/****************************************************************************** * * Copyright 2003-2012 Broadcom Corporation * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at: * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * ******************************************************************************/ /****************************************************************************** * * This module contains action functions of the link control state machine. * ******************************************************************************/ #include #include "avct_api.h" #include "avct_int.h" #include "bt_common.h" #include "bt_target.h" #include "bt_types.h" #include "bt_utils.h" #include "bta/include/bta_api.h" #include "btm_api.h" #include "osi/include/log.h" #include "osi/include/osi.h" #include "stack/btm/btm_sec.h" /* packet header length lookup table */ const uint8_t avct_lcb_pkt_type_len[] = {AVCT_HDR_LEN_SINGLE, AVCT_HDR_LEN_START, AVCT_HDR_LEN_CONT, AVCT_HDR_LEN_END}; /******************************************************************************* * * Function avct_lcb_msg_asmbl * * Description Reassemble incoming message. * * * Returns Pointer to reassembled message; NULL if no message * available. * ******************************************************************************/ static BT_HDR* avct_lcb_msg_asmbl(tAVCT_LCB* p_lcb, BT_HDR* p_buf) { uint8_t* p; uint8_t pkt_type; BT_HDR* p_ret; if (p_buf->len < 1) { osi_free(p_buf); p_ret = NULL; return p_ret; } /* parse the message header */ p = (uint8_t*)(p_buf + 1) + p_buf->offset; pkt_type = AVCT_PKT_TYPE(p); /* quick sanity check on length */ if (p_buf->len < avct_lcb_pkt_type_len[pkt_type] || (sizeof(BT_HDR) + p_buf->offset + p_buf->len) > BT_DEFAULT_BUFFER_SIZE) { if ((sizeof(BT_HDR) + p_buf->offset + p_buf->len) > BT_DEFAULT_BUFFER_SIZE) { android_errorWriteWithInfoLog(0x534e4554, "230867224", -1, NULL, 0); } osi_free(p_buf); AVCT_TRACE_WARNING("Bad length during reassembly"); p_ret = NULL; } /* single packet */ else if (pkt_type == AVCT_PKT_TYPE_SINGLE) { /* if reassembly in progress drop message and process new single */ if (p_lcb->p_rx_msg != NULL) AVCT_TRACE_WARNING("Got single during reassembly"); osi_free_and_reset((void**)&p_lcb->p_rx_msg); p_ret = p_buf; } /* start packet */ else if (pkt_type == AVCT_PKT_TYPE_START) { /* if reassembly in progress drop message and process new start */ if (p_lcb->p_rx_msg != NULL) AVCT_TRACE_WARNING("Got start during reassembly"); osi_free_and_reset((void**)&p_lcb->p_rx_msg); /* * Allocate bigger buffer for reassembly. As lower layers are * not aware of possible packet size after reassembly, they * would have allocated smaller buffer. */ if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) { android_errorWriteLog(0x534e4554, "232023771"); osi_free(p_buf); p_ret = NULL; return p_ret; } p_lcb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE); memcpy(p_lcb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len); /* Free original buffer */ osi_free(p_buf); /* update p to point to new buffer */ p = (uint8_t*)(p_lcb->p_rx_msg + 1) + p_lcb->p_rx_msg->offset; /* copy first header byte over nosp */ *(p + 1) = *p; /* set offset to point to where to copy next */ p_lcb->p_rx_msg->offset += p_lcb->p_rx_msg->len; /* adjust length for packet header */ p_lcb->p_rx_msg->len -= 1; p_ret = NULL; } /* continue or end */ else { /* if no reassembly in progress drop message */ if (p_lcb->p_rx_msg == NULL) { osi_free(p_buf); AVCT_TRACE_WARNING("Pkt type=%d out of order", pkt_type); p_ret = NULL; } else { /* get size of buffer holding assembled message */ /* * NOTE: The