1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * this file contains SDP discovery functions
22 *
23 ******************************************************************************/
24
25 #define LOG_TAG "sdp_discovery"
26
27 #include <bluetooth/log.h>
28
29 #include <cstdint>
30
31 #include "internal_include/bt_target.h"
32 #include "osi/include/allocator.h"
33 #include "stack/include/bt_hdr.h"
34 #include "stack/include/bt_types.h"
35 #include "stack/include/sdpdefs.h"
36 #include "stack/sdp/sdp_discovery_db.h"
37 #include "stack/sdp/sdpint.h"
38 #include "types/bluetooth/uuid.h"
39 #include "types/raw_address.h"
40
41 using bluetooth::Uuid;
42 using namespace bluetooth;
43
44 /* Safety check in case we go crazy */
45 #define MAX_NEST_LEVELS 5
46
47 /*******************************************************************************
48 *
49 * Function sdpu_build_uuid_seq
50 *
51 * Description This function builds a UUID sequence from the list of
52 * passed UUIDs. It is also passed the address of the output
53 * buffer.
54 *
55 * Returns Pointer to next byte in the output buffer.
56 *
57 ******************************************************************************/
sdpu_build_uuid_seq(uint8_t * p_out,uint16_t num_uuids,Uuid * p_uuid_list,uint16_t & bytes_left)58 static uint8_t* sdpu_build_uuid_seq(uint8_t* p_out, uint16_t num_uuids,
59 Uuid* p_uuid_list, uint16_t& bytes_left) {
60 uint16_t xx;
61 uint8_t* p_len;
62
63 if (bytes_left < 2) {
64 DCHECK(0) << "SDP: No space for data element header";
65 return (p_out);
66 }
67
68 /* First thing is the data element header */
69 UINT8_TO_BE_STREAM(p_out, (DATA_ELE_SEQ_DESC_TYPE << 3) | SIZE_IN_NEXT_BYTE);
70
71 /* Remember where the length goes. Leave space for it. */
72 p_len = p_out;
73 p_out += 1;
74
75 /* Account for data element header and length */
76 bytes_left -= 2;
77
78 /* Now, loop through and put in all the UUID(s) */
79 for (xx = 0; xx < num_uuids; xx++, p_uuid_list++) {
80 int len = p_uuid_list->GetShortestRepresentationSize();
81
82 if (len + 1 > bytes_left) {
83 DCHECK(0) << "SDP: Too many UUIDs for internal buffer";
84 break;
85 } else {
86 bytes_left -= (len + 1);
87 }
88
89 if (len == Uuid::kNumBytes16) {
90 UINT8_TO_BE_STREAM(p_out, (UUID_DESC_TYPE << 3) | SIZE_TWO_BYTES);
91 UINT16_TO_BE_STREAM(p_out, p_uuid_list->As16Bit());
92 } else if (len == Uuid::kNumBytes32) {
93 UINT8_TO_BE_STREAM(p_out, (UUID_DESC_TYPE << 3) | SIZE_FOUR_BYTES);
94 UINT32_TO_BE_STREAM(p_out, p_uuid_list->As32Bit());
95 } else if (len == Uuid::kNumBytes128) {
96 UINT8_TO_BE_STREAM(p_out, (UUID_DESC_TYPE << 3) | SIZE_SIXTEEN_BYTES);
97 ARRAY_TO_BE_STREAM(p_out, p_uuid_list->To128BitBE(),
98 (int)Uuid::kNumBytes128);
99 } else {
100 DCHECK(0) << "SDP: Passed UUID has invalid length " << len;
101 }
102 }
103
104 /* Now, put in the length */
105 xx = (uint16_t)(p_out - p_len - 1);
106 UINT8_TO_BE_STREAM(p_len, xx);
107
108 return (p_out);
109 }
110
111 /*******************************************************************************
112 *
113 * Function sdp_snd_service_search_req
114 *
115 * Description Send a service search request to the SDP server.
