l2cap_signal.c revision 1.5
1 /* $NetBSD: l2cap_signal.c,v 1.5 2007/03/12 20:34:54 plunky Exp $ */ 2 3 /*- 4 * Copyright (c) 2005 Iain Hibbert. 5 * Copyright (c) 2006 Itronix Inc. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. The name of Itronix Inc. may not be used to endorse 17 * or promote products derived from this software without specific 18 * prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 22 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 23 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY 24 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 25 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 26 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 27 * ON ANY THEORY OF LIABILITY, WHETHER IN 28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30 * POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include <sys/cdefs.h> 34 __KERNEL_RCSID(0, "$NetBSD: l2cap_signal.c,v 1.5 2007/03/12 20:34:54 plunky Exp $"); 35 36 #include <sys/param.h> 37 #include <sys/kernel.h> 38 #include <sys/mbuf.h> 39 #include <sys/proc.h> 40 #include <sys/queue.h> 41 #include <sys/systm.h> 42 43 #include <machine/stdarg.h> 44 45 #include <netbt/bluetooth.h> 46 #include <netbt/hci.h> 47 #include <netbt/l2cap.h> 48 49 /******************************************************************************* 50 * 51 * L2CAP Signal processing 52 */ 53 54 static void l2cap_recv_command_rej(struct mbuf *, struct hci_link *); 55 static void l2cap_recv_connect_req(struct mbuf *, struct hci_link *); 56 static void l2cap_recv_connect_rsp(struct mbuf *, struct hci_link *); 57 static void l2cap_recv_config_req(struct mbuf *, struct hci_link *); 58 static void l2cap_recv_config_rsp(struct mbuf *, struct hci_link *); 59 static void l2cap_recv_disconnect_req(struct mbuf *, struct hci_link *); 60 static void l2cap_recv_disconnect_rsp(struct mbuf *, struct hci_link *); 61 static void l2cap_recv_info_req(struct mbuf *, struct hci_link *); 62 static int l2cap_send_signal(struct hci_link *, uint8_t, uint8_t, uint16_t, void *); 63 static int l2cap_send_command_rej(struct hci_link *, uint8_t, uint16_t, ...); 64 65 /* 66 * process incoming signal packets (CID 0x0001). Can contain multiple 67 * requests/responses. 68 */ 69 void 70 l2cap_recv_signal(struct mbuf *m, struct hci_link *link) 71 { 72 l2cap_cmd_hdr_t cmd; 73 74 for(;;) { 75 if (m->m_pkthdr.len == 0) 76 goto finish; 77 78 if (m->m_pkthdr.len < sizeof(cmd)) 79 goto reject; 80 81 m_copydata(m, 0, sizeof(cmd), &cmd); 82 cmd.length = le16toh(cmd.length); 83 84 if (m->m_pkthdr.len < sizeof(cmd) + cmd.length) 85 goto reject; 86 87 DPRINTFN(2, "(%s) code %d, ident %d, len %d\n", 88 link->hl_unit->hci_devname, 89 cmd.code, cmd.ident, cmd.length); 90 91 switch (cmd.code) { 92 case L2CAP_COMMAND_REJ: 93 if (cmd.length > sizeof(l2cap_cmd_rej_cp)) 94 goto finish; 95 96 l2cap_recv_command_rej(m, link); 97 break; 98 99 case L2CAP_CONNECT_REQ: 100 if (cmd.length != sizeof(l2cap_con_req_cp)) 101 goto reject; 102 103 l2cap_recv_connect_req(m, link); 104 break; 105 106 case L2CAP_CONNECT_RSP: 107 if (cmd.length != sizeof(l2cap_con_rsp_cp)) 108 goto finish; 109 110 l2cap_recv_connect_rsp(m, link); 111 break; 112 113 case L2CAP_CONFIG_REQ: 114 l2cap_recv_config_req(m, link); 115 break; 116 117 case L2CAP_CONFIG_RSP: 118 l2cap_recv_config_rsp(m, link); 119 break; 120 121 case L2CAP_DISCONNECT_REQ: 122 if (cmd.length != sizeof(l2cap_discon_req_cp)) 123 goto reject; 124 