1 /******************************************************************************
2 *
3 * Copyright 2003-2016 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * Interface to AVRCP mandatory commands
22 *
23 ******************************************************************************/
24 #include "avrc_api.h"
25
26 #ifdef __ANDROID__
27 #include <avrcp.sysprop.h>
28 #endif
29 #include <base/logging.h>
30 #include <string.h>
31
32 #include "avrc_int.h"
33 #include "btif/include/btif_config.h"
34 #include "osi/include/allocator.h"
35 #include "osi/include/fixed_queue.h"
36 #include "osi/include/log.h"
37 #include "osi/include/osi.h"
38 #include "osi/include/properties.h"
39 #include "stack/include/bt_hdr.h"
40 #include "types/raw_address.h"
41
42 /*****************************************************************************
43 * Global data
44 ****************************************************************************/
45
46 #define AVRC_MAX_RCV_CTRL_EVT AVCT_BROWSE_UNCONG_IND_EVT
47
48 #ifndef MAX
49 #define MAX(a, b) ((a) > (b) ? (a) : (b))
50 #endif
51
52 static const uint8_t avrc_ctrl_event_map[] = {
53 AVRC_OPEN_IND_EVT, /* AVCT_CONNECT_CFM_EVT */
54 AVRC_OPEN_IND_EVT, /* AVCT_CONNECT_IND_EVT */
55 AVRC_CLOSE_IND_EVT, /* AVCT_DISCONNECT_CFM_EVT */
56 AVRC_CLOSE_IND_EVT, /* AVCT_DISCONNECT_IND_EVT */
57 AVRC_CONG_IND_EVT, /* AVCT_CONG_IND_EVT */
58 AVRC_UNCONG_IND_EVT, /* AVCT_UNCONG_IND_EVT */
59 AVRC_BROWSE_OPEN_IND_EVT, /* AVCT_BROWSE_CONN_CFM_EVT */
60 AVRC_BROWSE_OPEN_IND_EVT, /* AVCT_BROWSE_CONN_IND_EVT */
61 AVRC_BROWSE_CLOSE_IND_EVT, /* AVCT_BROWSE_DISCONN_CFM_EVT */
62 AVRC_BROWSE_CLOSE_IND_EVT, /* AVCT_BROWSE_DISCONN_IND_EVT */
63 AVRC_BROWSE_CONG_IND_EVT, /* AVCT_BROWSE_CONG_IND_EVT */
64 AVRC_BROWSE_UNCONG_IND_EVT /* AVCT_BROWSE_UNCONG_IND_EVT */
65 };
66
67 /* use this unused opcode to indication no need to call the callback function */
68 #define AVRC_OP_DROP 0xFE
69 /* use this unused opcode to indication no need to call the callback function &
70 * free buffer */
71 #define AVRC_OP_DROP_N_FREE 0xFD
72
73 #define AVRC_OP_UNIT_INFO_RSP_LEN 8
74 #define AVRC_OP_SUB_UNIT_INFO_RSP_LEN 8
75 #define AVRC_OP_REJ_MSG_LEN 11
76
77 /* Flags definitions for AVRC_MsgReq */
78 #define AVRC_MSG_MASK_IS_VENDOR_CMD 0x01
79 #define AVRC_MSG_MASK_IS_CONTINUATION_RSP 0x02
80
81 /******************************************************************************
82 *
83 * Function avrcp_absolute_volume_is_enabled
84 *
85 * Description Check if config support advance control (absolute volume)
86 *
87 * Returns return true if absolute_volume is enabled
88 *
89 *****************************************************************************/
avrcp_absolute_volume_is_enabled()90 bool avrcp_absolute_volume_is_enabled() {
91 #ifdef __ANDROID__
92 static const bool absolute_volume =
93 android::sysprop::bluetooth::Avrcp::absolute_volume().value_or(true);
94 return absolute_volume;
95 #else
96 return true;
97 #endif
98 }
99
100 /******************************************************************************
101 *
102 * Function avrc_ctrl_cback
103 *
104 * Description This is the callback function used by AVCTP to report
105 * received link events.
106 *
107 * Returns Nothing.
108 *
109 *****************************************************************************/
avrc_ctrl_cback(uint8_t handle,uint8_t event,uint16_t result,const RawAddress * peer_addr)110 static void avrc_ctrl_cback(uint8_t handle, uint8_t event, uint16_t result,
111 const RawAddress* peer_addr) {
112 uint8_t avrc_event;
113
114 if (event <= AVRC_MAX_RCV_CTRL_EVT && avrc_cb.ccb[handle].ctrl_cback) {
115 avrc_event = avrc_ctrl_event_map[event];
116 if (event == AVCT_CONNECT_CFM_EVT) {
117 if (result != 0) /* failed */
118 avrc_event = AVRC_CLOSE_IND_EVT;
119 }
120 avrc_cb.ccb[handle].ctrl_cback.Run(handle, avrc_event, result, peer_addr);
121 }
122
123 if ((event == AVCT_DISCONNECT_CFM_EVT) ||
124 (event == AVCT_DISCONNECT_IND_EVT)) {
125 avrc_flush_cmd_q(handle);
126 alarm_free(avrc_cb.ccb_int[handle].tle);
127 avrc_cb.ccb_int[handle].tle = NULL;
128 }
129 }
130
131 /******************************************************************************
132 *
133 * Function avrc_flush_cmd_q
134 *
135 * Description Flush command queue for the specified avrc handle
136 *
137 * Returns Nothing.
138 *
139 *****************************************************************************/
avrc_flush_cmd_q(uint8_t handle)140 void avrc_flush_cmd_q(uint8_t handle) {
141 AVRC_TRACE_DEBUG("AVRC: Flushing command queue for handle=0x%02x", handle);
142 avrc_cb.ccb_int[handle].flags &= ~AVRC_CB_FLAGS_RSP_PENDING;
143
144 alarm_cancel(avrc_cb.ccb_int[handle].tle);
145 fixed_queue_free(avrc_cb.ccb_int[handle].cmd_q, osi_free);
146 avrc_cb.ccb_int[handle].cmd_q = NULL;
147 }
148
149 /******************************************************************************
150 *
151 * Function avrc_process_timeout
152 *
153 * Description Handle avrc command timeout
154 *
155 * Returns Nothing.
156 *
157 *****************************************************************************/
avrc_process_timeout(void * data)158 void avrc_process_timeout(void* data) {
159 tAVRC_PARAM* param = (tAVRC_PARAM*)data;
160
161 AVRC_TRACE_DEBUG("AVRC: command timeout (handle=0x%02x, label=0x%02x)",
162 param->handle, param->label);
163
164 /* Notify app */
165 if (avrc_cb.ccb[param->handle].ctrl_cback) {
166 avrc_cb.ccb[param->handle].ctrl_cback.Run(
167 param->handle, AVRC_CMD_TIMEOUT_EVT, param->label, NULL);
168 }
169
170 /* If vendor command timed-out, then send next command in the queue */
171 if (param->msg_mask & AVRC_MSG_MASK_IS_VENDOR_CMD) {
172 avrc_send_next_vendor_cmd(param->handle);
173 }
174 osi_free(param);
175 }
176
177 /******************************************************************************
178 *
179 * Function avrc_send_next_vendor_cmd
180 *
181 * Description Dequeue and send next vendor command for given handle
182 *
183 * Returns Nothing.
184 *
185 *****************************************************************************/
avrc_send_next_vendor_cmd(uint8_t handle)186 void avrc_send_next_vendor_cmd(uint8_t handle) {
187 BT_HDR* p_next_cmd;
188 uint8_t next_label;
189
190 while ((p_next_cmd = (BT_HDR*)fixed_queue_try_dequeue(
191 avrc_cb.ccb_int[handle].cmd_q)) != NULL) {
192 p_next_cmd->event &= 0xFF; /* opcode */
193 next_label = (p_next_cmd->layer_specific) >> 8; /* extract label */
194 p_next_cmd->layer_specific &= 0xFF; /* AVCT_DATA_CTRL or AVCT_DATA_BROWSE */
195
196 AVRC_TRACE_DEBUG(
197 "AVRC: Dequeuing command 0x%08x (handle=0x%02x, label=0x%02x)",
198 p_next_cmd, handle, next_label);
199
200 /* Send the message */
201 if ((AVCT_MsgReq(handle, next_label, AVCT_CMD, p_next_cmd)) ==
202 AVCT_SUCCESS) {
203 /* Start command timer to wait for response */
204 avrc_start_cmd_timer(handle, next_label, AVRC_MSG_MASK_IS_VENDOR_CMD);
205 return;
206 }
207 }
208
209 if (p_next_cmd == NULL) {
210 /* cmd queue empty */
211 avrc_cb.ccb_int[handle].flags &= ~AVRC_CB_FLAGS_RSP_PENDING;
212 }
213 }
214
215 /******************************************************************************
216 *
217 * Function avrc_start_cmd_timer
218 *
219 * Description Start timer for waiting for responses
220 *
221 * Returns Nothing.