116 *
117 * Returns void
118 *
119 ******************************************************************************/
sdp_snd_service_search_req(tCONN_CB * p_ccb,uint8_t cont_len,uint8_t * p_cont)120 static void sdp_snd_service_search_req(tCONN_CB* p_ccb, uint8_t cont_len,
121 uint8_t* p_cont) {
122 uint8_t *p, *p_start, *p_param_len;
123 BT_HDR* p_cmd = (BT_HDR*)osi_malloc(SDP_DATA_BUF_SIZE);
124 uint16_t param_len;
125 uint16_t bytes_left = SDP_DATA_BUF_SIZE;
126
127 /* Prepare the buffer for sending the packet to L2CAP */
128 p_cmd->offset = L2CAP_MIN_OFFSET;
129 p = p_start = (uint8_t*)(p_cmd + 1) + L2CAP_MIN_OFFSET;
130
131 /* Build a service search request packet */
132 UINT8_TO_BE_STREAM(p, SDP_PDU_SERVICE_SEARCH_REQ);
133 UINT16_TO_BE_STREAM(p, p_ccb->transaction_id);
134 p_ccb->transaction_id++;
135
136 /* Skip the length, we need to add it at the end */
137 p_param_len = p;
138 p += 2;
139
140 /* Account for header size, max service record count and
141 * continuation state */
142 const uint16_t base_bytes = (sizeof(BT_HDR) + L2CAP_MIN_OFFSET +
143 3u + /* service search request header */
144 2u + /* param len */
145 3u + ((p_cont) ? cont_len : 0));
146
147 if (base_bytes > bytes_left) {
148 DCHECK(0) << "SDP: Overran SDP data buffer";
149 osi_free(p_cmd);
150 return;
151 }
152
153 bytes_left -= base_bytes;
154
155 /* Build the UID sequence. */
156 p = sdpu_build_uuid_seq(p, p_ccb->p_db->num_uuid_filters,
157 p_ccb->p_db->uuid_filters, bytes_left);
158
159 /* Set max service record count */
160 UINT16_TO_BE_STREAM(p, sdp_cb.max_recs_per_search);
161
162 /* Set continuation state */
163 UINT8_TO_BE_STREAM(p, cont_len);
164
165 /* if this is not the first request */
166 if (cont_len && p_cont) {
167 memcpy(p, p_cont, cont_len);
168 p += cont_len;
169 }
170
171 /* Go back and put the parameter length into the buffer */
172 param_len = (uint16_t)(p - p_param_len - 2);
173 UINT16_TO_BE_STREAM(p_param_len, param_len);
174
175 p_ccb->disc_state = SDP_DISC_WAIT_HANDLES;
176
177 /* Set the length of the SDP data in the buffer */
178 p_cmd->len = (uint16_t)(p - p_start);
179
180 if (L2CA_DataWrite(p_ccb->connection_id, p_cmd) != L2CAP_DW_SUCCESS) {
181 log::warn("Unable to write L2CAP data peer:{} cid:{} len:{}",
182 p_ccb->device_address, p_ccb->connection_id, p_cmd->len);
183 }
184
185 /* Start inactivity timer */
186 alarm_set_on_mloop(p_ccb->sdp_conn_timer, SDP_INACT_TIMEOUT_MS,
187 sdp_conn_timer_timeout, p_ccb);
188 }
189
190 /*******************************************************************************
191 *
192 * Function sdp_copy_raw_data
193 *
194 * Description copy the raw data
195 *
196 *
197 * Returns bool
198 * true if successful
199 * false if not copied
200 *
201 ******************************************************************************/
sdp_copy_raw_data(tCONN_CB * p_ccb,bool offset)202 static bool sdp_copy_raw_data(tCONN_CB* p_ccb, bool offset) {
203 unsigned int cpy_len, rem_len;
204 uint32_t list_len;
205 uint8_t* p;
206 uint8_t* p_end;
207 uint8_t type;
208
209 if (p_ccb->p_db && p_ccb->p_db->raw_data) {
210 cpy_len = p_ccb->p_db->raw_size - p_ccb->p_db->raw_used;
211 list_len = p_ccb->list_len;
212 p = &p_ccb->rsp_list[0];
213 p_end = &p_ccb->rsp_list[0] + list_len;
214
215 if (offset) {
216 cpy_len -= 1;
217 type = *p++;
218 uint8_t* old_p = p;
219 p = sdpu_get_len_from_type(p, p_end, type, &list_len);
220 if (p == NULL || (p + list_len) > p_end) {
221 log::warn("bad length");
222 return false;
223 }
224 if ((int)cpy_len < (p - old_p)) {
225 log::warn("no bytes left for data");
226 return false;
227 }
228 cpy_len -= (p - old_p);
229 }
230 if (list_len < cpy_len) {
231 cpy_len = list_len;
232 }
233 rem_len = SDP_MAX_LIST_BYTE_COUNT - (unsigned int)(p - &p_ccb->rsp_list[0]);
234 if (cpy_len > rem_len) {
235 log::warn("rem_len :{} less than cpy_len:{}", rem_len, cpy_len);
236 cpy_len = rem_len;
237 }
238 memcpy(&p_ccb->p_db->raw_data[p_ccb->p_db->raw_used], p, cpy_len);
239 p_ccb->p_db->raw_used += cpy_len;
240 }
241 return true;
242 }
243
244 /*******************************************************************************
245 *
246 * Function add_record
247 *
248 * Description This function allocates space for a record from the DB.
249 *
250 * Returns pointer to next byte in data stream
251 *
252 ******************************************************************************/
add_record(tSDP_DISCOVERY_DB * p_db,const RawAddress & bd_addr)253 tSDP_DISC_REC* add_record(tSDP_DISCOVERY_DB* p_db, const RawAddress& bd_addr) {
254 tSDP_DISC_REC* p_rec;
255
256 /* See if there is enough space in the database */
257 if (p_db->mem_free < sizeof(tSDP_DISC_REC)) return (NULL);
258
259 p_rec = (tSDP_DISC_REC*)p_db->p_free_mem;
260 p_db->p_free_mem += sizeof(tSDP_DISC_REC);
261 p_db->mem_free -= sizeof(tSDP_DISC_REC);
262
263 p_rec->p_first_attr = NULL;
264 p_rec->p_next_rec = NULL;
265
266 p_rec->remote_bd_addr = bd_addr;
267
268 /* Add the record to the end of chain */
269 if (!p_db->p_first_rec)
270 p_db->p_first_rec = p_rec;
271 else {
272 tSDP_DISC_REC* p_rec1 = p_db->p_first_rec;
273
274 while (p_rec1->p_next_rec) p_rec1 = p_rec1->p_next_rec;
275
276 p_rec1->p_next_rec = p_rec;
277 }
278
279 return (p_rec);
280 }
281
282 #define SDP_ADDITIONAL_LIST_MASK 0x80
283 /*******************************************************************************
284 *
285 * Function add_attr
286 *
287 * Description This function allocates space for an attribute from the DB
288 * and copies the data into it.
