1 /* $NetBSD: rfcomm_session.c,v 1.1 2006/06/19 15:44:45 gdamore Exp $ */ 2 3 /*- 4 * Copyright (c) 2006 Itronix Inc. 5 * All rights reserved. 6 * 7 * Written by Iain Hibbert for Itronix Inc. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of Itronix Inc. may not be used to endorse 18 * or promote products derived from this software without specific 19 * prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 23 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 24 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY 25 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 28 * ON ANY THEORY OF LIABILITY, WHETHER IN 29 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 30 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 31 * POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: rfcomm_session.c,v 1.1 2006/06/19 15:44:45 gdamore Exp $"); 36 37 #include <sys/param.h> 38 #include <sys/kernel.h> 39 #include <sys/mbuf.h> 40 #include <sys/proc.h> 41 #include <sys/systm.h> 42 #include <sys/types.h> 43 44 #include <netbt/bluetooth.h> 45 #include <netbt/hci.h> 46 #include <netbt/l2cap.h> 47 #include <netbt/rfcomm.h> 48 49 /****************************************************************************** 50 * 51 * RFCOMM Multiplexer Sessions sit directly on L2CAP channels, and can 52 * multiplex up to 30 incoming and 30 outgoing connections. 53 * Only one Multiplexer is allowed between any two devices. 54 */ 55 56 static void rfcomm_session_timeout(void *); 57 static void rfcomm_session_recv_sabm(struct rfcomm_session *, int); 58 static void rfcomm_session_recv_disc(struct rfcomm_session *, int); 59 static void rfcomm_session_recv_ua(struct rfcomm_session *, int); 60 static void rfcomm_session_recv_dm(struct rfcomm_session *, int); 61 static void rfcomm_session_recv_uih(struct rfcomm_session *, int, int, struct mbuf *, int); 62 static void rfcomm_session_recv_mcc(struct rfcomm_session *, struct mbuf *); 63 static void rfcomm_session_recv_mcc_test(struct rfcomm_session *, int, struct mbuf *); 64 static void rfcomm_session_recv_mcc_fcon(struct rfcomm_session *, int); 65 static void rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *, int); 66 static void rfcomm_session_recv_mcc_msc(struct rfcomm_session *, int, struct mbuf *); 67 static void rfcomm_session_recv_mcc_rpn(struct rfcomm_session *, int, struct mbuf *); 68 static void rfcomm_session_recv_mcc_rls(struct rfcomm_session *, int, struct mbuf *); 69 static void rfcomm_session_recv_mcc_pn(struct rfcomm_session *, int, struct mbuf *); 70 static void rfcomm_session_recv_mcc_nsc(struct rfcomm_session *, int, struct mbuf *); 71 72 /* L2CAP callbacks */ 73 static void rfcomm_session_connecting(void *); 74 static void rfcomm_session_connected(void *); 75 static void rfcomm_session_disconnected(void *, int); 76 static void *rfcomm_session_newconn(void *, struct sockaddr_bt *, struct sockaddr_bt *); 77 static void rfcomm_session_complete(void *, int); 78 static void rfcomm_session_input(void *, struct mbuf *); 79 80 static const struct btproto rfcomm_session_proto = { 81 rfcomm_session_connecting, 82 rfcomm_session_connected, 83 rfcomm_session_disconnected, 84 rfcomm_session_newconn, 85 rfcomm_session_complete, 86 rfcomm_session_input 87 }; 88 89 struct rfcomm_session_list 90 rfcomm_session_active = LIST_HEAD_INITIALIZER(rfcomm_session_active); 91 92 struct rfcomm_session_list 93 rfcomm_session_listen = LIST_HEAD_INITIALIZER(rfcomm_session_listen); 94 95 POOL_INIT(rfcomm_credit_pool, sizeof(struct rfcomm_credit), 96 0, 0, 0, "rfcomm_credit", NULL); 97 98 /* 99 * RFCOMM System Parameters (see section 5.3) 100 */ 101 int rfcomm_mtu_default = 127; /* bytes */ 102 int rfcomm_ack_timeout = 20; /* seconds */ 103 int rfcomm_mcc_timeout = 20; /* seconds */ 104 105 /* 106 * Reversed CRC table as per TS 07.10 Annex B.3.5 107 */ 108 static uint8_t crctable[256] = { /* reversed, 8-bit, poly=0x07 */ 109 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 110 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 111 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 112 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 113 114 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 115 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 116 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 117 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 118 119 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 120 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 121 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 122 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 123 124 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 125 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 126 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 127 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 128 129 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 130 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 131 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 132 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 133 134 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 135 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 136 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 137 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 138 139 