1 /******************************************************************************
2 *
3 * Copyright (C) 2003-2016 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * Interface to AVRCP mandatory commands
22 *
23 ******************************************************************************/
24 #include <base/logging.h>
25 #include <string.h>
26
27 #include "avrc_api.h"
28 #include "avrc_int.h"
29 #include "bt_common.h"
30 #include "btu.h"
31 #include "osi/include/fixed_queue.h"
32 #include "osi/include/osi.h"
33
34 /*****************************************************************************
35 * Global data
36 ****************************************************************************/
37 extern fixed_queue_t* btu_general_alarm_queue;
38
39 #define AVRC_MAX_RCV_CTRL_EVT AVCT_BROWSE_UNCONG_IND_EVT
40
41 #ifndef MAX
42 #define MAX(a, b) ((a) > (b) ? (a) : (b))
43 #endif
44
45 static const uint8_t avrc_ctrl_event_map[] = {
46 AVRC_OPEN_IND_EVT, /* AVCT_CONNECT_CFM_EVT */
47 AVRC_OPEN_IND_EVT, /* AVCT_CONNECT_IND_EVT */
48 AVRC_CLOSE_IND_EVT, /* AVCT_DISCONNECT_CFM_EVT */
49 AVRC_CLOSE_IND_EVT, /* AVCT_DISCONNECT_IND_EVT */
50 AVRC_CONG_IND_EVT, /* AVCT_CONG_IND_EVT */
51 AVRC_UNCONG_IND_EVT, /* AVCT_UNCONG_IND_EVT */
52 AVRC_BROWSE_OPEN_IND_EVT, /* AVCT_BROWSE_CONN_CFM_EVT */
53 AVRC_BROWSE_OPEN_IND_EVT, /* AVCT_BROWSE_CONN_IND_EVT */
54 AVRC_BROWSE_CLOSE_IND_EVT, /* AVCT_BROWSE_DISCONN_CFM_EVT */
55 AVRC_BROWSE_CLOSE_IND_EVT, /* AVCT_BROWSE_DISCONN_IND_EVT */
56 AVRC_BROWSE_CONG_IND_EVT, /* AVCT_BROWSE_CONG_IND_EVT */
57 AVRC_BROWSE_UNCONG_IND_EVT /* AVCT_BROWSE_UNCONG_IND_EVT */
58 };
59
60 /* use this unused opcode to indication no need to call the callback function */
61 #define AVRC_OP_DROP 0xFE
62 /* use this unused opcode to indication no need to call the callback function &
63 * free buffer */
64 #define AVRC_OP_DROP_N_FREE 0xFD
65
66 #define AVRC_OP_UNIT_INFO_RSP_LEN 8
67 #define AVRC_OP_SUB_UNIT_INFO_RSP_LEN 8
68 #define AVRC_OP_REJ_MSG_LEN 11
69
70 /* Flags definitions for AVRC_MsgReq */
71 #define AVRC_MSG_MASK_IS_VENDOR_CMD 0x01
72 #define AVRC_MSG_MASK_IS_CONTINUATION_RSP 0x02
73
74 /******************************************************************************
75 *
76 * Function avrc_ctrl_cback
77 *
78 * Description This is the callback function used by AVCTP to report
79 * received link events.
80 *
81 * Returns Nothing.
82 *
83 *****************************************************************************/
avrc_ctrl_cback(uint8_t handle,uint8_t event,uint16_t result,BD_ADDR peer_addr)84 static void avrc_ctrl_cback(uint8_t handle, uint8_t event, uint16_t result,
85 BD_ADDR peer_addr) {
86 uint8_t avrc_event;
87
88 if (event <= AVRC_MAX_RCV_CTRL_EVT && avrc_cb.ccb[handle].p_ctrl_cback) {
89 avrc_event = avrc_ctrl_event_map[event];
90 if (event == AVCT_CONNECT_CFM_EVT) {
91 if (result != 0) /* failed */
92 avrc_event = AVRC_CLOSE_IND_EVT;
93 }
94 (*avrc_cb.ccb[handle].p_ctrl_cback)(handle, avrc_event, result, peer_addr);
95 }
96
97 if ((event == AVCT_DISCONNECT_CFM_EVT) ||
98 (event == AVCT_DISCONNECT_IND_EVT)) {
99 avrc_flush_cmd_q(handle);
100 alarm_free(avrc_cb.ccb_int[handle].tle);
101 avrc_cb.ccb_int[handle].tle = NULL;
102 }
103 }
104
105 /******************************************************************************
106 *
107 * Function avrc_flush_cmd_q
108 *
109 * Description Flush command queue for the specified avrc handle
110 *
111 * Returns Nothing.
112 *
113 *****************************************************************************/
avrc_flush_cmd_q(uint8_t handle)114 void avrc_flush_cmd_q(uint8_t handle) {
115 AVRC_TRACE_DEBUG("AVRC: Flushing command queue for handle=0x%02x", handle);
116 avrc_cb.ccb_int[handle].flags &= ~AVRC_CB_FLAGS_RSP_PENDING;
117
118 alarm_cancel(avrc_cb.ccb_int[handle].tle);
119 fixed_queue_free(avrc_cb.ccb_int[handle].cmd_q, osi_free);
120 avrc_cb.ccb_int[handle].cmd_q = NULL;
121 }
122
123 /******************************************************************************
124 *
125 * Function avrc_process_timeout
126 *
127 * Description Handle avrc command timeout
128 *
129 * Returns Nothing.
130 *
131 *****************************************************************************/
avrc_process_timeout(void * data)132 void avrc_process_timeout(void* data) {
133 tAVRC_PARAM* param = (tAVRC_PARAM*)data;
134
135 AVRC_TRACE_DEBUG("AVRC: command timeout (handle=0x%02x, label=0x%02x)",
136 param->handle, param->label);
137
138 /* Notify app */
139 if (avrc_cb.ccb[param->handle].p_ctrl_cback) {
140 (*avrc_cb.ccb[param->handle].p_ctrl_cback)(
141 param->handle, AVRC_CMD_TIMEOUT_EVT, param->label, NULL);
142 }
143
144 /* If vendor command timed-out, then send next command in the queue */
145 if (param->msg_mask & AVRC_MSG_MASK_IS_VENDOR_CMD) {
146 avrc_send_next_vendor_cmd(param->handle);
147 }
148 osi_free(param);
149 }
150
151 /******************************************************************************
152 *
153 * Function avrc_send_next_vendor_cmd
154 *
155 * Description Dequeue and send next vendor command for given handle
156 *
157 * Returns Nothing.
158 *
159 *****************************************************************************/
avrc_send_next_vendor_cmd(uint8_t handle)160 void avrc_send_next_vendor_cmd(uint8_t handle) {
161 BT_HDR* p_next_cmd;
162 uint8_t next_label;
163
164 while ((p_next_cmd = (BT_HDR*)fixed_queue_try_dequeue(
165 avrc_cb.ccb_int[handle].cmd_q)) != NULL) {
166 p_next_cmd->event &= 0xFF; /* opcode */
167 next_label = (p_next_cmd->layer_specific) >> 8; /* extract label */
168 p_next_cmd->layer_specific &= 0xFF; /* AVCT_DATA_CTRL or AVCT_DATA_BROWSE */
169
170 AVRC_TRACE_DEBUG(
171 "AVRC: Dequeuing command 0x%08x (handle=0x%02x, label=0x%02x)",
172 p_next_cmd, handle, next_label);
173
174 /* Send the message */
175 if ((AVCT_MsgReq(handle, next_label, AVCT_CMD, p_next_cmd)) ==
176 AVCT_SUCCESS) {
177 /* Start command timer to wait for response */
178 avrc_start_cmd_timer(handle, next_label, AVRC_MSG_MASK_IS_VENDOR_CMD);
179 return;
180 }
181 }
182
183 if (p_next_cmd == NULL) {
184 /* cmd queue empty */
185 avrc_cb.ccb_int[handle].flags &= ~AVRC_CB_FLAGS_RSP_PENDING;
186 }
187 }
188
189 /******************************************************************************
190 *
191 * Function avrc_start_cmd_timer
192 *
193 * Description Start timer for waiting for responses
194 *
195 * Returns Nothing.