289 *
290 * Returns pointer to next byte in data stream
291 *
292 ******************************************************************************/
add_attr(uint8_t * p,uint8_t * p_end,tSDP_DISCOVERY_DB * p_db,tSDP_DISC_REC * p_rec,uint16_t attr_id,tSDP_DISC_ATTR * p_parent_attr,uint8_t nest_level)293 static uint8_t* add_attr(uint8_t* p, uint8_t* p_end, tSDP_DISCOVERY_DB* p_db,
294 tSDP_DISC_REC* p_rec, uint16_t attr_id,
295 tSDP_DISC_ATTR* p_parent_attr, uint8_t nest_level) {
296 tSDP_DISC_ATTR* p_attr;
297 uint32_t attr_len;
298 uint32_t total_len;
299 uint16_t attr_type;
300 uint16_t id;
301 uint8_t type;
302 uint8_t* p_attr_end;
303 uint8_t is_additional_list = nest_level & SDP_ADDITIONAL_LIST_MASK;
304
305 nest_level &= ~(SDP_ADDITIONAL_LIST_MASK);
306
307 type = *p++;
308 p = sdpu_get_len_from_type(p, p_end, type, &attr_len);
309 if (p == NULL || (p + attr_len) > p_end) {
310 log::warn("bad length in attr_rsp");
311 return NULL;
312 }
313 attr_len &= SDP_DISC_ATTR_LEN_MASK;
314 attr_type = (type >> 3) & 0x0f;
315
316 /* See if there is enough space in the database */
317 if (attr_len > 4)
318 total_len = attr_len - 4 + (uint16_t)sizeof(tSDP_DISC_ATTR);
319 else
320 total_len = sizeof(tSDP_DISC_ATTR);
321
322 p_attr_end = p + attr_len;
323 if (p_attr_end > p_end) {
324 log::warn("SDP - Attribute length beyond p_end");
325 return NULL;
326 }
327
328 /* Ensure it is a multiple of 4 */
329 total_len = (total_len + 3) & ~3;
330
331 /* See if there is enough space in the database */
332 if (p_db->mem_free < total_len) return (NULL);
333
334 p_attr = (tSDP_DISC_ATTR*)p_db->p_free_mem;
335 p_attr->attr_id = attr_id;
336 p_attr->attr_len_type = (uint16_t)attr_len | (attr_type << 12);
337 p_attr->p_next_attr = NULL;
338
339 /* Store the attribute value */
340 switch (attr_type) {
341 case UINT_DESC_TYPE:
342 if ((is_additional_list != 0) && (attr_len == 2)) {
343 BE_STREAM_TO_UINT16(id, p);
344 if (id != ATTR_ID_PROTOCOL_DESC_LIST)
345 p -= 2;
346 else {
347 /* Reserve the memory for the attribute now, as we need to add
348 * sub-attributes */
349 p_db->p_free_mem += sizeof(tSDP_DISC_ATTR);
350 p_db->mem_free -= sizeof(tSDP_DISC_ATTR);
351 total_len = 0;
352
353 /* LOG_VERBOSE ("SDP - attr nest level:%d(list)", nest_level); */
354 if (nest_level >= MAX_NEST_LEVELS) {
355 log::error("SDP - attr nesting too deep");
356 return p_attr_end;
357 }
358
359 /* Now, add the list entry */
360 p = add_attr(p, p_end, p_db, p_rec, ATTR_ID_PROTOCOL_DESC_LIST,
361 p_attr, (uint8_t)(nest_level + 1));
362
363 break;
364 }
365 }
366 FALLTHROUGH_INTENDED; /* FALLTHROUGH */
367
368 case TWO_COMP_INT_DESC_TYPE:
369 switch (attr_len) {
370 case 1:
371 p_attr->attr_value.v.u8 = *p++;
372 break;
373 case 2:
374 BE_STREAM_TO_UINT16(p_attr->attr_value.v.u16, p);
375 break;
376 case 4:
377 BE_STREAM_TO_UINT32(p_attr->attr_value.v.u32, p);
378 break;
379 default:
380 BE_STREAM_TO_ARRAY(p, p_attr->attr_value.v.array, (int32_t)attr_len);
381 break;
382 }
383 break;
384
385 case UUID_DESC_TYPE:
386 switch (attr_len) {
387 case 2:
388 BE_STREAM_TO_UINT16(p_attr->attr_value.v.u16, p);
389 break;
390 case 4:
391 BE_STREAM_TO_UINT32(p_attr->attr_value.v.u32, p);
392 if (p_attr->attr_value.v.u32 < 0x10000) {
393 attr_len = 2;
394 p_attr->attr_len_type = (uint16_t)attr_len | (attr_type << 12);
395 p_attr->attr_value.v.u16 = (uint16_t)p_attr->attr_value.v.u32;
