1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions to send TS 07.10 frames
22 *
23 ******************************************************************************/
24
25 #define LOG_TAG "rfcomm"
26
27 #include <bluetooth/log.h>
28
29 #include <cstdint>
30
31 #include "internal_include/bt_target.h"
32 #include "os/logging/log_adapter.h"
33 #include "osi/include/allocator.h"
34 #include "stack/include/bt_hdr.h"
35 #include "stack/include/l2c_api.h"
36 #include "stack/include/rfcdefs.h"
37 #include "stack/rfcomm/port_int.h"
38 #include "stack/rfcomm/rfc_int.h"
39
40 using namespace bluetooth;
41
42 /*******************************************************************************
43 *
44 * Function rfc_send_sabme
45 *
46 * Description This function sends SABME frame.
47 *
48 ******************************************************************************/
rfc_send_sabme(tRFC_MCB * p_mcb,uint8_t dlci)49 void rfc_send_sabme(tRFC_MCB* p_mcb, uint8_t dlci) {
50 uint8_t* p_data;
51 uint8_t cr = RFCOMM_CR(p_mcb->is_initiator, true);
52 BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
53
54 p_buf->offset = L2CAP_MIN_OFFSET;
55 p_data = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
56
57 /* SABME frame, command, PF = 1, dlci */
58 *p_data++ = RFCOMM_EA | cr | (dlci << RFCOMM_SHIFT_DLCI);
59 *p_data++ = RFCOMM_SABME | RFCOMM_PF;
60 *p_data++ = RFCOMM_EA | 0;
61
62 *p_data =
63 RFCOMM_SABME_FCS((uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET, cr, dlci);
64
65 p_buf->len = 4;
66
67 rfc_check_send_cmd(p_mcb, p_buf);
68 }
69
70 /*******************************************************************************
71 *
72 * Function rfc_send_ua
73 *
74 * Description This function sends UA frame.
75 *
76 ******************************************************************************/
rfc_send_ua(tRFC_MCB * p_mcb,uint8_t dlci)77 void rfc_send_ua(tRFC_MCB* p_mcb, uint8_t dlci) {
78 uint8_t* p_data;
79 uint8_t cr = RFCOMM_CR(p_mcb->is_initiator, false);
80 BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
81
82 p_buf->offset = L2CAP_MIN_OFFSET;
83 p_data = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
84
85 /* ua frame, response, PF = 1, dlci */
86 *p_data++ = RFCOMM_EA | cr | (dlci << RFCOMM_SHIFT_DLCI);
87 *p_data++ = RFCOMM_UA | RFCOMM_PF;
88 *p_data++ = RFCOMM_EA | 0;
89
90 *p_data = RFCOMM_UA_FCS((uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET, cr, dlci);
91
92 p_buf->len = 4;
93
94 rfc_check_send_cmd(p_mcb, p_buf);
95 }
96
97 /*******************************************************************************
98 *
99 * Function rfc_send_dm
100 *
101 * Description This function sends DM frame.
102 *
103 ******************************************************************************/
rfc_send_dm(tRFC_MCB * p_mcb,uint8_t dlci,bool pf)104 void rfc_send_dm(tRFC_MCB* p_mcb, uint8_t dlci, bool pf) {
105 uint8_t* p_data;
106 uint8_t cr = RFCOMM_CR(p_mcb->is_initiator, false);
107 BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
108
109 p_buf->offset = L2CAP_MIN_OFFSET;
110 p_data = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
111
112 /* DM frame, response, PF = 1, dlci */
113 *p_data++ = RFCOMM_EA | cr | (dlci << RFCOMM_SHIFT_DLCI);
114 *p_data++ = RFCOMM_DM | ((pf) ? RFCOMM_PF : 0);
115 *p_data++ = RFCOMM_EA | 0;
116
117 *p_data = RFCOMM_DM_FCS((uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET, cr, dlci);
118
119 p_buf->len = 4;
120
121 rfc_check_send_cmd(p_mcb, p_buf);
122 }
123
124 /*******************************************************************************
125 *
126 * Function rfc_send_disc
127 *
128 * Description This function sends DISC frame.
129 *
130 ******************************************************************************/
rfc_send_disc(tRFC_MCB * p_mcb,uint8_t dlci)131 void rfc_send_disc(tRFC_MCB* p_mcb, uint8_t dlci) {
132 uint8_t* p_data;
133 uint8_t cr = RFCOMM_CR(p_mcb->is_initiator, true);
134 BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
135
136 p_buf->offset = L2CAP_MIN_OFFSET;
137 p_data = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
138
139 /* DISC frame, command, PF = 1, dlci */
140 *p_data++ = RFCOMM_EA | cr | (dlci << RFCOMM_SHIFT_DLCI);
141 *p_data++ = RFCOMM_DISC | RFCOMM_PF;
142 *p_data++ = RFCOMM_EA | 0;
143
144 *p_data = RFCOMM_DISC_FCS((uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET, cr, dlci);
145
146 p_buf->len = 4;
147
148 rfc_check_send_cmd(p_mcb, p_buf);
149 }
150
151 /*******************************************************************************
152 *
153 * Function rfc_send_buf_uih
154 *
155 * Description This function sends UIH frame.
