1 /******************************************************************************
2  *
3  *  Copyright 1999-2012 Broadcom Corporation
4  *
5  *  Licensed under the Apache License, Version 2.0 (the "License");
6  *  you may not use this file except in compliance with the License.
7  *  You may obtain a copy of the License at:
8  *
9  *  http://www.apache.org/licenses/LICENSE-2.0
10  *
11  *  Unless required by applicable law or agreed to in writing, software
12  *  distributed under the License is distributed on an "AS IS" BASIS,
13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  *  See the License for the specific language governing permissions and
15  *  limitations under the License.
16  *
17  ******************************************************************************/
18 
19 /******************************************************************************
20  *
21  *  This file contains functions to send TS 07.10 frames
22  *
23  ******************************************************************************/
24 
25 #include <stddef.h>
26 #include "bt_common.h"
27 #include "bt_target.h"
28 #include "l2c_api.h"
29 #include "log/log.h"
30 #include "port_api.h"
31 #include "port_int.h"
32 #include "rfc_int.h"
33 #include "rfcdefs.h"
34 
35 /*******************************************************************************
36  *
37  * Function         rfc_send_sabme
38  *
39  * Description      This function sends SABME frame.
40  *
41  ******************************************************************************/
rfc_send_sabme(tRFC_MCB * p_mcb,uint8_t dlci)42 void rfc_send_sabme(tRFC_MCB* p_mcb, uint8_t dlci) {
43   uint8_t* p_data;
44   uint8_t cr = RFCOMM_CR(p_mcb->is_initiator, true);
45   BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
46 
47   p_buf->offset = L2CAP_MIN_OFFSET;
48   p_data = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
49 
50   /* SABME frame, command, PF = 1, dlci */
51   *p_data++ = RFCOMM_EA | cr | (dlci << RFCOMM_SHIFT_DLCI);
52   *p_data++ = RFCOMM_SABME | RFCOMM_PF;
53   *p_data++ = RFCOMM_EA | 0;
54 
55   *p_data =
56       RFCOMM_SABME_FCS((uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET, cr, dlci);
57 
58   p_buf->len = 4;
59 
60   rfc_check_send_cmd(p_mcb, p_buf);
61 }
62 
63 /*******************************************************************************
64  *
65  * Function         rfc_send_ua
66  *
67  * Description      This function sends UA frame.
68  *
69  ******************************************************************************/
rfc_send_ua(tRFC_MCB * p_mcb,uint8_t dlci)70 void rfc_send_ua(tRFC_MCB* p_mcb, uint8_t dlci) {
71   uint8_t* p_data;
72   uint8_t cr = RFCOMM_CR(p_mcb->is_initiator, false);
73   BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
74 
75   p_buf->offset = L2CAP_MIN_OFFSET;
76   p_data = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
77 
78   /* ua frame, response, PF = 1, dlci */
79   *p_data++ = RFCOMM_EA | cr | (dlci << RFCOMM_SHIFT_DLCI);
80   *p_data++ = RFCOMM_UA | RFCOMM_PF;
81   *p_data++ = RFCOMM_EA | 0;
82 
83   *p_data = RFCOMM_UA_FCS((uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET, cr, dlci);
84 
85   p_buf->len = 4;
86 
87   rfc_check_send_cmd(p_mcb, p_buf);
88 }
89 
90 /*******************************************************************************
91  *
92  * Function         rfc_send_dm
93  *
94  * Description      This function sends DM frame.
95  *
96  ******************************************************************************/
rfc_send_dm(tRFC_MCB * p_mcb,uint8_t dlci,bool pf)97 void rfc_send_dm(tRFC_MCB* p_mcb, uint8_t dlci, bool pf) {
98   uint8_t* p_data;
99   uint8_t cr = RFCOMM_CR(p_mcb->is_initiator, false);
100   BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
101 
102   p_buf->offset = L2CAP_MIN_OFFSET;
103   p_data = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
104 
105   /* DM frame, response, PF = 1, dlci */
106   *p_data++ = RFCOMM_EA | cr | (dlci << RFCOMM_SHIFT_DLCI);
107   *p_data++ = RFCOMM_DM | ((pf) ? RFCOMM_PF : 0);
108   *p_data++ = RFCOMM_EA | 0;
109 
110   *p_data = RFCOMM_DM_FCS((uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET, cr, dlci);
111 
112   p_buf->len = 4;
113 
114   rfc_check_send_cmd(p_mcb, p_buf);
115 }
116 
117 /*******************************************************************************
118  *
119  * Function         rfc_send_disc
120  *
121  * Description      This function sends DISC frame.