396 }
397 break;
398 case 16:
399 /* See if we can compress the UUID down to 16 or 32bit UUIDs */
400 if (sdpu_is_base_uuid(p)) {
401 if ((p[0] == 0) && (p[1] == 0)) {
402 p_attr->attr_len_type =
403 (p_attr->attr_len_type & ~SDP_DISC_ATTR_LEN_MASK) | 2;
404 p += 2;
405 BE_STREAM_TO_UINT16(p_attr->attr_value.v.u16, p);
406 p += Uuid::kNumBytes128 - 4;
407 } else {
408 p_attr->attr_len_type =
409 (p_attr->attr_len_type & ~SDP_DISC_ATTR_LEN_MASK) | 4;
410 BE_STREAM_TO_UINT32(p_attr->attr_value.v.u32, p);
411 p += Uuid::kNumBytes128 - 4;
412 }
413 } else {
414 BE_STREAM_TO_ARRAY(p, p_attr->attr_value.v.array,
415 (int32_t)attr_len);
416 }
417 break;
418 default:
419 log::warn("SDP - bad len in UUID attr: {}", attr_len);
420 return p_attr_end;
421 }
422 break;
423
424 case DATA_ELE_SEQ_DESC_TYPE:
425 case DATA_ELE_ALT_DESC_TYPE:
426 /* Reserve the memory for the attribute now, as we need to add
427 * sub-attributes */
428 p_db->p_free_mem += sizeof(tSDP_DISC_ATTR);
429 p_db->mem_free -= sizeof(tSDP_DISC_ATTR);
430 total_len = 0;
431
432 /* LOG_VERBOSE ("SDP - attr nest level:%d", nest_level); */
433 if (nest_level >= MAX_NEST_LEVELS) {
434 log::error("SDP - attr nesting too deep");
435 return p_attr_end;
436 }
437 if (is_additional_list != 0 ||
438 attr_id == ATTR_ID_ADDITION_PROTO_DESC_LISTS)
439 nest_level |= SDP_ADDITIONAL_LIST_MASK;
440 /* LOG_VERBOSE ("SDP - attr nest level:0x%x(finish)", nest_level); */
441
442 while (p < p_attr_end) {
443 /* Now, add the list entry */
444 p = add_attr(p, p_end, p_db, p_rec, 0, p_attr,
445 (uint8_t)(nest_level + 1));
446
447 if (!p) return (NULL);
448 }
449 break;
450
451 case TEXT_STR_DESC_TYPE:
452 case URL_DESC_TYPE:
453 BE_STREAM_TO_ARRAY(p, p_attr->attr_value.v.array, (int32_t)attr_len);
454 break;
455
456 case BOOLEAN_DESC_TYPE:
457 switch (attr_len) {
458 case 1:
459 p_attr->attr_value.v.u8 = *p++;
460 break;
461 default:
462 log::warn("SDP - bad len in boolean attr: {}", attr_len);
463 return p_attr_end;
464 }
465 break;
466
467 default: /* switch (attr_type) */
468 break;
469 }
470
471 p_db->p_free_mem += total_len;
472 p_db->mem_free -= total_len;
473
474 /* Add the attribute to the end of the chain */
475 if (!p_parent_attr) {
476 if (!p_rec->p_first_attr)
477 p_rec->p_first_attr = p_attr;
478 else {
479 tSDP_DISC_ATTR* p_attr1 = p_rec->p_first_attr;
480
481 while (p_attr1->p_next_attr) p_attr1 = p_attr1->p_next_attr;
482
483 p_attr1->p_next_attr = p_attr;
484 }
485 } else {
486 if (!p_parent_attr->attr_value.v.p_sub_attr) {
487 p_parent_attr->attr_value.v.p_sub_attr = p_attr;
488 /* LOG_VERBOSE ("parent:0x%x(id:%d), ch:0x%x(id:%d)",
489 p_parent_attr, p_parent_attr->attr_id, p_attr, p_attr->attr_id); */
490 } else {
491 tSDP_DISC_ATTR* p_attr1 = p_parent_attr->attr_value.v.p_sub_attr;
492 /* LOG_VERBOSE ("parent:0x%x(id:%d), ch1:0x%x(id:%d)",
493 p_parent_attr, p_parent_attr->attr_id, p_attr1, p_attr1->attr_id); */
494
495 while (p_attr1->p_next_attr) p_attr1 = p_attr1->p_next_attr;
496
497 p_attr1->p_next_attr = p_attr;
498 /* LOG_VERBOSE ("new ch:0x%x(id:%d)", p_attr, p_attr->attr_id); */
499 }
500 }
501
502 return (p);
503 }
504
505 /*******************************************************************************
506 *
507 * Function save_attr_seq
508 *
509 * Description This function is called when there is a response from
510 * the server.