222 *
223 *****************************************************************************/
avrc_start_cmd_timer(uint8_t handle,uint8_t label,uint8_t msg_mask)224 void avrc_start_cmd_timer(uint8_t handle, uint8_t label, uint8_t msg_mask) {
225 tAVRC_PARAM* param =
226 static_cast<tAVRC_PARAM*>(osi_malloc(sizeof(tAVRC_PARAM)));
227 param->handle = handle;
228 param->label = label;
229 param->msg_mask = msg_mask;
230
231 AVRC_TRACE_DEBUG("AVRC: starting timer (handle=0x%02x, label=0x%02x)", handle,
232 label);
233
234 alarm_set_on_mloop(avrc_cb.ccb_int[handle].tle, AVRC_CMD_TOUT_MS,
235 avrc_process_timeout, param);
236 }
237
238 /******************************************************************************
239 *
240 * Function avrc_get_data_ptr
241 *
242 * Description Gets a pointer to the data payload in the packet.
243 *
244 * Returns A pointer to the data payload.
245 *
246 *****************************************************************************/
avrc_get_data_ptr(BT_HDR * p_pkt)247 static uint8_t* avrc_get_data_ptr(BT_HDR* p_pkt) {
248 return (uint8_t*)(p_pkt + 1) + p_pkt->offset;
249 }
250
251 /******************************************************************************
252 *
253 * Function avrc_copy_packet
254 *
255 * Description Copies an AVRC packet to a new buffer. In the new buffer,
256 * the payload offset is at least AVCT_MSG_OFFSET octets.
257 *
258 * Returns The buffer with the copied data.
259 *
260 *****************************************************************************/
avrc_copy_packet(BT_HDR * p_pkt,int rsp_pkt_len)261 static BT_HDR* avrc_copy_packet(BT_HDR* p_pkt, int rsp_pkt_len) {
262 const int offset = MAX(AVCT_MSG_OFFSET, p_pkt->offset);
263 const int pkt_len = MAX(rsp_pkt_len, p_pkt->len);
264 BT_HDR* p_pkt_copy = (BT_HDR*)osi_calloc(BT_HDR_SIZE + offset + pkt_len);
265
266 /* Copy the packet header, set the new offset, and copy the payload */
267 memcpy(p_pkt_copy, p_pkt, BT_HDR_SIZE);
268 p_pkt_copy->offset = offset;
269 uint8_t* p_data = avrc_get_data_ptr(p_pkt);
270 uint8_t* p_data_copy = avrc_get_data_ptr(p_pkt_copy);
271 memcpy(p_data_copy, p_data, p_pkt->len);
272
273 return p_pkt_copy;
274 }
275
276 /******************************************************************************
277 *
278 * Function avrc_prep_end_frag
279 *
280 * Description This function prepares an end response fragment
281 *
282 * Returns Nothing.
283 *
284 *****************************************************************************/
avrc_prep_end_frag(uint8_t handle)285 static void avrc_prep_end_frag(uint8_t handle) {
286 tAVRC_FRAG_CB* p_fcb;
287 BT_HDR* p_pkt_new;
288 uint8_t *p_data, *p_orig_data;
289 uint8_t rsp_type;
290
291 AVRC_TRACE_DEBUG("%s", __func__);
292 p_fcb = &avrc_cb.fcb[handle];
293
294 /* The response type of the end fragment should be the same as the the PDU of
295 * "End Fragment Response" Errata:
296 * https://www.bluetooth.org/errata/errata_view.cfm?errata_id=4383
297 */
298 p_orig_data = ((uint8_t*)(p_fcb->p_fmsg + 1) + p_fcb->p_fmsg->offset);
299 rsp_type = ((*p_orig_data) & AVRC_CTYPE_MASK);
300
301 p_pkt_new = p_fcb->p_fmsg;
302 p_pkt_new->len -=
303 (AVRC_MAX_CTRL_DATA_LEN - AVRC_VENDOR_HDR_SIZE - AVRC_MIN_META_HDR_SIZE);
304 p_pkt_new->offset +=
305 (AVRC_MAX_CTRL_DATA_LEN - AVRC_VENDOR_HDR_SIZE - AVRC_MIN_META_HDR_SIZE);
306 p_data = (uint8_t*)(p_pkt_new + 1) + p_pkt_new->offset;
307 *p_data++ = rsp_type;
308 *p_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT);
309 *p_data++ = AVRC_OP_VENDOR;
310 AVRC_CO_ID_TO_BE_STREAM(p_data, AVRC_CO_METADATA);
311 *p_data++ = p_fcb->frag_pdu;
312 *p_data++ = AVRC_PKT_END;
313
314 /* 4=pdu, pkt_type & len */
315 UINT16_TO_BE_STREAM(
316 p_data, (p_pkt_new->len - AVRC_VENDOR_HDR_SIZE - AVRC_MIN_META_HDR_SIZE));
317 }
318
319 /******************************************************************************
320 *
321 * Function avrc_send_continue_frag
322 *
323 * Description This function sends a continue response fragment
324 *
325 * Returns AVRC_SUCCESS if successful.
326 * AVRC_BAD_HANDLE if handle is invalid.
327 *
328 *****************************************************************************/
avrc_send_continue_frag(uint8_t handle,uint8_t label)329 static uint16_t avrc_send_continue_frag(uint8_t handle, uint8_t label) {
330 tAVRC_FRAG_CB* p_fcb;
331 BT_HDR *p_pkt_old, *p_pkt;
332 uint8_t *p_old, *p_data;
333 uint8_t cr = AVCT_RSP;
334
335 p_fcb = &avrc_cb.fcb[handle];
336 p_pkt = p_fcb->p_fmsg;
337
338 AVRC_TRACE_DEBUG("%s handle = %u label = %u len = %d", __func__, handle,
339 label, p_pkt->len);
340 if (p_pkt->len > AVRC_MAX_CTRL_DATA_LEN) {
341 int offset_len = MAX(AVCT_MSG_OFFSET, p_pkt->offset);
342 p_pkt_old = p_fcb->p_fmsg;
343 p_pkt = (BT_HDR*)osi_calloc(AVRC_PACKET_LEN + offset_len + BT_HDR_SIZE);
344 p_pkt->len = AVRC_MAX_CTRL_DATA_LEN;
345 p_pkt->offset = AVCT_MSG_OFFSET;
346 p_pkt->layer_specific = p_pkt_old->layer_specific;
347 p_pkt->event = p_pkt_old->event;
348 p_old = (uint8_t*)(p_pkt_old + 1) + p_pkt_old->offset;
349 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
350 memcpy(p_data, p_old, AVRC_MAX_CTRL_DATA_LEN);
351 /* use AVRC continue packet type */
352 p_data += AVRC_VENDOR_HDR_SIZE;
353 p_data++; /* pdu */
354 *p_data++ = AVRC_PKT_CONTINUE;
355 /* 4=pdu, pkt_type & len */
356 UINT16_TO_BE_STREAM(p_data,
357 (AVRC_MAX_CTRL_DATA_LEN - AVRC_VENDOR_HDR_SIZE - 4));
358
359 /* prepare the left over for as an end fragment */
360 avrc_prep_end_frag(handle);
361 } else {
362 /* end fragment. clean the control block */
363 p_fcb->frag_enabled = false;
364 p_fcb->p_fmsg = NULL;
365 }
366 return AVCT_MsgReq(handle, label, cr, p_pkt);
367 }
368
369 /******************************************************************************
370 *
371 * Function avrc_proc_vendor_command
372 *
373 * Description This function processes received vendor command.
374 *
375 * Returns if not NULL, the response to send right away.