196 *
197 *****************************************************************************/
avrc_start_cmd_timer(uint8_t handle,uint8_t label,uint8_t msg_mask)198 void avrc_start_cmd_timer(uint8_t handle, uint8_t label, uint8_t msg_mask) {
199 tAVRC_PARAM* param =
200 static_cast<tAVRC_PARAM*>(osi_malloc(sizeof(tAVRC_PARAM)));
201 param->handle = handle;
202 param->label = label;
203 param->msg_mask = msg_mask;
204
205 AVRC_TRACE_DEBUG("AVRC: starting timer (handle=0x%02x, label=0x%02x)", handle,
206 label);
207
208 alarm_set_on_queue(avrc_cb.ccb_int[handle].tle, AVRC_CMD_TOUT_MS,
209 avrc_process_timeout, param, btu_general_alarm_queue);
210 }
211
212 /******************************************************************************
213 *
214 * Function avrc_get_data_ptr
215 *
216 * Description Gets a pointer to the data payload in the packet.
217 *
218 * Returns A pointer to the data payload.
219 *
220 *****************************************************************************/
avrc_get_data_ptr(BT_HDR * p_pkt)221 static uint8_t* avrc_get_data_ptr(BT_HDR* p_pkt) {
222 return (uint8_t*)(p_pkt + 1) + p_pkt->offset;
223 }
224
225 /******************************************************************************
226 *
227 * Function avrc_copy_packet
228 *
229 * Description Copies an AVRC packet to a new buffer. In the new buffer,
230 * the payload offset is at least AVCT_MSG_OFFSET octets.
231 *
232 * Returns The buffer with the copied data.
233 *
234 *****************************************************************************/
avrc_copy_packet(BT_HDR * p_pkt,int rsp_pkt_len)235 static BT_HDR* avrc_copy_packet(BT_HDR* p_pkt, int rsp_pkt_len) {
236 const int offset = MAX(AVCT_MSG_OFFSET, p_pkt->offset);
237 const int pkt_len = MAX(rsp_pkt_len, p_pkt->len);
238 BT_HDR* p_pkt_copy = (BT_HDR*)osi_malloc(BT_HDR_SIZE + offset + pkt_len);
239
240 /* Copy the packet header, set the new offset, and copy the payload */
241 memcpy(p_pkt_copy, p_pkt, BT_HDR_SIZE);
242 p_pkt_copy->offset = offset;
243 uint8_t* p_data = avrc_get_data_ptr(p_pkt);
244 uint8_t* p_data_copy = avrc_get_data_ptr(p_pkt_copy);
245 memcpy(p_data_copy, p_data, p_pkt->len);
246
247 return p_pkt_copy;
248 }
249
250 #if (AVRC_METADATA_INCLUDED == TRUE)
251 /******************************************************************************
252 *
253 * Function avrc_prep_end_frag
254 *
255 * Description This function prepares an end response fragment
256 *
257 * Returns Nothing.
258 *
259 *****************************************************************************/
avrc_prep_end_frag(uint8_t handle)260 static void avrc_prep_end_frag(uint8_t handle) {
261 tAVRC_FRAG_CB* p_fcb;
262 BT_HDR* p_pkt_new;
263 uint8_t *p_data, *p_orig_data;
264 uint8_t rsp_type;
265
266 AVRC_TRACE_DEBUG("%s", __func__);
267 p_fcb = &avrc_cb.fcb[handle];
268
269 /* The response type of the end fragment should be the same as the the PDU of
270 *"End Fragment
271 ** Response" Errata:
272 *https://www.bluetooth.org/errata/errata_view.cfm?errata_id=4383
273 */
274 p_orig_data = ((uint8_t*)(p_fcb->p_fmsg + 1) + p_fcb->p_fmsg->offset);
275 rsp_type = ((*p_orig_data) & AVRC_CTYPE_MASK);
276
277 p_pkt_new = p_fcb->p_fmsg;
278 p_pkt_new->len -=
279 (AVRC_MAX_CTRL_DATA_LEN - AVRC_VENDOR_HDR_SIZE - AVRC_MIN_META_HDR_SIZE);
280 p_pkt_new->offset +=
281 (AVRC_MAX_CTRL_DATA_LEN - AVRC_VENDOR_HDR_SIZE - AVRC_MIN_META_HDR_SIZE);
282 p_data = (uint8_t*)(p_pkt_new + 1) + p_pkt_new->offset;
283 *p_data++ = rsp_type;
284 *p_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT);
285 *p_data++ = AVRC_OP_VENDOR;
286 AVRC_CO_ID_TO_BE_STREAM(p_data, AVRC_CO_METADATA);
287 *p_data++ = p_fcb->frag_pdu;
288 *p_data++ = AVRC_PKT_END;
289
290 /* 4=pdu, pkt_type & len */
291 UINT16_TO_BE_STREAM(
292 p_data, (p_pkt_new->len - AVRC_VENDOR_HDR_SIZE - AVRC_MIN_META_HDR_SIZE));
293 }
294
295 /******************************************************************************
296 *
297 * Function avrc_send_continue_frag
298 *
299 * Description This function sends a continue response fragment
300 *
301 * Returns AVRC_SUCCESS if successful.
302 * AVRC_BAD_HANDLE if handle is invalid.
303 *
304 *****************************************************************************/
avrc_send_continue_frag(uint8_t handle,uint8_t label)305 static uint16_t avrc_send_continue_frag(uint8_t handle, uint8_t label) {
306 tAVRC_FRAG_CB* p_fcb;
307 BT_HDR *p_pkt_old, *p_pkt;
308 uint8_t *p_old, *p_data;
309 uint8_t cr = AVCT_RSP;
310
311 p_fcb = &avrc_cb.fcb[handle];
312 p_pkt = p_fcb->p_fmsg;
313
314 AVRC_TRACE_DEBUG("%s handle = %u label = %u len = %d", __func__, handle,
315 label, p_pkt->len);
316 if (p_pkt->len > AVRC_MAX_CTRL_DATA_LEN) {
317 int offset_len = MAX(AVCT_MSG_OFFSET, p_pkt->offset);
318 p_pkt_old = p_fcb->p_fmsg;
319 p_pkt = (BT_HDR*)osi_malloc(AVRC_PACKET_LEN + offset_len + BT_HDR_SIZE);
320 p_pkt->len = AVRC_MAX_CTRL_DATA_LEN;
321 p_pkt->offset = AVCT_MSG_OFFSET;
322 p_pkt->layer_specific = p_pkt_old->layer_specific;
323 p_pkt->event = p_pkt_old->event;
324 p_old = (uint8_t*)(p_pkt_old + 1) + p_pkt_old->offset;
325 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
326 memcpy(p_data, p_old, AVRC_MAX_CTRL_DATA_LEN);
327 /* use AVRC continue packet type */
328 p_data += AVRC_VENDOR_HDR_SIZE;
329 p_data++; /* pdu */
330 *p_data++ = AVRC_PKT_CONTINUE;
331 /* 4=pdu, pkt_type & len */
332 UINT16_TO_BE_STREAM(p_data,
333 (AVRC_MAX_CTRL_DATA_LEN - AVRC_VENDOR_HDR_SIZE - 4));
334
335 /* prepare the left over for as an end fragment */
336 avrc_prep_end_frag(handle);
337 } else {
338 /* end fragment. clean the control block */
339 p_fcb->frag_enabled = false;
340 p_fcb->p_fmsg = NULL;
341 }
342 return AVCT_MsgReq(handle, label, cr, p_pkt);
343 }
344
345 /******************************************************************************
346 *
347 * Function avrc_proc_vendor_command
348 *
349 * Description This function processes received vendor command.
350 *
351 * Returns if not NULL, the response to send right away.
