1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains the main L2CAP entry points
22 *
23 ******************************************************************************/
24
25 #define LOG_TAG "bt_l2c_main"
26
27 #include <stdio.h>
28 #include <stdlib.h>
29 #include <string.h>
30
31 #include "bt_common.h"
32 #include "bt_target.h"
33 #include "btu.h"
34 #include "device/include/controller.h"
35 #include "hci/include/btsnoop.h"
36 #include "hcimsgs.h"
37 #include "l2c_api.h"
38 #include "l2c_int.h"
39 #include "l2cdefs.h"
40 #include "osi/include/log.h"
41 #include "osi/include/osi.h"
42
43 /******************************************************************************/
44 /* L O C A L F U N C T I O N P R O T O T Y P E S */
45 /******************************************************************************/
46 static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len);
47
48 /******************************************************************************/
49 /* G L O B A L L 2 C A P D A T A */
50 /******************************************************************************/
51 tL2C_CB l2cb;
52
53 /*******************************************************************************
54 *
55 * Function l2c_rcv_acl_data
56 *
57 * Description This function is called from the HCI Interface when an ACL
58 * data packet is received.
59 *
60 * Returns void
61 *
62 ******************************************************************************/
l2c_rcv_acl_data(BT_HDR * p_msg)63 void l2c_rcv_acl_data(BT_HDR* p_msg) {
64 uint8_t* p = (uint8_t*)(p_msg + 1) + p_msg->offset;
65
66 /* Extract the handle */
67 uint16_t handle;
68 STREAM_TO_UINT16(handle, p);
69 uint8_t pkt_type = HCID_GET_EVENT(handle);
70 handle = HCID_GET_HANDLE(handle);
71
72 /* Since the HCI Transport is putting segmented packets back together, we */
73 /* should never get a valid packet with the type set to "continuation" */
74 if (pkt_type == L2CAP_PKT_CONTINUE) {
75 L2CAP_TRACE_WARNING("L2CAP - received packet continuation");
76 osi_free(p_msg);
77 return;
78 }
79
80 uint16_t hci_len;
81 STREAM_TO_UINT16(hci_len, p);
82 if (hci_len < L2CAP_PKT_OVERHEAD || hci_len != p_msg->len - 4) {
83 /* Remote-declared packet size must match HCI_ACL size - ACL header (4) */
84 L2CAP_TRACE_WARNING("L2CAP - got incorrect hci header");
85 osi_free(p_msg);
86 return;
87 }
88
89 uint16_t l2cap_len, rcv_cid;
90 STREAM_TO_UINT16(l2cap_len, p);
91 STREAM_TO_UINT16(rcv_cid, p);
92
93 /* Find the LCB based on the handle */
94 tL2C_LCB* p_lcb = l2cu_find_lcb_by_handle(handle);
95 if (!p_lcb) {
96 /* There is a slight possibility (specifically with USB) that we get an */
97 /* L2CAP connection request before we get the HCI connection complete. */
98 /* So for these types of messages, hold them for up to 2 seconds. */
99 if (l2cap_len == 0) {
100 L2CAP_TRACE_WARNING("received empty L2CAP packet");
101 osi_free(p_msg);
102 return;
103 }
104 uint8_t cmd_code;
105 STREAM_TO_UINT8(cmd_code, p);
106
107 if ((p_msg->layer_specific != 0) || (rcv_cid != L2CAP_SIGNALLING_CID) ||
108 (cmd_code != L2CAP_CMD_INFO_REQ && cmd_code != L2CAP_CMD_CONN_REQ)) {
109 bool qcom_debug_log =
110 (handle == 3804 && cmd_code == 10 && p_msg->layer_specific == 0);
111
112 if (!qcom_debug_log) {
113 L2CAP_TRACE_ERROR(
114 "L2CAP - rcvd ACL for unknown handle:%d ls:%d cid:%d opcode:%d cur "
115 "count:%d",
116 handle, p_msg->layer_specific, rcv_cid, cmd_code,
117 list_length(l2cb.rcv_pending_q));
118 }
119
120 osi_free(p_msg);
121 return;
122 }
123
124 L2CAP_TRACE_WARNING(
125 "L2CAP - holding ACL for unknown handle:%d ls:%d cid:%d opcode:%d cur "
126 "count:%d",
127 handle, p_msg->layer_specific, rcv_cid, cmd_code,
128 list_length(l2cb.rcv_pending_q));
129 p_msg->layer_specific = 2;
130 list_append(l2cb.rcv_pending_q, p_msg);
131
132 if (list_length(l2cb.rcv_pending_q) == 1) {
133 alarm_set_on_mloop(l2cb.receive_hold_timer, BT_1SEC_TIMEOUT_MS,
134 l2c_receive_hold_timer_timeout, NULL);