122  *
123  ******************************************************************************/
rfc_send_disc(tRFC_MCB * p_mcb,uint8_t dlci)124 void rfc_send_disc(tRFC_MCB* p_mcb, uint8_t dlci) {
125   uint8_t* p_data;
126   uint8_t cr = RFCOMM_CR(p_mcb->is_initiator, true);
127   BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
128 
129   p_buf->offset = L2CAP_MIN_OFFSET;
130   p_data = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
131 
132   /* DISC frame, command, PF = 1, dlci */
133   *p_data++ = RFCOMM_EA | cr | (dlci << RFCOMM_SHIFT_DLCI);
134   *p_data++ = RFCOMM_DISC | RFCOMM_PF;
135   *p_data++ = RFCOMM_EA | 0;
136 
137   *p_data = RFCOMM_DISC_FCS((uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET, cr, dlci);
138 
139   p_buf->len = 4;
140 
141   rfc_check_send_cmd(p_mcb, p_buf);
142 }
143 
144 /*******************************************************************************
145  *
146  * Function         rfc_send_buf_uih
147  *
148  * Description      This function sends UIH frame.
149  *
150  ******************************************************************************/
rfc_send_buf_uih(tRFC_MCB * p_mcb,uint8_t dlci,BT_HDR * p_buf)151 void rfc_send_buf_uih(tRFC_MCB* p_mcb, uint8_t dlci, BT_HDR* p_buf) {
152   uint8_t* p_data;
153   uint8_t cr = RFCOMM_CR(p_mcb->is_initiator, true);
154   uint8_t credits;
155 
156   p_buf->offset -= RFCOMM_CTRL_FRAME_LEN;
157   if (p_buf->len > 127) {
158     p_buf->offset--;
159   }
160 
161   if (dlci) {
162     credits = (uint8_t)p_buf->layer_specific;
163   } else {
164     credits = 0;
165   }
166 
167   if (credits) {
168     p_buf->offset--;
169   }
170 
171   p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
172 
173   /* UIH frame, command, PF = 0, dlci */
174   *p_data++ = RFCOMM_EA | cr | (dlci << RFCOMM_SHIFT_DLCI);
175   *p_data++ = RFCOMM_UIH | ((credits) ? RFCOMM_PF : 0);
176   if (p_buf->len <= 127) {
177     *p_data++ = RFCOMM_EA | (p_buf->len << 1);
178     p_buf->len += 3;
179   } else {
180     *p_data++ = (p_buf->len & 0x7f) << 1;
181     *p_data++ = p_buf->len >> RFCOMM_SHIFT_LENGTH2;
182     p_buf->len += 4;
183   }
184 
185   if (credits) {
186     *p_data++ = credits;
187     p_buf->len++;
188   }
189 
190   p_data = (uint8_t*)(p_buf + 1) + p_buf->offset + p_buf->len++;
191 
192   *p_data = RFCOMM_UIH_FCS((uint8_t*)(p_buf + 1) + p_buf->offset, dlci);
193 
194   if (dlci == RFCOMM_MX_DLCI) {
195     rfc_check_send_cmd(p_mcb, p_buf);
196   } else {
197     L2CA_DataWrite(p_mcb->lcid, p_buf);
198   }
199 }
200 
201 /*******************************************************************************
202  *
203  * Function         rfc_send_pn
204  *
205  * Description      This function sends DLC Parameters Negotiation Frame.
206  *
207  ******************************************************************************/
rfc_send_pn(tRFC_MCB * p_mcb,uint8_t dlci,bool is_command,uint16_t mtu,uint8_t cl,uint8_t k)208 void rfc_send_pn(tRFC_MCB* p_mcb, uint8_t dlci, bool is_command, uint16_t mtu,
209                  uint8_t cl, uint8_t k) {
210   uint8_t* p_data;
211   BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
212 
213   p_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_CTRL_FRAME_LEN;
214   p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
215 
216   *p_data++ = RFCOMM_EA | RFCOMM_I_CR(is_command) | RFCOMM_MX_PN;
217   *p_data++ = RFCOMM_EA | (RFCOMM_MX_PN_LEN << 1);
218 
219   *p_data++ = dlci;
220   *p_data++ = RFCOMM_PN_FRAM_TYPE_UIH | cl;
221 
222   /* It appeared that we need to reply with the same priority bits as we
223   *received.
224   ** We will use the fact that we reply in the same context so rx_frame can
225   *still be used.
226   */
227   if (is_command) {
228     *p_data++ = RFCOMM_PN_PRIORITY_0;
229   } else {
230     *p_data++ = rfc_cb.rfc.rx_frame.u.pn.priority;
231   }
232   *p_data++ = RFCOMM_T1_DSEC;
233   *p_data++ = mtu & 0xFF;
234   *p_data++ = mtu >> 8;
235   *p_data++ = RFCOMM_N2;
236   *p_data = k;
237 
238   /* Total length is sizeof PN data + mx header 2 */
239   p_buf->len = RFCOMM_MX_PN_LEN + 2;
240 
241   rfc_send_buf_uih(p_mcb, RFCOMM_MX_DLCI, p_buf);
242 }
243 
244 /*******************************************************************************
245  *
246  * Function         rfc_send_fcon
247  *
248  * Description      This function sends Flow Control On Command.
