1 /******************************************************************************
2  *
3  *  Copyright 2014 Google, Inc.
4  *
5  *  Licensed under the Apache License, Version 2.0 (the "License");
6  *  you may not use this file except in compliance with the License.
7  *  You may obtain a copy of the License at:
8  *
9  *  http://www.apache.org/licenses/LICENSE-2.0
10  *
11  *  Unless required by applicable law or agreed to in writing, software
12  *  distributed under the License is distributed on an "AS IS" BASIS,
13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  *  See the License for the specific language governing permissions and
15  *  limitations under the License.
16  *
17  ******************************************************************************/
18 
19 #define LOG_TAG "bt_hci_packet_fragmenter"
20 
21 #include "packet_fragmenter.h"
22 
23 #include <base/logging.h>
24 #include <string.h>
25 #include <unordered_map>
26 
27 #include "bt_target.h"
28 #include "buffer_allocator.h"
29 #include "device/include/controller.h"
30 #include "hci_internals.h"
31 #include "osi/include/log.h"
32 #include "osi/include/osi.h"
33 
34 #define APPLY_CONTINUATION_FLAG(handle) (((handle)&0xCFFF) | 0x1000)
35 #define APPLY_START_FLAG(handle) (((handle)&0xCFFF) | 0x2000)
36 #define SUB_EVENT(event) ((event)&MSG_SUB_EVT_MASK)
37 #define GET_BOUNDARY_FLAG(handle) (((handle) >> 12) & 0x0003)
38 
39 #define HANDLE_MASK 0x0FFF
40 #define START_PACKET_BOUNDARY 2
41 #define CONTINUATION_PACKET_BOUNDARY 1
42 #define L2CAP_HEADER_PDU_LEN_SIZE 2
43 #define L2CAP_HEADER_CID_SIZE 2
44 #define L2CAP_HEADER_SIZE (L2CAP_HEADER_PDU_LEN_SIZE + L2CAP_HEADER_CID_SIZE)
45 
46 // Our interface and callbacks
47 
48 static const allocator_t* buffer_allocator;
49 static const controller_t* controller;
50 static const packet_fragmenter_callbacks_t* callbacks;
51 
52 static std::unordered_map<uint16_t /* handle */, BT_HDR*> partial_packets;
53 
init(const packet_fragmenter_callbacks_t * result_callbacks)54 static void init(const packet_fragmenter_callbacks_t* result_callbacks) {
55   callbacks = result_callbacks;
56 }
57 
cleanup()58 static void cleanup() { partial_packets.clear(); }
59 
fragment_and_dispatch(BT_HDR * packet)60 static void fragment_and_dispatch(BT_HDR* packet) {
61   CHECK(packet != NULL);
62 
63   uint16_t event = packet->event & MSG_EVT_MASK;
64   uint8_t* stream = packet->data + packet->offset;
65 
66   // We only fragment ACL packets
67   if (event != MSG_STACK_TO_HC_HCI_ACL) {
68     callbacks->fragmented(packet, true);
69     return;
70   }
71 
72   uint16_t max_data_size =
73       SUB_EVENT(packet->event) == LOCAL_BR_EDR_CONTROLLER_ID
74           ? controller->get_acl_data_size_classic()
75           : controller->get_acl_data_size_ble();
76 
77   uint16_t max_packet_size = max_data_size + HCI_ACL_PREAMBLE_SIZE;
78   uint16_t remaining_length = packet->len;
79 
80   uint16_t continuation_handle;
81   STREAM_TO_UINT16(continuation_handle, stream);
82   continuation_handle = APPLY_CONTINUATION_FLAG(continuation_handle);
83 
84   while (remaining_length > max_packet_size) {
85     // Make sure we use the right ACL packet size
86     stream = packet->data + packet->offset;
87     STREAM_SKIP_UINT16(stream);
88     UINT16_TO_STREAM(stream, max_data_size);
89 
90     packet->len = max_packet_size;
91     callbacks->fragmented(packet, false);
92 
93     packet->offset += max_data_size;
94     remaining_length -= max_data_size;
95     packet->len = remaining_length;
96 
97     // Write the ACL header for the next fragment
98     stream = packet->data + packet->offset;
99     UINT16_TO_STREAM(stream, continuation_handle);
100     UINT16_TO_STREAM(stream, remaining_length - HCI_ACL_PREAMBLE_SIZE);
101 
102     // Apparently L2CAP can set layer_specific to a max number of segments to
103     // transmit
104     if (packet->layer_specific) {
105       packet->layer_specific--;
106 
107       if (packet->layer_specific == 0) {
108         packet->event = MSG_HC_TO_STACK_L2C_SEG_XMIT;
109         callbacks->transmit_finished(packet, false);
110         return;
111       }
112     }
113   }
114 
115   callbacks->fragmented(packet, true);
116 }
117 
check_uint16_overflow(uint16_t a,uint16_t b)118 static bool check_uint16_overflow(uint16_t a, uint16_t b) {
119   return (UINT16_MAX - a) < b;
120 }
121 
reassemble_and_dispatch(UNUSED_ATTR BT_HDR * packet)122 static void reassemble_and_dispatch(UNUSED_ATTR BT_HDR* packet) {
123   if ((packet->event & MSG_EVT_MASK) == MSG_HC_TO_STACK_HCI_ACL) {
124     uint8_t* stream = packet->data;
125     uint16_t handle;
126     uint16_t acl_length;
127 
128     STREAM_TO_UINT16(handle, stream);
129     STREAM_TO_UINT16(acl_length, stream);
130 
131     CHECK(acl_length == packet->len - HCI_ACL_PREAMBLE_SIZE);
132 
133     uint8_t boundary_flag = GET_BOUNDARY_FLAG(handle);
134     handle = handle & HANDLE_MASK;
135 
136     if (boundary_flag == START_PACKET_BOUNDARY) {
137       if (acl_length < 2) {
138         LOG_WARN("%s invalid acl_length %d", __func__, acl_length);
