1 /******************************************************************************
2 *
3 * Copyright (C) 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains the main L2CAP entry points
22 *
23 ******************************************************************************/
24
25 #include <stdlib.h>
26 #include <string.h>
27 #include <stdio.h>
28
29 #include "device/include/controller.h"
30 #include "btcore/include/counter.h"
31 #include "bt_target.h"
32 #include "btm_int.h"
33 #include "btu.h"
34 #include "gki.h"
35 #include "hcimsgs.h"
36 #include "l2c_api.h"
37 #include "l2c_int.h"
38 #include "l2cdefs.h"
39 #include "osi/include/log.h"
40
41 /********************************************************************************/
42 /* L O C A L F U N C T I O N P R O T O T Y P E S */
43 /********************************************************************************/
44 static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len);
45
46 /********************************************************************************/
47 /* G L O B A L L 2 C A P D A T A */
48 /********************************************************************************/
49 #if L2C_DYNAMIC_MEMORY == FALSE
50 tL2C_CB l2cb;
51 #endif
52
53 /*******************************************************************************
54 **
55 ** Function l2c_bcst_msg
56 **
57 ** Description
58 **
59 ** Returns void
60 **
61 *******************************************************************************/
l2c_bcst_msg(BT_HDR * p_buf,UINT16 psm)62 void l2c_bcst_msg( BT_HDR *p_buf, UINT16 psm )
63 {
64 UINT8 *p;
65
66 /* Ensure we have enough space in the buffer for the L2CAP and HCI headers */
67 if (p_buf->offset < L2CAP_BCST_MIN_OFFSET)
68 {
69 L2CAP_TRACE_ERROR ("L2CAP - cannot send buffer, offset: %d", p_buf->offset);
70 GKI_freebuf (p_buf);
71 return;
72 }
73
74 /* Step back some bytes to add the headers */
75 p_buf->offset -= (HCI_DATA_PREAMBLE_SIZE + L2CAP_PKT_OVERHEAD + L2CAP_BCST_OVERHEAD);
76 p_buf->len += L2CAP_PKT_OVERHEAD + L2CAP_BCST_OVERHEAD;
77
78 /* Set the pointer to the beginning of the data */
79 p = (UINT8 *)(p_buf + 1) + p_buf->offset;
80
81 /* First, the HCI transport header */
82 UINT16_TO_STREAM (p, 0x0050 | (L2CAP_PKT_START << 12) | (2 << 14));
83
84 uint16_t acl_data_size = controller_get_interface()->get_acl_data_size_classic();
85 /* The HCI transport will segment the buffers. */
86 if (p_buf->len > acl_data_size)
87 {
88 UINT16_TO_STREAM (p, acl_data_size);
89 }
90 else
91 {
92 UINT16_TO_STREAM (p, p_buf->len);
93 }
94
95 /* Now the L2CAP header */
96 UINT16_TO_STREAM (p, p_buf->len - L2CAP_PKT_OVERHEAD);
97 UINT16_TO_STREAM (p, L2CAP_CONNECTIONLESS_CID);
98 UINT16_TO_STREAM (p, psm);
99
100 p_buf->len += HCI_DATA_PREAMBLE_SIZE;
101
102 if (p_buf->len <= controller_get_interface()->get_acl_packet_size_classic())
103 {
104 counter_add("l2cap.ch2.tx.bytes", p_buf->len);
105 counter_add("l2cap.ch2.tx.pkts", 1);
106
107 bte_main_hci_send(p_buf, BT_EVT_TO_LM_HCI_ACL);
108 }
109 }
110
111
112 /*******************************************************************************
113 **
114 ** Function l2c_rcv_acl_data
115 **
116 ** Description This function is called from the HCI Interface when an ACL
117 ** data packet is received.
118 **
119 ** Returns void
120 **
121 *******************************************************************************/
l2c_rcv_acl_data(BT_HDR * p_msg)122 void l2c_rcv_acl_data (BT_HDR *p_msg)
123 {
124 UINT8 *p = (UINT8 *)(p_msg + 1) + p_msg->offset;
125 UINT16 handle, hci_len;
126 UINT8 pkt_type;
127 tL2C_LCB *p_lcb;
128 tL2C_CCB *p_ccb = NULL;
129 UINT16 l2cap_len, rcv_cid, psm;
130
131 /* Extract the handle */
132 STREAM_TO_UINT16 (handle, p);
133 pkt_type = HCID_GET_EVENT (handle);
134 handle = HCID_GET_HANDLE (handle);
135
136 /* Since the HCI Transport is putting segmented packets back together, we */