125 l2cap_recv_disconnect_req(m, link); 126 break; 127 128 case L2CAP_DISCONNECT_RSP: 129 if (cmd.length != sizeof(l2cap_discon_rsp_cp)) 130 goto finish; 131 132 l2cap_recv_disconnect_rsp(m, link); 133 break; 134 135 case L2CAP_ECHO_REQ: 136 m_adj(m, sizeof(cmd) + cmd.length); 137 l2cap_send_signal(link, L2CAP_ECHO_RSP, cmd.ident, 138 0, NULL); 139 break; 140 141 case L2CAP_ECHO_RSP: 142 m_adj(m, sizeof(cmd) + cmd.length); 143 break; 144 145 case L2CAP_INFO_REQ: 146 if (cmd.length != sizeof(l2cap_info_req_cp)) 147 goto reject; 148 149 l2cap_recv_info_req(m, link); 150 break; 151 152 case L2CAP_INFO_RSP: 153 m_adj(m, sizeof(cmd) + cmd.length); 154 break; 155 156 default: 157 goto reject; 158 } 159 } 160 161 #ifdef DIAGNOSTIC 162 panic("impossible!"); 163 #endif 164 165 reject: 166 l2cap_send_command_rej(link, cmd.ident, L2CAP_REJ_NOT_UNDERSTOOD); 167 finish: 168 m_freem(m); 169 } 170 171 /* 172 * Process Received Command Reject. For now we dont try to recover gracefully 173 * from this, it probably means that the link is garbled or the other end is 174 * insufficiently capable of handling normal traffic. (not *my* fault, no way!) 175 */ 176 static void 177 l2cap_recv_command_rej(struct mbuf *m, struct hci_link *link) 178 { 179 struct l2cap_req *req; 180 struct l2cap_channel *chan; 181 l2cap_cmd_hdr_t cmd; 182 l2cap_cmd_rej_cp cp; 183 184 m_copydata(m, 0, sizeof(cmd), &cmd); 185 m_adj(m, sizeof(cmd)); 186 187 cmd.length = le16toh(cmd.length); 188 189 m_copydata(m, 0, cmd.length, &cp); 190 m_adj(m, cmd.length); 191 192 req = l2cap_request_lookup(link, cmd.ident); 193 if (req == NULL) 194 return; 195 196 switch (le16toh(cp.reason)) { 197 case L2CAP_REJ_NOT_UNDERSTOOD: 198 /* 199 * I dont know what to do, just move up the timeout 200 */ 201 callout_schedule(&req->lr_rtx, 0); 202 break; 203 204 case L2CAP_REJ_MTU_EXCEEDED: 205 /* 206 * I didnt send any commands over L2CAP_MTU_MINIMUM size, but.. 207 */ 208 link->hl_mtu = le16toh(cp.data[0]); 209 callout_schedule(&req->lr_rtx, 0); // XX maybe resend instead? 210 break; 211 212 case L2CAP_REJ_INVALID_CID: 213 /* 214 * Well, if they dont have such a channel then our channel is 215 * most likely closed. Make it so. 216 */ 217 chan = req->lr_chan; 218 l2cap_request_free(req); 219 if (chan != NULL && chan->lc_state != L2CAP_CLOSED) 220 l2cap_close(chan, ECONNABORTED); 221 222 break; 223 224 default: 225 UNKNOWN(le16toh(cp.reason)); 226 break; 227 } 228 } 229 230 /* 231 * Process Received Connect Request. Find listening channel matching 232 * psm & addr and ask upper layer for a new channel. 233 */ 234 static void 235 l2cap_recv_connect_req(struct mbuf *m, struct hci_link *link) 236 { 237 struct sockaddr_bt laddr, raddr; 238 struct l2cap_channel *chan, *new; 239 l2cap_cmd_hdr_t cmd; 240 l2cap_con_req_cp cp; 241 l2cap_con_rsp_cp rp; 242 int err; 243 244 /* extract cmd */ 245 m_copydata(m, 0, sizeof(cmd), &cmd); 246 m_adj(m, sizeof(cmd)); 247 248 /* extract request */ 249 m_copydata(m, 0, sizeof(cp), &cp); 250 m_adj(m, sizeof(cp)); 251 252 /* init response */ 253 memset(&rp, 0, sizeof(rp)); 254 rp.scid = cp.scid; 255 256 memset(&laddr, 0, sizeof(struct sockaddr_bt)); 257 laddr.bt_len = sizeof(struct sockaddr_bt); 258 laddr.bt_family = AF_BLUETOOTH; 259 laddr.bt_psm = le16toh(cp.psm); 260 bdaddr_copy(&laddr.bt_bdaddr, &link->hl_unit->hci_bdaddr); 261 262 memset(&raddr, 0, sizeof(struct sockaddr_bt)); 263 raddr.bt_len = sizeof(struct sockaddr_bt); 264 raddr.bt_family = AF_BLUETOOTH; 265 raddr.bt_psm = le16toh(cp.psm); 266 bdaddr_copy(&raddr.bt_bdaddr, &link->hl_bdaddr); 267 268 LIST_FOREACH(chan, &l2cap_listen_list, lc_ncid) { 269 if (chan->lc_laddr.bt_psm != laddr.bt_psm 270 && chan->lc_laddr.bt_psm != L2CAP_PSM_ANY) 271 continue; 272 273 if (!bdaddr_same(&laddr.bt_bdaddr, &chan->lc_laddr.bt_bdaddr) 274 && bdaddr_any(&chan->lc_laddr.bt_bdaddr) == 0) 275 continue; 276 277 new= (*chan->lc_proto->newconn)(chan->lc_upper, &laddr, &raddr); 278 if (new == NULL) 279 continue; 280 281 err = l2cap_cid_alloc(new); 282 if (err) { 283 rp.result = htole16(L2CAP_NO_RESOURCES); 284 l2cap_send_signal(link, L2CAP_CONNECT_RSP, 285 cmd.ident, sizeof(rp), &rp); 286 (*new->lc_proto->disconnected)(new->lc_upper, err); 287 return; 288 } 289 290 new->lc_link = hci_acl_open(link->hl_unit, &link->hl_bdaddr); 291 KASSERT(new->lc_link == link); 292 293 new->lc_rcid = le16toh(cp.scid); 294 295 memcpy(&new->lc_laddr, &laddr, sizeof(struct sockaddr_bt)); 296 memcpy(&new->lc_raddr, &raddr, sizeof(struct sockaddr_bt)); 297 298 rp.dcid = htole16(new->lc_lcid); 299 rp.result = htole16(L2CAP_SUCCESS); 300 l2cap_send_signal(link, L2CAP_CONNECT_RSP, cmd.ident, 301 sizeof(rp), &rp); 302 303 new->lc_state = L2CAP_WAIT_CONFIG; 304 new->lc_flags |= (L2CAP_WAIT_CONFIG_REQ | L2CAP_WAIT_CONFIG_RSP); 305 l2cap_send_config_req(new); 306 return; 307 } 308 309 rp.result = htole16(L2CAP_PSM_NOT_SUPPORTED); 310 l2cap_send_signal(link, L2CAP_CONNECT_RSP, cmd.ident, sizeof(rp), &rp); 311 } 312 313 /* 314 * Process Received Connect Response. 315 */ 316 static void 317 l2cap_recv_connect_rsp(struct mbuf *m, struct hci_link *link) 318 { 319 l2cap_cmd_hdr_t cmd; 320 l2cap_con_rsp_cp cp; 321 struct l2cap_req *req; 322 struct l2cap_channel *chan; 323 324 m_copydata(m, 0, sizeof(cmd), &cmd); 325 m_adj(m, sizeof(cmd)); 326 327 m_copydata(m, 0, sizeof(cp), &cp); 328 m_adj(m, sizeof(cp)); 329 330 cp.scid = le16toh(cp.scid); 331 cp.dcid = le16toh(cp.dcid); 332 cp.result = le16toh(cp.result); 333 334 req = l2cap_request_lookup(link, cmd.ident); 335 if (req == NULL || req->lr_code != L2CAP_CONNECT_REQ) 336 return; 337 338 chan = req->lr_chan; 339 if (chan != NULL && chan->lc_lcid != cp.scid) 340 return; 341 342 if (chan == NULL || chan->lc_state != L2CAP_WAIT_CONNECT_RSP) { 343 l2cap_request_free(req); 344 return; 345 } 346 347 switch (cp.result) { 348 case L2CAP_SUCCESS: 349 /* 350 * Ok, at this point we have a connection to the other party. We 351 * could indicate upstream that we are ready for business and 352 * wait for a "Configure Channel Request" but I'm not so sure 353 * that is required in our case - we will proceed directly to 354 * sending our config request. We set two state bits because in 355 * the config state we are waiting for requests and responses. 356 */ 357 l2cap_request_free(req); 358 chan->lc_rcid = cp.dcid; 359 chan->lc_state = L2CAP_WAIT_CONFIG; 360 chan->lc_flags |= (L2CAP_WAIT_CONFIG_REQ | L2CAP_WAIT_CONFIG_RSP); 361 l2cap_send_config_req(chan); 362 break; 363 364 case L2CAP_PENDING: 365 // dont release request, should start eRTX timeout? 366 (*chan->lc_proto->connecting)(chan->lc_upper); 367 break; 368 369 case L2CAP_PSM_NOT_SUPPORTED: 370 case L2CAP_SECURITY_BLOCK: 371 case L2CAP_NO_RESOURCES: 372 default: 373 l2cap_request_free(req); 374 l2cap_close(chan, ECONNREFUSED); 375 break; 376 } 377 } 378 379 /* 380 * Process Received Config Reqest. 