1/****************************************************************************** 2 * 3 * Copyright (C) 1999-2012 Broadcom Corporation 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at: 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 ******************************************************************************/ 18 19/****************************************************************************** 20 * 21 * This file contains the main L2CAP entry points 22 * 23 ******************************************************************************/ 24 25#define LOG_TAG "bt_l2c_main" 26 27#include <stdio.h> 28#include <stdlib.h> 29#include <string.h> 30 31#include "bt_common.h" 32#include "bt_target.h" 33#include "btm_int.h" 34#include "btu.h" 35#include "device/include/controller.h" 36#include "hcimsgs.h" 37#include "l2c_api.h" 38#include "l2c_int.h" 39#include "l2cdefs.h" 40#include "osi/include/log.h" 41#include "osi/include/osi.h" 42 43/******************************************************************************/ 44/* L O C A L F U N C T I O N P R O T O T Y P E S */ 45/******************************************************************************/ 46static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len); 47 48/******************************************************************************/ 49/* G L O B A L L 2 C A P D A T A */ 50/******************************************************************************/ 51tL2C_CB l2cb; 52 53/******************************************************************************* 54 * 55 * Function l2c_rcv_acl_data 56 * 57 * Description This function is called from the HCI Interface when an ACL 58 * data packet is received. 59 * 60 * Returns void 61 * 62 ******************************************************************************/ 63void l2c_rcv_acl_data(BT_HDR* p_msg) { 64 uint8_t* p = (uint8_t*)(p_msg + 1) + p_msg->offset; 65 uint16_t handle, hci_len; 66 uint8_t pkt_type; 67 tL2C_LCB* p_lcb; 68 tL2C_CCB* p_ccb = NULL; 69 uint16_t l2cap_len, rcv_cid, psm; 70 uint16_t credit; 71 72 /* Extract the handle */ 73 STREAM_TO_UINT16(handle, p); 74 pkt_type = HCID_GET_EVENT(handle); 75 handle = HCID_GET_HANDLE(handle); 76 77 /* Since the HCI Transport is putting segmented packets back together, we */ 78 /* should never get a valid packet with the type set to "continuation" */ 79 if (pkt_type != L2CAP_PKT_CONTINUE) { 80 /* Find the LCB based on the handle */ 81 p_lcb = l2cu_find_lcb_by_handle(handle); 82 if (p_lcb == NULL) { 83 uint8_t cmd_code; 84 85 /* There is a slight possibility (specifically with USB) that we get an */ 86 /* L2CAP connection request before we get the HCI connection complete. */ 87 /* So for these types of messages, hold them for up to 2 seconds. */ 88 STREAM_TO_UINT16(hci_len, p); 89 STREAM_TO_UINT16(l2cap_len, p); 90 STREAM_TO_UINT16(rcv_cid, p); 91 STREAM_TO_UINT8(cmd_code, p); 92 93 if ((p_msg->layer_specific == 0) && (rcv_cid == L2CAP_SIGNALLING_CID) && 94 (cmd_code == L2CAP_CMD_INFO_REQ || cmd_code == L2CAP_CMD_CONN_REQ)) { 95 L2CAP_TRACE_WARNING( 96 "L2CAP - holding ACL for unknown handle:%d ls:%d" 97 " cid:%d opcode:%d cur count:%d", 98 handle, p_msg->layer_specific, rcv_cid, cmd_code, 99 list_length(l2cb.rcv_pending_q)); 100 p_msg->layer_specific = 2; 101 list_append(l2cb.rcv_pending_q, p_msg); 102 103 if (list_length(l2cb.rcv_pending_q) == 1) { 104 alarm_set_on_mloop(l2cb.receive_hold_timer, BT_1SEC_TIMEOUT_MS, 105 l2c_receive_hold_timer_timeout, NULL); 106 } 107 108 return; 109 } else { 110 L2CAP_TRACE_ERROR( 111 "L2CAP - rcvd ACL for unknown handle:%d ls:%d cid:%d" 112 " opcode:%d cur count:%d", 113 handle, p_msg->layer_specific, rcv_cid, cmd_code, 114 list_length(l2cb.rcv_pending_q)); 115 } 116 osi_free(p_msg); 117 return; 118 } 119 } else { 120 L2CAP_TRACE_WARNING("L2CAP - expected pkt start or complete, got: %d", 121 pkt_type); 122 osi_free(p_msg); 123 