352 *
353 *****************************************************************************/
avrc_proc_vendor_command(uint8_t handle,uint8_t label,BT_HDR * p_pkt,tAVRC_MSG_VENDOR * p_msg)354 static BT_HDR* avrc_proc_vendor_command(uint8_t handle, uint8_t label,
355 BT_HDR* p_pkt,
356 tAVRC_MSG_VENDOR* p_msg) {
357 BT_HDR* p_rsp = NULL;
358 uint8_t* p_data;
359 uint8_t* p_begin;
360 uint8_t pkt_type;
361 bool abort_frag = false;
362 tAVRC_STS status = AVRC_STS_NO_ERROR;
363 tAVRC_FRAG_CB* p_fcb;
364
365 p_begin = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
366 p_data = p_begin + AVRC_VENDOR_HDR_SIZE;
367 pkt_type = *(p_data + 1) & AVRC_PKT_TYPE_MASK;
368
369 if (pkt_type != AVRC_PKT_SINGLE) {
370 /* reject - commands can only be in single packets at AVRCP level */
371 AVRC_TRACE_ERROR("commands must be in single packet pdu:0x%x", *p_data);
372 /* use the current GKI buffer to send the reject */
373 status = AVRC_STS_BAD_CMD;
374 }
375 /* check if there are fragments waiting to be sent */
376 else if (avrc_cb.fcb[handle].frag_enabled) {
377 p_fcb = &avrc_cb.fcb[handle];
378 if (p_msg->company_id == AVRC_CO_METADATA) {
379 switch (*p_data) {
380 case AVRC_PDU_ABORT_CONTINUATION_RSP:
381 /* aborted by CT - send accept response */
382 abort_frag = true;
383 p_begin = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
384 *p_begin = (AVRC_RSP_ACCEPT & AVRC_CTYPE_MASK);
385 if (*(p_data + 4) != p_fcb->frag_pdu) {
386 *p_begin = (AVRC_RSP_REJ & AVRC_CTYPE_MASK);
387 *(p_data + 4) = AVRC_STS_BAD_PARAM;
388 } else {
389 p_data = (p_begin + AVRC_VENDOR_HDR_SIZE + 2);
390 UINT16_TO_BE_STREAM(p_data, 0);
391 p_pkt->len = (p_data - p_begin);
392 }
393 AVCT_MsgReq(handle, label, AVCT_RSP, p_pkt);
394 p_msg->hdr.opcode =
395 AVRC_OP_DROP; /* used the p_pkt to send response */
396 break;
397
398 case AVRC_PDU_REQUEST_CONTINUATION_RSP:
399 if (*(p_data + 4) == p_fcb->frag_pdu) {
400 avrc_send_continue_frag(handle, label);
401 p_msg->hdr.opcode = AVRC_OP_DROP_N_FREE;
402 } else {
403 /* the pdu id does not match - reject the command using the current
404 * GKI buffer */
405 AVRC_TRACE_ERROR(
406 "%s continue pdu: 0x%x does not match the current pdu: 0x%x",
407 __func__, *(p_data + 4), p_fcb->frag_pdu);
408 status = AVRC_STS_BAD_PARAM;
409 abort_frag = true;
410 }
411 break;
412
413 default:
414 /* implicit abort */
415 abort_frag = true;
416 }
417 } else {
418 abort_frag = true;
419 /* implicit abort */
420 }
421
422 if (abort_frag) {
423 osi_free_and_reset((void**)&p_fcb->p_fmsg);
424 p_fcb->frag_enabled = false;
425 }
426 }
427
428 if (status != AVRC_STS_NO_ERROR) {
429 /* use the current GKI buffer to build/send the reject message */
430 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
431 *p_data++ = AVRC_RSP_REJ;
432 p_data += AVRC_VENDOR_HDR_SIZE; /* pdu */
433 *p_data++ = 0; /* pkt_type */
434 UINT16_TO_BE_STREAM(p_data, 1); /* len */
435 *p_data++ = status; /* error code */
436 p_pkt->len = AVRC_VENDOR_HDR_SIZE + 5;
437 p_rsp = p_pkt;
438 }
439
440 return p_rsp;
441 }
442
443 /******************************************************************************
444 *
445 * Function avrc_proc_far_msg
446 *
447 * Description This function processes metadata fragmenation
448 * and reassembly
449 *
450 * Returns 0, to report the message with msg_cback .
451 *
452 *****************************************************************************/
avrc_proc_far_msg(uint8_t handle,uint8_t label,uint8_t cr,BT_HDR ** pp_pkt,tAVRC_MSG_VENDOR * p_msg)453 static uint8_t avrc_proc_far_msg(uint8_t handle, uint8_t label, uint8_t cr,
454 BT_HDR** pp_pkt, tAVRC_MSG_VENDOR* p_msg) {
455 BT_HDR* p_pkt = *pp_pkt;
456 uint8_t* p_data;
457 uint8_t drop_code = 0;
458 bool buf_overflow = false;
459 BT_HDR* p_rsp = NULL;
460 BT_HDR* p_cmd = NULL;
461 bool req_continue = false;
462 BT_HDR* p_pkt_new = NULL;
463 uint8_t pkt_type;
464 tAVRC_RASM_CB* p_rcb;
465 tAVRC_NEXT_CMD avrc_cmd;
466 tAVRC_STS status;
467
468 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
469
470 /* Skip over vendor header (ctype, subunit*, opcode, CO_ID) */
471 p_data += AVRC_VENDOR_HDR_SIZE;
472
473 pkt_type = *(p_data + 1) & AVRC_PKT_TYPE_MASK;
474 AVRC_TRACE_DEBUG("pkt_type %d", pkt_type);
475 p_rcb = &avrc_cb.rcb[handle];
476
477 /* check if the message needs to be re-assembled */
478 if (pkt_type == AVRC_PKT_SINGLE || pkt_type == AVRC_PKT_START) {
479 /* previous fragments need to be dropped, when received another new message
480 */
481 p_rcb->rasm_offset = 0;
482 osi_free_and_reset((void**)&p_rcb->p_rmsg);
483 }
484
485 if (pkt_type != AVRC_PKT_SINGLE && cr == AVCT_RSP) {
486 /* not a single response packet - need to re-assemble metadata messages */
487 if (pkt_type == AVRC_PKT_START) {
488 /* Allocate buffer for re-assembly */
489 p_rcb->rasm_pdu = *p_data;
490 p_rcb->p_rmsg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
491 /* Copy START packet to buffer for re-assembling fragments */
492 memcpy(p_rcb->p_rmsg, p_pkt, sizeof(BT_HDR)); /* Copy bt hdr */
493
494 /* Copy metadata message */
495 memcpy((uint8_t*)(p_rcb->p_rmsg + 1),
496 (uint8_t*)(p_pkt + 1) + p_pkt->offset, p_pkt->len);
497
498 /* offset of start of metadata response in reassembly buffer */
499 p_rcb->p_rmsg->offset = p_rcb->rasm_offset = 0;
500
501 /*
502 * Free original START packet, replace with pointer to
503 * reassembly buffer.
504 */
505 osi_free(p_pkt);
506 *pp_pkt = p_rcb->p_rmsg;
507
508 /*
509 * Set offset to point to where to copy next - use the same
510 * reassembly logic as AVCT.
511 */
512 p_rcb->p_rmsg->offset += p_rcb->p_rmsg->len;
513 req_continue = true;
514 } else if (p_rcb->p_rmsg == NULL) {
515 /* Received a CONTINUE/END, but no corresponding START
516 (or previous fragmented response was dropped) */
517 AVRC_TRACE_DEBUG(
518 "Received a CONTINUE/END without no corresponding START \
519 (or previous fragmented response was dropped)");
520 drop_code = 5;
521 osi_free(p_pkt);
522 *pp_pkt = NULL;
523 } else {
524 /* get size of buffer holding assembled message */
525 /*
526 * NOTE: The buffer is allocated above at the beginning of the
527 * reassembly, and is always of size BT_DEFAULT_BUFFER_SIZE.