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 140 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 141 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 142 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 143 144 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 145 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 146 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 147 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 148 }; 149 150 #define FCS(f, d) crctable[(f) ^ (d)] 151 152 /* 153 * rfcomm_session_alloc(list, sockaddr) 154 * 155 * allocate a new session and fill in the blanks, then 156 * attach session to front of specified list (active or listen) 157 */ 158 struct rfcomm_session * 159 rfcomm_session_alloc(struct rfcomm_session_list *list, 160 struct sockaddr_bt *laddr) 161 { 162 struct rfcomm_session *rs; 163 int err; 164 165 rs = malloc(sizeof(*rs), M_BLUETOOTH, M_NOWAIT | M_ZERO); 166 if (rs == NULL) 167 return NULL; 168 169 rs->rs_state = RFCOMM_SESSION_CLOSED; 170 171 callout_init(&rs->rs_timeout); 172 callout_setfunc(&rs->rs_timeout, rfcomm_session_timeout, rs); 173 174 SIMPLEQ_INIT(&rs->rs_credits); 175 LIST_INIT(&rs->rs_dlcs); 176 177 err = l2cap_attach(&rs->rs_l2cap, &rfcomm_session_proto, rs); 178 if (err) { 179 free(rs, M_BLUETOOTH); 180 return NULL; 181 } 182 183 (void)l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu); 184 185 if (laddr->bt_psm == L2CAP_PSM_ANY) 186 laddr->bt_psm = L2CAP_PSM_RFCOMM; 187 188 (void)l2cap_bind(rs->rs_l2cap, laddr); 189 190 LIST_INSERT_HEAD(list, rs, rs_next); 191 192 return rs; 193 } 194 195 /* 196 * rfcomm_session_free(rfcomm_session) 197 * 198 * release a session, including any cleanup 199 */ 200 void 201 rfcomm_session_free(struct rfcomm_session *rs) 202 { 203 struct rfcomm_credit *credit; 204 205 KASSERT(rs != NULL); 206 KASSERT(LIST_EMPTY(&rs->rs_dlcs)); 207 208 rs->rs_state = RFCOMM_SESSION_CLOSED; 209 210 /* 211 * If the callout is already invoked we have no way to stop it, 212 * but it will call us back right away (there are no DLC's) so 213 * not to worry. 214 */ 215 callout_stop(&rs->rs_timeout); 216 if (callout_invoking(&rs->rs_timeout)) 217 return; 218 219 /* 220 * Take care that rfcomm_session_disconnected() doesnt call 221 * us back either as it will do if the l2cap_channel has not 222 * been closed when we detach it.. 223 */ 224 if (rs->rs_flags & RFCOMM_SESSION_FREE) 225 return; 226 227 rs->rs_flags |= RFCOMM_SESSION_FREE; 228 229 /* throw away any remaining credit notes */ 230 while ((credit = SIMPLEQ_FIRST(&rs->rs_credits)) != NULL) { 231 SIMPLEQ_REMOVE_HEAD(&rs->rs_credits, rc_next); 232 pool_put(&rfcomm_credit_pool, credit); 233 } 234 235 KASSERT(SIMPLEQ_EMPTY(&rs->rs_credits)); 236 237 /* Goodbye! */ 238 LIST_REMOVE(rs, rs_next); 239 l2cap_detach(&rs->rs_l2cap); 240 free(rs, M_BLUETOOTH); 241 } 242 243 /* 244 * rfcomm_session_lookup(sockaddr, sockaddr) 245 * 246 * Find active rfcomm session matching src and dest addresses 247 * when src is BDADDR_ANY match any local address 248 */ 249 struct rfcomm_session * 250 rfcomm_session_lookup(struct sockaddr_bt *src, struct sockaddr_bt *dest) 251 { 252 struct rfcomm_session *rs; 253 struct sockaddr_bt addr; 254 255 LIST_FOREACH(rs, &rfcomm_session_active, rs_next) { 256 if (rs->rs_state == RFCOMM_SESSION_CLOSED) 257 continue; 258 259 l2cap_sockaddr(rs->rs_l2cap, &addr); 260 261 if (bdaddr_same(&src->bt_bdaddr, &addr.bt_bdaddr) == 0) 262 if (bdaddr_any(&src->bt_bdaddr) == 0) 263 continue; 264 265 l2cap_peeraddr(rs->rs_l2cap, &addr); 266 267 if (addr.bt_psm != dest->bt_psm) 268 continue; 269 270 if (bdaddr_same(&dest->bt_bdaddr, &addr.bt_bdaddr)) 271 break; 272 } 273 274 return rs; 275 } 276 277 /* 278 * rfcomm_session_timeout(rfcomm_session) 279 * 280 * Session timeouts are scheduled when a session is left or 281 * created with no DLCs, and when SABM(0) or DISC(0) are 282 * sent. 283 * 284 * So, if it is in an open state with DLC's attached then 285 * we leave it alone, otherwise the session is lost. 286 */ 287 static void 288 rfcomm_session_timeout(void *arg) 289 { 290 struct rfcomm_session *rs = arg; 291 struct rfcomm_dlc *dlc; 292 int s; 293 294 KASSERT(rs != NULL); 295 296 s = splsoftnet(); 297 callout_ack(&rs->rs_timeout); 298 299 if (rs->rs_state != RFCOMM_SESSION_OPEN) { 300 DPRINTF("timeout\n"); 301 rs->rs_state = RFCOMM_SESSION_CLOSED; 302 303 while (!LIST_EMPTY(&rs->rs_dlcs)) { 304 dlc = LIST_FIRST(&rs->rs_dlcs); 305 306 rfcomm_dlc_close(dlc, ETIMEDOUT); 307 } 308 } 309 310 if (LIST_EMPTY(&rs->rs_dlcs)) { 311 DPRINTF("expiring\n"); 312 rfcomm_session_free(rs); 313 } 314 splx(s); 315 } 316 317 /*********************************************************************** 318 * 319 * RFCOMM Session L2CAP protocol callbacks 320 * 321 */ 322 323 static void 324 rfcomm_session_connecting(void *arg) 325 { 326 //struct rfcomm_session *rs = arg; 327 328 DPRINTF("Connecting\n"); 329 } 330 331 static void 332 rfcomm_session_connected(void *arg) 333 { 334 struct rfcomm_session *rs = arg; 335 336 DPRINTF("Connected\n"); 337 338 /* 339 * L2CAP is open. 340 * 341 * If we are initiator, we can send our SABM(0) 342 * a timeout should be active? 