return; 124 } 125 126 /* Extract the length and update the buffer header */ 127 STREAM_TO_UINT16(hci_len, p); 128 p_msg->offset += 4; 129 130 if (hci_len < L2CAP_PKT_OVERHEAD) { 131 /* Must receive at least the L2CAP length and CID */ 132 L2CAP_TRACE_WARNING("L2CAP - got incorrect hci header"); 133 osi_free(p_msg); 134 return; 135 } 136 137 /* Extract the length and CID */ 138 STREAM_TO_UINT16(l2cap_len, p); 139 STREAM_TO_UINT16(rcv_cid, p); 140 141 /* for BLE channel, always notify connection when ACL data received on the 142 * link */ 143 if (p_lcb && p_lcb->transport == BT_TRANSPORT_LE && 144 p_lcb->link_state != LST_DISCONNECTING) 145 /* only process fixed channel data as channel open indication when link is 146 * not in disconnecting mode */ 147 l2cble_notify_le_connection(p_lcb->remote_bd_addr); 148 149 /* Find the CCB for this CID */ 150 if (rcv_cid >= L2CAP_BASE_APPL_CID) { 151 p_ccb = l2cu_find_ccb_by_cid(p_lcb, rcv_cid); 152 if (p_ccb == NULL) { 153 L2CAP_TRACE_WARNING("L2CAP - unknown CID: 0x%04x", rcv_cid); 154 osi_free(p_msg); 155 return; 156 } 157 } 158 159 p_msg->len = hci_len - L2CAP_PKT_OVERHEAD; 160 p_msg->offset += L2CAP_PKT_OVERHEAD; 161 162 if (l2cap_len != p_msg->len) { 163 L2CAP_TRACE_WARNING("L2CAP - bad length in pkt. Exp: %d Act: %d", 164 l2cap_len, p_msg->len); 165 166 osi_free(p_msg); 167 return; 168 } 169 170 /* Send the data through the channel state machine */ 171 if (rcv_cid == L2CAP_SIGNALLING_CID) { 172 process_l2cap_cmd(p_lcb, p, l2cap_len); 173 osi_free(p_msg); 174 } else if (rcv_cid == L2CAP_CONNECTIONLESS_CID) { 175 /* process_connectionless_data (p_lcb); */ 176 STREAM_TO_UINT16(psm, p); 177 L2CAP_TRACE_DEBUG("GOT CONNECTIONLESS DATA PSM:%d", psm); 178 179#if (L2CAP_UCD_INCLUDED == TRUE) 180 /* if it is not broadcast, check UCD registration */ 181 if (l2c_ucd_check_rx_pkts(p_lcb, p_msg)) { 182 /* nothing to do */ 183 } else 184#endif 185 osi_free(p_msg); 186 } else if (rcv_cid == L2CAP_BLE_SIGNALLING_CID) { 187 l2cble_process_sig_cmd(p_lcb, p, l2cap_len); 188 osi_free(p_msg); 189 } 190#if (L2CAP_NUM_FIXED_CHNLS > 0) 191 else if ((rcv_cid >= L2CAP_FIRST_FIXED_CHNL) && 192 (rcv_cid <= L2CAP_LAST_FIXED_CHNL) && 193 (l2cb.fixed_reg[rcv_cid - L2CAP_FIRST_FIXED_CHNL] 194 .pL2CA_FixedData_Cb != NULL)) { 195 /* If no CCB for this channel, allocate one */ 196 if (p_lcb && 197 /* only process fixed channel data when link is open or wait for data 198 indication */ 199 (p_lcb->link_state != LST_DISCONNECTING) && 200 l2cu_initialize_fixed_ccb( 201 p_lcb, rcv_cid, &l2cb.fixed_reg[rcv_cid - L2CAP_FIRST_FIXED_CHNL] 202 .fixed_chnl_opts)) { 203 p_ccb = p_lcb->p_fixed_ccbs[rcv_cid - L2CAP_FIRST_FIXED_CHNL]; 204 205 if (p_ccb->peer_cfg.fcr.mode != L2CAP_FCR_BASIC_MODE) 206 l2c_fcr_proc_pdu(p_ccb, p_msg); 207 else 208 (*l2cb.fixed_reg[rcv_cid - L2CAP_FIRST_FIXED_CHNL].pL2CA_FixedData_Cb)( 209 rcv_cid, p_lcb->remote_bd_addr, p_msg); 210 } else 211 osi_free(p_msg); 212 } 213#endif 214 215 else { 216 if (p_ccb == NULL) 217 osi_free(p_msg); 218 else { 219 if (p_lcb->transport == BT_TRANSPORT_LE) { 220 l2c_lcc_proc_pdu(p_ccb, p_msg); 221 // Got a pkt, valid send out credits to the peer device 222 credit = L2CAP_LE_DEFAULT_CREDIT; 223 l2c_csm_execute(p_ccb, L2CEVT_L2CA_SEND_FLOW_CONTROL_CREDIT, &credit); 224 } else { 225 /* Basic mode packets go straight to the state machine */ 226 if (p_ccb->peer_cfg.fcr.mode == L2CAP_FCR_BASIC_MODE) 227 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_DATA, p_msg); 228 else { 229 /* eRTM or streaming mode, so we need to validate states first */ 230 if ((p_ccb->chnl_state == CST_OPEN) || 231 (p_ccb->chnl_state == CST_CONFIG)) 232 l2c_fcr_proc_pdu(p_ccb, p_msg); 233 else 234 osi_free(p_msg); 235 } 236 } 237 } 238 } 239} 240 241/******************************************************************************* 242 * 243 * Function process_l2cap_cmd 244 * 245 * Description This