511 *
512 * Returns pointer to next byte or NULL if error
513 *
514 ******************************************************************************/
save_attr_seq(tCONN_CB * p_ccb,uint8_t * p,uint8_t * p_msg_end)515 static uint8_t* save_attr_seq(tCONN_CB* p_ccb, uint8_t* p, uint8_t* p_msg_end) {
516 uint32_t seq_len, attr_len;
517 uint16_t attr_id;
518 uint8_t type, *p_seq_end;
519 tSDP_DISC_REC* p_rec;
520
521 type = *p++;
522
523 if ((type >> 3) != DATA_ELE_SEQ_DESC_TYPE) {
524 log::warn("SDP - Wrong type: 0x{:02x} in attr_rsp", type);
525 return (NULL);
526 }
527 p = sdpu_get_len_from_type(p, p_msg_end, type, &seq_len);
528 if (p == NULL || (p + seq_len) > p_msg_end) {
529 log::warn("SDP - Bad len in attr_rsp {}", seq_len);
530 return (NULL);
531 }
532
533 /* Create a record */
534 p_rec = add_record(p_ccb->p_db, p_ccb->device_address);
535 if (!p_rec) {
536 log::warn("SDP - DB full add_record");
537 return (NULL);
538 }
539
540 p_seq_end = p + seq_len;
541
542 while (p < p_seq_end) {
543 /* First get the attribute ID */
544 type = *p++;
545 p = sdpu_get_len_from_type(p, p_msg_end, type, &attr_len);
546 if (p == NULL || (p + attr_len) > p_seq_end) {
547 log::warn("Bad len in attr_rsp {}", attr_len);
548 return (NULL);
549 }
550 if (((type >> 3) != UINT_DESC_TYPE) || (attr_len != 2)) {
551 log::warn("SDP - Bad type: 0x{:02x} or len: {} in attr_rsp", type,
552 attr_len);
553 return (NULL);
554 }
555 BE_STREAM_TO_UINT16(attr_id, p);
556
557 /* Now, add the attribute value */
558 p = add_attr(p, p_seq_end, p_ccb->p_db, p_rec, attr_id, NULL, 0);
559
560 if (!p) {
561 log::warn("SDP - DB full add_attr");
562 return (NULL);
563 }
564 }
565
566 return (p);
567 }
568
569 /*******************************************************************************
570 *
571 * Function process_service_search_attr_rsp
572 *
573 * Description This function is called when there is a search attribute
574 * response from the server.
575 *
576 * Returns void
577 *
578 ******************************************************************************/
process_service_search_attr_rsp(tCONN_CB * p_ccb,uint8_t * p_reply,uint8_t * p_reply_end)579 static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
580 uint8_t* p_reply_end) {
581 uint8_t *p, *p_start, *p_end, *p_param_len;
582 uint8_t type;
583 uint32_t seq_len;
584 uint16_t param_len, lists_byte_count = 0;
585 bool cont_request_needed = false;
586
587 /* If p_reply is NULL, we were called for the initial read */
588 if (p_reply) {
589 if (p_reply + 4 /* transaction ID and length */ + sizeof(lists_byte_count) >
590 p_reply_end) {
591 sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
592 return;
593 }
594
595 /* Skip transaction ID and length */
596 p_reply += 4;
597
598 BE_STREAM_TO_UINT16(lists_byte_count, p_reply);
599
600 /* Copy the response to the scratchpad. First, a safety check on the length
601 */
602 if ((p_ccb->list_len + lists_byte_count) > SDP_MAX_LIST_BYTE_COUNT) {
603 sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
604 return;
605 }
606
607 if (p_reply + lists_byte_count + 1 /* continuation */ > p_reply_end) {
608 sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
609 return;
610 }
611
612 if (p_ccb->rsp_list == NULL)
613 p_ccb->rsp_list = (uint8_t*)osi_malloc(SDP_MAX_LIST_BYTE_COUNT);
614 memcpy(&p_ccb->rsp_list[p_ccb->list_len], p_reply, lists_byte_count);
615 p_ccb->list_len += lists_byte_count;
616 p_reply += lists_byte_count;
617 if (*p_reply) {
618 if (*p_reply > SDP_MAX_CONTINUATION_LEN) {
619 sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE);
620 return;
621 }
622
623 cont_request_needed = true;
624 }
625 }
626
627 /* If continuation request (or first time request) */
628 if ((cont_request_needed) || (!p_reply)) {
629 BT_HDR* p_msg = (BT_HDR*)osi_malloc(SDP_DATA_BUF_SIZE);
630 uint8_t* p;
631 uint16_t bytes_left = SDP_DATA_BUF_SIZE;
632