137 /* should never get a valid packet with the type set to "continuation" */
138 if (pkt_type != L2CAP_PKT_CONTINUE)
139 {
140 /* Find the LCB based on the handle */
141 if ((p_lcb = l2cu_find_lcb_by_handle (handle)) == NULL)
142 {
143 UINT8 cmd_code;
144
145 /* There is a slight possibility (specifically with USB) that we get an */
146 /* L2CAP connection request before we get the HCI connection complete. */
147 /* So for these types of messages, hold them for up to 2 seconds. */
148 STREAM_TO_UINT16 (hci_len, p);
149 STREAM_TO_UINT16 (l2cap_len, p);
150 STREAM_TO_UINT16 (rcv_cid, p);
151 STREAM_TO_UINT8 (cmd_code, p);
152
153 if ((p_msg->layer_specific == 0) && (rcv_cid == L2CAP_SIGNALLING_CID)
154 && (cmd_code == L2CAP_CMD_INFO_REQ || cmd_code == L2CAP_CMD_CONN_REQ)) {
155 L2CAP_TRACE_WARNING ("L2CAP - holding ACL for unknown handle:%d ls:%d"
156 " cid:%d opcode:%d cur count:%d", handle, p_msg->layer_specific,
157 rcv_cid, cmd_code, list_length(l2cb.rcv_pending_q));
158 p_msg->layer_specific = 2;
159 list_append(l2cb.rcv_pending_q, p_msg);
160
161 if (list_length(l2cb.rcv_pending_q) == 1)
162 btu_start_timer (&l2cb.rcv_hold_tle, BTU_TTYPE_L2CAP_HOLD, BT_1SEC_TIMEOUT);
163
164 return;
165 } else {
166 L2CAP_TRACE_ERROR ("L2CAP - rcvd ACL for unknown handle:%d ls:%d cid:%d"
167 " opcode:%d cur count:%d", handle, p_msg->layer_specific, rcv_cid,
168 cmd_code, list_length(l2cb.rcv_pending_q));
169 }
170 GKI_freebuf (p_msg);
171 return;
172 }
173 }
174 else
175 {
176 L2CAP_TRACE_WARNING ("L2CAP - expected pkt start or complete, got: %d", pkt_type);
177 GKI_freebuf (p_msg);
178 return;
179 }
180
181 /* Extract the length and update the buffer header */
182 STREAM_TO_UINT16 (hci_len, p);
183 p_msg->offset += 4;
184
185 /* Extract the length and CID */
186 STREAM_TO_UINT16 (l2cap_len, p);
187 STREAM_TO_UINT16 (rcv_cid, p);
188
189 #if BLE_INCLUDED == TRUE
190 /* for BLE channel, always notify connection when ACL data received on the link */
191 if (p_lcb && p_lcb->transport == BT_TRANSPORT_LE && p_lcb->link_state != LST_DISCONNECTING)
192 /* only process fixed channel data as channel open indication when link is not in disconnecting mode */
193 l2cble_notify_le_connection(p_lcb->remote_bd_addr);
194 #endif
195
196 /* Find the CCB for this CID */
197 if (rcv_cid >= L2CAP_BASE_APPL_CID)
198 {
199 if ((p_ccb = l2cu_find_ccb_by_cid (p_lcb, rcv_cid)) == NULL)
200 {
201 L2CAP_TRACE_WARNING ("L2CAP - unknown CID: 0x%04x", rcv_cid);
202 GKI_freebuf (p_msg);
203 return;
204 }
205 }
206
207 if (hci_len >= L2CAP_PKT_OVERHEAD) /* Must receive at least the L2CAP length and CID.*/
208 {
209 p_msg->len = hci_len - L2CAP_PKT_OVERHEAD;
210 p_msg->offset += L2CAP_PKT_OVERHEAD;
211 }
212 else
213 {
214 L2CAP_TRACE_WARNING ("L2CAP - got incorrect hci header" );
215 GKI_freebuf (p_msg);
216 return;
217 }
218
219 if (l2cap_len != p_msg->len)
220 {
221 L2CAP_TRACE_WARNING ("L2CAP - bad length in pkt. Exp: %d Act: %d",
222 l2cap_len, p_msg->len);
223
224 GKI_freebuf (p_msg);
225 return;
226 }
227
228 /* Send the data through the channel state machine */
229 if (rcv_cid == L2CAP_SIGNALLING_CID)
230 {
231 counter_add("l2cap.sig.rx.bytes", l2cap_len);
232 counter_add("l2cap.sig.rx.pkts", 1);
233 process_l2cap_cmd (p_lcb, p, l2cap_len);
234 GKI_freebuf (p_msg);
235 }
236 else if (rcv_cid == L2CAP_CONNECTIONLESS_CID)
237 {
238 counter_add("l2cap.ch2.rx.bytes", l2cap_len);
239 counter_add("l2cap.ch2.rx.pkts", 1);
240 /* process_connectionless_data (p_lcb); */
241 STREAM_TO_UINT16 (psm, p);
242 L2CAP_TRACE_DEBUG( "GOT CONNECTIONLESS DATA PSM:%d", psm ) ;
243
244 #if (L2CAP_UCD_INCLUDED == TRUE)
245 /* if it is not broadcast, check UCD registration */
246 if ( l2c_ucd_check_rx_pkts( p_lcb, p_msg ) )
247 {
248 /* nothing to do */
249 }
250 else
251 #endif
252 GKI_freebuf (p_msg);
253 }
254 #if (BLE_INCLUDED == TRUE)
255 else if (rcv_cid == L2CAP_BLE_SIGNALLING_CID)