function is called when a packet is received on the 246 * L2CAP signalling CID 247 * 248 * Returns void 249 * 250 ******************************************************************************/ 251static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { 252 uint8_t *p_pkt_end, *p_next_cmd, *p_cfg_end, *p_cfg_start; 253 uint8_t cmd_code, cfg_code, cfg_len, id; 254 tL2C_CONN_INFO con_info; 255 tL2CAP_CFG_INFO cfg_info; 256 uint16_t rej_reason, rej_mtu, lcid, rcid, info_type; 257 tL2C_CCB* p_ccb; 258 tL2C_RCB* p_rcb; 259 bool cfg_rej, pkt_size_rej = false; 260 uint16_t cfg_rej_len, cmd_len; 261 uint16_t result; 262 tL2C_CONN_INFO ci; 263 264 /* if l2cap command received in CID 1 on top of an LE link, ignore this 265 * command */ 266 if (p_lcb->transport == BT_TRANSPORT_LE) return; 267 268 /* Reject the packet if it exceeds the default Signalling Channel MTU */ 269 if (pkt_len > L2CAP_DEFAULT_MTU) { 270 /* Core Spec requires a single response to the first command found in a 271 *multi-command 272 ** L2cap packet. If only responses in the packet, then it will be ignored. 273 ** Here we simply mark the bad packet and decide which cmd ID to reject 274 *later 275 */ 276 pkt_size_rej = true; 277 L2CAP_TRACE_ERROR("L2CAP SIG MTU Pkt Len Exceeded (672) -> pkt_len: %d", 278 pkt_len); 279 } 280 281 p_next_cmd = p; 282 p_pkt_end = p + pkt_len; 283 284 memset(&cfg_info, 0, sizeof(cfg_info)); 285 286 /* An L2CAP packet may contain multiple commands */ 287 while (true) { 288 /* Smallest command is 4 bytes */ 289 p = p_next_cmd; 290 if (p > (p_pkt_end - 4)) break; 291 292 STREAM_TO_UINT8(cmd_code, p); 293 STREAM_TO_UINT8(id, p); 294 STREAM_TO_UINT16(cmd_len, p); 295 296 if (cmd_len > BT_SMALL_BUFFER_SIZE) { 297 L2CAP_TRACE_WARNING("L2CAP - Invalid MTU Size"); 298 l2cu_send_peer_cmd_reject(p_lcb, L2CAP_CMD_REJ_MTU_EXCEEDED, id, 0, 0); 299 return; 300 } 301 302 /* Check command length does not exceed packet length */ 303 p_next_cmd = p + cmd_len; 304 if (p_next_cmd > p_pkt_end) { 305 L2CAP_TRACE_WARNING("Command len bad pkt_len: %d cmd_len: %d code: %d", 306 pkt_len, cmd_len, cmd_code); 307 break; 308 } 309 310 L2CAP_TRACE_DEBUG("cmd_code: %d, id:%d, cmd_len:%d", cmd_code, id, cmd_len); 311 312 /* Bad L2CAP packet length, look or cmd to reject */ 313 if (pkt_size_rej) { 314 /* If command found rejected it and we're done, otherwise keep looking */ 315 if (l2c_is_cmd_rejected(cmd_code, id, p_lcb)) 316 return; 317 else 318 continue; /* Look for next cmd/response in current packet */ 319 } 320 321 switch (cmd_code) { 322 case L2CAP_CMD_REJECT: 323 if (p + 2 > p_next_cmd) { 324 android_errorWriteLog(0x534e4554, "74202041"); 325 return; 326 } 327 STREAM_TO_UINT16(rej_reason, p); 328 if (rej_reason == L2CAP_CMD_REJ_MTU_EXCEEDED) { 329 if (p + 2 > p_next_cmd) { 330 android_errorWriteLog(0x534e4554, "74202041"); 331 return; 332 } 333 STREAM_TO_UINT16(rej_mtu, p); 334 /* What to do with the MTU reject ? We have negotiated an MTU. For now 335 */ 336 /* we will ignore it and let a higher protocol timeout take care of it 337 */ 338 339 L2CAP_TRACE_WARNING("L2CAP - MTU rej Handle: %d MTU: %d", 340 p_lcb->handle, rej_mtu); 341 } 342 if (rej_reason == L2CAP_CMD_REJ_INVALID_CID) { 343 if (p + 4 > p_next_cmd) { 344 android_errorWriteLog(0x534e4554, "74202041"); 345 return; 346 } 347 STREAM_TO_UINT16(rcid, p); 348 STREAM_TO_UINT16(lcid, p); 349 350 L2CAP_TRACE_WARNING( 351 "L2CAP - rej with CID invalid, LCID: 0x%04x RCID: 0x%04x", lcid, 352 rcid); 353 354 /* Remote CID invalid. Treat as a disconnect */ 355 p_ccb = l2cu_find_ccb_by_cid(p_lcb, lcid); 356 if ((p_ccb != NULL) && (p_ccb->remote_cid == rcid)) { 357 /* Fake link disconnect - no reply is generated */ 358 l2c_csm_execute(p_ccb, L2CEVT_LP_DISCONNECT_IND, NULL); 359 } 360 } 361 362 /* SonyEricsson Info request Bug workaround (Continue connection) */ 363 else if (rej_reason == L2CAP_CMD_REJ_NOT_UNDERSTOOD && 