249  *
250  ******************************************************************************/
rfc_send_fcon(tRFC_MCB * p_mcb,bool is_command)251 void rfc_send_fcon(tRFC_MCB* p_mcb, bool is_command) {
252   uint8_t* p_data;
253   BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
254 
255   p_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_CTRL_FRAME_LEN;
256   p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
257 
258   *p_data++ = RFCOMM_EA | RFCOMM_I_CR(is_command) | RFCOMM_MX_FCON;
259   *p_data++ = RFCOMM_EA | (RFCOMM_MX_FCON_LEN << 1);
260 
261   /* Total length is sizeof FCON data + mx header 2 */
262   p_buf->len = RFCOMM_MX_FCON_LEN + 2;
263 
264   rfc_send_buf_uih(p_mcb, RFCOMM_MX_DLCI, p_buf);
265 }
266 
267 /*******************************************************************************
268  *
269  * Function         rfc_send_fcoff
270  *
271  * Description      This function sends Flow Control Off Command.
272  *
273  ******************************************************************************/
rfc_send_fcoff(tRFC_MCB * p_mcb,bool is_command)274 void rfc_send_fcoff(tRFC_MCB* p_mcb, bool is_command) {
275   uint8_t* p_data;
276   BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
277 
278   p_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_CTRL_FRAME_LEN;
279   p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
280 
281   *p_data++ = RFCOMM_EA | RFCOMM_I_CR(is_command) | RFCOMM_MX_FCOFF;
282   *p_data++ = RFCOMM_EA | (RFCOMM_MX_FCOFF_LEN << 1);
283 
284   /* Total length is sizeof FCOFF data + mx header 2 */
285   p_buf->len = RFCOMM_MX_FCOFF_LEN + 2;
286 
287   rfc_send_buf_uih(p_mcb, RFCOMM_MX_DLCI, p_buf);
288 }
289 
290 /*******************************************************************************
291  *
292  * Function         rfc_send_msc
293  *
294  * Description      This function sends Modem Status Command Frame.
295  *
296  ******************************************************************************/
rfc_send_msc(tRFC_MCB * p_mcb,uint8_t dlci,bool is_command,tPORT_CTRL * p_pars)297 void rfc_send_msc(tRFC_MCB* p_mcb, uint8_t dlci, bool is_command,
298                   tPORT_CTRL* p_pars) {
299   uint8_t* p_data;
300   uint8_t signals;
301   uint8_t break_duration;
302   uint8_t len;
303   BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
304 
305   signals = p_pars->modem_signal;
306   break_duration = p_pars->break_signal;
307 
308   p_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_CTRL_FRAME_LEN;
309   p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
310 
311   if (break_duration)
312     len = RFCOMM_MX_MSC_LEN_WITH_BREAK;
313   else
314     len = RFCOMM_MX_MSC_LEN_NO_BREAK;
315 
316   *p_data++ = RFCOMM_EA | RFCOMM_I_CR(is_command) | RFCOMM_MX_MSC;
317   *p_data++ = RFCOMM_EA | (len << 1);
318 
319   *p_data++ = RFCOMM_EA | RFCOMM_CR_MASK | (dlci << RFCOMM_SHIFT_DLCI);
320   *p_data++ = RFCOMM_EA | ((p_pars->fc) ? RFCOMM_MSC_FC : 0) |
321               ((signals & MODEM_SIGNAL_DTRDSR) ? RFCOMM_MSC_RTC : 0) |
322               ((signals & MODEM_SIGNAL_RTSCTS) ? RFCOMM_MSC_RTR : 0) |
323               ((signals & MODEM_SIGNAL_RI) ? RFCOMM_MSC_IC : 0) |
324               ((signals & MODEM_SIGNAL_DCD) ? RFCOMM_MSC_DV : 0);
325 
326   if (break_duration) {
327     *p_data++ = RFCOMM_EA | RFCOMM_MSC_BREAK_PRESENT_MASK |
328                 (break_duration << RFCOMM_MSC_SHIFT_BREAK);
329   }
330 
331   /* Total length is sizeof MSC data + mx header 2 */
332   p_buf->len = len + 2;
333 
334   rfc_send_buf_uih(p_mcb, RFCOMM_MX_DLCI, p_buf);
335 }
336 
337 /*******************************************************************************
338  *
339  * Function         rfc_send_rls
340  *
341  * Description      This function sends Remote Line Status Command Frame.