buffer is allocated above at the beginning of the * reassembly, and is always of size BT_DEFAULT_BUFFER_SIZE. */ uint16_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR); /* adjust offset and len of fragment for header byte */ p_buf->offset += AVCT_HDR_LEN_CONT; p_buf->len -= AVCT_HDR_LEN_CONT; /* verify length */ if ((p_lcb->p_rx_msg->offset + p_buf->len) > buf_len) { /* won't fit; free everything */ AVCT_TRACE_WARNING("%s: Fragmented message too big!", __func__); osi_free_and_reset((void**)&p_lcb->p_rx_msg); osi_free(p_buf); p_ret = NULL; } else { /* copy contents of p_buf to p_rx_msg */ memcpy((uint8_t*)(p_lcb->p_rx_msg + 1) + p_lcb->p_rx_msg->offset, (uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len); if (pkt_type == AVCT_PKT_TYPE_END) { p_lcb->p_rx_msg->offset -= p_lcb->p_rx_msg->len; p_lcb->p_rx_msg->len += p_buf->len; p_ret = p_lcb->p_rx_msg; p_lcb->p_rx_msg = NULL; } else { p_lcb->p_rx_msg->offset += p_buf->len; p_lcb->p_rx_msg->len += p_buf->len; p_ret = NULL; } osi_free(p_buf); } } } return p_ret; } /******************************************************************************* * * Function avct_lcb_chnl_open * * Description Open L2CAP channel to peer * * * Returns Nothing. * ******************************************************************************/ void avct_lcb_chnl_open(tAVCT_LCB* p_lcb, UNUSED_ATTR tAVCT_LCB_EVT* p_data) { uint16_t result = AVCT_RESULT_FAIL; p_lcb->ch_state = AVCT_CH_CONN; p_lcb->ch_lcid = L2CA_ConnectReq2(AVCT_PSM, p_lcb->peer_addr, BTA_SEC_AUTHENTICATE); if (p_lcb->ch_lcid == 0) { /* if connect req failed, send ourselves close event */ tAVCT_LCB_EVT avct_lcb_evt; avct_lcb_evt.result = result; avct_lcb_event(p_lcb, AVCT_LCB_LL_CLOSE_EVT, &avct_lcb_evt); } } /******************************************************************************* * * Function avct_lcb_unbind_disc * * Description Deallocate ccb and call callback with disconnect event. * * * Returns Nothing. * ******************************************************************************/ void avct_lcb_unbind_disc(UNUSED_ATTR tAVCT_LCB* p_lcb, tAVCT_LCB_EVT* p_data) { avct_ccb_dealloc(p_data->p_ccb, AVCT_DISCONNECT_CFM_EVT, 0, NULL); } /******************************************************************************* * * Function avct_lcb_open_ind * * Description Handle an LL_OPEN event. For each allocated ccb already * bound to this lcb, send a connect event. For each * unbound ccb with a new PID, bind that ccb to this lcb and * send a connect event. * * * Returns Nothing. * ******************************************************************************/ void avct_lcb_open_ind(tAVCT_LCB* p_lcb, tAVCT_LCB_EVT* p_data) { tAVCT_CCB* p_ccb = &avct_cb.ccb[0]; int i; bool bind = false; for (i = 0; i < AVCT_NUM_CONN; i++, p_ccb++) { /* if ccb allocated and */ if (p_ccb->allocated) { /* if bound to this lcb send connect confirm event */ if (p_ccb->p_lcb == p_lcb) { bind = true; L2CA_SetTxPriority(p_lcb->ch_lcid, L2CAP_CHNL_PRIORITY_HIGH); p_ccb->cc.p_ctrl_cback(avct_ccb_to_idx(p_ccb), AVCT_CONNECT_CFM_EVT, 0, &p_lcb->peer_addr); } /* if unbound acceptor and lcb doesn't already have a ccb for this PID */ else if ((p_ccb->p_lcb == NULL) && (p_ccb->cc.role == AVCT_ACP) && (avct_lcb_has_pid(p_lcb, p_ccb->cc.pid) == NULL)) { /* bind ccb to lcb and send connect ind event */ bind = true; p_ccb->p_lcb = p_lcb; L2CA_SetTxPriority(p_lcb->ch_lcid, L2CAP_CHNL_PRIORITY_HIGH); p_ccb->cc.p_ctrl_cback(avct_ccb_to_idx(p_ccb), AVCT_CONNECT_IND_EVT, 0, &p_lcb->peer_addr); } } } /* if no ccbs bound to this lcb, disconnect */ if (!bind) { avct_lcb_event(p_lcb, AVCT_LCB_INT_CLOSE_EVT, p_data); } } /******************************************************************************* * * Function avct_lcb_open_fail * * Description L2CAP channel open attempt failed. Deallocate any ccbs * on this lcb and send connect confirm event with failure. * * * Returns Nothing. * ******************************************************************************/ void avct_lcb_open_fail(tAVCT_LCB* p_lcb, tAVCT_LCB_EVT* p_data) { tAVCT_CCB* p_ccb = &avct_cb.ccb[0]; int i; for (i = 0; i < AVCT_NUM_CONN; i++, p_ccb++) { if (p_ccb->allocated && (p_ccb->p_lcb == p_lcb)) { avct_ccb_dealloc(p_ccb, AVCT_CONNECT_CFM_EVT, p_data->result, &p_lcb->peer_addr); } } } /******************************************************************************* * * Function avct_lcb_close_ind * * Description L2CAP channel closed by peer. Deallocate any initiator * ccbs on this lcb and send disconnect ind event. * * * Returns Nothing. * ******************************************************************************/ void avct_lcb_close_ind(tAVCT_LCB* p_lcb, UNUSED_ATTR tAVCT_LCB_EVT* p_data) { tAVCT_CCB* p_ccb = &avct_cb.ccb[0]; int i; for (i = 0; i < AVCT_NUM_CONN; i++, p_ccb++) { if (p_ccb->allocated && (p_ccb->p_lcb == p_lcb)) { if (p_ccb->cc.role == AVCT_INT) { avct_ccb_dealloc(p_ccb, AVCT_DISCONNECT_IND_EVT, 0, &p_lcb->peer_addr); } else { p_ccb->p_lcb = NULL; (*p_ccb->cc.p_ctrl_cback)(avct_ccb_to_idx(p_ccb), AVCT_DISCONNECT_IND_EVT, 0, &p_lcb->peer_addr); } } } } /******************************************************************************* * * Function avct_lcb_close_cfm * * Description L2CAP channel closed by us. Deallocate any initiator * ccbs on this lcb and send disconnect ind or cfm event. * * * Returns Nothing. * ******************************************************************************/ void avct_lcb_close_cfm(tAVCT_LCB* p_lcb, tAVCT_LCB_EVT* p_data) { tAVCT_CCB* p_ccb = &avct_cb.ccb[0]; int i; uint8_t event; for (i = 0; i < AVCT_NUM_CONN; i++, p_ccb++) { if (p_ccb->allocated && (p_ccb->p_lcb == p_lcb)) { /* if this ccb initiated close send disconnect cfm otherwise ind */ if (p_ccb->ch_close) { p_ccb->ch_close = false; event = AVCT_DISCONNECT_CFM_EVT; } else { event = AVCT_DISCONNECT_IND_EVT; } if (p_ccb->cc.role == AVCT_INT) { avct_ccb_dealloc(p_ccb, event, p_data->result, &p_lcb->peer_addr); } else { p_ccb->p_lcb = NULL; (*p_ccb->cc.p_ctrl_cback)(avct_ccb_to_idx(p_ccb), event, p_data->result, &p_lcb->peer_addr); } } } } /******************************************************************************* * * Function avct_lcb_bind_conn * * Description Bind ccb to lcb and send connect cfm event. * * * Returns Nothing. * ******************************************************************************/ void avct_lcb_bind_conn(tAVCT_LCB* p_lcb, tAVCT_LCB_EVT* p_data) { p_data->p_ccb->p_lcb = p_lcb; (*p_data->p_ccb->cc.p_ctrl_cback)(avct_ccb_to_idx(p_data->p_ccb), AVCT_CONNECT_CFM_EVT, 0, &p_lcb->peer_addr); } /******************************************************************************* * * Function avct_lcb_chk_disc * * Description A ccb wants to close; if it is the last ccb on this lcb, * close channel. Otherwise just deallocate and call * callback. * * Returns Nothing. * ******************************************************************************/ void avct_lcb_chk_disc(tAVCT_LCB* p_lcb, tAVCT_LCB_EVT* p_data) { avct_close_bcb(p_lcb, p_data); if (avct_lcb_last_ccb(p_lcb, p_data->p_ccb)) { LOG_INFO("Closing last avct channel to device"); p_data->p_ccb->ch_close = true; avct_lcb_event(p_lcb, AVCT_LCB_INT_CLOSE_EVT, p_data); } else { LOG_INFO("Closing avct channel with active remaining