1145 /* [ADDRESS] */ 1146 if (m->m_pkthdr.len < sizeof(msc.address)) 1147 return; 1148 1149 m_copydata(m, 0, sizeof(msc.address), &msc.address); 1150 m_adj(m, sizeof(msc.address)); 1151 len += sizeof(msc.address); 1152 1153 dlc = rfcomm_dlc_lookup(rs, RFCOMM_DLCI(msc.address)); 1154 1155 if (cr == 0) { /* ignore acks */ 1156 if (dlc != NULL) 1157 callout_stop(&dlc->rd_timeout); 1158 1159 return; 1160 } 1161 1162 if (dlc == NULL) { 1163 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, 1164 RFCOMM_DLCI(msc.address)); 1165 return; 1166 } 1167 1168 /* [SIGNALS] */ 1169 if (m->m_pkthdr.len < sizeof(msc.modem)) 1170 return; 1171 1172 m_copydata(m, 0, sizeof(msc.modem), &msc.modem); 1173 m_adj(m, sizeof(msc.modem)); 1174 len += sizeof(msc.modem); 1175 1176 dlc->rd_rmodem = msc.modem; 1177 /* XXX how do we signal this upstream? */ 1178 1179 if (RFCOMM_EA(msc.modem) == 0) { 1180 if (m->m_pkthdr.len < sizeof(msc.brk)) 1181 return; 1182 1183 m_copydata(m, 0, sizeof(msc.brk), &msc.brk); 1184 m_adj(m, sizeof(msc.brk)); 1185 len += sizeof(msc.brk); 1186 1187 /* XXX how do we signal this upstream? */ 1188 } 1189 1190 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_MSC, &msc, len); 1191 } 1192 1193 /* 1194 * process Remote Port Negotiation command/response 1195 */ 1196 static void 1197 rfcomm_session_recv_mcc_rpn(struct rfcomm_session *rs, int cr, struct mbuf *m) 1198 { 1199 struct rfcomm_mcc_rpn rpn; 1200 uint16_t mask; 1201 1202 if (cr == 0) /* ignore ack */ 1203 return; 1204 1205 /* default values */ 1206 rpn.bit_rate = RFCOMM_RPN_BR_9600; 1207 rpn.line_settings = RFCOMM_RPN_8_N_1; 1208 rpn.flow_control = RFCOMM_RPN_FLOW_NONE; 1209 rpn.xon_char = RFCOMM_RPN_XON_CHAR; 1210 rpn.xoff_char = RFCOMM_RPN_XOFF_CHAR; 1211 1212 if (m->m_pkthdr.len == sizeof(rpn)) { 1213 m_copydata(m, 0, sizeof(rpn), &rpn); 1214 rpn.param_mask = RFCOMM_RPN_PM_ALL; 1215 } else if (m->m_pkthdr.len == 1) { 1216 m_copydata(m, 0, 1, &rpn); 1217 rpn.param_mask = le16toh(rpn.param_mask); 1218 } else { 1219 DPRINTF("Bad RPN length (%d)\n", m->m_pkthdr.len); 1220 return; 1221 } 1222 1223 mask = 0; 1224 1225 if (rpn.param_mask & RFCOMM_RPN_PM_RATE) 1226 mask |= RFCOMM_RPN_PM_RATE; 1227 1228 if (rpn.param_mask & RFCOMM_RPN_PM_DATA 1229 && RFCOMM_RPN_DATA_BITS(rpn.line_settings) == RFCOMM_RPN_DATA_8) 1230 mask |= RFCOMM_RPN_PM_DATA; 1231 1232 if (rpn.param_mask & RFCOMM_RPN_PM_STOP 1233 && RFCOMM_RPN_STOP_BITS(rpn.line_settings) == RFCOMM_RPN_STOP_1) 1234 mask |= RFCOMM_RPN_PM_STOP; 1235 1236 if (rpn.param_mask & RFCOMM_RPN_PM_PARITY 1237 && RFCOMM_RPN_PARITY(rpn.line_settings) == RFCOMM_RPN_PARITY_NONE) 1238 mask |= RFCOMM_RPN_PM_PARITY; 1239 1240 if (rpn.param_mask & RFCOMM_RPN_PM_XON 1241 && rpn.xon_char == RFCOMM_RPN_XON_CHAR) 1242 mask |= RFCOMM_RPN_PM_XON; 1243 1244 if (rpn.param_mask & RFCOMM_RPN_PM_XOFF 1245 && rpn.xoff_char == RFCOMM_RPN_XOFF_CHAR) 1246 mask |= RFCOMM_RPN_PM_XOFF; 1247 1248 if (rpn.param_mask & RFCOMM_RPN_PM_FLOW 1249 && rpn.flow_control == RFCOMM_RPN_FLOW_NONE) 