156 *
157 ******************************************************************************/
rfc_send_buf_uih(tRFC_MCB * p_mcb,uint8_t dlci,BT_HDR * p_buf)158 void rfc_send_buf_uih(tRFC_MCB* p_mcb, uint8_t dlci, BT_HDR* p_buf) {
159 uint8_t* p_data;
160 uint8_t cr = RFCOMM_CR(p_mcb->is_initiator, true);
161 uint8_t credits;
162
163 p_buf->offset -= RFCOMM_CTRL_FRAME_LEN;
164 if (p_buf->len > 127) {
165 p_buf->offset--;
166 }
167
168 if (dlci) {
169 credits = (uint8_t)p_buf->layer_specific;
170 } else {
171 credits = 0;
172 }
173
174 if (credits) {
175 p_buf->offset--;
176 }
177
178 p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
179
180 /* UIH frame, command, PF = 0, dlci */
181 *p_data++ = RFCOMM_EA | cr | (dlci << RFCOMM_SHIFT_DLCI);
182 *p_data++ = RFCOMM_UIH | ((credits) ? RFCOMM_PF : 0);
183 if (p_buf->len <= 127) {
184 *p_data++ = RFCOMM_EA | (p_buf->len << 1);
185 p_buf->len += 3;
186 } else {
187 *p_data++ = (p_buf->len & 0x7f) << 1;
188 *p_data++ = p_buf->len >> RFCOMM_SHIFT_LENGTH2;
189 p_buf->len += 4;
190 }
191
192 if (credits) {
193 *p_data++ = credits;
194 p_buf->len++;
195 }
196
197 p_data = (uint8_t*)(p_buf + 1) + p_buf->offset + p_buf->len++;
198
199 *p_data = RFCOMM_UIH_FCS((uint8_t*)(p_buf + 1) + p_buf->offset, dlci);
200
201 if (dlci == RFCOMM_MX_DLCI) {
202 rfc_check_send_cmd(p_mcb, p_buf);
203 } else {
204 if (L2CA_DataWrite(p_mcb->lcid, p_buf) != L2CAP_DW_SUCCESS) {
205 log::warn("Unable to write L2CAP data peer:{} cid:{} len:{}",
206 p_mcb->bd_addr, p_mcb->lcid, p_buf->len);
207 }
208 }
209 }
210
211 /*******************************************************************************
212 *
213 * Function rfc_send_pn
214 *
215 * Description This function sends DLC Parameters Negotiation Frame.
216 *
217 ******************************************************************************/
rfc_send_pn(tRFC_MCB * p_mcb,uint8_t dlci,bool is_command,uint16_t mtu,uint8_t cl,uint8_t k)218 void rfc_send_pn(tRFC_MCB* p_mcb, uint8_t dlci, bool is_command, uint16_t mtu,
219 uint8_t cl, uint8_t k) {
220 uint8_t* p_data;
221 BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
222
223 p_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_CTRL_FRAME_LEN;
224 p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
225
226 *p_data++ = RFCOMM_EA | RFCOMM_I_CR(is_command) | RFCOMM_MX_PN;
227 *p_data++ = RFCOMM_EA | (RFCOMM_MX_PN_LEN << 1);
228
229 *p_data++ = dlci;
230 *p_data++ = RFCOMM_PN_FRAM_TYPE_UIH | cl;
231
232 /* It appeared that we need to reply with the same priority bits as we
233 *received.
234 ** We will use the fact that we reply in the same context so rx_frame can
235 *still be used.
236 */
237 if (is_command) {
238 *p_data++ = RFCOMM_PN_PRIORITY_0;
239 } else {
240 *p_data++ = rfc_cb.rfc.rx_frame.u.pn.priority;
241 }
242 *p_data++ = RFCOMM_T1_DSEC;
243 *p_data++ = mtu & 0xFF;
244 *p_data++ = mtu >> 8;
245 *p_data++ = RFCOMM_N2;
246 *p_data = k;
247
248 /* Total length is sizeof PN data + mx header 2 */
249 p_buf->len = RFCOMM_MX_PN_LEN + 2;
250
251 rfc_send_buf_uih(p_mcb, RFCOMM_MX_DLCI, p_buf);
252 }
253
254 /*******************************************************************************
255 *
256 * Function rfc_send_fcon
257 *
258 * Description This function sends Flow Control On Command.