135 }
136 return;
137 }
138
139 /* Update the buffer header */
140 p_msg->offset += 4;
141
142 /* for BLE channel, always notify connection when ACL data received on the
143 * link */
144 if (p_lcb && p_lcb->transport == BT_TRANSPORT_LE &&
145 p_lcb->link_state != LST_DISCONNECTING) {
146 /* only process fixed channel data as channel open indication when link is
147 * not in disconnecting mode */
148 l2cble_notify_le_connection(p_lcb->remote_bd_addr);
149 }
150
151 /* Find the CCB for this CID */
152 tL2C_CCB* p_ccb = NULL;
153 if (rcv_cid >= L2CAP_BASE_APPL_CID) {
154 p_ccb = l2cu_find_ccb_by_cid(p_lcb, rcv_cid);
155 if (!p_ccb) {
156 L2CAP_TRACE_WARNING("L2CAP - unknown CID: 0x%04x", rcv_cid);
157 osi_free(p_msg);
158 return;
159 }
160 }
161
162 p_msg->len = hci_len - L2CAP_PKT_OVERHEAD;
163 p_msg->offset += L2CAP_PKT_OVERHEAD;
164
165 if (l2cap_len != p_msg->len) {
166 L2CAP_TRACE_WARNING("L2CAP - bad length in pkt. Exp: %d Act: %d",
167 l2cap_len, p_msg->len);
168 osi_free(p_msg);
169 return;
170 }
171
172 /* Send the data through the channel state machine */
173 if (rcv_cid == L2CAP_SIGNALLING_CID) {
174 process_l2cap_cmd(p_lcb, p, l2cap_len);
175 osi_free(p_msg);
176 return;
177 }
178
179 if (rcv_cid == L2CAP_CONNECTIONLESS_CID) {
180 /* process_connectionless_data (p_lcb); */
181 osi_free(p_msg);
182 return;
183 }
184
185 if (rcv_cid == L2CAP_BLE_SIGNALLING_CID) {
186 l2cble_process_sig_cmd(p_lcb, p, l2cap_len);
187 osi_free(p_msg);
188 return;
189 }
190
191 #if (L2CAP_NUM_FIXED_CHNLS > 0)
192 if ((rcv_cid >= L2CAP_FIRST_FIXED_CHNL) &&
193 (rcv_cid <= L2CAP_LAST_FIXED_CHNL) &&
194 (l2cb.fixed_reg[rcv_cid - L2CAP_FIRST_FIXED_CHNL].pL2CA_FixedData_Cb !=
195 NULL)) {
196 /* only process fixed channel data when link is open or wait for data
197 * indication */
198 if (!p_lcb || p_lcb->link_state == LST_DISCONNECTING ||
199 !l2cu_initialize_fixed_ccb(p_lcb, rcv_cid)) {
200 osi_free(p_msg);
201 return;
202 }
203
204 /* If no CCB for this channel, allocate one */
205 p_ccb = p_lcb->p_fixed_ccbs[rcv_cid - L2CAP_FIRST_FIXED_CHNL];
206
207 if (p_ccb->peer_cfg.fcr.mode != L2CAP_FCR_BASIC_MODE)
208 l2c_fcr_proc_pdu(p_ccb, p_msg);
209 else
210 (*l2cb.fixed_reg[rcv_cid - L2CAP_FIRST_FIXED_CHNL].pL2CA_FixedData_Cb)(
211 rcv_cid, p_lcb->remote_bd_addr, p_msg);
212 return;
213 }
214 #endif
215
216 if (!p_ccb) {
217 osi_free(p_msg);
218 return;
219 }
220
221 if (p_lcb->transport == BT_TRANSPORT_LE) {
222 l2c_lcc_proc_pdu(p_ccb, p_msg);
223
224 /* The remote device has one less credit left */
225 --p_ccb->remote_credit_count;
226
227 /* If the credits left on the remote device are getting low, send some */
228 if (p_ccb->remote_credit_count <= L2CAP_LE_CREDIT_THRESHOLD) {
229 uint16_t credits = L2CAP_LE_CREDIT_DEFAULT - p_ccb->remote_credit_count;
230 p_ccb->remote_credit_count = L2CAP_LE_CREDIT_DEFAULT;
231
232 /* Return back credits */
233 l2c_csm_execute(p_ccb, L2CEVT_L2CA_SEND_FLOW_CONTROL_CREDIT, &credits);
234 }
235 } else {
236 /* Basic mode packets go straight to the state machine */
237 if (p_ccb->peer_cfg.fcr.mode == L2CAP_FCR_BASIC_MODE)
238 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_DATA, p_msg);
239 else {
240 /* eRTM or streaming mode, so we need to validate states first */
241 if ((p_ccb->chnl_state == CST_OPEN) || (p_ccb->chnl_state == CST_CONFIG))
242 l2c_fcr_proc_pdu(p_ccb, p_msg);
243 else
244 osi_free(p_msg);
245 }
246 }
247 }
248
249 /*******************************************************************************
250 *
251 * Function process_l2cap_cmd
252 *
253 * Description This function is called when a packet is received on the
254 * L2CAP signalling CID
255 *
256 * Returns void
257 *
258 ******************************************************************************/
process_l2cap_cmd(tL2C_LCB * p_lcb,uint8_t * p,uint16_t pkt_len)259 static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
260 tL2C_CONN_INFO con_info;
261