1250 mask |= RFCOMM_RPN_PM_FLOW; 1251 1252 rpn.param_mask = htole16(mask); 1253 1254 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RPN, &rpn, sizeof(rpn)); 1255 } 1256 1257 /* 1258 * process Remote Line Status command/response 1259 */ 1260 static void 1261 rfcomm_session_recv_mcc_rls(struct rfcomm_session *rs, int cr, struct mbuf *m) 1262 { 1263 struct rfcomm_mcc_rls rls; 1264 1265 if (cr == 0) /* ignore ack */ 1266 return; 1267 1268 if (m->m_pkthdr.len != sizeof(rls)) { 1269 DPRINTF("Bad RLS length %d\n", m->m_pkthdr.len); 1270 return; 1271 } 1272 1273 m_copydata(m, 0, sizeof(rls), &rls); 1274 1275 /* 1276 * So far as I can tell, we just send back what 1277 * they sent us. This signifies errors that seem 1278 * irrelevent for RFCOMM over L2CAP. 1279 */ 1280 rls.address |= 0x03; /* EA = 1, CR = 1 */ 1281 rls.status &= 0x0f; /* only 4 bits valid */ 1282 1283 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RLS, &rls, sizeof(rls)); 1284 } 1285 1286 /* 1287 * process Parameter Negotiation command/response 1288 */ 1289 static void 1290 rfcomm_session_recv_mcc_pn(struct rfcomm_session *rs, int cr, struct mbuf *m) 1291 { 1292 struct rfcomm_dlc *dlc; 1293 struct rfcomm_mcc_pn pn; 1294 int err; 1295 1296 if (m->m_pkthdr.len != sizeof(pn)) { 1297 DPRINTF("Bad PN length %d\n", m->m_pkthdr.len); 1298 return; 1299 } 1300 1301 m_copydata(m, 0, sizeof(pn), &pn); 1302 1303 pn.dlci &= 0x3f; 1304 pn.mtu = le16toh(pn.mtu); 1305 1306 dlc = rfcomm_dlc_lookup(rs, pn.dlci); 1307 if (cr) { /* Command */ 1308 /* 1309 * If there is no DLC present, this is a new 1310 * connection so attempt to make one 1311 */ 1312 if (dlc == NULL) { 1313 dlc = rfcomm_dlc_newconn(rs, pn.dlci); 1314 if (dlc == NULL) 1315 return; /* (DM is sent) */ 1316 } 1317 1318 /* accept any valid MTU, and offer it back */ 1319 pn.mtu = min(pn.mtu, RFCOMM_MTU_MAX); 1320 pn.mtu = min(pn.mtu, rs->rs_mtu); 1321 pn.mtu = max(pn.mtu, RFCOMM_MTU_MIN); 1322 dlc->rd_mtu = pn.mtu; 1323 pn.mtu = htole16(pn.mtu); 1324 1325 /* credits are only set before DLC is open */ 1326 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT 1327 && (pn.flow_control & 0xf0) == 0xf0) { 1328 rs->rs_flags |= RFCOMM_SESSION_CFC; 1329 dlc->rd_txcred = pn.credits & 0x07; 1330 1331 dlc->rd_rxcred = (dlc->rd_rxsize / dlc->rd_mtu); 1332 dlc->rd_rxcred = min(dlc->rd_rxcred, 1333 RFCOMM_CREDITS_DEFAULT); 1334 1335 pn.flow_control = 0xe0; 1336 pn.credits = dlc->rd_rxcred; 1337 } else { 1338 pn.flow_control = 0x00; 1339 pn.credits = 0x00; 1340 } 1341 1342 /* unused fields must be ignored and set to zero */ 1343 pn.ack_timer = 0; 1344 pn.max_retrans = 0; 1345 1346 /* send our response */ 1347 err = rfcomm_session_send_mcc(rs, 0, 1348 RFCOMM_MCC_PN, &pn, sizeof(pn)); 1349 if (err) 1350 goto close; 1351 1352 } else { /* Response */ 1353 /* ignore responses with no matching DLC */ 1354 if (dlc == NULL) 1355 return; 1356 1357 callout_stop(&dlc->rd_timeout); 1358 1359 if (pn.mtu > RFCOMM_MTU_MAX || pn.mtu > dlc->rd_mtu) { 