633 p_msg->offset = L2CAP_MIN_OFFSET;
634 p = p_start = (uint8_t*)(p_msg + 1) + L2CAP_MIN_OFFSET;
635
636 /* Build a service search request packet */
637 UINT8_TO_BE_STREAM(p, SDP_PDU_SERVICE_SEARCH_ATTR_REQ);
638 UINT16_TO_BE_STREAM(p, p_ccb->transaction_id);
639 p_ccb->transaction_id++;
640
641 /* Skip the length, we need to add it at the end */
642 p_param_len = p;
643 p += 2;
644
645 /* Account for header size, max service record count and
646 * continuation state */
647 const uint16_t base_bytes = (sizeof(BT_HDR) + L2CAP_MIN_OFFSET +
648 3u + /* service search request header */
649 2u + /* param len */
650 3u + /* max service record count */
651 ((p_reply) ? (*p_reply) : 0));
652
653 if (base_bytes > bytes_left) {
654 sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE);
655 return;
656 }
657
658 bytes_left -= base_bytes;
659
660 /* Build the UID sequence. */
661 p = sdpu_build_uuid_seq(p, p_ccb->p_db->num_uuid_filters,
662 p_ccb->p_db->uuid_filters, bytes_left);
663
664 /* Max attribute byte count */
665 UINT16_TO_BE_STREAM(p, sdp_cb.max_attr_list_size);
666
667 /* If no attribute filters, build a wildcard attribute sequence */
668 if (p_ccb->p_db->num_attr_filters)
669 p = sdpu_build_attrib_seq(p, p_ccb->p_db->attr_filters,
670 p_ccb->p_db->num_attr_filters);
671 else
672 p = sdpu_build_attrib_seq(p, NULL, 0);
673
674 /* No continuation for first request */
675 if (p_reply) {
676 if ((p_reply + *p_reply + 1) <= p_reply_end) {
677 memcpy(p, p_reply, *p_reply + 1);
678 p += *p_reply + 1;
679 }
680 } else
681 UINT8_TO_BE_STREAM(p, 0);
682
683 /* Go back and put the parameter length into the buffer */
684 param_len = p - p_param_len - 2;
685 UINT16_TO_BE_STREAM(p_param_len, param_len);
686
687 /* Set the length of the SDP data in the buffer */
688 p_msg->len = p - p_start;
689
690 if (L2CA_DataWrite(p_ccb->connection_id, p_msg) != L2CAP_DW_SUCCESS) {
691 log::warn("Unable to write L2CAP data peer:{} cid:{} len:{}",
692 p_ccb->device_address, p_ccb->connection_id, p_msg->len);
693 }
694
695 /* Start inactivity timer */
696 alarm_set_on_mloop(p_ccb->sdp_conn_timer, SDP_INACT_TIMEOUT_MS,
697 sdp_conn_timer_timeout, p_ccb);
698
699 return;
700 }
701
702 /*******************************************************************/
703 /* We now have the full response, which is a sequence of sequences */
704 /*******************************************************************/
705
706 if (!sdp_copy_raw_data(p_ccb, true)) {
707 log::error("sdp_copy_raw_data failed");
708 sdp_disconnect(p_ccb, SDP_ILLEGAL_PARAMETER);
709 return;
710 }
711
712 p = &p_ccb->rsp_list[0];
713
714 /* The contents is a sequence of attribute sequences */
715 type = *p++;
716
717 if ((type >> 3) != DATA_ELE_SEQ_DESC_TYPE) {
718 log::warn("Wrong element in attr_rsp type:0x{:02x}", type);
719 sdp_disconnect(p_ccb, SDP_ILLEGAL_PARAMETER);
720 return;
721 }
722 p = sdpu_get_len_from_type(p, p + p_ccb->list_len, type, &seq_len);
723 if (p == NULL || (p + seq_len) > (p + p_ccb->list_len)) {
724 log::warn("Illegal search attribute length");
725 sdp_disconnect(p_ccb, SDP_ILLEGAL_PARAMETER);
726 return;
727 }
728 p_end = &p_ccb->rsp_list[p_ccb->list_len];
729
730 if ((p + seq_len) != p_end) {
731 sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE);
732 return;
733 }
734
735 while (p < p_end) {
736 p = save_attr_seq(p_ccb, p, &p_ccb->rsp_list[p_ccb->list_len]);
737 if (!p) {
738 sdp_disconnect(p_ccb, SDP_DB_FULL);
739 return;
740 }
741 }
742
743 /* Since we got everything we need, disconnect the call */
744 sdpu_log_attribute_metrics(p_ccb->device_address, p_ccb->p_db);
745 sdp_disconnect(p_ccb, SDP_SUCCESS);
746 }
747
748 /*******************************************************************************
749 *
750 * Function process_service_attr_rsp
751 *
752 * Description This function is called when there is a attribute response
753 * from the server.
