1 /******************************************************************************
2 *
3 * Copyright 2003-2016 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * Interface to AVRCP mandatory commands
22 *
23 ******************************************************************************/
24 #include <base/logging.h>
25 #include <string.h>
26
27 #include <log/log.h>
28
29 #include "avrc_api.h"
30 #include "avrc_int.h"
31 #include "bt_common.h"
32 #include "btu.h"
33 #include "osi/include/fixed_queue.h"
34 #include "osi/include/osi.h"
35
36 /*****************************************************************************
37 * Global data
38 ****************************************************************************/
39
40 #define AVRC_MAX_RCV_CTRL_EVT AVCT_BROWSE_UNCONG_IND_EVT
41
42 #ifndef MAX
43 #define MAX(a, b) ((a) > (b) ? (a) : (b))
44 #endif
45
46 static const uint8_t avrc_ctrl_event_map[] = {
47 AVRC_OPEN_IND_EVT, /* AVCT_CONNECT_CFM_EVT */
48 AVRC_OPEN_IND_EVT, /* AVCT_CONNECT_IND_EVT */
49 AVRC_CLOSE_IND_EVT, /* AVCT_DISCONNECT_CFM_EVT */
50 AVRC_CLOSE_IND_EVT, /* AVCT_DISCONNECT_IND_EVT */
51 AVRC_CONG_IND_EVT, /* AVCT_CONG_IND_EVT */
52 AVRC_UNCONG_IND_EVT, /* AVCT_UNCONG_IND_EVT */
53 AVRC_BROWSE_OPEN_IND_EVT, /* AVCT_BROWSE_CONN_CFM_EVT */
54 AVRC_BROWSE_OPEN_IND_EVT, /* AVCT_BROWSE_CONN_IND_EVT */
55 AVRC_BROWSE_CLOSE_IND_EVT, /* AVCT_BROWSE_DISCONN_CFM_EVT */
56 AVRC_BROWSE_CLOSE_IND_EVT, /* AVCT_BROWSE_DISCONN_IND_EVT */
57 AVRC_BROWSE_CONG_IND_EVT, /* AVCT_BROWSE_CONG_IND_EVT */
58 AVRC_BROWSE_UNCONG_IND_EVT /* AVCT_BROWSE_UNCONG_IND_EVT */
59 };
60
61 /* use this unused opcode to indication no need to call the callback function */
62 #define AVRC_OP_DROP 0xFE
63 /* use this unused opcode to indication no need to call the callback function &
64 * free buffer */
65 #define AVRC_OP_DROP_N_FREE 0xFD
66
67 #define AVRC_OP_UNIT_INFO_RSP_LEN 8
68 #define AVRC_OP_SUB_UNIT_INFO_RSP_LEN 8
69 #define AVRC_OP_REJ_MSG_LEN 11
70
71 /* Flags definitions for AVRC_MsgReq */
72 #define AVRC_MSG_MASK_IS_VENDOR_CMD 0x01
73 #define AVRC_MSG_MASK_IS_CONTINUATION_RSP 0x02
74
75 /******************************************************************************
76 *
77 * Function avrc_ctrl_cback
78 *
79 * Description This is the callback function used by AVCTP to report
80 * received link events.
81 *
82 * Returns Nothing.
83 *
84 *****************************************************************************/
avrc_ctrl_cback(uint8_t handle,uint8_t event,uint16_t result,const RawAddress * peer_addr)85 static void avrc_ctrl_cback(uint8_t handle, uint8_t event, uint16_t result,
86 const RawAddress* peer_addr) {
87 uint8_t avrc_event;
88
89 if (event <= AVRC_MAX_RCV_CTRL_EVT && avrc_cb.ccb[handle].ctrl_cback) {
90 avrc_event = avrc_ctrl_event_map[event];
91 if (event == AVCT_CONNECT_CFM_EVT) {
92 if (result != 0) /* failed */
93 avrc_event = AVRC_CLOSE_IND_EVT;
94 }
95 avrc_cb.ccb[handle].ctrl_cback.Run(handle, avrc_event, result, peer_addr);
96 }
97
98 if ((event == AVCT_DISCONNECT_CFM_EVT) ||
99 (event == AVCT_DISCONNECT_IND_EVT)) {
100 avrc_flush_cmd_q(handle);
101 alarm_free(avrc_cb.ccb_int[handle].tle);
102 avrc_cb.ccb_int[handle].tle = NULL;
103 }
104 }
105
106 /******************************************************************************
107 *
108 * Function avrc_flush_cmd_q
109 *
110 * Description Flush command queue for the specified avrc handle
111 *
112 * Returns Nothing.
113 *
114 *****************************************************************************/
avrc_flush_cmd_q(uint8_t handle)115 void avrc_flush_cmd_q(uint8_t handle) {
116 AVRC_TRACE_DEBUG("AVRC: Flushing command queue for handle=0x%02x", handle);
117 avrc_cb.ccb_int[handle].flags &= ~AVRC_CB_FLAGS_RSP_PENDING;
118
119 alarm_cancel(avrc_cb.ccb_int[handle].tle);
120 fixed_queue_free(avrc_cb.ccb_int[handle].cmd_q, osi_free);
121 avrc_cb.ccb_int[handle].cmd_q = NULL;
122 }
123
124 /******************************************************************************
125 *
126 * Function avrc_process_timeout
127 *
128 * Description Handle avrc command timeout
129 *
130 * Returns Nothing.
131 *
132 *****************************************************************************/
avrc_process_timeout(void * data)133 void avrc_process_timeout(void* data) {
134 tAVRC_PARAM* param = (tAVRC_PARAM*)data;
135
136 AVRC_TRACE_DEBUG("AVRC: command timeout (handle=0x%02x, label=0x%02x)",
137 param->handle, param->label);
138
139 /* Notify app */
140 if (avrc_cb.ccb[param->handle].ctrl_cback) {
141 avrc_cb.ccb[param->handle].ctrl_cback.Run(
142 param->handle, AVRC_CMD_TIMEOUT_EVT, param->label, NULL);
143 }
144
145 /* If vendor command timed-out, then send next command in the queue */
146 if (param->msg_mask & AVRC_MSG_MASK_IS_VENDOR_CMD) {
147 avrc_send_next_vendor_cmd(param->handle);
148 }
149 osi_free(param);
150 }
151
152 /******************************************************************************
153 *
154 * Function avrc_send_next_vendor_cmd
155 *
156 * Description Dequeue and send next vendor command for given handle
157 *
158 * Returns Nothing.
159 *
160 *****************************************************************************/
avrc_send_next_vendor_cmd(uint8_t handle)161 void avrc_send_next_vendor_cmd(uint8_t handle) {
162 BT_HDR* p_next_cmd;
163 uint8_t next_label;
164
165 while ((p_next_cmd = (BT_HDR*)fixed_queue_try_dequeue(
166 avrc_cb.ccb_int[handle].cmd_q)) != NULL) {
167 p_next_cmd->event &= 0xFF; /* opcode */
168 next_label = (p_next_cmd->layer_specific) >> 8; /* extract label */
169 p_next_cmd->layer_specific &= 0xFF; /* AVCT_DATA_CTRL or AVCT_DATA_BROWSE */
170
171 AVRC_TRACE_DEBUG(
172 "AVRC: Dequeuing command 0x%08x (handle=0x%02x, label=0x%02x)",
173 p_next_cmd, handle, next_label);
174
175 /* Send the message */
176 if ((AVCT_MsgReq(handle, next_label, AVCT_CMD, p_next_cmd)) ==
177 AVCT_SUCCESS) {
178 /* Start command timer to wait for response */
179 avrc_start_cmd_timer(handle, next_label, AVRC_MSG_MASK_IS_VENDOR_CMD);
180 return;
181 }
182 }
183
184 if (p_next_cmd == NULL) {
185 /* cmd queue empty */
186 avrc_cb.ccb_int[handle].flags &= ~AVRC_CB_FLAGS_RSP_PENDING;
187 }
188 }
189
190 /******************************************************************************
191 *
192 * Function avrc_start_cmd_timer
193 *
194 * Description Start timer for waiting for responses
195 *
196 * Returns Nothing.