342  *
343  ******************************************************************************/
rfc_send_rls(tRFC_MCB * p_mcb,uint8_t dlci,bool is_command,uint8_t status)344 void rfc_send_rls(tRFC_MCB* p_mcb, uint8_t dlci, bool is_command,
345                   uint8_t status) {
346   uint8_t* p_data;
347   BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
348 
349   p_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_CTRL_FRAME_LEN;
350   p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
351 
352   *p_data++ = RFCOMM_EA | RFCOMM_I_CR(is_command) | RFCOMM_MX_RLS;
353   *p_data++ = RFCOMM_EA | (RFCOMM_MX_RLS_LEN << 1);
354 
355   *p_data++ = RFCOMM_EA | RFCOMM_CR_MASK | (dlci << RFCOMM_SHIFT_DLCI);
356   *p_data++ = RFCOMM_RLS_ERROR | status;
357 
358   /* Total length is sizeof RLS data + mx header 2 */
359   p_buf->len = RFCOMM_MX_RLS_LEN + 2;
360 
361   rfc_send_buf_uih(p_mcb, RFCOMM_MX_DLCI, p_buf);
362 }
363 
364 /*******************************************************************************
365  *
366  * Function         rfc_send_nsc
367  *
368  * Description      This function sends Non Supported Command Response.
369  *
370  ******************************************************************************/
rfc_send_nsc(tRFC_MCB * p_mcb)371 void rfc_send_nsc(tRFC_MCB* p_mcb) {
372   uint8_t* p_data;
373   BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
374 
375   p_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_CTRL_FRAME_LEN;
376   p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
377 
378   *p_data++ = RFCOMM_EA | RFCOMM_I_CR(false) | RFCOMM_MX_NSC;
379   *p_data++ = RFCOMM_EA | (RFCOMM_MX_NSC_LEN << 1);
380 
381   *p_data++ = rfc_cb.rfc.rx_frame.ea |
382               (rfc_cb.rfc.rx_frame.cr << RFCOMM_SHIFT_CR) |
383               rfc_cb.rfc.rx_frame.type;
384 
385   /* Total length is sizeof NSC data + mx header 2 */
386   p_buf->len = RFCOMM_MX_NSC_LEN + 2;
387 
388   rfc_send_buf_uih(p_mcb, RFCOMM_MX_DLCI, p_buf);
389 }
390 
391 /*******************************************************************************
392  *
393  * Function         rfc_send_rpn
394  *
395  * Description      This function sends Remote Port Negotiation Command
396  *
397  ******************************************************************************/
rfc_send_rpn(tRFC_MCB * p_mcb,uint8_t dlci,bool is_command,tPORT_STATE * p_pars,uint16_t mask)398 void rfc_send_rpn(tRFC_MCB* p_mcb, uint8_t dlci, bool is_command,
399                   tPORT_STATE* p_pars, uint16_t mask) {
400   uint8_t* p_data;
401   BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
402 
403   p_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_CTRL_FRAME_LEN;
404   p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
405 
406   *p_data++ = RFCOMM_EA | RFCOMM_I_CR(is_command) | RFCOMM_MX_RPN;
407 
408   if (!p_pars) {
409     *p_data++ = RFCOMM_EA | (RFCOMM_MX_RPN_REQ_LEN << 1);
410 
411     *p_data++ = RFCOMM_EA | RFCOMM_CR_MASK | (dlci << RFCOMM_SHIFT_DLCI);
412 
413     p_buf->len = RFCOMM_MX_RPN_REQ_LEN + 2;
414   } else {
415     *p_data++ = RFCOMM_EA | (RFCOMM_MX_RPN_LEN << 1);
416 
417     *p_data++ = RFCOMM_EA | RFCOMM_CR_MASK | (dlci << RFCOMM_SHIFT_DLCI);
418     *p_data++ = p_pars->baud_rate;
419     *p_data++ = (p_pars->byte_size << RFCOMM_RPN_BITS_SHIFT) |
420                 (p_pars->stop_bits << RFCOMM_RPN_STOP_BITS_SHIFT) |
421                 (p_pars->parity << RFCOMM_RPN_PARITY_SHIFT) |
422                 (p_pars->parity_type << RFCOMM_RPN_PARITY_TYPE_SHIFT);
423     *p_data++ = p_pars->fc_type;
424     *p_data++ = p_pars->xon_char;
425     *p_data++ = p_pars->xoff_char;
426     *p_data++ = (mask & 0xFF);
427     *p_data++ = (mask >> 8);
428 
429     /* Total length is sizeof RPN data + mx header 2 */
430     p_buf->len = RFCOMM_MX_RPN_LEN + 2;
431   }
432 
433   rfc_send_buf_uih(p_mcb, RFCOMM_MX_DLCI, p_buf);
434 }
435 
436 /*******************************************************************************
437  *
438  * Function         rfc_send_test
439  *
440  * Description      This function sends Test frame.