381 */ 382 static void 383 l2cap_recv_config_req(struct mbuf *m, struct hci_link *link) 384 { 385 uint8_t buf[L2CAP_MTU_MINIMUM]; 386 l2cap_cmd_hdr_t cmd; 387 l2cap_cfg_req_cp cp; 388 l2cap_cfg_opt_t opt; 389 l2cap_cfg_opt_val_t val; 390 l2cap_cfg_rsp_cp rp; 391 struct l2cap_channel *chan; 392 int left, len; 393 394 m_copydata(m, 0, sizeof(cmd), &cmd); 395 m_adj(m, sizeof(cmd)); 396 left = le16toh(cmd.length); 397 398 if (left < sizeof(cp)) 399 goto reject; 400 401 m_copydata(m, 0, sizeof(cp), &cp); 402 m_adj(m, sizeof(cp)); 403 left -= sizeof(cp); 404 405 cp.dcid = le16toh(cp.dcid); 406 cp.flags = le16toh(cp.flags); 407 408 chan = l2cap_cid_lookup(cp.dcid); 409 if (chan == NULL || chan->lc_link != link 410 || chan->lc_state != L2CAP_WAIT_CONFIG 411 || (chan->lc_flags & L2CAP_WAIT_CONFIG_REQ) == 0) { 412 /* XXX we should really accept reconfiguration requests */ 413 l2cap_send_command_rej(link, cmd.ident, L2CAP_REJ_INVALID_CID, 414 L2CAP_NULL_CID, cp.dcid); 415 goto out; 416 } 417 418 /* ready our response packet */ 419 rp.scid = htole16(chan->lc_rcid); 420 rp.flags = 0; /* "No Continuation" */ 421 rp.result = L2CAP_SUCCESS; 422 len = sizeof(rp); 423 424 /* 425 * Process the packet. We build the return packet on the fly adding any 426 * unacceptable parameters as we go. As we can only return one result, 427 * unknown option takes precedence so we start our return packet anew 428 * and ignore option values thereafter as they will be re-sent. 429 * 430 * Since we do not support enough options to make overflowing the min 431 * MTU size an issue in normal use, we just reject config requests that 432 * make that happen. This could be because options are repeated or the 433 * packet is corrupted in some way. 434 * 435 * If unknown option types threaten to overflow the packet, we just 436 * ignore them. We can deny them next time. 437 */ 438 while (left > 0) { 439 if (left < sizeof(opt)) 440 goto reject; 441 442 m_copydata(m, 0, sizeof(opt), &opt); 443 m_adj(m, sizeof(opt)); 444 left -= sizeof(opt); 445 446 if (left < opt.length) 447 goto reject; 448 449 switch(opt.type & L2CAP_OPT_HINT_MASK) { 450 case L2CAP_OPT_MTU: 451 if (rp.result == L2CAP_UNKNOWN_OPTION) 452 break; 453 454 if (opt.length != L2CAP_OPT_MTU_SIZE) 455 goto reject; 456 457 m_copydata(m, 0, L2CAP_OPT_MTU_SIZE, &val); 458 val.mtu = le16toh(val.mtu); 459 460 /* 461 * XXX how do we know what the minimum acceptable MTU is 462 * for a channel? Spec says some profiles have a higher 463 * minimum but I have no way to find that out at this 464 * juncture.. 465 */ 466 if (val.mtu < L2CAP_MTU_MINIMUM) { 467 if (len + sizeof(opt) + L2CAP_OPT_MTU_SIZE > sizeof(buf)) 468 goto reject; 469 470 rp.result = L2CAP_UNACCEPTABLE_PARAMS; 471 memcpy(buf + len, &opt, sizeof(opt)); 472 len += sizeof(opt); 473 val.mtu = htole16(L2CAP_MTU_MINIMUM); 474 memcpy(buf + len, &val, L2CAP_OPT_MTU_SIZE); 475 len += L2CAP_OPT_MTU_SIZE; 476 } else 477 chan->lc_omtu = val.mtu; 478 479 break; 480 481 case L2CAP_OPT_FLUSH_TIMO: 482 if (rp.result == L2CAP_UNKNOWN_OPTION) 483 break; 484 485 if (opt.length != L2CAP_OPT_FLUSH_TIMO_SIZE) 486 goto reject; 487 488 /* 489 * I think that this is informational only - he is 490 * informing us of the flush timeout he will be using. 