197 *
198 *****************************************************************************/
avrc_start_cmd_timer(uint8_t handle,uint8_t label,uint8_t msg_mask)199 void avrc_start_cmd_timer(uint8_t handle, uint8_t label, uint8_t msg_mask) {
200 tAVRC_PARAM* param =
201 static_cast<tAVRC_PARAM*>(osi_malloc(sizeof(tAVRC_PARAM)));
202 param->handle = handle;
203 param->label = label;
204 param->msg_mask = msg_mask;
205
206 AVRC_TRACE_DEBUG("AVRC: starting timer (handle=0x%02x, label=0x%02x)", handle,
207 label);
208
209 alarm_set_on_mloop(avrc_cb.ccb_int[handle].tle, AVRC_CMD_TOUT_MS,
210 avrc_process_timeout, param);
211 }
212
213 /******************************************************************************
214 *
215 * Function avrc_get_data_ptr
216 *
217 * Description Gets a pointer to the data payload in the packet.
218 *
219 * Returns A pointer to the data payload.
220 *
221 *****************************************************************************/
avrc_get_data_ptr(BT_HDR * p_pkt)222 static uint8_t* avrc_get_data_ptr(BT_HDR* p_pkt) {
223 return (uint8_t*)(p_pkt + 1) + p_pkt->offset;
224 }
225
226 /******************************************************************************
227 *
228 * Function avrc_copy_packet
229 *
230 * Description Copies an AVRC packet to a new buffer. In the new buffer,
231 * the payload offset is at least AVCT_MSG_OFFSET octets.
232 *
233 * Returns The buffer with the copied data.
234 *
235 *****************************************************************************/
avrc_copy_packet(BT_HDR * p_pkt,int rsp_pkt_len)236 static BT_HDR* avrc_copy_packet(BT_HDR* p_pkt, int rsp_pkt_len) {
237 const int offset = MAX(AVCT_MSG_OFFSET, p_pkt->offset);
238 const int pkt_len = MAX(rsp_pkt_len, p_pkt->len);
239 BT_HDR* p_pkt_copy = (BT_HDR*)osi_malloc(BT_HDR_SIZE + offset + pkt_len);
240
241 /* Copy the packet header, set the new offset, and copy the payload */
242 memcpy(p_pkt_copy, p_pkt, BT_HDR_SIZE);
243 p_pkt_copy->offset = offset;
244 uint8_t* p_data = avrc_get_data_ptr(p_pkt);
245 uint8_t* p_data_copy = avrc_get_data_ptr(p_pkt_copy);
246 memcpy(p_data_copy, p_data, p_pkt->len);
247
248 return p_pkt_copy;
249 }
250
251 /******************************************************************************
252 *
253 * Function avrc_prep_end_frag
254 *
255 * Description This function prepares an end response fragment
256 *
257 * Returns Nothing.
258 *
259 *****************************************************************************/
avrc_prep_end_frag(uint8_t handle)260 static void avrc_prep_end_frag(uint8_t handle) {
261 tAVRC_FRAG_CB* p_fcb;
262 BT_HDR* p_pkt_new;
263 uint8_t *p_data, *p_orig_data;
264 uint8_t rsp_type;
265
266 AVRC_TRACE_DEBUG("%s", __func__);
267 p_fcb = &avrc_cb.fcb[handle];
268
269 /* The response type of the end fragment should be the same as the the PDU of
270 * "End Fragment Response" Errata:
271 * https://www.bluetooth.org/errata/errata_view.cfm?errata_id=4383
272 */
273 p_orig_data = ((uint8_t*)(p_fcb->p_fmsg + 1) + p_fcb->p_fmsg->offset);
274 rsp_type = ((*p_orig_data) & AVRC_CTYPE_MASK);
275
276 p_pkt_new = p_fcb->p_fmsg;
277 p_pkt_new->len -=
278 (AVRC_MAX_CTRL_DATA_LEN - AVRC_VENDOR_HDR_SIZE - AVRC_MIN_META_HDR_SIZE);
279 p_pkt_new->offset +=
280 (AVRC_MAX_CTRL_DATA_LEN - AVRC_VENDOR_HDR_SIZE - AVRC_MIN_META_HDR_SIZE);
281 p_data = (uint8_t*)(p_pkt_new + 1) + p_pkt_new->offset;
282 *p_data++ = rsp_type;
283 *p_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT);
284 *p_data++ = AVRC_OP_VENDOR;
285 AVRC_CO_ID_TO_BE_STREAM(p_data, AVRC_CO_METADATA);
286 *p_data++ = p_fcb->frag_pdu;
287 *p_data++ = AVRC_PKT_END;
288
289 /* 4=pdu, pkt_type & len */
290 UINT16_TO_BE_STREAM(
291 p_data, (p_pkt_new->len - AVRC_VENDOR_HDR_SIZE - AVRC_MIN_META_HDR_SIZE));
292 }
293
294 /******************************************************************************
295 *
296 * Function avrc_send_continue_frag
297 *
298 * Description This function sends a continue response fragment
299 *
300 * Returns AVRC_SUCCESS if successful.
301 * AVRC_BAD_HANDLE if handle is invalid.
302 *
303 *****************************************************************************/
avrc_send_continue_frag(uint8_t handle,uint8_t label)304 static uint16_t avrc_send_continue_frag(uint8_t handle, uint8_t label) {
305 tAVRC_FRAG_CB* p_fcb;
306 BT_HDR *p_pkt_old, *p_pkt;
307 uint8_t *p_old, *p_data;
308 uint8_t cr = AVCT_RSP;
309
310 p_fcb = &avrc_cb.fcb[handle];
311 p_pkt = p_fcb->p_fmsg;
312
313 AVRC_TRACE_DEBUG("%s handle = %u label = %u len = %d", __func__, handle,
314 label, p_pkt->len);
315 if (p_pkt->len > AVRC_MAX_CTRL_DATA_LEN) {
316 int offset_len = MAX(AVCT_MSG_OFFSET, p_pkt->offset);
317 p_pkt_old = p_fcb->p_fmsg;
318 p_pkt = (BT_HDR*)osi_malloc(AVRC_PACKET_LEN + offset_len + BT_HDR_SIZE);
319 p_pkt->len = AVRC_MAX_CTRL_DATA_LEN;
320 p_pkt->offset = AVCT_MSG_OFFSET;
321 p_pkt->layer_specific = p_pkt_old->layer_specific;
322 p_pkt->event = p_pkt_old->event;
323 p_old = (uint8_t*)(p_pkt_old + 1) + p_pkt_old->offset;
324 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
325 memcpy(p_data, p_old, AVRC_MAX_CTRL_DATA_LEN);
326 /* use AVRC continue packet type */
327 p_data += AVRC_VENDOR_HDR_SIZE;
328 p_data++; /* pdu */
329 *p_data++ = AVRC_PKT_CONTINUE;
330 /* 4=pdu, pkt_type & len */
331 UINT16_TO_BE_STREAM(p_data,
332 (AVRC_MAX_CTRL_DATA_LEN - AVRC_VENDOR_HDR_SIZE - 4));
333
334 /* prepare the left over for as an end fragment */
335 avrc_prep_end_frag(handle);
336 } else {
337 /* end fragment. clean the control block */
338 p_fcb->frag_enabled = false;
339 p_fcb->p_fmsg = NULL;
340 }
341 return AVCT_MsgReq(handle, label, cr, p_pkt);
342 }
343
344 /******************************************************************************
345 *
346 * Function avrc_proc_vendor_command
347 *
348 * Description This function processes received vendor command.