262 /* if l2cap command received in CID 1 on top of an LE link, ignore this
263 * command */
264 if (p_lcb->transport == BT_TRANSPORT_LE) return;
265
266 /* Reject the packet if it exceeds the default Signalling Channel MTU */
267 bool pkt_size_rej = false;
268 if (pkt_len > L2CAP_DEFAULT_MTU) {
269 /* Core Spec requires a single response to the first command found in a
270 * multi-command L2cap packet. If only responses in the packet, then it
271 * will be ignored. Here we simply mark the bad packet and decide which cmd
272 * ID to reject later */
273 pkt_size_rej = true;
274 L2CAP_TRACE_ERROR("L2CAP SIG MTU pkt_len=%d Exceeded 672", pkt_len);
275 }
276
277 uint8_t* p_next_cmd = p;
278 uint8_t* p_pkt_end = p + pkt_len;
279
280 tL2CAP_CFG_INFO cfg_info;
281 memset(&cfg_info, 0, sizeof(cfg_info));
282
283 /* An L2CAP packet may contain multiple commands */
284 while (true) {
285 /* Smallest command is 4 bytes */
286 p = p_next_cmd;
287 if (p > (p_pkt_end - 4)) break;
288
289 uint8_t cmd_code, id;
290 uint16_t cmd_len;
291 STREAM_TO_UINT8(cmd_code, p);
292 STREAM_TO_UINT8(id, p);
293 STREAM_TO_UINT16(cmd_len, p);
294
295 if (cmd_len > BT_SMALL_BUFFER_SIZE) {
296 L2CAP_TRACE_WARNING("L2CAP - Invalid MTU Size");
297 l2cu_send_peer_cmd_reject(p_lcb, L2CAP_CMD_REJ_MTU_EXCEEDED, id, 0, 0);
298 return;
299 }
300
301 /* Check command length does not exceed packet length */
302 p_next_cmd = p + cmd_len;
303 if (p_next_cmd > p_pkt_end) {
304 L2CAP_TRACE_WARNING("Command len bad pkt_len: %d cmd_len: %d code: %d",
305 pkt_len, cmd_len, cmd_code);
306 break;
307 }
308
309 L2CAP_TRACE_DEBUG("cmd_code: %d, id:%d, cmd_len:%d", cmd_code, id, cmd_len);
310
311 /* Bad L2CAP packet length, look for cmd to reject */
312 if (pkt_size_rej) {
313 /* If command found rejected it and we're done, otherwise keep looking */
314 if (l2c_is_cmd_rejected(cmd_code, id, p_lcb))
315 return;
316 else
317 continue; /* Look for next cmd/response in current packet */
318 }
319
320 switch (cmd_code) {
321 case L2CAP_CMD_REJECT:
322 uint16_t rej_reason;
323 if (p + 2 > p_next_cmd) return;
324 STREAM_TO_UINT16(rej_reason, p);
325 if (rej_reason == L2CAP_CMD_REJ_MTU_EXCEEDED) {
326 uint16_t rej_mtu;
327 if (p + 2 > p_next_cmd) return;
328 STREAM_TO_UINT16(rej_mtu, p);
329 /* What to do with the MTU reject ? We have negotiated an MTU. For now
330 * we will ignore it and let a higher protocol timeout take care of it
331 */
332 L2CAP_TRACE_WARNING("L2CAP - MTU rej Handle: %d MTU: %d",
333 p_lcb->handle, rej_mtu);
334 }
335 if (rej_reason == L2CAP_CMD_REJ_INVALID_CID) {
336 uint16_t lcid, rcid;
337 if (p + 4 > p_next_cmd) return;
338 STREAM_TO_UINT16(rcid, p);
339 STREAM_TO_UINT16(lcid, p);
340
341 L2CAP_TRACE_WARNING(
342 "L2CAP - rej with CID invalid, LCID: 0x%04x RCID: 0x%04x", lcid,
343 rcid);
344
345 /* Remote CID invalid. Treat as a disconnect */
346 tL2C_CCB* p_ccb = l2cu_find_ccb_by_cid(p_lcb, lcid);
347 if ((p_ccb != NULL) && (p_ccb->remote_cid == rcid)) {
348 /* Fake link disconnect - no reply is generated */
349 l2c_csm_execute(p_ccb, L2CEVT_LP_DISCONNECT_IND, NULL);
350 }
351 }
352
353 /* SonyEricsson Info request Bug workaround (Continue connection) */
354 else if (rej_reason == L2CAP_CMD_REJ_NOT_UNDERSTOOD &&
355 p_lcb->w4_info_rsp) {
356 alarm_cancel(p_lcb->info_resp_timer);
357
358 p_lcb->w4_info_rsp = false;
359 tL2C_CONN_INFO ci;
360 ci.status = HCI_SUCCESS;
361 ci.bd_addr = p_lcb->remote_bd_addr;
362
363 /* For all channels, send the event through their FSMs */
364 for (tL2C_CCB* p_ccb = p_lcb->ccb_queue.p_first_ccb; p_ccb;
365 p_ccb = p_ccb->p_next_ccb) {
366 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_INFO_RSP, &ci);
367 }
368 }
369 break;
370
371 case L2CAP_CMD_CONN_REQ: {
372 uint16_t rcid;
373 if (p + 4 > p_next_cmd) return;
374 STREAM_TO_UINT16(con_info.psm, p);
375 STREAM_TO_UINT16(rcid, p);
376 tL2C_RCB* p_rcb = l2cu_find_rcb_by_psm(con_info.psm);
377 if (!p_rcb) {