376 *
377 *****************************************************************************/
avrc_proc_vendor_command(uint8_t handle,uint8_t label,BT_HDR * p_pkt,tAVRC_MSG_VENDOR * p_msg)378 static BT_HDR* avrc_proc_vendor_command(uint8_t handle, uint8_t label,
379 BT_HDR* p_pkt,
380 tAVRC_MSG_VENDOR* p_msg) {
381 BT_HDR* p_rsp = NULL;
382 uint8_t* p_data;
383 uint8_t* p_begin;
384 uint8_t pkt_type;
385 bool abort_frag = false;
386 tAVRC_STS status = AVRC_STS_NO_ERROR;
387 tAVRC_FRAG_CB* p_fcb;
388
389 p_begin = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
390 p_data = p_begin + AVRC_VENDOR_HDR_SIZE;
391 pkt_type = *(p_data + 1) & AVRC_PKT_TYPE_MASK;
392
393 if (pkt_type != AVRC_PKT_SINGLE) {
394 /* reject - commands can only be in single packets at AVRCP level */
395 AVRC_TRACE_ERROR("commands must be in single packet pdu:0x%x", *p_data);
396 /* use the current GKI buffer to send the reject */
397 status = AVRC_STS_BAD_CMD;
398 }
399 /* check if there are fragments waiting to be sent */
400 else if (avrc_cb.fcb[handle].frag_enabled) {
401 p_fcb = &avrc_cb.fcb[handle];
402 if (p_msg->company_id == AVRC_CO_METADATA) {
403 switch (*p_data) {
404 case AVRC_PDU_ABORT_CONTINUATION_RSP:
405 /* aborted by CT - send accept response */
406 abort_frag = true;
407 p_begin = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
408 *p_begin = (AVRC_RSP_ACCEPT & AVRC_CTYPE_MASK);
409 if (*(p_data + 4) != p_fcb->frag_pdu) {
410 *p_begin = (AVRC_RSP_REJ & AVRC_CTYPE_MASK);
411 *(p_data + 4) = AVRC_STS_BAD_PARAM;
412 } else {
413 p_data = (p_begin + AVRC_VENDOR_HDR_SIZE + 2);
414 UINT16_TO_BE_STREAM(p_data, 0);
415 p_pkt->len = (p_data - p_begin);
416 }
417 AVCT_MsgReq(handle, label, AVCT_RSP, p_pkt);
418 p_msg->hdr.opcode =
419 AVRC_OP_DROP; /* used the p_pkt to send response */
420 break;
421
422 case AVRC_PDU_REQUEST_CONTINUATION_RSP:
423 if (*(p_data + 4) == p_fcb->frag_pdu) {
424 avrc_send_continue_frag(handle, label);
425 p_msg->hdr.opcode = AVRC_OP_DROP_N_FREE;
426 } else {
427 /* the pdu id does not match - reject the command using the current
428 * GKI buffer */
429 AVRC_TRACE_ERROR(
430 "%s continue pdu: 0x%x does not match the current pdu: 0x%x",
431 __func__, *(p_data + 4), p_fcb->frag_pdu);
432 status = AVRC_STS_BAD_PARAM;
433 abort_frag = true;
434 }
435 break;
436
437 default:
438 /* implicit abort */
439 abort_frag = true;
440 }
441 } else {
442 abort_frag = true;
443 /* implicit abort */
444 }
445
446 if (abort_frag) {
447 osi_free_and_reset((void**)&p_fcb->p_fmsg);
448 p_fcb->frag_enabled = false;
449 }
450 }
451
452 if (status != AVRC_STS_NO_ERROR) {
453 p_rsp = (BT_HDR*)osi_calloc(BT_DEFAULT_BUFFER_SIZE);
454 p_rsp->offset = p_pkt->offset;
455 p_data = (uint8_t*)(p_rsp + 1) + p_pkt->offset;
456 *p_data++ = AVRC_RSP_REJ;
457 p_data += AVRC_VENDOR_HDR_SIZE; /* pdu */
458 *p_data++ = 0; /* pkt_type */
459 UINT16_TO_BE_STREAM(p_data, 1); /* len */
460 *p_data++ = status; /* error code */
461 p_rsp->len = AVRC_VENDOR_HDR_SIZE + 5;
462 }
463
464 return p_rsp;
465 }
466
467 /******************************************************************************
468 *
469 * Function avrc_proc_far_msg
470 *
471 * Description This function processes metadata fragmenation
472 * and reassembly
473 *
474 * Returns 0, to report the message with msg_cback .
475 *
476 *****************************************************************************/
avrc_proc_far_msg(uint8_t handle,uint8_t label,uint8_t cr,BT_HDR ** pp_pkt,tAVRC_MSG_VENDOR * p_msg)477 static uint8_t avrc_proc_far_msg(uint8_t handle, uint8_t label, uint8_t cr,
478 BT_HDR** pp_pkt, tAVRC_MSG_VENDOR* p_msg) {
479 BT_HDR* p_pkt = *pp_pkt;
480 uint8_t* p_data;
481 uint8_t drop_code = 0;
482 bool buf_overflow = false;
483 BT_HDR* p_rsp = NULL;
484 BT_HDR* p_cmd = NULL;
485 bool req_continue = false;
486 BT_HDR* p_pkt_new = NULL;
487 uint8_t pkt_type;
488 tAVRC_RASM_CB* p_rcb;
489 tAVRC_NEXT_CMD avrc_cmd;
490 tAVRC_STS status;
491
492 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
493
494 /* Skip over vendor header (ctype, subunit*, opcode, CO_ID) */
495 p_data += AVRC_VENDOR_HDR_SIZE;
496
497 pkt_type = *(p_data + 1) & AVRC_PKT_TYPE_MASK;
498 AVRC_TRACE_DEBUG("pkt_type %d", pkt_type);
499 p_rcb = &avrc_cb.rcb[handle];
500
501 /* check if the message needs to be re-assembled */
502 if (pkt_type == AVRC_PKT_SINGLE || pkt_type == AVRC_PKT_START) {
503 /* previous fragments need to be dropped, when received another new message
504 */
505 p_rcb->rasm_offset = 0;
506 osi_free_and_reset((void**)&p_rcb->p_rmsg);
507 }
508
509 if (pkt_type != AVRC_PKT_SINGLE && cr == AVCT_RSP) {
510 /* not a single response packet - need to re-assemble metadata messages */
511 if (pkt_type == AVRC_PKT_START) {
512 /* Allocate buffer for re-assembly */
513 p_rcb->rasm_pdu = *p_data;
514 p_rcb->p_rmsg = (BT_HDR*)osi_calloc(BT_DEFAULT_BUFFER_SIZE);
515 /* Copy START packet to buffer for re-assembling fragments */
516 memcpy(p_rcb->p_rmsg, p_pkt, sizeof(BT_HDR)); /* Copy bt hdr */
517
518 /* Copy metadata message */
519 memcpy((uint8_t*)(p_rcb->p_rmsg + 1),
520 (uint8_t*)(p_pkt + 1) + p_pkt->offset, p_pkt->len);
521
522 /* offset of start of metadata response in reassembly buffer */
523 p_rcb->p_rmsg->offset = p_rcb->rasm_offset = 0;
524
525 /*
526 * Free original START packet, replace with pointer to
527 * reassembly buffer.
528 */
529 osi_free(p_pkt);
530 *pp_pkt = p_rcb->p_rmsg;
531
532 /*
533 * Set offset to point to where to copy next - use the same
534 * reassembly logic as AVCT.
535 */
536 p_rcb->p_rmsg->offset += p_rcb->p_rmsg->len;
537 req_continue = true;
538 } else if (p_rcb->p_rmsg == NULL) {
539 /* Received a CONTINUE/END, but no corresponding START
540 (or previous fragmented response was dropped) */
541 AVRC_TRACE_DEBUG(
542 "Received a CONTINUE/END without no corresponding START \
543 (or previous fragmented response was dropped)");
544 drop_code = 5;
545 osi_free(p_pkt);
546 *pp_pkt = NULL;
547 } else {
548 /* get size of buffer holding assembled message */
549 /*
550 * NOTE: The buffer is allocated above at the beginning of the
551 * reassembly, and is always of size BT_DEFAULT_BUFFER_SIZE.