1360 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT; 1361 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 1362 pn.dlci); 1363 if (err) 1364 goto close; 1365 1366 callout_schedule(&dlc->rd_timeout, 1367 rfcomm_ack_timeout * hz); 1368 return; 1369 } 1370 dlc->rd_mtu = pn.mtu; 1371 1372 /* if DLC is not waiting to connect, we are done */ 1373 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT) 1374 return; 1375 1376 /* set initial credits according to RFCOMM spec */ 1377 if ((pn.flow_control & 0xf0) == 0xe0) { 1378 rs->rs_flags |= RFCOMM_SESSION_CFC; 1379 dlc->rd_txcred = (pn.credits & 0x07); 1380 } 1381 1382 callout_schedule(&dlc->rd_timeout, rfcomm_ack_timeout * hz); 1383 1384 /* set link mode */ 1385 err = rfcomm_dlc_setmode(dlc); 1386 if (err == EINPROGRESS) { 1387 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_SABM; 1388 (*dlc->rd_proto->connecting)(dlc->rd_upper); 1389 return; 1390 } 1391 if (err) 1392 goto close; 1393 1394 /* we can proceed now */ 1395 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, pn.dlci); 1396 if (err) 1397 goto close; 1398 1399 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA; 1400 } 1401 return; 1402 1403 close: 1404 rfcomm_dlc_close(dlc, err); 1405 } 1406 1407 /* 1408 * process Non Supported Command command/response 1409 */ 1410 static void 1411 rfcomm_session_recv_mcc_nsc(struct rfcomm_session *rs, 1412 int cr, struct mbuf *m) 1413 { 1414 struct rfcomm_dlc *dlc, *next; 1415 1416 /* 1417 * Since we did nothing that is not mandatory, 1418 * we just abort the whole session.. 1419 */ 1420 1421 next = LIST_FIRST(&rs->rs_dlcs); 1422 while ((dlc = next) != NULL) { 1423 next = LIST_NEXT(dlc, rd_next); 1424 rfcomm_dlc_close(dlc, ECONNABORTED); 1425 } 1426 1427 rfcomm_session_free(rs); 1428 } 1429 1430 /*********************************************************************** 1431 * 1432 * RFCOMM Session outward frame/uih/mcc building 1433 */ 1434 1435 /* 1436 * SABM/DISC/DM/UA frames are all minimal and mostly identical. 1437 */ 1438 int 1439 rfcomm_session_send_frame(struct rfcomm_session *rs, int type, int dlci) 1440 { 1441 struct rfcomm_cmd_hdr *hdr; 1442 struct rfcomm_credit *credit; 1443 struct mbuf *m; 1444 uint8_t fcs, cr; 1445 1446 credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT); 1447 if (credit == NULL) 1448 return ENOMEM; 1449 1450 m = m_gethdr(M_DONTWAIT, MT_DATA); 1451 if (m == NULL) { 1452 pool_put(&rfcomm_credit_pool, credit); 1453 return ENOMEM; 1454 } 1455 1456 /* 1457 * The CR (command/response) bit identifies the frame either as a 1458 * commmand or a response and is used along with the DLCI to form 1459 * the address. Commands contain the non-initiator address, whereas 1460 * responses contain the initiator address, so the CR value is 1461 * also dependent on the session direction. 1462 */ 1463 if (type == RFCOMM_FRAME_UA || type == RFCOMM_FRAME_DM) 1464 cr = IS_INITIATOR(rs) ? 0 : 1; 1465 else 1466 cr = IS_INITIATOR(rs) ? 