256 {
257 counter_add("l2cap.ble.rx.bytes", l2cap_len);
258 counter_add("l2cap.ble.rx.pkts", 1);
259 l2cble_process_sig_cmd (p_lcb, p, l2cap_len);
260 GKI_freebuf (p_msg);
261 }
262 #endif
263 #if (L2CAP_NUM_FIXED_CHNLS > 0)
264 else if ((rcv_cid >= L2CAP_FIRST_FIXED_CHNL) && (rcv_cid <= L2CAP_LAST_FIXED_CHNL) &&
265 (l2cb.fixed_reg[rcv_cid - L2CAP_FIRST_FIXED_CHNL].pL2CA_FixedData_Cb != NULL) )
266 {
267 counter_add("l2cap.fix.rx.bytes", l2cap_len);
268 counter_add("l2cap.fix.rx.pkts", 1);
269 /* If no CCB for this channel, allocate one */
270 if (p_lcb &&
271 /* only process fixed channel data when link is open or wait for data indication */
272 (p_lcb->link_state != LST_DISCONNECTING) &&
273 l2cu_initialize_fixed_ccb (p_lcb, rcv_cid, &l2cb.fixed_reg[rcv_cid - L2CAP_FIRST_FIXED_CHNL].fixed_chnl_opts))
274 {
275 p_ccb = p_lcb->p_fixed_ccbs[rcv_cid - L2CAP_FIRST_FIXED_CHNL];
276
277 if (p_ccb->peer_cfg.fcr.mode != L2CAP_FCR_BASIC_MODE)
278 l2c_fcr_proc_pdu (p_ccb, p_msg);
279 else
280 (*l2cb.fixed_reg[rcv_cid - L2CAP_FIRST_FIXED_CHNL].pL2CA_FixedData_Cb)
281 (rcv_cid, p_lcb->remote_bd_addr, p_msg);
282 }
283 else
284 GKI_freebuf (p_msg);
285 }
286 #endif
287
288 else
289 {
290 counter_add("l2cap.dyn.rx.bytes", l2cap_len);
291 counter_add("l2cap.dyn.rx.pkts", 1);
292 if (p_ccb == NULL)
293 GKI_freebuf (p_msg);
294 else
295 {
296 /* Basic mode packets go straight to the state machine */
297 if (p_ccb->peer_cfg.fcr.mode == L2CAP_FCR_BASIC_MODE)
298 l2c_csm_execute (p_ccb, L2CEVT_L2CAP_DATA, p_msg);
299 else
300 {
301 /* eRTM or streaming mode, so we need to validate states first */
302 if ((p_ccb->chnl_state == CST_OPEN) || (p_ccb->chnl_state == CST_CONFIG))
303 l2c_fcr_proc_pdu (p_ccb, p_msg);
304 else
305 GKI_freebuf (p_msg);
306 }
307 }
308 }
309 }
310
311 /*******************************************************************************
312 **
313 ** Function process_l2cap_cmd
314 **
315 ** Description This function is called when a packet is received on the
316 ** L2CAP signalling CID
317 **
318 ** Returns void
319 **
320 *******************************************************************************/
process_l2cap_cmd(tL2C_LCB * p_lcb,UINT8 * p,UINT16 pkt_len)321 static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
322 {
323 UINT8 *p_pkt_end, *p_next_cmd, *p_cfg_end, *p_cfg_start;
324 UINT8 cmd_code, cfg_code, cfg_len, id;
325 tL2C_CONN_INFO con_info;
326 tL2CAP_CFG_INFO cfg_info;
327 UINT16 rej_reason, rej_mtu, lcid, rcid, info_type;
328 tL2C_CCB *p_ccb;
329 tL2C_RCB *p_rcb;
330 BOOLEAN cfg_rej, pkt_size_rej = FALSE;
331 UINT16 cfg_rej_len, cmd_len;
332 UINT16 result;
333 tL2C_CONN_INFO ci;
334
335 #if (defined BLE_INCLUDED && BLE_INCLUDED == TRUE)
336 /* if l2cap command received in CID 1 on top of an LE link, ignore this command */
337 if (p_lcb->transport == BT_TRANSPORT_LE)
338 return;
339 #endif
340
341 /* Reject the packet if it exceeds the default Signalling Channel MTU */
342 if (pkt_len > L2CAP_DEFAULT_MTU)
343 {
344 /* Core Spec requires a single response to the first command found in a multi-command
345 ** L2cap packet. If only responses in the packet, then it will be ignored.
346 ** Here we simply mark the bad packet and decide which cmd ID to reject later
347 */
348 pkt_size_rej = TRUE;
349 L2CAP_TRACE_ERROR ("L2CAP SIG MTU Pkt Len Exceeded (672) -> pkt_len: %d", pkt_len);
350 }
351
352 p_next_cmd = p;
353 p_pkt_end = p + pkt_len;
354
355 memset (&cfg_info, 0, sizeof(cfg_info));
356
357 /* An L2CAP packet may contain multiple commands */
358 while (TRUE)
359 {
360 /* Smallest command is 4 bytes */
361 if ((p = p_next_cmd) > (p_pkt_end - 4))
362 break;
363
364 STREAM_TO_UINT8 (cmd_code, p);
365 STREAM_TO_UINT8 (id, p);
366 STREAM_TO_UINT16 (cmd_len, p);
367
368 /* Check command length does not exceed packet length */
369 if ((p_next_cmd = p + cmd_len) > p_pkt_end)
370 {