364 p_lcb->w4_info_rsp) { 365 alarm_cancel(p_lcb->info_resp_timer); 366 367 p_lcb->w4_info_rsp = false; 368 ci.status = HCI_SUCCESS; 369 ci.bd_addr = p_lcb->remote_bd_addr; 370 371 /* For all channels, send the event through their FSMs */ 372 for (p_ccb = p_lcb->ccb_queue.p_first_ccb; p_ccb; 373 p_ccb = p_ccb->p_next_ccb) { 374 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_INFO_RSP, &ci); 375 } 376 } 377 break; 378 379 case L2CAP_CMD_CONN_REQ: 380 if (p + 4 > p_next_cmd) { 381 android_errorWriteLog(0x534e4554, "74202041"); 382 return; 383 } 384 STREAM_TO_UINT16(con_info.psm, p); 385 STREAM_TO_UINT16(rcid, p); 386 p_rcb = l2cu_find_rcb_by_psm(con_info.psm); 387 if (p_rcb == NULL) { 388 L2CAP_TRACE_WARNING("L2CAP - rcvd conn req for unknown PSM: %d", 389 con_info.psm); 390 l2cu_reject_connection(p_lcb, rcid, id, L2CAP_CONN_NO_PSM); 391 break; 392 } else { 393 if (!p_rcb->api.pL2CA_ConnectInd_Cb) { 394 L2CAP_TRACE_WARNING( 395 "L2CAP - rcvd conn req for outgoing-only connection PSM: %d", 396 con_info.psm); 397 l2cu_reject_connection(p_lcb, rcid, id, L2CAP_CONN_NO_PSM); 398 break; 399 } 400 } 401 p_ccb = l2cu_allocate_ccb(p_lcb, 0); 402 if (p_ccb == NULL) { 403 L2CAP_TRACE_ERROR("L2CAP - unable to allocate CCB"); 404 l2cu_reject_connection(p_lcb, rcid, id, L2CAP_CONN_NO_RESOURCES); 405 break; 406 } 407 p_ccb->remote_id = id; 408 p_ccb->p_rcb = p_rcb; 409 p_ccb->remote_cid = rcid; 410 411 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_CONNECT_REQ, &con_info); 412 break; 413 414 case L2CAP_CMD_CONN_RSP: 415 if (p + 8 > p_next_cmd) { 416 android_errorWriteLog(0x534e4554, "74202041"); 417 return; 418 } 419 STREAM_TO_UINT16(con_info.remote_cid, p); 420 STREAM_TO_UINT16(lcid, p); 421 STREAM_TO_UINT16(con_info.l2cap_result, p); 422 STREAM_TO_UINT16(con_info.l2cap_status, p); 423 424 p_ccb = l2cu_find_ccb_by_cid(p_lcb, lcid); 425 if (p_ccb == NULL) { 426 L2CAP_TRACE_WARNING("L2CAP - no CCB for conn rsp, LCID: %d RCID: %d", 427 lcid, con_info.remote_cid); 428 break; 429 } 430 if (p_ccb->local_id != id) { 431 L2CAP_TRACE_WARNING("L2CAP - con rsp - bad ID. Exp: %d Got: %d", 432 p_ccb->local_id, id); 433 break; 434 } 435 436 if (con_info.l2cap_result == L2CAP_CONN_OK) 437 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_CONNECT_RSP, &con_info); 438 else if (con_info.l2cap_result == L2CAP_CONN_PENDING) 439 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_CONNECT_RSP_PND, &con_info); 440 else 441 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_CONNECT_RSP_NEG, &con_info); 442 443 break; 444 445 case L2CAP_CMD_CONFIG_REQ: 446 p_cfg_end = p + cmd_len; 447 cfg_rej = false; 448 cfg_rej_len = 0; 449 450 if (p + 4 > p_next_cmd) { 451 android_errorWriteLog(0x534e4554, "74202041"); 452 return; 453 } 454 STREAM_TO_UINT16(lcid, p); 455 STREAM_TO_UINT16(cfg_info.flags, p); 456 457 p_cfg_start = p; 458 459 cfg_info.flush_to_present = cfg_info.mtu_present = 460 cfg_info.qos_present = cfg_info.fcr_present = cfg_info.fcs_present = 461 false; 462 463 while (p < p_cfg_end) { 464 if (p + 2 > p_next_cmd) { 465 android_errorWriteLog(0x534e4554, "74202041"); 466 return; 467 } 468 STREAM_TO_UINT8(cfg_code, p); 469 STREAM_TO_UINT8(cfg_len, p); 470 471 switch (cfg_code & 0x7F) { 472 case L2CAP_CFG_TYPE_MTU: 473 cfg_info.mtu_present = true; 474 if (p + 2 > p_next_cmd) { 475 android_errorWriteLog(0x534e4554, "74202041"); 476 return; 477 } 478 STREAM_TO_UINT16(cfg_info.mtu, p); 479 break; 480 481 case L2CAP_CFG_TYPE_FLUSH_TOUT: 482 cfg_info.flush_to_present = true; 483 if (p + 2 > p_next_cmd) { 484 android_errorWriteLog(0x534e4554, "74202041"); 485 return; 486 } 487 STREAM_TO_UINT16(cfg_info.flush_to, p); 488 break; 489 490 case L2CAP_CFG_TYPE_QOS: 491 cfg_info.qos_present = true; 492 if (p + 2 + 5 * 4 > p_next_cmd) { 493 android_errorWriteLog(0x534e4554, "74202041"); 494 return; 495 } 496 STREAM_TO_UINT8(cfg_info.qos.qos_flags, p); 497 