349 *
350 * Returns if not NULL, the response to send right away.
351 *
352 *****************************************************************************/
avrc_proc_vendor_command(uint8_t handle,uint8_t label,BT_HDR * p_pkt,tAVRC_MSG_VENDOR * p_msg)353 static BT_HDR* avrc_proc_vendor_command(uint8_t handle, uint8_t label,
354 BT_HDR* p_pkt,
355 tAVRC_MSG_VENDOR* p_msg) {
356 BT_HDR* p_rsp = NULL;
357 uint8_t* p_data;
358 uint8_t* p_begin;
359 uint8_t pkt_type;
360 bool abort_frag = false;
361 tAVRC_STS status = AVRC_STS_NO_ERROR;
362 tAVRC_FRAG_CB* p_fcb;
363
364 p_begin = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
365 p_data = p_begin + AVRC_VENDOR_HDR_SIZE;
366 pkt_type = *(p_data + 1) & AVRC_PKT_TYPE_MASK;
367
368 if (pkt_type != AVRC_PKT_SINGLE) {
369 /* reject - commands can only be in single packets at AVRCP level */
370 AVRC_TRACE_ERROR("commands must be in single packet pdu:0x%x", *p_data);
371 /* use the current GKI buffer to send the reject */
372 status = AVRC_STS_BAD_CMD;
373 }
374 /* check if there are fragments waiting to be sent */
375 else if (avrc_cb.fcb[handle].frag_enabled) {
376 p_fcb = &avrc_cb.fcb[handle];
377 if (p_msg->company_id == AVRC_CO_METADATA) {
378 switch (*p_data) {
379 case AVRC_PDU_ABORT_CONTINUATION_RSP:
380 /* aborted by CT - send accept response */
381 abort_frag = true;
382 p_begin = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
383 *p_begin = (AVRC_RSP_ACCEPT & AVRC_CTYPE_MASK);
384 if (*(p_data + 4) != p_fcb->frag_pdu) {
385 *p_begin = (AVRC_RSP_REJ & AVRC_CTYPE_MASK);
386 *(p_data + 4) = AVRC_STS_BAD_PARAM;
387 } else {
388 p_data = (p_begin + AVRC_VENDOR_HDR_SIZE + 2);
389 UINT16_TO_BE_STREAM(p_data, 0);
390 p_pkt->len = (p_data - p_begin);
391 }
392 AVCT_MsgReq(handle, label, AVCT_RSP, p_pkt);
393 p_msg->hdr.opcode =
394 AVRC_OP_DROP; /* used the p_pkt to send response */
395 break;
396
397 case AVRC_PDU_REQUEST_CONTINUATION_RSP:
398 if (*(p_data + 4) == p_fcb->frag_pdu) {
399 avrc_send_continue_frag(handle, label);
400 p_msg->hdr.opcode = AVRC_OP_DROP_N_FREE;
401 } else {
402 /* the pdu id does not match - reject the command using the current
403 * GKI buffer */
404 AVRC_TRACE_ERROR(
405 "%s continue pdu: 0x%x does not match the current pdu: 0x%x",
406 __func__, *(p_data + 4), p_fcb->frag_pdu);
407 status = AVRC_STS_BAD_PARAM;
408 abort_frag = true;
409 }
410 break;
411
412 default:
413 /* implicit abort */
414 abort_frag = true;
415 }
416 } else {
417 abort_frag = true;
418 /* implicit abort */
419 }
420
421 if (abort_frag) {
422 osi_free_and_reset((void**)&p_fcb->p_fmsg);
423 p_fcb->frag_enabled = false;
424 }
425 }
426
427 if (status != AVRC_STS_NO_ERROR) {
428 p_rsp = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
429 p_rsp->offset = p_pkt->offset;
430 p_data = (uint8_t*)(p_rsp + 1) + p_pkt->offset;
431 *p_data++ = AVRC_RSP_REJ;
432 p_data += AVRC_VENDOR_HDR_SIZE; /* pdu */
433 *p_data++ = 0; /* pkt_type */
434 UINT16_TO_BE_STREAM(p_data, 1); /* len */
435 *p_data++ = status; /* error code */
436 p_rsp->len = AVRC_VENDOR_HDR_SIZE + 5;
437 }
438
439 return p_rsp;
440 }
441
442 /******************************************************************************
443 *
444 * Function avrc_proc_far_msg
445 *
446 * Description This function processes metadata fragmenation
447 * and reassembly
448 *
449 * Returns 0, to report the message with msg_cback .
450 *
451 *****************************************************************************/
avrc_proc_far_msg(uint8_t handle,uint8_t label,uint8_t cr,BT_HDR ** pp_pkt,tAVRC_MSG_VENDOR * p_msg)452 static uint8_t avrc_proc_far_msg(uint8_t handle, uint8_t label, uint8_t cr,
453 BT_HDR** pp_pkt, tAVRC_MSG_VENDOR* p_msg) {
454 BT_HDR* p_pkt = *pp_pkt;
455 uint8_t* p_data;
456 uint8_t drop_code = 0;
457 bool buf_overflow = false;
458 BT_HDR* p_rsp = NULL;
459 BT_HDR* p_cmd = NULL;
460 bool req_continue = false;
461 BT_HDR* p_pkt_new = NULL;
462 uint8_t pkt_type;
463 tAVRC_RASM_CB* p_rcb;
464 tAVRC_NEXT_CMD avrc_cmd;
465 tAVRC_STS status;
466
467 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
468
469 /* Skip over vendor header (ctype, subunit*, opcode, CO_ID) */
470 p_data += AVRC_VENDOR_HDR_SIZE;
471
472 pkt_type = *(p_data + 1) & AVRC_PKT_TYPE_MASK;
473 AVRC_TRACE_DEBUG("pkt_type %d", pkt_type);
474 p_rcb = &avrc_cb.rcb[handle];
475
476 /* check if the message needs to be re-assembled */
477 if (pkt_type == AVRC_PKT_SINGLE || pkt_type == AVRC_PKT_START) {
478 /* previous fragments need to be dropped, when received another new message
479 */
480 p_rcb->rasm_offset = 0;
481 osi_free_and_reset((void**)&p_rcb->p_rmsg);
482 }
483
484 if (pkt_type != AVRC_PKT_SINGLE && cr == AVCT_RSP) {
485 /* not a single response packet - need to re-assemble metadata messages */
486 if (pkt_type == AVRC_PKT_START) {
487 /* Allocate buffer for re-assembly */
488 p_rcb->rasm_pdu = *p_data;
489 p_rcb->p_rmsg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
490 /* Copy START packet to buffer for re-assembling fragments */
491 memcpy(p_rcb->p_rmsg, p_pkt, sizeof(BT_HDR)); /* Copy bt hdr */
492
493 /* Copy metadata message */
494 memcpy((uint8_t*)(p_rcb->p_rmsg + 1),
495 (uint8_t*)(p_pkt + 1) + p_pkt->offset, p_pkt->len);
496
497 /* offset of start of metadata response in reassembly buffer */
498 p_rcb->p_rmsg->offset = p_rcb->rasm_offset = 0;
499
500 /*
501 * Free original START packet, replace with pointer to
502 * reassembly buffer.
503 */
504 osi_free(p_pkt);
505 *pp_pkt = p_rcb->p_rmsg;
506
507 /*
508 * Set offset to point to where to copy next - use the same
509 * reassembly logic as AVCT.