259 *
260 ******************************************************************************/
rfc_send_fcon(tRFC_MCB * p_mcb,bool is_command)261 void rfc_send_fcon(tRFC_MCB* p_mcb, bool is_command) {
262 uint8_t* p_data;
263 BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
264
265 p_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_CTRL_FRAME_LEN;
266 p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
267
268 *p_data++ = RFCOMM_EA | RFCOMM_I_CR(is_command) | RFCOMM_MX_FCON;
269 *p_data++ = RFCOMM_EA | (RFCOMM_MX_FCON_LEN << 1);
270
271 /* Total length is sizeof FCON data + mx header 2 */
272 p_buf->len = RFCOMM_MX_FCON_LEN + 2;
273
274 rfc_send_buf_uih(p_mcb, RFCOMM_MX_DLCI, p_buf);
275 }
276
277 /*******************************************************************************
278 *
279 * Function rfc_send_fcoff
280 *
281 * Description This function sends Flow Control Off Command.
282 *
283 ******************************************************************************/
rfc_send_fcoff(tRFC_MCB * p_mcb,bool is_command)284 void rfc_send_fcoff(tRFC_MCB* p_mcb, bool is_command) {
285 uint8_t* p_data;
286 BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
287
288 p_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_CTRL_FRAME_LEN;
289 p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
290
291 *p_data++ = RFCOMM_EA | RFCOMM_I_CR(is_command) | RFCOMM_MX_FCOFF;
292 *p_data++ = RFCOMM_EA | (RFCOMM_MX_FCOFF_LEN << 1);
293
294 /* Total length is sizeof FCOFF data + mx header 2 */
295 p_buf->len = RFCOMM_MX_FCOFF_LEN + 2;
296
297 rfc_send_buf_uih(p_mcb, RFCOMM_MX_DLCI, p_buf);
298 }
299
300 /*******************************************************************************
301 *
302 * Function rfc_send_msc
303 *
304 * Description This function sends Modem Status Command Frame.
305 *
306 ******************************************************************************/
rfc_send_msc(tRFC_MCB * p_mcb,uint8_t dlci,bool is_command,tPORT_CTRL * p_pars)307 void rfc_send_msc(tRFC_MCB* p_mcb, uint8_t dlci, bool is_command,
308 tPORT_CTRL* p_pars) {
309 uint8_t* p_data;
310 uint8_t signals;
311 uint8_t break_duration;
312 uint8_t len;
313 BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
314
315 signals = p_pars->modem_signal;
316 break_duration = p_pars->break_signal;
317
318 p_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_CTRL_FRAME_LEN;
319 p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
320
321 if (break_duration)
322 len = RFCOMM_MX_MSC_LEN_WITH_BREAK;
323 else
324 len = RFCOMM_MX_MSC_LEN_NO_BREAK;
325
326 *p_data++ = RFCOMM_EA | RFCOMM_I_CR(is_command) | RFCOMM_MX_MSC;
327 *p_data++ = RFCOMM_EA | (len << 1);
328
329 *p_data++ = RFCOMM_EA | RFCOMM_CR_MASK | (dlci << RFCOMM_SHIFT_DLCI);
330 *p_data++ = RFCOMM_EA | ((p_pars->fc) ? RFCOMM_MSC_FC : 0) |
331 ((signals & MODEM_SIGNAL_DTRDSR) ? RFCOMM_MSC_RTC : 0) |
332 ((signals & MODEM_SIGNAL_RTSCTS) ? RFCOMM_MSC_RTR : 0) |
333 ((signals & MODEM_SIGNAL_RI) ? RFCOMM_MSC_IC : 0) |
334 ((signals & MODEM_SIGNAL_DCD) ? RFCOMM_MSC_DV : 0);
335
336 if (break_duration) {
337 *p_data++ = RFCOMM_EA | RFCOMM_MSC_BREAK_PRESENT_MASK |
338 (break_duration << RFCOMM_MSC_SHIFT_BREAK);
339 }
340
341 /* Total length is sizeof MSC data + mx header 2 */
342 p_buf->len = len + 2;
343
344 rfc_send_buf_uih(p_mcb, RFCOMM_MX_DLCI, p_buf);
345 }
346
347 /*******************************************************************************
348 *
349 * Function rfc_send_rls
350 *
351 * Description This function sends Remote Line Status Command Frame.