STREAM_TO_UINT8(cfg_info.qos.service_type, p); 498 STREAM_TO_UINT32(cfg_info.qos.token_rate, p); 499 STREAM_TO_UINT32(cfg_info.qos.token_bucket_size, p); 500 STREAM_TO_UINT32(cfg_info.qos.peak_bandwidth, p); 501 STREAM_TO_UINT32(cfg_info.qos.latency, p); 502 STREAM_TO_UINT32(cfg_info.qos.delay_variation, p); 503 break; 504 505 case L2CAP_CFG_TYPE_FCR: 506 cfg_info.fcr_present = true; 507 if (p + 3 + 3 * 2 > p_next_cmd) { 508 android_errorWriteLog(0x534e4554, "74202041"); 509 return; 510 } 511 STREAM_TO_UINT8(cfg_info.fcr.mode, p); 512 STREAM_TO_UINT8(cfg_info.fcr.tx_win_sz, p); 513 STREAM_TO_UINT8(cfg_info.fcr.max_transmit, p); 514 STREAM_TO_UINT16(cfg_info.fcr.rtrans_tout, p); 515 STREAM_TO_UINT16(cfg_info.fcr.mon_tout, p); 516 STREAM_TO_UINT16(cfg_info.fcr.mps, p); 517 break; 518 519 case L2CAP_CFG_TYPE_FCS: 520 cfg_info.fcs_present = true; 521 if (p + 1 > p_next_cmd) { 522 android_errorWriteLog(0x534e4554, "74202041"); 523 return; 524 } 525 STREAM_TO_UINT8(cfg_info.fcs, p); 526 break; 527 528 case L2CAP_CFG_TYPE_EXT_FLOW: 529 cfg_info.ext_flow_spec_present = true; 530 if (p + 2 + 2 + 3 * 4 > p_next_cmd) { 531 android_errorWriteLog(0x534e4554, "74202041"); 532 return; 533 } 534 STREAM_TO_UINT8(cfg_info.ext_flow_spec.id, p); 535 STREAM_TO_UINT8(cfg_info.ext_flow_spec.stype, p); 536 STREAM_TO_UINT16(cfg_info.ext_flow_spec.max_sdu_size, p); 537 STREAM_TO_UINT32(cfg_info.ext_flow_spec.sdu_inter_time, p); 538 STREAM_TO_UINT32(cfg_info.ext_flow_spec.access_latency, p); 539 STREAM_TO_UINT32(cfg_info.ext_flow_spec.flush_timeout, p); 540 break; 541 542 default: 543 /* sanity check option length */ 544 if ((cfg_len + L2CAP_CFG_OPTION_OVERHEAD) <= cmd_len) { 545 p += cfg_len; 546 if ((cfg_code & 0x80) == 0) { 547 cfg_rej_len += cfg_len + L2CAP_CFG_OPTION_OVERHEAD; 548 cfg_rej = true; 549 } 550 } 551 /* bad length; force loop exit */ 552 else { 553 p = p_cfg_end; 554 cfg_rej = true; 555 } 556 break; 557 } 558 } 559 560 p_ccb = l2cu_find_ccb_by_cid(p_lcb, lcid); 561 if (p_ccb != NULL) { 562 p_ccb->remote_id = id; 563 if (cfg_rej) { 564 l2cu_send_peer_config_rej( 565 p_ccb, p_cfg_start, (uint16_t)(cmd_len - L2CAP_CONFIG_REQ_LEN), 566 cfg_rej_len); 567 } else { 568 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_CONFIG_REQ, &cfg_info); 569 } 570 } else { 571 /* updated spec says send command reject on invalid cid */ 572 l2cu_send_peer_cmd_reject(p_lcb, L2CAP_CMD_REJ_INVALID_CID, id, 0, 0); 573 } 574 break; 575 576 case L2CAP_CMD_CONFIG_RSP: 577 p_cfg_end = p + cmd_len; 578 if (p + 6 > p_next_cmd) { 579 android_errorWriteLog(0x534e4554, "74202041"); 580 return; 581 } 582 STREAM_TO_UINT16(lcid, p); 583 STREAM_TO_UINT16(cfg_info.flags, p); 584 STREAM_TO_UINT16(cfg_info.result, p); 585 586 cfg_info.flush_to_present = cfg_info.mtu_present = 587 cfg_info.qos_present = cfg_info.fcr_present = cfg_info.fcs_present = 588 false; 589 590 while (p < p_cfg_end) { 591 if (p + 2 > p_next_cmd) { 592 android_errorWriteLog(0x534e4554, "74202041"); 593 return; 594 } 595 STREAM_TO_UINT8(cfg_code, p); 596 STREAM_TO_UINT8(cfg_len, p); 597 598 switch (cfg_code & 0x7F) { 599 case L2CAP_CFG_TYPE_MTU: 600 cfg_info.mtu_present = true; 601 if (p + 2 > p_next_cmd) { 602 android_errorWriteLog(0x534e4554, "74202041"); 603 return; 604 } 605 STREAM_TO_UINT16(cfg_info.mtu, p); 606 break; 607 608 case L2CAP_CFG_TYPE_FLUSH_TOUT: 609 cfg_info.flush_to_present = true; 610 if (p + 2 > p_next_cmd) { 611 android_errorWriteLog(0x534e4554, "74202041"); 612 return; 613 } 614 STREAM_TO_UINT16(cfg_info.flush_to, p); 615 break; 616 617 case L2CAP_CFG_TYPE_QOS: 618 cfg_info.qos_present = true; 619 if (p + 2 + 5 * 4 > p_next_cmd) { 620 android_errorWriteLog(0x534e4554, "74202041"); 621 return; 622 } 623 STREAM_TO_UINT8(cfg_info.qos.qos_flags, p); 624 STREAM_TO_UINT8(cfg_info.qos.service_type, p); 625 STREAM_TO_UINT32(cfg_info.qos.token_rate, p); 626 STREAM_TO_UINT32(cfg_info.qos.token_bucket_size, p); 