343 * 344 * We must take note of the L2CAP MTU because currently 345 * the L2CAP implementation can only do Basic Mode. 346 */ 347 l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu); 348 349 rs->rs_mtu -= 6; /* (RFCOMM overhead could be this big) */ 350 if (rs->rs_mtu < RFCOMM_MTU_MIN) { 351 rfcomm_session_disconnected(rs, EINVAL); 352 return; 353 } 354 355 if (IS_INITIATOR(rs)) { 356 int err; 357 358 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, 0); 359 if (err) 360 rfcomm_session_disconnected(rs, err); 361 362 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz); 363 } 364 } 365 366 static void 367 rfcomm_session_disconnected(void *arg, int err) 368 { 369 struct rfcomm_session *rs = arg; 370 struct rfcomm_dlc *dlc; 371 372 DPRINTF("Disconnected\n"); 373 374 rs->rs_state = RFCOMM_SESSION_CLOSED; 375 376 while (!LIST_EMPTY(&rs->rs_dlcs)) { 377 dlc = LIST_FIRST(&rs->rs_dlcs); 378 379 rfcomm_dlc_close(dlc, err); 380 } 381 382 rfcomm_session_free(rs); 383 } 384 385 static void * 386 rfcomm_session_newconn(void *arg, struct sockaddr_bt *laddr, 387 struct sockaddr_bt *raddr) 388 { 389 struct rfcomm_session *new, *rs = arg; 390 391 DPRINTF("New Connection\n"); 392 393 /* 394 * Incoming session connect request. We should return a new 395 * session pointer if this is acceptable. The L2CAP layer 396 * passes local and remote addresses, which we must check as 397 * only one RFCOMM session is allowed between any two devices 398 */ 399 new = rfcomm_session_lookup(laddr, raddr); 400 if (new != NULL) 401 return NULL; 402 403 new = rfcomm_session_alloc(&rfcomm_session_active, laddr); 404 if (new == NULL) 405 return NULL; 406 407 new->rs_mtu = rs->rs_mtu; 408 new->rs_state = RFCOMM_SESSION_WAIT_CONNECT; 409 410 /* 411 * schedule an expiry so that if nothing comes of it we 412 * can punt. 413 */ 414 callout_schedule(&new->rs_timeout, rfcomm_mcc_timeout * hz); 415 416 return new->rs_l2cap; 417 } 418 419 static void 420 rfcomm_session_complete(void *arg, int count) 421 { 422 struct rfcomm_session *rs = arg; 423 struct rfcomm_credit *credit; 424 struct rfcomm_dlc *dlc; 425 426 /* 427 * count L2CAP packets are 'complete', meaning that they are cleared 428 * our buffers (for best effort) or arrived safe (for guaranteed) so 429 * we can take it off our list and pass the message on, so that 430 * eventually the data can be removed from the sockbuf 431 */ 432 while (count-- > 0) { 433 credit = SIMPLEQ_FIRST(&rs->rs_credits); 434 #ifdef DIAGNOSTIC 435 if (credit == NULL) { 436 printf("%s: too many packets completed!\n", __func__); 437 break; 438 } 439 #endif 440 dlc = credit->rc_dlc; 441 if (dlc != NULL) { 442 dlc->rd_pending--; 443 (*dlc->rd_proto->complete) 444 (dlc->rd_upper, credit->rc_len); 445 446 /* 447 * if not using credit flow control, we may push 448 * more data now 449 */ 450 if ((rs->rs_flags & RFCOMM_SESSION_CFC) == 0 451 && dlc->rd_state == RFCOMM_DLC_OPEN) { 452 rfcomm_dlc_start(dlc); 453 } 454 455 /* 456 * When shutdown is indicated, we are just waiting to 457 * clear outgoing data. 458 */ 459 if ((dlc->rd_flags & RFCOMM_DLC_SHUTDOWN) 460 && dlc->rd_txbuf == NULL && dlc->rd_pending == 0) { 461 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT; 462 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 463 dlc->rd_dlci); 464 callout_schedule(&dlc->rd_timeout, 465 rfcomm_ack_timeout * hz); 466 } 467 } 468 469 SIMPLEQ_REMOVE_HEAD(&rs->rs_credits, rc_next); 470 pool_put(&rfcomm_credit_pool, credit); 471 } 472 473 /* 474 * If session is closed, we are just waiting to clear the queue 475 */ 476 if (rs->rs_state == RFCOMM_SESSION_CLOSED) { 477 if (SIMPLEQ_EMPTY(&rs->rs_credits)) 478 l2cap_disconnect(rs->rs_l2cap, 0); 479 } 480 } 481 482 /* 483 * Receive data from L2CAP layer for session. There is always exactly one 484 * RFCOMM frame contained in each L2CAP frame. 485 */ 486 static void 487 rfcomm_session_input(void *arg, struct mbuf *m) 488 { 489 struct rfcomm_session *rs = arg; 490 int dlci, len, type, pf; 491 uint8_t fcs, b; 492 493 KASSERT(m != NULL); 494 KASSERT(rs != NULL); 495 496 /* 497 * UIH frames: FCS is only calculated on address and control fields 498 * For other frames: FCS is calculated on address, control and length 499 * Length may extend to two octets 500 */ 501 fcs = 0xff; 502 503 if (m->m_pkthdr.len < 4) { 504 DPRINTF("short frame (%d), discarded\n", m->m_pkthdr.len); 505 goto done; 506 } 507 508 /* address - one octet */ 509 m_copydata(m, 0, 1, &b); 510 m_adj(m, 1); 511 fcs = FCS(fcs, b); 512 dlci = RFCOMM_DLCI(b); 513 514 /* control - one octet */ 515 m_copydata(m, 0, 1, &b); 516 m_adj(m, 1); 517 fcs = FCS(fcs, b); 518 type = RFCOMM_TYPE(b); 519 pf = RFCOMM_PF(b); 520 521 /* length - may be two octets */ 522 m_copydata(m, 0, 1, &b); 523 m_adj(m, 1); 524 if (type != RFCOMM_FRAME_UIH) 525 fcs = FCS(fcs, b); 526 len = (b >> 1) & 0x7f; 527 528 if (RFCOMM_EA(b) == 0) { 529 if (m->m_pkthdr.len < 2) { 530 DPRINTF("short frame (%d, EA = 0), discarded\n", 531 m->m_pkthdr.len); 532 goto done; 533 } 534 535 m_copydata(m, 0, 1, &b); 536 m_adj(m, 1); 537 if (type != RFCOMM_FRAME_UIH) 538 fcs = FCS(fcs, b); 539 540 len |= (b << 7); 541 } 542 543 /* FCS byte is last octet in frame */ 544 m_copydata(m, m->m_pkthdr.len - 1, 1, &b); 545 m_adj(m, -1); 546 fcs = FCS(fcs, b); 547 548 if (fcs != 0xcf) { 549 DPRINTF("Bad FCS value (%#2.2x), frame discarded\n", fcs); 550 goto done; 551 } 552 553 DPRINTFN(10, "dlci %d, type %2.2x, len = %d\n", dlci, type, len); 554 555 switch (type) { 556 case RFCOMM_FRAME_SABM: 557 if (pf) 558 rfcomm_session_recv_sabm(rs, dlci); 559 break; 560 561 case RFCOMM_FRAME_DISC: 562 if (pf) 563 rfcomm_session_recv_disc(rs, dlci); 564 break; 565 566 case RFCOMM_FRAME_UA: 567 if (pf) 568 rfcomm_session_recv_ua(rs, dlci); 569 break; 570 571 case RFCOMM_FRAME_DM: 572 rfcomm_session_recv_dm(rs, dlci); 573 break; 574 575 case RFCOMM_FRAME_UIH: 576 rfcomm_session_recv_uih(rs, dlci, pf, m, len); 577 return; /* (no release) */ 578 579 default: 580 UNKNOWN(type); 581 break; 582 } 583 584 done: 585 m_freem(m); 586 } 587 588 /*********************************************************************** 589 * 590 * RFCOMM Session receive processing 591 */ 592 593 /* 594 * rfcomm_session_recv_sabm(rfcomm_session, dlci) 595 * 596 * Set Asyncrhonous Balanced Mode - open the channel. 