371 L2CAP_TRACE_WARNING ("Command len bad pkt_len: %d cmd_len: %d code: %d",
372 pkt_len, cmd_len, cmd_code);
373 break;
374 }
375
376 L2CAP_TRACE_DEBUG ("cmd_code: %d, id:%d, cmd_len:%d", cmd_code, id, cmd_len);
377
378 /* Bad L2CAP packet length, look or cmd to reject */
379 if (pkt_size_rej)
380 {
381 /* If command found rejected it and we're done, otherwise keep looking */
382 if (l2c_is_cmd_rejected(cmd_code, id, p_lcb))
383 return;
384 else
385 continue; /* Look for next cmd/response in current packet */
386 }
387
388 switch (cmd_code)
389 {
390 case L2CAP_CMD_REJECT:
391 STREAM_TO_UINT16 (rej_reason, p);
392 if (rej_reason == L2CAP_CMD_REJ_MTU_EXCEEDED)
393 {
394 STREAM_TO_UINT16 (rej_mtu, p);
395 /* What to do with the MTU reject ? We have negotiated an MTU. For now */
396 /* we will ignore it and let a higher protocol timeout take care of it */
397
398 L2CAP_TRACE_WARNING ("L2CAP - MTU rej Handle: %d MTU: %d", p_lcb->handle, rej_mtu);
399 }
400 if (rej_reason == L2CAP_CMD_REJ_INVALID_CID)
401 {
402 STREAM_TO_UINT16 (rcid, p);
403 STREAM_TO_UINT16 (lcid, p);
404
405 L2CAP_TRACE_WARNING ("L2CAP - rej with CID invalid, LCID: 0x%04x RCID: 0x%04x", lcid, rcid);
406
407 /* Remote CID invalid. Treat as a disconnect */
408 if (((p_ccb = l2cu_find_ccb_by_cid (p_lcb, lcid)) != NULL)
409 && (p_ccb->remote_cid == rcid))
410 {
411 /* Fake link disconnect - no reply is generated */
412 l2c_csm_execute (p_ccb, L2CEVT_LP_DISCONNECT_IND, NULL);
413 }
414 }
415
416 /* SonyEricsson Info request Bug workaround (Continue connection) */
417 else if (rej_reason == L2CAP_CMD_REJ_NOT_UNDERSTOOD && p_lcb->w4_info_rsp)
418 {
419 btu_stop_timer (&p_lcb->info_timer_entry);
420
421 p_lcb->w4_info_rsp = FALSE;
422 ci.status = HCI_SUCCESS;
423 memcpy (ci.bd_addr, p_lcb->remote_bd_addr, sizeof(BD_ADDR));
424
425 /* For all channels, send the event through their FSMs */
426 for (p_ccb = p_lcb->ccb_queue.p_first_ccb; p_ccb; p_ccb = p_ccb->p_next_ccb)
427 {
428 l2c_csm_execute (p_ccb, L2CEVT_L2CAP_INFO_RSP, &ci);
429 }
430 }
431 break;
432
433 case L2CAP_CMD_CONN_REQ:
434 STREAM_TO_UINT16 (con_info.psm, p);
435 STREAM_TO_UINT16 (rcid, p);
436 if ((p_rcb = l2cu_find_rcb_by_psm (con_info.psm)) == NULL)
437 {
438 L2CAP_TRACE_WARNING ("L2CAP - rcvd conn req for unknown PSM: %d", con_info.psm);
439 l2cu_reject_connection (p_lcb, rcid, id, L2CAP_CONN_NO_PSM);
440 break;
441 }
442 else
443 {
444 if (!p_rcb->api.pL2CA_ConnectInd_Cb)
445 {
446 L2CAP_TRACE_WARNING ("L2CAP - rcvd conn req for outgoing-only connection PSM: %d", con_info.psm);
447 l2cu_reject_connection (p_lcb, rcid, id, L2CAP_CONN_NO_PSM);
448 break;
449 }
450 }
451 if ((p_ccb = l2cu_allocate_ccb (p_lcb, 0)) == NULL)
452 {
453 L2CAP_TRACE_ERROR ("L2CAP - unable to allocate CCB");
454 l2cu_reject_connection (p_lcb, rcid, id, L2CAP_CONN_NO_RESOURCES);
455 break;
456 }
457 p_ccb->remote_id = id;
458 p_ccb->p_rcb = p_rcb;
459 p_ccb->remote_cid = rcid;
460
461 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_CONNECT_REQ, &con_info);
462 break;
463
464 case L2CAP_CMD_CONN_RSP:
465 STREAM_TO_UINT16 (con_info.remote_cid, p);
466 STREAM_TO_UINT16 (lcid, p);
467 STREAM_TO_UINT16 (con_info.l2cap_result, p);
468 STREAM_TO_UINT16 (con_info.l2cap_status, p);
469
470 if ((p_ccb = l2cu_find_ccb_by_cid (p_lcb, lcid)) == NULL)
471 {
472 L2CAP_TRACE_WARNING ("L2CAP - no CCB for conn rsp, LCID: %d RCID: %d",
473 lcid, con_info.remote_cid);
474 break;
475 }
476 if (p_ccb->local_id != id)
477 {
478 L2CAP_TRACE_WARNING ("L2CAP - con rsp - bad ID. Exp: %d Got: %d",
479 p_ccb->local_id, id);
480 break;
481 }
482
483 if (con_info.l2cap_result == L2CAP_CONN_OK)
484 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_CONNECT_RSP, &con_info);
485 else if (con_info.l2cap_result == L2CAP_CONN_PENDING)
486 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_CONNECT_RSP_PND, &con_info);
487 else
488 l2c_csm_execute(p_ccb, L2CEVT_L2CAP_CONNECT_RSP_NEG, &con_info);