441  *
442  ******************************************************************************/
rfc_send_test(tRFC_MCB * p_mcb,bool is_command,BT_HDR * p_buf)443 void rfc_send_test(tRFC_MCB* p_mcb, bool is_command, BT_HDR* p_buf) {
444   /* Shift buffer to give space for header */
445   if (p_buf->offset < (L2CAP_MIN_OFFSET + RFCOMM_MIN_OFFSET + 2)) {
446     uint8_t* p_src = (uint8_t*)(p_buf + 1) + p_buf->offset + p_buf->len - 1;
447     BT_HDR* p_new_buf =
448         (BT_HDR*)osi_malloc(p_buf->len + (L2CAP_MIN_OFFSET + RFCOMM_MIN_OFFSET +
449                                           2 + sizeof(BT_HDR) + 1));
450 
451     p_new_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_MIN_OFFSET + 2;
452     p_new_buf->len = p_buf->len;
453 
454     uint8_t* p_dest =
455         (uint8_t*)(p_new_buf + 1) + p_new_buf->offset + p_new_buf->len - 1;
456 
457     for (uint16_t xx = 0; xx < p_buf->len; xx++) *p_dest-- = *p_src--;
458 
459     osi_free(p_buf);
460     p_buf = p_new_buf;
461   }
462 
463   /* Adjust offset by number of bytes we are going to fill */
464   p_buf->offset -= 2;
465   uint8_t* p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
466 
467   *p_data++ = RFCOMM_EA | RFCOMM_I_CR(is_command) | RFCOMM_MX_TEST;
468   *p_data++ = RFCOMM_EA | (p_buf->len << 1);
469 
470   p_buf->len += 2;
471 
472   rfc_send_buf_uih(p_mcb, RFCOMM_MX_DLCI, p_buf);
473 }
474 
475 /*******************************************************************************
476  *
477  * Function         rfc_send_credit
478  *
479  * Description      This function sends a flow control credit in UIH frame.
480  *
481  ******************************************************************************/
rfc_send_credit(tRFC_MCB * p_mcb,uint8_t dlci,uint8_t credit)482 void rfc_send_credit(tRFC_MCB* p_mcb, uint8_t dlci, uint8_t credit) {
483   uint8_t* p_data;
484   uint8_t cr = RFCOMM_CR(p_mcb->is_initiator, true);
485   BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
486 
487   p_buf->offset = L2CAP_MIN_OFFSET;
488   p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
489 
490   *p_data++ = RFCOMM_EA | cr | (dlci << RFCOMM_SHIFT_DLCI);
491   *p_data++ = RFCOMM_UIH | RFCOMM_PF;
492   *p_data++ = RFCOMM_EA | 0;
493   *p_data++ = credit;
494   *p_data = RFCOMM_UIH_FCS((uint8_t*)(p_buf + 1) + p_buf->offset, dlci);
495 
496   p_buf->len = 5;
497 
498   rfc_check_send_cmd(p_mcb, p_buf);
499 }
500 
501 /*******************************************************************************
502  *
503  * Function         rfc_parse_data
504  *
505  * Description      This function processes data packet received from L2CAP
506  *
507  ******************************************************************************/
rfc_parse_data(tRFC_MCB * p_mcb,MX_FRAME * p_frame,BT_HDR * p_buf)508 uint8_t rfc_parse_data(tRFC_MCB* p_mcb, MX_FRAME* p_frame, BT_HDR* p_buf) {
509   uint8_t ead, eal, fcs;
510   uint8_t* p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
511   uint8_t* p_start = p_data;
512   uint16_t len;
513 
514   if (p_buf->len < RFCOMM_CTRL_FRAME_LEN) {
515     RFCOMM_TRACE_ERROR("Bad Length1: %d", p_buf->len);
516     return (RFC_EVENT_BAD_FRAME);
517   }
518 
519   RFCOMM_PARSE_CTRL_FIELD(ead, p_frame->cr, p_frame->dlci, p_data);
520   if (!ead) {
521     RFCOMM_TRACE_ERROR("Bad Address(EA must be 1)");
522     return (RFC_EVENT_BAD_FRAME);
523   }
524   RFCOMM_PARSE_TYPE_FIELD(p_frame->type, p_frame->pf, p_data);
525 
526   eal = *(p_data)&RFCOMM_EA;
527   len = *(p_data)++ >> RFCOMM_SHIFT_LENGTH1;
528   if (eal == 0 && p_buf->len > RFCOMM_CTRL_FRAME_LEN) {
529     len += (*(p_data)++ << RFCOMM_SHIFT_LENGTH2);
530   } else if (eal == 0) {
531     RFCOMM_TRACE_ERROR("Bad Length when EAL = 0: %d", p_buf->len);
532     android_errorWriteLog(0x534e4554, "78288018");