491 * I dont think this affects us in any significant way, 492 * so just ignore this value for now. 493 */ 494 break; 495 496 case L2CAP_OPT_QOS: 497 default: 498 /* ignore hints */ 499 if (opt.type & L2CAP_OPT_HINT_BIT) 500 break; 501 502 /* unknown options supercede all else */ 503 if (rp.result != L2CAP_UNKNOWN_OPTION) { 504 rp.result = L2CAP_UNKNOWN_OPTION; 505 len = sizeof(rp); 506 } 507 508 /* ignore if it don't fit */ 509 if (len + sizeof(opt) > sizeof(buf)) 510 break; 511 512 /* return unknown option type, but no data */ 513 buf[len++] = opt.type; 514 buf[len++] = 0; 515 break; 516 } 517 518 m_adj(m, opt.length); 519 left -= opt.length; 520 } 521 522 rp.result = htole16(rp.result); 523 memcpy(buf, &rp, sizeof(rp)); 524 l2cap_send_signal(link, L2CAP_CONFIG_RSP, cmd.ident, len, buf); 525 526 if ((cp.flags & L2CAP_OPT_CFLAG_BIT) == 0 527 && rp.result == le16toh(L2CAP_SUCCESS)) { 528 529 chan->lc_flags &= ~L2CAP_WAIT_CONFIG_REQ; 530 531 if ((chan->lc_flags & L2CAP_WAIT_CONFIG_RSP) == 0) { 532 chan->lc_state = L2CAP_OPEN; 533 // XXX how to distinguish REconfiguration? 534 (*chan->lc_proto->connected)(chan->lc_upper); 535 } 536 } 537 return; 538 539 reject: 540 l2cap_send_command_rej(link, cmd.ident, L2CAP_REJ_NOT_UNDERSTOOD); 541 out: 542 m_adj(m, left); 543 } 544 545 /* 546 * Process Received Config Response. 547 */ 548 static void 549 l2cap_recv_config_rsp(struct mbuf *m, struct hci_link *link) 550 { 551 l2cap_cmd_hdr_t cmd; 552 l2cap_cfg_rsp_cp cp; 553 l2cap_cfg_opt_t opt; 554 l2cap_cfg_opt_val_t val; 555 struct l2cap_req *req; 556 struct l2cap_channel *chan; 557 int left; 558 559 m_copydata(m, 0, sizeof(cmd), &cmd); 560 m_adj(m, sizeof(cmd)); 561 left = le16toh(cmd.length); 562 563 if (left < sizeof(cp)) 564 goto out; 565 566 m_copydata(m, 0, sizeof(cp), &cp); 567 m_adj(m, sizeof(cp)); 568 left -= sizeof(cp); 569 570 cp.scid = le16toh(cp.scid); 571 cp.flags = le16toh(cp.flags); 572 cp.result = le16toh(cp.result); 573 574 req = l2cap_request_lookup(link, cmd.ident); 575 if (req == NULL || req->lr_code != L2CAP_CONFIG_REQ) 576 goto out; 577 578 chan = req->lr_chan; 579 if (chan != NULL && chan->lc_lcid != cp.scid) 580 goto out; 581 582 l2cap_request_free(req); 583 584 if (chan == NULL || chan->lc_state != L2CAP_WAIT_CONFIG 585 || (chan->lc_flags & L2CAP_WAIT_CONFIG_RSP) == 0) 586 goto out; 587 588 if ((cp.flags & L2CAP_OPT_CFLAG_BIT)) { 589 l2cap_cfg_req_cp rp; 590 591 /* 592 * They have more to tell us and want another ID to 593 * use, so send an empty config request 594 */ 595 if (l2cap_request_alloc(chan, L2CAP_CONFIG_REQ)) 596 goto discon; 597 598 rp.dcid = htole16(cp.scid); 599 rp.flags = 0; 600 601 if (l2cap_send_signal(link, L2CAP_CONFIG_REQ, link->hl_lastid, 602 sizeof(rp), &rp)) 603 goto discon; 604 } 605 606 switch(cp.result) { 607 case L2CAP_SUCCESS: 608 /* 609 * If continuation flag was not set, our config request was 610 * accepted. We may have to wait for their config request to 611 * complete, so check that but otherwise we are open 612 * 613 * There may be 'advisory' values in the packet but we just 614 * ignore those.. 615 */ 616 if ((cp.flags & L2CAP_OPT_CFLAG_BIT) == 0) { 617 chan->lc_flags &= ~L2CAP_WAIT_CONFIG_RSP; 618 619 if ((chan->lc_flags & L2CAP_WAIT_CONFIG_REQ) == 0) { 620 chan->lc_state = L2CAP_OPEN; 621 // XXX how to distinguish REconfiguration? 