627 STREAM_TO_UINT32(cfg_info.qos.peak_bandwidth, p); 628 STREAM_TO_UINT32(cfg_info.qos.latency, p); 629 STREAM_TO_UINT32(cfg_info.qos.delay_variation, p); 630 break; 631 632 case L2CAP_CFG_TYPE_FCR: 633 cfg_info.fcr_present = true; 634 if (p + 3 + 3 * 2 > p_next_cmd) { 635 android_errorWriteLog(0x534e4554, "74202041"); 636 return; 637 } 638 STREAM_TO_UINT8(cfg_info.fcr.mode, p); 639 STREAM_TO_UINT8(cfg_info.fcr.tx_win_sz, p); 640 STREAM_TO_UINT8(cfg_info.fcr.max_transmit, p); 641 STREAM_TO_UINT16(cfg_info.fcr.rtrans_tout, p); 642 STREAM_TO_UINT16(cfg_info.fcr.mon_tout, p); 643 STREAM_TO_UINT16(cfg_info.fcr.mps, p); 644 break; 645 646 case L2CAP_CFG_TYPE_FCS: 647 cfg_info.fcs_present = true; 648 if (p + 1 > p_next_cmd) { 649 android_errorWriteLog(0x534e4554, "74202041"); 650 return; 651 } 652 STREAM_TO_UINT8(cfg_info.fcs, p); 653 break; 654 655 case L2CAP_CFG_TYPE_EXT_FLOW: 656 cfg_info.ext_flow_spec_present = true; 657 if (p + 2 + 2 + 3 * 4 > p_next_cmd) { 658 android_errorWriteLog(0x534e4554, "74202041"); 659 return; 660 } 661 STREAM_TO_UINT8(cfg_info.ext_flow_spec.id, p); 662 STREAM_TO_UINT8(cfg_info.ext_flow_spec.stype, p); 663 STREAM_TO_UINT16(cfg_info.ext_flow_spec.max_sdu_size, p); 664 STREAM_TO_UINT32(cfg_info.ext_flow_spec.sdu_inter_time, p); 665 STREAM_TO_UINT32(cfg_info.ext_flow_spec.access_latency, p); 666 STREAM_TO_UINT32(cfg_info.ext_flow_spec.flush_timeout, p); 667 break; 668 } 669 } 670 671 p_ccb = l2cu_find_ccb_by_cid(p_lcb, lcid); 672 if (p_ccb != NULL) { 673 if (p_ccb->local_id != id) { 674 L2CAP_TRACE_WARNING("L2CAP - cfg rsp - bad ID. Exp: %d Got: %d", 675 p_ccb->local_id, id); 676 break; 677 } 678 if ((cfg_info.result == L2CAP_CFG_OK) || 679 (cfg_info.result == L2CAP_CFG_PENDING)) 680 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_CONFIG_RSP, &cfg_info); 681 else 682 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_CONFIG_RSP_NEG, &cfg_info); 683 } else { 684 L2CAP_TRACE_WARNING("L2CAP - rcvd cfg rsp for unknown CID: 0x%04x", 685 lcid); 686 } 687 break; 688 689 case L2CAP_CMD_DISC_REQ: 690 if (p + 4 > p_next_cmd) { 691 android_errorWriteLog(0x534e4554, "74202041"); 692 return; 693 } 694 STREAM_TO_UINT16(lcid, p); 695 STREAM_TO_UINT16(rcid, p); 696 697 p_ccb = l2cu_find_ccb_by_cid(p_lcb, lcid); 698 if (p_ccb != NULL) { 699 if (p_ccb->remote_cid == rcid) { 700 p_ccb->remote_id = id; 701 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_DISCONNECT_REQ, &con_info); 702 } 703 } else 704 l2cu_send_peer_disc_rsp(p_lcb, id, lcid, rcid); 705 706 break; 707 708 case L2CAP_CMD_DISC_RSP: 709 if (p + 4 > p_next_cmd) { 710 android_errorWriteLog(0x534e4554, "74202041"); 711 return; 712 } 713 STREAM_TO_UINT16(rcid, p); 714 STREAM_TO_UINT16(lcid, p); 715 716 p_ccb = l2cu_find_ccb_by_cid(p_lcb, lcid); 717 if (p_ccb != NULL) { 718 if ((p_ccb->remote_cid == rcid) && (p_ccb->local_id == id)) { 719 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_DISCONNECT_RSP, &con_info); 720 } 721 } 722 break; 723 724 case L2CAP_CMD_ECHO_REQ: 725 l2cu_send_peer_echo_rsp(p_lcb, id, p, cmd_len); 726 break; 727 728 case L2CAP_CMD_ECHO_RSP: 729 if (p_lcb->p_echo_rsp_cb) { 730 tL2CA_ECHO_RSP_CB* p_cb = p_lcb->p_echo_rsp_cb; 731 732 /* Zero out the callback in case app immediately calls us again */ 733 p_lcb->p_echo_rsp_cb = NULL; 734 735 (*p_cb)(L2CAP_PING_RESULT_OK); 736 } 737 break; 738 739 case L2CAP_CMD_INFO_REQ: 740 if (p + 2 > p_next_cmd) { 741 android_errorWriteLog(0x534e4554, "74202041"); 742 return; 743 } 744 STREAM_TO_UINT16(info_type, p); 745 l2cu_send_peer_info_rsp(p_lcb, id, info_type); 746 break; 747 748 case L2CAP_CMD_INFO_RSP: 749 /* Stop the link connect timer if sent before L2CAP connection is up */ 750 if (p_lcb->w4_info_rsp) { 751 alarm_cancel(p_lcb->info_resp_timer); 752 p_lcb->w4_info_rsp = false; 753 } 754 755 if (p + 4 > p_next_cmd) { 756 android_errorWriteLog(0x534e4554, "74202041"); 