533     return RFC_EVENT_BAD_FRAME;
534   }
535 
536   if (p_buf->len < (3 + !ead + !eal + 1)) {
537     android_errorWriteLog(0x534e4554, "120255805");
538     RFCOMM_TRACE_ERROR("Bad Length: %d", p_buf->len);
539     return RFC_EVENT_BAD_FRAME;
540   }
541   p_buf->len -= (3 + !ead + !eal + 1); /* Additional 1 for FCS */
542   p_buf->offset += (3 + !ead + !eal);
543 
544   /* handle credit if credit based flow control */
545   if ((p_mcb->flow == PORT_FC_CREDIT) && (p_frame->type == RFCOMM_UIH) &&
546       (p_frame->dlci != RFCOMM_MX_DLCI) && (p_frame->pf == 1)) {
547     if (p_buf->len < sizeof(uint8_t)) {
548       RFCOMM_TRACE_ERROR("Bad Length in flow control: %d", p_buf->len);
549       return RFC_EVENT_BAD_FRAME;
550     }
551     p_frame->credit = *p_data++;
552     p_buf->len--;
553     p_buf->offset++;
554   } else {
555     p_frame->credit = 0;
556   }
557 
558   if (p_buf->len != len) {
559     RFCOMM_TRACE_ERROR("Bad Length2 %d %d", p_buf->len, len);
560     return (RFC_EVENT_BAD_FRAME);
561   }
562 
563   fcs = *(p_data + len);
564 
565   /* All control frames that we are sending are sent with P=1, expect */
566   /* reply with F=1 */
567   /* According to TS 07.10 spec ivalid frames are discarded without */
568   /* notification to the sender */
569   switch (p_frame->type) {
570     case RFCOMM_SABME:
571       if (RFCOMM_FRAME_IS_RSP(p_mcb->is_initiator, p_frame->cr) ||
572           !p_frame->pf || len || !RFCOMM_VALID_DLCI(p_frame->dlci) ||
573           !rfc_check_fcs(RFCOMM_CTRL_FRAME_LEN, p_start, fcs)) {
574         RFCOMM_TRACE_ERROR("Bad SABME");
575         return (RFC_EVENT_BAD_FRAME);
576       } else
577         return (RFC_EVENT_SABME);
578 
579     case RFCOMM_UA:
580       if (RFCOMM_FRAME_IS_CMD(p_mcb->is_initiator, p_frame->cr) ||
581           !p_frame->pf || len || !RFCOMM_VALID_DLCI(p_frame->dlci) ||
582           !rfc_check_fcs(RFCOMM_CTRL_FRAME_LEN, p_start, fcs)) {
583         RFCOMM_TRACE_ERROR("Bad UA");
584         return (RFC_EVENT_BAD_FRAME);
585       } else
586         return (RFC_EVENT_UA);
587 
588     case RFCOMM_DM:
589       if (RFCOMM_FRAME_IS_CMD(p_mcb->is_initiator, p_frame->cr) || len ||
590           !RFCOMM_VALID_DLCI(p_frame->dlci) ||
591           !rfc_check_fcs(RFCOMM_CTRL_FRAME_LEN, p_start, fcs)) {
592         RFCOMM_TRACE_ERROR("Bad DM");
593         return (RFC_EVENT_BAD_FRAME);
594       } else
595         return (RFC_EVENT_DM);
596 
597     case RFCOMM_DISC:
598       if (RFCOMM_FRAME_IS_RSP(p_mcb->is_initiator, p_frame->cr) ||
599           !p_frame->pf || len || !RFCOMM_VALID_DLCI(p_frame->dlci) ||
600           !rfc_check_fcs(RFCOMM_CTRL_FRAME_LEN, p_start, fcs)) {
601         RFCOMM_TRACE_ERROR("Bad DISC");
602         return (RFC_EVENT_BAD_FRAME);
603       } else
604         return (RFC_EVENT_DISC);
605 
606     case RFCOMM_UIH:
607       if (!RFCOMM_VALID_DLCI(p_frame->dlci)) {
608         RFCOMM_TRACE_ERROR("Bad UIH - invalid DLCI");
609         return (RFC_EVENT_BAD_FRAME);
610       } else if (!rfc_check_fcs(2, p_start, fcs)) {
611         RFCOMM_TRACE_ERROR("Bad UIH - FCS");
612         return (RFC_EVENT_BAD_FRAME);
613       } else if (RFCOMM_FRAME_IS_RSP(p_mcb->is_initiator, p_frame->cr)) {
614         /* we assume that this is ok to allow bad implementations to work */
615         RFCOMM_TRACE_ERROR("Bad UIH - response");
616         return (RFC_EVENT_UIH);
617       } else {
618         return (RFC_EVENT_UIH);
619       }
620   }
621 
622   return (RFC_EVENT_BAD_FRAME);
623 }
624 
625 /*******************************************************************************
626  *
627  * Function         rfc_process_mx_message
628  *
629  * Description      This function processes UIH frames received on the
630  *                  multiplexer control channel.