352 *
353 ******************************************************************************/
rfc_send_rls(tRFC_MCB * p_mcb,uint8_t dlci,bool is_command,uint8_t status)354 void rfc_send_rls(tRFC_MCB* p_mcb, uint8_t dlci, bool is_command,
355 uint8_t status) {
356 uint8_t* p_data;
357 BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
358
359 p_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_CTRL_FRAME_LEN;
360 p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
361
362 *p_data++ = RFCOMM_EA | RFCOMM_I_CR(is_command) | RFCOMM_MX_RLS;
363 *p_data++ = RFCOMM_EA | (RFCOMM_MX_RLS_LEN << 1);
364
365 *p_data++ = RFCOMM_EA | RFCOMM_CR_MASK | (dlci << RFCOMM_SHIFT_DLCI);
366 *p_data++ = RFCOMM_RLS_ERROR | status;
367
368 /* Total length is sizeof RLS data + mx header 2 */
369 p_buf->len = RFCOMM_MX_RLS_LEN + 2;
370
371 rfc_send_buf_uih(p_mcb, RFCOMM_MX_DLCI, p_buf);
372 }
373
374 /*******************************************************************************
375 *
376 * Function rfc_send_nsc
377 *
378 * Description This function sends Non Supported Command Response.
379 *
380 ******************************************************************************/
rfc_send_nsc(tRFC_MCB * p_mcb)381 void rfc_send_nsc(tRFC_MCB* p_mcb) {
382 uint8_t* p_data;
383 BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
384
385 p_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_CTRL_FRAME_LEN;
386 p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
387
388 *p_data++ = RFCOMM_EA | RFCOMM_I_CR(false) | RFCOMM_MX_NSC;
389 *p_data++ = RFCOMM_EA | (RFCOMM_MX_NSC_LEN << 1);
390
391 *p_data++ = rfc_cb.rfc.rx_frame.ea |
392 (rfc_cb.rfc.rx_frame.cr << RFCOMM_SHIFT_CR) |
393 rfc_cb.rfc.rx_frame.type;
394
395 /* Total length is sizeof NSC data + mx header 2 */
396 p_buf->len = RFCOMM_MX_NSC_LEN + 2;
397
398 rfc_send_buf_uih(p_mcb, RFCOMM_MX_DLCI, p_buf);
399 }
400
401 /*******************************************************************************
402 *
403 * Function rfc_send_rpn
404 *
405 * Description This function sends Remote Port Negotiation Command
406 *
407 ******************************************************************************/
rfc_send_rpn(tRFC_MCB * p_mcb,uint8_t dlci,bool is_command,tPORT_STATE * p_pars,uint16_t mask)408 void rfc_send_rpn(tRFC_MCB* p_mcb, uint8_t dlci, bool is_command,
409 tPORT_STATE* p_pars, uint16_t mask) {
410 uint8_t* p_data;
411 BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
412
413 p_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_CTRL_FRAME_LEN;
414 p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
415
416 *p_data++ = RFCOMM_EA | RFCOMM_I_CR(is_command) | RFCOMM_MX_RPN;
417
418 if (!p_pars) {
419 *p_data++ = RFCOMM_EA | (RFCOMM_MX_RPN_REQ_LEN << 1);
420
421 *p_data++ = RFCOMM_EA | RFCOMM_CR_MASK | (dlci << RFCOMM_SHIFT_DLCI);
422
423 p_buf->len = RFCOMM_MX_RPN_REQ_LEN + 2;
424 } else {
425 *p_data++ = RFCOMM_EA | (RFCOMM_MX_RPN_LEN << 1);
426
427 *p_data++ = RFCOMM_EA | RFCOMM_CR_MASK | (dlci << RFCOMM_SHIFT_DLCI);
428 *p_data++ = p_pars->baud_rate;
429 *p_data++ = (p_pars->byte_size << RFCOMM_RPN_BITS_SHIFT) |
430 (p_pars->stop_bits << RFCOMM_RPN_STOP_BITS_SHIFT) |
431 (p_pars->parity << RFCOMM_RPN_PARITY_SHIFT) |
432 (p_pars->parity_type << RFCOMM_RPN_PARITY_TYPE_SHIFT);
433 *p_data++ = p_pars->fc_type;
434 *p_data++ = p_pars->xon_char;
435 *p_data++ = p_pars->xoff_char;
436 *p_data++ = (mask & 0xFF);
437 *p_data++ = (mask >> 8);
438
439 /* Total length is sizeof RPN data + mx header 2 */
440 p_buf->len = RFCOMM_MX_RPN_LEN + 2;
441 }
442
443 rfc_send_buf_uih(p_mcb, RFCOMM_MX_DLCI, p_buf);
444 }
445
446 /*******************************************************************************
447 *
448 * Function rfc_send_test
449 *
450 * Description This function sends Test frame.