528 */
529 uint16_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR);
530 /* adjust offset and len of fragment for header byte */
531 p_pkt->offset += (AVRC_VENDOR_HDR_SIZE + AVRC_MIN_META_HDR_SIZE);
532 p_pkt->len -= (AVRC_VENDOR_HDR_SIZE + AVRC_MIN_META_HDR_SIZE);
533 /* verify length */
534 if ((p_rcb->p_rmsg->offset + p_pkt->len) > buf_len) {
535 AVRC_TRACE_WARNING(
536 "Fragmented message too big! - report the partial message");
537 p_pkt->len = buf_len - p_rcb->p_rmsg->offset;
538 pkt_type = AVRC_PKT_END;
539 buf_overflow = true;
540 }
541
542 /* copy contents of p_pkt to p_rx_msg */
543 memcpy((uint8_t*)(p_rcb->p_rmsg + 1) + p_rcb->p_rmsg->offset,
544 (uint8_t*)(p_pkt + 1) + p_pkt->offset, p_pkt->len);
545
546 if (pkt_type == AVRC_PKT_END) {
547 p_rcb->p_rmsg->offset = p_rcb->rasm_offset;
548 p_rcb->p_rmsg->len += p_pkt->len;
549 p_pkt_new = p_rcb->p_rmsg;
550 p_rcb->rasm_offset = 0;
551 p_rcb->p_rmsg = NULL;
552 p_msg->p_vendor_data = (uint8_t*)(p_pkt_new + 1) + p_pkt_new->offset;
553 p_msg->hdr.ctype = p_msg->p_vendor_data[0] & AVRC_CTYPE_MASK;
554 /* 6 = ctype, subunit*, opcode & CO_ID */
555 p_msg->p_vendor_data += AVRC_VENDOR_HDR_SIZE;
556 p_msg->vendor_len = p_pkt_new->len - AVRC_VENDOR_HDR_SIZE;
557 p_data = p_msg->p_vendor_data + 1; /* skip pdu */
558 *p_data++ = AVRC_PKT_SINGLE;
559 UINT16_TO_BE_STREAM(p_data,
560 (p_msg->vendor_len - AVRC_MIN_META_HDR_SIZE));
561 AVRC_TRACE_DEBUG("end frag:%d, total len:%d, offset:%d", p_pkt->len,
562 p_pkt_new->len, p_pkt_new->offset);
563 } else {
564 p_rcb->p_rmsg->offset += p_pkt->len;
565 p_rcb->p_rmsg->len += p_pkt->len;
566 p_pkt_new = NULL;
567 req_continue = true;
568 }
569 osi_free(p_pkt);
570 *pp_pkt = p_pkt_new;
571 }
572 }
573
574 if (cr == AVCT_CMD) {
575 p_rsp = avrc_proc_vendor_command(handle, label, *pp_pkt, p_msg);
576 if (p_rsp) {
577 AVCT_MsgReq(handle, label, AVCT_RSP, p_rsp);
578 drop_code = 3;
579 } else if (p_msg->hdr.opcode == AVRC_OP_DROP) {
580 drop_code = 1;
581 } else if (p_msg->hdr.opcode == AVRC_OP_DROP_N_FREE)
582 drop_code = 4;
583
584 } else if (cr == AVCT_RSP) {
585 if (req_continue == true) {
586 avrc_cmd.pdu = AVRC_PDU_REQUEST_CONTINUATION_RSP;
587 drop_code = 2;
588 } else if (buf_overflow == true) {
589 /* Incoming message too big to fit in BT_DEFAULT_BUFFER_SIZE. Send abort
590 * to peer */
591 avrc_cmd.pdu = AVRC_PDU_ABORT_CONTINUATION_RSP;
592 drop_code = 4;
593 } else {
594 return drop_code;
595 }
596 avrc_cmd.status = AVRC_STS_NO_ERROR;
597 avrc_cmd.target_pdu = p_rcb->rasm_pdu;
598 status = AVRC_BldCommand((tAVRC_COMMAND*)&avrc_cmd, &p_cmd);
599 if (status == AVRC_STS_NO_ERROR) {
600 AVRC_MsgReq(handle, (uint8_t)(label), AVRC_CMD_CTRL, p_cmd);
601 }
602 }
603
604 return drop_code;
605 }
606 #endif /* (AVRC_METADATA_INCLUDED == TRUE) */
607
608 /******************************************************************************
609 *
610 * Function avrc_msg_cback
611 *
612 * Description This is the callback function used by AVCTP to report
613 * received AV control messages.
614 *
615 * Returns Nothing.
616 *
617 *****************************************************************************/
avrc_msg_cback(uint8_t handle,uint8_t label,uint8_t cr,BT_HDR * p_pkt)618 static void avrc_msg_cback(uint8_t handle, uint8_t label, uint8_t cr,
619 BT_HDR* p_pkt) {
620 uint8_t opcode;
621 tAVRC_MSG msg;
622 uint8_t* p_data;
623 uint8_t* p_begin;
624 bool drop = false;
625 bool do_free = true;
626 BT_HDR* p_rsp = NULL;
627 uint8_t* p_rsp_data;
628 int xx;
629 bool reject = false;
630 const char* p_drop_msg = "dropped";
631 tAVRC_MSG_VENDOR* p_msg = &msg.vendor;
632
633 if (cr == AVCT_CMD && (p_pkt->layer_specific & AVCT_DATA_CTRL &&
634 AVRC_PACKET_LEN < sizeof(p_pkt->len))) {
635 /* Ignore the invalid AV/C command frame */
636 p_drop_msg = "dropped - too long AV/C cmd frame size";
637 osi_free(p_pkt);
638 return;
639 }
640
641 if (cr == AVCT_REJ) {
642 /* The peer thinks that this PID is no longer open - remove this handle */
643 /* */
644 osi_free(p_pkt);
645 AVCT_RemoveConn(handle);
646 return;
647 } else if (cr == AVCT_RSP) {
648 /* Received response. Stop command timeout timer */
649 AVRC_TRACE_DEBUG("AVRC: stopping timer (handle=0x%02x)", handle);
650 alarm_cancel(avrc_cb.ccb_int[handle].tle);
651 }
652
653 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
654 memset(&msg, 0, sizeof(tAVRC_MSG));
655
656 if (p_pkt->layer_specific == AVCT_DATA_BROWSE) {
657 opcode = AVRC_OP_BROWSE;
658 msg.browse.hdr.ctype = cr;
659 msg.browse.p_browse_data = p_data;
660 msg.browse.browse_len = p_pkt->len;
661 msg.browse.p_browse_pkt = p_pkt;
662 } else {
663 msg.hdr.ctype = p_data[0] & AVRC_CTYPE_MASK;
664 AVRC_TRACE_DEBUG("%s handle:%d, ctype:%d, offset:%d, len: %d", __func__,
665 handle, msg.hdr.ctype, p_pkt->offset, p_pkt->len);
666 msg.hdr.subunit_type =
667 (p_data[1] & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
668 msg.hdr.subunit_id = p_data[1] & AVRC_SUBID_MASK;
669 opcode = p_data[2];
670 }
671
672 if (((avrc_cb.ccb[handle].control & AVRC_CT_TARGET) && (cr == AVCT_CMD)) ||
673 ((avrc_cb.ccb[handle].control & AVRC_CT_CONTROL) && (cr == AVCT_RSP))) {
674 switch (opcode) {
675 case AVRC_OP_UNIT_INFO:
676 if (cr == AVCT_CMD) {
677 /* send the response to the peer */
678 p_rsp = avrc_copy_packet(p_pkt, AVRC_OP_UNIT_INFO_RSP_LEN);
679 p_rsp_data = avrc_get_data_ptr(p_rsp);
680 *p_rsp_data = AVRC_RSP_IMPL_STBL;
681 /* check & set the offset. set response code, set subunit_type &
682 subunit_id,
683 set AVRC_OP_UNIT_INFO */
684 /* 3 bytes: ctype, subunit*, opcode */
685 p_rsp_data += AVRC_AVC_HDR_SIZE;