channels"); avct_lcb_unbind_disc(p_lcb, p_data); } } /******************************************************************************* * * Function avct_lcb_chnl_disc * * Description Disconnect L2CAP channel. * * * Returns Nothing. * ******************************************************************************/ void avct_lcb_chnl_disc(tAVCT_LCB* p_lcb, UNUSED_ATTR tAVCT_LCB_EVT* p_data) { avct_l2c_disconnect(p_lcb->ch_lcid, 0); } /******************************************************************************* * * Function avct_lcb_bind_fail * * Description Deallocate ccb and call callback with connect event * with failure result. * * * Returns Nothing. * ******************************************************************************/ void avct_lcb_bind_fail(UNUSED_ATTR tAVCT_LCB* p_lcb, tAVCT_LCB_EVT* p_data) { avct_ccb_dealloc(p_data->p_ccb, AVCT_CONNECT_CFM_EVT, AVCT_RESULT_FAIL, NULL); } /******************************************************************************* * * Function avct_lcb_cong_ind * * Description Handle congestion indication from L2CAP. * * * Returns Nothing. * ******************************************************************************/ void avct_lcb_cong_ind(tAVCT_LCB* p_lcb, tAVCT_LCB_EVT* p_data) { tAVCT_CCB* p_ccb = &avct_cb.ccb[0]; int i; uint8_t event; BT_HDR* p_buf; /* set event */ event = (p_data->cong) ? AVCT_CONG_IND_EVT : AVCT_UNCONG_IND_EVT; p_lcb->cong = p_data->cong; if (!p_lcb->cong && !fixed_queue_is_empty(p_lcb->tx_q)) { while (!p_lcb->cong && (p_buf = (BT_HDR*)fixed_queue_try_dequeue(p_lcb->tx_q)) != NULL) { if (L2CA_DataWrite(p_lcb->ch_lcid, p_buf) == L2CAP_DW_CONGESTED) { p_lcb->cong = true; } } } /* send event to all ccbs on this lcb */ for (i = 0; i < AVCT_NUM_CONN; i++, p_ccb++) { if (p_ccb->allocated && (p_ccb->p_lcb == p_lcb)) { (*p_ccb->cc.p_ctrl_cback)(avct_ccb_to_idx(p_ccb), event, 0, &p_lcb->peer_addr); } } } /******************************************************************************* * * Function avct_lcb_discard_msg * * Description Discard a message sent in from the API. * * * Returns Nothing. * ******************************************************************************/ void avct_lcb_discard_msg(UNUSED_ATTR tAVCT_LCB* p_lcb, tAVCT_LCB_EVT* p_data) { AVCT_TRACE_WARNING("%s Dropping message", __func__); osi_free_and_reset((void**)&p_data->ul_msg.p_buf); } /******************************************************************************* * * Function avct_lcb_send_msg * * Description Build and send an AVCTP message. * * * Returns Nothing. * ******************************************************************************/ void avct_lcb_send_msg(tAVCT_LCB* p_lcb, tAVCT_LCB_EVT* p_data) { uint16_t curr_msg_len; uint8_t pkt_type; uint8_t hdr_len; uint8_t* p; uint8_t nosp = 0; /* number of subsequent packets */ uint16_t temp; uint16_t buf_size = p_lcb->peer_mtu + L2CAP_MIN_OFFSET + BT_HDR_SIZE; /* store msg len */ curr_msg_len = p_data->ul_msg.p_buf->len; /* initialize packet type and other stuff */ if (curr_msg_len <= (p_lcb->peer_mtu - AVCT_HDR_LEN_SINGLE)) { pkt_type = AVCT_PKT_TYPE_SINGLE; } else { pkt_type = AVCT_PKT_TYPE_START; temp = (curr_msg_len + AVCT_HDR_LEN_START - p_lcb->peer_mtu); nosp = temp / (p_lcb->peer_mtu - 1) + 1; if ((temp % (p_lcb->peer_mtu - 1)) != 0) nosp++; } /* while we haven't sent all packets */ while (curr_msg_len != 0) { BT_HDR* p_buf; /* set header len */ hdr_len = avct_lcb_pkt_type_len[pkt_type]; /* if remaining msg must be fragmented */ if (p_data->ul_msg.p_buf->len > (p_lcb->peer_mtu - hdr_len)) { /* get a new buffer for fragment we are sending */ p_buf = (BT_HDR*)osi_malloc(buf_size); /* copy portion of