510 */
511 p_rcb->p_rmsg->offset += p_rcb->p_rmsg->len;
512 req_continue = true;
513 } else if (p_rcb->p_rmsg == NULL) {
514 /* Received a CONTINUE/END, but no corresponding START
515 (or previous fragmented response was dropped) */
516 AVRC_TRACE_DEBUG(
517 "Received a CONTINUE/END without no corresponding START \
518 (or previous fragmented response was dropped)");
519 drop_code = 5;
520 osi_free(p_pkt);
521 *pp_pkt = NULL;
522 } else {
523 /* get size of buffer holding assembled message */
524 /*
525 * NOTE: The buffer is allocated above at the beginning of the
526 * reassembly, and is always of size BT_DEFAULT_BUFFER_SIZE.
527 */
528 uint16_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR);
529 /* adjust offset and len of fragment for header byte */
530 p_pkt->offset += (AVRC_VENDOR_HDR_SIZE + AVRC_MIN_META_HDR_SIZE);
531 p_pkt->len -= (AVRC_VENDOR_HDR_SIZE + AVRC_MIN_META_HDR_SIZE);
532 /* verify length */
533 if ((p_rcb->p_rmsg->offset + p_pkt->len) > buf_len) {
534 AVRC_TRACE_WARNING(
535 "Fragmented message too big! - report the partial message");
536 p_pkt->len = buf_len - p_rcb->p_rmsg->offset;
537 pkt_type = AVRC_PKT_END;
538 buf_overflow = true;
539 }
540
541 /* copy contents of p_pkt to p_rx_msg */
542 memcpy((uint8_t*)(p_rcb->p_rmsg + 1) + p_rcb->p_rmsg->offset,
543 (uint8_t*)(p_pkt + 1) + p_pkt->offset, p_pkt->len);
544
545 if (pkt_type == AVRC_PKT_END) {
546 p_rcb->p_rmsg->offset = p_rcb->rasm_offset;
547 p_rcb->p_rmsg->len += p_pkt->len;
548 p_pkt_new = p_rcb->p_rmsg;
549 p_rcb->rasm_offset = 0;
550 p_rcb->p_rmsg = NULL;
551 p_msg->p_vendor_data = (uint8_t*)(p_pkt_new + 1) + p_pkt_new->offset;
552 p_msg->hdr.ctype = p_msg->p_vendor_data[0] & AVRC_CTYPE_MASK;
553 /* 6 = ctype, subunit*, opcode & CO_ID */
554 p_msg->p_vendor_data += AVRC_VENDOR_HDR_SIZE;
555 p_msg->vendor_len = p_pkt_new->len - AVRC_VENDOR_HDR_SIZE;
556 p_data = p_msg->p_vendor_data + 1; /* skip pdu */
557 *p_data++ = AVRC_PKT_SINGLE;
558 UINT16_TO_BE_STREAM(p_data,
559 (p_msg->vendor_len - AVRC_MIN_META_HDR_SIZE));
560 AVRC_TRACE_DEBUG("end frag:%d, total len:%d, offset:%d", p_pkt->len,
561 p_pkt_new->len, p_pkt_new->offset);
562 } else {
563 p_rcb->p_rmsg->offset += p_pkt->len;
564 p_rcb->p_rmsg->len += p_pkt->len;
565 p_pkt_new = NULL;
566 req_continue = true;
567 }
568 osi_free(p_pkt);
569 *pp_pkt = p_pkt_new;
570 }
571 }
572
573 if (cr == AVCT_CMD) {
574 p_rsp = avrc_proc_vendor_command(handle, label, *pp_pkt, p_msg);
575 if (p_rsp) {
576 AVCT_MsgReq(handle, label, AVCT_RSP, p_rsp);
577 osi_free_and_reset((void**)pp_pkt);
578 drop_code = 3;
579 } else if (p_msg->hdr.opcode == AVRC_OP_DROP) {
580 drop_code = 1;
581 } else if (p_msg->hdr.opcode == AVRC_OP_DROP_N_FREE)
582 drop_code = 4;
583
584 } else if (cr == AVCT_RSP) {
585 if (req_continue) {
586 avrc_cmd.pdu = AVRC_PDU_REQUEST_CONTINUATION_RSP;
587 drop_code = 2;
588 } else if (buf_overflow) {
589 /* Incoming message too big to fit in BT_DEFAULT_BUFFER_SIZE. Send abort
590 * to peer */
591 avrc_cmd.pdu = AVRC_PDU_ABORT_CONTINUATION_RSP;
592 drop_code = 4;
593 } else {
594 return drop_code;
595 }
596 avrc_cmd.status = AVRC_STS_NO_ERROR;
597 avrc_cmd.target_pdu = p_rcb->rasm_pdu;
598
599 tAVRC_COMMAND avrc_command;
600 avrc_command.continu = avrc_cmd;
601 status = AVRC_BldCommand(&avrc_command, &p_cmd);
602 if (status == AVRC_STS_NO_ERROR) {
603 AVRC_MsgReq(handle, (uint8_t)(label), AVRC_CMD_CTRL, p_cmd);
604 }
605 }
606
607 return drop_code;
608 }
609
610 /******************************************************************************
611 *
612 * Function avrc_msg_cback
613 *
614 * Description This is the callback function used by AVCTP to report
615 * received AV control messages.
616 *
617 * Returns Nothing.
618 *
619 *****************************************************************************/
avrc_msg_cback(uint8_t handle,uint8_t label,uint8_t cr,BT_HDR * p_pkt)620 static void avrc_msg_cback(uint8_t handle, uint8_t label, uint8_t cr,
621 BT_HDR* p_pkt) {
622 uint8_t opcode;
623 tAVRC_MSG msg;
624 uint8_t* p_data;
625 uint8_t* p_begin;
626 bool drop = false;
627 bool do_free = true;
628 BT_HDR* p_rsp = NULL;
629 uint8_t* p_rsp_data;
630 int xx;
631 bool reject = false;
632 const char* p_drop_msg = "dropped";
633 tAVRC_MSG_VENDOR* p_msg = &msg.vendor;
634
635 if (cr == AVCT_CMD && (p_pkt->layer_specific & AVCT_DATA_CTRL &&
636 AVRC_PACKET_LEN < sizeof(p_pkt->len))) {
637 /* Ignore the invalid AV/C command frame */
638 p_drop_msg = "dropped - too long AV/C cmd frame size";
639 osi_free(p_pkt);
640 return;
641 }
642
643 if (cr == AVCT_REJ) {
644 /* The peer thinks that this PID is no longer open - remove this handle */
645 /* */
646 osi_free(p_pkt);
647 AVCT_RemoveConn(handle);
648 return;
649 } else if (cr == AVCT_RSP) {
650 /* Received response. Stop command timeout timer */
651 AVRC_TRACE_DEBUG("AVRC: stopping timer (handle=0x%02x)", handle);
652 alarm_cancel(avrc_cb.ccb_int[handle].tle);
653 }
654
655 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
656 memset(&msg, 0, sizeof(tAVRC_MSG));
657
658 if (p_pkt->layer_specific == AVCT_DATA_BROWSE) {
659 opcode = AVRC_OP_BROWSE;
660 msg.browse.hdr.ctype = cr;
661 msg.browse.p_browse_data = p_data;
662 msg.browse.browse_len = p_pkt->len;
663 msg.browse.p_browse_pkt = p_pkt;
664 } else {
665 if (p_pkt->len < AVRC_AVC_HDR_SIZE) {
666 android_errorWriteLog(0x534e4554, "111803925");
667 AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",
668 __func__, p_pkt->len, AVRC_AVC_HDR_SIZE);
669 osi_free(p_pkt);
670 return;
671 }
672 msg.hdr.ctype = p_data[0] & AVRC_CTYPE_MASK;
673 AVRC_TRACE_DEBUG("%s handle:%d, ctype:%d, offset:%d, len: %d", __func__,
674 handle, msg.hdr.ctype, p_pkt->offset, p_pkt->len);
675 msg.hdr.subunit_type =
676 (p_data[1] & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
677 msg.hdr.subunit_id = p_data[1] & AVRC_SUBID_MASK;