597 */ 598 static void 599 rfcomm_session_recv_sabm(struct rfcomm_session *rs, int dlci) 600 { 601 struct rfcomm_mcc_msc msc; 602 struct rfcomm_dlc *dlc; 603 int err; 604 605 DPRINTFN(5, "SABM(%d)\n", dlci); 606 607 if (dlci == 0) { /* Open Session */ 608 rs->rs_state = RFCOMM_SESSION_OPEN; 609 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0); 610 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) { 611 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION) 612 rfcomm_dlc_connect(dlc); 613 } 614 return; 615 } 616 617 if (rs->rs_state != RFCOMM_SESSION_OPEN) { 618 DPRINTF("session was not even open!\n"); 619 return; 620 } 621 622 /* validate direction bit */ 623 if ((IS_INITIATOR(rs) && !RFCOMM_DIRECTION(dlci)) 624 || (!IS_INITIATOR(rs) && RFCOMM_DIRECTION(dlci))) { 625 DPRINTF("Invalid direction bit on DLCI\n"); 626 return; 627 } 628 629 /* 630 * look for our DLC - this may exist if we received PN 631 * already, or we may have to fabricate a new one. 632 */ 633 dlc = rfcomm_dlc_lookup(rs, dlci); 634 if (dlc == NULL) { 635 dlc = rfcomm_dlc_newconn(rs, dlci); 636 if (dlc == NULL) 637 return; /* (DM is sent) */ 638 } 639 640 DPRINTFN(2, "send UA(%d) state = %d\n", dlci, dlc->rd_state); 641 642 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci); 643 if (err) { 644 rfcomm_dlc_close(dlc, err); 645 return; 646 } 647 648 /* 649 * If this was some kind of spurious SABM then lets 650 * not do anything, heh. 651 */ 652 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT) 653 return; 654 655 msc.address = RFCOMM_MKADDRESS(1, dlc->rd_dlci); 656 msc.modem = dlc->rd_lmodem & 0xfe; /* EA = 0 */ 657 msc.brk = 0x00 | 0x01; /* EA = 1 */ 658 rfcomm_session_send_mcc(rs, 1, RFCOMM_MCC_MSC, &msc, sizeof(msc)); 659 callout_schedule(&dlc->rd_timeout, rfcomm_mcc_timeout * hz); 660 661 dlc->rd_state = RFCOMM_DLC_OPEN; 662 (*dlc->rd_proto->connected)(dlc->rd_upper); 663 } 664 665 /* 666 * Receive Disconnect Command 667 */ 668 static void 669 rfcomm_session_recv_disc(struct rfcomm_session *rs, int dlci) 670 { 671 struct rfcomm_dlc *dlc; 672 673 DPRINTFN(5, "DISC(%d)\n", dlci); 674 675 if (dlci == 0) { 676 /* 677 * Disconnect Session 678 * 679 * We set the session state to CLOSED so that when 680 * the UA frame is clear the session will be closed 681 * automatically. We wont bother to close any DLC's 682 * just yet as there should be none. In the unlikely 683 * event that something is left, it will get flushed 684 * out as the session goes down. 685 */ 686 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0); 687 rs->rs_state = RFCOMM_SESSION_CLOSED; 688 return; 689 } 690 691 dlc = rfcomm_dlc_lookup(rs, dlci); 692 if (dlc == NULL) { 693 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci); 694 return; 695 } 696 697 rfcomm_dlc_close(dlc, ECONNRESET); 698 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci); 699 } 700 701 /* 702 * Receive Unnumbered Acknowledgement Response 703 * 704 * This should be a response to a DISC or SABM frame that we 705 * have previously sent. If unexpected, ignore it. 706 */ 707 static void 708 rfcomm_session_recv_ua(struct rfcomm_session *rs, int dlci) 709 { 710 struct rfcomm_mcc_msc msc; 711 struct rfcomm_dlc *dlc; 712 713 DPRINTFN(5, "UA(%d)\n", dlci); 714 715 if (dlci == 0) { 716 switch (rs->rs_state) { 717 case RFCOMM_SESSION_WAIT_CONNECT: /* We sent SABM */ 718 callout_stop(&rs->rs_timeout); 719 rs->rs_state = RFCOMM_SESSION_OPEN; 720 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) { 721 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION) 722 rfcomm_dlc_connect(dlc); 723 } 724 break; 725 726 case RFCOMM_SESSION_WAIT_DISCONNECT: /* We sent DISC */ 727 callout_stop(&rs->rs_timeout); 728 rs->rs_state = RFCOMM_SESSION_CLOSED; 729 l2cap_disconnect(rs->rs_l2cap, 0); 730 break; 731 732 default: 733 DPRINTF("Received spurious UA(0)!\n"); 734 break; 735 } 736 737 return; 738 } 739 740 /* 741 * If we have no DLC on this dlci, we may have aborted 742 * without shutting down properly, so check if the session 743 * needs disconnecting. 744 */ 745 dlc = rfcomm_dlc_lookup(rs, dlci); 746 if (dlc == NULL) 747 goto check; 748 749 switch (dlc->rd_state) { 750 case RFCOMM_DLC_WAIT_CONNECT: /* We sent SABM */ 751 msc.address = RFCOMM_MKADDRESS(1, dlc->rd_dlci); 752 msc.modem = dlc->rd_lmodem & 0xfe; /* EA = 0 */ 753 msc.brk = 0x00 | 0x01; /* EA = 1 */ 754 rfcomm_session_send_mcc(rs, 1, RFCOMM_MCC_MSC, 755 &msc, sizeof(msc)); 756 callout_schedule(&dlc->rd_timeout, rfcomm_mcc_timeout * hz); 757 758 dlc->rd_state = RFCOMM_DLC_OPEN; 759 (*dlc->rd_proto->connected)(dlc->rd_upper); 760 return; 761 762 case RFCOMM_DLC_WAIT_DISCONNECT: /* We sent DISC */ 763 rfcomm_dlc_close(dlc, 0); 764 break; 765 766 default: 767 DPRINTF("Received spurious UA(%d)!