757 return; 758 } 759 STREAM_TO_UINT16(info_type, p); 760 STREAM_TO_UINT16(result, p); 761 762 p_lcb->info_rx_bits |= (1 << info_type); 763 764 if ((info_type == L2CAP_EXTENDED_FEATURES_INFO_TYPE) && 765 (result == L2CAP_INFO_RESP_RESULT_SUCCESS)) { 766 if (p + 4 > p_next_cmd) { 767 android_errorWriteLog(0x534e4554, "74202041"); 768 return; 769 } 770 STREAM_TO_UINT32(p_lcb->peer_ext_fea, p); 771 772#if (L2CAP_NUM_FIXED_CHNLS > 0) 773 if (p_lcb->peer_ext_fea & L2CAP_EXTFEA_FIXED_CHNLS) { 774 l2cu_send_peer_info_req(p_lcb, L2CAP_FIXED_CHANNELS_INFO_TYPE); 775 break; 776 } else { 777 l2cu_process_fixed_chnl_resp(p_lcb); 778 } 779#endif 780 } 781 782#if (L2CAP_NUM_FIXED_CHNLS > 0) 783 if (info_type == L2CAP_FIXED_CHANNELS_INFO_TYPE) { 784 if (result == L2CAP_INFO_RESP_RESULT_SUCCESS) { 785 memcpy(p_lcb->peer_chnl_mask, p, L2CAP_FIXED_CHNL_ARRAY_SIZE); 786 } 787 788 l2cu_process_fixed_chnl_resp(p_lcb); 789 } 790#endif 791#if (L2CAP_UCD_INCLUDED == TRUE) 792 else if (info_type == L2CAP_CONNLESS_MTU_INFO_TYPE) { 793 if (result == L2CAP_INFO_RESP_RESULT_SUCCESS) { 794 STREAM_TO_UINT16(p_lcb->ucd_mtu, p); 795 } 796 } 797#endif 798 799 ci.status = HCI_SUCCESS; 800 ci.bd_addr = p_lcb->remote_bd_addr; 801 for (p_ccb = p_lcb->ccb_queue.p_first_ccb; p_ccb; 802 p_ccb = p_ccb->p_next_ccb) { 803 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_INFO_RSP, &ci); 804 } 805 break; 806 807 default: 808 L2CAP_TRACE_WARNING("L2CAP - bad cmd code: %d", cmd_code); 809 l2cu_send_peer_cmd_reject(p_lcb, L2CAP_CMD_REJ_NOT_UNDERSTOOD, id, 0, 810 0); 811 return; 812 } 813 } 814} 815 816/******************************************************************************* 817 * 818 * Function l2c_process_held_packets 819 * 820 * Description This function processes any L2CAP packets that arrived 821 * before the HCI connection complete arrived. It is a work 822 * around for badly behaved controllers. 823 * 824 * Returns void 825 * 826 ******************************************************************************/ 827void l2c_process_held_packets(bool timed_out) { 828 if (list_is_empty(l2cb.rcv_pending_q)) return; 829 830 if (!timed_out) { 831 alarm_cancel(l2cb.receive_hold_timer); 832 L2CAP_TRACE_WARNING("L2CAP HOLD CONTINUE"); 833 } else { 834 L2CAP_TRACE_WARNING("L2CAP HOLD TIMEOUT"); 835 } 836 837 for (const list_node_t* node = list_begin(l2cb.rcv_pending_q); 838 node != list_end(l2cb.rcv_pending_q);) { 839 BT_HDR* p_buf = static_cast<BT_HDR*>(list_node(node)); 840 node = list_next(node); 841 if (!timed_out || (!p_buf->layer_specific) || 842 (--p_buf->layer_specific == 0)) { 843 list_remove(l2cb.rcv_pending_q, p_buf); 844 p_buf->layer_specific = 0xFFFF; 845 l2c_rcv_acl_data(p_buf); 846 } 847 } 848 849 /* If anyone still in the queue, restart the timeout */ 850 if (!list_is_empty(l2cb.rcv_pending_q)) { 851 alarm_set_on_mloop(l2cb.receive_hold_timer, BT_1SEC_TIMEOUT_MS, 852 l2c_receive_hold_timer_timeout, NULL); 853 } 854} 855 856/******************************************************************************* 857 * 858 * Function l2c_init 859 * 860 * Description This function is called once at startup to initialize 861 * all the L2CAP structures 862 * 863 * Returns void 864 * 865 ******************************************************************************/ 866void l2c_init(void) { 867 int16_t xx; 868 869 memset(&l2cb, 0, sizeof(tL2C_CB)); 870 /* the psm is increased by 2 before being used */ 871 l2cb.dyn_psm = 0xFFF; 872 873 /* Put all the channel control blocks on the free queue */ 874 for (xx = 0; xx < MAX_L2CAP_CHANNELS - 1; xx++) { 875 l2cb.ccb_pool[xx].p_next_ccb = &l2cb.ccb_pool[xx + 1]; 876 } 877 878#if (L2CAP_NON_FLUSHABLE_PB_INCLUDED == TRUE) 879 /* it will be set to L2CAP_PKT_START_NON_FLUSHABLE if controller supports */ 880 l2cb.non_flushable_pbf = L2CAP_PKT_START << L2CAP_PKT_TYPE_SHIFT; 881#endif 882 883 l2cb.p_free_ccb_first = &l2cb.ccb_pool[0]; 