686 *p_rsp_data++ = 7;
687 /* Panel subunit & id=0 */
688 *p_rsp_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT);
689 AVRC_CO_ID_TO_BE_STREAM(p_rsp_data, avrc_cb.ccb[handle].company_id);
690 p_rsp->len =
691 (uint16_t)(p_rsp_data - (uint8_t*)(p_rsp + 1) - p_rsp->offset);
692 cr = AVCT_RSP;
693 p_drop_msg = "auto respond";
694 } else {
695 /* parse response */
696 p_data += 4; /* 3 bytes: ctype, subunit*, opcode + octet 3 (is 7)*/
697 msg.unit.unit_type =
698 (*p_data & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
699 msg.unit.unit = *p_data & AVRC_SUBID_MASK;
700 p_data++;
701 AVRC_BE_STREAM_TO_CO_ID(msg.unit.company_id, p_data);
702 }
703 break;
704
705 case AVRC_OP_SUB_INFO:
706 if (cr == AVCT_CMD) {
707 /* send the response to the peer */
708 p_rsp = avrc_copy_packet(p_pkt, AVRC_OP_SUB_UNIT_INFO_RSP_LEN);
709 p_rsp_data = avrc_get_data_ptr(p_rsp);
710 *p_rsp_data = AVRC_RSP_IMPL_STBL;
711 /* check & set the offset. set response code, set (subunit_type &
712 subunit_id),
713 set AVRC_OP_SUB_INFO, set (page & extention code) */
714 p_rsp_data += 4;
715 /* Panel subunit & id=0 */
716 *p_rsp_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT);
717 memset(p_rsp_data, AVRC_CMD_OPRND_PAD, AVRC_SUBRSP_OPRND_BYTES);
718 p_rsp_data += AVRC_SUBRSP_OPRND_BYTES;
719 p_rsp->len =
720 (uint16_t)(p_rsp_data - (uint8_t*)(p_rsp + 1) - p_rsp->offset);
721 cr = AVCT_RSP;
722 p_drop_msg = "auto responded";
723 } else {
724 /* parse response */
725 p_data += AVRC_AVC_HDR_SIZE; /* 3 bytes: ctype, subunit*, opcode */
726 msg.sub.page =
727 (*p_data++ >> AVRC_SUB_PAGE_SHIFT) & AVRC_SUB_PAGE_MASK;
728 xx = 0;
729 while (*p_data != AVRC_CMD_OPRND_PAD && xx < AVRC_SUB_TYPE_LEN) {
730 msg.sub.subunit_type[xx] = *p_data++ >> AVRC_SUBTYPE_SHIFT;
731 if (msg.sub.subunit_type[xx] == AVRC_SUB_PANEL)
732 msg.sub.panel = true;
733 xx++;
734 }
735 }
736 break;
737
738 case AVRC_OP_VENDOR: {
739 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
740 p_begin = p_data;
741 if (p_pkt->len <
742 AVRC_VENDOR_HDR_SIZE) /* 6 = ctype, subunit*, opcode & CO_ID */
743 {
744 if (cr == AVCT_CMD)
745 reject = true;
746 else
747 drop = true;
748 break;
749 }
750 p_data += AVRC_AVC_HDR_SIZE; /* skip the first 3 bytes: ctype, subunit*,
751 opcode */
752 AVRC_BE_STREAM_TO_CO_ID(p_msg->company_id, p_data);
753 p_msg->p_vendor_data = p_data;
754 p_msg->vendor_len = p_pkt->len - (p_data - p_begin);
755
756 #if (AVRC_METADATA_INCLUDED == TRUE)
757 uint8_t drop_code = 0;
758 if (p_msg->company_id == AVRC_CO_METADATA) {
759 /* Validate length for metadata message */
760 if (p_pkt->len < (AVRC_VENDOR_HDR_SIZE + AVRC_MIN_META_HDR_SIZE)) {
761 if (cr == AVCT_CMD)
762 reject = true;
763 else
764 drop = true;
765 break;
766 }
767
768 /* Check+handle fragmented messages */
769 drop_code = avrc_proc_far_msg(handle, label, cr, &p_pkt, p_msg);
770 if (drop_code > 0) drop = true;
771 }
772 if (drop_code > 0) {
773 if (drop_code != 4) do_free = false;
774 switch (drop_code) {
775 case 1:
776 p_drop_msg = "sent_frag";
777 break;
778 case 2:
779 p_drop_msg = "req_cont";
780 break;
781 case 3:
782 p_drop_msg = "sent_frag3";
783 break;
784 case 4:
785 p_drop_msg = "sent_frag_free";
786 break;
787 default:
788 p_drop_msg = "sent_fragd";
789 }
790 }
791 #endif /* (AVRC_METADATA_INCLUDED == TRUE) */
792 /* If vendor response received, and did not ask for continuation */
793 /* then check queue for addition commands to send */
794 if ((cr == AVCT_RSP) && (drop_code != 2)) {
795 avrc_send_next_vendor_cmd(handle);
796 }
797 } break;
798
799 case AVRC_OP_PASS_THRU:
800 if (p_pkt->len < 5) /* 3 bytes: ctype, subunit*, opcode & op_id & len */
801 {
802 if (cr == AVCT_CMD)
803 reject = true;
804 else
805 drop = true;
806 break;
807 }
808 p_data += AVRC_AVC_HDR_SIZE; /* skip the first 3 bytes: ctype, subunit*,
809 opcode */
810 msg.pass.op_id = (AVRC_PASS_OP_ID_MASK & *p_data);
811 if (AVRC_PASS_STATE_MASK & *p_data)
812 msg.pass.state = true;
813 else
814 msg.pass.state = false;
815 p_data++;
816 msg.pass.pass_len = *p_data++;
817 if (msg.pass.pass_len != p_pkt->len - 5)
818 msg.pass.pass_len = p_pkt->len - 5;
819 if (msg.pass.pass_len)
820 msg.pass.p_pass_data = p_data;
821 else
822 msg.pass.p_pass_data = NULL;
823 break;
824
825 case AVRC_OP_BROWSE:
826 /* If browse response received, then check queue for addition commands
827 * to send */
828 if (cr == AVCT_RSP) {
829 avrc_send_next_vendor_cmd(handle);
830 }
831 break;
832
833 default:
834 if ((avrc_cb.ccb[handle].control & AVRC_CT_TARGET) &&
835 (cr == AVCT_CMD)) {
836 /* reject unsupported opcode */
837 reject = true;
838 }
839 drop = true;
840 break;
841 }
842 } else /* drop the event */
843 {
844 if (opcode != AVRC_OP_BROWSE) drop = true;
845 }
846
847 if (reject) {
848 /* reject unsupported opcode */
849 p_rsp = avrc_copy_packet(p_pkt, AVRC_OP_REJ_MSG_LEN);
850 p_rsp_data = avrc_get_data_ptr(p_rsp);
851 *p_rsp_data = AVRC_RSP_REJ;
852 p_drop_msg = "rejected";
853 cr = AVCT_RSP;
854 drop = true;
855 }
856
857 if (p_rsp) {
858 /* set to send response right away */
859 AVCT_MsgReq(handle, label, cr, p_rsp);
860 drop = true;
861 }
862
863 if (drop == false) {
864 msg.hdr.opcode = opcode;
865 (*avrc_cb.ccb[handle].p_msg_cback)(handle, label, opcode, &msg);
866 } else {
867 AVRC_TRACE_WARNING("%s %s msg handle:%d, control:%d, cr:%d, opcode:x%x",
868 __func__, p_drop_msg, handle,
869 avrc_cb.ccb[handle].control, cr, opcode);
870 }
871
872 if (opcode == AVRC_OP_BROWSE && msg.browse.p_browse_pkt == NULL) {
873 do_free = false;
874 }
875
876 if (do_free) osi_free(p_pkt);