678 opcode = p_data[2];
679 }
680
681 if (((avrc_cb.ccb[handle].control & AVRC_CT_TARGET) && (cr == AVCT_CMD)) ||
682 ((avrc_cb.ccb[handle].control & AVRC_CT_CONTROL) && (cr == AVCT_RSP))) {
683 switch (opcode) {
684 case AVRC_OP_UNIT_INFO:
685 if (cr == AVCT_CMD) {
686 /* send the response to the peer */
687 p_rsp = avrc_copy_packet(p_pkt, AVRC_OP_UNIT_INFO_RSP_LEN);
688 p_rsp_data = avrc_get_data_ptr(p_rsp);
689 *p_rsp_data = AVRC_RSP_IMPL_STBL;
690 /* check & set the offset. set response code, set subunit_type &
691 subunit_id,
692 set AVRC_OP_UNIT_INFO */
693 /* 3 bytes: ctype, subunit*, opcode */
694 p_rsp_data += AVRC_AVC_HDR_SIZE;
695 *p_rsp_data++ = 7;
696 /* Panel subunit & id=0 */
697 *p_rsp_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT);
698 AVRC_CO_ID_TO_BE_STREAM(p_rsp_data, avrc_cb.ccb[handle].company_id);
699 p_rsp->len =
700 (uint16_t)(p_rsp_data - (uint8_t*)(p_rsp + 1) - p_rsp->offset);
701 cr = AVCT_RSP;
702 p_drop_msg = "auto respond";
703 } else {
704 /* parse response */
705 if (p_pkt->len < AVRC_OP_UNIT_INFO_RSP_LEN) {
706 AVRC_TRACE_WARNING(
707 "%s: message length %d too short: must be at least %d",
708 __func__, p_pkt->len, AVRC_OP_UNIT_INFO_RSP_LEN);
709 android_errorWriteLog(0x534e4554, "79883824");
710 drop = true;
711 p_drop_msg = "UNIT_INFO_RSP too short";
712 break;
713 }
714 p_data += 4; /* 3 bytes: ctype, subunit*, opcode + octet 3 (is 7)*/
715 msg.unit.unit_type =
716 (*p_data & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
717 msg.unit.unit = *p_data & AVRC_SUBID_MASK;
718 p_data++;
719 AVRC_BE_STREAM_TO_CO_ID(msg.unit.company_id, p_data);
720 }
721 break;
722
723 case AVRC_OP_SUB_INFO:
724 if (cr == AVCT_CMD) {
725 /* send the response to the peer */
726 p_rsp = avrc_copy_packet(p_pkt, AVRC_OP_SUB_UNIT_INFO_RSP_LEN);
727 p_rsp_data = avrc_get_data_ptr(p_rsp);
728 *p_rsp_data = AVRC_RSP_IMPL_STBL;
729 /* check & set the offset. set response code, set (subunit_type &
730 subunit_id),
731 set AVRC_OP_SUB_INFO, set (page & extention code) */
732 p_rsp_data += 4;
733 /* Panel subunit & id=0 */
734 *p_rsp_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT);
735 memset(p_rsp_data, AVRC_CMD_OPRND_PAD, AVRC_SUBRSP_OPRND_BYTES);
736 p_rsp_data += AVRC_SUBRSP_OPRND_BYTES;
737 p_rsp->len =
738 (uint16_t)(p_rsp_data - (uint8_t*)(p_rsp + 1) - p_rsp->offset);
739 cr = AVCT_RSP;
740 p_drop_msg = "auto responded";
741 } else {
742 /* parse response */
743 if (p_pkt->len < AVRC_OP_SUB_UNIT_INFO_RSP_LEN) {
744 AVRC_TRACE_WARNING(
745 "%s: message length %d too short: must be at least %d",
746 __func__, p_pkt->len, AVRC_OP_SUB_UNIT_INFO_RSP_LEN);
747 android_errorWriteLog(0x534e4554, "79883824");
748 drop = true;
749 p_drop_msg = "SUB_UNIT_INFO_RSP too short";
750 break;
751 }
752 p_data += AVRC_AVC_HDR_SIZE; /* 3 bytes: ctype, subunit*, opcode */
753 msg.sub.page =
754 (*p_data++ >> AVRC_SUB_PAGE_SHIFT) & AVRC_SUB_PAGE_MASK;
755 xx = 0;
756 while (*p_data != AVRC_CMD_OPRND_PAD && xx < AVRC_SUB_TYPE_LEN) {
757 msg.sub.subunit_type[xx] = *p_data++ >> AVRC_SUBTYPE_SHIFT;
758 if (msg.sub.subunit_type[xx] == AVRC_SUB_PANEL)
759 msg.sub.panel = true;
760 xx++;
761 }
762 }
763 break;
764
765 case AVRC_OP_VENDOR: {
766 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
767 p_begin = p_data;
768 if (p_pkt->len <
769 AVRC_VENDOR_HDR_SIZE) /* 6 = ctype, subunit*, opcode & CO_ID */
770 {
771 if (cr == AVCT_CMD)
772 reject = true;
773 else
774 drop = true;
775 break;
776 }
777 p_data += AVRC_AVC_HDR_SIZE; /* skip the first 3 bytes: ctype, subunit*,
778 opcode */
779 AVRC_BE_STREAM_TO_CO_ID(p_msg->company_id, p_data);
780 p_msg->p_vendor_data = p_data;
781 p_msg->vendor_len = p_pkt->len - (p_data - p_begin);
782
783 uint8_t drop_code = 0;
784 if (p_msg->company_id == AVRC_CO_METADATA) {
785 /* Validate length for metadata message */
786 if (p_pkt->len < (AVRC_VENDOR_HDR_SIZE + AVRC_MIN_META_HDR_SIZE)) {
787 if (cr == AVCT_CMD)
788 reject = true;
789 else
790 drop = true;
791 break;
792 }
793
794 /* Check+handle fragmented messages */
795 drop_code = avrc_proc_far_msg(handle, label, cr, &p_pkt, p_msg);
796 if (drop_code > 0) drop = true;
797 }
798 if (drop_code > 0) {
799 if (drop_code != 4) do_free = false;
800 switch (drop_code) {
801 case 1:
802 p_drop_msg = "sent_frag";
803 break;
804 case 2:
805 p_drop_msg = "req_cont";
806 break;
807 case 3:
808 p_drop_msg = "sent_frag3";
809 break;
810 case 4:
811 p_drop_msg = "sent_frag_free";
812 break;
813 default:
814 p_drop_msg = "sent_fragd";
815 }
816 }
817 /* If vendor response received, and did not ask for continuation */
818 /* then check queue for addition commands to send */
819 if ((cr == AVCT_RSP) && (drop_code != 2)) {
820 avrc_send_next_vendor_cmd(handle);
821 }
822 } break;
823
824 case AVRC_OP_PASS_THRU:
825 if (p_pkt->len < 5) /* 3 bytes: ctype, subunit*, opcode & op_id & len */
826 {
827 if (cr == AVCT_CMD)
828 reject = true;
829 else
830 drop = true;
831 break;
832 }
833 p_data += AVRC_AVC_HDR_SIZE; /* skip the first 3 bytes: ctype, subunit*,
834 opcode */
835 msg.pass.op_id = (AVRC_PASS_OP_ID_MASK & *p_data);
836 if (AVRC_PASS_STATE_MASK & *p_data)
837 msg.pass.state = true;
838 else
839 msg.pass.state = false;
840 p_data++;
841 msg.pass.pass_len = *p_data++;
842 if (msg.pass.pass_len != p_pkt->len - 5)
843 msg.pass.pass_len = p_pkt->len - 5;
844 if (msg.pass.pass_len)
845 msg.pass.p_pass_data = p_data;
846 else
847 msg.pass.p_pass_data = NULL;
848 break;
849
850 case AVRC_OP_BROWSE:
851 /* If browse response received, then check queue for addition commands
852 * to send */
853 if (cr == AVCT_RSP) {
854 avrc_send_next_vendor_cmd(handle);
855 }
856 break;
857
858 default:
859 if ((avrc_cb.ccb[handle].control & AVRC_CT_TARGET) &&
860 (cr == AVCT_CMD)) {
861 /* reject unsupported opcode */
862 reject = true;
863 }
864 drop = true;
865 break;