884 l2cb.p_free_ccb_last = &l2cb.ccb_pool[MAX_L2CAP_CHANNELS - 1]; 885 886#ifdef L2CAP_DESIRED_LINK_ROLE 887 l2cb.desire_role = L2CAP_DESIRED_LINK_ROLE; 888#else 889 l2cb.desire_role = HCI_ROLE_SLAVE; 890#endif 891 892 /* Set the default idle timeout */ 893 l2cb.idle_timeout = L2CAP_LINK_INACTIVITY_TOUT; 894 895#if defined(L2CAP_INITIAL_TRACE_LEVEL) 896 l2cb.l2cap_trace_level = L2CAP_INITIAL_TRACE_LEVEL; 897#else 898 l2cb.l2cap_trace_level = BT_TRACE_LEVEL_NONE; /* No traces */ 899#endif 900 901#if (L2CAP_CONFORMANCE_TESTING == TRUE) 902 /* Conformance testing needs a dynamic response */ 903 l2cb.test_info_resp = L2CAP_EXTFEA_SUPPORTED_MASK; 904#endif 905 906/* Number of ACL buffers to use for high priority channel */ 907#if (L2CAP_HIGH_PRI_CHAN_QUOTA_IS_CONFIGURABLE == TRUE) 908 l2cb.high_pri_min_xmit_quota = L2CAP_HIGH_PRI_MIN_XMIT_QUOTA; 909#endif 910 911 l2cb.l2c_ble_fixed_chnls_mask = L2CAP_FIXED_CHNL_ATT_BIT | 912 L2CAP_FIXED_CHNL_BLE_SIG_BIT | 913 L2CAP_FIXED_CHNL_SMP_BIT; 914 915 l2cb.rcv_pending_q = list_new(NULL); 916 CHECK(l2cb.rcv_pending_q != NULL); 917 918 l2cb.receive_hold_timer = alarm_new("l2c.receive_hold_timer"); 919} 920 921void l2c_free(void) { 922 list_free(l2cb.rcv_pending_q); 923 l2cb.rcv_pending_q = NULL; 924} 925 926void l2c_receive_hold_timer_timeout(UNUSED_ATTR void* data) { 927 /* Update the timeouts in the hold queue */ 928 l2c_process_held_packets(true); 929} 930 931void l2c_ccb_timer_timeout(void* data) { 932 tL2C_CCB* p_ccb = (tL2C_CCB*)data; 933 934 l2c_csm_execute(p_ccb, L2CEVT_TIMEOUT, NULL); 935} 936 937void l2c_fcrb_ack_timer_timeout(void* data) { 938 tL2C_CCB* p_ccb = (tL2C_CCB*)data; 939 940 l2c_csm_execute(p_ccb, L2CEVT_ACK_TIMEOUT, NULL); 941} 942 943void l2c_lcb_timer_timeout(void* data) { 944 tL2C_LCB* p_lcb = (tL2C_LCB*)data; 945 946 l2c_link_timeout(p_lcb); 947} 948 949/******************************************************************************* 950 * 951 * Function l2c_data_write 952 * 953 * Description API functions call this function to write data. 954 * 955 * Returns L2CAP_DW_SUCCESS, if data accepted, else false 956 * L2CAP_DW_CONGESTED, if data accepted and the channel is 957 * congested 958 * L2CAP_DW_FAILED, if error 959 * 960 ******************************************************************************/ 961uint8_t l2c_data_write(uint16_t cid, BT_HDR* p_data, uint16_t flags) { 962 tL2C_CCB* p_ccb; 963 964 /* Find the channel control block. We don't know the link it is on. */ 965 p_ccb = l2cu_find_ccb_by_cid(NULL, cid); 966 if (p_ccb == NULL) { 967 L2CAP_TRACE_WARNING("L2CAP - no CCB for L2CA_DataWrite, CID: %d", cid); 968 osi_free(p_data); 969 return (L2CAP_DW_FAILED); 970 } 971 972#ifndef TESTER /* Tester may send any amount of data. otherwise sending \ 973 message \ 974 bigger than mtu size of peer is a violation of protocol */ 975 uint16_t mtu; 976 977 if (p_ccb->p_lcb->transport == BT_TRANSPORT_LE) 978 mtu = p_ccb->peer_conn_cfg.mtu; 979 else 980 mtu = p_ccb->peer_cfg.mtu; 981 982 if (p_data->len > mtu) { 983 L2CAP_TRACE_WARNING( 984 "L2CAP - CID: 0x%04x cannot send message bigger than peer's mtu size: " 985 "len=%u mtu=%u", 986 cid, p_data->len, mtu); 987 osi_free(p_data); 988 return (L2CAP_DW_FAILED); 989 } 990#endif 991 992 /* channel based, packet based flushable or non-flushable */ 993 p_data->layer_specific = flags; 994 995 /* If already congested, do not accept any more packets */ 996 if (p_ccb->cong_sent) { 997 L2CAP_TRACE_ERROR( 998 "L2CAP - CID: 0x%04x cannot send, already congested " 999 "xmit_hold_q.count: %u buff_quota: %u", 1000 p_ccb->local_cid, fixed_queue_length(p_ccb->xmit_hold_q), 1001 p_ccb->buff_quota); 1002 1003 osi_free(p_data); 1004 return (L2CAP_DW_FAILED); 1005 } 1006 1007 l2c_csm_execute(p_ccb, L2CEVT_L2CA_DATA_WRITE, p_data); 1008 1009 if (p_ccb->cong_sent) return (L2CAP_DW_CONGESTED); 1010 1011 return (L2CAP_DW_SUCCESS); 1012} 1013