139         buffer_allocator->free(packet);
140         return;
141       }
142       uint16_t l2cap_length;
143       STREAM_TO_UINT16(l2cap_length, stream);
144       auto map_iter = partial_packets.find(handle);
145       if (map_iter != partial_packets.end()) {
146         LOG_WARN(
147             "%s found unfinished packet for handle with start packet. "
148             "Dropping old.",
149             __func__);
150 
151         BT_HDR* hdl = map_iter->second;
152         partial_packets.erase(map_iter);
153         buffer_allocator->free(hdl);
154       }
155 
156       if (acl_length < L2CAP_HEADER_PDU_LEN_SIZE) {
157         LOG_WARN("%s L2CAP packet too small (%d < %d). Dropping it.", __func__,
158                  packet->len, L2CAP_HEADER_PDU_LEN_SIZE);
159         buffer_allocator->free(packet);
160         return;
161       }
162 
163       uint16_t full_length =
164           l2cap_length + L2CAP_HEADER_SIZE + HCI_ACL_PREAMBLE_SIZE;
165 
166       // Check for buffer overflow and that the full packet size + BT_HDR size
167       // is less than the max buffer size
168       if (check_uint16_overflow(l2cap_length,
169                                 (L2CAP_HEADER_SIZE + HCI_ACL_PREAMBLE_SIZE)) ||
170           ((full_length + sizeof(BT_HDR)) > BT_DEFAULT_BUFFER_SIZE)) {
171         LOG_ERROR("%s Dropping L2CAP packet with invalid length (%d).",
172                   __func__, l2cap_length);
173         buffer_allocator->free(packet);
174         return;
175       }
176 
177       if (full_length <= packet->len) {
178         if (full_length < packet->len)
179           LOG_WARN("%s found l2cap full length %d less than the hci length %d.",
180                    __func__, l2cap_length, packet->len);
181 
182         callbacks->reassembled(packet);
183         return;
184       }
185 
186       BT_HDR* partial_packet =
187           (BT_HDR*)buffer_allocator->alloc(full_length + sizeof(BT_HDR));
188       partial_packet->event = packet->event;
189       partial_packet->len = full_length;
190       partial_packet->offset = packet->len;
191 
192       memcpy(partial_packet->data, packet->data, packet->len);
193 
194       // Update the ACL data size to indicate the full expected length
195       stream = partial_packet->data;
196       STREAM_SKIP_UINT16(stream);  // skip the handle
197       UINT16_TO_STREAM(stream, full_length - HCI_ACL_PREAMBLE_SIZE);
198 
199       partial_packets[handle] = partial_packet;
200 
201       // Free the old packet buffer, since we don't need it anymore
202       buffer_allocator->free(packet);
203     } else {
204       auto map_iter = partial_packets.find(handle);
205       if (map_iter == partial_packets.end()) {
206         LOG_WARN("%s got continuation for unknown packet. Dropping it.",
207                  __func__);
208         buffer_allocator->free(packet);
209         return;
210       }
211       BT_HDR* partial_packet = map_iter->second;
212 
213       packet->offset = HCI_ACL_PREAMBLE_SIZE;
214       uint16_t projected_offset =
215           partial_packet->offset + (packet->len - HCI_ACL_PREAMBLE_SIZE);
216       if (projected_offset >
217           partial_packet->len) {  // len stores the expected length
218         LOG_WARN(
219             "%s got packet which would exceed expected length of %d. "
220             "Truncating.",
221             __func__, partial_packet->len);
222         packet->len = (partial_packet->len - partial_packet->offset) + packet->offset;
223         projected_offset = partial_packet->len;
224       }
225 
226       memcpy(partial_packet->data + partial_packet->offset,
227              packet->data + packet->offset, packet->len - packet->offset);
228 
229       // Free the old packet buffer, since we don't need it anymore
230       buffer_allocator->free(packet);
231       partial_packet->offset = projected_offset;
232 
233       if (partial_packet->offset == partial_packet->len) {
234         partial_packets.erase(handle);
235         partial_packet->offset = 0;
236         callbacks->reassembled(partial_packet);
237       }
238     }
239   } else {
240     callbacks->reassembled(packet);
241   }
242 }
243 
244 static const packet_fragmenter_t interface = {init, cleanup,
245 
246                                               fragment_and_dispatch,
247                                               reassemble_and_dispatch};
248 
packet_fragmenter_get_interface()249 const packet_fragmenter_t* packet_fragmenter_get_interface() {
250   controller = controller_get_interface();
251   buffer_allocator = buffer_allocator_get_interface();
252   return &interface;
253 }
254 
packet_fragmenter_get_test_interface(const controller_t * controller_interface,const allocator_t * buffer_allocator_interface)255 const packet_fragmenter_t* packet_fragmenter_get_test_interface(
256     const controller_t* controller_interface,
257     const allocator_t* buffer_allocator_interface) {
258   controller = controller_interface;
259   buffer_allocator = buffer_allocator_interface;
260   return &interface;
261 }
262