631  *
632  ******************************************************************************/
rfc_process_mx_message(tRFC_MCB * p_mcb,BT_HDR * p_buf)633 void rfc_process_mx_message(tRFC_MCB* p_mcb, BT_HDR* p_buf) {
634   uint8_t* p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
635   MX_FRAME* p_rx_frame = &rfc_cb.rfc.rx_frame;
636   uint16_t length = p_buf->len;
637   uint8_t ea, cr, mx_len;
638 
639   if (length < 2) {
640     RFCOMM_TRACE_ERROR(
641         "%s: Illegal MX Frame len when reading EA, C/R. len:%d < 2", __func__,
642         length);
643     android_errorWriteLog(0x534e4554, "111937065");
644     osi_free(p_buf);
645     return;
646   }
647   p_rx_frame->ea = *p_data & RFCOMM_EA;
648   p_rx_frame->cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
649   p_rx_frame->type = *p_data++ & ~(RFCOMM_CR_MASK | RFCOMM_EA_MASK);
650 
651   if (!p_rx_frame->ea || !length) {
652     LOG(ERROR) << __func__
653                << ": Invalid MX frame ea=" << std::to_string(p_rx_frame->ea)
654                << ", len=" << length << ", bd_addr=" << p_mcb->bd_addr;
655     osi_free(p_buf);
656     return;
657   }
658 
659   length--;
660 
661   bool is_command = p_rx_frame->cr;
662 
663   ea = *p_data & RFCOMM_EA;
664 
665   mx_len = *p_data++ >> RFCOMM_SHIFT_LENGTH1;
666   length--;
667 
668   if (!ea) {
669     if (length < 1) {
670       RFCOMM_TRACE_ERROR("%s: Illegal MX Frame when EA = 0. len:%d < 1",
671                          __func__, length);
672       android_errorWriteLog(0x534e4554, "111937065");
673       osi_free(p_buf);
674       return;
675     }
676     mx_len += *p_data++ << RFCOMM_SHIFT_LENGTH2;
677     length--;
678   }
679 
680   if (mx_len != length) {
681     LOG(ERROR) << __func__ << ": Bad MX frame, p_mcb=" << p_mcb
682                << ", bd_addr=" << p_mcb->bd_addr;
683     osi_free(p_buf);
684     return;
685   }
686 
687   RFCOMM_TRACE_DEBUG("%s: type=0x%02x, bd_addr=%s", __func__, p_rx_frame->type,
688                      p_mcb->bd_addr.ToString().c_str());
689   switch (p_rx_frame->type) {
690     case RFCOMM_MX_PN:
691       if (length != RFCOMM_MX_PN_LEN) {
692         LOG(ERROR) << __func__ << ": Invalid PN length, p_mcb=" << p_mcb
693                    << ", bd_addr=" << p_mcb->bd_addr;
694         break;
695       }
696 
697       p_rx_frame->dlci = *p_data++ & RFCOMM_PN_DLCI_MASK;
698       p_rx_frame->u.pn.frame_type = *p_data & RFCOMM_PN_FRAME_TYPE_MASK;
699       p_rx_frame->u.pn.conv_layer = *p_data++ & RFCOMM_PN_CONV_LAYER_MASK;
700       p_rx_frame->u.pn.priority = *p_data++ & RFCOMM_PN_PRIORITY_MASK;
701       p_rx_frame->u.pn.t1 = *p_data++;
702       p_rx_frame->u.pn.mtu = *p_data + (*(p_data + 1) << 8);
703       p_data += 2;
704       p_rx_frame->u.pn.n2 = *p_data++;
705       p_rx_frame->u.pn.k = *p_data++ & RFCOMM_PN_K_MASK;
706 
707       if (!p_rx_frame->dlci || !RFCOMM_VALID_DLCI(p_rx_frame->dlci) ||
708           (p_rx_frame->u.pn.mtu < RFCOMM_MIN_MTU) ||
709           (p_rx_frame->u.pn.mtu > RFCOMM_MAX_MTU)) {
710         LOG(ERROR) << __func__ << ": Bad PN frame, p_mcb=" << p_mcb
711                    << ", bd_addr=" << p_mcb->bd_addr;
712         break;
713       }
714 
715       osi_free(p_buf);
716 
717       rfc_process_pn(p_mcb, is_command, p_rx_frame);
718       return;
719 
720     case RFCOMM_MX_TEST:
721       if (!length) break;
722 
723       p_rx_frame->u.test.p_data = p_data;
724       p_rx_frame->u.test.data_len = length;
725 
726       p_buf->offset += 2;
727       p_buf->len -= 2;
728 
729       if (is_command)
730         rfc_send_test(p_mcb, false, p_buf);
731       else
732         rfc_process_test_rsp(p_mcb, p_buf);
733       return;
734 
735     case RFCOMM_MX_FCON:
736       if (length != RFCOMM_MX_FCON_LEN) break;
737 
738       osi_free(p_buf);
739 
740       rfc_process_fcon(p_mcb, is_command);
741       return;
742 
743     case RFCOMM_MX_FCOFF:
744       if (length != RFCOMM_MX_FCOFF_LEN) break;
745 
746       osi_free(p_buf);
747 
748       rfc_process_fcoff(p_mcb, is_command);
749       return;