1 : 0; 1467 1468 hdr = mtod(m, struct rfcomm_cmd_hdr *); 1469 hdr->address = RFCOMM_MKADDRESS(cr, dlci); 1470 hdr->control = RFCOMM_MKCONTROL(type, 1); /* PF = 1 */ 1471 hdr->length = (0x00 << 1) | 0x01; /* len = 0x00, EA = 1 */ 1472 1473 fcs = 0xff; 1474 fcs = FCS(fcs, hdr->address); 1475 fcs = FCS(fcs, hdr->control); 1476 fcs = FCS(fcs, hdr->length); 1477 fcs = 0xff - fcs; /* ones complement */ 1478 hdr->fcs = fcs; 1479 1480 m->m_pkthdr.len = m->m_len = sizeof(struct rfcomm_cmd_hdr); 1481 1482 /* empty credit note */ 1483 credit->rc_dlc = NULL; 1484 credit->rc_len = m->m_pkthdr.len; 1485 SIMPLEQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next); 1486 1487 DPRINTFN(5, "dlci %d type %2.2x (%d bytes, fcs=%#2.2x)\n", 1488 dlci, type, m->m_pkthdr.len, fcs); 1489 1490 return l2cap_send(rs->rs_l2cap, m); 1491 } 1492 1493 /* 1494 * rfcomm_session_send_uih(rfcomm_session, rfcomm_dlc, credits, mbuf) 1495 * 1496 * UIH frame is per DLC data or Multiplexer Control Commands 1497 * when no DLC is given. Data mbuf is optional (just credits 1498 * will be sent in that case) 1499 */ 1500 int 1501 rfcomm_session_send_uih(struct rfcomm_session *rs, struct rfcomm_dlc *dlc, 1502 int credits, struct mbuf *m) 1503 { 1504 struct rfcomm_credit *credit; 1505 struct mbuf *m0 = NULL; 1506 int err, len; 1507 uint8_t fcs, *hdr; 1508 1509 KASSERT(rs != NULL); 1510 1511 len = (m == NULL) ? 0 : m->m_pkthdr.len; 1512 KASSERT(!(credits == 0 && len == 0)); 1513 1514 /* 1515 * Make a credit note for the completion notification 1516 */ 1517 credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT); 1518 if (credit == NULL) 1519 goto nomem; 1520 1521 credit->rc_len = len; 1522 credit->rc_dlc = dlc; 1523 1524 /* 1525 * Wrap UIH frame information around payload. 1526 * 1527 * [ADDRESS] [CONTROL] [LENGTH] [CREDITS] [...] [FCS] 1528 * 1529 * Address is one octet. 1530 * Control is one octet. 1531 * Length is one or two octets. 1532 * Credits may be one octet. 1533 * 1534 * FCS is one octet and calculated on address and 1535 * control octets only. 1536 * 1537 * If there are credits to be sent, we will set the PF 1538 * flag and include them in the frame. 1539 */ 1540 m0 = m_gethdr(M_DONTWAIT, MT_DATA); 1541 if (m0 == NULL) 1542 goto nomem; 1543 1544 MH_ALIGN(m0, 5); /* (max 5 header octets) */ 1545 hdr = mtod(m0, uint8_t *); 1546 1547 /* CR bit is set according to the initiator of the session */ 1548 *hdr = RFCOMM_MKADDRESS((IS_INITIATOR(rs) ? 1 : 0), 1549 (dlc ? dlc->rd_dlci : 0)); 1550 fcs = FCS(0xff, *hdr); 1551 hdr++; 1552 1553 /* PF bit is set if credits are being sent */ 1554 *hdr = RFCOMM_MKCONTROL(RFCOMM_FRAME_UIH, (credits > 0 ? 