451 *
452 ******************************************************************************/
rfc_send_test(tRFC_MCB * p_mcb,bool is_command,BT_HDR * p_buf)453 void rfc_send_test(tRFC_MCB* p_mcb, bool is_command, BT_HDR* p_buf) {
454 /* Shift buffer to give space for header */
455 if (p_buf->offset < (L2CAP_MIN_OFFSET + RFCOMM_MIN_OFFSET + 2)) {
456 uint8_t* p_src = (uint8_t*)(p_buf + 1) + p_buf->offset + p_buf->len - 1;
457 BT_HDR* p_new_buf =
458 (BT_HDR*)osi_malloc(p_buf->len + (L2CAP_MIN_OFFSET + RFCOMM_MIN_OFFSET +
459 2 + sizeof(BT_HDR) + 1));
460
461 p_new_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_MIN_OFFSET + 2;
462 p_new_buf->len = p_buf->len;
463
464 uint8_t* p_dest =
465 (uint8_t*)(p_new_buf + 1) + p_new_buf->offset + p_new_buf->len - 1;
466
467 for (uint16_t xx = 0; xx < p_buf->len; xx++) *p_dest-- = *p_src--;
468
469 osi_free(p_buf);
470 p_buf = p_new_buf;
471 }
472
473 /* Adjust offset by number of bytes we are going to fill */
474 p_buf->offset -= 2;
475 uint8_t* p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
476
477 *p_data++ = RFCOMM_EA | RFCOMM_I_CR(is_command) | RFCOMM_MX_TEST;
478 *p_data++ = RFCOMM_EA | (p_buf->len << 1);
479
480 p_buf->len += 2;
481
482 rfc_send_buf_uih(p_mcb, RFCOMM_MX_DLCI, p_buf);
483 }
484
485 /*******************************************************************************
486 *
487 * Function rfc_send_credit
488 *
489 * Description This function sends a flow control credit in UIH frame.
490 *
491 ******************************************************************************/
rfc_send_credit(tRFC_MCB * p_mcb,uint8_t dlci,uint8_t credit)492 void rfc_send_credit(tRFC_MCB* p_mcb, uint8_t dlci, uint8_t credit) {
493 uint8_t* p_data;
494 uint8_t cr = RFCOMM_CR(p_mcb->is_initiator, true);
495 BT_HDR* p_buf = (BT_HDR*)osi_malloc(RFCOMM_CMD_BUF_SIZE);
496
497 p_buf->offset = L2CAP_MIN_OFFSET;
498 p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
499
500 *p_data++ = RFCOMM_EA | cr | (dlci << RFCOMM_SHIFT_DLCI);
501 *p_data++ = RFCOMM_UIH | RFCOMM_PF;
502 *p_data++ = RFCOMM_EA | 0;
503 *p_data++ = credit;
504 *p_data = RFCOMM_UIH_FCS((uint8_t*)(p_buf + 1) + p_buf->offset, dlci);
505
506 p_buf->len = 5;
507
508 rfc_check_send_cmd(p_mcb, p_buf);
509 }
510
511 /*******************************************************************************
512 *
513 * Function rfc_parse_data
514 *
515 * Description This function processes data packet received from L2CAP
516 *
517 ******************************************************************************/
rfc_parse_data(tRFC_MCB * p_mcb,MX_FRAME * p_frame,BT_HDR * p_buf)518 tRFC_EVENT rfc_parse_data(tRFC_MCB* p_mcb, MX_FRAME* p_frame, BT_HDR* p_buf) {
519 uint8_t ead, eal, fcs;
520 uint8_t* p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
521 uint8_t* p_start = p_data;
522 uint16_t len;
523
524 if (p_buf->len < RFCOMM_CTRL_FRAME_LEN) {
525 log::error("Bad Length1: {}", p_buf->len);
526 return (RFC_EVENT_BAD_FRAME);
527 }
528
529 RFCOMM_PARSE_CTRL_FIELD(ead, p_frame->cr, p_frame->dlci, p_data);
530 if (!ead) {
531 log::error("Bad Address(EA must be 1)");
532 return (RFC_EVENT_BAD_FRAME);
533 }
534 RFCOMM_PARSE_TYPE_FIELD(p_frame->type, p_frame->pf, p_data);
535
536 eal = *(p_data)&RFCOMM_EA;
537 len = *(p_data)++ >> RFCOMM_SHIFT_LENGTH1;
538 if (eal == 0 && p_buf->len > RFCOMM_CTRL_FRAME_LEN) {