552 */
553 uint16_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR);
554 /* adjust offset and len of fragment for header byte */
555 p_pkt->offset += (AVRC_VENDOR_HDR_SIZE + AVRC_MIN_META_HDR_SIZE);
556 p_pkt->len -= (AVRC_VENDOR_HDR_SIZE + AVRC_MIN_META_HDR_SIZE);
557 /* verify length */
558 if ((p_rcb->p_rmsg->offset + p_pkt->len) > buf_len) {
559 AVRC_TRACE_WARNING(
560 "Fragmented message too big! - report the partial message");
561 p_pkt->len = buf_len - p_rcb->p_rmsg->offset;
562 pkt_type = AVRC_PKT_END;
563 buf_overflow = true;
564 }
565
566 /* copy contents of p_pkt to p_rx_msg */
567 memcpy((uint8_t*)(p_rcb->p_rmsg + 1) + p_rcb->p_rmsg->offset,
568 (uint8_t*)(p_pkt + 1) + p_pkt->offset, p_pkt->len);
569
570 if (pkt_type == AVRC_PKT_END) {
571 p_rcb->p_rmsg->offset = p_rcb->rasm_offset;
572 p_rcb->p_rmsg->len += p_pkt->len;
573 p_pkt_new = p_rcb->p_rmsg;
574 p_rcb->rasm_offset = 0;
575 p_rcb->p_rmsg = NULL;
576 p_msg->p_vendor_data = (uint8_t*)(p_pkt_new + 1) + p_pkt_new->offset;
577 p_msg->hdr.ctype = p_msg->p_vendor_data[0] & AVRC_CTYPE_MASK;
578 /* 6 = ctype, subunit*, opcode & CO_ID */
579 p_msg->p_vendor_data += AVRC_VENDOR_HDR_SIZE;
580 p_msg->vendor_len = p_pkt_new->len - AVRC_VENDOR_HDR_SIZE;
581 p_data = p_msg->p_vendor_data + 1; /* skip pdu */
582 *p_data++ = AVRC_PKT_SINGLE;
583 UINT16_TO_BE_STREAM(p_data,
584 (p_msg->vendor_len - AVRC_MIN_META_HDR_SIZE));
585 AVRC_TRACE_DEBUG("end frag:%d, total len:%d, offset:%d", p_pkt->len,
586 p_pkt_new->len, p_pkt_new->offset);
587 } else {
588 p_rcb->p_rmsg->offset += p_pkt->len;
589 p_rcb->p_rmsg->len += p_pkt->len;
590 p_pkt_new = NULL;
591 req_continue = true;
592 }
593 osi_free(p_pkt);
594 *pp_pkt = p_pkt_new;
595 }
596 }
597
598 if (cr == AVCT_CMD) {
599 p_rsp = avrc_proc_vendor_command(handle, label, *pp_pkt, p_msg);
600 if (p_rsp) {
601 AVCT_MsgReq(handle, label, AVCT_RSP, p_rsp);
602 osi_free_and_reset((void**)pp_pkt);
603 drop_code = 3;
604 } else if (p_msg->hdr.opcode == AVRC_OP_DROP) {
605 drop_code = 1;
606 } else if (p_msg->hdr.opcode == AVRC_OP_DROP_N_FREE)
607 drop_code = 4;
608
609 } else if (cr == AVCT_RSP) {
610 if (req_continue) {
611 avrc_cmd.pdu = AVRC_PDU_REQUEST_CONTINUATION_RSP;
612 drop_code = 2;
613 } else if (buf_overflow) {
614 /* Incoming message too big to fit in BT_DEFAULT_BUFFER_SIZE. Send abort
615 * to peer */
616 avrc_cmd.pdu = AVRC_PDU_ABORT_CONTINUATION_RSP;
617 drop_code = 4;
618 } else {
619 return drop_code;
620 }
621 avrc_cmd.status = AVRC_STS_NO_ERROR;
622 avrc_cmd.opcode = AVRC_OP_INVALID;
623 avrc_cmd.target_pdu = p_rcb->rasm_pdu;
624
625 tAVRC_COMMAND avrc_command;
626 avrc_command.continu = avrc_cmd;
627 status = AVRC_BldCommand(&avrc_command, &p_cmd);
628 if (status == AVRC_STS_NO_ERROR) {
629 AVRC_MsgReq(handle, (uint8_t)(label), AVRC_CMD_CTRL, p_cmd);
630 }
631 }
632
633 return drop_code;
634 }
635
636 /******************************************************************************
637 *
638 * Function avrc_msg_cback
639 *
640 * Description This is the callback function used by AVCTP to report
641 * received AV control messages.
642 *
643 * Returns Nothing.
644 *
645 *****************************************************************************/
avrc_msg_cback(uint8_t handle,uint8_t label,uint8_t cr,BT_HDR * p_pkt)646 static void avrc_msg_cback(uint8_t handle, uint8_t label, uint8_t cr,
647 BT_HDR* p_pkt) {
648 uint8_t opcode;
649 tAVRC_MSG msg;
650 uint8_t* p_data;
651 uint8_t* p_begin;
652 bool drop = false;
653 bool do_free = true;
654 BT_HDR* p_rsp = NULL;
655 uint8_t* p_rsp_data;
656 int xx;
657 bool reject = false;
658 const char* p_drop_msg = "dropped";
659 tAVRC_MSG_VENDOR* p_msg = &msg.vendor;
660
661 if (cr == AVCT_CMD && (p_pkt->layer_specific & AVCT_DATA_CTRL &&
662 p_pkt->len > AVRC_PACKET_LEN)) {
663 AVRC_TRACE_WARNING("%s: Command length %d too long: must be at most %d",
664 __func__, p_pkt->len, AVRC_PACKET_LEN);
665 osi_free(p_pkt);
666 return;
667 }
668
669 if (cr == AVCT_REJ) {
670 /* The peer thinks that this PID is no longer open - remove this handle */
671 /* */
672 osi_free(p_pkt);
673 AVCT_RemoveConn(handle);
674 return;
675 } else if (cr == AVCT_RSP) {
676 /* Received response. Stop command timeout timer */
677 AVRC_TRACE_DEBUG("AVRC: stopping timer (handle=0x%02x)", handle);
678 alarm_cancel(avrc_cb.ccb_int[handle].tle);
679 }
680
681 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
682 memset(&msg, 0, sizeof(tAVRC_MSG));
683
684 if (p_pkt->layer_specific == AVCT_DATA_BROWSE) {
685 opcode = AVRC_OP_BROWSE;
686 msg.browse.hdr.ctype = cr;
687 msg.browse.p_browse_data = p_data;
688 msg.browse.browse_len = p_pkt->len;
689 msg.browse.p_browse_pkt = p_pkt;
690 } else {
691 if (p_pkt->len < AVRC_AVC_HDR_SIZE) {
692 AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",
693 __func__, p_pkt->len, AVRC_AVC_HDR_SIZE);
694 osi_free(p_pkt);
695 return;
696 }
697 msg.hdr.ctype = p_data[0] & AVRC_CTYPE_MASK;
698 AVRC_TRACE_DEBUG("%s handle:%d, ctype:%d, offset:%d, len: %d", __func__,
699 handle, msg.hdr.ctype, p_pkt->offset, p_pkt->len);
700 msg.hdr.subunit_type =
701 (p_data[1] & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
702 msg.hdr.subunit_id = p_data[1] & AVRC_SUBID_MASK;
703 opcode = p_data[2];
704 }
705
706 if (((avrc_cb.ccb[handle].control & AVRC_CT_TARGET) && (cr == AVCT_CMD)) ||
707 ((avrc_cb.ccb[handle].control & AVRC_CT_CONTROL) && (cr == AVCT_RSP))) {
708 switch (opcode) {
709 case AVRC_OP_UNIT_INFO:
710 if (cr == AVCT_CMD) {
711 /* send the response to the peer */
712 p_rsp = avrc_copy_packet(p_pkt, AVRC_OP_UNIT_INFO_RSP_LEN);
713 p_rsp_data = avrc_get_data_ptr(p_rsp);
714 *p_rsp_data = AVRC_RSP_IMPL_STBL;
715 /* check & set the offset. set response code, set subunit_type &
716 subunit_id,
717 set AVRC_OP_UNIT_INFO */
718 /* 3 bytes: ctype, subunit*, opcode */
719 p_rsp_data += AVRC_AVC_HDR_SIZE;
720 *p_rsp_data++ = 7;
721 /* Panel subunit & id=0 */
722 *p_rsp_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT);
723 AVRC_CO_ID_TO_BE_STREAM(p_rsp_data, avrc_cb.ccb[handle].company_id);
724 p_rsp->len =
725 (uint16_t)(p_rsp_data - (uint8_t*)(p_rsp + 1) - p_rsp->offset);