622 (*chan->lc_proto->connected)(chan->lc_upper); 623 } 624 } 625 goto out; 626 627 case L2CAP_UNACCEPTABLE_PARAMS: 628 /* 629 * Packet contains unacceptable parameters with preferred values 630 */ 631 while (left > 0) { 632 if (left < sizeof(opt)) 633 goto discon; 634 635 m_copydata(m, 0, sizeof(opt), &opt); 636 m_adj(m, sizeof(opt)); 637 left -= sizeof(opt); 638 639 if (left < opt.length) 640 goto discon; 641 642 switch (opt.type) { 643 case L2CAP_OPT_MTU: 644 if (opt.length != L2CAP_OPT_MTU_SIZE) 645 goto discon; 646 647 m_copydata(m, 0, L2CAP_OPT_MTU_SIZE, &val); 648 chan->lc_imtu = le16toh(val.mtu); 649 if (chan->lc_imtu < L2CAP_MTU_MINIMUM) 650 chan->lc_imtu = L2CAP_MTU_DEFAULT; 651 break; 652 653 case L2CAP_OPT_FLUSH_TIMO: 654 if (opt.length != L2CAP_OPT_FLUSH_TIMO_SIZE) 655 goto discon; 656 657 /* 658 * Spec says: If we cannot honor proposed value, 659 * either disconnect or try again with original 660 * value. I can't really see why they want to 661 * interfere with OUR flush timeout in any case 662 * so we just punt for now. 663 */ 664 goto discon; 665 666 case L2CAP_OPT_QOS: 667 break; 668 669 default: 670 UNKNOWN(opt.type); 671 goto discon; 672 } 673 674 m_adj(m, opt.length); 675 left -= opt.length; 676 } 677 678 if ((cp.flags & L2CAP_OPT_CFLAG_BIT) == 0) 679 l2cap_send_config_req(chan); // no state change 680 681 goto out; 682 683 case L2CAP_REJECT: 684 goto discon; 685 686 case L2CAP_UNKNOWN_OPTION: 687 /* 688 * Packet contains options not understood. Turn off unknown 689 * options by setting them to default values (means they will 690 * not be requested again). 691 * 692 * If our option was already off then fail (paranoia?) 693 * 694 * XXX Should we consider that options were set for a reason? 695 */ 696 while (left > 0) { 697 if (left < sizeof(opt)) 698 goto discon; 699 700 m_copydata(m, 0, sizeof(opt), &opt); 701 m_adj(m, sizeof(opt)); 702 left -= sizeof(opt); 703 704 if (left < opt.length) 705 goto discon; 706 707 m_adj(m, opt.length); 708 left -= opt.length; 709 710 switch(opt.type) { 711 case L2CAP_OPT_MTU: 712 if (chan->lc_imtu == L2CAP_MTU_DEFAULT) 713 goto discon; 714 715 chan->lc_imtu = L2CAP_MTU_DEFAULT; 716 break; 717 718 case L2CAP_OPT_FLUSH_TIMO: 719 if (chan->lc_flush == L2CAP_FLUSH_TIMO_DEFAULT) 720 goto discon; 721 722 chan->lc_flush = L2CAP_FLUSH_TIMO_DEFAULT; 723 break; 724 725 case L2CAP_OPT_QOS: 726 break; 727 728 default: 729 UNKNOWN(opt.type); 730 goto discon; 731 } 732 } 733 734 if ((cp.flags & L2CAP_OPT_CFLAG_BIT) == 0) 735 l2cap_send_config_req(chan); /* no state change */ 736 737 goto out; 738 739 default: 740 UNKNOWN(cp.result); 741 goto discon; 742 } 743 744 DPRINTF("how did I get here!?\n"); 745 746 discon: 747 l2cap_send_disconnect_req(chan); 748 l2cap_close(chan, ECONNABORTED); 749 750 out: 751 m_adj(m, left); 752 } 753 754 /* 755 * Process Received Disconnect Request. We must validate scid and dcid 756 * just in case but otherwise this connection is finished. 757 */ 758 static void 759 l2cap_recv_disconnect_req(struct mbuf *m, struct hci_link *link) 760 { 761 l2cap_cmd_hdr_t cmd; 762 l2cap_discon_req_cp cp; 763 l2cap_discon_rsp_cp rp; 764 struct l2cap_channel *chan; 765 766 m_copydata(m, 0, sizeof(cmd), &cmd); 767 m_adj(m, sizeof(cmd)); 768 769 m_copydata(m, 0, sizeof(cp), &cp); 770 m_adj(m, sizeof(cp)); 771 772 cp.scid = le16toh(cp.scid); 773 cp.dcid = le16toh(cp.dcid); 774 775 chan = l2cap_cid_lookup(cp.dcid); 776 if (chan == NULL || chan->lc_link != link || chan->lc_rcid != cp.scid) { 777 l2cap_send_command_rej(link, cmd.ident, L2CAP_REJ_INVALID_CID, 778 cp.dcid, cp.scid); 779 return; 780 } 781 782 rp.dcid = htole16(chan->lc_lcid); 783 rp.scid = htole16(chan->lc_rcid); 784 l2cap_send_signal(link, L2CAP_DISCONNECT_RSP, cmd.ident, 785 sizeof(rp), &rp); 786 787 if (chan->lc_state != L2CAP_CLOSED) 788 