378 L2CAP_TRACE_WARNING("L2CAP - rcvd conn req for unknown PSM: %d",
379 con_info.psm);
380 l2cu_reject_connection(p_lcb, rcid, id, L2CAP_CONN_NO_PSM);
381 break;
382 } else {
383 if (!p_rcb->api.pL2CA_ConnectInd_Cb) {
384 L2CAP_TRACE_WARNING(
385 "L2CAP - rcvd conn req for outgoing-only connection PSM: %d",
386 con_info.psm);
387 l2cu_reject_connection(p_lcb, rcid, id, L2CAP_CONN_NO_PSM);
388 break;
389 }
390 }
391 tL2C_CCB* p_ccb = l2cu_allocate_ccb(p_lcb, 0);
392 if (!p_ccb) {
393 L2CAP_TRACE_ERROR("L2CAP - unable to allocate CCB");
394 l2cu_reject_connection(p_lcb, rcid, id, L2CAP_CONN_NO_RESOURCES);
395 break;
396 }
397 p_ccb->remote_id = id;
398 p_ccb->p_rcb = p_rcb;
399 p_ccb->remote_cid = rcid;
400
401 if (p_rcb->psm == BT_PSM_RFCOMM) {
402 btsnoop_get_interface()->add_rfc_l2c_channel(
403 p_lcb->handle, p_ccb->local_cid, p_ccb->remote_cid);
404 } else if (p_rcb->log_packets) {
405 btsnoop_get_interface()->whitelist_l2c_channel(
406 p_lcb->handle, p_ccb->local_cid, p_ccb->remote_cid);
407 }
408
409 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_CONNECT_REQ, &con_info);
410 break;
411 }
412
413 case L2CAP_CMD_CONN_RSP: {
414 uint16_t lcid;
415 if (p + 8 > p_next_cmd) return;
416 STREAM_TO_UINT16(con_info.remote_cid, p);
417 STREAM_TO_UINT16(lcid, p);
418 STREAM_TO_UINT16(con_info.l2cap_result, p);
419 STREAM_TO_UINT16(con_info.l2cap_status, p);
420
421 tL2C_CCB* p_ccb = l2cu_find_ccb_by_cid(p_lcb, lcid);
422 if (!p_ccb) {
423 L2CAP_TRACE_WARNING("L2CAP - no CCB for conn rsp, LCID: %d RCID: %d",
424 lcid, con_info.remote_cid);
425 break;
426 }
427 if (p_ccb->local_id != id) {
428 L2CAP_TRACE_WARNING("L2CAP - con rsp - bad ID. Exp: %d Got: %d",
429 p_ccb->local_id, id);
430 break;
431 }
432
433 if (con_info.l2cap_result == L2CAP_CONN_OK)
434 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_CONNECT_RSP, &con_info);
435 else if (con_info.l2cap_result == L2CAP_CONN_PENDING)
436 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_CONNECT_RSP_PND, &con_info);
437 else
438 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_CONNECT_RSP_NEG, &con_info);
439
440 tL2C_RCB* p_rcb = p_ccb->p_rcb;
441 if (p_rcb->psm == BT_PSM_RFCOMM) {
442 btsnoop_get_interface()->add_rfc_l2c_channel(
443 p_lcb->handle, p_ccb->local_cid, p_ccb->remote_cid);
444 } else if (p_rcb->log_packets) {
445 btsnoop_get_interface()->whitelist_l2c_channel(
446 p_lcb->handle, p_ccb->local_cid, p_ccb->remote_cid);
447 }
448
449 break;
450 }
451
452 case L2CAP_CMD_CONFIG_REQ: {
453 uint8_t* p_cfg_end = p + cmd_len;
454 bool cfg_rej = false;
455 uint16_t cfg_rej_len = 0;
456
457 uint16_t lcid;
458 if (p + 4 > p_next_cmd) return;
459 STREAM_TO_UINT16(lcid, p);
460 STREAM_TO_UINT16(cfg_info.flags, p);
461
462 uint8_t* p_cfg_start = p;
463
464 cfg_info.flush_to_present = cfg_info.mtu_present =
465 cfg_info.qos_present = cfg_info.fcr_present = cfg_info.fcs_present =
466 false;
467
468 while (p < p_cfg_end) {
469 uint8_t cfg_code, cfg_len;
470 if (p + 2 > p_next_cmd) return;
471 STREAM_TO_UINT8(cfg_code, p);
472 STREAM_TO_UINT8(cfg_len, p);
473
474 switch (cfg_code & 0x7F) {
475 case L2CAP_CFG_TYPE_MTU:
476 cfg_info.mtu_present = true;
477 if (cfg_len != 2) {
478 android_errorWriteLog(0x534e4554, "119870451");
479 return;
480 }
481 if (p + cfg_len > p_next_cmd) {
482 android_errorWriteLog(0x534e4554, "74202041");
483 return;
484 }
485 STREAM_TO_UINT16(cfg_info.mtu, p);
486 break;
487
488 case L2CAP_CFG_TYPE_FLUSH_TOUT:
489 cfg_info.flush_to_present = true;
490 if (cfg_len != 2) {
491 android_errorWriteLog(0x534e4554, "119870451");
492 return;
493 }
494 if (p + cfg_len > p_next_cmd) {
495 android_errorWriteLog(0x534e4554, "74202041");
496 return;
497 }
498 STREAM_TO_UINT16(cfg_info.flush_to, p);
499 break;
500
501 case L2CAP_CFG_TYPE_QOS:
502 cfg_info.qos_present = true;
503 if (cfg_len != 2 + 5 * 4) {
504 android_errorWriteLog(0x534e4554, "119870451");
505 return;
506 }
507 if (p + cfg_len > p_next_cmd) {
508 android_errorWriteLog(0x534e4554, "74202041");