866 }
867 } else /* drop the event */
868 {
869 if (opcode != AVRC_OP_BROWSE) drop = true;
870 }
871
872 if (reject) {
873 /* reject unsupported opcode */
874 p_rsp = avrc_copy_packet(p_pkt, AVRC_OP_REJ_MSG_LEN);
875 p_rsp_data = avrc_get_data_ptr(p_rsp);
876 *p_rsp_data = AVRC_RSP_REJ;
877 p_drop_msg = "rejected";
878 cr = AVCT_RSP;
879 drop = true;
880 }
881
882 if (p_rsp) {
883 /* set to send response right away */
884 AVCT_MsgReq(handle, label, cr, p_rsp);
885 drop = true;
886 }
887
888 if (!drop) {
889 msg.hdr.opcode = opcode;
890 avrc_cb.ccb[handle].msg_cback.Run(handle, label, opcode, &msg);
891 } else {
892 AVRC_TRACE_WARNING("%s %s msg handle:%d, control:%d, cr:%d, opcode:x%x",
893 __func__, p_drop_msg, handle,
894 avrc_cb.ccb[handle].control, cr, opcode);
895 }
896
897 if (opcode == AVRC_OP_BROWSE && msg.browse.p_browse_pkt == NULL) {
898 do_free = false;
899 }
900
901 if (do_free) osi_free(p_pkt);
902 }
903
904 /******************************************************************************
905 *
906 * Function avrc_pass_msg
907 *
908 * Description Compose a PASS THROUGH command according to p_msg
909 *
910 * Input Parameters:
911 * p_msg: Pointer to PASS THROUGH message structure.
912 *
913 * Output Parameters:
914 * None.
915 *
916 * Returns pointer to a valid GKI buffer if successful.
917 * NULL if p_msg is NULL.
918 *
919 *****************************************************************************/
avrc_pass_msg(tAVRC_MSG_PASS * p_msg)920 static BT_HDR* avrc_pass_msg(tAVRC_MSG_PASS* p_msg) {
921 CHECK(p_msg != NULL);
922 CHECK(AVRC_CMD_BUF_SIZE > (AVRC_MIN_CMD_LEN + p_msg->pass_len));
923
924 BT_HDR* p_cmd = (BT_HDR*)osi_malloc(AVRC_CMD_BUF_SIZE);
925 p_cmd->offset = AVCT_MSG_OFFSET;
926 p_cmd->layer_specific = AVCT_DATA_CTRL;
927
928 uint8_t* p_data = (uint8_t*)(p_cmd + 1) + p_cmd->offset;
929 *p_data++ = (p_msg->hdr.ctype & AVRC_CTYPE_MASK);
930 *p_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT); /* Panel subunit & id=0 */
931 *p_data++ = AVRC_OP_PASS_THRU;
932 *p_data = (AVRC_PASS_OP_ID_MASK & p_msg->op_id);
933 if (p_msg->state) *p_data |= AVRC_PASS_STATE_MASK;
934 p_data++;
935
936 if (p_msg->op_id == AVRC_ID_VENDOR) {
937 *p_data++ = p_msg->pass_len;
938 if (p_msg->pass_len && p_msg->p_pass_data) {
939 memcpy(p_data, p_msg->p_pass_data, p_msg->pass_len);
940 p_data += p_msg->pass_len;
941 }
942 } else {
943 /* set msg len to 0 for other op_id */
944 *p_data++ = 0;
945 }
946 p_cmd->len = (uint16_t)(p_data - (uint8_t*)(p_cmd + 1) - p_cmd->offset);
947
948 return p_cmd;
949 }
950
951 /******************************************************************************
952 *
953 * Function AVRC_Open
954 *
955 * Description This function is called to open a connection to AVCTP.
956 * The connection can be either an initiator or acceptor, as
957 * determined by the p_ccb->stream parameter.
958 * The connection can be a target, a controller or for both
959 * role, as determined by the p_ccb->control parameter.
960 * By definition, a target connection is an acceptor connection
961 * that waits for an incoming AVCTP connection from the peer.
962 * The connection remains available to the application until
963 * the application closes it by calling AVRC_Close(). The
964 * application does not need to reopen the connection after an
965 * AVRC_CLOSE_IND_EVT is received.
966 *
967 * Input Parameters:
968 * p_ccb->company_id: Company Identifier.
969 *
970 * p_ccb->p_ctrl_cback: Pointer to control callback
971 * function.
972 *
973 * p_ccb->p_msg_cback: Pointer to message callback
974 * function.
975 *
976 * p_ccb->conn: AVCTP connection role. This is set to
977 * AVCTP_INT for initiator connections and AVCTP_ACP
978 * for acceptor connections.
979 *
980 * p_ccb->control: Control role. This is set to
981 * AVRC_CT_TARGET for target connections, AVRC_CT_CONTROL
982 * for control connections or
983 * (AVRC_CT_TARGET|AVRC_CT_CONTROL)
984 * for connections that support both roles.
985 *
986 * peer_addr: BD address of peer device. This value is
987 * only used for initiator connections; for acceptor
988 * connections it can be set to NULL.
989 *
990 * Output Parameters:
991 * p_handle: Pointer to handle. This parameter is only
992 * valid if AVRC_SUCCESS is returned.
993 *
994 * Returns AVRC_SUCCESS if successful.
995 * AVRC_NO_RESOURCES if there are not enough resources to open
996 * the connection.
997 *
998 *****************************************************************************/
AVRC_Open(uint8_t * p_handle,tAVRC_CONN_CB * p_ccb,const RawAddress & peer_addr)999 uint16_t AVRC_Open(uint8_t* p_handle, tAVRC_CONN_CB* p_ccb,
1000 const RawAddress& peer_addr) {
1001 uint16_t status;
1002 tAVCT_CC cc;
1003
1004 cc.p_ctrl_cback = avrc_ctrl_cback; /* Control callback */
1005 cc.p_msg_cback = avrc_msg_cback; /* Message callback */
1006 cc.pid = UUID_SERVCLASS_AV_REMOTE_CONTROL; /* Profile ID */
1007 cc.role = p_ccb->conn; /* Initiator/acceptor role */
1008 cc.control = p_ccb->control; /* Control role (Control/Target) */
1009
1010 status = AVCT_CreateConn(p_handle, &cc, peer_addr);
1011 if (status == AVCT_SUCCESS) {
1012 avrc_cb.ccb[*p_handle] = *p_ccb;
1013 memset(&avrc_cb.ccb_int[*p_handle], 0, sizeof(tAVRC_CONN_INT_CB));
1014 memset(&avrc_cb.fcb[*p_handle], 0, sizeof(tAVRC_FRAG_CB));
1015 memset(&avrc_cb.rcb[*p_handle], 0, sizeof(tAVRC_RASM_CB));
1016 avrc_cb.ccb_int[*p_handle].tle = alarm_new("avrcp.commandTimer");
1017 avrc_cb.ccb_int[*p_handle].cmd_q = fixed_queue_new(SIZE_MAX);
1018 }
1019 AVRC_TRACE_DEBUG("%s role: %d, control:%d status:%d, handle:%d", __func__,
1020 cc.role, cc.control, status, *p_handle);
1021
1022 return status;
1023 }
1024
1025 /******************************************************************************
1026 *
1027 * Function AVRC_Close
1028 *
1029 * Description Close a connection opened with AVRC_Open().