726 cr = AVCT_RSP;
727 p_drop_msg = "auto respond";
728 } else {
729 /* parse response */
730 if (p_pkt->len < AVRC_OP_UNIT_INFO_RSP_LEN) {
731 AVRC_TRACE_WARNING(
732 "%s: message length %d too short: must be at least %d",
733 __func__, p_pkt->len, AVRC_OP_UNIT_INFO_RSP_LEN);
734 drop = true;
735 p_drop_msg = "UNIT_INFO_RSP too short";
736 break;
737 }
738 p_data += 4; /* 3 bytes: ctype, subunit*, opcode + octet 3 (is 7)*/
739 msg.unit.unit_type =
740 (*p_data & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
741 msg.unit.unit = *p_data & AVRC_SUBID_MASK;
742 p_data++;
743 AVRC_BE_STREAM_TO_CO_ID(msg.unit.company_id, p_data);
744 }
745 break;
746
747 case AVRC_OP_SUB_INFO:
748 if (cr == AVCT_CMD) {
749 /* send the response to the peer */
750 p_rsp = avrc_copy_packet(p_pkt, AVRC_OP_SUB_UNIT_INFO_RSP_LEN);
751 p_rsp_data = avrc_get_data_ptr(p_rsp);
752 *p_rsp_data = AVRC_RSP_IMPL_STBL;
753 /* check & set the offset. set response code, set (subunit_type &
754 subunit_id),
755 set AVRC_OP_SUB_INFO, set (page & extention code) */
756 p_rsp_data += 4;
757 /* Panel subunit & id=0 */
758 *p_rsp_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT);
759 memset(p_rsp_data, AVRC_CMD_OPRND_PAD, AVRC_SUBRSP_OPRND_BYTES);
760 p_rsp_data += AVRC_SUBRSP_OPRND_BYTES;
761 p_rsp->len =
762 (uint16_t)(p_rsp_data - (uint8_t*)(p_rsp + 1) - p_rsp->offset);
763 cr = AVCT_RSP;
764 p_drop_msg = "auto responded";
765 } else {
766 /* parse response */
767 if (p_pkt->len < AVRC_OP_SUB_UNIT_INFO_RSP_LEN) {
768 AVRC_TRACE_WARNING(
769 "%s: message length %d too short: must be at least %d",
770 __func__, p_pkt->len, AVRC_OP_SUB_UNIT_INFO_RSP_LEN);
771 drop = true;
772 p_drop_msg = "SUB_UNIT_INFO_RSP too short";
773 break;
774 }
775 p_data += AVRC_AVC_HDR_SIZE; /* 3 bytes: ctype, subunit*, opcode */
776 msg.sub.page =
777 (*p_data++ >> AVRC_SUB_PAGE_SHIFT) & AVRC_SUB_PAGE_MASK;
778 xx = 0;
779 while (*p_data != AVRC_CMD_OPRND_PAD && xx < AVRC_SUB_TYPE_LEN) {
780 msg.sub.subunit_type[xx] = *p_data++ >> AVRC_SUBTYPE_SHIFT;
781 if (msg.sub.subunit_type[xx] == AVRC_SUB_PANEL)
782 msg.sub.panel = true;
783 xx++;
784 }
785 }
786 break;
787
788 case AVRC_OP_VENDOR: {
789 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
790 p_begin = p_data;
791 if (p_pkt->len <
792 AVRC_VENDOR_HDR_SIZE) /* 6 = ctype, subunit*, opcode & CO_ID */
793 {
794 if (cr == AVCT_CMD)
795 reject = true;
796 else
797 drop = true;
798 break;
799 }
800 p_data += AVRC_AVC_HDR_SIZE; /* skip the first 3 bytes: ctype, subunit*,
801 opcode */
802 AVRC_BE_STREAM_TO_CO_ID(p_msg->company_id, p_data);
803 p_msg->p_vendor_data = p_data;
804 p_msg->vendor_len = p_pkt->len - (p_data - p_begin);
805
806 uint8_t drop_code = 0;
807 if (p_msg->company_id == AVRC_CO_METADATA) {
808 /* Validate length for metadata message */
809 if (p_pkt->len < (AVRC_VENDOR_HDR_SIZE + AVRC_MIN_META_HDR_SIZE)) {
810 if (cr == AVCT_CMD)
811 reject = true;
812 else
813 drop = true;
814 break;
815 }
816
817 /* Check+handle fragmented messages */
818 drop_code = avrc_proc_far_msg(handle, label, cr, &p_pkt, p_msg);
819 if (drop_code > 0) drop = true;
820 }
821 if (drop_code > 0) {
822 if (drop_code != 4) do_free = false;
823 switch (drop_code) {
824 case 1:
825 p_drop_msg = "sent_frag";
826 break;
827 case 2:
828 p_drop_msg = "req_cont";
829 break;
830 case 3:
831 p_drop_msg = "sent_frag3";
832 break;
833 case 4:
834 p_drop_msg = "sent_frag_free";
835 break;
836 default:
837 p_drop_msg = "sent_fragd";
838 }
839 }
840 /* If vendor response received, and did not ask for continuation */
841 /* then check queue for addition commands to send */
842 if ((cr == AVCT_RSP) && (drop_code != 2)) {
843 avrc_send_next_vendor_cmd(handle);
844 }
845 } break;
846
847 case AVRC_OP_PASS_THRU:
848 if (p_pkt->len < 5) /* 3 bytes: ctype, subunit*, opcode & op_id & len */
849 {
850 if (cr == AVCT_CMD)
851 reject = true;
852 else
853 drop = true;
854 break;
855 }
856 p_data += AVRC_AVC_HDR_SIZE; /* skip the first 3 bytes: ctype, subunit*,
857 opcode */
858 msg.pass.op_id = (AVRC_PASS_OP_ID_MASK & *p_data);
859 if (AVRC_PASS_STATE_MASK & *p_data)
860 msg.pass.state = true;
861 else
862 msg.pass.state = false;
863 p_data++;
864 msg.pass.pass_len = *p_data++;
865 if (msg.pass.pass_len != p_pkt->len - 5)
866 msg.pass.pass_len = p_pkt->len - 5;
867 if (msg.pass.pass_len)
868 msg.pass.p_pass_data = p_data;
869 else
870 msg.pass.p_pass_data = NULL;
871 break;
872
873 case AVRC_OP_BROWSE:
874 /* If browse response received, then check queue for addition commands
875 * to send */
876 if (cr == AVCT_RSP) {
877 avrc_send_next_vendor_cmd(handle);
878 }
879 break;
880
881 default:
882 if ((avrc_cb.ccb[handle].control & AVRC_CT_TARGET) &&
883 (cr == AVCT_CMD)) {
884 /* reject unsupported opcode */
885 reject = true;
886 }
887 drop = true;
888 break;
889 }
890 } else /* drop the event */
891 {
892 if (opcode != AVRC_OP_BROWSE) drop = true;
893 }
894
895 if (reject) {
896 /* reject unsupported opcode */
897 p_rsp = avrc_copy_packet(p_pkt, AVRC_OP_REJ_MSG_LEN);
898 p_rsp_data = avrc_get_data_ptr(p_rsp);
899 *p_rsp_data = AVRC_RSP_REJ;
900 p_drop_msg = "rejected";
901 cr = AVCT_RSP;
902 drop = true;
903 }
904
905 if (p_rsp) {
906 /* set to send response right away */
907 AVCT_MsgReq(handle, label, cr, p_rsp);
908 drop = true;
909 }
910
911 if (!drop) {
912 msg.hdr.opcode = opcode;
913 avrc_cb.ccb[handle].msg_cback.Run(handle, label, opcode, &msg);
914 } else {
915 AVRC_TRACE_WARNING("%s %s msg handle:%d, control:%d, cr:%d, opcode:x%x",
916 __func__, p_drop_msg, handle,
917 avrc_cb.ccb[handle].control, cr, opcode);
918 }
919
920 if (opcode == AVRC_OP_BROWSE && msg.browse.p_browse_pkt == NULL) {
921 do_free = false;
922 }
923
924 if (do_free) osi_free(p_pkt);
925 }
926
927 /******************************************************************************
928 *
929 * Function avrc_pass_msg
930 *
931 * Description Compose a PASS THROUGH command according to p_msg
932 *
933 * Input Parameters:
934 * p_msg: Pointer to PASS THROUGH message structure.
935 *
936 * Output Parameters:
937 * None.
938 *
939 * Returns pointer to a valid GKI buffer if successful.