509 return;
510 }
511 STREAM_TO_UINT8(cfg_info.qos.qos_flags, p);
512 STREAM_TO_UINT8(cfg_info.qos.service_type, p);
513 STREAM_TO_UINT32(cfg_info.qos.token_rate, p);
514 STREAM_TO_UINT32(cfg_info.qos.token_bucket_size, p);
515 STREAM_TO_UINT32(cfg_info.qos.peak_bandwidth, p);
516 STREAM_TO_UINT32(cfg_info.qos.latency, p);
517 STREAM_TO_UINT32(cfg_info.qos.delay_variation, p);
518 break;
519
520 case L2CAP_CFG_TYPE_FCR:
521 cfg_info.fcr_present = true;
522 if (cfg_len != 3 + 3 * 2) {
523 android_errorWriteLog(0x534e4554, "119870451");
524 return;
525 }
526 if (p + cfg_len > p_next_cmd) {
527 android_errorWriteLog(0x534e4554, "74202041");
528 return;
529 }
530 STREAM_TO_UINT8(cfg_info.fcr.mode, p);
531 STREAM_TO_UINT8(cfg_info.fcr.tx_win_sz, p);
532 STREAM_TO_UINT8(cfg_info.fcr.max_transmit, p);
533 STREAM_TO_UINT16(cfg_info.fcr.rtrans_tout, p);
534 STREAM_TO_UINT16(cfg_info.fcr.mon_tout, p);
535 STREAM_TO_UINT16(cfg_info.fcr.mps, p);
536 break;
537
538 case L2CAP_CFG_TYPE_FCS:
539 cfg_info.fcs_present = true;
540 if (cfg_len != 1) {
541 android_errorWriteLog(0x534e4554, "119870451");
542 return;
543 }
544 if (p + cfg_len > p_next_cmd) {
545 android_errorWriteLog(0x534e4554, "74202041");
546 return;
547 }
548 STREAM_TO_UINT8(cfg_info.fcs, p);
549 break;
550
551 case L2CAP_CFG_TYPE_EXT_FLOW:
552 cfg_info.ext_flow_spec_present = true;
553 if (cfg_len != 2 + 2 + 3 * 4) {
554 android_errorWriteLog(0x534e4554, "119870451");
555 return;
556 }
557 if (p + cfg_len > p_next_cmd) {
558 android_errorWriteLog(0x534e4554, "74202041");
559 return;
560 }
561 STREAM_TO_UINT8(cfg_info.ext_flow_spec.id, p);
562 STREAM_TO_UINT8(cfg_info.ext_flow_spec.stype, p);
563 STREAM_TO_UINT16(cfg_info.ext_flow_spec.max_sdu_size, p);
564 STREAM_TO_UINT32(cfg_info.ext_flow_spec.sdu_inter_time, p);
565 STREAM_TO_UINT32(cfg_info.ext_flow_spec.access_latency, p);
566 STREAM_TO_UINT32(cfg_info.ext_flow_spec.flush_timeout, p);
567 break;
568
569 default:
570 /* sanity check option length */
571 if ((cfg_len + L2CAP_CFG_OPTION_OVERHEAD) <= cmd_len) {
572 if (p + cfg_len > p_next_cmd) return;
573 p += cfg_len;
574 if ((cfg_code & 0x80) == 0) {
575 cfg_rej_len += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;
576 cfg_rej = true;
577 }
578 }
579 /* bad length; force loop exit */
580 else {
581 p = p_cfg_end;
582 cfg_rej = true;
583 }
584 break;
585 }
586 }
587
588 tL2C_CCB* p_ccb = l2cu_find_ccb_by_cid(p_lcb, lcid);
589 if (p_ccb) {
590 p_ccb->remote_id = id;
591 if (cfg_rej) {
592 l2cu_send_peer_config_rej(
593 p_ccb, p_cfg_start, (uint16_t)(cmd_len - L2CAP_CONFIG_REQ_LEN),
594 cfg_rej_len);
595 } else {
596 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_CONFIG_REQ, &cfg_info);
597 }
598 } else {
599 /* updated spec says send command reject on invalid cid */
600 l2cu_send_peer_cmd_reject(p_lcb, L2CAP_CMD_REJ_INVALID_CID, id, 0, 0);
601 }
602 break;
603 }
604
605 case L2CAP_CMD_CONFIG_RSP: {
606 uint8_t* p_cfg_end = p + cmd_len;
607 uint16_t lcid;
608 if (p + 6 > p_next_cmd) return;
609 STREAM_TO_UINT16(lcid, p);
610 STREAM_TO_UINT16(cfg_info.flags, p);
611 STREAM_TO_UINT16(cfg_info.result, p);
612
613 cfg_info.flush_to_present = cfg_info.mtu_present =
614 cfg_info.qos_present = cfg_info.fcr_present = cfg_info.fcs_present =
615 false;
616
617 while (p < p_cfg_end) {
618 uint8_t cfg_code, cfg_len;
619 if (p + 2 > p_next_cmd) return;
620 STREAM_TO_UINT8(cfg_code, p);
621 STREAM_TO_UINT8(cfg_len, p);
622
623 switch (cfg_code & 0x7F) {
624 case L2CAP_CFG_TYPE_MTU:
625 cfg_info.mtu_present = true;
626 if (p + 2 > p_next_cmd) return;
627 STREAM_TO_UINT16(cfg_info.mtu, p);
628 break;
629
630 case L2CAP_CFG_TYPE_FLUSH_TOUT:
631 cfg_info.flush_to_present = true;
632 if (p + 2 > p_next_cmd) return;
633 STREAM_TO_UINT16(cfg_info.flush_to, p);
634 break;
635
636 case L2CAP_CFG_TYPE_QOS:
637 cfg_info.qos_present = true;
638 if (p + 2 + 5 * 4 > p_next_cmd) return;
639 STREAM_TO_UINT8(cfg_info.qos.qos_flags, p);