877 }
878
AVRC_build_empty_packet(BT_HDR * p_pkt)879 static void AVRC_build_empty_packet(BT_HDR* p_pkt) {
880 uint8_t* p_start = ((uint8_t*)(p_pkt + 1) + p_pkt->offset);
881 *p_start = AVRC_RSP_ACCEPT & AVRC_CTYPE_MASK;
882 p_start += AVRC_VENDOR_HDR_SIZE;
883 UINT8_TO_BE_STREAM(p_start, 0);
884 UINT8_TO_BE_STREAM(p_start, AVRC_PKT_SINGLE);
885 UINT16_TO_BE_STREAM(p_start, 0);
886 p_pkt->len = AVRC_VENDOR_HDR_SIZE + 4;
887 }
888
AVRC_build_error_packet(BT_HDR * p_pkt)889 static void AVRC_build_error_packet(BT_HDR* p_pkt) {
890 uint8_t* p_start = ((uint8_t*)(p_pkt + 1) + p_pkt->offset);
891 *p_start = AVRC_RSP_REJ & AVRC_CTYPE_MASK;
892 p_start += AVRC_VENDOR_HDR_SIZE;
893 UINT8_TO_BE_STREAM(p_start, 0);
894 UINT8_TO_BE_STREAM(p_start, AVRC_PKT_SINGLE);
895 UINT16_TO_BE_STREAM(p_start, 1);
896 UINT8_TO_BE_STREAM(p_start, AVRC_STS_BAD_PARAM);
897 p_pkt->len = AVRC_VENDOR_HDR_SIZE + 5;
898 }
899
AVRC_HandleContinueRsp(uint8_t handle,uint8_t label,BT_HDR * p_pkt)900 static uint16_t AVRC_HandleContinueRsp(uint8_t handle, uint8_t label,
901 BT_HDR* p_pkt) {
902 AVRC_TRACE_DEBUG("%s()", __func__);
903
904 uint8_t* p_data =
905 ((uint8_t*)(p_pkt + 1) + p_pkt->offset + AVRC_VENDOR_HDR_SIZE);
906 tAVRC_FRAG_CB* p_fcb = &avrc_cb.fcb[handle];
907
908 uint8_t pdu, pkt_type, target_pdu;
909 uint16_t len;
910
911 BE_STREAM_TO_UINT8(pdu, p_data);
912 BE_STREAM_TO_UINT8(pkt_type, p_data);
913 BE_STREAM_TO_UINT16(len, p_data);
914 BE_STREAM_TO_UINT8(target_pdu, p_data);
915
916 if (pdu == AVRC_PDU_REQUEST_CONTINUATION_RSP &&
917 target_pdu == p_fcb->frag_pdu) {
918 return avrc_send_continue_frag(handle, label);
919 }
920
921 if (pdu == AVRC_PDU_ABORT_CONTINUATION_RSP && target_pdu == p_fcb->frag_pdu) {
922 AVRC_build_empty_packet(p_pkt);
923 } else {
924 AVRC_TRACE_ERROR("%s() error: target_pdu: 0x%02x, frag_pdu: 0x%02x",
925 __func__, *(p_data + 4), p_fcb->frag_pdu);
926 AVRC_build_error_packet(p_pkt);
927 }
928
929 p_fcb->frag_enabled = false;
930 osi_free_and_reset((void**)&p_fcb->p_fmsg);
931
932 return AVCT_MsgReq(handle, label, AVCT_RSP, p_pkt);
933 }
934
935 /******************************************************************************
936 *
937 * Function avrc_pass_msg
938 *
939 * Description Compose a PASS THROUGH command according to p_msg
940 *
941 * Input Parameters:
942 * p_msg: Pointer to PASS THROUGH message structure.
943 *
944 * Output Parameters:
945 * None.
946 *
947 * Returns pointer to a valid GKI buffer if successful.
948 * NULL if p_msg is NULL.
949 *
950 *****************************************************************************/
avrc_pass_msg(tAVRC_MSG_PASS * p_msg)951 static BT_HDR* avrc_pass_msg(tAVRC_MSG_PASS* p_msg) {
952 CHECK(p_msg != NULL);
953 CHECK(AVRC_CMD_BUF_SIZE > (AVRC_MIN_CMD_LEN + p_msg->pass_len));
954
955 BT_HDR* p_cmd = (BT_HDR*)osi_malloc(AVRC_CMD_BUF_SIZE);
956 p_cmd->offset = AVCT_MSG_OFFSET;
957 p_cmd->layer_specific = AVCT_DATA_CTRL;
958
959 uint8_t* p_data = (uint8_t*)(p_cmd + 1) + p_cmd->offset;
960 *p_data++ = (p_msg->hdr.ctype & AVRC_CTYPE_MASK);
961 *p_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT); /* Panel subunit & id=0 */
962 *p_data++ = AVRC_OP_PASS_THRU;
963 *p_data = (AVRC_PASS_OP_ID_MASK & p_msg->op_id);
964 if (p_msg->state) *p_data |= AVRC_PASS_STATE_MASK;
965 p_data++;
966
967 if (p_msg->op_id == AVRC_ID_VENDOR) {
968 *p_data++ = p_msg->pass_len;
969 if (p_msg->pass_len && p_msg->p_pass_data) {
970 memcpy(p_data, p_msg->p_pass_data, p_msg->pass_len);
971 p_data += p_msg->pass_len;
972 }
973 } else {
974 /* set msg len to 0 for other op_id */
975 *p_data++ = 0;
976 }
977 p_cmd->len = (uint16_t)(p_data - (uint8_t*)(p_cmd + 1) - p_cmd->offset);
978
979 return p_cmd;
980 }
981
982 /******************************************************************************
983 *
984 * Function AVRC_Open
985 *
986 * Description This function is called to open a connection to AVCTP.
987 * The connection can be either an initiator or acceptor, as
988 * determined by the p_ccb->stream parameter.
989 * The connection can be a target, a controller or for both
990 * role, as determined by the p_ccb->control parameter.
991 * By definition, a target connection is an acceptor connection
992 * that waits for an incoming AVCTP connection from the peer.
993 * The connection remains available to the application until
994 * the application closes it by calling AVRC_Close(). The
995 * application does not need to reopen the connection after an
996 * AVRC_CLOSE_IND_EVT is received.
997 *
998 * Input Parameters:
999 * p_ccb->company_id: Company Identifier.
1000 *
1001 * p_ccb->p_ctrl_cback: Pointer to control callback
1002 * function.
1003 *
1004 * p_ccb->p_msg_cback: Pointer to message callback
1005 * function.
1006 *
1007 * p_ccb->conn: AVCTP connection role. This is set to
1008 * AVCTP_INT for initiator connections and AVCTP_ACP
1009 * for acceptor connections.
1010 *
1011 * p_ccb->control: Control role. This is set to
1012 * AVRC_CT_TARGET for target connections, AVRC_CT_CONTROL
1013 * for control connections or
1014 * (AVRC_CT_TARGET|AVRC_CT_CONTROL)
1015 * for connections that support both roles.
1016 *
1017 * peer_addr: BD address of peer device. This value is
1018 * only used for initiator connections; for acceptor
1019 * connections it can be set to NULL.
1020 *
1021 * Output Parameters:
1022 * p_handle: Pointer to handle. This parameter is only
1023 * valid if AVRC_SUCCESS is returned.
1024 *
1025 * Returns AVRC_SUCCESS if successful.
1026 * AVRC_NO_RESOURCES if there are not enough resources to open
1027 * the connection.