940 * NULL if p_msg is NULL.
941 *
942 *****************************************************************************/
avrc_pass_msg(tAVRC_MSG_PASS * p_msg)943 static BT_HDR* avrc_pass_msg(tAVRC_MSG_PASS* p_msg) {
944 CHECK(p_msg != NULL);
945 CHECK(AVRC_CMD_BUF_SIZE > (AVRC_MIN_CMD_LEN + p_msg->pass_len));
946
947 BT_HDR* p_cmd = (BT_HDR*)osi_calloc(AVRC_CMD_BUF_SIZE);
948 p_cmd->offset = AVCT_MSG_OFFSET;
949 p_cmd->layer_specific = AVCT_DATA_CTRL;
950
951 uint8_t* p_data = (uint8_t*)(p_cmd + 1) + p_cmd->offset;
952 *p_data++ = (p_msg->hdr.ctype & AVRC_CTYPE_MASK);
953 *p_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT); /* Panel subunit & id=0 */
954 *p_data++ = AVRC_OP_PASS_THRU;
955 *p_data = (AVRC_PASS_OP_ID_MASK & p_msg->op_id);
956 if (p_msg->state) *p_data |= AVRC_PASS_STATE_MASK;
957 p_data++;
958
959 if (p_msg->op_id == AVRC_ID_VENDOR) {
960 *p_data++ = p_msg->pass_len;
961 if (p_msg->pass_len && p_msg->p_pass_data) {
962 memcpy(p_data, p_msg->p_pass_data, p_msg->pass_len);
963 p_data += p_msg->pass_len;
964 }
965 } else {
966 /* set msg len to 0 for other op_id */
967 *p_data++ = 0;
968 }
969 p_cmd->len = (uint16_t)(p_data - (uint8_t*)(p_cmd + 1) - p_cmd->offset);
970
971 return p_cmd;
972 }
973
974 /******************************************************************************
975 *
976 * Function ARVC_GetControlProfileVersion
977 *
978 * Description Get the AVRCP profile version
979 *
980 * Returns The AVRCP control profile version
981 *
982 *****************************************************************************/
AVRC_GetControlProfileVersion()983 uint16_t AVRC_GetControlProfileVersion() {
984 char volume_disabled[PROPERTY_VALUE_MAX] = {0};
985 osi_property_get("persist.bluetooth.disableabsvol", volume_disabled, "false");
986
987 uint16_t profile_version = AVRC_REV_1_3;
988 char avrcp_version[PROPERTY_VALUE_MAX] = {0};
989 osi_property_get(AVRC_CONTROL_VERSION_PROPERTY, avrcp_version,
990 strncmp(volume_disabled, "true", 4) == 0 ? AVRC_1_3_STRING
991 : AVRC_1_4_STRING);
992
993 if (!strncmp(AVRC_1_6_STRING, avrcp_version, sizeof(AVRC_1_6_STRING))) {
994 profile_version = AVRC_REV_1_6;
995 } else if (!strncmp(AVRC_1_5_STRING, avrcp_version,
996 sizeof(AVRC_1_5_STRING))) {
997 profile_version = AVRC_REV_1_5;
998 } else if (!strncmp(AVRC_1_4_STRING, avrcp_version,
999 sizeof(AVRC_1_4_STRING))) {
1000 profile_version = AVRC_REV_1_4;
1001 }
1002
1003 return profile_version;
1004 }
1005
1006 /******************************************************************************
1007 *
1008 * Function ARVC_GetProfileVersion
1009 *
1010 * Description Get the user assigned AVRCP profile version
1011 *
1012 * Returns The AVRCP profile version
1013 *
1014 *****************************************************************************/
AVRC_GetProfileVersion()1015 uint16_t AVRC_GetProfileVersion() {
1016 uint16_t profile_version = AVRC_REV_1_4;
1017 char avrcp_version[PROPERTY_VALUE_MAX] = {0};
1018 osi_property_get(AVRC_VERSION_PROPERTY, avrcp_version, AVRC_DEFAULT_VERSION);
1019
1020 if (!strncmp(AVRC_1_6_STRING, avrcp_version, sizeof(AVRC_1_6_STRING))) {
1021 profile_version = AVRC_REV_1_6;
1022 } else if (!strncmp(AVRC_1_5_STRING, avrcp_version,
1023 sizeof(AVRC_1_5_STRING))) {
1024 profile_version = AVRC_REV_1_5;
1025 } else if (!strncmp(AVRC_1_3_STRING, avrcp_version,
1026 sizeof(AVRC_1_3_STRING))) {
1027 profile_version = AVRC_REV_1_3;
1028 }
1029
1030 return profile_version;
1031 }
1032
1033 /******************************************************************************
1034 *
1035 * Function AVRC_Open
1036 *
1037 * Description This function is called to open a connection to AVCTP.
1038 * The connection can be either an initiator or acceptor, as
1039 * determined by the p_ccb->stream parameter.
1040 * The connection can be a target, a controller or for both
1041 * role, as determined by the p_ccb->control parameter.
1042 * By definition, a target connection is an acceptor connection
1043 * that waits for an incoming AVCTP connection from the peer.
1044 * The connection remains available to the application until
1045 * the application closes it by calling AVRC_Close(). The
1046 * application does not need to reopen the connection after an
1047 * AVRC_CLOSE_IND_EVT is received.
1048 *
1049 * Input Parameters:
1050 * p_ccb->company_id: Company Identifier.
1051 *
1052 * p_ccb->p_ctrl_cback: Pointer to control callback
1053 * function.
1054 *
1055 * p_ccb->p_msg_cback: Pointer to message callback
1056 * function.
1057 *
1058 * p_ccb->conn: AVCTP connection role. This is set to
1059 * AVCTP_INT for initiator connections and AVCTP_ACP
1060 * for acceptor connections.
1061 *
1062 * p_ccb->control: Control role. This is set to
1063 * AVRC_CT_TARGET for target connections, AVRC_CT_CONTROL
1064 * for control connections or
1065 * (AVRC_CT_TARGET|AVRC_CT_CONTROL)
1066 * for connections that support both roles.
1067 *
1068 * peer_addr: BD address of peer device. This value is
1069 * only used for initiator connections; for acceptor
1070 * connections it can be set to NULL.
1071 *
1072 * Output Parameters:
1073 * p_handle: Pointer to handle. This parameter is only
1074 * valid if AVRC_SUCCESS is returned.
1075 *
1076 * Returns AVRC_SUCCESS if successful.
1077 * AVRC_NO_RESOURCES if there are not enough resources to open
1078 * the connection.
1079 *
1080 *****************************************************************************/
AVRC_Open(uint8_t * p_handle,tAVRC_CONN_CB * p_ccb,const RawAddress & peer_addr)1081 uint16_t AVRC_Open(uint8_t* p_handle, tAVRC_CONN_CB* p_ccb,
1082 const RawAddress& peer_addr) {
1083 uint16_t status;
1084 tAVCT_CC cc;
1085
1086 cc.p_ctrl_cback = avrc_ctrl_cback; /* Control callback */
1087 cc.p_msg_cback = avrc_msg_cback; /* Message callback */
1088 cc.pid = UUID_SERVCLASS_AV_REMOTE_CONTROL; /* Profile ID */
1089 cc.role = p_ccb->conn; /* Initiator/acceptor role */
1090 cc.control = p_ccb->control; /* Control role (Control/Target) */
1091
1092 status = AVCT_CreateConn(p_handle, &cc, peer_addr);
1093 if (status == AVCT_SUCCESS) {
1094 avrc_cb.ccb[*p_handle] = *p_ccb;
1095 memset(&avrc_cb.ccb_int[*p_handle], 0, sizeof(tAVRC_CONN_INT_CB));
1096 memset(&avrc_cb.fcb[*p_handle], 0, sizeof(tAVRC_FRAG_CB));
1097 memset(&avrc_cb.rcb[*p_handle], 0, sizeof(tAVRC_RASM_CB));
1098 avrc_cb.ccb_int[*p_handle].tle = alarm_new("avrcp.commandTimer");
1099 avrc_cb.ccb_int[*p_handle].cmd_q = fixed_queue_new(SIZE_MAX);
1100 }
1101 AVRC_TRACE_DEBUG("%s role: %d, control:%d status:%d, handle:%d", __func__,
1102 cc.role, cc.control, status, *p_handle);
1103
1104 return status;
1105 }
1106
1107 /******************************************************************************
1108 *
1109 * Function AVRC_Close
1110 *
1111 * Description Close a connection opened with AVRC_Open().
