1/******************************************************************************
2 *
3 *  Copyright 2014 Google, Inc.
4 *
5 *  Licensed under the Apache License, Version 2.0 (the "License");
6 *  you may not use this file except in compliance with the License.
7 *  You may obtain a copy of the License at:
8 *
9 *  http://www.apache.org/licenses/LICENSE-2.0
10 *
11 *  Unless required by applicable law or agreed to in writing, software
12 *  distributed under the License is distributed on an "AS IS" BASIS,
13 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 *  See the License for the specific language governing permissions and
15 *  limitations under the License.
16 *
17 ******************************************************************************/
18
19#define LOG_TAG "bt_hci_packet_fragmenter"
20
21#include "packet_fragmenter.h"
22
23#include <base/logging.h>
24#include <string.h>
25#include <unordered_map>
26
27#include "bt_target.h"
28#include "buffer_allocator.h"
29#include "device/include/controller.h"
30#include "hci_internals.h"
31#include "osi/include/log.h"
32#include "osi/include/osi.h"
33
// Clears the packet-boundary bits (12-13) of an ACL handle word, leaves bits
// 14-15 untouched, and sets the "continuing fragment" value (1 << 12).
#define APPLY_CONTINUATION_FLAG(handle) (((handle)&0xCFFF) | 0x1000)
// Same, but marks the word as a start fragment (2 << 12).
#define APPLY_START_FLAG(handle) (((handle)&0xCFFF) | 0x2000)
// Sub-event bits of a BT_HDR event; compared against controller ids below.
#define SUB_EVENT(event) ((event)&MSG_SUB_EVT_MASK)
// Two-bit packet-boundary flag held in bits 12-13 of the ACL handle word.
#define GET_BOUNDARY_FLAG(handle) (((handle) >> 12) & 0x0003)

// Low 12 bits of the ACL handle word are the connection handle itself.
#define HANDLE_MASK 0x0FFF
// Values GET_BOUNDARY_FLAG() yields for the start / continuation fragments.
#define START_PACKET_BOUNDARY 2
#define CONTINUATION_PACKET_BOUNDARY 1
// Field sizes of the L2CAP header that follows the ACL preamble in a start
// fragment: the PDU length comes first, then the channel id.
#define L2CAP_HEADER_PDU_LEN_SIZE 2
#define L2CAP_HEADER_CID_SIZE 2
#define L2CAP_HEADER_SIZE (L2CAP_HEADER_PDU_LEN_SIZE + L2CAP_HEADER_CID_SIZE)
45
46// Our interface and callbacks
47
// Allocator used for every reassembly buffer this module allocates and frees.
static const allocator_t* buffer_allocator;
// Source of the per-transport ACL payload limits consulted when fragmenting.
static const controller_t* controller;
// Sinks for fragmented / reassembled packets; bound by init().
static const packet_fragmenter_callbacks_t* callbacks;

// In-flight reassemblies keyed by ACL connection handle (low 12 bits).
// Each value is owned by this map until the SDU completes (ownership then
// passes to callbacks->reassembled) or it is replaced/freed here.
// NOTE(review): no locking; assumes all dispatch calls arrive on one thread.
static std::unordered_map<uint16_t /* handle */, BT_HDR*> partial_packets;
53
// Binds the callback table through which fragmented and reassembled packets
// are delivered. The allocator and controller pointers are not touched here;
// they are set by the packet_fragmenter_get_*interface() entry points.
static void init(const packet_fragmenter_callbacks_t* result_callbacks) {
  // Only the sink table needs to be remembered.
  callbacks = result_callbacks;
}
57
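// Discards every partially reassembled packet. The map owns those buffers
// (see reassemble_and_dispatch), so each one is returned to the allocator
// before the map is emptied rather than leaked by a bare clear().
static void cleanup() {
  for (const auto& entry : partial_packets) {
    buffer_allocator->free(entry.second);
  }
  partial_packets.clear();
}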
59
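// Splits an outbound ACL packet into controller-sized fragments and hands
// each one to callbacks->fragmented(); any other event type is passed through
// whole with the "last fragment" flag set.
//
// Fragmentation happens in place: every fragment is the same BT_HDR with
// |offset| advanced and |len| shrunk, and a fresh 4-byte ACL preamble
// (continuation handle, fragment length) is written over the last 4 bytes of
// the payload that was just sent. NOTE(review): this relies on
// callbacks->fragmented() having consumed those bytes before it returns.
// When L2CAP set a segment budget in |layer_specific|, the packet is handed
// to callbacks->transmit_finished() once that budget reaches zero instead.
static void fragment_and_dispatch(BT_HDR* packet) {
  CHECK(packet != NULL);

  uint16_t event = packet->event & MSG_EVT_MASK;

  // We only fragment ACL packets
  if (event != MSG_STACK_TO_HC_HCI_ACL) {
    callbacks->fragmented(packet, true);
    return;
  }

  // Pick the payload limit of the transport this packet is bound for.
  uint16_t max_data_size =
      SUB_EVENT(packet->event) == LOCAL_BR_EDR_CONTROLLER_ID
          ? controller->get_acl_data_size_classic()
          : controller->get_acl_data_size_ble();
  // A zero limit would never advance |offset| in the loop below, so the loop
  // would spin forever re-sending an empty fragment. Treat it as a broken
  // controller rather than hang the dispatch thread.
  CHECK(max_data_size > 0);

  uint16_t max_packet_size = max_data_size + HCI_ACL_PREAMBLE_SIZE;
  uint16_t remaining_length = packet->len;

  // Handle word reused for every fragment after the first.
  uint8_t* stream = packet->data + packet->offset;
  uint16_t continuation_handle;
  STREAM_TO_UINT16(continuation_handle, stream);
  continuation_handle = APPLY_CONTINUATION_FLAG(continuation_handle);

  while (remaining_length > max_packet_size) {
    // Rewrite the length field of the current preamble to the fragment size.
    stream = packet->data + packet->offset;
    STREAM_SKIP_UINT16(stream);
    UINT16_TO_STREAM(stream, max_data_size);

    packet->len = max_packet_size;
    callbacks->fragmented(packet, false);

    // Advance by the payload size only: the next preamble is written 4 bytes
    // before the end of the fragment just sent.
    packet->offset += max_data_size;
    remaining_length -= max_data_size;
    packet->len = remaining_length;

    // Write the ACL header for the next fragment
    stream = packet->data + packet->offset;
    UINT16_TO_STREAM(stream, continuation_handle);
    UINT16_TO_STREAM(stream, remaining_length - HCI_ACL_PREAMBLE_SIZE);

    // Apparently L2CAP can set layer_specific to a max number of segments to
    // transmit; once the budget is used up, report back instead of sending.
    if (packet->layer_specific) {
      packet->layer_specific--;

      if (packet->layer_specific == 0) {
        packet->event = MSG_HC_TO_STACK_L2C_SEG_XMIT;
        callbacks->transmit_finished(packet, false);
        return;
      }
    }
  }

  callbacks->fragmented(packet, true);
}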
117
// True when a + b does not fit in a uint16_t, i.e. the 16-bit sum would wrap.
static bool check_uint16_overflow(uint16_t a, uint16_t b) {
  // Add in 32 bits so the addition itself cannot wrap, then compare the
  // exact sum against the 16-bit ceiling.
  uint32_t sum = (uint32_t)a + (uint32_t)b;
  return sum > UINT16_MAX;
}
121
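// Frees the reassembly buffer registered for |handle|, if one exists. Used
// when a new start fragment arrives before the previous SDU on that handle
// completed, so the stale partial packet is not leaked.
static void drop_stale_partial(uint16_t handle) {
  auto map_iter = partial_packets.find(handle);
  if (map_iter == partial_packets.end()) return;

  LOG_WARN(LOG_TAG,
           "%s found unfinished packet for handle with start packet. "
           "Dropping old.",
           __func__);

  BT_HDR* stale = map_iter->second;
  partial_packets.erase(map_iter);
  buffer_allocator->free(stale);
}

// Handles an inbound ACL fragment carrying the START boundary flag.
// |acl_length| is the preamble's length field, already checked against
// packet->len by the caller. On return |packet| has either been handed to
// callbacks->reassembled(), copied into a new reassembly buffer and freed,
// or freed because it was rejected.
static void dispatch_start_fragment(BT_HDR* packet, uint16_t handle,
                                    uint16_t acl_length) {
  drop_stale_partial(handle);

  // The L2CAP PDU length is the first field after the ACL preamble; make
  // sure those bytes are actually part of the packet before reading them.
  if (acl_length < L2CAP_HEADER_PDU_LEN_SIZE) {
    LOG_WARN(LOG_TAG, "%s L2CAP packet too small (%d < %d). Dropping it.",
             __func__, acl_length, L2CAP_HEADER_PDU_LEN_SIZE);
    buffer_allocator->free(packet);
    return;
  }

  uint8_t* stream = packet->data + HCI_ACL_PREAMBLE_SIZE;
  uint16_t l2cap_length;
  STREAM_TO_UINT16(l2cap_length, stream);

  uint16_t full_length =
      l2cap_length + L2CAP_HEADER_SIZE + HCI_ACL_PREAMBLE_SIZE;

  // Reject lengths whose 16-bit sum wraps, and anything that (with the
  // BT_HDR prefix) would not fit in the largest buffer we allocate.
  if (check_uint16_overflow(l2cap_length,
                            (L2CAP_HEADER_SIZE + HCI_ACL_PREAMBLE_SIZE)) ||
      ((full_length + sizeof(BT_HDR)) > BT_DEFAULT_BUFFER_SIZE)) {
    LOG_ERROR(LOG_TAG, "%s Dropping L2CAP packet with invalid length (%d).",
              __func__, l2cap_length);
    buffer_allocator->free(packet);
    return;
  }

  // The whole SDU is already here: no reassembly needed. An L2CAP length
  // shorter than the HCI payload is only logged, the packet goes up as-is.
  if (full_length <= packet->len) {
    if (full_length < packet->len)
      LOG_WARN(LOG_TAG,
               "%s found l2cap full length %d less than the hci length %d.",
               __func__, l2cap_length, packet->len);

    callbacks->reassembled(packet);
    return;
  }

  // Allocate a buffer for the whole SDU and seed it with this fragment.
  // |len| holds the expected total and |offset| the bytes received so far.
  BT_HDR* partial_packet =
      (BT_HDR*)buffer_allocator->alloc(full_length + sizeof(BT_HDR));
  CHECK(partial_packet != NULL);
  partial_packet->event = packet->event;
  partial_packet->len = full_length;
  partial_packet->offset = packet->len;

  memcpy(partial_packet->data, packet->data, packet->len);

  // Update the ACL data size so the assembled packet's preamble describes
  // the full SDU rather than the first fragment.
  stream = partial_packet->data;
  STREAM_SKIP_UINT16(stream);  // skip the handle
  UINT16_TO_STREAM(stream, full_length - HCI_ACL_PREAMBLE_SIZE);

  partial_packets[handle] = partial_packet;

  // Free the old packet buffer, since we don't need it anymore
  buffer_allocator->free(packet);
}

// Handles an inbound ACL fragment that continues (or completes) the SDU
// being reassembled for |handle|. The fragment's payload is appended to the
// reassembly buffer and |packet| is freed; the assembled packet is handed to
// callbacks->reassembled() once the expected length is reached.
static void dispatch_continuation_fragment(BT_HDR* packet, uint16_t handle) {
  auto map_iter = partial_packets.find(handle);
  if (map_iter == partial_packets.end()) {
    LOG_WARN(LOG_TAG,
             "%s got continuation for unknown packet. Dropping it.",
             __func__);
    buffer_allocator->free(packet);
    return;
  }
  BT_HDR* partial_packet = map_iter->second;

  // Do the bookkeeping in size_t: |offset| + payload can exceed 16 bits for
  // an oversized fragment, and a wrapped sum would defeat the bound below.
  size_t room = (size_t)(partial_packet->len - partial_packet->offset);
  size_t payload_length = (size_t)(packet->len - HCI_ACL_PREAMBLE_SIZE);

  // Clamp to the space left in the buffer. The copy length is the clamped
  // payload itself, not the clamped packet length minus the preamble, so a
  // fragment that overruns by less than the preamble size cannot produce a
  // negative (wrapped) memcpy length.
  if (payload_length > room) {
    LOG_WARN(LOG_TAG,
             "%s got packet which would exceed expected length of %d. "
             "Truncating.",
             __func__, partial_packet->len);
    payload_length = room;
  }

  memcpy(partial_packet->data + partial_packet->offset,
         packet->data + HCI_ACL_PREAMBLE_SIZE, payload_length);

  // Free the old packet buffer, since we don't need it anymore
  buffer_allocator->free(packet);
  partial_packet->offset += payload_length;

  if (partial_packet->offset == partial_packet->len) {
    partial_packets.erase(handle);
    partial_packet->offset = 0;
    callbacks->reassembled(partial_packet);
  }
}

// Reassembles inbound ACL fragments from the controller into whole L2CAP SDUs
// before handing them to callbacks->reassembled(); every other event type is
// forwarded untouched. |packet| is either freed here or passed on to the
// callback on every path.
static void reassemble_and_dispatch(BT_HDR* packet) {
  if ((packet->event & MSG_EVT_MASK) != MSG_HC_TO_STACK_HCI_ACL) {
    callbacks->reassembled(packet);
    return;
  }

  uint8_t* stream = packet->data;
  uint16_t handle;
  uint16_t acl_length;
  STREAM_TO_UINT16(handle, stream);
  STREAM_TO_UINT16(acl_length, stream);

  // The HCI layer is expected to have sized the packet from this field;
  // anything else means the preamble cannot be trusted. This also guarantees
  // packet->len >= HCI_ACL_PREAMBLE_SIZE for the helpers below.
  CHECK(acl_length == packet->len - HCI_ACL_PREAMBLE_SIZE);

  uint8_t boundary_flag = GET_BOUNDARY_FLAG(handle);
  handle = handle & HANDLE_MASK;

  // Anything that is not a start fragment is treated as a continuation,
  // matching the original behaviour for the other two flag values.
  if (boundary_flag == START_PACKET_BOUNDARY) {
    dispatch_start_fragment(packet, handle, acl_length);
  } else {
    dispatch_continuation_fragment(packet, handle);
  }
}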
240
// Function table exported to the HCI layer. This is a positional aggregate
// initializer, so the order must match packet_fragmenter_t as declared in
// packet_fragmenter.h.
static const packet_fragmenter_t interface = {init, cleanup,

                                              fragment_and_dispatch,
                                              reassemble_and_dispatch};
245
// Binds the production allocator and controller singletons, then returns the
// module's function table. Each call rebinds both pointers.
const packet_fragmenter_t* packet_fragmenter_get_interface() {
  buffer_allocator = buffer_allocator_get_interface();
  controller = controller_get_interface();
  return &interface;
}
251
// Test hook: same as packet_fragmenter_get_interface() but with a
// caller-supplied controller and allocator so tests can inject fakes.
const packet_fragmenter_t* packet_fragmenter_get_test_interface(
    const controller_t* controller_interface,
    const allocator_t* buffer_allocator_interface) {
  buffer_allocator = buffer_allocator_interface;
  controller = controller_interface;
  return &interface;
}
259