1028 *
1029 *****************************************************************************/
AVRC_Open(uint8_t * p_handle,tAVRC_CONN_CB * p_ccb,BD_ADDR_PTR peer_addr)1030 uint16_t AVRC_Open(uint8_t* p_handle, tAVRC_CONN_CB* p_ccb,
1031 BD_ADDR_PTR peer_addr) {
1032 uint16_t status;
1033 tAVCT_CC cc;
1034
1035 cc.p_ctrl_cback = avrc_ctrl_cback; /* Control callback */
1036 cc.p_msg_cback = avrc_msg_cback; /* Message callback */
1037 cc.pid = UUID_SERVCLASS_AV_REMOTE_CONTROL; /* Profile ID */
1038 cc.role = p_ccb->conn; /* Initiator/acceptor role */
1039 cc.control = p_ccb->control; /* Control role (Control/Target) */
1040
1041 status = AVCT_CreateConn(p_handle, &cc, peer_addr);
1042 if (status == AVCT_SUCCESS) {
1043 memcpy(&avrc_cb.ccb[*p_handle], p_ccb, sizeof(tAVRC_CONN_CB));
1044 memset(&avrc_cb.ccb_int[*p_handle], 0, sizeof(tAVRC_CONN_INT_CB));
1045 #if (AVRC_METADATA_INCLUDED == TRUE)
1046 memset(&avrc_cb.fcb[*p_handle], 0, sizeof(tAVRC_FRAG_CB));
1047 memset(&avrc_cb.rcb[*p_handle], 0, sizeof(tAVRC_RASM_CB));
1048 #endif
1049 avrc_cb.ccb_int[*p_handle].tle = alarm_new("avrcp.commandTimer");
1050 avrc_cb.ccb_int[*p_handle].cmd_q = fixed_queue_new(SIZE_MAX);
1051 }
1052 AVRC_TRACE_DEBUG("%s role: %d, control:%d status:%d, handle:%d", __func__,
1053 cc.role, cc.control, status, *p_handle);
1054
1055 return status;
1056 }
1057
1058 /******************************************************************************
1059 *
1060 * Function AVRC_Close
1061 *
1062 * Description Close a connection opened with AVRC_Open().
1063 * This function is called when the
1064 * application is no longer using a connection.
1065 *
1066 * Input Parameters:
1067 * handle: Handle of this connection.
1068 *
1069 * Output Parameters:
1070 * None.
1071 *
1072 * Returns AVRC_SUCCESS if successful.
1073 * AVRC_BAD_HANDLE if handle is invalid.
1074 *
1075 *****************************************************************************/
AVRC_Close(uint8_t handle)1076 uint16_t AVRC_Close(uint8_t handle) {
1077 AVRC_TRACE_DEBUG("%s handle:%d", __func__, handle);
1078 return AVCT_RemoveConn(handle);
1079 }
1080
1081 /******************************************************************************
1082 *
1083 * Function AVRC_OpenBrowse
1084 *
1085 * Description This function is called to open a browsing connection to
1086 * AVCTP. The connection can be either an initiator or
1087 * acceptor, as determined by the p_conn_role.
1088 * The handle is returned by a previous call to AVRC_Open.
1089 *
1090 * Returns AVRC_SUCCESS if successful.
1091 * AVRC_NO_RESOURCES if there are not enough resources to open
1092 * the connection.
1093 *
1094 *****************************************************************************/
AVRC_OpenBrowse(uint8_t handle,uint8_t conn_role)1095 uint16_t AVRC_OpenBrowse(uint8_t handle, uint8_t conn_role) {
1096 return AVCT_CreateBrowse(handle, conn_role);
1097 }
1098
1099 /******************************************************************************
1100 *
1101 * Function AVRC_CloseBrowse
1102 *
1103 * Description Close a connection opened with AVRC_OpenBrowse().
1104 * This function is called when the
1105 * application is no longer using a connection.
1106 *
1107 * Returns AVRC_SUCCESS if successful.
1108 * AVRC_BAD_HANDLE if handle is invalid.
1109 *
1110 *****************************************************************************/
AVRC_CloseBrowse(uint8_t handle)1111 uint16_t AVRC_CloseBrowse(uint8_t handle) { return AVCT_RemoveBrowse(handle); }
1112
1113 /******************************************************************************
1114 *
1115 * Function AVRC_MsgReq
1116 *
1117 * Description This function is used to send the AVRCP byte stream in p_pkt
1118 * down to AVCTP.
1119 *
1120 * It is expected that p_pkt->offset is at least
1121 * AVCT_MSG_OFFSET
1122 * p_pkt->layer_specific is AVCT_DATA_CTRL or AVCT_DATA_BROWSE
1123 * p_pkt->event is AVRC_OP_VENDOR, AVRC_OP_PASS_THRU or
1124 * AVRC_OP_BROWSE
1125 * The above BT_HDR settings are set by the AVRC_Bld*
1126 * functions.
1127 *
1128 * Returns AVRC_SUCCESS if successful.
1129 * AVRC_BAD_HANDLE if handle is invalid.
1130 *
1131 *****************************************************************************/
AVRC_MsgReq(uint8_t handle,uint8_t label,uint8_t ctype,BT_HDR * p_pkt)1132 uint16_t AVRC_MsgReq(uint8_t handle, uint8_t label, uint8_t ctype,
1133 BT_HDR* p_pkt) {
1134 #if (AVRC_METADATA_INCLUDED == TRUE)
1135 uint8_t* p_data;
1136 uint8_t cr = AVCT_CMD;
1137 bool chk_frag = true;
1138 uint8_t* p_start = NULL;
1139 tAVRC_FRAG_CB* p_fcb;
1140 uint16_t len;
1141 uint16_t status;
1142 uint8_t msg_mask = 0;
1143 uint16_t peer_mtu;
1144
1145 if (!p_pkt) return AVRC_BAD_PARAM;
1146
1147 AVRC_TRACE_DEBUG("%s handle = %u label = %u ctype = %u len = %d", __func__,
1148 handle, label, ctype, p_pkt->len);
1149
1150 if (ctype >= AVRC_RSP_NOT_IMPL) cr = AVCT_RSP;
1151
1152 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
1153 if (*p_data == AVRC_PDU_REQUEST_CONTINUATION_RSP ||
1154 *p_data == AVRC_PDU_ABORT_CONTINUATION_RSP) {
1155 return AVRC_HandleContinueRsp(handle, label, p_pkt);
1156 }
1157
1158 if (p_pkt->event == AVRC_OP_VENDOR) {
1159 /* add AVRCP Vendor Dependent headers */
1160 p_start = ((uint8_t*)(p_pkt + 1) + p_pkt->offset);
1161 p_pkt->offset -= AVRC_VENDOR_HDR_SIZE;
1162 p_pkt->len += AVRC_VENDOR_HDR_SIZE;
1163 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
1164 *p_data++ = (ctype & AVRC_CTYPE_MASK);
1165 *p_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT);
1166 *p_data++ = AVRC_OP_VENDOR;
1167 AVRC_CO_ID_TO_BE_STREAM(p_data, AVRC_CO_METADATA);
1168
1169 /* Check if this is a AVRC_PDU_REQUEST_CONTINUATION_RSP */
1170 if (cr == AVCT_CMD) {
1171 msg_mask |= AVRC_MSG_MASK_IS_VENDOR_CMD;
1172
1173 if ((*p_start == AVRC_PDU_REQUEST_CONTINUATION_RSP) ||
1174 (*p_start == AVRC_PDU_ABORT_CONTINUATION_RSP)) {
1175 msg_mask |= AVRC_MSG_MASK_IS_CONTINUATION_RSP;
1176 }
1177 }
1178 } else if (p_pkt->event == AVRC_OP_PASS_THRU) {
1179 /* add AVRCP Pass Through headers */
1180 p_start = ((uint8_t*)(p_pkt + 1) + p_pkt->offset);
1181 p_pkt->offset -= AVRC_PASS_THRU_SIZE;
1182 p_pkt->len += AVRC_PASS_THRU_SIZE;
1183 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
1184 *p_data++ = (ctype & AVRC_CTYPE_MASK);
1185 *p_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT);
1186 *p_data++ = AVRC_OP_PASS_THRU; /* opcode */
1187 *p_data++ = AVRC_ID_VENDOR; /* operation id */
1188 *p_data++ = 5; /* operation data len */