\n", dlci); 768 return; 769 } 770 771 check: /* last one out turns out the light */ 772 if (LIST_EMPTY(&rs->rs_dlcs)) { 773 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT; 774 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0); 775 callout_schedule(&rs->rs_timeout, rfcomm_ack_timeout * hz); 776 } 777 } 778 779 /* 780 * Receive Disconnected Mode Response 781 * 782 * If this does not apply to a known DLC then we may ignore it. 783 */ 784 static void 785 rfcomm_session_recv_dm(struct rfcomm_session *rs, int dlci) 786 { 787 struct rfcomm_dlc *dlc; 788 789 DPRINTFN(5, "DM(%d)\n", dlci); 790 791 dlc = rfcomm_dlc_lookup(rs, dlci); 792 if (dlc == NULL) 793 return; 794 795 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT) 796 rfcomm_dlc_close(dlc, ECONNREFUSED); 797 else 798 rfcomm_dlc_close(dlc, ECONNRESET); 799 } 800 801 /* 802 * Receive Unnumbered Information with Header check (MCC or data packet) 803 */ 804 static void 805 rfcomm_session_recv_uih(struct rfcomm_session *rs, int dlci, 806 int pf, struct mbuf *m, int len) 807 { 808 struct rfcomm_dlc *dlc; 809 uint8_t credits = 0; 810 811 DPRINTFN(10, "UIH(%d)\n", dlci); 812 813 if (dlci == 0) { 814 rfcomm_session_recv_mcc(rs, m); 815 return; 816 } 817 818 if (m->m_pkthdr.len != len + pf) { 819 DPRINTF("Bad Frame Length (%d), frame discarded\n", 820 m->m_pkthdr.len); 821 822 goto discard; 823 } 824 825 dlc = rfcomm_dlc_lookup(rs, dlci); 826 if (dlc == NULL) { 827 DPRINTF("UIH received for non existent DLC, discarded\n"); 828 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci); 829 goto discard; 830 } 831 832 if (dlc->rd_state != RFCOMM_DLC_OPEN) { 833 DPRINTF("non-open DLC (state = %d), discarded\n", 834 dlc->rd_state); 835 goto discard; 836 } 837 838 /* if PF is set, credits were included */ 839 if (rs->rs_flags & RFCOMM_SESSION_CFC) { 840 if (pf != 0) { 841 if (m->m_pkthdr.len < sizeof(credits)) { 842 DPRINTF("Bad PF value, UIH discarded\n"); 843 goto discard; 844 } 845 846 m_copydata(m, 0, sizeof(credits), &credits); 847 m_adj(m, sizeof(credits)); 848 849 dlc->rd_txcred += credits; 850 851 if (credits > 0 && dlc->rd_txbuf != NULL) 852 rfcomm_dlc_start(dlc); 853 } 854 855 if (len == 0) 856 goto discard; 857 858 if (dlc->rd_rxcred == 0) { 859 DPRINTF("Credit limit reached, UIH discarded\n"); 860 goto discard; 861 } 862 863 if (len > dlc->rd_rxsize) { 864 DPRINTF("UIH frame exceeds rxsize, discarded\n"); 865 goto discard; 866 } 867 868 dlc->rd_rxcred--; 869 dlc->rd_rxsize -= len; 870 } 871 872 (*dlc->rd_proto->input)(dlc->rd_upper, m); 873 return; 874 875 discard: 876 m_freem(m); 877 } 878 879 /* 880 * Receive Multiplexer Control Command 881 */ 882 static void 883 rfcomm_session_recv_mcc(struct rfcomm_session *rs, struct mbuf *m) 884 { 885 int type, cr, len; 886 uint8_t b; 887 888 /* 889 * Extract MCC header. 890 * 891 * Fields are variable length using extension bit = 1 to signify the 892 * last octet in the sequence. 893 * 894 * Only single octet types are defined in TS 07.10/RFCOMM spec 895 * 896 * Length can realistically only use 15 bits (max RFCOMM MTU) 897 */ 898 if (m->m_pkthdr.len < sizeof(b)) { 899 DPRINTF("Short MCC header, discarded\n"); 900 goto release; 901 } 902 903 m_copydata(m, 0, sizeof(b), &b); 904 m_adj(m, sizeof(b)); 905 906 if (RFCOMM_EA(b) == 0) { /* verify no extensions */ 907 DPRINTF("MCC type EA = 1, discarded\n"); 908 goto release; 909 } 910 911 type = RFCOMM_MCC_TYPE(b); 912 cr = RFCOMM_CR(b); 913 914 len = 0; 915 do { 916 if (m->m_pkthdr.len < sizeof(b)) { 917 DPRINTF("Short MCC header, discarded\n"); 918 goto release; 919 } 920 921 m_copydata(m, 0, sizeof(b), &b); 922 m_adj(m, sizeof(b)); 923 924 len = (len << 7) | (b >> 1); 925 len = min(len, RFCOMM_MTU_MAX); 926 } while (RFCOMM_EA(b) == 0); 927 928 if (len != m->m_pkthdr.len) { 929 DPRINTF("Incorrect MCC length, discarded\n"); 930 goto release; 931 } 932 933 DPRINTFN(2, "MCC %s type %2.2x (%d bytes)\n", 934 (cr ? "command" : "response"), type, len); 935 936 /* 937 * pass to command handler 938 */ 939 switch(type) { 940 case RFCOMM_MCC_TEST: /* Test */ 941 rfcomm_session_recv_mcc_test(rs, cr, m); 942 break; 943 944 case RFCOMM_MCC_FCON: /* Flow Control On */ 945 rfcomm_session_recv_mcc_fcon(rs, cr); 946 break; 947 948 case RFCOMM_MCC_FCOFF: /* Flow Control Off */ 949 rfcomm_session_recv_mcc_fcoff(rs, cr); 950 break; 951 952 case RFCOMM_MCC_MSC: /* Modem Status Command */ 953 rfcomm_session_recv_mcc_msc(rs, cr, m); 954 break; 955 956 case RFCOMM_MCC_RPN: /* Remote Port Negotiation */ 957 rfcomm_session_recv_mcc_rpn(rs, cr, m); 958 break; 959 960 case RFCOMM_MCC_RLS: /* Remote Line Status */ 961 rfcomm_session_recv_mcc_rls(rs, cr, m); 962 break; 963 964 case RFCOMM_MCC_PN: /* Parameter Negotiation */ 965 rfcomm_session_recv_mcc_pn(rs, cr, m); 966 break; 967 968 case RFCOMM_MCC_NSC: /* Non Supported Command */ 969 rfcomm_session_recv_mcc_nsc(rs, cr, m); 970 break; 971 972 default: 973 b = RFCOMM_MKMCC_TYPE(cr, type); 974 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_NSC, &b, sizeof(b)); 975 } 976 977 release: 978 m_freem(m); 979 } 980 981 /* 982 * process TEST command/response 983 */ 