1 : 0)); 1555 fcs = FCS(fcs, *hdr); 1556 hdr++; 1557 1558 if (len < (1 << 7)) { 1559 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1560 } else { 1561 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1562 *hdr++ = ((len >> 7) & 0xff); /* 8 bits, no EA */ 1563 } 1564 1565 if (credits > 0) 1566 *hdr++ = (uint8_t)credits; 1567 1568 m0->m_len = hdr - mtod(m0, uint8_t *); 1569 1570 /* Append payload */ 1571 m0->m_next = m; 1572 m = NULL; 1573 1574 m0->m_pkthdr.len = m0->m_len + len; 1575 1576 /* Append FCS */ 1577 fcs = 0xff - fcs; /* ones complement */ 1578 len = m0->m_pkthdr.len; 1579 m_copyback(m0, len, sizeof(fcs), &fcs); 1580 if (m0->m_pkthdr.len != len + sizeof(fcs)) 1581 goto nomem; 1582 1583 DPRINTFN(10, "dlci %d, pktlen %d (%d data, %d credits), fcs=%#2.2x\n", 1584 dlc ? dlc->rd_dlci : 0, m0->m_pkthdr.len, credit->rc_len, 1585 credits, fcs); 1586 1587 /* 1588 * UIH frame ready to go.. 1589 */ 1590 err = l2cap_send(rs->rs_l2cap, m0); 1591 if (err) 1592 goto fail; 1593 1594 SIMPLEQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next); 1595 return 0; 1596 1597 nomem: 1598 err = ENOMEM; 1599 1600 if (m0 != NULL) 1601 m_freem(m0); 1602 1603 if (m != NULL) 1604 m_freem(m); 1605 1606 fail: 1607 if (credit != NULL) 1608 pool_put(&rfcomm_credit_pool, credit); 1609 1610 return err; 1611 } 1612 1613 /* 1614 * send Multiplexer Control Command (or Response) on session 1615 */ 1616 int 1617 rfcomm_session_send_mcc(struct rfcomm_session *rs, int cr, 1618 uint8_t type, void *data, int len) 1619 { 1620 struct mbuf *m; 1621 uint8_t *hdr; 1622 int hlen; 1623 1624 m = m_gethdr(M_DONTWAIT, MT_DATA); 1625 if (m == NULL) 1626 return ENOMEM; 1627 1628 hdr = mtod(m, uint8_t *); 1629 1630 /* 1631 * Technically the type field can extend past one octet, but none 1632 * currently defined will do that. 1633 */ 1634 *hdr++ = RFCOMM_MKMCC_TYPE(cr, type); 1635 1636 /* 1637 * In the frame, the max length size is 2 octets (15 bits) whereas 1638 * no max length size is specified for MCC commands. We must allow 1639 * for 3 octets since for MCC frames we use 7 bits + EA in each. 1640 * 1641 * Only test data can possibly be that big. 1642 * 1643 * XXX Should we check this against the MTU? 1644 */ 1645 if (len < (1 << 7)) { 1646 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1647 } else if (len < (1 << 14)) { 1648 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1649 *hdr++ = ((len >> 6) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1650 } else if (len < (1 << 15)) { 1651 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1652 *hdr++ = ((len >> 6) & 0xfe); /* 7 bits, EA = 0 */ 1653 *hdr++ = ((len >> 13) & 0x02) | 0x01; /* 1 bit, EA = 1 */ 1654 } else { 1655 DPRINTF("incredible length! (%d)\n", len); 1656 m_freem(m); 1657 return EMSGSIZE; 1658 } 1659 1660 /* 1661 * add command data (to same mbuf if possible) 1662 */ 1663 hlen = hdr - mtod(m, uint8_t *); 1664 1665 if (len > 0) { 1666 m->m_pkthdr.len = m->m_len = MHLEN; 1667 m_copyback(m, hlen, len, data); 1668 if (m->m_pkthdr.len != max(MHLEN, hlen + len)) { 1669 m_freem(m); 1670 return ENOMEM; 1671 } 1672 } 1673 1674 m->m_pkthdr.len = hlen + len; 1675 m->m_len = min(MHLEN, m->m_pkthdr.len); 1676 1677 DPRINTFN(5, "%s type %2.2x len %d\n", 1678 (cr ? "command" : "response"), type, m->m_pkthdr.len); 1679 1680 return rfcomm_session_send_uih(rs, NULL, 0, m); 1681 } 1682