489
490 break;
491
492 case L2CAP_CMD_CONFIG_REQ:
493 p_cfg_end = p + cmd_len;
494 cfg_rej = FALSE;
495 cfg_rej_len = 0;
496
497 STREAM_TO_UINT16 (lcid, p);
498 STREAM_TO_UINT16 (cfg_info.flags, p);
499
500 p_cfg_start = p;
501
502 cfg_info.flush_to_present = cfg_info.mtu_present = cfg_info.qos_present =
503 cfg_info.fcr_present = cfg_info.fcs_present = FALSE;
504
505 while (p < p_cfg_end)
506 {
507 STREAM_TO_UINT8 (cfg_code, p);
508 STREAM_TO_UINT8 (cfg_len, p);
509
510 switch (cfg_code & 0x7F)
511 {
512 case L2CAP_CFG_TYPE_MTU:
513 cfg_info.mtu_present = TRUE;
514 STREAM_TO_UINT16 (cfg_info.mtu, p);
515 break;
516
517 case L2CAP_CFG_TYPE_FLUSH_TOUT:
518 cfg_info.flush_to_present = TRUE;
519 STREAM_TO_UINT16 (cfg_info.flush_to, p);
520 break;
521
522 case L2CAP_CFG_TYPE_QOS:
523 cfg_info.qos_present = TRUE;
524 STREAM_TO_UINT8 (cfg_info.qos.qos_flags, p);
525 STREAM_TO_UINT8 (cfg_info.qos.service_type, p);
526 STREAM_TO_UINT32 (cfg_info.qos.token_rate, p);
527 STREAM_TO_UINT32 (cfg_info.qos.token_bucket_size, p);
528 STREAM_TO_UINT32 (cfg_info.qos.peak_bandwidth, p);
529 STREAM_TO_UINT32 (cfg_info.qos.latency, p);
530 STREAM_TO_UINT32 (cfg_info.qos.delay_variation, p);
531 break;
532
533 case L2CAP_CFG_TYPE_FCR:
534 cfg_info.fcr_present = TRUE;
535 STREAM_TO_UINT8 (cfg_info.fcr.mode, p);
536 STREAM_TO_UINT8 (cfg_info.fcr.tx_win_sz, p);
537 STREAM_TO_UINT8 (cfg_info.fcr.max_transmit, p);
538 STREAM_TO_UINT16 (cfg_info.fcr.rtrans_tout, p);
539 STREAM_TO_UINT16 (cfg_info.fcr.mon_tout, p);
540 STREAM_TO_UINT16 (cfg_info.fcr.mps, p);
541 break;
542
543 case L2CAP_CFG_TYPE_FCS:
544 cfg_info.fcs_present = TRUE;
545 STREAM_TO_UINT8 (cfg_info.fcs, p);
546 break;
547
548 case L2CAP_CFG_TYPE_EXT_FLOW:
549 cfg_info.ext_flow_spec_present = TRUE;
550 STREAM_TO_UINT8 (cfg_info.ext_flow_spec.id, p);
551 STREAM_TO_UINT8 (cfg_info.ext_flow_spec.stype, p);
552 STREAM_TO_UINT16 (cfg_info.ext_flow_spec.max_sdu_size, p);
553 STREAM_TO_UINT32 (cfg_info.ext_flow_spec.sdu_inter_time, p);
554 STREAM_TO_UINT32 (cfg_info.ext_flow_spec.access_latency, p);
555 STREAM_TO_UINT32 (cfg_info.ext_flow_spec.flush_timeout, p);
556 break;
557
558 default:
559 /* sanity check option length */
560 if ((cfg_len + L2CAP_CFG_OPTION_OVERHEAD) <= cmd_len)
561 {
562 p += cfg_len;
563 if ((cfg_code & 0x80) == 0)
564 {
565 cfg_rej_len += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;
566 cfg_rej = TRUE;
567 }
568 }
569 /* bad length; force loop exit */
570 else
571 {
572 p = p_cfg_end;
573 cfg_rej = TRUE;
574 }
575 break;
576 }
577 }
578
579 if ((p_ccb = l2cu_find_ccb_by_cid (p_lcb, lcid)) != NULL)
580 {
581 p_ccb->remote_id = id;
582 if (cfg_rej)
583 {
584 l2cu_send_peer_config_rej (p_ccb, p_cfg_start, (UINT16) (cmd_len - L2CAP_CONFIG_REQ_LEN), cfg_rej_len);
585 }
586 else
587 {
588 l2c_csm_execute (p_ccb, L2CEVT_L2CAP_CONFIG_REQ, &cfg_info);
589 }
590 }
591 else
592 {
593 /* updated spec says send command reject on invalid cid */
594 l2cu_send_peer_cmd_reject (p_lcb, L2CAP_CMD_REJ_INVALID_CID, id, 0, 0);
595 }
596 break;
597
598 case L2CAP_CMD_CONFIG_RSP:
599 p_cfg_end = p + cmd_len;
600 STREAM_TO_UINT16 (lcid, p);
601 STREAM_TO_UINT16 (cfg_info.flags, p);
602 STREAM_TO_UINT16 (cfg_info.result, p);
603
604 cfg_info.flush_to_present = cfg_info.mtu_present = cfg_info.qos_present =
605 cfg_info.fcr_present = cfg_info.fcs_present = FALSE;
606
607 while (p < p_cfg_end)
608 {
609 STREAM_TO_UINT8 (cfg_code, p);
610 STREAM_TO_UINT8 (cfg_len, p);
611
612 switch (cfg_code & 0x7F)
613 {
614 case L2CAP_CFG_TYPE_MTU:
615 cfg_info.mtu_present = TRUE;
616 STREAM_TO_UINT16 (cfg_info.mtu, p);
617 break;
618
619 case L2CAP_CFG_TYPE_FLUSH_TOUT:
620 cfg_info.flush_to_present = TRUE;
621 STREAM_TO_UINT16 (cfg_info.flush_to, p);
622 break;
623
624 case L2CAP_CFG_TYPE_QOS:
625 cfg_info.qos_present = TRUE;
626 STREAM_TO_UINT8 (cfg_info.qos.qos_flags, p);