1112 * This function is called when the
1113 * application is no longer using a connection.
1114 *
1115 * Input Parameters:
1116 * handle: Handle of this connection.
1117 *
1118 * Output Parameters:
1119 * None.
1120 *
1121 * Returns AVRC_SUCCESS if successful.
1122 * AVRC_BAD_HANDLE if handle is invalid.
1123 *
1124 *****************************************************************************/
AVRC_Close(uint8_t handle)1125 uint16_t AVRC_Close(uint8_t handle) {
1126 AVRC_TRACE_DEBUG("%s handle:%d", __func__, handle);
1127 avrc_flush_cmd_q(handle);
1128 return AVCT_RemoveConn(handle);
1129 }
1130
1131 /******************************************************************************
1132 *
1133 * Function AVRC_OpenBrowse
1134 *
1135 * Description This function is called to open a browsing connection to
1136 * AVCTP. The connection can be either an initiator or
1137 * acceptor, as determined by the p_conn_role.
1138 * The handle is returned by a previous call to AVRC_Open.
1139 *
1140 * Returns AVRC_SUCCESS if successful.
1141 * AVRC_NO_RESOURCES if there are not enough resources to open
1142 * the connection.
1143 *
1144 *****************************************************************************/
AVRC_OpenBrowse(uint8_t handle,uint8_t conn_role)1145 uint16_t AVRC_OpenBrowse(uint8_t handle, uint8_t conn_role) {
1146 return AVCT_CreateBrowse(handle, conn_role);
1147 }
1148
1149 /******************************************************************************
1150 *
1151 * Function AVRC_CloseBrowse
1152 *
1153 * Description Close a connection opened with AVRC_OpenBrowse().
1154 * This function is called when the
1155 * application is no longer using a connection.
1156 *
1157 * Returns AVRC_SUCCESS if successful.
1158 * AVRC_BAD_HANDLE if handle is invalid.
1159 *
1160 *****************************************************************************/
AVRC_CloseBrowse(uint8_t handle)1161 uint16_t AVRC_CloseBrowse(uint8_t handle) { return AVCT_RemoveBrowse(handle); }
1162
1163 /******************************************************************************
1164 *
1165 * Function AVRC_MsgReq
1166 *
1167 * Description This function is used to send the AVRCP byte stream in p_pkt
1168 * down to AVCTP.
1169 *
1170 * It is expected that p_pkt->offset is at least
1171 * AVCT_MSG_OFFSET
1172 * p_pkt->layer_specific is AVCT_DATA_CTRL or AVCT_DATA_BROWSE
1173 * p_pkt->event is AVRC_OP_VENDOR, AVRC_OP_PASS_THRU or
1174 * AVRC_OP_BROWSE
1175 * The above BT_HDR settings are set by the AVRC_Bld*
1176 * functions.
1177 *
1178 * Returns AVRC_SUCCESS if successful.
1179 * AVRC_BAD_HANDLE if handle is invalid.
1180 *
1181 *****************************************************************************/
AVRC_MsgReq(uint8_t handle,uint8_t label,uint8_t ctype,BT_HDR * p_pkt)1182 uint16_t AVRC_MsgReq(uint8_t handle, uint8_t label, uint8_t ctype,
1183 BT_HDR* p_pkt) {
1184 uint8_t* p_data;
1185 uint8_t cr = AVCT_CMD;
1186 bool chk_frag = true;
1187 uint8_t* p_start = NULL;
1188 tAVRC_FRAG_CB* p_fcb;
1189 uint16_t len;
1190 uint16_t status;
1191 uint8_t msg_mask = 0;
1192 uint16_t peer_mtu;
1193
1194 if (!p_pkt) return AVRC_BAD_PARAM;
1195
1196 AVRC_TRACE_DEBUG("%s handle = %u label = %u ctype = %u len = %d", __func__,
1197 handle, label, ctype, p_pkt->len);
1198 /* Handle for AVRCP fragment */
1199 bool is_new_avrcp = osi_property_get_bool("bluetooth.profile.avrcp.target.enabled", false);
1200 if (ctype >= AVRC_RSP_NOT_IMPL) cr = AVCT_RSP;
1201
1202 if (p_pkt->event == AVRC_OP_VENDOR) {
1203 if (is_new_avrcp) {
1204 p_start = (uint8_t*)(p_pkt + 1) + p_pkt->offset + AVRC_VENDOR_HDR_SIZE;
1205 } else {
1206 /* add AVRCP Vendor Dependent headers */
1207 p_start = ((uint8_t*)(p_pkt + 1) + p_pkt->offset);
1208 p_pkt->offset -= AVRC_VENDOR_HDR_SIZE;
1209 p_pkt->len += AVRC_VENDOR_HDR_SIZE;
1210 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
1211 *p_data++ = (ctype & AVRC_CTYPE_MASK);
1212 *p_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT);
1213 *p_data++ = AVRC_OP_VENDOR;
1214 AVRC_CO_ID_TO_BE_STREAM(p_data, AVRC_CO_METADATA);
1215
1216 /* Check if this is a AVRC_PDU_REQUEST_CONTINUATION_RSP */
1217 if (cr == AVCT_CMD) {
1218 msg_mask |= AVRC_MSG_MASK_IS_VENDOR_CMD;
1219
1220 if ((*p_start == AVRC_PDU_REQUEST_CONTINUATION_RSP) ||
1221 (*p_start == AVRC_PDU_ABORT_CONTINUATION_RSP)) {
1222 msg_mask |= AVRC_MSG_MASK_IS_CONTINUATION_RSP;
1223 }
1224 }
1225 }
1226 } else if (p_pkt->event == AVRC_OP_PASS_THRU) {
1227 /* add AVRCP Pass Through headers */
1228 p_start = ((uint8_t*)(p_pkt + 1) + p_pkt->offset);
1229 p_pkt->offset -= AVRC_PASS_THRU_SIZE;
1230 p_pkt->len += AVRC_PASS_THRU_SIZE;
1231 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
1232 *p_data++ = (ctype & AVRC_CTYPE_MASK);
1233 *p_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT);
1234 *p_data++ = AVRC_OP_PASS_THRU; /* opcode */
1235 *p_data++ = AVRC_ID_VENDOR; /* operation id */
1236 *p_data++ = 5; /* operation data len */
1237 AVRC_CO_ID_TO_BE_STREAM(p_data, AVRC_CO_METADATA);
1238 } else {
1239 chk_frag = false;
1240 if (p_pkt->layer_specific == AVCT_DATA_BROWSE) {
1241 peer_mtu = AVCT_GetBrowseMtu(handle);
1242 } else {
1243 peer_mtu = AVCT_GetPeerMtu(handle);
1244 }
1245 if (p_pkt->len > (peer_mtu - AVCT_HDR_LEN_SINGLE)) {
1246 AVRC_TRACE_ERROR(
1247 "%s bigger than peer mtu (p_pkt->len(%d) > peer_mtu(%d-%d))",
1248 __func__, p_pkt->len, peer_mtu, AVCT_HDR_LEN_SINGLE);
1249 osi_free(p_pkt);
1250 return AVRC_MSG_TOO_BIG;
1251 }
1252 }
1253
1254 /* abandon previous fragments */
1255 p_fcb = &avrc_cb.fcb[handle];
1256
1257 if (p_fcb == NULL) {
1258 AVRC_TRACE_ERROR("%s p_fcb is NULL", __func__);
1259 osi_free(p_pkt);
1260 return AVRC_NOT_OPEN;
1261 }
1262
1263 if (p_fcb->frag_enabled) p_fcb->frag_enabled = false;
1264
1265 osi_free_and_reset((void**)&p_fcb->p_fmsg);
1266
1267 /* AVRCP spec has not defined any control channel commands that needs
1268 * fragmentation at this level
1269 * check for fragmentation only on the response */
1270 if ((cr == AVCT_RSP) && (chk_frag)) {
1271 if (p_pkt->len > AVRC_MAX_CTRL_DATA_LEN) {
1272 int offset_len = MAX(AVCT_MSG_OFFSET, p_pkt->offset);
1273 BT_HDR* p_pkt_new =
1274 (BT_HDR*)osi_calloc(AVRC_PACKET_LEN + offset_len + BT_HDR_SIZE);
1275 if (p_start != NULL) {
1276 p_fcb->frag_enabled = true;
1277 p_fcb->p_fmsg = p_pkt;
1278 p_fcb->frag_pdu = *p_start;
1279 p_pkt = p_pkt_new;
1280 p_pkt_new = p_fcb->p_fmsg;
1281 p_pkt->len = AVRC_MAX_CTRL_DATA_LEN;
1282 p_pkt->offset = p_pkt_new->offset;
1283 p_pkt->layer_specific = p_pkt_new->layer_specific;
1284 p_pkt->event = p_pkt_new->event;
1285 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
1286 p_start -= AVRC_VENDOR_HDR_SIZE;
1287 memcpy(p_data, p_start, AVRC_MAX_CTRL_DATA_LEN);
1288 /* use AVRC start packet type */
1289 p_data += AVRC_VENDOR_HDR_SIZE;
1290 p_data++; /* pdu */
1291 *p_data++ = AVRC_PKT_START;
1292
1293 /* 4 pdu, pkt_type & len */
1294 len = (AVRC_MAX_CTRL_DATA_LEN - AVRC_VENDOR_HDR_SIZE -
1295 AVRC_MIN_META_HDR_SIZE);
1296 UINT16_TO_BE_STREAM(p_data, len);
1297
1298 /* prepare the left over for as an end fragment */
1299 avrc_prep_end_frag(handle);
1300 AVRC_TRACE_DEBUG("%s p_pkt len:%d/%d, next len:%d", __func__,
1301 p_pkt->len, len, p_fcb->p_fmsg->len);
1302 } else {
1303 /* TODO: Is this "else" block valid? Remove it? */
1304 AVRC_TRACE_ERROR("%s no buffers for fragmentation", __func__);
1305 osi_free(p_pkt);
1306 return AVRC_NO_RESOURCES;
1307 }
1308 }
1309 } else if ((p_pkt->event == AVRC_OP_VENDOR) && (cr == AVCT_CMD) &&
1310 (avrc_cb.ccb_int[handle].flags & AVRC_CB_FLAGS_RSP_PENDING) &&
1311 !(msg_mask & AVRC_MSG_MASK_IS_CONTINUATION_RSP)) {
1312 /* If we are sending a vendor specific command, and a response is pending,
1313 * then enqueue the command until the response has been received.
