1 /******************************************************************************
2  *
3  *  Copyright (C) 2014 Google, Inc.
4  *
5  *  Licensed under the Apache License, Version 2.0 (the "License");
6  *  you may not use this file except in compliance with the License.
7  *  You may obtain a copy of the License at:
8  *
9  *  http://www.apache.org/licenses/LICENSE-2.0
10  *
11  *  Unless required by applicable law or agreed to in writing, software
12  *  distributed under the License is distributed on an "AS IS" BASIS,
13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  *  See the License for the specific language governing permissions and
15  *  limitations under the License.
16  *
17  ******************************************************************************/
18 
19 #define LOG_TAG "bt_hci_packet_fragmenter"
20 
21 #include "packet_fragmenter.h"
22 
23 #include <assert.h>
24 #include <string.h>
25 
26 #include "bt_target.h"
27 #include "buffer_allocator.h"
28 #include "device/include/controller.h"
29 #include "hci_internals.h"
30 #include "osi/include/hash_functions.h"
31 #include "osi/include/hash_map.h"
32 #include "osi/include/log.h"
33 #include "osi/include/osi.h"
34 
// The 16-bit ACL handle field carries a 12-bit connection handle (HANDLE_MASK)
// with the packet-boundary flags in bits 12-13; bits 14-15 are preserved as-is.
// The two APPLY_* macros clear bits 12-13 and mark the fragment as a
// continuation (01) or a start (10) fragment respectively.
#define APPLY_CONTINUATION_FLAG(handle) (((handle) & 0xCFFF) | 0x1000)
#define APPLY_START_FLAG(handle) (((handle) & 0xCFFF) | 0x2000)
// The sub-event of a BT_HDR event selects the local controller the packet is for
// (compared against LOCAL_BR_EDR_CONTROLLER_ID in fragment_and_dispatch()).
#define SUB_EVENT(event) ((event) & MSG_SUB_EVT_MASK)
// Extracts the two packet-boundary bits; compare with *_PACKET_BOUNDARY below.
#define GET_BOUNDARY_FLAG(handle) (((handle) >> 12) & 0x0003)

#define HANDLE_MASK 0x0FFF
#define START_PACKET_BOUNDARY 2
#define CONTINUATION_PACKET_BOUNDARY 1
// Size of the L2CAP header that follows the ACL preamble in a start fragment;
// its first field is the 16-bit L2CAP length read by reassemble_and_dispatch().
#define L2CAP_HEADER_SIZE       4

// Bucket count of the partial-packet map, which is keyed by connection handle.
// TODO(zachoverflow): find good value for this
#define NUMBER_OF_BUCKETS 42
47 
48 // Our interface and callbacks
// Our interface and callbacks
// Tentative definition; the function table itself is filled in at the end of the file.
static const packet_fragmenter_t interface;
// Bound by packet_fragmenter_get_interface() / packet_fragmenter_get_test_interface().
static const allocator_t *buffer_allocator;
static const controller_t *controller;
// Set by init(); every packet handed to this module ends up in one of these callbacks.
static const packet_fragmenter_callbacks_t *callbacks;

// Inbound ACL packets still being reassembled, keyed by connection handle
// (the handle is cast to a pointer to serve as key). Created by init(),
// released by cleanup().
static hash_map_t *partial_packets;
55 
// Records the caller's callbacks and creates the per-handle map that holds
// inbound ACL packets still being reassembled (see reassemble_and_dispatch()).
static void init(const packet_fragmenter_callbacks_t *result_callbacks) {
  hash_map_t *reassembly_map =
      hash_map_new(NUMBER_OF_BUCKETS, hash_function_naive, NULL, NULL, NULL);

  callbacks = result_callbacks;
  partial_packets = reassembly_map;
}
60 
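// Releases the reassembly map created by init(). Safe to call more than once:
// the map pointer is cleared after the map is freed, so a second call is a
// no-op instead of a double free.
// NOTE(review): hash_map_new() was given only NULL for its callback
// parameters, so any partial packets still buffered in the map are not
// released here — confirm whether they are expected to be freed on cleanup.
static void cleanup() {
  if (!partial_packets)
    return;

  hash_map_free(partial_packets);
  partial_packets = NULL;
}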
65 
// Splits an outbound packet into fragments no larger than the controller's ACL
// buffer and hands each one to callbacks->fragmented(). Only ACL packets
// (MSG_STACK_TO_HC_HCI_ACL) are fragmented; anything else is passed through
// untouched with the "last fragment" flag set.
//
// Fragmentation is done in place: after each fragment is delivered, the ACL
// header for the next one is written over the last HCI_ACL_PREAMBLE_SIZE bytes
// of the fragment that was just delivered. The callback must therefore be done
// with the fragment's bytes by the time it returns (presumably it copies or
// transmits synchronously — confirm against the HCI layer).
//
// Ownership: the packet is handed to exactly one of callbacks->fragmented(..., true)
// or callbacks->transmit_finished(); this function never frees it.
static void fragment_and_dispatch(BT_HDR *packet) {
  assert(packet != NULL);

  uint16_t event = packet->event & MSG_EVT_MASK;
  uint8_t *stream = packet->data + packet->offset;

  // We only fragment ACL packets
  if (event != MSG_STACK_TO_HC_HCI_ACL) {
    callbacks->fragmented(packet, true);
    return;
  }

  // The controller reports separate ACL data sizes for BR/EDR and LE; the
  // sub-event says which one this packet is for.
  uint16_t max_data_size =
    SUB_EVENT(packet->event) == LOCAL_BR_EDR_CONTROLLER_ID ?
      controller->get_acl_data_size_classic() :
      controller->get_acl_data_size_ble();

  // Every fragment carries an ACL preamble (handle, length) ahead of its data.
  uint16_t max_packet_size = max_data_size + HCI_ACL_PREAMBLE_SIZE;
  uint16_t remaining_length = packet->len;

  // The handle from the first fragment, re-marked as a continuation, is reused
  // for every header written below.
  uint16_t continuation_handle;
  STREAM_TO_UINT16(continuation_handle, stream);
  continuation_handle = APPLY_CONTINUATION_FLAG(continuation_handle);

  // NOTE(review): a max_data_size of 0 would make this loop never advance;
  // the controller's values are assumed to be non-zero — confirm.
  while (remaining_length > max_packet_size) {
    // Make sure we use the right ACL packet size
    stream = packet->data + packet->offset;
    STREAM_SKIP_UINT16(stream);
    UINT16_TO_STREAM(stream, max_data_size);

    // Deliver one full-size fragment; `false` marks it as not the last one.
    packet->len = max_packet_size;
    callbacks->fragmented(packet, false);

    // Advance past the data just sent. The next header lands on the last
    // HCI_ACL_PREAMBLE_SIZE bytes of the fragment just delivered.
    packet->offset += max_data_size;
    remaining_length -= max_data_size;
    packet->len = remaining_length;

    // Write the ACL header for the next fragment
    stream = packet->data + packet->offset;
    UINT16_TO_STREAM(stream, continuation_handle);
    UINT16_TO_STREAM(stream, remaining_length - HCI_ACL_PREAMBLE_SIZE);

    // Apparently L2CAP can set layer_specific to a max number of segments to transmit
    if (packet->layer_specific) {
      packet->layer_specific--;

      // Segment budget exhausted: stop fragmenting, re-tag the remainder as
      // MSG_HC_TO_STACK_L2C_SEG_XMIT and report it via transmit_finished()
      // instead of sending it.
      if (packet->layer_specific == 0) {
        packet->event = MSG_HC_TO_STACK_L2C_SEG_XMIT;
        callbacks->transmit_finished(packet, false);
        return;
      }
    }
  }

  // Whatever is left (the whole packet, if it fit) goes out as the last fragment.
  callbacks->fragmented(packet, true);
}
122 
// Reports whether a + b would not fit in a uint16_t. The sum is formed in a
// wider type so the addition itself cannot wrap before the comparison.
static bool check_uint16_overflow(uint16_t a, uint16_t b) {
  uint32_t sum = (uint32_t)a + (uint32_t)b;
  return sum > UINT16_MAX;
}
126 
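// Reassembles inbound (controller-to-host) ACL packets that arrive as several
// HCI fragments and hands each complete packet to callbacks->reassembled().
// Packets of any other type are passed through untouched.
//
// Layout expected at packet->data: a HCI_ACL_PREAMBLE_SIZE byte ACL preamble
// (16-bit handle with the boundary flags in bits 12-13, then the 16-bit ACL
// length) and, for a start fragment, the L2CAP header whose first field is
// the 16-bit L2CAP length.
//
// Ownership: on every path the incoming buffer is either delivered through
// callbacks->reassembled() or released with buffer_allocator->free().
// Fragments awaiting more data live in partial_packets keyed by connection
// handle; partial_packet->len holds the expected full length and
// partial_packet->offset how many bytes of it have been received so far.
static void reassemble_and_dispatch(BT_HDR *packet) {
  if ((packet->event & MSG_EVT_MASK) != MSG_HC_TO_STACK_HCI_ACL) {
    callbacks->reassembled(packet);
    return;
  }

  uint8_t *stream = packet->data;
  uint16_t handle;
  uint16_t acl_length;

  STREAM_TO_UINT16(handle, stream);
  STREAM_TO_UINT16(acl_length, stream);

  // The ACL length field must match the buffer. The assert is compiled out
  // under NDEBUG, so the explicit check keeps the preamble arithmetic below
  // from underflowing on a runt packet in release builds.
  assert(acl_length == packet->len - HCI_ACL_PREAMBLE_SIZE);
  if (packet->len < HCI_ACL_PREAMBLE_SIZE) {
    LOG_WARN(LOG_TAG, "%s ACL packet too small (%d). Dropping it.", __func__, packet->len);
    buffer_allocator->free(packet);
    return;
  }

  uint8_t boundary_flag = GET_BOUNDARY_FLAG(handle);
  handle = handle & HANDLE_MASK;

  BT_HDR *partial_packet = (BT_HDR *)hash_map_get(partial_packets, (void *)(uintptr_t)handle);

  if (boundary_flag == START_PACKET_BOUNDARY) {
    // A new start fragment supersedes anything still pending on this handle.
    if (partial_packet) {
      LOG_WARN(LOG_TAG, "%s found unfinished packet for handle with start packet. Dropping old.", __func__);

      hash_map_erase(partial_packets, (void *)(uintptr_t)handle);
      buffer_allocator->free(partial_packet);
    }

    if (acl_length < L2CAP_HEADER_SIZE) {
      LOG_WARN(LOG_TAG, "%s L2CAP packet too small (%d < %d). Dropping it.", __func__, packet->len, L2CAP_HEADER_SIZE);
      buffer_allocator->free(packet);
      return;
    }

    // Only read the L2CAP length once the ACL length guarantees the L2CAP
    // header is actually present in the buffer.
    uint16_t l2cap_length;
    STREAM_TO_UINT16(l2cap_length, stream);

    uint16_t full_length = l2cap_length + L2CAP_HEADER_SIZE + HCI_ACL_PREAMBLE_SIZE;

    // Check for buffer overflow and that the full packet size + BT_HDR size is less than
    // the max buffer size
    if (check_uint16_overflow(l2cap_length, (L2CAP_HEADER_SIZE + HCI_ACL_PREAMBLE_SIZE)) ||
        ((full_length + sizeof(BT_HDR)) > BT_DEFAULT_BUFFER_SIZE)) {
      LOG_ERROR(LOG_TAG, "%s L2CAP packet has invalid length (%d). Dropping it.", __func__, l2cap_length);
      buffer_allocator->free(packet);
      return;
    }

    // The whole L2CAP packet fits in this single fragment: nothing to reassemble.
    if (full_length <= packet->len) {
      if (full_length < packet->len)
        LOG_WARN(LOG_TAG, "%s found l2cap full length %d less than the hci length %d.", __func__, l2cap_length, packet->len);

      callbacks->reassembled(packet);
      return;
    }

    partial_packet = (BT_HDR *)buffer_allocator->alloc(full_length + sizeof(BT_HDR));
    if (!partial_packet) {
      LOG_ERROR(LOG_TAG, "%s unable to allocate buffer for partial packet. Dropping it.", __func__);
      buffer_allocator->free(packet);
      return;
    }
    partial_packet->event = packet->event;
    partial_packet->len = full_length;
    partial_packet->offset = packet->len;

    memcpy(partial_packet->data, packet->data, packet->len);

    // Update the ACL data size to indicate the full expected length
    stream = partial_packet->data;
    STREAM_SKIP_UINT16(stream); // skip the handle
    UINT16_TO_STREAM(stream, full_length - HCI_ACL_PREAMBLE_SIZE);

    hash_map_set(partial_packets, (void *)(uintptr_t)handle, partial_packet);
    // Free the old packet buffer, since we don't need it anymore
    buffer_allocator->free(packet);
    return;
  }

  // Continuation fragment: append its payload to the pending partial packet.
  if (!partial_packet) {
    LOG_WARN(LOG_TAG, "%s got continuation for unknown packet. Dropping it.", __func__);
    buffer_allocator->free(packet);
    return;
  }

  // The incoming payload size and the space left in partial_packet are
  // computed separately so the copy length can never exceed that space.
  // (Deriving the copy length from a shrunken packet->len, as the truncation
  // path used to, made the memcpy HCI_ACL_PREAMBLE_SIZE bytes short and went
  // negative when fewer than that many bytes remained.)
  uint16_t payload_length = packet->len - HCI_ACL_PREAMBLE_SIZE;
  uint16_t remaining_length = partial_packet->len - partial_packet->offset;  // len stores the expected length
  if (payload_length > remaining_length) {
    LOG_WARN(LOG_TAG, "%s got packet which would exceed expected length of %d. Truncating.", __func__, partial_packet->len);
    payload_length = remaining_length;
  }

  memcpy(partial_packet->data + partial_packet->offset,
         packet->data + HCI_ACL_PREAMBLE_SIZE,
         payload_length);

  // Free the old packet buffer, since we don't need it anymore
  buffer_allocator->free(packet);
  partial_packet->offset += payload_length;

  if (partial_packet->offset == partial_packet->len) {
    hash_map_erase(partial_packets, (void *)(uintptr_t)handle);
    partial_packet->offset = 0;
    callbacks->reassembled(partial_packet);
  }
}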
228 
// Function table returned by packet_fragmenter_get_interface() and
// packet_fragmenter_get_test_interface(). Positional initializer: the order
// must match the field order of packet_fragmenter_t (see packet_fragmenter.h).
static const packet_fragmenter_t interface = {
  init,
  cleanup,

  fragment_and_dispatch,
  reassemble_and_dispatch
};
236 
// Binds the module to the production controller and buffer allocator and
// returns its function table.
const packet_fragmenter_t *packet_fragmenter_get_interface() {
  const controller_t *bound_controller = controller_get_interface();
  const allocator_t *bound_allocator = buffer_allocator_get_interface();

  controller = bound_controller;
  buffer_allocator = bound_allocator;
  return &interface;
}
242 
// Test hook: binds the module to caller-supplied controller and allocator
// implementations instead of the production ones, then returns the function table.
const packet_fragmenter_t *packet_fragmenter_get_test_interface(
    const controller_t *controller_interface,
    const allocator_t *buffer_allocator_interface) {
  buffer_allocator = buffer_allocator_interface;
  controller = controller_interface;
  return &interface;
}
250