627 STREAM_TO_UINT8 (cfg_info.qos.service_type, p);
628 STREAM_TO_UINT32 (cfg_info.qos.token_rate, p);
629 STREAM_TO_UINT32 (cfg_info.qos.token_bucket_size, p);
630 STREAM_TO_UINT32 (cfg_info.qos.peak_bandwidth, p);
631 STREAM_TO_UINT32 (cfg_info.qos.latency, p);
632 STREAM_TO_UINT32 (cfg_info.qos.delay_variation, p);
633 break;
634
635 case L2CAP_CFG_TYPE_FCR:
636 cfg_info.fcr_present = TRUE;
637 STREAM_TO_UINT8 (cfg_info.fcr.mode, p);
638 STREAM_TO_UINT8 (cfg_info.fcr.tx_win_sz, p);
639 STREAM_TO_UINT8 (cfg_info.fcr.max_transmit, p);
640 STREAM_TO_UINT16 (cfg_info.fcr.rtrans_tout, p);
641 STREAM_TO_UINT16 (cfg_info.fcr.mon_tout, p);
642 STREAM_TO_UINT16 (cfg_info.fcr.mps, p);
643 break;
644
645 case L2CAP_CFG_TYPE_FCS:
646 cfg_info.fcs_present = TRUE;
647 STREAM_TO_UINT8 (cfg_info.fcs, p);
648 break;
649
650 case L2CAP_CFG_TYPE_EXT_FLOW:
651 cfg_info.ext_flow_spec_present = TRUE;
652 STREAM_TO_UINT8 (cfg_info.ext_flow_spec.id, p);
653 STREAM_TO_UINT8 (cfg_info.ext_flow_spec.stype, p);
654 STREAM_TO_UINT16 (cfg_info.ext_flow_spec.max_sdu_size, p);
655 STREAM_TO_UINT32 (cfg_info.ext_flow_spec.sdu_inter_time, p);
656 STREAM_TO_UINT32 (cfg_info.ext_flow_spec.access_latency, p);
657 STREAM_TO_UINT32 (cfg_info.ext_flow_spec.flush_timeout, p);
658 break;
659 }
660 }
661
662 if ((p_ccb = l2cu_find_ccb_by_cid (p_lcb, lcid)) != NULL)
663 {
664 if (p_ccb->local_id != id)
665 {
666 L2CAP_TRACE_WARNING ("L2CAP - cfg rsp - bad ID. Exp: %d Got: %d",
667 p_ccb->local_id, id);
668 break;
669 }
670 if ( (cfg_info.result == L2CAP_CFG_OK) || (cfg_info.result == L2CAP_CFG_PENDING) )
671 l2c_csm_execute (p_ccb, L2CEVT_L2CAP_CONFIG_RSP, &cfg_info);
672 else
673 l2c_csm_execute (p_ccb, L2CEVT_L2CAP_CONFIG_RSP_NEG, &cfg_info);
674 }
675 else
676 {
677 L2CAP_TRACE_WARNING ("L2CAP - rcvd cfg rsp for unknown CID: 0x%04x", lcid);
678 }
679 break;
680
681
682 case L2CAP_CMD_DISC_REQ:
683 STREAM_TO_UINT16 (lcid, p);
684 STREAM_TO_UINT16 (rcid, p);
685
686 if ((p_ccb = l2cu_find_ccb_by_cid (p_lcb, lcid)) != NULL)
687 {
688 if (p_ccb->remote_cid == rcid)
689 {
690 p_ccb->remote_id = id;
691 l2c_csm_execute (p_ccb, L2CEVT_L2CAP_DISCONNECT_REQ, &con_info);
692 }
693 }
694 else
695 l2cu_send_peer_disc_rsp (p_lcb, id, lcid, rcid);
696
697 break;
698
699 case L2CAP_CMD_DISC_RSP:
700 STREAM_TO_UINT16 (rcid, p);
701 STREAM_TO_UINT16 (lcid, p);
702
703 if ((p_ccb = l2cu_find_ccb_by_cid (p_lcb, lcid)) != NULL)
704 {
705 if ((p_ccb->remote_cid == rcid) && (p_ccb->local_id == id))
706 {
707 l2c_csm_execute (p_ccb, L2CEVT_L2CAP_DISCONNECT_RSP, &con_info);
708 }
709 }
710 break;
711
712 case L2CAP_CMD_ECHO_REQ:
713 l2cu_send_peer_echo_rsp (p_lcb, id, NULL, 0);
714 break;
715
716 case L2CAP_CMD_ECHO_RSP:
717 if (p_lcb->p_echo_rsp_cb)
718 {
719 tL2CA_ECHO_RSP_CB *p_cb = p_lcb->p_echo_rsp_cb;
720
721 /* Zero out the callback in case app immediately calls us again */
722 p_lcb->p_echo_rsp_cb = NULL;
723
724 (*p_cb) (L2CAP_PING_RESULT_OK);
725 }
726 break;
727
728 case L2CAP_CMD_INFO_REQ:
729 STREAM_TO_UINT16 (info_type, p);
730 l2cu_send_peer_info_rsp (p_lcb, id, info_type);
731 break;
732
733 case L2CAP_CMD_INFO_RSP:
734 /* Stop the link connect timer if sent before L2CAP connection is up */
735 if (p_lcb->w4_info_rsp)
736 {
737 btu_stop_timer (&p_lcb->info_timer_entry);
738 p_lcb->w4_info_rsp = FALSE;
739 }
740
741 STREAM_TO_UINT16 (info_type, p);
742 STREAM_TO_UINT16 (result, p);
743
744 p_lcb->info_rx_bits |= (1 << info_type);
745
746 if ( (info_type == L2CAP_EXTENDED_FEATURES_INFO_TYPE)
747 && (result == L2CAP_INFO_RESP_RESULT_SUCCESS) )
748 {
749 STREAM_TO_UINT32( p_lcb->peer_ext_fea, p );
750
751 #if (L2CAP_NUM_FIXED_CHNLS > 0)
752 if (p_lcb->peer_ext_fea & L2CAP_EXTFEA_FIXED_CHNLS)
753 {
754 l2cu_send_peer_info_req (p_lcb, L2CAP_FIXED_CHANNELS_INFO_TYPE);
755 break;
756 }
757 else
758 {
759 l2cu_process_fixed_chnl_resp (p_lcb);
760 }
761 #endif
762 }