754 *
755 * Returns void
756 *
757 ******************************************************************************/
process_service_attr_rsp(tCONN_CB * p_ccb,uint8_t * p_reply,uint8_t * p_reply_end)758 static void process_service_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
759 uint8_t* p_reply_end) {
760 uint8_t *p_start, *p_param_len;
761 uint16_t param_len, list_byte_count;
762 bool cont_request_needed = false;
763
764 /* If p_reply is NULL, we were called after the records handles were read */
765 if (p_reply) {
766 if (p_reply + 4 /* transaction ID and length */ + sizeof(list_byte_count) >
767 p_reply_end) {
768 sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
769 return;
770 }
771
772 /* Skip transaction ID and length */
773 p_reply += 4;
774
775 BE_STREAM_TO_UINT16(list_byte_count, p_reply);
776
777 /* Copy the response to the scratchpad. First, a safety check on the length
778 */
779 if ((p_ccb->list_len + list_byte_count) > SDP_MAX_LIST_BYTE_COUNT) {
780 sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
781 return;
782 }
783
784 if (p_reply + list_byte_count + 1 /* continuation */ > p_reply_end) {
785 sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
786 return;
787 }
788
789 if (p_ccb->rsp_list == NULL)
790 p_ccb->rsp_list = (uint8_t*)osi_malloc(SDP_MAX_LIST_BYTE_COUNT);
791 memcpy(&p_ccb->rsp_list[p_ccb->list_len], p_reply, list_byte_count);
792 p_ccb->list_len += list_byte_count;
793 p_reply += list_byte_count;
794 if (*p_reply) {
795 if (*p_reply > SDP_MAX_CONTINUATION_LEN) {
796 sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE);
797 return;
798 }
799 cont_request_needed = true;
800 } else {
801 log::warn("process_service_attr_rsp");
802 if (!sdp_copy_raw_data(p_ccb, false)) {
803 log::error("sdp_copy_raw_data failed");
804 sdp_disconnect(p_ccb, SDP_ILLEGAL_PARAMETER);
805 return;
806 }
807
808 /* Save the response in the database. Stop on any error */
809 if (!save_attr_seq(p_ccb, &p_ccb->rsp_list[0],
810 &p_ccb->rsp_list[p_ccb->list_len])) {
811 sdp_disconnect(p_ccb, SDP_DB_FULL);
812 return;
813 }
814 p_ccb->list_len = 0;
815 p_ccb->cur_handle++;
816 }
817 }
818
819 /* Now, ask for the next handle. Re-use the buffer we just got. */
820 if (p_ccb->cur_handle < p_ccb->num_handles) {
821 BT_HDR* p_msg = (BT_HDR*)osi_malloc(SDP_DATA_BUF_SIZE);
822 uint8_t* p;
823
824 p_msg->offset = L2CAP_MIN_OFFSET;
825 p = p_start = (uint8_t*)(p_msg + 1) + L2CAP_MIN_OFFSET;
826
827 /* Get all the attributes from the server */
828 UINT8_TO_BE_STREAM(p, SDP_PDU_SERVICE_ATTR_REQ);
829 UINT16_TO_BE_STREAM(p, p_ccb->transaction_id);
830 p_ccb->transaction_id++;
831
832 /* Skip the length, we need to add it at the end */
833 p_param_len = p;
834 p += 2;
835
836 UINT32_TO_BE_STREAM(p, p_ccb->handles[p_ccb->cur_handle]);
837
838 /* Max attribute byte count */
839 UINT16_TO_BE_STREAM(p, sdp_cb.max_attr_list_size);
840
841 /* If no attribute filters, build a wildcard attribute sequence */
842 if (p_ccb->p_db->num_attr_filters)
843 p = sdpu_build_attrib_seq(p, p_ccb->p_db->attr_filters,
844 p_ccb->p_db->num_attr_filters);
845 else
846 p = sdpu_build_attrib_seq(p, NULL, 0);
847
848 /* Was this a continuation request ? */
849 if (cont_request_needed) {
850 if ((p_reply + *p_reply + 1) <= p_reply_end) {
851 memcpy(p, p_reply, *p_reply + 1);
852 p += *p_reply + 1;
853 }
854 } else
855 UINT8_TO_BE_STREAM(p, 0);
856
857 /* Go back and put the parameter length into the buffer */
858 param_len = (uint16_t)(p - p_param_len - 2);
859 UINT16_TO_BE_STREAM(p_param_len, param_len);
860
861 /* Set the length of the SDP data in the buffer */
862 p_msg->len = (uint16_t)(p - p_start);
863
864 if (L2CA_DataWrite(p_ccb->connection_id, p_msg) != L2CAP_DW_SUCCESS) {
865 log::warn("Unable to write L2CAP data peer:{} cid:{} len:{}",
866 p_ccb->device_address, p_ccb->connection_id, p_msg->len);
867 }
868
869 /* Start inactivity timer */
870 alarm_set_on_mloop(p_ccb->sdp_conn_timer, SDP_INACT_TIMEOUT_MS,
871 sdp_conn_timer_timeout, p_ccb);
872 } else {
873 sdpu_log_attribute_metrics(p_ccb->device_address, p_ccb->p_db);
874 sdp_disconnect(p_ccb, SDP_SUCCESS);
875 return;
876 }
877 }
878
879 /******************************************************************************
880 *
881 * Function process_service_search_rsp
882 *
883 * Description This function is called when there is a search response from
884 * the server.