750 
751     case RFCOMM_MX_MSC:
752       if (length != RFCOMM_MX_MSC_LEN_WITH_BREAK &&
753           length != RFCOMM_MX_MSC_LEN_NO_BREAK) {
754         RFCOMM_TRACE_ERROR("%s: Illegal MX MSC Frame len:%d", __func__, length);
755         android_errorWriteLog(0x534e4554, "111937065");
756         osi_free(p_buf);
757         return;
758       }
759       ea = *p_data & RFCOMM_EA;
760       cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
761       p_rx_frame->dlci = *p_data++ >> RFCOMM_SHIFT_DLCI;
762 
763       if (!ea || !cr || !p_rx_frame->dlci ||
764           !RFCOMM_VALID_DLCI(p_rx_frame->dlci)) {
765         RFCOMM_TRACE_ERROR("Bad MSC frame");
766         break;
767       }
768 
769       p_rx_frame->u.msc.signals = *p_data++;
770 
771       if (mx_len == RFCOMM_MX_MSC_LEN_WITH_BREAK) {
772         p_rx_frame->u.msc.break_present =
773             *p_data & RFCOMM_MSC_BREAK_PRESENT_MASK;
774         p_rx_frame->u.msc.break_duration =
775             (*p_data & RFCOMM_MSC_BREAK_MASK) >> RFCOMM_MSC_SHIFT_BREAK;
776       } else {
777         p_rx_frame->u.msc.break_present = false;
778         p_rx_frame->u.msc.break_duration = 0;
779       }
780       osi_free(p_buf);
781 
782       rfc_process_msc(p_mcb, is_command, p_rx_frame);
783       return;
784 
785     case RFCOMM_MX_NSC:
786       if ((length != RFCOMM_MX_NSC_LEN) || !is_command) break;
787 
788       p_rx_frame->u.nsc.ea = *p_data & RFCOMM_EA;
789       p_rx_frame->u.nsc.cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
790       p_rx_frame->u.nsc.type = *p_data++ >> RFCOMM_SHIFT_DLCI;
791 
792       osi_free(p_buf);
793 
794       rfc_process_nsc(p_mcb, p_rx_frame);
795       return;
796 
797     case RFCOMM_MX_RPN:
798       if ((length != RFCOMM_MX_RPN_REQ_LEN) && (length != RFCOMM_MX_RPN_LEN))
799         break;
800 
801       ea = *p_data & RFCOMM_EA;
802       cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
803       p_rx_frame->dlci = *p_data++ >> RFCOMM_SHIFT_DLCI;
804 
805       if (!ea || !cr || !p_rx_frame->dlci ||
806           !RFCOMM_VALID_DLCI(p_rx_frame->dlci)) {
807         RFCOMM_TRACE_ERROR("Bad RPN frame");
808         break;
809       }
810 
811       p_rx_frame->u.rpn.is_request = (length == RFCOMM_MX_RPN_REQ_LEN);
812 
813       if (!p_rx_frame->u.rpn.is_request) {
814         p_rx_frame->u.rpn.baud_rate = *p_data++;
815         p_rx_frame->u.rpn.byte_size =
816             (*p_data >> RFCOMM_RPN_BITS_SHIFT) & RFCOMM_RPN_BITS_MASK;
817         p_rx_frame->u.rpn.stop_bits =
818             (*p_data >> RFCOMM_RPN_STOP_BITS_SHIFT) & RFCOMM_RPN_STOP_BITS_MASK;
819         p_rx_frame->u.rpn.parity =
820             (*p_data >> RFCOMM_RPN_PARITY_SHIFT) & RFCOMM_RPN_PARITY_MASK;
821         p_rx_frame->u.rpn.parity_type =
822             (*p_data++ >> RFCOMM_RPN_PARITY_TYPE_SHIFT) &
823             RFCOMM_RPN_PARITY_TYPE_MASK;
824 
825         p_rx_frame->u.rpn.fc_type = *p_data++ & RFCOMM_FC_MASK;
826         p_rx_frame->u.rpn.xon_char = *p_data++;
827         p_rx_frame->u.rpn.xoff_char = *p_data++;
828         p_rx_frame->u.rpn.param_mask =
829             (*p_data + (*(p_data + 1) << 8)) & RFCOMM_RPN_PM_MASK;
830       }
831       osi_free(p_buf);
832 
833       rfc_process_rpn(p_mcb, is_command, p_rx_frame->u.rpn.is_request,
834                       p_rx_frame);
835       return;
836 
837     case RFCOMM_MX_RLS:
838       if (length != RFCOMM_MX_RLS_LEN) break;
839 
840       ea = *p_data & RFCOMM_EA;
841       cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
842 
843       p_rx_frame->dlci = *p_data++ >> RFCOMM_SHIFT_DLCI;
844       p_rx_frame->u.rls.line_status = (*p_data & ~0x01);
845 
846       if (!ea || !cr || !p_rx_frame->dlci ||
847           !RFCOMM_VALID_DLCI(p_rx_frame->dlci)) {
848         RFCOMM_TRACE_ERROR("Bad RPN frame");
849         break;
850       }
851 
852       osi_free(p_buf);
853 
854       rfc_process_rls(p_mcb, is_command, p_rx_frame);
855       return;
856   }
857 
858   osi_free(p_buf);
859 
860   if (is_command) rfc_send_nsc(p_mcb);
861 }
862