763
764
765 #if (L2CAP_NUM_FIXED_CHNLS > 0)
766 if (info_type == L2CAP_FIXED_CHANNELS_INFO_TYPE)
767 {
768 if (result == L2CAP_INFO_RESP_RESULT_SUCCESS)
769 {
770 memcpy (p_lcb->peer_chnl_mask, p, L2CAP_FIXED_CHNL_ARRAY_SIZE);
771 }
772
773 l2cu_process_fixed_chnl_resp (p_lcb);
774 }
775 #endif
776 #if (L2CAP_UCD_INCLUDED == TRUE)
777 else if (info_type == L2CAP_CONNLESS_MTU_INFO_TYPE)
778 {
779 if (result == L2CAP_INFO_RESP_RESULT_SUCCESS)
780 {
781 STREAM_TO_UINT16 (p_lcb->ucd_mtu, p);
782 }
783 }
784 #endif
785
786 ci.status = HCI_SUCCESS;
787 memcpy (ci.bd_addr, p_lcb->remote_bd_addr, sizeof(BD_ADDR));
788 for (p_ccb = p_lcb->ccb_queue.p_first_ccb; p_ccb; p_ccb = p_ccb->p_next_ccb)
789 {
790 l2c_csm_execute (p_ccb, L2CEVT_L2CAP_INFO_RSP, &ci);
791 }
792 break;
793
794 default:
795 L2CAP_TRACE_WARNING ("L2CAP - bad cmd code: %d", cmd_code);
796 l2cu_send_peer_cmd_reject (p_lcb, L2CAP_CMD_REJ_NOT_UNDERSTOOD, id, 0, 0);
797 return;
798 }
799 }
800 }
801
802 /*******************************************************************************
803 **
804 ** Function l2c_process_held_packets
805 **
806 ** Description This function processes any L2CAP packets that arrived before
807 ** the HCI connection complete arrived. It is a work around for
808 ** badly behaved controllers.
809 **
810 ** Returns void
811 **
812 *******************************************************************************/
l2c_process_held_packets(BOOLEAN timed_out)813 void l2c_process_held_packets(BOOLEAN timed_out) {
814 if (list_is_empty(l2cb.rcv_pending_q))
815 return;
816
817 if (!timed_out) {
818 btu_stop_timer(&l2cb.rcv_hold_tle);
819 L2CAP_TRACE_WARNING("L2CAP HOLD CONTINUE");
820 } else {
821 L2CAP_TRACE_WARNING("L2CAP HOLD TIMEOUT");
822 }
823
824 for (const list_node_t *node = list_begin(l2cb.rcv_pending_q);
825 node != list_end(l2cb.rcv_pending_q);) {
826 BT_HDR *p_buf = list_node(node);
827 node = list_next(node);
828 if (!timed_out || (!p_buf->layer_specific) || (--p_buf->layer_specific == 0)) {
829 list_remove(l2cb.rcv_pending_q, p_buf);
830 p_buf->layer_specific = 0xFFFF;
831 l2c_rcv_acl_data(p_buf);
832 }
833 }
834
835 /* If anyone still in the queue, restart the timeout */
836 if (!list_is_empty(l2cb.rcv_pending_q))
837 btu_start_timer (&l2cb.rcv_hold_tle, BTU_TTYPE_L2CAP_HOLD, BT_1SEC_TIMEOUT);
838 }
839
840
841 /*******************************************************************************
842 **
843 ** Function l2c_init
844 **
845 ** Description This function is called once at startup to initialize
846 ** all the L2CAP structures
847 **
848 ** Returns void
849 **
850 *******************************************************************************/
l2c_init(void)851 void l2c_init (void)
852 {
853 INT16 xx;
854
855 memset (&l2cb, 0, sizeof (tL2C_CB));
856 /* the psm is increased by 2 before being used */
857 l2cb.dyn_psm = 0xFFF;
858
859 /* Put all the channel control blocks on the free queue */
860 for (xx = 0; xx < MAX_L2CAP_CHANNELS - 1; xx++)
861 {
862 l2cb.ccb_pool[xx].p_next_ccb = &l2cb.ccb_pool[xx + 1];
863 }
864
865 #if (L2CAP_NON_FLUSHABLE_PB_INCLUDED == TRUE)
866 /* it will be set to L2CAP_PKT_START_NON_FLUSHABLE if controller supports */
867 l2cb.non_flushable_pbf = L2CAP_PKT_START << L2CAP_PKT_TYPE_SHIFT;
868 #endif
869
870
871 l2cb.p_free_ccb_first = &l2cb.ccb_pool[0];
872 l2cb.p_free_ccb_last = &l2cb.ccb_pool[MAX_L2CAP_CHANNELS - 1];
873
874 #ifdef L2CAP_DESIRED_LINK_ROLE
875 l2cb.desire_role = L2CAP_DESIRED_LINK_ROLE;
876 #else
877 l2cb.desire_role = HCI_ROLE_SLAVE;
878 #endif
879
880 /* Set the default idle timeout */
881 l2cb.idle_timeout = L2CAP_LINK_INACTIVITY_TOUT;
882
883 #if defined(L2CAP_INITIAL_TRACE_LEVEL)
884 l2cb.l2cap_trace_level = L2CAP_INITIAL_TRACE_LEVEL;
885 #else
886 l2cb.l2cap_trace_level = BT_TRACE_LEVEL_NONE; /* No traces */
887 #endif
888
889 #if L2CAP_CONFORMANCE_TESTING == TRUE