1030 * This function is called when the
1031 * application is no longer using a connection.
1032 *
1033 * Input Parameters:
1034 * handle: Handle of this connection.
1035 *
1036 * Output Parameters:
1037 * None.
1038 *
1039 * Returns AVRC_SUCCESS if successful.
1040 * AVRC_BAD_HANDLE if handle is invalid.
1041 *
1042 *****************************************************************************/
AVRC_Close(uint8_t handle)1043 uint16_t AVRC_Close(uint8_t handle) {
1044 AVRC_TRACE_DEBUG("%s handle:%d", __func__, handle);
1045 avrc_flush_cmd_q(handle);
1046 return AVCT_RemoveConn(handle);
1047 }
1048
1049 /******************************************************************************
1050 *
1051 * Function AVRC_OpenBrowse
1052 *
1053 * Description This function is called to open a browsing connection to
1054 * AVCTP. The connection can be either an initiator or
1055 * acceptor, as determined by the p_conn_role.
1056 * The handle is returned by a previous call to AVRC_Open.
1057 *
1058 * Returns AVRC_SUCCESS if successful.
1059 * AVRC_NO_RESOURCES if there are not enough resources to open
1060 * the connection.
1061 *
1062 *****************************************************************************/
AVRC_OpenBrowse(uint8_t handle,uint8_t conn_role)1063 uint16_t AVRC_OpenBrowse(uint8_t handle, uint8_t conn_role) {
1064 return AVCT_CreateBrowse(handle, conn_role);
1065 }
1066
1067 /******************************************************************************
1068 *
1069 * Function AVRC_CloseBrowse
1070 *
1071 * Description Close a connection opened with AVRC_OpenBrowse().
1072 * This function is called when the
1073 * application is no longer using a connection.
1074 *
1075 * Returns AVRC_SUCCESS if successful.
1076 * AVRC_BAD_HANDLE if handle is invalid.
1077 *
1078 *****************************************************************************/
AVRC_CloseBrowse(uint8_t handle)1079 uint16_t AVRC_CloseBrowse(uint8_t handle) { return AVCT_RemoveBrowse(handle); }
1080
1081 /******************************************************************************
1082 *
1083 * Function AVRC_MsgReq
1084 *
1085 * Description This function is used to send the AVRCP byte stream in p_pkt
1086 * down to AVCTP.
1087 *
1088 * It is expected that p_pkt->offset is at least
1089 * AVCT_MSG_OFFSET
1090 * p_pkt->layer_specific is AVCT_DATA_CTRL or AVCT_DATA_BROWSE
1091 * p_pkt->event is AVRC_OP_VENDOR, AVRC_OP_PASS_THRU or
1092 * AVRC_OP_BROWSE
1093 * The above BT_HDR settings are set by the AVRC_Bld*
1094 * functions.
1095 *
1096 * Returns AVRC_SUCCESS if successful.
1097 * AVRC_BAD_HANDLE if handle is invalid.
1098 *
1099 *****************************************************************************/
AVRC_MsgReq(uint8_t handle,uint8_t label,uint8_t ctype,BT_HDR * p_pkt)1100 uint16_t AVRC_MsgReq(uint8_t handle, uint8_t label, uint8_t ctype,
1101 BT_HDR* p_pkt) {
1102 uint8_t* p_data;
1103 uint8_t cr = AVCT_CMD;
1104 bool chk_frag = true;
1105 uint8_t* p_start = NULL;
1106 tAVRC_FRAG_CB* p_fcb;
1107 uint16_t len;
1108 uint16_t status;
1109 uint8_t msg_mask = 0;
1110 uint16_t peer_mtu;
1111
1112 if (!p_pkt) return AVRC_BAD_PARAM;
1113
1114 AVRC_TRACE_DEBUG("%s handle = %u label = %u ctype = %u len = %d", __func__,
1115 handle, label, ctype, p_pkt->len);
1116
1117 if (ctype >= AVRC_RSP_NOT_IMPL) cr = AVCT_RSP;
1118
1119 if (p_pkt->event == AVRC_OP_VENDOR) {
1120 /* add AVRCP Vendor Dependent headers */
1121 p_start = ((uint8_t*)(p_pkt + 1) + p_pkt->offset);
1122 p_pkt->offset -= AVRC_VENDOR_HDR_SIZE;
1123 p_pkt->len += AVRC_VENDOR_HDR_SIZE;
1124 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
1125 *p_data++ = (ctype & AVRC_CTYPE_MASK);
1126 *p_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT);
1127 *p_data++ = AVRC_OP_VENDOR;
1128 AVRC_CO_ID_TO_BE_STREAM(p_data, AVRC_CO_METADATA);
1129
1130 /* Check if this is a AVRC_PDU_REQUEST_CONTINUATION_RSP */
1131 if (cr == AVCT_CMD) {
1132 msg_mask |= AVRC_MSG_MASK_IS_VENDOR_CMD;
1133
1134 if ((*p_start == AVRC_PDU_REQUEST_CONTINUATION_RSP) ||
1135 (*p_start == AVRC_PDU_ABORT_CONTINUATION_RSP)) {
1136 msg_mask |= AVRC_MSG_MASK_IS_CONTINUATION_RSP;
1137 }
1138 }
1139 } else if (p_pkt->event == AVRC_OP_PASS_THRU) {
1140 /* add AVRCP Pass Through headers */
1141 p_start = ((uint8_t*)(p_pkt + 1) + p_pkt->offset);
1142 p_pkt->offset -= AVRC_PASS_THRU_SIZE;
1143 p_pkt->len += AVRC_PASS_THRU_SIZE;
1144 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
1145 *p_data++ = (ctype & AVRC_CTYPE_MASK);
1146 *p_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT);
1147 *p_data++ = AVRC_OP_PASS_THRU; /* opcode */
1148 *p_data++ = AVRC_ID_VENDOR; /* operation id */
1149 *p_data++ = 5; /* operation data len */
1150 AVRC_CO_ID_TO_BE_STREAM(p_data, AVRC_CO_METADATA);
1151 } else {
1152 chk_frag = false;
1153 if (p_pkt->layer_specific == AVCT_DATA_BROWSE) {
1154 peer_mtu = AVCT_GetBrowseMtu(handle);
1155 } else {
1156 peer_mtu = AVCT_GetPeerMtu(handle);
1157 }
1158 if (p_pkt->len > (peer_mtu - AVCT_HDR_LEN_SINGLE)) {
1159 AVRC_TRACE_ERROR(
1160 "%s bigger than peer mtu (p_pkt->len(%d) > peer_mtu(%d-%d))",
1161 __func__, p_pkt->len, peer_mtu, AVCT_HDR_LEN_SINGLE);
1162 osi_free(p_pkt);
1163 return AVRC_MSG_TOO_BIG;
1164 }
1165 }
1166
1167 /* abandon previous fragments */
1168 p_fcb = &avrc_cb.fcb[handle];
1169
1170 if (p_fcb == NULL) {
1171 AVRC_TRACE_ERROR("%s p_fcb is NULL", __func__);
1172 osi_free(p_pkt);
1173 return AVRC_NOT_OPEN;
1174 }
1175
1176 if (p_fcb->frag_enabled) p_fcb->frag_enabled = false;
1177
1178 osi_free_and_reset((void**)&p_fcb->p_fmsg);
1179
1180 /* AVRCP spec has not defined any control channel commands that needs