l2cap_close(chan, ECONNRESET); 789 } 790 791 /* 792 * Process Received Disconnect Response. We must validate scid and dcid but 793 * unless we were waiting for this signal, ignore it. 794 */ 795 static void 796 l2cap_recv_disconnect_rsp(struct mbuf *m, struct hci_link *link) 797 { 798 l2cap_cmd_hdr_t cmd; 799 l2cap_discon_rsp_cp cp; 800 struct l2cap_req *req; 801 struct l2cap_channel *chan; 802 803 m_copydata(m, 0, sizeof(cmd), &cmd); 804 m_adj(m, sizeof(cmd)); 805 806 m_copydata(m, 0, sizeof(cp), &cp); 807 m_adj(m, sizeof(cp)); 808 809 cp.scid = le16toh(cp.scid); 810 cp.dcid = le16toh(cp.dcid); 811 812 req = l2cap_request_lookup(link, cmd.ident); 813 if (req == NULL || req->lr_code != L2CAP_DISCONNECT_REQ) 814 return; 815 816 chan = req->lr_chan; 817 if (chan == NULL 818 || chan->lc_lcid != cp.scid 819 || chan->lc_rcid != cp.dcid) 820 return; 821 822 l2cap_request_free(req); 823 824 if (chan->lc_state != L2CAP_WAIT_DISCONNECT) 825 return; 826 827 l2cap_close(chan, 0); 828 } 829 830 /* 831 * Process Received Info Request. We must respond but alas dont 832 * support anything as yet so thats easy. 833 */ 834 static void 835 l2cap_recv_info_req(struct mbuf *m, struct hci_link *link) 836 { 837 l2cap_cmd_hdr_t cmd; 838 l2cap_info_req_cp cp; 839 l2cap_info_rsp_cp rp; 840 841 m_copydata(m, 0, sizeof(cmd), &cmd); 842 m_adj(m, sizeof(cmd)); 843 844 m_copydata(m, 0, sizeof(cp), &cp); 845 m_adj(m, sizeof(cp)); 846 847 switch(le16toh(cp.type)) { 848 case L2CAP_CONNLESS_MTU: 849 case L2CAP_EXTENDED_FEATURES: 850 default: 851 rp.type = cp.type; 852 rp.result = htole16(L2CAP_NOT_SUPPORTED); 853 854 l2cap_send_signal(link, L2CAP_INFO_RSP, cmd.ident, 855 sizeof(rp), &rp); 856 break; 857 } 858 } 859 860 /* 861 * Construct signal and wrap in C-Frame for link. 862 */ 863 static int 864 l2cap_send_signal(struct hci_link *link, uint8_t code, uint8_t ident, 865 uint16_t length, void *data) 866 { 867 struct mbuf *m; 868 l2cap_hdr_t *hdr; 869 l2cap_cmd_hdr_t *cmd; 870 871 #ifdef DIAGNOSTIC 872 if (link == NULL) 873 return ENETDOWN; 874 875 if (sizeof(l2cap_cmd_hdr_t) + length > link->hl_mtu) 876 printf("(%s) exceeding L2CAP Signal MTU for link!\n", 877 link->hl_unit->hci_devname); 878 #endif 879 880 m = m_gethdr(M_DONTWAIT, MT_DATA); 881 if (m == NULL) 882 return ENOMEM; 883 884 hdr = mtod(m, l2cap_hdr_t *); 885 cmd = (l2cap_cmd_hdr_t *)(hdr + 1); 886 887 m->m_len = m->m_pkthdr.len = MHLEN; 888 889 /* Command Data */ 890 if (length > 0) 891 m_copyback(m, sizeof(hdr) + sizeof(cmd), length, data); 892 893 /* Command Header */ 894 cmd->code = code; 895 cmd->ident = ident; 896 cmd->length = htole16(length); 897 length += sizeof(cmd); 898 899 /* C-Frame Header */ 900 hdr->length = htole16(length); 901 hdr->dcid = htole16(L2CAP_SIGNAL_CID); 902 length += sizeof(hdr); 903 904 if (m->m_pkthdr.len != MAX(MHLEN, length)) { 905 m_freem(m); 906 return ENOMEM; 907 } 908 909 m->m_pkthdr.len = length; 910 m->m_len = MIN(length, MHLEN); 911 912 DPRINTFN(2, "(%s) code %d, ident %d, len %d\n", 913 link->hl_unit->hci_devname, code, ident, length); 914 915 return hci_acl_send(m, link, NULL); 916 } 917 918 /* 919 * Send Command Reject packet. 920 */ 921 static int 922 l2cap_send_command_rej(struct hci_link *link, uint8_t ident, 923 uint16_t reason, ...) 