1189 AVRC_CO_ID_TO_BE_STREAM(p_data, AVRC_CO_METADATA);
1190 } else {
1191 chk_frag = false;
1192 peer_mtu = AVCT_GetBrowseMtu(handle);
1193 if (p_pkt->len > (peer_mtu - AVCT_HDR_LEN_SINGLE)) {
1194 AVRC_TRACE_ERROR(
1195 "%s bigger than peer mtu (p_pkt->len(%d) > peer_mtu(%d-%d))",
1196 __func__, p_pkt->len, peer_mtu, AVCT_HDR_LEN_SINGLE);
1197 osi_free(p_pkt);
1198 return AVRC_MSG_TOO_BIG;
1199 }
1200 }
1201
1202 /* abandon previous fragments */
1203 p_fcb = &avrc_cb.fcb[handle];
1204
1205 if (p_fcb == NULL) {
1206 AVRC_TRACE_ERROR("%s p_fcb is NULL", __func__);
1207 osi_free(p_pkt);
1208 return AVRC_NOT_OPEN;
1209 }
1210
1211 if (p_fcb->frag_enabled) p_fcb->frag_enabled = false;
1212
1213 osi_free_and_reset((void**)&p_fcb->p_fmsg);
1214
1215 /* AVRCP spec has not defined any control channel commands that needs
1216 * fragmentation at this level
1217 * check for fragmentation only on the response */
1218 if ((cr == AVCT_RSP) && (chk_frag == true)) {
1219 if (p_pkt->len > AVRC_MAX_CTRL_DATA_LEN) {
1220 int offset_len = MAX(AVCT_MSG_OFFSET, p_pkt->offset);
1221 BT_HDR* p_pkt_new =
1222 (BT_HDR*)osi_malloc(AVRC_PACKET_LEN + offset_len + BT_HDR_SIZE);
1223 if (p_start != NULL) {
1224 p_fcb->frag_enabled = true;
1225 p_fcb->p_fmsg = p_pkt;
1226 p_fcb->frag_pdu = *p_start;
1227 p_pkt = p_pkt_new;
1228 p_pkt_new = p_fcb->p_fmsg;
1229 p_pkt->len = AVRC_MAX_CTRL_DATA_LEN;
1230 p_pkt->offset = p_pkt_new->offset;
1231 p_pkt->layer_specific = p_pkt_new->layer_specific;
1232 p_pkt->event = p_pkt_new->event;
1233 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
1234 p_start -= AVRC_VENDOR_HDR_SIZE;
1235 memcpy(p_data, p_start, AVRC_MAX_CTRL_DATA_LEN);
1236 /* use AVRC start packet type */
1237 p_data += AVRC_VENDOR_HDR_SIZE;
1238 p_data++; /* pdu */
1239 *p_data++ = AVRC_PKT_START;
1240
1241 /* 4 pdu, pkt_type & len */
1242 len = (AVRC_MAX_CTRL_DATA_LEN - AVRC_VENDOR_HDR_SIZE -
1243 AVRC_MIN_META_HDR_SIZE);
1244 UINT16_TO_BE_STREAM(p_data, len);
1245
1246 /* prepare the left over for as an end fragment */
1247 avrc_prep_end_frag(handle);
1248 AVRC_TRACE_DEBUG("%s p_pkt len:%d/%d, next len:%d", __func__,
1249 p_pkt->len, len, p_fcb->p_fmsg->len);
1250 } else {
1251 /* TODO: Is this "else" block valid? Remove it? */
1252 AVRC_TRACE_ERROR("%s no buffers for fragmentation", __func__);
1253 osi_free(p_pkt);
1254 return AVRC_NO_RESOURCES;
1255 }
1256 }
1257 } else if ((p_pkt->event == AVRC_OP_VENDOR) && (cr == AVCT_CMD) &&
1258 (avrc_cb.ccb_int[handle].flags & AVRC_CB_FLAGS_RSP_PENDING) &&
1259 !(msg_mask & AVRC_MSG_MASK_IS_CONTINUATION_RSP)) {
1260 /* If we are sending a vendor specific command, and a response is pending,
1261 * then enqueue the command until the response has been received.
1262 * This is to interop with TGs that abort sending responses whenever a new
1263 * command
1264 * is received (exception is continuation request command
1265 * must sent that to get additional response frags) */
1266 AVRC_TRACE_DEBUG(
1267 "AVRC: Enqueuing command 0x%08x (handle=0x%02x, label=0x%02x)", p_pkt,
1268 handle, label);
1269
1270 /* label in BT_HDR (will need this later when the command is dequeued) */
1271 p_pkt->layer_specific = (label << 8) | (p_pkt->layer_specific & 0xFF);
1272
1273 /* Enqueue the command */
1274 fixed_queue_enqueue(avrc_cb.ccb_int[handle].cmd_q, p_pkt);
1275 return AVRC_SUCCESS;
1276 }
1277
1278 /* Send the message */
1279 status = AVCT_MsgReq(handle, label, cr, p_pkt);
1280 if ((status == AVCT_SUCCESS) && (cr == AVCT_CMD)) {
1281 /* If a command was successfully sent, indicate that a response is pending
1282 */
1283 avrc_cb.ccb_int[handle].flags |= AVRC_CB_FLAGS_RSP_PENDING;
1284
1285 /* Start command timer to wait for response */
1286 avrc_start_cmd_timer(handle, label, msg_mask);
1287 }
1288
1289 return status;
1290 #else
1291 return AVRC_NO_RESOURCES;
1292 #endif
1293 }
1294
1295 /******************************************************************************
1296 *
1297 * Function AVRC_PassCmd
1298 *
1299 * Description Send a PASS THROUGH command to the peer device. This
1300 * function can only be called for controller role connections.
1301 * Any response message from the peer is passed back through
1302 * the tAVRC_MSG_CBACK callback function.
1303 *
1304 * Input Parameters:
1305 * handle: Handle of this connection.
1306 *
1307 * label: Transaction label.
1308 *
1309 * p_msg: Pointer to PASS THROUGH message structure.
1310 *
1311 * Output Parameters:
1312 * None.
1313 *
1314 * Returns AVRC_SUCCESS if successful.
1315 * AVRC_BAD_HANDLE if handle is invalid.
1316 *
1317 *****************************************************************************/
AVRC_PassCmd(uint8_t handle,uint8_t label,tAVRC_MSG_PASS * p_msg)1318 uint16_t AVRC_PassCmd(uint8_t handle, uint8_t label, tAVRC_MSG_PASS* p_msg) {
1319 BT_HDR* p_buf;
1320 uint16_t status = AVRC_NO_RESOURCES;
1321 if (!p_msg) return AVRC_BAD_PARAM;
1322
1323 p_msg->hdr.ctype = AVRC_CMD_CTRL;
1324 p_buf = avrc_pass_msg(p_msg);
1325 if (p_buf) {
1326 status = AVCT_MsgReq(handle, label, AVCT_CMD, p_buf);
1327 if (status == AVCT_SUCCESS) {
1328 /* Start command timer to wait for response */
1329 avrc_start_cmd_timer(handle, label, 0);
1330 }
1331 }
1332 return (status);
1333 }
1334
1335 /******************************************************************************
1336 *
1337 * Function AVRC_PassRsp
1338 *
1339 * Description Send a PASS THROUGH response to the peer device. This
1340 * function can only be called for target role connections.
1341 * This function must be called when a PASS THROUGH command
1342 * message is received from the peer through the
1343 * tAVRC_MSG_CBACK callback function.
1344 *
1345 * Input Parameters:
1346 * handle: Handle of this connection.
1347 *
1348 * label: Transaction label. Must be the same value as
1349 * passed with the command message in the callback
1350 * function.
1351 *
1352 * p_msg: Pointer to PASS THROUGH message structure.
1353 *
1354 * Output Parameters:
1355 * None.
1356 *
1357 * Returns AVRC_SUCCESS if successful.
1358 * AVRC_BAD_HANDLE if handle is invalid.
1359 *
1360 *****************************************************************************/
AVRC_PassRsp(uint8_t handle,uint8_t label,tAVRC_MSG_PASS * p_msg)1361 uint16_t AVRC_PassRsp(uint8_t handle, uint8_t label, tAVRC_MSG_PASS* p_msg) {
1362 BT_HDR* p_buf;
1363 if (!p_msg) return AVRC_BAD_PARAM;
1364
1365 p_buf = avrc_pass_msg(p_msg);
1366 if (p_buf) return AVCT_MsgReq(handle, label, AVCT_RSP, p_buf);
1367 return AVRC_NO_RESOURCES;
1368 }
1369