1314 * This is to interop with TGs that abort sending responses whenever a new
1315 * command
1316 * is received (exception is continuation request command
1317 * must sent that to get additional response frags) */
1318 AVRC_TRACE_DEBUG(
1319 "AVRC: Enqueuing command 0x%08x (handle=0x%02x, label=0x%02x)", p_pkt,
1320 handle, label);
1321
1322 /* label in BT_HDR (will need this later when the command is dequeued) */
1323 p_pkt->layer_specific = (label << 8) | (p_pkt->layer_specific & 0xFF);
1324
1325 /* Enqueue the command */
1326 fixed_queue_enqueue(avrc_cb.ccb_int[handle].cmd_q, p_pkt);
1327 return AVRC_SUCCESS;
1328 }
1329
1330 /* Send the message */
1331 status = AVCT_MsgReq(handle, label, cr, p_pkt);
1332 if ((status == AVCT_SUCCESS) && (cr == AVCT_CMD)) {
1333 /* If a command was successfully sent, indicate that a response is pending
1334 */
1335 avrc_cb.ccb_int[handle].flags |= AVRC_CB_FLAGS_RSP_PENDING;
1336
1337 /* Start command timer to wait for response */
1338 avrc_start_cmd_timer(handle, label, msg_mask);
1339 }
1340
1341 return status;
1342 }
1343
1344 /******************************************************************************
1345 *
1346 * Function AVRC_PassCmd
1347 *
1348 * Description Send a PASS THROUGH command to the peer device. This
1349 * function can only be called for controller role connections.
1350 * Any response message from the peer is passed back through
1351 * the tAVRC_MSG_CBACK callback function.
1352 *
1353 * Input Parameters:
1354 * handle: Handle of this connection.
1355 *
1356 * label: Transaction label.
1357 *
1358 * p_msg: Pointer to PASS THROUGH message structure.
1359 *
1360 * Output Parameters:
1361 * None.
1362 *
1363 * Returns AVRC_SUCCESS if successful.
1364 * AVRC_BAD_HANDLE if handle is invalid.
1365 *
1366 *****************************************************************************/
AVRC_PassCmd(uint8_t handle,uint8_t label,tAVRC_MSG_PASS * p_msg)1367 uint16_t AVRC_PassCmd(uint8_t handle, uint8_t label, tAVRC_MSG_PASS* p_msg) {
1368 BT_HDR* p_buf;
1369 uint16_t status = AVRC_NO_RESOURCES;
1370 if (!p_msg) return AVRC_BAD_PARAM;
1371
1372 p_msg->hdr.ctype = AVRC_CMD_CTRL;
1373 p_buf = avrc_pass_msg(p_msg);
1374 if (p_buf) {
1375 status = AVCT_MsgReq(handle, label, AVCT_CMD, p_buf);
1376 if (status == AVCT_SUCCESS) {
1377 /* Start command timer to wait for response */
1378 avrc_start_cmd_timer(handle, label, 0);
1379 }
1380 }
1381 return (status);
1382 }
1383
1384 /******************************************************************************
1385 *
1386 * Function AVRC_PassRsp
1387 *
1388 * Description Send a PASS THROUGH response to the peer device. This
1389 * function can only be called for target role connections.
1390 * This function must be called when a PASS THROUGH command
1391 * message is received from the peer through the
1392 * tAVRC_MSG_CBACK callback function.
1393 *
1394 * Input Parameters:
1395 * handle: Handle of this connection.
1396 *
1397 * label: Transaction label. Must be the same value as
1398 * passed with the command message in the callback
1399 * function.
1400 *
1401 * p_msg: Pointer to PASS THROUGH message structure.
1402 *
1403 * Output Parameters:
1404 * None.
1405 *
1406 * Returns AVRC_SUCCESS if successful.
1407 * AVRC_BAD_HANDLE if handle is invalid.
1408 *
1409 *****************************************************************************/
AVRC_PassRsp(uint8_t handle,uint8_t label,tAVRC_MSG_PASS * p_msg)1410 uint16_t AVRC_PassRsp(uint8_t handle, uint8_t label, tAVRC_MSG_PASS* p_msg) {
1411 BT_HDR* p_buf;
1412 if (!p_msg) return AVRC_BAD_PARAM;
1413
1414 p_buf = avrc_pass_msg(p_msg);
1415 if (p_buf) return AVCT_MsgReq(handle, label, AVCT_RSP, p_buf);
1416 return AVRC_NO_RESOURCES;
1417 }
1418
1419 /******************************************************************************
1420 *
1421 * Function AVRC_SaveControllerVersion
1422 *
1423 * Description Save AVRC controller version of peer device into bt_config.
1424 * This version is used to send same AVRC target version to
1425 * peer device to avoid version mismatch IOP issue.
1426 *
1427 * Input Parameters:
1428 * bdaddr: BD address of peer device.
1429 *
1430 * version: AVRC controller version of peer device.
1431 *
1432 * Output Parameters:
1433 * None.
1434 *
1435 * Returns Nothing
1436 *
1437 *****************************************************************************/
AVRC_SaveControllerVersion(const RawAddress & bdaddr,uint16_t new_version)1438 void AVRC_SaveControllerVersion(const RawAddress& bdaddr,
1439 uint16_t new_version) {
1440 // store AVRC controller version into BT config
1441 uint16_t old_version = 0;
1442 size_t version_value_size = sizeof(old_version);
1443 if (btif_config_get_bin(bdaddr.ToString(),
1444 AVRCP_CONTROLLER_VERSION_CONFIG_KEY,
1445 (uint8_t*)&old_version, &version_value_size) &&
1446 new_version == old_version) {
1447 LOG_INFO("AVRC controller version same as cached config");
1448 } else if (btif_config_set_bin(
1449 bdaddr.ToString(), AVRCP_CONTROLLER_VERSION_CONFIG_KEY,
1450 (const uint8_t*)&new_version, sizeof(new_version))) {
1451 LOG_INFO("store AVRC controller version %x for %s into config.",
1452 new_version, ADDRESS_TO_LOGGABLE_CSTR(bdaddr));
1453 } else {
1454 LOG_WARN("Failed to store AVRC controller version for %s",
1455 ADDRESS_TO_LOGGABLE_CSTR(bdaddr));
1456 }
1457 }
1458