984 static void 985 rfcomm_session_recv_mcc_test(struct rfcomm_session *rs, int cr, struct mbuf *m) 986 { 987 void *data; 988 int len; 989 990 if (cr == 0) /* ignore ack */ 991 return; 992 993 /* 994 * we must send all the data they included back as is 995 */ 996 997 len = m->m_pkthdr.len; 998 if (len > RFCOMM_MTU_MAX) 999 return; 1000 1001 data = malloc(len, M_BLUETOOTH, M_NOWAIT); 1002 if (data == NULL) 1003 return; 1004 1005 m_copydata(m, 0, len, data); 1006 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_TEST, data, len); 1007 free(data, M_BLUETOOTH); 1008 } 1009 1010 /* 1011 * process Flow Control ON command/response 1012 */ 1013 static void 1014 rfcomm_session_recv_mcc_fcon(struct rfcomm_session *rs, int cr) 1015 { 1016 1017 if (cr == 0) /* ignore ack */ 1018 return; 1019 1020 rs->rs_flags |= RFCOMM_SESSION_RFC; 1021 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCON, NULL, 0); 1022 } 1023 1024 /* 1025 * process Flow Control OFF command/response 1026 */ 1027 static void 1028 rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *rs, int cr) 1029 { 1030 1031 if (cr == 0) /* ignore ack */ 1032 return; 1033 1034 rs->rs_flags &= ~RFCOMM_SESSION_RFC; 1035 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCOFF, NULL, 0); 1036 } 1037 1038 /* 1039 * process Modem Status Command command/response 1040 */ 1041 static void 1042 rfcomm_session_recv_mcc_msc(struct rfcomm_session *rs, int cr, struct mbuf *m) 1043 { 1044 struct rfcomm_mcc_msc msc; /* (3 octets) */ 1045 struct rfcomm_dlc *dlc; 1046 int len = 0; 1047 1048 /* [ADDRESS] */ 1049 if (m->m_pkthdr.len < sizeof(msc.address)) 1050 return; 1051 1052 m_copydata(m, 0, sizeof(msc.address), &msc.address); 1053 m_adj(m, sizeof(msc.address)); 1054 len += sizeof(msc.address); 1055 1056 dlc = rfcomm_dlc_lookup(rs, RFCOMM_DLCI(msc.address)); 1057 1058 if (cr == 0) { /* ignore acks */ 1059 if (dlc != NULL) 1060 callout_stop(&dlc->rd_timeout); 1061 1062 return; 1063 } 1064 1065 if (dlc == NULL) { 1066 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, 1067 RFCOMM_DLCI(msc.address)); 1068 return; 1069 } 1070 1071 /* [SIGNALS] */ 1072 if (m->m_pkthdr.len < sizeof(msc.modem)) 1073 return; 1074 1075 m_copydata(m, 0, sizeof(msc.modem), &msc.modem); 1076 m_adj(m, sizeof(msc.modem)); 1077 len += sizeof(msc.modem); 1078 1079 dlc->rd_rmodem = msc.modem; 1080 // XXX how do we signal this upstream? 1081 1082 if (RFCOMM_EA(msc.modem) == 0) { 1083 if (m->m_pkthdr.len < sizeof(msc.brk)) 1084 return; 1085 1086 m_copydata(m, 0, sizeof(msc.brk), &msc.brk); 1087 m_adj(m, sizeof(msc.brk)); 1088 len += sizeof(msc.brk); 1089 1090 // XXX how do we signal this upstream? 1091 } 1092 1093 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_MSC, &msc, len); 1094 } 1095 1096 /* 1097 * process Remote Port Negotiation command/response 1098 */ 1099 static void 1100 rfcomm_session_recv_mcc_rpn(struct rfcomm_session *rs, int cr, struct mbuf *m) 1101 { 1102 struct rfcomm_mcc_rpn rpn; 1103 uint16_t mask; 1104 1105 if (cr == 0) /* ignore ack */ 1106 return; 1107 1108 /* default values */ 1109 rpn.bit_rate = RFCOMM_RPN_BR_9600; 1110 rpn.line_settings = RFCOMM_RPN_8_N_1; 1111 rpn.flow_control = RFCOMM_RPN_FLOW_NONE; 1112 rpn.xon_char = RFCOMM_RPN_XON_CHAR; 1113 rpn.xoff_char = RFCOMM_RPN_XOFF_CHAR; 1114 1115 if (m->m_pkthdr.len == sizeof(rpn)) { 1116 m_copydata(m, 0, sizeof(rpn), &rpn); 1117 rpn.param_mask = RFCOMM_RPN_PM_ALL; 1118 } else if (m->m_pkthdr.len == 1) { 1119 m_copydata(m, 0, 1, &rpn); 1120 rpn.param_mask = le16toh(rpn.param_mask); 1121 } else { 1122 DPRINTF("Bad RPN length (%d)\n", m->m_pkthdr.len); 1123 return; 1124 } 1125 1126 mask = 0; 1127 1128 if (rpn.param_mask & RFCOMM_RPN_PM_RATE) 1129 mask |= RFCOMM_RPN_PM_RATE; 1130 1131 if (rpn.param_mask & RFCOMM_RPN_PM_DATA 1132 && RFCOMM_RPN_DATA_BITS(rpn.line_settings) == RFCOMM_RPN_DATA_8) 1133 mask |= RFCOMM_RPN_PM_DATA; 1134 1135 if (rpn.param_mask & RFCOMM_RPN_PM_STOP 1136 && RFCOMM_RPN_STOP_BITS(rpn.line_settings) == RFCOMM_RPN_STOP_1) 1137 mask |= RFCOMM_RPN_PM_STOP; 1138 1139 if (rpn.param_mask & RFCOMM_RPN_PM_PARITY 1140 && RFCOMM_RPN_PARITY(rpn.line_settings) == RFCOMM_RPN_PARITY_NONE) 1141 mask |= RFCOMM_RPN_PM_PARITY; 1142 1143 if (rpn.param_mask & RFCOMM_RPN_PM_XON 1144 && rpn.xon_char == RFCOMM_RPN_XON_CHAR) 1145 mask |= RFCOMM_RPN_PM_XON; 1146 1147 if (rpn.param_mask & RFCOMM_RPN_PM_XOFF 1148 && rpn.xoff_char == RFCOMM_RPN_XOFF_CHAR) 1149 mask |= RFCOMM_RPN_PM_XOFF; 1150 1151 if (rpn.param_mask & RFCOMM_RPN_PM_FLOW 1152 && rpn.flow_control == RFCOMM_RPN_FLOW_NONE) 1153 mask |= RFCOMM_RPN_PM_FLOW; 1154 1155 rpn.param_mask = htole16(mask); 1156 1157 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RPN, &rpn, sizeof(rpn)); 1158 } 1159 1160 /* 1161 * process Remote Line Status command/response 1162 */ 1163 static void 1164 rfcomm_session_recv_mcc_rls(struct rfcomm_session *rs, int cr, struct mbuf *m) 1165 { 1166 struct rfcomm_mcc_rls rls; 1167 1168 if (cr == 0) /* ignore ack */ 1169 return; 1170 1171 if (m->m_pkthdr.len != sizeof(rls)) { 1172 DPRINTF("Bad RLS length %d\n", m->m_pkthdr.len); 1173 return; 1174 } 1175 1176 m_copydata(m, 0, sizeof(rls), &rls); 1177 1178 /* 1179 * So far as I can tell, we just send back what 1180 * they sent us. This signifies errors that seem 1181 * irrelevent for RFCOMM over L2CAP. 1182 */ 1183 rls.address |= 0x03; /* EA = 1, CR = 1 */ 1184 rls.status &= 0x0f; /* only 4 bits valid */ 1185 1186 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RLS, &rls, sizeof(rls)); 1187 } 1188 1189 /* 1190 * process Parameter Negotiation command/response 1191 */ 1192 static void 1193 rfcomm_session_recv_mcc_pn(struct rfcomm_session *rs, int cr, struct mbuf *m) 1194 { 1195 struct rfcomm_dlc *dlc; 1196 struct rfcomm_mcc_pn pn; 1197 int err; 1198 1199 if (m->m_pkthdr.len != sizeof(pn)) { 1200 DPRINTF("Bad PN length %d\n", m->m_pkthdr.len); 1201 return; 1202 } 1203 1204 m_copydata(m, 0, sizeof(pn), &pn); 1205 1206 pn.dlci &= 0x3f; 1207 pn.mtu = le16toh(pn.mtu); 1208 1209 dlc = rfcomm_dlc_lookup(rs, pn.dlci); 1210 if (cr) { /* Command */ 1211 /* 1212 * If there is no DLC present, this is a new 1213 * connection so attempt to make one 1214 */ 1215 if (dlc == NULL) { 1216 dlc = rfcomm_dlc_newconn(rs, pn.dlci); 1217 if (dlc == NULL) 1218 return; /* (DM is sent) */ 1219 } 1220 1221 /* accept any valid MTU, and offer it back */ 1222 pn.mtu = min(pn.mtu, RFCOMM_MTU_MAX); 1223 pn.mtu = min(pn.mtu, rs->rs_mtu); 1224 pn.mtu = max(pn.mtu, RFCOMM_MTU_MIN); 1225 dlc->rd_mtu = pn.mtu; 1226 pn.mtu = htole16(pn.mtu); 1227 1228 /* credits are only set before DLC is open */ 1229 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT 1230 && (pn.flow_control & 0xf0) == 0xf0) { 1231 rs->rs_flags |= RFCOMM_SESSION_CFC; 1232 dlc->rd_txcred = pn.credits & 0x07; 1233 1234 dlc->rd_rxcred = (dlc->rd_rxsize / dlc->rd_mtu); 1235 dlc->rd_rxcred = min(dlc->rd_rxcred, 1236 RFCOMM_CREDITS_DEFAULT); 1237 1238 pn.flow_control = 0xe0; 1239 pn.credits = dlc->rd_rxcred; 1240 } else { 1241 pn.flow_control = 0x00; 1242 pn.credits = 0x00; 1243 } 1244 1245 /* unused fields must be ignored and set to zero */ 1246 pn.ack_timer = 0; 1247 pn.max_retrans = 0; 1248 1249 /* send our response */ 1250 err = rfcomm_session_send_mcc(rs, 0, 1251 RFCOMM_MCC_PN, &pn, sizeof(pn)); 1252 if (err) 1253 goto close; 1254 1255 } else { /* Response */ 1256 /* ignore responses with no matching DLC */ 1257 if (dlc == NULL) 1258 return; 1259 1260 callout_stop(&dlc->rd_timeout); 1261 1262 if (pn.mtu > RFCOMM_MTU_MAX || pn.mtu > dlc->rd_mtu) { 1263 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT; 1264 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 1265 pn.dlci); 1266 if (err) 1267 goto close; 1268 1269 callout_schedule(&dlc->rd_timeout, 1270 rfcomm_ack_timeout * hz); 1271 return; 1272 } 1273 dlc->rd_mtu = pn.mtu; 1274 1275 /* initial credits can only be set before DLC is open */ 1276 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT 1277 && (pn.flow_control & 0xf0) == 0xe0) { 1278 rs->rs_flags |= RFCOMM_SESSION_CFC; 1279 dlc->rd_txcred = (pn.credits & 0x07); 1280 } 1281 1282 /* Ok, lets go with it */ 1283 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, pn.dlci); 1284 if (err) 1285 goto close; 1286 1287 callout_schedule(&dlc->rd_timeout, rfcomm_ack_timeout * hz); 1288 } 1289 return; 1290 1291 close: 1292 rfcomm_dlc_close(dlc, err); 1293 } 1294 1295 /* 1296 * process Non Supported Command command/response 1297 */ 1298 static void 1299 rfcomm_session_recv_mcc_nsc(struct rfcomm_session *rs, int cr, struct mbuf *m) 1300 { 1301 struct rfcomm_dlc *dlc; 1302 1303 /* 1304 * Since we did nothing that is not mandatory, 1305 * we just abort the whole session.. 1306 */ 1307 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) 1308 rfcomm_dlc_close(dlc, ECONNABORTED); 1309 1310 rfcomm_session_free(rs); 1311 } 1312 1313 /*********************************************************************** 1314 * 1315 * RFCOMM Session outward frame/uih/mcc building 1316 */ 1317 1318 /* 1319 * SABM/DISC/DM/UA frames are all minimal and mostly identical. 1320 */ 1321 int 1322 rfcomm_session_send_frame(struct rfcomm_session *rs, int type, int dlci) 1323 { 1324 struct rfcomm_cmd_hdr *hdr; 1325 struct rfcomm_credit *credit; 1326 struct mbuf *m; 1327 uint8_t fcs, cr; 1328 1329 credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT); 1330 if (credit == NULL) 1331 return ENOMEM; 1332 1333 m = m_gethdr(M_DONTWAIT, MT_DATA); 1334 if (m == NULL) { 1335 pool_put(&rfcomm_credit_pool, credit); 1336 return ENOMEM; 1337 } 1338 1339 /* 1340 * The CR (command/response) bit identifies the frame either as a 1341 * commmand or a response and is used along with the DLCI to form 1342 * the address. Commands contain the non-initiator address, whereas 1343 * responses contain the initiator address, so the CR value is 1344 * also dependent on the session direction. 1345 */ 1346 if (type == RFCOMM_FRAME_UA || type == RFCOMM_FRAME_DM) 1347 cr = IS_INITIATOR(rs) ? 0 : 1; 1348 else 1349 cr = IS_INITIATOR(rs) ? 