924 { 925 l2cap_cmd_rej_cp cp; 926 int len = 0; 927 va_list ap; 928 929 va_start(ap, reason); 930 931 cp.reason = htole16(reason); 932 933 switch (reason) { 934 case L2CAP_REJ_NOT_UNDERSTOOD: 935 len = 2; 936 break; 937 938 case L2CAP_REJ_MTU_EXCEEDED: 939 len = 4; 940 cp.data[0] = va_arg(ap, int); /* SigMTU */ 941 cp.data[0] = htole16(cp.data[0]); 942 break; 943 944 case L2CAP_REJ_INVALID_CID: 945 len = 6; 946 cp.data[0] = va_arg(ap, int); /* dcid */ 947 cp.data[0] = htole16(cp.data[0]); 948 cp.data[1] = va_arg(ap, int); /* scid */ 949 cp.data[1] = htole16(cp.data[1]); 950 break; 951 952 default: 953 UNKNOWN(reason); 954 return EINVAL; 955 } 956 957 va_end(ap); 958 959 return l2cap_send_signal(link, L2CAP_COMMAND_REJ, ident, len, &cp); 960 } 961 962 /* 963 * Send Connect Request 964 */ 965 int 966 l2cap_send_connect_req(struct l2cap_channel *chan) 967 { 968 l2cap_con_req_cp cp; 969 int err; 970 971 err = l2cap_request_alloc(chan, L2CAP_CONNECT_REQ); 972 if (err) 973 return err; 974 975 cp.psm = htole16(chan->lc_raddr.bt_psm); 976 cp.scid = htole16(chan->lc_lcid); 977 978 return l2cap_send_signal(chan->lc_link, L2CAP_CONNECT_REQ, 979 chan->lc_link->hl_lastid, sizeof(cp), &cp); 980 } 981 982 /* 983 * Send Config Request 984 * 985 * For outgoing config request, we only put options in the packet if they 986 * differ from the default and would have to be actioned. We dont support 987 * enough option types to make overflowing SigMTU an issue so it can all 988 * go in one packet. 989 */ 990 int 991 l2cap_send_config_req(struct l2cap_channel *chan) 992 { 993 l2cap_cfg_req_cp *cp; 994 l2cap_cfg_opt_t *opt; 995 l2cap_cfg_opt_val_t *val; 996 uint8_t *next, buf[L2CAP_MTU_MINIMUM]; 997 int err; 998 999 err = l2cap_request_alloc(chan, L2CAP_CONFIG_REQ); 1000 if (err) 1001 return err; 1002 1003 /* Config Header (4 octets) */ 1004 cp = (l2cap_cfg_req_cp *)buf; 1005 cp->dcid = htole16(chan->lc_rcid); 1006 cp->flags = 0; /* "No Continuation" */ 1007 1008 next = buf + sizeof(l2cap_cfg_req_cp); 1009 1010 /* Incoming MTU (4 octets) */ 1011 if (chan->lc_imtu != L2CAP_MTU_DEFAULT) { 1012 opt = (l2cap_cfg_opt_t *)next; 1013 opt->type = L2CAP_OPT_MTU; 1014 opt->length = L2CAP_OPT_MTU_SIZE; 1015 1016 val = (l2cap_cfg_opt_val_t *)(opt + 1); 1017 val->mtu = htole16(chan->lc_imtu); 1018 1019 next += sizeof(l2cap_cfg_opt_t) + L2CAP_OPT_MTU_SIZE; 1020 } 1021 1022 /* Flush Timeout (4 octets) */ 1023 if (chan->lc_flush != L2CAP_FLUSH_TIMO_DEFAULT) { 1024 opt = (l2cap_cfg_opt_t *)next; 1025 opt->type = L2CAP_OPT_FLUSH_TIMO; 1026 opt->length = L2CAP_OPT_FLUSH_TIMO_SIZE; 1027 1028 val = (l2cap_cfg_opt_val_t *)(opt + 1); 1029 val->flush_timo = htole16(chan->lc_flush); 1030 1031 next += sizeof(l2cap_cfg_opt_t) + L2CAP_OPT_FLUSH_TIMO_SIZE; 1032 } 1033 1034 /* Outgoing QoS Flow (24 octets) */ 1035 /* Retransmission & Flow Control (11 octets) */ 1036 /* 1037 * From here we need to start paying attention to SigMTU as we have 1038 * possibly overflowed the minimum supported.. 1039 */ 1040 1041 return l2cap_send_signal(chan->lc_link, L2CAP_CONFIG_REQ, 1042 chan->lc_link->hl_lastid, (int)(next - buf), buf); 1043 } 1044 1045 /* 1046 * Send Disconnect Request 1047 */ 1048 int 1049 l2cap_send_disconnect_req(struct l2cap_channel *chan) 1050 { 1051 l2cap_discon_req_cp cp; 1052 int err; 1053 1054 err = l2cap_request_alloc(chan, L2CAP_DISCONNECT_REQ); 1055 if (err) 1056 return err; 1057 1058 cp.dcid = htole16(chan->lc_rcid); 1059 cp.scid = htole16(chan->lc_lcid); 1060 1061 return l2cap_send_signal(chan->lc_link, L2CAP_DISCONNECT_REQ, 1062 chan->lc_link->hl_lastid, sizeof(cp), &cp); 1063 } 1064
Indexes created Thu Sep 25 08:09:54 GMT 2025