1181 * fragmentation at this level
1182 * check for fragmentation only on the response */
1183 if ((cr == AVCT_RSP) && (chk_frag)) {
1184 if (p_pkt->len > AVRC_MAX_CTRL_DATA_LEN) {
1185 int offset_len = MAX(AVCT_MSG_OFFSET, p_pkt->offset);
1186 BT_HDR* p_pkt_new =
1187 (BT_HDR*)osi_malloc(AVRC_PACKET_LEN + offset_len + BT_HDR_SIZE);
1188 if (p_start != NULL) {
1189 p_fcb->frag_enabled = true;
1190 p_fcb->p_fmsg = p_pkt;
1191 p_fcb->frag_pdu = *p_start;
1192 p_pkt = p_pkt_new;
1193 p_pkt_new = p_fcb->p_fmsg;
1194 p_pkt->len = AVRC_MAX_CTRL_DATA_LEN;
1195 p_pkt->offset = p_pkt_new->offset;
1196 p_pkt->layer_specific = p_pkt_new->layer_specific;
1197 p_pkt->event = p_pkt_new->event;
1198 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
1199 p_start -= AVRC_VENDOR_HDR_SIZE;
1200 memcpy(p_data, p_start, AVRC_MAX_CTRL_DATA_LEN);
1201 /* use AVRC start packet type */
1202 p_data += AVRC_VENDOR_HDR_SIZE;
1203 p_data++; /* pdu */
1204 *p_data++ = AVRC_PKT_START;
1205
1206 /* 4 pdu, pkt_type & len */
1207 len = (AVRC_MAX_CTRL_DATA_LEN - AVRC_VENDOR_HDR_SIZE -
1208 AVRC_MIN_META_HDR_SIZE);
1209 UINT16_TO_BE_STREAM(p_data, len);
1210
1211 /* prepare the left over for as an end fragment */
1212 avrc_prep_end_frag(handle);
1213 AVRC_TRACE_DEBUG("%s p_pkt len:%d/%d, next len:%d", __func__,
1214 p_pkt->len, len, p_fcb->p_fmsg->len);
1215 } else {
1216 /* TODO: Is this "else" block valid? Remove it? */
1217 AVRC_TRACE_ERROR("%s no buffers for fragmentation", __func__);
1218 osi_free(p_pkt);
1219 return AVRC_NO_RESOURCES;
1220 }
1221 }
1222 } else if ((p_pkt->event == AVRC_OP_VENDOR) && (cr == AVCT_CMD) &&
1223 (avrc_cb.ccb_int[handle].flags & AVRC_CB_FLAGS_RSP_PENDING) &&
1224 !(msg_mask & AVRC_MSG_MASK_IS_CONTINUATION_RSP)) {
1225 /* If we are sending a vendor specific command, and a response is pending,
1226 * then enqueue the command until the response has been received.
1227 * This is to interop with TGs that abort sending responses whenever a new
1228 * command
1229 * is received (exception is continuation request command
1230 * must sent that to get additional response frags) */
1231 AVRC_TRACE_DEBUG(
1232 "AVRC: Enqueuing command 0x%08x (handle=0x%02x, label=0x%02x)", p_pkt,
1233 handle, label);
1234
1235 /* label in BT_HDR (will need this later when the command is dequeued) */
1236 p_pkt->layer_specific = (label << 8) | (p_pkt->layer_specific & 0xFF);
1237
1238 /* Enqueue the command */
1239 fixed_queue_enqueue(avrc_cb.ccb_int[handle].cmd_q, p_pkt);
1240 return AVRC_SUCCESS;
1241 }
1242
1243 /* Send the message */
1244 status = AVCT_MsgReq(handle, label, cr, p_pkt);
1245 if ((status == AVCT_SUCCESS) && (cr == AVCT_CMD)) {
1246 /* If a command was successfully sent, indicate that a response is pending
1247 */
1248 avrc_cb.ccb_int[handle].flags |= AVRC_CB_FLAGS_RSP_PENDING;
1249
1250 /* Start command timer to wait for response */
1251 avrc_start_cmd_timer(handle, label, msg_mask);
1252 }
1253
1254 return status;
1255 }
1256
1257 /******************************************************************************
1258 *
1259 * Function AVRC_PassCmd
1260 *
1261 * Description Send a PASS THROUGH command to the peer device. This
1262 * function can only be called for controller role connections.
1263 * Any response message from the peer is passed back through
1264 * the tAVRC_MSG_CBACK callback function.
1265 *
1266 * Input Parameters:
1267 * handle: Handle of this connection.
1268 *
1269 * label: Transaction label.
1270 *
1271 * p_msg: Pointer to PASS THROUGH message structure.
1272 *
1273 * Output Parameters:
1274 * None.
1275 *
1276 * Returns AVRC_SUCCESS if successful.
1277 * AVRC_BAD_HANDLE if handle is invalid.
1278 *
1279 *****************************************************************************/
AVRC_PassCmd(uint8_t handle,uint8_t label,tAVRC_MSG_PASS * p_msg)1280 uint16_t AVRC_PassCmd(uint8_t handle, uint8_t label, tAVRC_MSG_PASS* p_msg) {
1281 BT_HDR* p_buf;
1282 uint16_t status = AVRC_NO_RESOURCES;
1283 if (!p_msg) return AVRC_BAD_PARAM;
1284
1285 p_msg->hdr.ctype = AVRC_CMD_CTRL;
1286 p_buf = avrc_pass_msg(p_msg);
1287 if (p_buf) {
1288 status = AVCT_MsgReq(handle, label, AVCT_CMD, p_buf);
1289 if (status == AVCT_SUCCESS) {
1290 /* Start command timer to wait for response */
1291 avrc_start_cmd_timer(handle, label, 0);
1292 }
1293 }
1294 return (status);
1295 }
1296
1297 /******************************************************************************
1298 *
1299 * Function AVRC_PassRsp
1300 *
1301 * Description Send a PASS THROUGH response to the peer device. This
1302 * function can only be called for target role connections.
1303 * This function must be called when a PASS THROUGH command
1304 * message is received from the peer through the
1305 * tAVRC_MSG_CBACK callback function.
1306 *
1307 * Input Parameters:
1308 * handle: Handle of this connection.
1309 *
1310 * label: Transaction label. Must be the same value as
1311 * passed with the command message in the callback
1312 * function.
1313 *
1314 * p_msg: Pointer to PASS THROUGH message structure.
1315 *
1316 * Output Parameters:
1317 * None.
1318 *
1319 * Returns AVRC_SUCCESS if successful.
1320 * AVRC_BAD_HANDLE if handle is invalid.
1321 *
1322 *****************************************************************************/
AVRC_PassRsp(uint8_t handle,uint8_t label,tAVRC_MSG_PASS * p_msg)1323 uint16_t AVRC_PassRsp(uint8_t handle, uint8_t label, tAVRC_MSG_PASS* p_msg) {
1324 BT_HDR* p_buf;
1325 if (!p_msg) return AVRC_BAD_PARAM;
1326
1327 p_buf = avrc_pass_msg(p_msg);
1328 if (p_buf) return AVCT_MsgReq(handle, label, AVCT_RSP, p_buf);
1329 return AVRC_NO_RESOURCES;
1330 }
1331