1 : 0; 1350 1351 hdr = mtod(m, struct rfcomm_cmd_hdr *); 1352 hdr->address = RFCOMM_MKADDRESS(cr, dlci); 1353 hdr->control = RFCOMM_MKCONTROL(type, 1); /* PF = 1 */ 1354 hdr->length = (0x00 << 1) | 0x01; /* len = 0x00, EA = 1 */ 1355 1356 fcs = 0xff; 1357 fcs = FCS(fcs, hdr->address); 1358 fcs = FCS(fcs, hdr->control); 1359 fcs = FCS(fcs, hdr->length); 1360 fcs = 0xff - fcs; /* ones complement */ 1361 hdr->fcs = fcs; 1362 1363 m->m_pkthdr.len = m->m_len = sizeof(struct rfcomm_cmd_hdr); 1364 1365 /* empty credit note */ 1366 credit->rc_dlc = NULL; 1367 credit->rc_len = m->m_pkthdr.len; 1368 SIMPLEQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next); 1369 1370 DPRINTFN(5, "dlci %d type %2.2x (%d bytes, fcs=%#2.2x)\n", 1371 dlci, type, m->m_pkthdr.len, fcs); 1372 1373 return l2cap_send(rs->rs_l2cap, m); 1374 } 1375 1376 /* 1377 * rfcomm_session_send_uih(rfcomm_session, rfcomm_dlc, credits, mbuf) 1378 * 1379 * UIH frame is per DLC data or Multiplexer Control Commands 1380 * when no DLC is given. Data mbuf is optional (just credits 1381 * will be sent in that case) 1382 */ 1383 int 1384 rfcomm_session_send_uih(struct rfcomm_session *rs, struct rfcomm_dlc *dlc, 1385 int credits, struct mbuf *m) 1386 { 1387 struct rfcomm_credit *credit; 1388 struct mbuf *m0 = NULL; 1389 int err, len; 1390 uint8_t fcs, *hdr; 1391 1392 KASSERT(rs != NULL); 1393 1394 len = (m == NULL) ? 0 : m->m_pkthdr.len; 1395 KASSERT(!(credits == 0 && len == 0)); 1396 1397 /* 1398 * Make a credit note for the completion notification 1399 */ 1400 credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT); 1401 if (credit == NULL) 1402 goto nomem; 1403 1404 credit->rc_len = len; 1405 credit->rc_dlc = dlc; 1406 1407 /* 1408 * Wrap UIH frame information around payload. 1409 * 1410 * [ADDRESS] [CONTROL] [LENGTH] [CREDITS] [...] [FCS] 1411 * 1412 * Address is one octet. 1413 * Control is one octet. 1414 * Length is one or two octets. 1415 * Credits may be one octet. 1416 * 1417 * FCS is one octet and calculated on address and 1418 * control octets only. 1419 * 1420 * If there are credits to be sent, we will set the PF 1421 * flag and include them in the frame. 1422 */ 1423 m0 = m_gethdr(M_DONTWAIT, MT_DATA); 1424 if (m0 == NULL) 1425 goto nomem; 1426 1427 MH_ALIGN(m0, 5); /* (max 5 header octets) */ 1428 hdr = mtod(m0, uint8_t *); 1429 1430 /* CR bit is set according to the initiator of the session */ 1431 *hdr = RFCOMM_MKADDRESS((IS_INITIATOR(rs) ? 1 : 0), 1432 (dlc ? dlc->rd_dlci : 0)); 1433 fcs = FCS(0xff, *hdr); 1434 hdr++; 1435 1436 /* PF bit is set if credits are being sent */ 1437 *hdr = RFCOMM_MKCONTROL(RFCOMM_FRAME_UIH, (credits > 0 ? 1 : 0)); 1438 fcs = FCS(fcs, *hdr); 1439 hdr++; 1440 1441 if (len < (1 << 7)) { 1442 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1443 } else { 1444 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1445 *hdr++ = ((len >> 7) & 0xff); /* 8 bits, no EA */ 1446 } 1447 1448 if (credits > 0) 1449 *hdr++ = (uint8_t)credits; 1450 1451 m0->m_len = hdr - mtod(m0, uint8_t *); 1452 1453 /* Append payload */ 1454 m0->m_next = m; 1455 m = NULL; 1456 1457 m0->m_pkthdr.len = m0->m_len + len; 1458 1459 /* Append FCS */ 1460 fcs = 0xff - fcs; /* ones complement */ 1461 len = m0->m_pkthdr.len; 1462 m_copyback(m0, len, sizeof(fcs), &fcs); 1463 if (m0->m_pkthdr.len != len + sizeof(fcs)) 1464 goto nomem; 1465 1466 DPRINTFN(10, "dlci %d, pktlen %d (%d data, %d credits), fcs=%#2.2x\n", 1467 dlc ? dlc->rd_dlci : 0, m0->m_pkthdr.len, credit->rc_len, 1468 credits, fcs); 1469 1470 /* 1471 * UIH frame ready to go.. 1472 */ 1473 err = l2cap_send(rs->rs_l2cap, m0); 1474 if (err) 1475 goto fail; 1476 1477 SIMPLEQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next); 1478 return 0; 1479 1480 nomem: 1481 err = ENOMEM; 1482 1483 if (m0 != NULL) 1484 m_freem(m0); 1485 1486 if (m != NULL) 1487 m_freem(m); 1488 1489 fail: 1490 if (credit != NULL) 1491 pool_put(&rfcomm_credit_pool, credit); 1492 1493 return err; 1494 } 1495 1496 /* 1497 * send Multiplexer Control Command (or Response) on session 1498 */ 1499 int 1500 rfcomm_session_send_mcc(struct rfcomm_session *rs, int cr, 1501 uint8_t type, void *data, int len) 1502 { 1503 struct mbuf *m; 1504 uint8_t *hdr; 1505 int hlen; 1506 1507 m = m_gethdr(M_DONTWAIT, MT_DATA); 1508 if (m == NULL) 1509 return ENOMEM; 1510 1511 hdr = mtod(m, uint8_t *); 1512 1513 /* 1514 * Technically the type field can extend past one octet, but none 1515 * currently defined will do that. 1516 */ 1517 *hdr++ = RFCOMM_MKMCC_TYPE(cr, type); 1518 1519 /* 1520 * In the frame, the max length size is 2 octets (15 bits) whereas 1521 * no max length size is specified for MCC commands. We must allow 1522 * for 3 octets since for MCC frames we use 7 bits + EA in each. 1523 * 1524 * Only test data can possibly be that big. 1525 * 1526 * XXX Should we check this against the MTU? 1527 */ 1528 if (len < (1 << 7)) { 1529 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1530 } else if (len < (1 << 14)) { 1531 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1532 *hdr++ = ((len >> 6) & 0xfe) | 0x01; /* 7 bits, EA = 1 */ 1533 } else if (len < (1 << 15)) { 1534 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */ 1535 *hdr++ = ((len >> 6) & 0xfe); /* 7 bits, EA = 0 */ 1536 *hdr++ = ((len >> 13) & 0x02) | 0x01; /* 1 bit, EA = 1 */ 1537 } else { 1538 DPRINTF("incredible length! (%d)\n", len); 1539 m_freem(m); 1540 return EMSGSIZE; 1541 } 1542 1543 /* 1544 * add command data (to same mbuf if possible) 1545 */ 1546 hlen = hdr - mtod(m, uint8_t *); 1547 1548 if (len > 0) { 1549 m->m_pkthdr.len = m->m_len = MHLEN; 1550 m_copyback(m, hlen, len, data); 1551 if (m->m_pkthdr.len != max(MHLEN, hlen + len)) { 1552 m_freem(m); 1553 return ENOMEM; 1554 } 1555 } 1556 1557 m->m_pkthdr.len = hlen + len; 1558 m->m_len = min(MHLEN, m->m_pkthdr.len); 1559 1560 DPRINTFN(5, "%s type %2.2x len %d\n", 1561 (cr ? "command" : "response"), type, m->m_pkthdr.len); 1562 1563 return rfcomm_session_send_uih(rs, NULL, 0, m); 1564 } 1565