539 len += (*(p_data)++ << RFCOMM_SHIFT_LENGTH2);
540 } else if (eal == 0) {
541 log::error("Bad Length when EAL = 0: {}", p_buf->len);
542 return RFC_EVENT_BAD_FRAME;
543 }
544
545 if (p_buf->len < (3 + !ead + !eal + 1)) {
546 log::error("Bad Length: {}", p_buf->len);
547 return RFC_EVENT_BAD_FRAME;
548 }
549 p_buf->len -= (3 + !ead + !eal + 1); /* Additional 1 for FCS */
550 p_buf->offset += (3 + !ead + !eal);
551
552 /* handle credit if credit based flow control */
553 if ((p_mcb->flow == PORT_FC_CREDIT) && (p_frame->type == RFCOMM_UIH) &&
554 (p_frame->dlci != RFCOMM_MX_DLCI) && (p_frame->pf == 1)) {
555 if (p_buf->len < sizeof(uint8_t)) {
556 log::error("Bad Length in flow control: {}", p_buf->len);
557 return RFC_EVENT_BAD_FRAME;
558 }
559 p_frame->credit = *p_data++;
560 p_buf->len--;
561 p_buf->offset++;
562 } else {
563 p_frame->credit = 0;
564 }
565
566 if (p_buf->len != len) {
567 log::error("Bad Length2 {} {}", p_buf->len, len);
568 return (RFC_EVENT_BAD_FRAME);
569 }
570
571 fcs = *(p_data + len);
572
573 /* All control frames that we are sending are sent with P=1, expect */
574 /* reply with F=1 */
575 /* According to TS 07.10 spec ivalid frames are discarded without */
576 /* notification to the sender */
577 switch (p_frame->type) {
578 case RFCOMM_SABME:
579 if (RFCOMM_FRAME_IS_RSP(p_mcb->is_initiator, p_frame->cr) ||
580 !p_frame->pf || len || !RFCOMM_VALID_DLCI(p_frame->dlci) ||
581 !rfc_check_fcs(RFCOMM_CTRL_FRAME_LEN, p_start, fcs)) {
582 log::error("Bad SABME");
583 return (RFC_EVENT_BAD_FRAME);
584 } else
585 return (RFC_EVENT_SABME);
586
587 case RFCOMM_UA:
588 if (RFCOMM_FRAME_IS_CMD(p_mcb->is_initiator, p_frame->cr) ||
589 !p_frame->pf || len || !RFCOMM_VALID_DLCI(p_frame->dlci) ||
590 !rfc_check_fcs(RFCOMM_CTRL_FRAME_LEN, p_start, fcs)) {
591 log::error("Bad UA");
592 return (RFC_EVENT_BAD_FRAME);
593 } else
594 return (RFC_EVENT_UA);
595
596 case RFCOMM_DM:
597 if (RFCOMM_FRAME_IS_CMD(p_mcb->is_initiator, p_frame->cr) || len ||
598 !RFCOMM_VALID_DLCI(p_frame->dlci) ||
599 !rfc_check_fcs(RFCOMM_CTRL_FRAME_LEN, p_start, fcs)) {
600 log::error("Bad DM");
601 return (RFC_EVENT_BAD_FRAME);
602 } else
603 return (RFC_EVENT_DM);
604
605 case RFCOMM_DISC:
606 if (RFCOMM_FRAME_IS_RSP(p_mcb->is_initiator, p_frame->cr) ||
607 !p_frame->pf || len || !RFCOMM_VALID_DLCI(p_frame->dlci) ||
608 !rfc_check_fcs(RFCOMM_CTRL_FRAME_LEN, p_start, fcs)) {
609 log::error("Bad DISC");
610 return (RFC_EVENT_BAD_FRAME);
611 } else
612 return (RFC_EVENT_DISC);
613
614 case RFCOMM_UIH:
615 if (!RFCOMM_VALID_DLCI(p_frame->dlci)) {
616 log::error("Bad UIH - invalid DLCI");
617 return (RFC_EVENT_BAD_FRAME);
618 } else if (!rfc_check_fcs(2, p_start, fcs)) {
619 log::error("Bad UIH - FCS");
620 return (RFC_EVENT_BAD_FRAME);
621 } else if (RFCOMM_FRAME_IS_RSP(p_mcb->is_initiator, p_frame->cr)) {
622 /* we assume that this is ok to allow bad implementations to work */
623 log::error("Bad UIH - response");
624 return (RFC_EVENT_UIH);
625 } else {
626 return (RFC_EVENT_UIH);
627 }
628 }
629
630 return (RFC_EVENT_BAD_FRAME);
631 }
632
633 /*******************************************************************************
634 *
635 * Function rfc_process_mx_message
636 *
637 * Description This function processes UIH frames received on the
638 * multiplexer control channel.