640 STREAM_TO_UINT8(cfg_info.qos.service_type, p);
641 STREAM_TO_UINT32(cfg_info.qos.token_rate, p);
642 STREAM_TO_UINT32(cfg_info.qos.token_bucket_size, p);
643 STREAM_TO_UINT32(cfg_info.qos.peak_bandwidth, p);
644 STREAM_TO_UINT32(cfg_info.qos.latency, p);
645 STREAM_TO_UINT32(cfg_info.qos.delay_variation, p);
646 break;
647
648 case L2CAP_CFG_TYPE_FCR:
649 cfg_info.fcr_present = true;
650 if (p + 3 + 3 * 2 > p_next_cmd) return;
651 STREAM_TO_UINT8(cfg_info.fcr.mode, p);
652 STREAM_TO_UINT8(cfg_info.fcr.tx_win_sz, p);
653 STREAM_TO_UINT8(cfg_info.fcr.max_transmit, p);
654 STREAM_TO_UINT16(cfg_info.fcr.rtrans_tout, p);
655 STREAM_TO_UINT16(cfg_info.fcr.mon_tout, p);
656 STREAM_TO_UINT16(cfg_info.fcr.mps, p);
657 break;
658
659 case L2CAP_CFG_TYPE_FCS:
660 cfg_info.fcs_present = true;
661 if (p + 1 > p_next_cmd) return;
662 STREAM_TO_UINT8(cfg_info.fcs, p);
663 break;
664
665 case L2CAP_CFG_TYPE_EXT_FLOW:
666 cfg_info.ext_flow_spec_present = true;
667 if (p + 2 + 2 + 3 * 4 > p_next_cmd) return;
668 STREAM_TO_UINT8(cfg_info.ext_flow_spec.id, p);
669 STREAM_TO_UINT8(cfg_info.ext_flow_spec.stype, p);
670 STREAM_TO_UINT16(cfg_info.ext_flow_spec.max_sdu_size, p);
671 STREAM_TO_UINT32(cfg_info.ext_flow_spec.sdu_inter_time, p);
672 STREAM_TO_UINT32(cfg_info.ext_flow_spec.access_latency, p);
673 STREAM_TO_UINT32(cfg_info.ext_flow_spec.flush_timeout, p);
674 break;
675 }
676 }
677
678 tL2C_CCB* p_ccb = l2cu_find_ccb_by_cid(p_lcb, lcid);
679 if (p_ccb) {
680 if (p_ccb->local_id != id) {
681 L2CAP_TRACE_WARNING("L2CAP - cfg rsp - bad ID. Exp: %d Got: %d",
682 p_ccb->local_id, id);
683 break;
684 }
685 if ((cfg_info.result == L2CAP_CFG_OK) ||
686 (cfg_info.result == L2CAP_CFG_PENDING))
687 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_CONFIG_RSP, &cfg_info);
688 else
689 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_CONFIG_RSP_NEG, &cfg_info);
690 } else {
691 L2CAP_TRACE_WARNING("L2CAP - rcvd cfg rsp for unknown CID: 0x%04x",
692 lcid);
693 }
694 break;
695 }
696
697 case L2CAP_CMD_DISC_REQ: {
698 uint16_t lcid, rcid;
699 if (p + 4 > p_next_cmd) return;
700 STREAM_TO_UINT16(lcid, p);
701 STREAM_TO_UINT16(rcid, p);
702
703 tL2C_CCB* p_ccb = l2cu_find_ccb_by_cid(p_lcb, lcid);
704 if (p_ccb) {
705 if (p_ccb->remote_cid == rcid) {
706 p_ccb->remote_id = id;
707 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_DISCONNECT_REQ, &con_info);
708 }
709 } else
710 l2cu_send_peer_disc_rsp(p_lcb, id, lcid, rcid);
711
712 break;
713 }
714
715 case L2CAP_CMD_DISC_RSP: {
716 uint16_t lcid, rcid;
717 if (p + 4 > p_next_cmd) return;
718 STREAM_TO_UINT16(rcid, p);
719 STREAM_TO_UINT16(lcid, p);
720
721 tL2C_CCB* p_ccb = l2cu_find_ccb_by_cid(p_lcb, lcid);
722 if (p_ccb) {
723 if ((p_ccb->remote_cid == rcid) && (p_ccb->local_id == id)) {
724 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_DISCONNECT_RSP, &con_info);
725 }
726 }
727 break;
728 }
729
730 case L2CAP_CMD_ECHO_REQ:
731 l2cu_send_peer_echo_rsp(p_lcb, id, p, cmd_len);
732 break;
733
734 case L2CAP_CMD_ECHO_RSP:
735 if (p_lcb->p_echo_rsp_cb) {
736 tL2CA_ECHO_RSP_CB* p_cb = p_lcb->p_echo_rsp_cb;
737
738 /* Zero out the callback in case app immediately calls us again */
739 p_lcb->p_echo_rsp_cb = NULL;
740
741 (*p_cb)(L2CAP_PING_RESULT_OK);
742 }
743 break;
744
745 case L2CAP_CMD_INFO_REQ: {
746 uint16_t info_type;
747 if (p + 2 > p_next_cmd) return;
748 STREAM_TO_UINT16(info_type, p);
749 l2cu_send_peer_info_rsp(p_lcb, id, info_type);
750 break;
751 }
752
753 case L2CAP_CMD_INFO_RSP:
754 /* Stop the link connect timer if sent before L2CAP connection is up */
755 if (p_lcb->w4_info_rsp) {
756 alarm_cancel(p_lcb->info_resp_timer);
757 p_lcb->w4_info_rsp = false;
758 }
759
760 uint16_t info_type, result;
761 if (p + 4 > p_next_cmd) return;
762 STREAM_TO_UINT16(info_type, p);
763 STREAM_TO_UINT16(result, p);
764
765 p_lcb->info_rx_bits |= (1 << info_type);
766
767 if ((info_type == L2CAP_EXTENDED_FEATURES_INFO_TYPE) &&