890 /* Conformance testing needs a dynamic response */
891 l2cb.test_info_resp = L2CAP_EXTFEA_SUPPORTED_MASK;
892 #endif
893
894 /* Number of ACL buffers to use for high priority channel */
895 #if (defined(L2CAP_HIGH_PRI_CHAN_QUOTA_IS_CONFIGURABLE) && (L2CAP_HIGH_PRI_CHAN_QUOTA_IS_CONFIGURABLE == TRUE))
896 l2cb.high_pri_min_xmit_quota = L2CAP_HIGH_PRI_MIN_XMIT_QUOTA;
897 #endif
898
899 #if BLE_INCLUDED == TRUE
900 l2cb.l2c_ble_fixed_chnls_mask =
901 L2CAP_FIXED_CHNL_ATT_BIT | L2CAP_FIXED_CHNL_BLE_SIG_BIT | L2CAP_FIXED_CHNL_SMP_BIT;
902 #endif
903
904 l2cb.rcv_pending_q = list_new(NULL);
905 if (l2cb.rcv_pending_q == NULL)
906 LOG_ERROR("%s unable to allocate memory for link layer control block", __func__);
907 }
908
l2c_free(void)909 void l2c_free(void) {
910 list_free(l2cb.rcv_pending_q);
911 }
912
913 /*******************************************************************************
914 **
915 ** Function l2c_process_timeout
916 **
917 ** Description This function is called when an L2CAP-related timeout occurs
918 **
919 ** Returns void
920 **
921 *******************************************************************************/
l2c_process_timeout(TIMER_LIST_ENT * p_tle)922 void l2c_process_timeout (TIMER_LIST_ENT *p_tle)
923 {
924 /* What type of timeout ? */
925 switch (p_tle->event)
926 {
927 case BTU_TTYPE_L2CAP_LINK:
928 l2c_link_timeout ((tL2C_LCB *)p_tle->param);
929 break;
930
931 case BTU_TTYPE_L2CAP_CHNL:
932 l2c_csm_execute (((tL2C_CCB *)p_tle->param), L2CEVT_TIMEOUT, NULL);
933 break;
934
935 case BTU_TTYPE_L2CAP_FCR_ACK:
936 l2c_csm_execute (((tL2C_CCB *)p_tle->param), L2CEVT_ACK_TIMEOUT, NULL);
937 break;
938
939 case BTU_TTYPE_L2CAP_HOLD:
940 /* Update the timeouts in the hold queue */
941 l2c_process_held_packets(TRUE);
942 break;
943
944 case BTU_TTYPE_L2CAP_INFO:
945 l2c_info_timeout((tL2C_LCB *)p_tle->param);
946 break;
947 }
948 }
949
950 /*******************************************************************************
951 **
952 ** Function l2c_data_write
953 **
954 ** Description API functions call this function to write data.
955 **
956 ** Returns L2CAP_DW_SUCCESS, if data accepted, else FALSE
957 ** L2CAP_DW_CONGESTED, if data accepted and the channel is congested
958 ** L2CAP_DW_FAILED, if error
959 **
960 *******************************************************************************/
l2c_data_write(UINT16 cid,BT_HDR * p_data,UINT16 flags)961 UINT8 l2c_data_write (UINT16 cid, BT_HDR *p_data, UINT16 flags)
962 {
963 tL2C_CCB *p_ccb;
964
965 /* Find the channel control block. We don't know the link it is on. */
966 if ((p_ccb = l2cu_find_ccb_by_cid (NULL, cid)) == NULL)
967 {
968 L2CAP_TRACE_WARNING ("L2CAP - no CCB for L2CA_DataWrite, CID: %d", cid);
969 GKI_freebuf (p_data);
970 return (L2CAP_DW_FAILED);
971 }
972
973 #ifndef TESTER /* Tester may send any amount of data. otherwise sending message
974 bigger than mtu size of peer is a violation of protocol */
975 if (p_data->len > p_ccb->peer_cfg.mtu)
976 {
977 L2CAP_TRACE_WARNING ("L2CAP - CID: 0x%04x cannot send message bigger than peer's mtu size", cid);
978 GKI_freebuf (p_data);
979 return (L2CAP_DW_FAILED);
980 }
981 #endif
982
983 /* channel based, packet based flushable or non-flushable */
984 p_data->layer_specific = flags;
985
986 /* If already congested, do not accept any more packets */
987 if (p_ccb->cong_sent)
988 {
989 L2CAP_TRACE_ERROR ("L2CAP - CID: 0x%04x cannot send, already congested xmit_hold_q.count: %u buff_quota: %u",
990 p_ccb->local_cid, GKI_queue_length(&p_ccb->xmit_hold_q), p_ccb->buff_quota);
991
992 GKI_freebuf (p_data);
993 return (L2CAP_DW_FAILED);
994 }
995
996 counter_add("l2cap.dyn.tx.bytes", p_data->len);
997 counter_add("l2cap.dyn.tx.pkts", 1);
998
999 l2c_csm_execute (p_ccb, L2CEVT_L2CA_DATA_WRITE, p_data);
1000
1001 if (p_ccb->cong_sent)
1002 return (L2CAP_DW_CONGESTED);
1003
1004 return (L2CAP_DW_SUCCESS);
1005 }
1006
1007