885 *
886 * Returns void
887 *
888 ******************************************************************************/
process_service_search_rsp(tCONN_CB * p_ccb,uint8_t * p_reply,uint8_t * p_reply_end)889 static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
890 uint8_t* p_reply_end) {
891 uint16_t xx;
892 uint16_t total, cur_handles, orig;
893 uint8_t cont_len;
894
895 if (p_reply + 8 > p_reply_end) {
896 sdp_disconnect(p_ccb, SDP_GENERIC_ERROR);
897 return;
898 }
899 /* Skip transaction, and param len */
900 p_reply += 4;
901 BE_STREAM_TO_UINT16(total, p_reply);
902 BE_STREAM_TO_UINT16(cur_handles, p_reply);
903
904 orig = p_ccb->num_handles;
905 p_ccb->num_handles += cur_handles;
906 if (p_ccb->num_handles == 0 || p_ccb->num_handles < orig) {
907 log::warn("SDP - Rcvd ServiceSearchRsp, no matches");
908 sdp_disconnect(p_ccb, SDP_NO_RECS_MATCH);
909 return;
910 }
911
912 /* Save the handles that match. We will can only process a certain number. */
913 if (total > sdp_cb.max_recs_per_search) total = sdp_cb.max_recs_per_search;
914 if (p_ccb->num_handles > sdp_cb.max_recs_per_search)
915 p_ccb->num_handles = sdp_cb.max_recs_per_search;
916
917 if (p_reply + ((p_ccb->num_handles - orig) * 4) + 1 > p_reply_end) {
918 sdp_disconnect(p_ccb, SDP_GENERIC_ERROR);
919 return;
920 }
921
922 for (xx = orig; xx < p_ccb->num_handles; xx++)
923 BE_STREAM_TO_UINT32(p_ccb->handles[xx], p_reply);
924
925 BE_STREAM_TO_UINT8(cont_len, p_reply);
926 if (cont_len != 0) {
927 if (cont_len > SDP_MAX_CONTINUATION_LEN) {
928 sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE);
929 return;
930 }
931 if (p_reply + cont_len > p_reply_end) {
932 sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE);
933 return;
934 }
935 /* stay in the same state */
936 sdp_snd_service_search_req(p_ccb, cont_len, p_reply);
937 } else {
938 /* change state */
939 p_ccb->disc_state = SDP_DISC_WAIT_ATTR;
940
941 /* Kick off the first attribute request */
942 process_service_attr_rsp(p_ccb, NULL, NULL);
943 }
944 }
945
946 /*******************************************************************************
947 *
948 * Function sdp_disc_connected
949 *
950 * Description This function is called when an SDP discovery attempt is
951 * connected.
952 *
953 * Returns void
954 *
955 ******************************************************************************/
sdp_disc_connected(tCONN_CB * p_ccb)956 void sdp_disc_connected(tCONN_CB* p_ccb) {
957 if (p_ccb->is_attr_search) {
958 p_ccb->disc_state = SDP_DISC_WAIT_SEARCH_ATTR;
959
960 process_service_search_attr_rsp(p_ccb, NULL, NULL);
961 } else {
962 /* First step is to get a list of the handles from the server. */
963 /* We are not searching for a specific attribute, so we will */
964 /* first search for the service, then get all attributes of it */
965
966 p_ccb->num_handles = 0;
967 sdp_snd_service_search_req(p_ccb, 0, NULL);
968 }
969 }
970
971 /*******************************************************************************
972 *
973 * Function sdp_disc_server_rsp
974 *
975 * Description This function is called when there is a response from
976 * the server.
977 *
978 * Returns void
979 *
980 ******************************************************************************/
sdp_disc_server_rsp(tCONN_CB * p_ccb,BT_HDR * p_msg)981 void sdp_disc_server_rsp(tCONN_CB* p_ccb, BT_HDR* p_msg) {
982 uint8_t *p, rsp_pdu;
983 bool invalid_pdu = true;
984
985 /* stop inactivity timer when we receive a response */
986 alarm_cancel(p_ccb->sdp_conn_timer);
987
988 /* Got a reply!! Check what we got back */
989 p = (uint8_t*)(p_msg + 1) + p_msg->offset;
990 uint8_t* p_end = p + p_msg->len;
991
992 if (p_msg->len < 1) {
993 sdp_disconnect(p_ccb, SDP_GENERIC_ERROR);
994 return;
995 }
996
997 BE_STREAM_TO_UINT8(rsp_pdu, p);
998
999 p_msg->len--;
1000
1001 switch (rsp_pdu) {
1002 case SDP_PDU_SERVICE_SEARCH_RSP:
1003 if (p_ccb->disc_state == SDP_DISC_WAIT_HANDLES) {
1004 process_service_search_rsp(p_ccb, p, p_end);
1005 invalid_pdu = false;
1006 }
1007 break;
1008
1009 case SDP_PDU_SERVICE_ATTR_RSP:
1010 if (p_ccb->disc_state == SDP_DISC_WAIT_ATTR) {
1011 process_service_attr_rsp(p_ccb, p, p_end);
1012 invalid_pdu = false;
1013 }
1014 break;
1015
1016 case SDP_PDU_SERVICE_SEARCH_ATTR_RSP:
1017 if (p_ccb->disc_state == SDP_DISC_WAIT_SEARCH_ATTR) {
1018 process_service_search_attr_rsp(p_ccb, p, p_end);
1019 invalid_pdu = false;
1020 }
1021 break;
1022 }
1023
1024 if (invalid_pdu) {
1025 log::warn("SDP - Unexp. PDU: {} in state: {}", rsp_pdu, p_ccb->disc_state);
1026 sdp_disconnect(p_ccb, SDP_GENERIC_ERROR);
1027 }
1028 }
1029