639 *
640 ******************************************************************************/
rfc_process_mx_message(tRFC_MCB * p_mcb,BT_HDR * p_buf)641 void rfc_process_mx_message(tRFC_MCB* p_mcb, BT_HDR* p_buf) {
642 uint8_t* p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
643 MX_FRAME* p_rx_frame = &rfc_cb.rfc.rx_frame;
644 uint16_t length = p_buf->len;
645 uint8_t ea, cr, mx_len;
646
647 if (length < 2) {
648 log::error("Illegal MX Frame len when reading EA, C/R. len:{} < 2", length);
649 osi_free(p_buf);
650 return;
651 }
652 p_rx_frame->ea = *p_data & RFCOMM_EA;
653 p_rx_frame->cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
654 p_rx_frame->type = *p_data++ & ~(RFCOMM_CR_MASK | RFCOMM_EA_MASK);
655
656 if (!p_rx_frame->ea || !length) {
657 log::error("Invalid MX frame ea={}, len={}, bd_addr={}", p_rx_frame->ea,
658 length, p_mcb->bd_addr);
659 osi_free(p_buf);
660 return;
661 }
662
663 length--;
664
665 bool is_command = p_rx_frame->cr;
666
667 ea = *p_data & RFCOMM_EA;
668
669 mx_len = *p_data++ >> RFCOMM_SHIFT_LENGTH1;
670 length--;
671
672 if (!ea) {
673 if (length < 1) {
674 log::error("Illegal MX Frame when EA = 0. len:{} < 1", length);
675 osi_free(p_buf);
676 return;
677 }
678 mx_len += *p_data++ << RFCOMM_SHIFT_LENGTH2;
679 length--;
680 }
681
682 if (mx_len != length) {
683 log::error("Bad MX frame, p_mcb={}, bd_addr={}", fmt::ptr(p_mcb),
684 p_mcb->bd_addr);
685 osi_free(p_buf);
686 return;
687 }
688
689 log::verbose("type=0x{:02x}, bd_addr={}", p_rx_frame->type, p_mcb->bd_addr);
690 switch (p_rx_frame->type) {
691 case RFCOMM_MX_PN:
692 if (length != RFCOMM_MX_PN_LEN) {
693 log::error("Invalid PN length, p_mcb={}, bd_addr={}", fmt::ptr(p_mcb),
694 p_mcb->bd_addr);
695 break;
696 }
697
698 p_rx_frame->dlci = *p_data++ & RFCOMM_PN_DLCI_MASK;
699 p_rx_frame->u.pn.frame_type = *p_data & RFCOMM_PN_FRAME_TYPE_MASK;
700 p_rx_frame->u.pn.conv_layer = *p_data++ & RFCOMM_PN_CONV_LAYER_MASK;
701 p_rx_frame->u.pn.priority = *p_data++ & RFCOMM_PN_PRIORITY_MASK;
702 p_rx_frame->u.pn.t1 = *p_data++;
703 p_rx_frame->u.pn.mtu = *p_data + (*(p_data + 1) << 8);
704 p_data += 2;
705 p_rx_frame->u.pn.n2 = *p_data++;
706 p_rx_frame->u.pn.k = *p_data++ & RFCOMM_PN_K_MASK;
707
708 if (!p_rx_frame->dlci || !RFCOMM_VALID_DLCI(p_rx_frame->dlci) ||
709 (p_rx_frame->u.pn.mtu < RFCOMM_MIN_MTU) ||
710 (p_rx_frame->u.pn.mtu > RFCOMM_MAX_MTU)) {
711 log::error("Bad PN frame, p_mcb={}, bd_addr={}", fmt::ptr(p_mcb),
712 p_mcb->bd_addr);
713 break;
714 }
715
716 osi_free(p_buf);
717
718 rfc_process_pn(p_mcb, is_command, p_rx_frame);
719 return;
720
721 case RFCOMM_MX_TEST:
722 if (!length) break;
723
724 p_rx_frame->u.test.p_data = p_data;
725 p_rx_frame->u.test.data_len = length;
726
727 p_buf->offset += 2;
728 p_buf->len -= 2;
729
730 if (is_command)
731 rfc_send_test(p_mcb, false, p_buf);
732 else
733 rfc_process_test_rsp(p_mcb, p_buf);
734 return;
735
736 case RFCOMM_MX_FCON:
737 if (length != RFCOMM_MX_FCON_LEN) break;
738
739 osi_free(p_buf);
740
741 rfc_process_fcon(p_mcb, is_command);
742 return;
743
744 case RFCOMM_MX_FCOFF:
745 if (length != RFCOMM_MX_FCOFF_LEN) break;
746
747 osi_free(p_buf);
748
749 rfc_process_fcoff(p_mcb, is_command);
750 return;
751
752 case RFCOMM_MX_MSC:
753 if (length != RFCOMM_MX_MSC_LEN_WITH_BREAK &&
754 length != RFCOMM_MX_MSC_LEN_NO_BREAK) {
755 log::error("Illegal MX MSC Frame len:{}", length);
756 osi_free(p_buf);
757 return;
758 }
759 ea = *p_data & RFCOMM_EA;
760 cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
761 p_rx_frame->dlci = *p_data++ >> RFCOMM_SHIFT_DLCI;
762
763 if (!ea || !cr || !p_rx_frame->dlci ||
764 !RFCOMM_VALID_DLCI(p_rx_frame->dlci)) {
765 log::error("Bad MSC frame");
766 break;
767 }
768
769 p_rx_frame->u.msc.signals = *p_data++;
770
771 if (mx_len == RFCOMM_MX_MSC_LEN_WITH_BREAK) {
772 p_rx_frame->u.msc.break_present =
773 *p_data & RFCOMM_MSC_BREAK_PRESENT_MASK;
774 p_rx_frame->u.msc.break_duration =
775 (*p_data & RFCOMM_MSC_BREAK_MASK) >> RFCOMM_MSC_SHIFT_BREAK;
776 } else {
777 p_rx_frame->u.msc.break_present = false;
778 p_rx_frame->u.msc.break_duration = 0;
779 }
780 osi_free(p_buf);
781
782 rfc_process_msc(p_mcb, is_command, p_rx_frame);
783 return;
784
785 case RFCOMM_MX_NSC:
786 if ((length != RFCOMM_MX_NSC_LEN) || !is_command) break;
787
788 p_rx_frame->u.nsc.ea = *p_data & RFCOMM_EA;
789 p_rx_frame->u.nsc.cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
790 p_rx_frame->u.nsc.type = *p_data++ >> RFCOMM_SHIFT_DLCI;
791
792 osi_free(p_buf);
793
794 rfc_process_nsc(p_mcb, p_rx_frame);
795 return;
796
797 case RFCOMM_MX_RPN:
798 if ((length != RFCOMM_MX_RPN_REQ_LEN) && (length != RFCOMM_MX_RPN_LEN))
799 break;
800
801 ea = *p_data & RFCOMM_EA;
802 cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
803 p_rx_frame->dlci = *p_data++ >> RFCOMM_SHIFT_DLCI;
804
805 if (!ea || !cr || !p_rx_frame->dlci ||
806 !RFCOMM_VALID_DLCI(p_rx_frame->dlci)) {
807 log::error("Bad RPN frame");
808 break;
809 }
810
811 p_rx_frame->u.rpn.is_request = (length == RFCOMM_MX_RPN_REQ_LEN);
812
813 if (!p_rx_frame->u.rpn.is_request) {
814 p_rx_frame->u.rpn.baud_rate = *p_data++;
815 p_rx_frame->u.rpn.byte_size =
816 (*p_data >> RFCOMM_RPN_BITS_SHIFT) & RFCOMM_RPN_BITS_MASK;
817 p_rx_frame->u.rpn.stop_bits =
818 (*p_data >> RFCOMM_RPN_STOP_BITS_SHIFT) & RFCOMM_RPN_STOP_BITS_MASK;
819 p_rx_frame->u.rpn.parity =
820 (*p_data >> RFCOMM_RPN_PARITY_SHIFT) & RFCOMM_RPN_PARITY_MASK;
821 p_rx_frame->u.rpn.parity_type =
822 (*p_data++ >> RFCOMM_RPN_PARITY_TYPE_SHIFT) &
823 RFCOMM_RPN_PARITY_TYPE_MASK;
824
825 p_rx_frame->u.rpn.fc_type = *p_data++ & RFCOMM_FC_MASK;
826 p_rx_frame->u.rpn.xon_char = *p_data++;
827 p_rx_frame->u.rpn.xoff_char = *p_data++;
828 p_rx_frame->u.rpn.param_mask =
829 (*p_data + (*(p_data + 1) << 8)) & RFCOMM_RPN_PM_MASK;
830 }
831 osi_free(p_buf);
832
833 rfc_process_rpn(p_mcb, is_command, p_rx_frame->u.rpn.is_request,
834 p_rx_frame);
835 return;
836
837 case RFCOMM_MX_RLS:
838 if (length != RFCOMM_MX_RLS_LEN) break;
839
840 ea = *p_data & RFCOMM_EA;
841 cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
842
843 p_rx_frame->dlci = *p_data++ >> RFCOMM_SHIFT_DLCI;
844 p_rx_frame->u.rls.line_status = (*p_data & ~0x01);
845
846 if (!ea || !cr || !p_rx_frame->dlci ||
847 !RFCOMM_VALID_DLCI(p_rx_frame->dlci)) {
848 log::error("Bad RPN frame");
849 break;
850 }
851
852 osi_free(p_buf);
853
854 rfc_process_rls(p_mcb, is_command, p_rx_frame);
855 return;
856 }
857
858 osi_free(p_buf);
859
860 if (is_command) rfc_send_nsc(p_mcb);
861 }
862