768 (result == L2CAP_INFO_RESP_RESULT_SUCCESS)) {
769 if (p + 4 > p_next_cmd) return;
770 STREAM_TO_UINT32(p_lcb->peer_ext_fea, p);
771
772 #if (L2CAP_NUM_FIXED_CHNLS > 0)
773 if (p_lcb->peer_ext_fea & L2CAP_EXTFEA_FIXED_CHNLS) {
774 l2cu_send_peer_info_req(p_lcb, L2CAP_FIXED_CHANNELS_INFO_TYPE);
775 break;
776 } else {
777 l2cu_process_fixed_chnl_resp(p_lcb);
778 }
779 #endif
780 }
781
782 #if (L2CAP_NUM_FIXED_CHNLS > 0)
783 if (info_type == L2CAP_FIXED_CHANNELS_INFO_TYPE) {
784 if (result == L2CAP_INFO_RESP_RESULT_SUCCESS) {
785 if (p + L2CAP_FIXED_CHNL_ARRAY_SIZE > p_next_cmd) {
786 android_errorWriteLog(0x534e4554, "111215173");
787 return;
788 }
789 memcpy(p_lcb->peer_chnl_mask, p, L2CAP_FIXED_CHNL_ARRAY_SIZE);
790 }
791
792 l2cu_process_fixed_chnl_resp(p_lcb);
793 }
794 #endif
795 tL2C_CONN_INFO ci;
796 ci.status = HCI_SUCCESS;
797 ci.bd_addr = p_lcb->remote_bd_addr;
798 for (tL2C_CCB* p_ccb = p_lcb->ccb_queue.p_first_ccb; p_ccb;
799 p_ccb = p_ccb->p_next_ccb) {
800 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_INFO_RSP, &ci);
801 }
802 break;
803
804 default:
805 L2CAP_TRACE_WARNING("L2CAP - bad cmd code: %d", cmd_code);
806 l2cu_send_peer_cmd_reject(p_lcb, L2CAP_CMD_REJ_NOT_UNDERSTOOD, id, 0,
807 0);
808 return;
809 }
810 }
811 }
812
813 /*******************************************************************************
814 *
815 * Function l2c_process_held_packets
816 *
817 * Description This function processes any L2CAP packets that arrived
818 * before the HCI connection complete arrived. It is a work
819 * around for badly behaved controllers.
820 *
821 * Returns void
822 *
823 ******************************************************************************/
l2c_process_held_packets(bool timed_out)824 void l2c_process_held_packets(bool timed_out) {
825 if (list_is_empty(l2cb.rcv_pending_q)) return;
826
827 if (!timed_out) {
828 alarm_cancel(l2cb.receive_hold_timer);
829 L2CAP_TRACE_WARNING("L2CAP HOLD CONTINUE");
830 } else {
831 L2CAP_TRACE_WARNING("L2CAP HOLD TIMEOUT");
832 }
833
834 for (const list_node_t* node = list_begin(l2cb.rcv_pending_q);
835 node != list_end(l2cb.rcv_pending_q);) {
836 BT_HDR* p_buf = static_cast<BT_HDR*>(list_node(node));
837 node = list_next(node);
838 if (!timed_out || (!p_buf->layer_specific) ||
839 (--p_buf->layer_specific == 0)) {
840 list_remove(l2cb.rcv_pending_q, p_buf);
841 p_buf->layer_specific = 0xFFFF;
842 l2c_rcv_acl_data(p_buf);
843 }
844 }
845
846 /* If anyone still in the queue, restart the timeout */
847 if (!list_is_empty(l2cb.rcv_pending_q)) {
848 alarm_set_on_mloop(l2cb.receive_hold_timer, BT_1SEC_TIMEOUT_MS,
849 l2c_receive_hold_timer_timeout, NULL);
850 }
851 }
852
853 /*******************************************************************************
854 *
855 * Function l2c_init
856 *
857 * Description This function is called once at startup to initialize
858 * all the L2CAP structures
859 *
860 * Returns void
861 *
862 ******************************************************************************/
l2c_init(void)863 void l2c_init(void) {
864 int16_t xx;
865
866 memset(&l2cb, 0, sizeof(tL2C_CB));
867 /* the psm is increased by 2 before being used */
868 l2cb.dyn_psm = 0xFFF;
869
870 /* the LE PSM is increased by 1 before being used */
871 l2cb.le_dyn_psm = LE_DYNAMIC_PSM_START - 1;
872
873 /* Put all the channel control blocks on the free queue */
874 for (xx = 0; xx < MAX_L2CAP_CHANNELS - 1; xx++) {
875 l2cb.ccb_pool[xx].p_next_ccb = &l2cb.ccb_pool[xx + 1];
876 }
877
878 #if (L2CAP_NON_FLUSHABLE_PB_INCLUDED == TRUE)
879 /* it will be set to L2CAP_PKT_START_NON_FLUSHABLE if controller supports */
880 l2cb.non_flushable_pbf = L2CAP_PKT_START << L2CAP_PKT_TYPE_SHIFT;
881 #endif
882
883 l2cb.p_free_ccb_first = &l2cb.ccb_pool[0];
884 l2cb.p_free_ccb_last = &l2cb.ccb_pool[MAX_L2CAP_CHANNELS - 1];
885
886 #ifdef L2CAP_DESIRED_LINK_ROLE
887 l2cb.desire_role = L2CAP_DESIRED_LINK_ROLE;
888 #else
889 l2cb.desire_role = HCI_ROLE_SLAVE;