data from current message to new buffer */ p_buf->offset = L2CAP_MIN_OFFSET + hdr_len; p_buf->len = p_lcb->peer_mtu - hdr_len; memcpy( (uint8_t*)(p_buf + 1) + p_buf->offset, (uint8_t*)(p_data->ul_msg.p_buf + 1) + p_data->ul_msg.p_buf->offset, p_buf->len); p_data->ul_msg.p_buf->offset += p_buf->len; p_data->ul_msg.p_buf->len -= p_buf->len; } else { p_buf = p_data->ul_msg.p_buf; } curr_msg_len -= p_buf->len; /* set up to build header */ p_buf->len += hdr_len; p_buf->offset -= hdr_len; p = (uint8_t*)(p_buf + 1) + p_buf->offset; /* build header */ AVCT_BUILD_HDR(p, p_data->ul_msg.label, pkt_type, p_data->ul_msg.cr); if (pkt_type == AVCT_PKT_TYPE_START) { UINT8_TO_STREAM(p, nosp); } if ((pkt_type == AVCT_PKT_TYPE_START) || (pkt_type == AVCT_PKT_TYPE_SINGLE)) { UINT16_TO_BE_STREAM(p, p_data->ul_msg.p_ccb->cc.pid); } if (p_lcb->cong) { fixed_queue_enqueue(p_lcb->tx_q, p_buf); } /* send message to L2CAP */ else { if (L2CA_DataWrite(p_lcb->ch_lcid, p_buf) == L2CAP_DW_CONGESTED) { p_lcb->cong = true; } } /* update pkt type for next packet */ if (curr_msg_len > (p_lcb->peer_mtu - AVCT_HDR_LEN_END)) { pkt_type = AVCT_PKT_TYPE_CONT; } else { pkt_type = AVCT_PKT_TYPE_END; } } AVCT_TRACE_DEBUG("%s tx_q_count:%d", __func__, fixed_queue_length(p_lcb->tx_q)); return; } /******************************************************************************* * * Function avct_lcb_free_msg_ind * * Description Discard an incoming AVCTP message. * * * Returns Nothing. * ******************************************************************************/ void avct_lcb_free_msg_ind(UNUSED_ATTR tAVCT_LCB* p_lcb, tAVCT_LCB_EVT* p_data) { if (p_data == NULL) return; osi_free_and_reset((void**)&p_data->p_buf); } /******************************************************************************* * * Function avct_lcb_msg_ind * * Description Handle an incoming AVCTP message. * * * Returns Nothing. * ******************************************************************************/ void avct_lcb_msg_ind(tAVCT_LCB* p_lcb, tAVCT_LCB_EVT* p_data) { uint8_t* p; uint8_t label, type, cr_ipid; uint16_t pid; tAVCT_CCB* p_ccb; /* this p_buf is to be reported through p_msg_cback. The layer_specific * needs to be set properly to indicate that it is received through * control channel */ p_data->p_buf->layer_specific = AVCT_DATA_CTRL; /* reassemble message; if no message available (we received a fragment) return */ p_data->p_buf = avct_lcb_msg_asmbl(p_lcb, p_data->p_buf); if (p_data->p_buf == NULL) { return; } p = (uint8_t*)(p_data->p_buf + 1) + p_data->p_buf->offset; /* parse header byte */ AVCT_PARSE_HDR(p, label, type, cr_ipid); /* check for invalid cr_ipid */ if (cr_ipid == AVCT_CR_IPID_INVALID) { AVCT_TRACE_WARNING("Invalid cr_ipid", cr_ipid); osi_free_and_reset((void**)&p_data->p_buf); return; } /* parse and lookup PID */ BE_STREAM_TO_UINT16(pid, p); p_ccb = avct_lcb_has_pid(p_lcb, pid); if (p_ccb) { /* PID found; send msg up, adjust bt hdr and call msg callback */ p_data->p_buf->offset += AVCT_HDR_LEN_SINGLE; p_data->p_buf->len -= AVCT_HDR_LEN_SINGLE; (*p_ccb->cc.p_msg_cback)(avct_ccb_to_idx(p_ccb), label, cr_ipid, p_data->p_buf); return; } /* PID not found; drop message */ AVCT_TRACE_WARNING("No ccb for PID=%x", pid); osi_free_and_reset((void**)&p_data->p_buf); /* if command send reject */ if (cr_ipid == AVCT_CMD) { BT_HDR* p_buf = (BT_HDR*)osi_malloc(AVCT_CMD_BUF_SIZE); p_buf->len = AVCT_HDR_LEN_SINGLE; p_buf->offset = AVCT_MSG_OFFSET - AVCT_HDR_LEN_SINGLE; p = (uint8_t*)(p_buf + 1) + p_buf->offset; AVCT_BUILD_HDR(p, label, AVCT_PKT_TYPE_SINGLE, AVCT_REJ); UINT16_TO_BE_STREAM(p, pid); L2CA_DataWrite(p_lcb->ch_lcid, p_buf); } }