890 #endif
891
892 /* Set the default idle timeout */
893 l2cb.idle_timeout = L2CAP_LINK_INACTIVITY_TOUT;
894
895 #if defined(L2CAP_INITIAL_TRACE_LEVEL)
896 l2cb.l2cap_trace_level = L2CAP_INITIAL_TRACE_LEVEL;
897 #else
898 l2cb.l2cap_trace_level = BT_TRACE_LEVEL_NONE; /* No traces */
899 #endif
900
901 #if (L2CAP_CONFORMANCE_TESTING == TRUE)
902 /* Conformance testing needs a dynamic response */
903 l2cb.test_info_resp = L2CAP_EXTFEA_SUPPORTED_MASK;
904 #endif
905
906 /* Number of ACL buffers to use for high priority channel */
907 #if (L2CAP_HIGH_PRI_CHAN_QUOTA_IS_CONFIGURABLE == TRUE)
908 l2cb.high_pri_min_xmit_quota = L2CAP_HIGH_PRI_MIN_XMIT_QUOTA;
909 #endif
910
911 l2cb.l2c_ble_fixed_chnls_mask = L2CAP_FIXED_CHNL_ATT_BIT |
912 L2CAP_FIXED_CHNL_BLE_SIG_BIT |
913 L2CAP_FIXED_CHNL_SMP_BIT;
914
915 l2cb.rcv_pending_q = list_new(NULL);
916 CHECK(l2cb.rcv_pending_q != NULL);
917
918 l2cb.receive_hold_timer = alarm_new("l2c.receive_hold_timer");
919 }
920
l2c_free(void)921 void l2c_free(void) {
922 list_free(l2cb.rcv_pending_q);
923 l2cb.rcv_pending_q = NULL;
924 }
925
l2c_receive_hold_timer_timeout(UNUSED_ATTR void * data)926 void l2c_receive_hold_timer_timeout(UNUSED_ATTR void* data) {
927 /* Update the timeouts in the hold queue */
928 l2c_process_held_packets(true);
929 }
930
l2c_ccb_timer_timeout(void * data)931 void l2c_ccb_timer_timeout(void* data) {
932 tL2C_CCB* p_ccb = (tL2C_CCB*)data;
933
934 l2c_csm_execute(p_ccb, L2CEVT_TIMEOUT, NULL);
935 }
936
l2c_fcrb_ack_timer_timeout(void * data)937 void l2c_fcrb_ack_timer_timeout(void* data) {
938 tL2C_CCB* p_ccb = (tL2C_CCB*)data;
939
940 l2c_csm_execute(p_ccb, L2CEVT_ACK_TIMEOUT, NULL);
941 }
942
l2c_lcb_timer_timeout(void * data)943 void l2c_lcb_timer_timeout(void* data) {
944 tL2C_LCB* p_lcb = (tL2C_LCB*)data;
945
946 l2c_link_timeout(p_lcb);
947 }
948
949 /*******************************************************************************
950 *
951 * Function l2c_data_write
952 *
953 * Description API functions call this function to write data.
954 *
955 * Returns L2CAP_DW_SUCCESS, if data accepted, else false
956 * L2CAP_DW_CONGESTED, if data accepted and the channel is
957 * congested
958 * L2CAP_DW_FAILED, if error
959 *
960 ******************************************************************************/
l2c_data_write(uint16_t cid,BT_HDR * p_data,uint16_t flags)961 uint8_t l2c_data_write(uint16_t cid, BT_HDR* p_data, uint16_t flags) {
962
963 /* Find the channel control block. We don't know the link it is on. */
964 tL2C_CCB* p_ccb = l2cu_find_ccb_by_cid(NULL, cid);
965 if (!p_ccb) {
966 L2CAP_TRACE_WARNING("L2CAP - no CCB for L2CA_DataWrite, CID: %d", cid);
967 osi_free(p_data);
968 return (L2CAP_DW_FAILED);
969 }
970
971 #ifndef TESTER
972 /* Tester may send any amount of data. otherwise sending message bigger than
973 * mtu size of peer is a violation of protocol */
974 uint16_t mtu;
975
976 if (p_ccb->p_lcb->transport == BT_TRANSPORT_LE)
977 mtu = p_ccb->peer_conn_cfg.mtu;
978 else
979 mtu = p_ccb->peer_cfg.mtu;
980
981 if (p_data->len > mtu) {
982 L2CAP_TRACE_WARNING(
983 "L2CAP - CID: 0x%04x cannot send message bigger than peer's mtu size: "
984 "len=%u mtu=%u",
985 cid, p_data->len, mtu);
986 osi_free(p_data);
987 return (L2CAP_DW_FAILED);
988 }
989 #endif
990
991 /* channel based, packet based flushable or non-flushable */
992 p_data->layer_specific = flags;
993
994 /* If already congested, do not accept any more packets */
995 if (p_ccb->cong_sent) {
996 L2CAP_TRACE_ERROR(
997 "L2CAP - CID: 0x%04x cannot send, already congested "
998 "xmit_hold_q.count: %u buff_quota: %u",
999 p_ccb->local_cid, fixed_queue_length(p_ccb->xmit_hold_q),
1000 p_ccb->buff_quota);
1001
1002 osi_free(p_data);
1003 return (L2CAP_DW_FAILED);
1004 }
1005
1006 l2c_csm_execute(p_ccb, L2CEVT_L2CA_DATA_WRITE, p_data);
1007
1008 if (p_ccb->cong_sent) return (L2CAP_DW_CONGESTED);
1009
1010 return (L2CAP_DW_SUCCESS);
1011 }
1012